-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Metcalf wrote:
> If the caller requests fewer bytes of cpu_set_t data than are
> available from the system, the code will still copy all of the
> system's data to the user, overwriting additional memory.
> 
> Signed-off-by: Chris Metcalf <[email protected]>
> ---
>  .../unix/sysv/linux/pthread_attr_getaffinity.c     |    8 +++++++-
>  1 files changed, 7 insertions(+), 1 deletions(-)
> 
> diff --git 
> a/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c 
> b/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
> index 5a3d418..376eac8 100644
> --- a/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
> +++ b/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
> @@ -43,9 +43,15 @@ __pthread_attr_getaffinity_new (const pthread_attr_t 
> *attr, size_t cpusetsize,
>       if (((char *) iattr->cpuset)[cnt] != 0)
>         return EINVAL;
>  
> -      void *p = mempcpy (cpuset, iattr->cpuset, iattr->cpusetsize);
>        if (cpusetsize > iattr->cpusetsize)
> +      {
> +     void *p = mempcpy (cpuset, iattr->cpuset, iattr->cpusetsize);
>       memset (p, '\0', cpusetsize - iattr->cpusetsize);
> +      }
> +      else
> +      {
> +     memcpy (cpuset, iattr->cpuset, cpusetsize);
> +      }
>      }
>    else
>      /* We have no information.  */
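Review bot: In the new else branch, memcpy (cpuset, iattr->cpuset, cpusetsize) silently truncates the stored mask whenever cpusetsize is smaller than iattr->cpusetsize. That is only safe if the EINVAL check in the context lines just above has already rejected any nonzero byte at or beyond cpusetsize. The loop bounds are not visible in this hunk, so please confirm them and add a one-line comment on the else branch stating that dependency. The two branches could also be collapsed: copy the smaller of cpusetsize and iattr->cpusetsize once, then call memset only when cpusetsize is larger, so the bound on the copy lives in one place. The braces around the single-statement else body are not needed.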

Chris,
the patch is fine to me; anyway, I've sent a slightly modified version to the glibc list (as we agreed by email) to raise the issue with them too: in the end I'd like to avoid diverging from the glibc/nptl code from which we have taken the nptl implementation.
I'll just wait for any feedback from Drepper & the glibc community, to see if we can keep the same code; otherwise we can commit your patch into uClibc.

Anyway, I'm wondering how to exploit this issue? Do you have a real case in which this occurred? Or were you just doing a static code analysis and found it?

Cheers,
Carmelo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAktLZCkACgkQoRq/3BrK1s8REwCeM/mgl/hQ8F69zHyaaTyxfBzW
OSUAnA5MVLSVBRJGpFvkS+QjMRw3oq42
=yUMl
-----END PGP SIGNATURE-----