Page MenuHomeFreeBSD
Differential D3311

fix format specifier in libpkg, which triggers a coredump
ClosedPublic
Actions

Authored by op on Aug 5 2015, 11:41 PM.
Tags
Referenced Files
Unknown Object (File)
Sun, Oct 26, 11:30 AM
Unknown Object (File)
Thu, Oct 23, 3:53 PM
Unknown Object (File)
Thu, Oct 23, 3:22 PM
Unknown Object (File)
Fri, Oct 17, 2:10 PM
Unknown Object (File)
Fri, Oct 17, 2:10 PM
Unknown Object (File)
Fri, Oct 17, 5:22 AM
Unknown Object (File)
Sun, Oct 12, 3:50 PM
Unknown Object (File)
Sat, Oct 4, 3:39 AM
View All Files
Subscribers
None

Details

Reviewers
pfg
bapt
Group Reviewers
pkg
Summary

commit f6c84ecd8a30a77eeefd8106496e6692d6348190
Author: Oliver Pinter <oliver.pinter@hardenedbsd.org>
Date: Thu Aug 6 01:35:47 2015 +0200

HBSD: fix format specifier in libpkg's pkg_vets(...)

The attr variables type is int, but the format string in pkg_emit_error
is %s. In some case with enabled ASLR this cause a core dump.

 441     {
 442             int attr;
 443
 444             while ((attr = va_arg(ap, int)) > 0) {
 445                     if (attr >= PKG_NUM_FIELDS || attr <= 0) {
 446                             pkg_emit_error("Bad argument on pkg_set %s", attr);
 447                             return (EPKG_FATAL);
 448                     }
 449
 450                     switch (attr) {

(gdb) bt
 #0  0x00000000007f25ab in strlen ()
 #1  0x00000000007e8062 in __vfprintf ()
 #2  0x00000000007a5747 in vasprintf_l ()
 #3  0x0000000000451e7e in pkg_emit_error (
    fmt=0x84b9f5 "Bad argument on pkg_set %s") at pkg_event.c:418
 #4  0x00000000004264c9 in pkg_vset (pkg=0x22036461600, ap=0x6529128ac3e0)
    at pkg.c:446
 #5  0x0000000000426409 in pkg_set2 (pkg=0x22036461600) at pkg.c:567
 #6  0x00000000004024a2 in exec_audit (argc=1, argv=0x6529128acd00)
    at audit.c:207
 #7  0x000000000040e22e in main (argc=2, argv=0x6529128accf8) at main.c:847

Sponsored-by: HardenedBSD
Found-by: ASLR - stack randomization
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
CC: Pedro Giffuni <pfg@freebsd.org
CC: Baptiste Daroussin <bapt@freebsd.org>

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

op updated this revision to Diff 7695.Aug 5 2015, 11:41 PM
op retitled this revision from to fix format specifier in libpkg, which triggers a coredump.
op updated this object.
op edited the test plan for this revision. (Show Details)
op added reviewers: pfg, bapt, pkg.
op added a project: pkg.

And created a pull request in github too: https://github.com/freebsd/pkg/pull/1302

bapt accepted this revision.Aug 6 2015, 9:01 PM
bapt edited edge metadata.
This revision is now accepted and ready to land.Aug 6 2015, 9:01 PM
bapt closed this revision.Aug 12 2015, 8:25 PM

This is in pkg master and release 1.5.6

Revision Contents
Changeset List

PathSize
libpkg/
2 lines

Diff 7695

View Options

libpkg/pkg.c

Loading...