Page MenuHomeFreeBSD
Differential D33616

Fix buffer overread in preloaded hostuuid parsing
ClosedPublic
Actions

Authored by jrtc27 on Dec 22 2021, 4:10 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Mar 1, 11:34 PM
Unknown Object (File)
Fri, Feb 21, 9:47 PM
Unknown Object (File)
Feb 6 2025, 8:09 AM
Unknown Object (File)
Jan 31 2025, 7:01 AM
Unknown Object (File)
Jan 30 2025, 6:34 AM
Unknown Object (File)
Jan 28 2025, 3:46 AM
Unknown Object (File)
Jan 28 2025, 3:34 AM
Unknown Object (File)
Jan 27 2025, 8:46 AM
View All 50 Files
Subscribers
imp

Details

Reviewers
cperciva
emaste
kevans
markj
jhb
Commits
rG3c7f332f716d: Fix buffer overread in preloaded hostuuid parsing
rGd2ef3774306c: Fix buffer overread in preloaded hostuuid parsing
Summary

Commit b6be9566d236 stopped prison0_init writing outside of the
preloaded hostuuid's bounds. However, the preloaded data will not
(normally) have a NUL in it, and so validate_uuid will walk off the end
of the buffer in its call to sscanf. Previously if there was any
whitespace in the string we'd at least know there's a NUL one past the
end due to the off-by-one error, but now no such byte is guaranteed.

Fix this by copying to a temporary buffer and explicitly adding a NUL.

Whilst here, change the strlcpy call to use a far less suspicious
argument for dstsize; in practice it's fine, but it's an unusual pattern
and not necessary.

Found by: CHERI
MFC after: 1 week

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
sys/
kern/
31 lines

Diff 100464

View Options

sys/kern/kern_jail.c

Loading...