Page MenuHomeFreeBSD
Differential D42839

tail: Fix heap overflow in -F case.
ClosedPublic
Actions

Authored by des on Nov 29 2023, 8:21 PM.
Tags
None
Referenced Files
Unknown Object (File)
Jan 9 2024, 3:48 AM
Unknown Object (File)
Dec 24 2023, 9:44 PM
Unknown Object (File)
Dec 23 2023, 3:58 AM
Unknown Object (File)
Dec 21 2023, 11:10 PM
Unknown Object (File)
Nov 29 2023, 9:50 PM
Subscribers
allanjude
imp
markj

Details

Reviewers
allanjude
markj
Group Reviewers
Klara
tests
Commits
rG7441705cae68: tail: Fix heap overflow in -F case.
rG817f2d83bd50: tail: Fix heap overflow in -F case.
rG621f45532c58: tail: Fix heap overflow in -F case.
Summary

The number of events we track can vary over time, but we only allocated
enough space for the exact number of events we are tracking when we
first begin, resulting in a trivially reproducable heap overflow. Fix
this by allocating enough space for the greatest possible number of
events (two per file) and clean up the code a bit.

Also add a test case which triggers the aforementioned heap overflow,
although we don't currently have a way to detect it.

MFC after: 1 week
Sponsored by: Klara, Inc.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

des created this revision.Nov 29 2023, 8:21 PM
Herald added a subscriber: imp. · View Herald TranscriptNov 29 2023, 8:21 PM
des requested review of this revision.Nov 29 2023, 8:21 PM
Harbormaster completed remote builds in B54695: Diff 130812.Nov 29 2023, 8:21 PM
des added a reviewer: tests.Nov 29 2023, 8:24 PM
allanjude accepted this revision as: allanjude.Nov 29 2023, 9:02 PM
allanjude added a subscriber: allanjude.

reviewed-by: allanjude

This revision is now accepted and ready to land.Nov 29 2023, 9:02 PM
markj accepted this revision as: markj.Nov 29 2023, 9:02 PM
markj added a subscriber: markj.

It is silly that kq and ev are global variables instead of being passed as parameters to set_events() (and action should be a return value of set_events()), but fixing that is out of the scope of this patch.

Also add a test case which triggers the aforementioned heap overflow, although we don't currently have a way to detect it.

Does ASAN detect it?

usr.bin/tail/forward.c
338

since you're changing this line anyway.

des added a comment.Nov 29 2023, 9:14 PM
In D42839#977069, @markj wrote:

Also add a test case which triggers the aforementioned heap overflow, although we don't currently have a way to detect it.

Does ASAN detect it?

I haven't tried, but I would be surprised if it didn't. Valgrind loses its mind, just try valgrind tail -F /tmp/nonexistent in one terminal and then touch /tmp/nonexistent in another.

des marked an inline comment as done.Nov 29 2023, 9:17 PM
des added inline comments.
usr.bin/tail/forward.c
338

There's at least one other unrelated case in another file so I'll do them separately.

des marked an inline comment as done.Nov 29 2023, 9:21 PM
des added a child revision: D42842: tail: Clean up error messages..
Closed by commit rG621f45532c58: tail: Fix heap overflow in -F case. (authored by des). · Explain WhyNov 29 2023, 9:50 PM
This revision was automatically updated to reflect the committed changes.
des added a commit: rG621f45532c58: tail: Fix heap overflow in -F case..
des added a commit: rG817f2d83bd50: tail: Fix heap overflow in -F case..Dec 13 2023, 8:09 PM
des added a commit: rG7441705cae68: tail: Fix heap overflow in -F case..

Revision Contents
Changeset List

PathSize
usr.bin/
tail/
39 lines
tests/
21 lines

Diff 130816

View Options

usr.bin/tail/forward.c

Loading...
View Options

usr.bin/tail/tests/tail_test.sh

Loading...