Page MenuHomeFreeBSD

tail: Fix heap overflow in -F case.
ClosedPublic

Authored by des on Nov 29 2023, 8:21 PM.
Tags
None
Referenced Files
Unknown Object (File)
Nov 8 2024, 7:41 PM
Unknown Object (File)
Nov 8 2024, 5:42 PM
Unknown Object (File)
Sep 15 2024, 4:55 PM
Unknown Object (File)
Sep 10 2024, 5:02 AM
Unknown Object (File)
Sep 5 2024, 8:44 AM
Unknown Object (File)
Aug 31 2024, 3:38 AM
Unknown Object (File)
Aug 27 2024, 3:12 PM
Unknown Object (File)
Aug 23 2024, 8:01 AM

Details

Summary

The number of events we track can vary over time, but we only allocated
enough space for the exact number of events we are tracking when we
first begin, resulting in a trivially reproducable heap overflow. Fix
this by allocating enough space for the greatest possible number of
events (two per file) and clean up the code a bit.

Also add a test case which triggers the aforementioned heap overflow,
although we don't currently have a way to detect it.

MFC after: 1 week
Sponsored by: Klara, Inc.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 54695
Build 51584: arc lint + arc unit

Event Timeline

des requested review of this revision.Nov 29 2023, 8:21 PM
allanjude added a subscriber: allanjude.

reviewed-by: allanjude

This revision is now accepted and ready to land.Nov 29 2023, 9:02 PM
markj added a subscriber: markj.

It is silly that kq and ev are global variables instead of being passed as parameters to set_events() (and action should be a return value of set_events()), but fixing that is out of the scope of this patch.

Also add a test case which triggers the aforementioned heap overflow, although we don't currently have a way to detect it.

Does ASAN detect it?

usr.bin/tail/forward.c
341

since you're changing this line anyway.

Also add a test case which triggers the aforementioned heap overflow, although we don't currently have a way to detect it.

Does ASAN detect it?

I haven't tried, but I would be surprised if it didn't. Valgrind loses its mind, just try valgrind tail -F /tmp/nonexistent in one terminal and then touch /tmp/nonexistent in another.

des marked an inline comment as done.Nov 29 2023, 9:17 PM
des added inline comments.
usr.bin/tail/forward.c
341

There's at least one other unrelated case in another file so I'll do them separately.

This revision was automatically updated to reflect the committed changes.