Page MenuHomeFreeBSD
Differential D7619

bspatch: add sanity checks on sizes
ClosedPublic
Actions

Authored by emaste on Aug 23 2016, 11:26 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Apr 14, 3:16 AM
Unknown Object (File)
Tue, Apr 1, 9:54 PM
Unknown Object (File)
Mar 18 2025, 7:53 PM
Unknown Object (File)
Dec 8 2024, 6:31 PM
Unknown Object (File)
Nov 28 2024, 7:04 AM
Unknown Object (File)
Nov 18 2024, 10:12 AM
Unknown Object (File)
Nov 18 2024, 7:01 AM
Unknown Object (File)
Nov 17 2024, 6:12 PM
View All 96 Files
Subscribers
cem
cperciva

Details

Reviewers
kib
cem
allanjude
delphij
glebius
cperciva
Commits
rS305486: bspatch: add sanity checks on sizes to avoid integer overflow
Summary

Note that on i386 this introduces a new 2GB limit, but this is not a concern in practice. Also avoid allocating an extra byte in the old and new file content buffers.

Based on the "NON-CRYPTANALYTIC ATTACKS AGAINST FREEBSD UPDATE COMPONENTS" gist.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

emaste updated this revision to Diff 19599.Aug 23 2016, 11:26 PM
emaste retitled this revision from to bspatch: add sanity checks on sizes.
emaste updated this object.
emaste edited the test plan for this revision. (Show Details)
emaste added reviewers: allanjude, delphij, glebius.
emaste added a subscriber: cperciva.
delphij added a reviewer: cperciva.Aug 23 2016, 11:29 PM
emaste added inline comments.Aug 23 2016, 11:30 PM
usr.bin/bsdiff/bspatch/bspatch.c
76–77 ↗(On Diff #19599)

On i386 ssize_t is 4 bytes, so would truncate from offtin / lseek.

123 ↗(On Diff #19599)

SSIZE_MAX introduces a 2G limit, but we already had an implicit 2G limit for proper operation based on the previous newsize type.

155 ↗(On Diff #19599)

Same 2G argument as above.

emaste updated this revision to Diff 19679.Aug 25 2016, 3:53 PM

rebase after rS304807

allanjude accepted this revision.Aug 25 2016, 4:57 PM
allanjude edited edge metadata.
This revision is now accepted and ready to land.Aug 25 2016, 4:57 PM
cem accepted this revision.Sep 6 2016, 5:05 AM
cem added a reviewer: cem.
cem added a subscriber: cem.

Changes seem fine to me. This code is really ugly, though.

usr.bin/bsdiff/bspatch/bspatch.c
175 ↗(On Diff #19679)

The gist checks for newsize <= 0. Is zero a valid newsize?

emaste added inline comments.Sep 6 2016, 2:36 PM
usr.bin/bsdiff/bspatch/bspatch.c
175 ↗(On Diff #19679)

Yes, a zero byte output file is legitimate.

kib accepted this revision.Sep 6 2016, 2:39 PM
kib added a reviewer: kib.
Closed by commit rS305486: bspatch: add sanity checks on sizes to avoid integer overflow (authored by emaste). · Explain WhySep 6 2016, 7:01 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
usr.bin/
bsdiff/
bspatch/
17 lines

Diff 20101

View Options

head/usr.bin/bsdiff/bspatch/bspatch.c

Show All 18 Lines
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE. .\" SUCH DAMAGE.
.\" .\"
.\" $FreeBSD$ .\" $FreeBSD$
.\" .\"
.Dd March 8, 2015 .Dd April 18, 2015
.Dt SDT 9 .Dt SDT 9
.Os .Os
.Sh NAME .Sh NAME
.Nm SDT .Nm SDT
.Nd a DTrace framework for adding statically-defined tracing probes .Nd a DTrace framework for adding statically-defined tracing probes
.Sh SYNOPSIS .Sh SYNOPSIS
.In sys/param.h .In sys/param.h
.In sys/queue.h .In sys/queue.h
▲ Show 20 LinesShow All 153 Lines▼ Show 20 Lines
.Pp .Pp
The The
.Fn SDT_PROBE* .Fn SDT_PROBE*
macros are used to create macros are used to create
.Nm .Nm
trace points. trace points.
They are meant to be added to executable code and can be used to instrument the They are meant to be added to executable code and can be used to instrument the
code in which they are called. code in which they are called.
.Sh PROVIDERS
A number of kernel DTrace providers are available.
In general, these providers define stable interfaces and should be treated as
such: existing D scripts may be broken if a probe is renamed or its arguments
are modified.
However, it is often useful to define ad-hoc
.Nm
probes for debugging a subsystem or driver.
Similarly, a developer may wish to provide a group of
.Nm
probes without committing to their future stability.
Such probes should be added to the
.Ql sdt
provider instead of defining a new provider.
.Sh EXAMPLES .Sh EXAMPLES
The DTrace providers available on the current system can be listed with
.Bd -literal -offset indent
dtrace -l | sed 1d | awk '{print $2}' | sort -u
.Ed
.Pp
A detailed list of the probes offered by a given provider can be obtained by
specifying the provider using the
.Fl P
flag.
For example, to view the probes and argument types for the
.Ql sched
provider, run
.Bd -literal -offset indent
dtrace -lv -P sched
.Ed
.Pp
The following probe definition will create a DTrace probe called The following probe definition will create a DTrace probe called
.Ql icmp:::receive-unreachable , .Ql icmp:::receive-unreachable ,
which would hypothetically be triggered when the kernel receives an ICMP packet which would hypothetically be triggered when the kernel receives an ICMP packet
of type Destination Unreachable: of type Destination Unreachable:
.Bd -literal -offset indent .Bd -literal -offset indent
SDT_PROVIDER_DECLARE(icmp); SDT_PROVIDER_DECLARE(icmp);
SDT_PROBE_DEFINE1(icmp, , , receive__unreachable, SDT_PROBE_DEFINE1(icmp, , , receive__unreachable,
▲ Show 20 LinesShow All 105 LinesShow Last 20 Lines