Fix buffer overread in preloaded hostuuid parsing
Closed, Public

Authored by jrtc27 on Dec 22 2021, 4:10 PM.

Details

Summary

Commit b6be9566d236 stopped prison0_init writing outside of the
preloaded hostuuid's bounds. However, the preloaded data will not
(normally) have a NUL in it, and so validate_uuid will walk off the end
of the buffer in its call to sscanf. Previously if there was any
whitespace in the string we'd at least know there's a NUL one past the
end due to the off-by-one error, but now no such byte is guaranteed.

Fix this by copying to a temporary buffer and explicitly adding a NUL.

Whilst here, change the strlcpy call to use a far less suspicious
argument for dstsize; in practice it's fine, but it's an unusual pattern
and not necessary.

Found by: CHERI
MFC after: 1 week
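
The pattern the summary describes, as an added example that is not the code from this revision: a size-delimited blob is copied into a local buffer and explicitly NUL-terminated before any C-string routine sees it. `load_uuid_blob`, `uuid_str_ok` and the trailing-byte trimming are hypothetical names and choices; the validator is only a stand-in for validate_uuid.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define UUID_STR_LEN 36 /* 8-4-4-4-12 hex digits plus four dashes */

/* Stand-in validator (hypothetical). It calls strlen(), so like an
 * sscanf()-based validator it requires a NUL-terminated string. */
static int uuid_str_ok(const char *s)
{
    size_t i;

    if (strlen(s) != UUID_STR_LEN)
        return 0;
    for (i = 0; i < UUID_STR_LEN; i++) {
        int dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash ? s[i] != '-' : !isxdigit((unsigned char)s[i]))
            return 0;
    }
    return 1;
}

/*
 * data/size describe a blob with no guaranteed NUL (e.g. raw file bytes).
 * Returns 0 and fills dst (dstsize >= UUID_STR_LEN + 1) on success,
 * otherwise -1. Hypothetical helper, assumed for this example only.
 */
int load_uuid_blob(const char *data, size_t size, char *dst, size_t dstsize)
{
    char buf[UUID_STR_LEN + 1];

    if (data == NULL || dst == NULL || dstsize < sizeof(buf))
        return -1;
    /* Trim trailing whitespace/control bytes by size, never by NUL search. */
    while (size > 0 && (unsigned char)data[size - 1] <= 0x20)
        size--;
    if (size >= sizeof(buf))    /* too long for a UUID: refuse, do not truncate */
        return -1;
    memcpy(buf, data, size);    /* reads exactly the bytes that exist */
    buf[size] = '\0';           /* explicit terminator on the copy */
    if (!uuid_str_ok(buf))
        return -1;
    memcpy(dst, buf, sizeof(buf));
    return 0;
}
```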

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Lint Passed
Unit: No Test Coverage
Build Status: Buildable 43539
Build 40427: arc lint + arc unit