[Bug 206178] Out-of-bounds read in wcslcat(3)

Tue, 12 Jan 2016 14:44:44 -0800 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206178

            Bug ID: 206178
           Summary: Out-of-bounds read in wcslcat(3)
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: chere...@mccme.ru

Created attachment 165469
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165469&action=edit
Patch

The wcslcat function could read several bytes behind the end of its input
buffer. This could lead to a crash if the buffer happens to immediately precede
an unmapped page (or when dst=NULL and n=0).

The strlcat function[1] and, hence[2], wcslcat function are documented to work
with the destination buffer not containing NUL. In this case FreeBSD
implementation of wcslcat will read one extra wide char. The code[3] for
traversing the destination array:

56              /* Find the end of dst and adjust bytes left but don't go past
end */
57              while (*d != '\0' && n-- != 0)
58                      d++;

"n-- != 0" in the loop controlling expression makes sure that the loop is
terminated after n chars are examined but the dereference in "*d != '\0'"
happens before the "n" check. For example, there would be one dereference when
n=0.
In particular, wcslcat(NULL, L"", 0) will crash. A crashing testcase with
non-null dst is attached.

To fix it, it's enough to swap the checks in the while loop (patch attached).
Or all the code could be changed to match strlcat.

The issue has security consequences but the function is rarely used so severity
seems very low.

Other BSDs are affected except for OpenBSD which fixed it in [4].

The issue is similar to [5].

[1]
https://svnweb.freebsd.org/base/head/lib/libc/string/strlcpy.3?revision=257720&view=markup#l86
[2]
https://svnweb.freebsd.org/base/head/lib/libc/string/wmemchr.3?revision=251069&view=markup
[3]
https://svnweb.freebsd.org/base/head/lib/libc/string/wcslcat.c?revision=188080&view=markup#l56
[4]
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/wcslcat.c?rev=1.4&content-type=text/x-cvsweb-markup
[5] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206177

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

Reply via email to