On Thu, Sep 11, 2014 at 05:29:04AM +0400, Dmitry V. Levin wrote:
> On Mon, Aug 04, 2014 at 07:42:57AM +0530, Zubin Mithra wrote:
> > * file.c (sys_getdents): Add d_reclen check.
> > (sys_getdents64): Add d_reclen check.
> > 
> > Signed-off-by: Zubin Mithra <zubin.mit...@gmail.com>
> > ---
> >  file.c | 11 ++++++++++-
> >  1 file changed, 10 insertions(+), 1 deletion(-)
> > 
> > diff --git a/file.c b/file.c
> > index a92a7dc..0934ce1 100644
> > --- a/file.c
> > +++ b/file.c
> > @@ -2076,6 +2076,10 @@ sys_getdents(struct tcb *tcp)
> >                             i ? " " : "", d->d_ino, d->d_off);
> >                     tprintf("d_reclen=%u, d_name=\"%s\", d_type=",
> >                             d->d_reclen, d->d_name);
> > +                   if (i + d->d_reclen >= len) {
> > +                           tprints("...}");
> > +                           break;
> > +                   }
> >                     printxval(direnttypes, buf[i + d->d_reclen - 1], 
> > "DT_???");
> >                     tprints("}");
> >             }
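Review bot: the new check in sys_getdents is placed after the tprintf that formats d->d_name with "%s", so the name is read with no length bound before the record is validated; move the check ahead of that tprintf and print the name with a limit derived from len - i. The comparison is also off by one for the access it guards: buf[i + d->d_reclen - 1] is still inside the buffer when i + d->d_reclen == len, so `>=` makes the last well-formed entry print "...}" and lose its d_type, and `i + d->d_reclen > len` is the condition that matches the index. A d_reclen of 0 passes the check and indexes buf[i - 1], which at i == 0 lies before the buffer, so zero should be rejected at the same point.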
> 
> I was talking about this d_reclen check back in April, but this is not
> the only out-of-bounds read issue with getdents.
> 
> > @@ -2138,8 +2142,13 @@ sys_getdents64(struct tcb *tcp)
> >                     tprints("d_type=");
> >                     printxval(direnttypes, d->d_type, "DT_???");
> >                     tprints(", ");
> > -                   tprintf("d_reclen=%u, d_name=\"%s\"}",
> > +                   tprintf("d_reclen=%u, d_name=\"%s\"",
> >                             d->d_reclen, d->d_name);
> > +                   if (i + d->d_reclen >= len) {
> > +                           tprints("...}");
> > +                           break;
> > +                   }
> > +                   tprints("}");
> >             }
> >             if (!d->d_reclen) {
> >                     tprints("/* d_reclen == 0, problem here */");
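Review bot: in sys_getdents64 the added `if (i + d->d_reclen >= len)` guards no access in this hunk: d->d_type is read through the struct field above it and d->d_name has already been formatted with "%s" by the preceding tprintf, so the check only changes the output. With `>=`, an entry that ends exactly at len is printed with "...}" as though it were truncated. Suggest dropping the check here and, if the goal is to stop reads past the buffer, bounding the d_name print by the bytes remaining in the record instead.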
> 
> getdents64 doesn't need this check, but there are other issues
> similar to getdents.
> 
> Here is a fix of potential out-of-bounds read issues in
> getdents/getdents64 I was thinking of:

Pushed:
http://sourceforge.net/p/strace/code/ci/68d64241ac8e8c49f950fef506099f093fc6fa18/


-- 
ldv
