From: <sv...@va...> - 2013-05-26 21:09:36
philippe 2013-05-26 22:09:20 +0100 (Sun, 26 May 2013)
New Revision: 13409
Log:
fix 320211 Stack buffer overflow in ./coregrind/m_main.c with huge TMPDIR
* Addition of a function to compute size of buffer needed for VG_(mkstemp)
* Use it to dimension buffers for all VG_(mkstemp) calls.
Modified files:
trunk/NEWS
trunk/coregrind/m_debuginfo/readpdb.c
trunk/coregrind/m_libcfile.c
trunk/coregrind/m_main.c
trunk/coregrind/pub_core_libcfile.h
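--- a/trunk/coregrind/m_main.c
+++ b/trunk/coregrind/m_main.c
@@ -1837,7 +1837,7 @@
 VG_(cl_auxv_fd) = -1;
 #else
 if (!need_help) {
- HChar buf[50], buf2[50+64];
+ HChar buf[50], buf2[VG_(mkstemp_fullname_bufsz)(50-1)];
 HChar nul[1];
 Int fd, r;
 const HChar* exename;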
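Review bot: `buf2` is now a variable-length array whose size includes `VG_(strlen)(VG_(tmpdir)())`, so this frame grows with whatever string VG_(tmpdir)() returns (the TMPDIR environment the commit title refers to, presumably also --tmpdir); the fixed-size overflow is gone, but an oversized directory name now becomes unbounded stack use instead of a rejected value, and the same pattern appears in `tmpname` in readpdb.c and in `buf` inside VG_(mkstemp) in m_libcfile.c. If the stack these paths run on is small, capping the length at the point where VG_(tmpdir)() is set, or heap-allocating the name, would bound the worst case. The sizing argument also repeats the neighbouring declaration's `50` by hand; `buf2[VG_(mkstemp_fullname_bufsz)(sizeof buf - 1)]` keeps the two arrays in step if `buf` is ever resized. The enclosing function continues outside the hunk.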
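--- a/trunk/NEWS
+++ b/trunk/NEWS
@@ -344,6 +344,7 @@
 introduction of new Iops for AVX2, BMI, FMA support
 FIXED 13347
+320211 Stack buffer overflow in ./coregrind/m_main.c with huge TMPDIR
 Release 3.8.1 (19 September 2012)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~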
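--- a/trunk/coregrind/pub_core_libcfile.h
+++ b/trunk/coregrind/pub_core_libcfile.h
@@ -84,10 +84,14 @@
 in terms of pread()?) */
 extern SysRes VG_(pread) ( Int fd, void* buf, Int count, OffT offset );
+/* Size of fullname buffer needed for a call to VG_(mkstemp) with
+ part_of_name having the given part_of_name_len. */
+extern SizeT VG_(mkstemp_fullname_bufsz) ( SizeT part_of_name_len );
+
 /* Create and open (-rw------) a tmp file name incorporating said arg.
 Returns -1 on failure, else the fd of the file. If fullname is
 non-NULL, the file's name is written into it. The number of bytes
- written is guaranteed not to exceed 64+strlen(part_of_name). */
+ written is equal to VG_(mkstemp_fullname_bufsz)(part_of_name). */
 extern Int VG_(mkstemp) ( HChar* part_of_name, /*OUT*/HChar* fullname );
 /* Record the process' working directory at startup. Is intended to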
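Review bot: The rewritten contract line `written is equal to VG_(mkstemp_fullname_bufsz)(part_of_name)` passes the string itself to a function declared a few lines up as taking `SizeT part_of_name_len`, so the comment describes a call that does not type-check; and since the size includes the trailing NUL (`+ 1; // trailing 0` in m_libcfile.c), "equal to" is only right if the NUL is counted among the bytes written. Suggested wording: `written, including the terminating NUL, does not exceed VG_(mkstemp_fullname_bufsz)(VG_(strlen)(part_of_name))`. The same sentence is duplicated above the definition of VG_(mkstemp) in m_libcfile.c and needs the same correction there.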
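--- a/trunk/coregrind/m_debuginfo/readpdb.c
+++ b/trunk/coregrind/m_debuginfo/readpdb.c
@@ -2407,7 +2407,7 @@
 /* This is a giant kludge, of the kind "you did WTF?!?", but it
 works. */
 Bool do_cleanup = False;
- HChar tmpname[100], tmpnameroot[50];
+ HChar tmpname[VG_(mkstemp_fullname_bufsz)(50-1)], tmpnameroot[50];
 Int fd, r;
 HChar* res = NULL;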
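--- a/trunk/coregrind/m_libcfile.c
+++ b/trunk/coregrind/m_libcfile.c
@@ -653,14 +653,26 @@
 return tmpdir;
 }
+static const HChar *mkstemp_format = "%s/valgrind_%s_%08x";
+
+SizeT VG_(mkstemp_fullname_bufsz) ( SizeT part_of_name_len )
+{
+ return VG_(strlen)(mkstemp_format)
+ + VG_(strlen)(VG_(tmpdir)()) - 2 // %s tmpdir
+ + part_of_name_len - 2 // %s part_of_name
+ + 8 - 4 // %08x
+ + 1; // trailing 0
+}
+
+
 /* Create and open (-rw------) a tmp file name incorporating said arg.
 Returns -1 on failure, else the fd of the file. If fullname is
 non-NULL, the file's name is written into it. The number of bytes
- written is guaranteed not to exceed 64+strlen(part_of_name). */
+ written is equal to VG_(mkstemp_fullname_bufsz)(part_of_name). */
 Int VG_(mkstemp) ( HChar* part_of_name, /*OUT*/HChar* fullname )
 {
- HChar buf[200];
+ HChar buf[VG_(mkstemp_fullname_bufsz)(VG_(strlen)(part_of_name))];
 Int n, tries, fd;
 UInt seed;
 SysRes sres;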
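Review bot: `VG_(mkstemp_fullname_bufsz)` encodes the layout of `mkstemp_format` as hand-computed constants (`- 2`, `- 2`, `8 - 4`), so any later edit to the format string silently desynchronises the computed size from the write into the now exactly-sized `buf`; the `8 - 4` term additionally assumes the value formatted with `%08x` never needs more than eight hex digits, which holds for a 32-bit `UInt` (`seed` is declared `UInt` here, though what is actually passed is outside the hunk). A comment on the format string such as `/* Any change here must be mirrored in VG_(mkstemp_fullname_bufsz) below. */` makes the coupling explicit, and the call that fills `buf` later in the function should be bounded by `sizeof buf` so that a mismatch truncates instead of overrunning the stack. The size also depends on `VG_(tmpdir)()` being called again inside VG_(mkstemp) and returning the same string, an assumption worth stating in the header comment since callers in m_main.c and readpdb.c size their arrays from a separate call. The body of VG_(mkstemp) continues outside the hunk.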