diff options
| author | jvoisin | 2024-10-10 15:50:40 +0200 |
|---|---|---|
| committer | jvoisin | 2024-10-10 15:50:40 +0200 |
| commit | e2cfd2879a15db00dfa9a42eeb1baaef6a930aff (patch) | |
| tree | 45c61bbdde9a510ba7125e00399781a98dc39cc5 /include/string.h | |
| parent | c3b48c6b0bf501802295c85b1cf54275d6b74883 (diff) | |
Fix a crash in strncpy/stpncpystrn
```
Core was generated by `scripts/mod/modpost -M -m -o Module.symvers -n -T modules.order vmlinux.o'.
Program terminated with signal SIGSEGV, Segmentation fault.
warning: 17 src/string/strlen.c: No such file or directory
(gdb) bt
```
> I think strncpy logic is broken: `__fh_size_t max_len_s = strlen(__s);` may try read past `size_t __n`.
> Create a buf without any trailing `\0`, do `strncpy(dest, buf, sizeof(buf));`, it should work, since `strncpy` will stop at `sizeof buf`
> but the current fority-headers implementation will do `strlen(buf)`, which will go boom when it is not terminated with \0
Reported-by: ncopa
Diffstat (limited to 'include/string.h')
| -rw-r--r-- | include/string.h | 12 |
1 files changed, 0 insertions, 12 deletions
diff --git a/include/string.h b/include/string.h index 9df99fc..89bf25e 100644 --- a/include/string.h +++ b/include/string.h | |||
| @@ -208,12 +208,6 @@ _FORTIFY_FN(stpncpy) char *stpncpy(char * _FORTIFY_POS0 __d, const char *__s, | |||
| 208 | #if __has_builtin(__builtin___stpncpy_chk) && FORTIFY_USE_NATIVE_CHK | 208 | #if __has_builtin(__builtin___stpncpy_chk) && FORTIFY_USE_NATIVE_CHK |
| 209 | return __builtin___stpncpy_chk(__d, __s, __n, __fh_bos(__d, 0)); | 209 | return __builtin___stpncpy_chk(__d, __s, __n, __fh_bos(__d, 0)); |
| 210 | #else | 210 | #else |
| 211 | __fh_size_t max_len_s = strlen(__s); | ||
| 212 | if (max_len_s > __n) | ||
| 213 | max_len_s = __n; | ||
| 214 | if (__fh_overlap(__d, max_len_s, __s, max_len_s)) | ||
| 215 | __builtin_trap(); | ||
| 216 | |||
| 217 | // If the length strlen(src) is smaller than n, the remaining | 211 | // If the length strlen(src) is smaller than n, the remaining |
| 218 | // characters in the array pointed to by dest are filled with null | 212 | // characters in the array pointed to by dest are filled with null |
| 219 | // bytes ('\0') | 213 | // bytes ('\0') |
| @@ -318,12 +312,6 @@ _FORTIFY_FN(strncpy) char *strncpy(char * _FORTIFY_POS0 __d, | |||
| 318 | #if __has_builtin(__builtin___strncpy_chk) && FORTIFY_USE_NATIVE_CHK | 312 | #if __has_builtin(__builtin___strncpy_chk) && FORTIFY_USE_NATIVE_CHK |
| 319 | return __builtin___strncpy_chk(__d, __s, __n, __fh_bos(__d, 0)); | 313 | return __builtin___strncpy_chk(__d, __s, __n, __fh_bos(__d, 0)); |
| 320 | #else | 314 | #else |
| 321 | __fh_size_t max_len_s = strlen(__s); | ||
| 322 | if (max_len_s > __n) | ||
| 323 | max_len_s = __n; | ||
| 324 | if (__fh_overlap(__d, max_len_s, __s, max_len_s)) | ||
| 325 | __builtin_trap(); | ||
| 326 | |||
| 327 | // If the length of src is less than n, strncpy() writes additional | 315 | // If the length of src is less than n, strncpy() writes additional |
| 328 | // null bytes to dest to ensure that a total of n bytes are written. | 316 | // null bytes to dest to ensure that a total of n bytes are written. |
| 329 | __fh_size_t __b = __fh_bos(__d, 0); | 317 | __fh_size_t __b = __fh_bos(__d, 0); |