NetBSD-Bugs archive
lib/42637: Shell tab completion crashes due to libedit stack smashing
>Number: 42637
>Category: lib
>Synopsis: Shell tab completion crashes due to libedit stack smashing
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jan 18 19:05:00 +0000 2010
>Originator: Joachim Kuebart
>Release: NetBSD-current
>Organization:
>Environment:
NetBSD yacht 5.99.23 NetBSD 5.99.23 (YACHT) #1: Mon Jan 18 07:35:40 GMT 2010
joki@yacht:/usr/obj/amd64.new/usr/src/sys/arch/amd64/compile/YACHT amd64
>Description:
When using tab completion in the shell, the shell can spontaneously dump core.
This is due to stack destruction in libedit's fn_complete().
>How-To-Repeat:
On amd64, the problem happens when typing "ls /var/log/Xorg." into the shell
and hitting tab (with tab completion and vi-mode turned on). Due to the nature
of the problem, the trigger may be different on each machine.
>Fix:
Apply the following patch to lib/libedit/filecomplete.c. This fix corrects the
size given to malloc()/alloca() to be in bytes rather than in Chars; a count of
Chars allocates too little space iff sizeof(Char) > 1.
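The sizing mistake the patch corrects, shown as an added stand-alone example (this is
not libedit's code): Char is assumed to be wchar_t as in libedit's wide-character
build, and copy_word_before_cursor() mirrors the ctemp/len/temp logic of fn_complete()
for a constructed input line, allocating the buffer in bytes and checking malloc()'s
result. buggy_buf_bytes() only reports what the pre-patch expression would have asked
for, so nothing here is under-allocated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumption for this example: Char is the wide-character type, as in
 * libedit's wide build, so one Char occupies sizeof(wchar_t) bytes. */
typedef wchar_t Char;

/* Bytes really needed for len Chars plus a terminating L'\0'. */
size_t char_buf_bytes(size_t len)
{
	return sizeof(Char) * (len + 1);
}

/* Bytes the pre-patch code asked for: a count of Chars, not bytes. */
size_t buggy_buf_bytes(size_t len)
{
	return len + 1;
}

/* Copy the word ending at cursor (back to the last word-break character)
 * into a freshly allocated, correctly sized buffer. Returns NULL if
 * malloc() fails; the caller frees the result. Modelled on, but not
 * copied from, fn_complete(). */
Char *copy_word_before_cursor(const Char *buffer, const Char *cursor,
    const Char *word_break)
{
	const Char *ctemp = cursor;
	size_t len;
	Char *temp;

	while (ctemp > buffer && !wcschr(word_break, ctemp[-1]))
		ctemp--;
	len = (size_t)(cursor - ctemp);

	/* sizeof(*temp) ties the element size to the pointer's type. */
	temp = malloc(sizeof(*temp) * (len + 1));
	if (temp == NULL)
		return NULL;
	wcsncpy(temp, ctemp, len);
	temp[len] = L'\0';
	return temp;
}

/* Constructed input from the PR's How-To-Repeat; returns 1 when the
 * extracted word is exactly "/var/log/Xorg.", 0 otherwise. */
int check_prefix_copy(void)
{
	const Char *line = L"ls /var/log/Xorg.";
	const Char *cursor = line + wcslen(line);
	Char *word = copy_word_before_cursor(line, cursor, L" \t\n");
	int ok;

	if (word == NULL)
		return 0;
	ok = wcscmp(word, L"/var/log/Xorg.") == 0;
	free(word);
	return ok;
}

int main(void)
{
	size_t len = wcslen(L"/var/log/Xorg.");

	printf("word length in Chars: %zu\n", len);
	printf("pre-patch allocation: %zu bytes\n", buggy_buf_bytes(len));
	printf("correct allocation:   %zu bytes\n", char_buf_bytes(len));
	printf("prefix copy ok: %d\n", check_prefix_copy());
	return 0;
}
```

On a 32-bit wchar_t platform the two allocation figures differ by a factor of four for
the same word, which is the margin by which Strncpy() ran past the old buffer.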
Index: filecomplete.c
===================================================================
RCS file: /pub/NetBSD-CVS/src/lib/libedit/filecomplete.c,v
retrieving revision 1.17
diff -p -U8 -r1.17 filecomplete.c
--- filecomplete.c 30 Dec 2009 22:37:40 -0000 1.17
+++ filecomplete.c 18 Jan 2010 19:00:13 -0000
@@ -414,19 +414,19 @@ fn_complete(EditLine *el,
ctemp = li->cursor;
while (ctemp > li->buffer
&& !Strchr(word_break, ctemp[-1])
&& (!special_prefixes || !Strchr(special_prefixes, ctemp[-1]) ) )
ctemp--;
len = li->cursor - ctemp;
#if defined(__SSP__) || defined(__SSP_ALL__)
- temp = malloc(len + 1);
+ temp = malloc(sizeof(Char) * (len + 1));
#else
- temp = alloca(len + 1);
+ temp = alloca(sizeof(Char) * (len + 1));
#endif
(void)Strncpy(temp, ctemp, len);
temp[len] = '\0';
/* these can be used by function called in completion_matches() */
/* or (*attempted_completion_function)() */
if (point != 0)
*point = (int)(li->cursor - li->buffer);
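Review bot: the `+ temp = malloc(sizeof(Char) * (len + 1));` branch still passes temp straight to `(void)Strncpy(temp, ctemp, len);` with no NULL check anywhere in the visible lines, so an allocation failure in the __SSP__ build turns into a write through NULL; add an `if (temp == NULL)` test that takes the function's existing failure path before the copy. Also consider `sizeof(*temp)` in place of `sizeof(Char)` in both the malloc() and alloca() lines, so the element size follows the pointer's type if it changes again.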