NetBSD-Bugs archive


lib/54399: [PATCH] Uninitialized memory access in libedit



>Number:         54399
>Category:       lib
>Synopsis:       [PATCH] Uninitialized memory access in libedit
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 23 09:05:01 +0000 2019
>Originator:     Sören Tempel
>Release:        libedit from 2019-03-24
>Organization:
>Environment:
Unfortunately, I use the portable version of netbsd libedit that Jess Thrysøe distributes on Linux. However, I verified that the problem wasn't fixed in NetBSD CVS yet.
>Description:
I believe I found an uninitialized memory access in libedit's hist_get
function. The uninitialized memory access is due to the fact that the
history initialization function (hist_init) doesn't initialize the
memory for el->el_history.buf. However, hist_get makes the assumption
that el->el_history.buf is always null-terminated.

If hist_get is called directly after hist_init, it accesses
el->el_history.buf, even though it is not initialized, when invoking
wcsncpy(el->el_history.buf, el->el_line.buffer, EL_BUFSIZ). This is,
for instance, the case when hist_get is called through ed_next_history
using ^N directly after starting a history-enabled libedit program.
>How-To-Repeat:
Use a history-enabled program linked against libedit, start it in valgrind and immediately press Ctrl+N. Example with sftp from OpenSSH:

$ valgrind sftp <host>
sftp>
==32040== Conditional jump or move depends on uninitialised value(s)
==32040==    at 0x404ED2B: wcsncpy (wcsncpy.c:6)
==32040==    by 0x4F35376: wcsncpy (wchar.h:169)
==32040==    by 0x4F35376: hist_get (hist.c:108)
==32040==    by 0x4F32E69: ed_next_history (common.c:610)
==32040==    by 0x4F37DB3: el_wgets (read.c:538)
==32040==    by 0x4F34287: el_gets (eln.c:75)
==32040==    by 0x1118F5: ??? (in /usr/bin/sftp)
==32040==    by 0x10D070: ??? (in /usr/bin/sftp)
==32040==    by 0x401C230: libc_start_main_stage2 (__libc_start_main.c:94)
==32040==    by 0x10D115: ??? (in /usr/bin/sftp)
==32040==    by 0x1: ???
==32040==    by 0x1FFF000B9E: ???
==32040==    by 0x1FFF000BA3: ???
>Fix:
The following patch uses calloc(3) instead of malloc(3) in hist_init to fix the problem. Using memset after invoking malloc would also be possible. Not sure what you prefer.

diff -upr libedit-20190324-3.1.orig/src/hist.c libedit-20190324-3.1/src/hist.c
--- libedit-20190324-3.1.orig/src/hist.c        2019-07-20 21:19:08.374826681 +0200
+++ libedit-20190324-3.1/src/hist.c     2019-07-20 21:28:43.394825734 +0200
@@ -59,7 +59,7 @@ hist_init(EditLine *el)
 
        el->el_history.fun = NULL;
        el->el_history.ref = NULL;
-       el->el_history.buf = el_malloc(EL_BUFSIZ * sizeof(*el->el_history.buf));
+       el->el_history.buf = calloc(EL_BUFSIZ, sizeof(*el->el_history.buf));
        el->el_history.sz  = EL_BUFSIZ;
        if (el->el_history.buf == NULL)
                return -1;
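Review bot: the new line calls calloc(3) directly while the line it replaces, and the rest of this function, allocate through the el_malloc wrapper, so this buffer stops following whatever allocator el_malloc is mapped to; either use libedit's matching calloc wrapper if the tree has one, or keep `el_malloc(EL_BUFSIZ * sizeof(*el->el_history.buf))` and add the memset the submitter mentions right after the `if (el->el_history.buf == NULL)` check. Zero-filling all EL_BUFSIZ elements is more than the invariant needs (hist_get only requires that the buffer be NUL-terminated, which `el->el_history.buf[0] = L'\0'` after the NULL check would establish), but zeroing the whole buffer is the more robust choice and the existing NULL check still covers the new call unchanged.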


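As an added illustration, not code from this PR or from libedit, here is a small C model of the invariant the report describes: the history buffer allocated the way the unpatched hist_init does it and the way the patch does it, plus a bounded check of the "buf is NUL-terminated" assumption before the copy that hist_get performs. The struct and function names are stand-ins, and the value given to EL_BUFSIZ is assumed.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define EL_BUFSIZ 1024	/* libedit's constant name; this value is an assumption */

/* Stand-in for the el_history fields the report discusses. */
struct hist_model { wchar_t *buf; size_t sz; };

/* Unpatched shape: malloc hands back indeterminate contents, so nothing
 * guarantees a L'\0' anywhere inside buf. */
int hist_init_before(struct hist_model *h)
{
	h->buf = malloc(EL_BUFSIZ * sizeof(*h->buf));
	h->sz = EL_BUFSIZ;
	return h->buf == NULL ? -1 : 0;
}

/* Patched shape: calloc zero-fills (a memset after malloc would do the
 * same), so buf[0] == L'\0' and wcsncpy/wcslen over buf stop inside the
 * allocation. */
int hist_init_after(struct hist_model *h)
{
	h->buf = calloc(EL_BUFSIZ, sizeof(*h->buf));
	h->sz = EL_BUFSIZ;
	return h->buf == NULL ? -1 : 0;
}

/* Bounded check of the invariant hist_get relies on: wmemchr never reads
 * past sz elements, unlike wcslen on an unterminated buffer. */
int hist_buf_terminated(const struct hist_model *h)
{
	return wmemchr(h->buf, L'\0', h->sz) != NULL;
}

/* Model of hist_get's "current line" branch: copy buf into the line
 * buffer, refusing when the terminator invariant does not hold. */
int hist_get_model(const struct hist_model *h, wchar_t *line, size_t n)
{
	if (!hist_buf_terminated(h))
		return -1;	/* the real code would read past buf here */
	wcsncpy(line, h->buf, n);
	line[n - 1] = L'\0';
	return 0;
}

void hist_fini(struct hist_model *h) { free(h->buf); h->buf = NULL; }
```

Under valgrind the unpatched shape reports the same "depends on uninitialised value(s)" the PR shows at the wcsncpy; the bounded check turns that silent over-read into a checkable return value.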
