NetBSD-Users archive


Re: Buffer Overflow - fvwrite.c and fread.c sources



Hi,

Actually I ran a static code analyser on the NetBSD source.
Apart from many other issues, it says there is a possible chance of buffer overflow in
fvwrite.c and fread.c, or wherever memcpy comes in those.
This is the reason I asked you the question about the fp FILE pointer.


Thanks,

Nikunj





On Tue, Jan 4, 2011 at 9:44 AM, nikunj badjatya
<nikunjbadjatya%gmail.com@localhost> wrote:

> Thanks David,
> Exactly what I needed!
>
>
>
> Thanks
> Niks
>
>
>
>
> On Wed, Dec 22, 2010 at 9:39 PM, David Mentis <dmentis%cox.net@localhost>
> wrote:
>
>> Nikunj,
>> If you know what the struct for FILE is supposed to look like, you can
>> offset the pointer and cast. I don't have the netbsd source, but on
>> freebsd the first few lines look like:
>>
>> unsigned char *_p;
>> int _r;
>>
>> In that case, I could offset my FILE pointer by sizeof(unsigned
>> char*), and cast it to an int to get the value of _r -- assuming
>> proper dereferencing along the way. For example,
>>
>> /* Use a char pointer: arithmetic on void* is a GNU extension, not standard C. */
>> unsigned char *tmp = (unsigned char *)f; /* NOTE: this also points at _p, the first member */
>> tmp += sizeof(unsigned char *);         /* tmp now points to _r */
>> fprintf(stdout, "f->_r : %d\n", *((int *)tmp));
>>
>> Cheers,
>> David
>>
>> On Wed, Dec 22, 2010 at 12:34 AM, nikunj badjatya
>> <nikunjbadjatya%gmail.com@localhost> wrote:
>> >
>> > Hi,
>> > @Matthias: Thanks for replying! Pardon me for the insufficient information
>> > in the previous mail.
>> >
>> > 1.
>> > fread.c:
>> >  79    (void)memcpy((void *)p, (void *)fp->_p, (size_t)r);
>> >
>> > fvwrite.c:
>> > inside __sfvwrite function.
>> > 166     COPY(w);   /* expansion at line 83, a memcpy call again. */
>> >
>> > 2.
>> > I am currently investigating a "possibility" of buffer overflow at these
>> > places. memcpy can write outside the bounds of allocated memory!
>> > * Which is why I need to examine where fp->_p and fp->_r are getting
>> > their values from.
>> > * Where the memory allocation of _p, _r etc. is taking place.
>> > * The FILE structure is defined in the file STDIO.H. It has all these
>> > members.
>> >
>> > 3.
>> > What I mean by knowing the contents of the FILE structure is this:
>> > I write a sample program which opens a sample text file (FILE *fp),
>> > performs read/write operations, and finally prints various FILE structure
>> > members like fp->_p, _r etc. But when I compile the program it says fp
>> > has no member named _p, _r!
>> >
>> > 4.
>> > I am using NetBSD 5.1.
>> >
>> > I hope I have made it clear enough.
>> >
>> > Thanks,
>> > Nikunj
>> >
>> >
>> >
>> > On Wed, Dec 22, 2010 at 6:20 AM, Matthias Scheler
>> > <tron%zhadum.org.uk@localhost> wrote:
>> >
>> > > On Tue, Dec 21, 2010 at 03:38:31PM +0530, nikunj badjatya wrote:
>> > > > I am just 3 months old to Linux and C programming.
>> > >
>> > > This mailing list is about the NetBSD operating system, not about Linux.
>> > >
>> > > > Recently started investigating Buffer overflow issues with fvwrite.c
>> > > > and fread.c sources.
>> > >
>> > > Please explain why you think there is a buffer overflow issue.
>> > > I've just reviewed the implementation of fread(3) in "fread.c" and
>> > > it looks fine to me.
>> > >
>> > > > Present in lib/libc/stdio/* folder. Here's my investigation:-
>> > > > {
>> > > > There is a memcpy function.
>> > > >
>> > > > 1. at line 81 in fread.c -
>> > > > (void)memcpy((void *)p, (void *)fp->_p, (size_t)r);
>> > >
>> > > Line 81 of "fread.c" looks like this:
>> > >
>> > >        /* fp->_r = 0 ... done in __srefill */
>> > >
>> > > > 2. and at line 168 in fvwrite.c, after expanding the COPY macro.
>> > >
>> > > What COPY macro? There is no COPY macro defined or used in "fread.c".
>> > > Can you please explain which *NetBSD* sources you are looking at?
>> > >
>> > > > How do I know the contents of the FILE structure?
>> > >
>> > > It is private to the library and therefore off limits.
>> > >
>> > >        Kind regards
>> > >
>> > > --
>> > > Matthias Scheler
>> > > http://zhadum.org.uk/
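Added example, not part of the thread or of libc: a small model of the fread(3) copy loop around the memcpy Nikunj quotes, showing where _p and _r get their values and why the memcpy length stays in bounds. FakeFile, fake_open(), refill() and model_fread() are hypothetical stand-ins for the private FILE fields and __srefill(); the input bytes are constructed.

```c
#include <assert.h>
#include <string.h>
#define BUFSZ 4                 /* tiny buffer so refills happen often */

/* Hypothetical stand-in for the private FILE fields the thread discusses. */
typedef struct {
    unsigned char *_p;          /* current read position in _bf */
    int            _r;          /* bytes still unread in _bf */
    unsigned char  _bf[BUFSZ];
    const char    *src;         /* constructed in-memory "file" contents */
    size_t         src_len, src_off;
} FakeFile;

void fake_open(FakeFile *fp, const char *src, size_t len) {
    fp->_p = fp->_bf; fp->_r = 0;
    fp->src = src; fp->src_len = len; fp->src_off = 0;
}

/* Stand-in for __srefill(): this is where _p and _r get their values.
 * _r never exceeds BUFSZ, which is what keeps the memcpy below in range.
 * Returns 1 when bytes were loaded, 0 at end of input. */
static int refill(FakeFile *fp) {
    size_t n = fp->src_len - fp->src_off;
    if (n == 0) { fp->_r = 0; return 0; }
    if (n > BUFSZ) n = BUFSZ;
    memcpy(fp->_bf, fp->src + fp->src_off, n);
    fp->src_off += n;
    fp->_p = fp->_bf;
    fp->_r = (int)n;
    return 1;
}

/* Same control flow as fread(3): drain the buffer, refill, repeat. Each
 * memcpy length is min(resid, _r): bounded by the caller's request on one
 * side and by what refill() placed in _bf on the other. */
size_t model_fread(void *buf, size_t size, size_t count, FakeFile *fp) {
    size_t resid = size * count, total = resid, r;
    unsigned char *p = buf;
    if (resid == 0) return 0;
    if (fp->_r < 0) fp->_r = 0;            /* stream was in write mode */
    while (resid > (r = (size_t)fp->_r)) {
        assert(fp->_p + r <= fp->_bf + BUFSZ);   /* source stays in _bf */
        memcpy(p, fp->_p, r);
        p += r; resid -= r;
        if (!refill(fp)) return (total - resid) / size;  /* short read */
    }
    memcpy(p, fp->_p, resid);              /* resid <= _r here */
    fp->_p += resid; fp->_r -= (int)resid;
    return count;
}
```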

