[Reproducible-commits] [dpkg] 15/25: s-s-d: Fix off-by-one stack buffer overrun on GNU/Linux and GNU/kFreeBSD

Holger Levsen holger at layer-acht.org
Tue May 3 08:43:55 UTC 2016


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to annotated tag 1.16.16
in repository dpkg.

commit 019a62ac5f047fa9dbe5f8597faedfacdba84e6b
Author: Guillem Jover <guillem at debian.org>
Date:   Mon Apr 28 22:15:58 2014 +0200

    s-s-d: Fix off-by-one stack buffer overrun on GNU/Linux and GNU/kFreeBSD
    
    Cherry picked from commit 00e2aadcdc9d86655963df13068afd85eca2ed83.
    
    This might happen if the executable pathname is longer than
    _POSIX_PATH_MAX. Although this should not have security implications
    as the buffer is surrounded by two arrays (so those catch accesses
    even if the stack grows up or down), and we are compiling with
    -fstack-protector anyway.
    
    We just need to always leave room for the final NUL character.
    
    Warned-by: coverity
---
 debian/changelog          | 5 +++++
 utils/start-stop-daemon.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 930ffe6..472c608 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,11 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low
     Closes: #751021
   * Fix a descriptor leak on dselect subprocesses when --debug is used.
   * Do not run qsort() over the scandir() list in libcompat if it is NULL.
+  * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and
+    GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX.
+    Although this should not have security implications as the buffer is
+    surrounded by two arrays (so those catch accesses even if the stack
+    grows up or down), and we are compiling with -fstack-protector anyway.
 
   [ Updated scripts translations ]
   * Fix typos in German (Helge Kreutzmann)
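Review bot: the changelog entry carries the stack-layout argument ("the buffer is surrounded by two arrays (so those catch accesses even if the stack grows up or down)"), but C does not guarantee that locals sit in declaration order, and -fstack-protector in particular reorders character arrays to sit next to the canary, so the neighbouring arrays are not something a reader can rely on. Keep the changelog to the user-visible fact (a one-byte overrun of lcontents when the target of /proc/PID/exe is longer than _POSIX_PATH_MAX) and leave the mitigation reasoning to the commit message, or state only the -fstack-protector mitigation, which is the part the build actually guarantees.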
diff --git a/utils/start-stop-daemon.c b/utils/start-stop-daemon.c
index 818d7eb..11afbaf 100644
--- a/utils/start-stop-daemon.c
+++ b/utils/start-stop-daemon.c
@@ -1021,13 +1021,13 @@ static bool
 pid_is_exec(pid_t pid, const struct stat *esb)
 {
 	char lname[32];
-	char lcontents[_POSIX_PATH_MAX];
+	char lcontents[_POSIX_PATH_MAX + 1];
 	const char deleted[] = " (deleted)";
 	int nread;
 	struct stat sb;
 
 	sprintf(lname, "/proc/%d/exe", pid);
-	nread = readlink(lname, lcontents, sizeof(lcontents));
+	nread = readlink(lname, lcontents, sizeof(lcontents) - 1);
 	if (nread == -1)
 		return false;
 
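Review bot: readlink(2) never writes a NUL, and nothing in this hunk writes the terminator the extra byte in `lcontents[_POSIX_PATH_MAX + 1]` was reserved for; the line after the `nread == -1` check should be `lcontents[nread] = '\0';`, and if that already happens further down it should be in the hunk's context so the two halves of the fix are reviewable together. Passing `sizeof(lcontents) - 1` also turns an over-long path into a silent truncation rather than an error: when `nread == sizeof(lcontents) - 1` the target may have been cut short, and any later stat() of lcontents and comparison with `esb` would run against the wrong path (and the `deleted[]` suffix check would not match either). Treat that case as "cannot decide" and return false, or size the buffer to PATH_MAX instead of _POSIX_PATH_MAX (256), which is far below what Linux allows for an executable path.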

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git
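The pattern the fix depends on (reserve one byte for the terminator that readlink(2) never writes, then terminate and detect truncation) is shown below as an added example; it is not dpkg's code and not part of the original message. The buffer size LINK_BUF_MAX, the function names, and the throwaway symlink under /tmp are assumptions made for the example; the " (deleted)" suffix handling mirrors the `deleted[]` array visible in pid_is_exec().

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Mirrors the _POSIX_PATH_MAX (256) used by pid_is_exec(); an assumption
 * of this example, not a value taken from dpkg. */
#define LINK_BUF_MAX 256

enum link_status { LINK_OK = 0, LINK_ERROR = 1, LINK_TRUNCATED = 2 };

/* Read a symlink into buf, always NUL-terminating and reporting truncation. */
static enum link_status read_link_safe(const char *path, char *buf, size_t bufsz)
{
    ssize_t n;

    if (bufsz == 0)
        return LINK_ERROR;
    /* Reserve one byte: readlink(2) never writes a terminator. */
    n = readlink(path, buf, bufsz - 1);
    if (n < 0) {
        buf[0] = '\0';
        return LINK_ERROR;
    }
    buf[n] = '\0';
    /* readlink() truncates silently; a full buffer is the only signal. */
    if ((size_t)n == bufsz - 1)
        return LINK_TRUNCATED;
    return LINK_OK;
}

/* /proc/PID/exe reads "<path> (deleted)" once the executable is unlinked;
 * strip the suffix and report whether it was present. */
static int strip_deleted_suffix(char *target)
{
    static const char deleted[] = " (deleted)";
    size_t len = strlen(target);
    size_t dlen = sizeof(deleted) - 1;

    if (len >= dlen && strcmp(target + len - dlen, deleted) == 0) {
        target[len - dlen] = '\0';
        return 1;
    }
    return 0;
}

/* Constructed fixture: create a symlink with the given target in a
 * throwaway directory, read it back with read_link_safe(), clean up. */
static enum link_status roundtrip(const char *target, char *out, size_t outsz)
{
    char dir[] = "/tmp/readlink-demo-XXXXXX";
    char linkpath[sizeof(dir) + 8];
    enum link_status st;

    if (mkdtemp(dir) == NULL)
        return LINK_ERROR;
    snprintf(linkpath, sizeof(linkpath), "%s/exe", dir);
    if (symlink(target, linkpath) != 0) {
        rmdir(dir);
        return LINK_ERROR;
    }
    st = read_link_safe(linkpath, out, outsz);
    unlink(linkpath);
    rmdir(dir);
    return st;
}

/* Short target: fits, is NUL-terminated, content intact. */
static int demo_short(void)
{
    char buf[LINK_BUF_MAX + 1];
    return roundtrip("/usr/sbin/sshd", buf, sizeof(buf)) == LINK_OK
           && strcmp(buf, "/usr/sbin/sshd") == 0;
}

/* Target longer than the buffer: reported as truncated instead of being
 * compared as if complete (and, before the fix, overrun by one byte). */
static int demo_long(void)
{
    char target[LINK_BUF_MAX + 64];
    char buf[LINK_BUF_MAX + 1];

    memset(target, 'a', sizeof(target) - 1);
    target[0] = '/';
    target[sizeof(target) - 1] = '\0';
    return roundtrip(target, buf, sizeof(buf)) == LINK_TRUNCATED
           && strlen(buf) == LINK_BUF_MAX;
}

/* Unlinked executable: suffix stripped, path left usable for stat(). */
static int demo_deleted(void)
{
    char buf[64] = "/usr/sbin/sshd (deleted)";
    return strip_deleted_suffix(buf) == 1 && strcmp(buf, "/usr/sbin/sshd") == 0;
}

int main(void)
{
    printf("short: %s\n", demo_short() ? "ok" : "FAIL");
    printf("long: %s\n", demo_long() ? "ok" : "FAIL");
    printf("deleted: %s\n", demo_deleted() ? "ok" : "FAIL");
    return 0;
}
```

A target of exactly LINK_BUF_MAX bytes is also reported as truncated, because readlink() gives no way to tell it apart from a longer one; a caller such as pid_is_exec() should treat that as "cannot decide" rather than stat() a possibly cut-off path.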