This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH v3] [BZ #17273] fix incorrect mount table entry parsing in __getmntent_r()

On 04 Oct 2014 13:31, Vladimir A. Nazarenko wrote:
> --- a/misc/mntent_r.c
> +++ b/misc/mntent_r.c
> @@ -135,7 +135,11 @@ __getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz)
>        end_ptr = strchr (buffer, '\n');
>        if (end_ptr != NULL)	/* chop newline */
> -	*end_ptr = '\0';
> +	{
> +	  while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
> +            end_ptr--;
> +	  *end_ptr = '\0';
> +	}

this randomly corrupts memory when you get a blank line which is pretty
common i think in /etc/fstab.  buffer = "\n" which means end_ptr will be
buffer which means end_ptr[-1] is random stack memory.  if it happens to
be 0x20 or 0x09, you corrupt a single byte.  happens whenever the line is
just whitespace as you walk back to the start of the buffer allocation.

the way the malloc heaps are laid out, it doesn't seem to be noticed for
most arches, but it's easily reproducible on ppc32.

Attachment: signature.asc
Description: Digital signature

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]