From 86e63c36eded29e46a17628264b73d743df9a864 Mon Sep 17 00:00:00 2001 From: cinap_lenrek Date: Thu, 11 Dec 2014 18:32:50 +0100 Subject: [PATCH] kbmap: fix sprint() buffer overflow (thanks silasm) A buffer can be overflowed in the init function of kbmap.c by using a filename of more than 112 characters. sample output: % cd /sys/lib/kbmap % touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa % kbmap kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df offending code is most likely the call to sprint in the init function of /sys/src/cmd/kbmap.c, which in this case writes /sys/lib/kbmap/$file to a 128-bit buffer. I'm willing to submit a patch for this myself along with a few minor improvements/fixes to kbmap if I can figure out the nuances of doing so. --silasm --- sys/src/cmd/kbmap.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sys/src/cmd/kbmap.c b/sys/src/cmd/kbmap.c index 712c27e71..03f9a40da 100644 --- a/sys/src/cmd/kbmap.c +++ b/sys/src/cmd/kbmap.c @@ -64,7 +64,6 @@ init(void) { int i, fd, nr; Dir *pd; - char buf[128]; if((fd = open(dir, OREAD)) < 0) return; @@ -72,8 +71,8 @@ init(void) nmap = nr = dirreadall(fd, &pd); map = emalloc(nr * sizeof(KbMap)); for(i=0; i
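Review bot: dropping `char buf[128];` in the first hunk removes the fixed-size stack buffer that the unbounded `sprint` overran, which is the right direction, but the hunk itself shows no replacement, so the fix depends entirely on what the second hunk substitutes; the reviewer should confirm that the path is now built with a length-bounded or heap-allocating call (`snprint` with the destination size, or `smprint` with the result freed after use) rather than another `sprint` into a different fixed array. The numbers in the report line up with this buffer: the `/sys/lib/kbmap/` prefix is 15 bytes, which with the terminating NUL leaves exactly 112 bytes of the 128-byte array for the file name, matching the "more than 112 characters" trigger. Note also that the report calls it a "128-bit buffer"; the declaration being removed is 128 bytes.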
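Review bot: the second hunk is truncated in this copy after `for(i=0; i`, so the lines that actually replace the `sprint` call cannot be reviewed here; the stat line (`2 insertions(+), 3 deletions(-)`) and the hunk header (`-72,8 +71,8`) indicate it swaps two lines for two, which is consistent with a bounded or allocating formatting call plus its cleanup, but that has to be checked against the full patch. Independently of the overflow fix, the unchanged context `nmap = nr = dirreadall(fd, &pd);` followed by `map = emalloc(nr * sizeof(KbMap));` has no check for the `-1` that `dirreadall` returns on error; with `nr == -1` the multiplication wraps to a huge allocation request and `nmap` is left negative, so an `if(nr < 0) return;` (or equivalent) before the `emalloc` would be worth adding while this function is being touched.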