plan9fox/sys
cinap_lenrek 86e63c36ed kbmap: fix sprint() buffer overflow (thanks silasm)
A buffer can be overflowed in the init function of kbmap.c by using a filename of more than 112 characters.

Sample output:
% cd /sys/lib/kbmap
% touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
% kbmap
kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df
The offending code is most likely the call to sprint in the init function of /sys/src/cmd/kbmap.c,
which in this case writes /sys/lib/kbmap/$file to a 128-bit buffer.
I'm willing to submit a patch for this myself along with a few minor improvements/fixes to kbmap
if I can figure out the nuances of doing so.

--silasm
2014-12-11 18:32:50 +01:00
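
The arithmetic behind the 112-character threshold in the report above, as an added example (not code from kbmap.c or from this commit): the 15-character prefix `/sys/lib/kbmap/` plus 112 characters plus the terminator fills a 128-byte buffer exactly. The 128-byte size, the function names and the use of standard C `snprintf` in place of Plan 9's print library are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The directory is named on the page; the 128-byte size is an assumption. */
#define KBMAP_DIR "/sys/lib/kbmap"
enum { PATHBUF = 128 };

/*
 * Build "<dir>/<file>" into dst without writing past dstlen bytes.
 * Returns the path length on success, -1 if the result would not fit.
 * On failure dst is emptied so a truncated path is never opened.
 */
int
build_map_path(char *dst, size_t dstlen, const char *dir, const char *file)
{
	int n;

	if(dst == NULL || dstlen == 0)
		return -1;
	n = snprintf(dst, dstlen, "%s/%s", dir, file);
	if(n < 0 || (size_t)n >= dstlen){
		dst[0] = '\0';
		return -1;
	}
	return n;
}

/* Demo helper (hypothetical): try a constructed name of namelen 'a' characters. */
int
try_name_len(size_t namelen)
{
	char name[512], path[PATHBUF];

	if(namelen >= sizeof name)
		return -1;
	memset(name, 'a', namelen);
	name[namelen] = '\0';
	return build_map_path(path, sizeof path, KBMAP_DIR, name);
}

int
main(void)
{
	printf("112-char name: %d\n", try_name_len(112));	/* fits: 127 bytes + NUL */
	printf("113-char name: %d\n", try_name_len(113));	/* rejected instead of overflowing */
	return 0;
}
```

An unbounded formatted write into the same buffer would store one byte past its end for the 113-character name and more for anything longer, such as the name in the sample output.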
..
doc /sys/doc: permissions for cleanps, mkdirlist, mkfilelist 2012-10-20 19:09:54 +02:00
games/lib fortunes: (no plan9 to hand) 2014-11-14 12:11:42 -05:00
include libsec: add diffie-hellman functions 2014-09-14 02:29:18 +02:00
lib hgwebfs: add fake add_handler method for HTTPRangeHandler() 2014-12-09 23:11:05 +01:00
man plan9.ini(8): fix typo (thanks ftrvxmtrx) 2014-12-11 17:03:01 +01:00
src kbmap: fix sprint() buffer overflow (thanks silasm) 2014-12-11 18:32:50 +01:00