Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible buffer overflow #24

Closed
milabs opened this issue Nov 13, 2019 · 1 comment
Closed

Possible buffer overflow #24

milabs opened this issue Nov 13, 2019 · 1 comment

Comments

@milabs
Copy link
Contributor

milabs commented Nov 13, 2019
edited
Loading

plthook/plthook_elf.c

Line 383 in a1bbcea

char buf[PATH_MAX];

PATH_MAX is not enough to have as buffer size as it may be the reason of overflow in fgets used below

Probably, it's better to use something like char buf[PATH_MAX + 128] ...

UPDATE:
Here is the kernel part which generates content of /proc/self/maps and there are no explicit limits in line length: https://elixir.bootlin.com/linux/latest/source/fs/proc/task_mmu.c#L300
@kubo kubo closed this as completed in ecb60c6 Nov 14, 2019
@kubo
Copy link
Owner

kubo commented Nov 14, 2019

PATH_MAX is not enough to have as buffer size as it may be the reason of overflow in fgets used below

There is no buffer overflow. Because fgets writes at most PATH_MAX bytes to buf even when one line is longer than PATH_MAX. However when a line is too long and the line after PATH_MAX bytes is accidentally similar format with the beginning of a line, plthook may read it as memory protection mode of a memory region. I fixed it by ecb60c6.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kubo @milabs