List: busybox
Subject: More buffer overflow and memory bugs
From: Zach van Rijn <me () zv ! io>
Date: 2018-09-01 22:47:27
Message-ID: 1535842047.5857.60.camel () zv ! io

BusyBox version 1.29.2 (though some of these may exist in prior
versions) has a few more buffer overflow bugs:

(1) procps/powertop.c:173, 'buf' [1] (192 bytes) is too small:

    sprintf(buf, "%s/%s/power", "/proc/acpi/processor", d->d_name);

    (struct dirent)->d_name is 256 bytes [2], plus the format
    string brings it up to at least 283 bytes (exceeding 192).

(2) procps/smemcap.c:54, 'header.checksum' [3] (8 bytes)

    The format string [4] can be between 7 and 12 bytes, which
    may exceed the 8-byte buffer.

(3) miscutils/i2c_tools.c:1118-1208

    Multiple 'printf'-family functions may overflow their buffer
    in this function [5].

(4) libbb/copy_file.c:375, variable used after freed [6].

(5) libbb/unicode.c:1124, dereference NULL pointer possible [7].

ZV

[1]: https://git.busybox.net/busybox/tree/procps/powertop.c?h=1_29_2#n173
[2]: http://man7.org/linux/man-pages/man3/readdir.3.html
[3]: https://git.busybox.net/busybox/tree/include/bb_archive.h?h=1_29_2#n151
[4]: https://git.busybox.net/busybox/tree/procps/smemcap.c?h=1_29_2#n54
[5]: https://git.busybox.net/busybox/tree/miscutils/i2c_tools.c?h=1_29_2#n1118
[6]: https://git.busybox.net/busybox/tree/libbb/copy_file.c?h=1_29_2#n375
[7]: https://git.busybox.net/busybox/tree/libbb/unicode.c?h=1_29_2#n1124
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
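
The size arithmetic from item (1) and a bounded alternative to the reported sprintf() call, as an added example that is not part of the original message and is not BusyBox code. The 192-byte size and the format string come from the report; the helper names and the 'A'-filled entry names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define POWERTOP_BUF_SIZE 192            /* size of 'buf' per the report */
#define ACPI_DIR "/proc/acpi/processor"  /* literal from the reported call */

/* Bytes needed (including the NUL) for "%s/%s/power" with a name of
 * name_len characters. */
static size_t power_path_need(size_t name_len)
{
    return strlen(ACPI_DIR) + 1 + name_len + strlen("/power") + 1;
}

/* Bounded formatting: returns 0 on success, -1 if the path would not
 * fit, in which case buf is left as an empty string. */
static int build_power_path(char *buf, size_t size, const char *name)
{
    int n = snprintf(buf, size, "%s/%s/power", ACPI_DIR, name);
    if (n < 0 || (size_t)n >= size) {    /* error or truncation */
        if (size > 0)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical helper: try a constructed entry name of name_len 'A's
 * against a 192-byte buffer. */
static int try_name_len(size_t name_len)
{
    char buf[POWERTOP_BUF_SIZE];
    char name[256];                      /* d_name is 256 bytes per the report */
    if (name_len > sizeof(name) - 1)
        return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return build_power_path(buf, sizeof(buf), name);
}

int main(void)
{
    printf("worst case needs %zu bytes, buffer has %d\n",
           power_path_need(255), POWERTOP_BUF_SIZE);
    printf("4-char name:   %d\n", try_name_len(4));
    printf("164-char name: %d\n", try_name_len(164));  /* exactly fills 192 */
    printf("165-char name: %d\n", try_name_len(165));  /* rejected */
    return 0;
}
```

With the 20-byte directory literal, names longer than 164 characters cannot fit in 192 bytes, so the bounded call reports failure instead of writing past the buffer.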