
List:       busybox
Subject:    More buffer overflow and memory bugs
From:       Zach van Rijn <me () zv ! io>
Date:       2018-09-01 22:47:27
Message-ID: 1535842047.5857.60.camel () zv ! io

BusyBox version 1.29.2 (though some of these may exist in prior
versions) has a few more buffer overflow bugs:

(1) procps/powertop.c:173, 'buf' [1] (192 bytes) is too small:

sprintf(buf, "%s/%s/power", "/proc/acpi/processor", d->d_name);

    (struct dirent)->d_name is 256 bytes [2], plus the format
    string brings it up to at least 283 bytes (exceeding 192).

(2) procps/smemcap.c:54, 'header.checksum' [3] (8 bytes)

    The format string [4] can be between 7 and 12 bytes, which
    may exceed the 8-byte buffer.

(3) miscutils/i2c_tools.c:1118-1208

    Multiple 'printf'-family functions may overflow their buffer
    in this function [5].

(4) libbb/copy_file.c:375, variable used after freed [6].

(5) libbb/unicode.c:1124, dereference NULL pointer possible [7].


ZV


[1]: https://git.busybox.net/busybox/tree/procps/powertop.c?h=1_29_2#n173

[2]: http://man7.org/linux/man-pages/man3/readdir.3.html

[3]: https://git.busybox.net/busybox/tree/include/bb_archive.h?h=1_29_2#n151

[4]: https://git.busybox.net/busybox/tree/procps/smemcap.c?h=1_29_2#n54

[5]: https://git.busybox.net/busybox/tree/miscutils/i2c_tools.c?h=1_29_2#n1118

[6]: https://git.busybox.net/busybox/tree/libbb/copy_file.c?h=1_29_2#n375

[7]: https://git.busybox.net/busybox/tree/libbb/unicode.c?h=1_29_2#n1124



_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
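
Added example, not part of the original message and not BusyBox code: item (1)'s size arithmetic worked through in C, next to a bounded version of the same format call that rejects a path that does not fit instead of writing past the buffer. The names build_power_path, worst_case_len, BUF_SIZE and D_NAME_SIZE are hypothetical; the sizes 192 and 256 are the ones quoted in the message.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    192   /* size the report gives for 'buf' */
#define D_NAME_SIZE 256   /* size the report gives for d_name, including NUL */

/* Largest number of bytes "%s/%s/power" can need for a given prefix:
 * prefix + '/' + longest name (D_NAME_SIZE - 1 chars) + "/power" + NUL. */
static size_t worst_case_len(const char *dir)
{
    return strlen(dir) + 1 + (D_NAME_SIZE - 1) + strlen("/power") + 1;
}

/* Bounded replacement for the sprintf() call (hypothetical helper).
 * Returns 0 on success, -1 if the result would not fit in out[outsz];
 * on failure 'out' is left as an empty string, never a truncated path. */
static int build_power_path(char *out, size_t outsz,
                            const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s/power", dir, name);

    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *dir = "/proc/acpi/processor";
    char buf[BUF_SIZE];
    char longname[D_NAME_SIZE];   /* constructed worst-case entry name */

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("worst case needs %zu bytes, buffer has %d\n",
           worst_case_len(dir), BUF_SIZE);
    printf("short name: %d\n", build_power_path(buf, sizeof(buf), dir, "CPU0"));
    printf("long name:  %d\n", build_power_path(buf, sizeof(buf), dir, longname));
    return 0;
}
```

With the 20-byte prefix from the message, the longest entry name that still fits in 192 bytes is 164 characters.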
