From 09a3687547c1e1a66a0f1e0e32a03e9c7ab2de11 Mon Sep 17 00:00:00 2001 From: Patrick Steinhardt Date: Tue, 29 May 2018 13:20:00 +0200 Subject: [PATCH] procio: fix potential out-of-bounds access when write fails When writing to procfs via `proc_write` fails, we try to chunk the buffer into smaller pieces to work around that issue. When searching for the next location to split the buffer, though, we can underflow the buffer in case the current offset is smaller than `LINELEN`. Fix the issue by passing `cookie->offset` instead of `LINELEN` into `memrchr` in case `cookie->offset` is smaller than `LINELEN`. This bug can be triggered on musl-based systems, e.g. by executing $ sysctl kernel.printk_ratelimit=1000000000000000 As the value is out-of-range, `write` will return an error and set `errno` to `EINVAL`. As we're only trying to write a smallish buffer with a length smaller than `LINELEN` and as the buffer does not contain any newlines, the call token = (char*)memrchr(cookie->buf+offset, '\n', LINELEN); will underflow the buffer and crash the program. Signed-off-by: Patrick Steinhardt --- lib/procio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/procio.c b/lib/procio.c index 5cc7af66..bbd7c84b 100644 --- a/lib/procio.c +++ b/lib/procio.c @@ -251,7 +251,7 @@ ssize_t proc_write(void *c, const char *buf, size_t count) if (cookie->offset > LINELEN) token = (char*)memrchr(cookie->buf+offset, cookie->delim, LINELEN); else - token = (char*)memrchr(cookie->buf+offset, '\n', LINELEN); + token = (char*)memrchr(cookie->buf+offset, '\n', cookie->offset); if (token) *token = '\n'; else {
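Review bot: the new `else` branch only stays in bounds if `offset` is 0 whenever `cookie->offset <= LINELEN`, and the hunk does not show where `offset` is derived from `cookie->offset`; please confirm that invariant (or pass `cookie->buf` directly in this branch) so the search window `cookie->buf+offset .. +cookie->offset` cannot reach past the start of the buffer. The boundary case `cookie->offset == LINELEN` falls into the `else` branch with a length of exactly `LINELEN`, which is fine, and `cookie->offset == 0` makes `memrchr` return NULL, so the existing `else` path handles it. The two branches still search for different characters (`cookie->delim` vs. `'\n'`); that asymmetry predates this patch, but a one-line comment or a follow-up unifying them would help the next reader. Since the commit message gives a concrete reproducer (`sysctl kernel.printk_ratelimit=1000000000000000` on musl, where `write` fails with `EINVAL` on a short, newline-free buffer), consider turning it into a regression test.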