Re: [hatari-devel] Buffer overflow in Paths

Re: [hatari-devel] Buffer overflow in Paths_Init()

[ Thread Index | Date Index | More lists.tuxfamily.org/hatari-devel Archives ]

To: hatari-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [hatari-devel] Buffer overflow in Paths_Init()
From: Thomas Huth <th.huth@xxxxxxxxx>
Date: Fri, 18 Jan 2019 06:44:39 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1547790281; bh=1MEBFAreI7MzT82sLJPmbCT8Y3kngJgY+zEGT5UhfkM=; h=Date:From:To:Subject:From; b=LDv/1cWGuvl6Ub8yud0P92WdegX5cEFzVFCj6YWyoshpl6dJNQeVvoNciydqfo7N/ JWzH9+LXnyw3pUl6g7d4ZRsOQRVAOCCTXp/pLjeY2+dKusp+jGpUTb5KhCRKaWMCPS YCGjxEWENK0cel8EGRzxSVAqGMGMJ8qAsK3Q/ZFxkRY9E0D4ZctqdLS6A5xcLmNQ+G IE2CRezRALvQPU15VrFGqP9cluZcnnNt+1SHmrV5hTvIoqgVucOspow6Dsb7DtvLVe 4lpj1wXyZ1vstZt34Z0twWHqDCmkHjMS7XlbdKlAD8bp4HsLK1ryJLoKQEGLs+6xJX DdBebB8AjvhDg==

Am Fri, 18 Jan 2019 01:13:08 +0200
schrieb Eero Tamminen <oak@xxxxxxxxxxxxxx>:

> Hi,
> 
> On 1/17/19 9:17 PM, Christian Zietz wrote:
> > for quite some time I have been puzzled why Hatari (snapshot builds
> > for Windows from antarctica.no) sometimes worked and sometimes
> > crashed with an HEAP_CORRUPTION error directly after start. Today,
> > I finally figured out that it works if I start it from the Windows
> > command line with an absolute path to the executable, but crashes
> > if I start it with just a relative path to the executable.
> > 
> > With that knowledge and a debugger I found the reason: a buffer
> > overflow in Paths_Init(). When started from cmd.exe giving a
> > relative path to the executable, psExecDir [1] will also only
> > contain a relative path. Notice how in [2] only just enough memory
> > is allocated for sDataDir to hold psExecDir, the path separator
> > ("\" under Windows) and BIN2DATADIR, which is "." for the Windows
> > build.
> > 
> > However, File_MakeAbsoluteName, called from [3], will in the end
> > write back the full, absolute filename into that buffer [4], thereby
> > overflowing it.  

Ouch.

> > Since Windows 10 has very good checkers for heap
> > corruption (e.g. by buffer overflow), it then almost immediately
> > terminates the offending process.  
> 
> I've always though Linux has better / more accessible ones, but
> strangely enough e.g. Valgrind doesn't complain about this.

The bug normally does not happen on Linux: Paths_InitExecDir() returns
an absolute path here since we can read the location with readlink().

> > Solution: Always allocate a sufficiently sized buffer
> > (FILENAME_MAX+1?) for sDataDir.  
> 
> I think FILENAME_MAX is supposed to include the terminating nil, as
> that's also specified part of the filename (given to Linux system
> calls).

Right.

> Attached is patch for you to test.

Please also check the return code of malloc for NULL (or use
Str_Alloc() to get the memory), otherwise static analyzers will
complain again.

 Thanks,
  Thomas

Follow-Ups:
- Re: [hatari-devel] Buffer overflow in Paths_Init()
  - From: Eero Tamminen

References:
- [hatari-devel] Buffer overflow in Paths_Init()
  - From: Christian Zietz
- Re: [hatari-devel] Buffer overflow in Paths_Init()
  - From: Eero Tamminen

Messages sorted by: [ date | thread ]
Prev by Date: Re: [hatari-devel] Buffer overflow in Paths_Init()
Next by Date: Re: [hatari-devel] Buffer overflow in Paths_Init()
Previous by thread: Re: [hatari-devel] Buffer overflow in Paths_Init()
Next by thread: Re: [hatari-devel] Buffer overflow in Paths_Init()

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/