Bug #11826

Buffer overflow and memory leak in "libbsm"

Added by Matthias Scheler 10 months ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Category:
lib - userland libraries
Start date:
Due date:
% Done:
100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

The code for loading the event map in "libbsm" has at least two serious bugs.

1.) There is a buffer overflow in the load_map() function in "usr/src/lib/libbsm/common/au_preselect.c":

static int
load_map()
{
        register au_event_ent_t *evp;

        event_count = 0;
        setauevent();
        while ((evp = getauevent()) != (au_event_ent_t *)NULL) {
                if (event_count > alloc_count)    <========
                        if (realloc_map() == -1) {
                                endauevent();
                                return (-1);
                        }
                event_map[event_count].event = evp->ae_number;
                event_map[event_count].class = evp->ae_class;
                ++event_count;
        }
        endauevent();

        return (0);
}
It tries to store one more element in the allocated buffer than there is room for.

2.) The code for resizing the map will leak memory if the resize fails and lead to later crashes:

static int
realloc_map()
{
        register size_t rsize;
        rsize = sizeof (event_map_t) * (alloc_count + ALLOC_INCR);

        if ((event_map = (event_map_t *)
            realloc(event_map, rsize)) == (event_map_t *)NULL)
                return (-1);

        return (0);
}
Calling the function reallocf() here would IMHO not be the correct solution as we want to keep the old map.
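The following is an added example, not illumos code and not the fix from the commit below: it re-implements both routines from the report in hardened form and exercises them against a constructed in-memory event list in place of getauevent(). The _fixed names, the fail_next_realloc hook, the field names ev_event/ev_class and the rule that realloc_map_fixed() itself bumps alloc_count are all assumptions made for this example. The bound check becomes >= so the map grows before index event_count is written, and realloc() goes into a temporary so a failed resize neither leaks nor invalidates the old map.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (not illumos code). Constructed event source and
 * _fixed routine names are assumptions for illustration only. */

#define ALLOC_INCR 4

typedef struct {
	int ev_event;           /* ae_number in the original */
	unsigned int ev_class;  /* ae_class in the original */
} event_map_t;

/* stand-in for au_event_ent_t with only the two fields load_map() reads */
typedef struct {
	int ae_number;
	unsigned int ae_class;
} sample_event_t;

static event_map_t *event_map = NULL;
static size_t event_count = 0;   /* entries in use */
static size_t alloc_count = 0;   /* entries allocated */
static int fail_next_realloc = 0; /* test hook: next growth returns NULL */

static void
reset_map(void)
{
	free(event_map);
	event_map = NULL;
	event_count = alloc_count = 0;
	fail_next_realloc = 0;
}

/* Bug 2 fixed: realloc() into a temporary. On failure event_map still
 * points at the old block, so it is neither leaked nor dangling. */
static int
realloc_map_fixed(void)
{
	event_map_t *tmp = NULL;
	size_t rsize = sizeof (event_map_t) * (alloc_count + ALLOC_INCR);

	if (fail_next_realloc)
		fail_next_realloc = 0;          /* simulated allocation failure */
	else
		tmp = realloc(event_map, rsize);
	if (tmp == NULL)
		return (-1);
	event_map = tmp;
	alloc_count += ALLOC_INCR;          /* assumed: capacity tracked here */
	return (0);
}

/* Bug 1 fixed: grow when event_count >= alloc_count, i.e. before writing
 * index event_count into a buffer holding exactly alloc_count entries. */
static int
load_map_fixed(const sample_event_t *events, size_t n)
{
	size_t i;

	event_count = 0;
	for (i = 0; i < n; i++) {
		if (event_count >= alloc_count)
			if (realloc_map_fixed() == -1)
				return (-1);
		event_map[event_count].ev_event = events[i].ae_number;
		event_map[event_count].ev_class = events[i].ae_class;
		++event_count;
	}
	return (0);
}

/* Constructed event source: event i+1 carries audit class bit i (n <= 16). */
static int
load_sample_events(size_t n)
{
	sample_event_t events[16];
	size_t i;

	if (n > 16)
		return (-1);
	for (i = 0; i < n; i++) {
		events[i].ae_number = (int)(i + 1);
		events[i].ae_class = 1u << i;
	}
	return (load_map_fixed(events, n));
}

static size_t map_count(void)    { return (event_count); }
static size_t map_capacity(void) { return (alloc_count); }
static int map_event_at(size_t i) { return (i < event_count ? event_map[i].ev_event : -1); }

/* Fill one block exactly, then force the next growth to fail: the entries
 * already loaded must remain readable. Returns 1 when that holds. */
static int
map_survives_failed_growth(void)
{
	reset_map();
	if (load_sample_events(ALLOC_INCR) != 0)
		return (0);
	fail_next_realloc = 1;
	if (load_sample_events(ALLOC_INCR + 1) != -1)
		return (0);
	return (event_map != NULL && alloc_count == ALLOC_INCR &&
	    event_count == ALLOC_INCR && map_event_at(ALLOC_INCR - 1) == ALLOC_INCR);
}

int
main(void)
{
	reset_map();
	printf("load 7: %d, count %zu, capacity %zu\n",
	    load_sample_events(7), map_count(), map_capacity());
	printf("old map survives failed growth: %d\n", map_survives_failed_growth());
	reset_map();
	return (0);
}
```

With ALLOC_INCR set to 4, loading seven events grows the map twice (capacity 8) and never writes past the end; the failure test shows the four entries loaded before the simulated realloc() failure are still intact, which is the property the report says reallocf() would give up.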

History

#1

Updated by Matthias Scheler 10 months ago

  • Description updated (diff)
#2

Updated by Matthias Scheler 10 months ago

  • Status changed from New to In Progress
  • Assignee set to Matthias Scheler
#3

Updated by Electric Monk 10 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit b9c9c3595312927fb362936529c5679117843b93

commit  b9c9c3595312927fb362936529c5679117843b93
Author: Matthias Scheler <matthias.scheler@wdc.com>
Date:   2019-10-24T21:23:26.000Z

    11826 Buffer overflow and memory leak in "libbsm" 
    Reviewed by: Andy Fiddaman <andy@omniosce.org>
    Reviewed by: Robert Mustacchi <rm@fingolfin.org>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Approved by: Dan McDonald <danmcd@joyent.com>
