From nobody@FreeBSD.org  Thu Nov 18 01:56:50 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id DF74C1065674
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 18 Nov 2010 01:56:50 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id CD6B18FC14
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 18 Nov 2010 01:56:50 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id oAI1uo8L040150
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 18 Nov 2010 01:56:50 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id oAI1uoeM040149;
	Thu, 18 Nov 2010 01:56:50 GMT
	(envelope-from nobody)
Message-Id: <201011180156.oAI1uoeM040149@www.freebsd.org>
Date: Thu, 18 Nov 2010 01:56:50 GMT
From: Mateusz Guzik <mjguzik@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: truss writes one byte past the buffer if it is not null-terminated
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         152345
>Category:       bin
>Synopsis:       [patch] truss(1) writes one byte past the buffer if it is not null-terminated
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 18 02:00:31 UTC 2010
>Closed-Date:    Thu Apr 07 16:49:19 UTC 2011
>Last-Modified:  Thu Apr 07 16:49:19 UTC 2011
>Originator:     Mateusz Guzik
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD lap 9.0-CURRENT FreeBSD 9.0-CURRENT #11 r213950+82afb7e: Sun Oct 17 16:57:50 CEST 2010     f@aa:/usr/obj/srv/repos/freebsd/sys/LAP  amd64

>Description:
When copying buffers filled by syscalls, truss does the following (syscalls.c: get_string())

buf = malloc(totalsize);

Later, if buf is not null-terminated, truss writes past the buffer:

buf[totalsize] = '\0';

And if buf[totalsize - 1] is not 0, one byte of garbage is printed along with the expected data.
>How-To-Repeat:
Download and compile http://student.agh.edu.pl/~mjguzik/truss_garbage.c . It will try to readlink(2) symlink 'foo' to a buffer filled with 0xFF.

$ ln -s bar foo
$ truss ./a.out 2>&1 | grep readlink
readlink("foo","bar",1025)			 = 3 (0x3)

>Fix:
See http://student.agh.edu.pl/~mjguzik/truss_garbage.patch

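To make the off-by-one concrete, the following is an added example; it is not part of this PR, not truss's source and not the submitted patch. It reproduces the control flow of get_string() described above with the ptrace(PT_IO) read replaced by a copy from a local array standing in for the tracee's memory (the BLOCKSIZE and MAXSIZE values, the read_tracee() helper and the readlink_case()/unbounded_no_nul_len() scenario functions are all constructed here). A flag selects the terminator index: totalsize - 1, the last byte of the allocation, or totalsize, one past it; the simulation never performs the out-of-bounds store and reports it instead. The readlink scenario from the report ("bar" written into a 1025-byte buffer pre-filled with 0xFF, copied with max = 3) is the constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCKSIZE 1024	/* constructed; truss has its own constants */
#define MAXSIZE   4096

/* Stand-in for ptrace(PT_IO): copy from a local array instead of a tracee. */
static size_t
read_tracee(const unsigned char *mem, size_t memlen, size_t off,
    char *dst, size_t len)
{
	if (off >= memlen)
		return 0;
	if (len > memlen - off)
		len = memlen - off;
	memcpy(dst, mem + off, len);
	return len;
}

/*
 * Same shape as get_string(): copy in BLOCKSIZE chunks, stop at the first
 * NUL, grow up to MAXSIZE when no length was given, otherwise terminate
 * the copy ourselves.  'fixed' selects the terminator slot: totalsize - 1
 * (in bounds, as committed) or totalsize (one past the allocation, the
 * reported bug).  The bad store is not performed; *oob records it.
 */
static char *
get_string_sim(const unsigned char *mem, size_t memlen, size_t off,
    int max, int fixed, int *oob)
{
	char *buf, *nbuf;
	int diff, i, size, totalsize;
	size_t got;

	*oob = 0;
	totalsize = size = max ? (max + 1) : BLOCKSIZE;
	if ((buf = malloc(totalsize)) == NULL)
		return NULL;
	for (;;) {
		diff = totalsize - size;
		got = read_tracee(mem, memlen, off + diff, buf + diff, size);
		if (got == 0)
			break;
		for (i = 0; i < (int)got; i++)
			if (buf[diff + i] == '\0')
				return buf;	/* the tracee supplied the NUL */
		if (max == 0 && totalsize < MAXSIZE) {
			totalsize += BLOCKSIZE;
			/* keep the old pointer so a failed realloc cannot leak it */
			if ((nbuf = realloc(buf, totalsize)) == NULL)
				break;
			buf = nbuf;
			size = BLOCKSIZE;
		} else {
			if (!fixed)
				*oob = 1;	/* buf[totalsize] would be past the end */
			buf[totalsize - 1] = '\0';
			return buf;
		}
	}
	free(buf);
	return NULL;
}

/*
 * The PR's reproduction: readlink() wrote "bar" into a 1025-byte buffer
 * pre-filled with 0xFF, and the copy is asked for max = 3 bytes.  Returns
 * 0 when "bar" came back with an in-bounds terminator, 1 when the
 * terminator would have landed past the allocation, -1 otherwise.
 */
int
readlink_case(int fixed)
{
	unsigned char mem[1025];
	char *s;
	int oob, rv;

	memset(mem, 0xFF, sizeof(mem));
	memcpy(mem, "bar", 3);		/* 3 bytes written, no NUL after them */
	s = get_string_sim(mem, sizeof(mem), 0, 3, fixed, &oob);
	if (s == NULL)
		return -1;
	rv = strcmp(s, "bar") == 0 ? oob : -1;
	free(s);
	return rv;
}

/* Unbounded copy (max = 0) of memory holding no NUL at all: growth stops
 * at MAXSIZE and the terminator takes the last slot, so strlen is 4095. */
int
unbounded_no_nul_len(void)
{
	static unsigned char mem[MAXSIZE + 1000];
	char *s;
	int oob, len;

	memset(mem, 'A', sizeof(mem));
	s = get_string_sim(mem, sizeof(mem), 0, 0, 1, &oob);
	if (s == NULL)
		return -1;
	len = (int)strlen(s);
	free(s);
	return len;
}

int
main(void)
{
	printf("committed index: %d, original index: %d\n",
	    readlink_case(1), readlink_case(0));
	printf("unbounded copy without NUL: strlen %d\n", unbounded_no_nul_len());
	return 0;
}
```

With max = 3 the allocation is 4 bytes, so the original index 4 is exactly one past the end while index 3 is the slot reserved for the terminator; the simulation also checks the realloc() return value, which the real code does not, so that a failed growth cannot turn into a NULL dereference.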
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->jh 
Responsible-Changed-By: jh 
Responsible-Changed-When: Mon Dec 6 09:12:31 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152345 
State-Changed-From-To: open->patched 
State-Changed-By: jh 
State-Changed-When: Mon Dec 6 09:19:31 UTC 2010 
State-Changed-Why:  
Committed to head (r216224). Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152345 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/152345: commit references a PR
Date: Mon,  6 Dec 2010 09:18:17 +0000 (UTC)

 Author: jh
 Date: Mon Dec  6 09:18:11 2010
 New Revision: 216224
 URL: http://svn.freebsd.org/changeset/base/216224
 
 Log:
   Don't write the terminating NUL past end of buffer.
   
   PR:		bin/152345
   Submitted by:	Mateusz Guzik
 
 Modified:
   head/usr.bin/truss/syscalls.c
 
 Modified: head/usr.bin/truss/syscalls.c
 ==============================================================================
 --- head/usr.bin/truss/syscalls.c	Mon Dec  6 00:19:56 2010	(r216223)
 +++ head/usr.bin/truss/syscalls.c	Mon Dec  6 09:18:11 2010	(r216224)
 @@ -518,7 +518,7 @@ get_string(pid_t pid, void *offset, int 
  			buf = realloc(buf, totalsize);
  			size = BLOCKSIZE;
  		} else {
 -			buf[totalsize] = '\0';
 +			buf[totalsize - 1] = '\0';
  			return (buf);
  		}
  	}
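Review bot: The new index in the `else` branch is correct: `totalsize` is the size passed to `realloc` two lines above (and to the initial `malloc`), so `buf[totalsize - 1]` is the last byte of the allocation and the old `buf[totalsize]` was one past it. One thing the hunk leaves in place is the unchecked `buf = realloc(buf, totalsize);` in the context lines: on failure it overwrites the only pointer to the buffer with NULL, leaking it and leaving the next iteration to index through NULL. Assigning to a temporary and checking it before replacing `buf` would close that.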
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/152345: commit references a PR
Date: Sun,  3 Apr 2011 08:45:17 +0000 (UTC)

 Author: jh
 Date: Sun Apr  3 08:44:57 2011
 New Revision: 220291
 URL: http://svn.freebsd.org/changeset/base/220291
 
 Log:
   MFC r216224:
   
   Don't write the terminating NUL past end of buffer.
   
   PR:		bin/152345
 
 Modified:
   stable/8/usr.bin/truss/syscalls.c
 Directory Properties:
   stable/8/usr.bin/truss/   (props changed)
 
 Modified: stable/8/usr.bin/truss/syscalls.c
 ==============================================================================
 --- stable/8/usr.bin/truss/syscalls.c	Sun Apr  3 05:09:25 2011	(r220290)
 +++ stable/8/usr.bin/truss/syscalls.c	Sun Apr  3 08:44:57 2011	(r220291)
 @@ -516,7 +516,7 @@ get_string(pid_t pid, void *offset, int 
  			buf = realloc(buf, totalsize);
  			size = BLOCKSIZE;
  		} else {
 -			buf[totalsize] = '\0';
 +			buf[totalsize - 1] = '\0';
  			return (buf);
  		}
  	}
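Review bot: Verbatim merge of the r216224 hunk into stable/8 (only the hunk offset differs, 516 against 518), so the same observation applies here: the terminator index is now in bounds, and the unchecked `buf = realloc(buf, totalsize);` in the context lines remains as it was on head.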

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/152345: commit references a PR
Date: Thu,  7 Apr 2011 16:06:51 +0000 (UTC)

 Author: jh
 Date: Thu Apr  7 16:06:39 2011
 New Revision: 220426
 URL: http://svn.freebsd.org/changeset/base/220426
 
 Log:
   MFC r216224:
   
   Don't write the terminating NUL past end of buffer.
   
   PR:		bin/152345
 
 Modified:
   stable/7/usr.bin/truss/syscalls.c
 Directory Properties:
   stable/7/usr.bin/truss/   (props changed)
 
 Modified: stable/7/usr.bin/truss/syscalls.c
 ==============================================================================
 --- stable/7/usr.bin/truss/syscalls.c	Thu Apr  7 14:17:55 2011	(r220425)
 +++ stable/7/usr.bin/truss/syscalls.c	Thu Apr  7 16:06:39 2011	(r220426)
 @@ -475,7 +475,7 @@ get_string(pid_t pid, void *offset, int 
  			buf = realloc(buf, totalsize);
  			size = BLOCKSIZE;
  		} else {
 -			buf[totalsize] = '\0';
 +			buf[totalsize - 1] = '\0';
  			return (buf);
  		}
  	}
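Review bot: Same verbatim merge into stable/7 (offset 475); nothing new beyond the head change, and the unchecked `realloc` in the context lines is unchanged on this branch too.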
State-Changed-From-To: patched->closed 
State-Changed-By: jh 
State-Changed-When: Thu Apr 7 16:49:18 UTC 2011 
State-Changed-Why:  
Fixed in head, stable/8 and stable/7. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152345 
>Unformatted:
