From dan@dan.emsphone.com  Mon Nov 27 23:16:13 2000
Return-Path: <dan@dan.emsphone.com>
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101])
	by hub.freebsd.org (Postfix) with ESMTP id 5895D37B400
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 27 Nov 2000 23:16:12 -0800 (PST)
Received: (from dan@localhost)
	by dan.emsphone.com (8.11.1/8.11.1) id eAS7GBO13859;
	Tue, 28 Nov 2000 01:16:11 -0600 (CST)
	(envelope-from dan)
Message-Id: <200011280716.eAS7GBO13859@dan.emsphone.com>
Date: Tue, 28 Nov 2000 01:16:11 -0600 (CST)
From: dnelson@emsphone.com (Dan Nelson)
Sender: dan@dan.emsphone.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: gcore sscanf buffer overflow
X-Send-Pr-Version: 3.2

>Number:         23150
>Category:       bin
>Synopsis:       sscanf is used on a buffer that is not NULL-terminated
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 27 23:20:00 PST 2000
>Closed-Date:    Wed Jun 6 22:26:39 PDT 2001
>Last-Modified:  Wed Jun 06 22:26:51 PDT 2001
>Originator:     Dan Nelson
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:

FreeBSD dan.emsphone.com 5.0-CURRENT FreeBSD 5.0-CURRENT #90: Sun Nov 26 13:36:50 CST 2000     dan@dan.emsphone.com:/usr/src/sys/compile/DANSMP  i386
	

>Description:

In elfcore.c, a buffer is allocated to hold the memory map of the
process being dumped.  This buffer is created with realloc(), the map
is read() into it, and the result is then passed to sscanf() without
ever being NUL-terminated.  Since -current's malloc defaults to filling
freshly allocated memory with junk, this guarantees a buffer overflow:
sscanf() keeps scanning past the end of the data it was given.
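An added example (not the PR's code, and not gcore's readmap()) of the read-then-terminate pattern the fix depends on: every realloc() reserves one byte beyond what read() may fill, and the NUL is stored only after EOF. The "start end" line format, the pipe-fed sample and count_ranges() are constructed stand-ins for the procfs map and readmap()'s sscanf() loop.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Read all of fd into a heap buffer and NUL-terminate it so sscanf() can
 * safely parse it.  Each allocation is cap + 1 bytes for cap bytes of data,
 * the same "+ 1" the PR adds to readmap().  Returns NULL on error. */
char *read_terminated(int fd)
{
    size_t cap = 0, len = 0;
    char *buf = NULL;
    for (;;) {
        if (len == cap) {                     /* first pass or buffer full */
            cap = cap ? cap * 2 : 64;         /* 64 is small so growth is hit */
            char *nbuf = realloc(buf, cap + 1);   /* +1 reserves the NUL slot */
            if (nbuf == NULL) { free(buf); return NULL; }
            buf = nbuf;
        }
        ssize_t n = read(fd, buf + len, cap - len);
        if (n == -1) { if (errno == EINTR) continue; free(buf); return NULL; }
        if (n == 0) break;                    /* EOF: everything is in buf */
        len += (size_t)n;
    }
    buf[len] = '\0';                          /* in bounds: buf holds cap + 1 */
    return buf;
}
/* Count "start end" hex ranges, one per line.  The format is constructed for
 * this example; it is not the real procfs map layout readmap() parses. */
int count_ranges(const char *text)
{
    int n = 0;
    unsigned long lo, hi;
    for (const char *p = text; *p != '\0'; p++) {
        if (sscanf(p, "%lx %lx", &lo, &hi) == 2 && hi > lo) n++;
        if ((p = strchr(p, '\n')) == NULL) break;   /* move to next line */
    }
    return n;
}
/* Push a constructed 78-byte map through a pipe so read() and the realloc
 * growth really run, then parse it.  Returns the range count (3), -1 on error. */
int demo_constructed_map(void)
{
    static const char sample[] = "0x08048000 0x08049000 r-x\n"
        "0x08049000 0x0804a000 rw-\n0xbfbf0000 0xbfc00000 rwx\n";
    int fds[2];
    if (pipe(fds) == -1) return -1;
    if (write(fds[1], sample, sizeof(sample) - 1) < 0) return -1;
    close(fds[1]);                            /* writer closed: reader sees EOF */
    char *text = read_terminated(fds[0]); close(fds[0]);
    if (text == NULL) return -1;
    int n = count_ranges(text); free(text); return n;
}
```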

	

>How-To-Repeat:

Run gcore on -current; it dumps core inside sscanf().
	

>Fix:

Index: elfcore.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/gcore/elfcore.c,v
retrieving revision 1.6
diff -b -u -p -r1.6 elfcore.c
--- elfcore.c	2000/04/18 02:39:25	1.6
+++ elfcore.c	2000/11/28 07:08:24
@@ -455,7 +455,7 @@ readmap(pid_t pid)
 	bufsize = 8 * 1024;
 	mapbuf = NULL;
 	for ( ; ; ) {
-		if ((mapbuf = realloc(mapbuf, bufsize)) == NULL)
+		if ((mapbuf = realloc(mapbuf, bufsize + 1)) == NULL)
 			errx(1, "out of memory");
 		mapsize = read(mapfd, mapbuf, bufsize);
 		if (mapsize != -1 || errno != EFBIG)
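Review bot: the `+ 1` on `realloc(mapbuf, bufsize + 1)` has no explanation in this hunk, and the NUL it reserves space for is stored in a different hunk; a short comment on that line (room for the terminator written after the read) would keep a later cleanup from trimming it back to `bufsize`. The pairing with `read(mapfd, mapbuf, bufsize)` is right as it stands: at most bufsize bytes are ever read, so index mapsize stays inside the allocation.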
@@ -470,6 +470,7 @@ readmap(pid_t pid)
 		errx(1, "empty map file %s", mapname);
 	close(mapfd);
 
+	mapbuf[mapsize] = 0;
 	pos = 0;
 	map = NULL;
 	linkp = &map;
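Review bot: `mapbuf[mapsize] = 0;` is in bounds only because the earlier hunk allocates bufsize + 1 while read() is capped at bufsize, and it assumes mapsize has already been rejected when negative (the `empty map file` errx is visible just above, the -1 check is not in this hunk); a comment on this line stating that dependency would help whoever next touches the loop. With that, the change directly addresses the unterminated-buffer sscanf() from the description.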

	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: jedgar 
Responsible-Changed-When: Thu Nov 30 08:31:12 PST 2000 
Responsible-Changed-Why:  
Misfiled PR 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23150 
State-Changed-From-To: open->closed 
State-Changed-By: jlemon 
State-Changed-When: Wed Jun 6 22:26:39 PDT 2001 
State-Changed-Why:  
Fix committed, thanks! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=23150 
>Unformatted:
 Dan Nelson
