search

cptaffe / plan9front

Automatically exported from code.google.com/p/plan9front
0 stars 0 forks source link

buffer overflow in kbmap.c #230

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
A buffer can be overflowed in the init function of kbmap.c by using a filename 
of more than 112 characters.

sample output:

% cd /sys/lib/kbmap
% touch 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
% kbmap
kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df

offending code is most likely the call to sprint in the init function of 
/sys/src/cmd/kbmap.c, which in this case writes /sys/lib/kbmap/$file to a 
128-bit buffer.

I'm willing to submit a patch for this myself along with a few minor 
improvements/fixes to kbmap if I can figure out the nuances of doing so.

--silasm

Original issue reported on code.google.com by inksw...@gmail.com on 10 Dec 2014 at 10:07

GoogleCodeExporter commented 9 years ago 
fixed, thanks!

Original comment by cinap_le...@felloff.net on 11 Dec 2014 at 5:33