search

i3 / i3status

Generates status bar to use with i3bar, dzen2 or xmobar
BSD 3-Clause "New" or "Revised" License
598 stars 251 forks source link

maybe_escape_markup: Make function memory-safe #526

Closed orestisfl closed 4 months ago

orestisfl commented 4 months ago

This fixes #492 and an additional buffer overflow that can happen when pango markup is enabled.

Using config

general {
        output_format = "none"
        markup = "pango"
}

order += "wireless _first_"

wireless _first_ {
  format_up = "W: (%quality at %essid, %bitrate) %ip"
}

and renaming my phone's hotspot to Hello world &<<<<<<hello world>> i3status will throw an AddressSanitizer error:

==1373240==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7411d720923e at pc 0x7411daa7cee9 bp 0x7ffdae6ce070 sp 0x7ffdae6cd800
WRITE of size 5 at 0x7411d720923e thread T0
    #0 0x7411daa7cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765
    #1 0x7411daa7d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808
    #2 0x653b2764cdaf in maybe_escape_markup ../src/output.c:102
    #3 0x653b27677df9 in print_wireless_info ../src/print_wireless_info.c:607
    #4 0x653b27640bf1 in main ../i3status.c:709
    #5 0x7411da641ccf  (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9)
    #6 0x7411da641d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9)
    #7 0x653b27633f24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275)

Address 0x7411d720923e is located in stack of thread T0 at offset 574 in frame
    #0 0x653b276750ed in print_wireless_info ../src/print_wireless_info.c:513

  This frame has 10 object(s):
    [48, 56) 'tmp' (line 604)
    [80, 168) 'info' (line 516)
    [208, 320) 'placeholders' (line 623)
    [352, 382) 'string_quality' (line 569)
    [416, 446) 'string_signal' (line 570)
    [480, 510) 'string_noise' (line 571)
    [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable
    [608, 638) 'string_frequency' (line 573)
    [672, 702) 'string_ip' (line 574)
    [736, 766) 'string_bitrate' (line 575)

With pango disabled, the error is thrown elsewhere (#492):

==1366779==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7bab43a0923e at pc 0x7bab4727cee9 bp 0x7ffc289d2540 sp 0x7ffc289d1cd0
WRITE of size 33 at 0x7bab43a0923e thread T0
    #0 0x7bab4727cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765
    #1 0x7bab4727d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808
    #2 0x5dd180858aa4 in maybe_escape_markup ../src/output.c:93
    #3 0x5dd180883df9 in print_wireless_info ../src/print_wireless_info.c:607
    #4 0x5dd18084cbf1 in main ../i3status.c:709
    #5 0x7bab46843ccf  (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9)
    #6 0x7bab46843d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9)
    #7 0x5dd18083ff24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275)

Address 0x7bab43a0923e is located in stack of thread T0 at offset 574 in frame
    #0 0x5dd1808810ed in print_wireless_info ../src/print_wireless_info.c:513

  This frame has 10 object(s):
    [48, 56) 'tmp' (line 604)
    [80, 168) 'info' (line 516)
    [208, 320) 'placeholders' (line 623)
    [352, 382) 'string_quality' (line 569)
    [416, 446) 'string_signal' (line 570)
    [480, 510) 'string_noise' (line 571)
    [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable
    [608, 638) 'string_frequency' (line 573)
    [672, 702) 'string_ip' (line 574)
    [736, 766) 'string_bitrate' (line 575)

With the patch output is correct:

W: ( 72% at Hello world &amp;&lt;&lt;&lt;&lt;&lt;&lt;hello world&gt;&gt;, 1,2009 Gb/s) 192.168.26.237

and

W: ( 73% at Hello world &<<<<<<hello world>>, 1,1342 Gb/s) 192.168.26.237

The patch changes the maybe_escape_markup function to use dynamic allocation instead of a static buffer. Confusing pointer arithmetic is replaced with index-based memory access. The buffer pointer does not move around except for reallocations.

Fixes #492 Closes #525 (alternative PR) CC @stapelberg @xstefank @raefko @mahrud