incorrect argument to file_printable in [PATCH] PR/62
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| file (Ubuntu) | Fix Released | Undecided | Marc Deslauriers | |
| Xenial | Fix Released | Medium | Marc Deslauriers | |
| Bionic | Fix Released | Medium | Marc Deslauriers | |
| Eoan | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Groovy | Fix Released | Undecided | Marc Deslauriers | |
Bug Description
In the last patch below:
+From d65781527c8134a
+From: Christos Zoulas <email address hidden>
+Date: Mon, 18 Feb 2019 17:46:56 +0000
+Subject: [PATCH] PR/62: spinpx: limit size of file_printable.
+======
+--- file-5.
++++ file-5.
+@@ -725,7 +725,7 @@ do_core_note(struct magic_set *ms, unsig
+ if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+ "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
+ file_printable(
+- CAST(char *, pi.cpi_name)),
++ RCAST(char *, pi.cpi_name), sizeof(
+ elf_getu32(swap, pi.cpi_pid),
+ elf_getu32(swap, pi.cpi_euid),
+ elf_getu32(swap, pi.cpi_egid),
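Review bot: the argument to `sizeof(` on the `++ RCAST(char *, pi.cpi_name), sizeof(` line is cut off in this quote, so the length actually passed to file_printable cannot be checked from the hunk as shown; whatever the operand is, it has to be the storage behind cpi_name, not the `char *` produced by the RCAST, because sizeof applied to the cast expression yields the pointer width. Please quote the complete line so the operand can be verified.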
+@@ -1564,7 +1564,8 @@ dophn_exec(struct magic_set *ms, int cla
+ return -1;
+ if (interp[0])
+ if (file_printf(ms, ", interpreter %s",
+- file_printable(
++ file_printable(
++ == -1)
+ return -1;
+ return 0;
+ }
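Review bot: the `slen` argument on the `++ file_printable(` line is truncated in the quote, but the report below states that it is sizeof(interp) with interp declared as `char *`; that evaluates to sizeof(char *), so the interpreter string is capped at 8 bytes on x86-64 (4 on 32-bit), which matches the `/lib64/l` output shown. The length passed should be the capacity of the buffer interp points to (the report suggests `sizeof(char) * length_of_buffer`), and a regression test on a binary whose PT_INTERP path is longer than 8 bytes would catch this truncation.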
sizeof(interp) is passed to file_printable as the `slen' parameter. Since interp is of type `char *', sizeof(interp) will be a constant value of 8 or 4 for different pointer widths; this limits the `interpreter' extraction for ELF files to 8 bytes under x64.
An example of this, under Ubuntu 18.04:
$ file /bin/dash
/bin/dash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked,
interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[
bf8d645219e, stripped
Notice that the interpreter portion is `/lib64/l', which is 8 bytes long and only a part of the actual interpreter path.
The `slen' parameter here should be something like `sizeof(char) * length_of_buffer' instead of sizeof(char *).
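The pitfall the report describes, sizeof applied to a pointer rather than to the buffer it points at, as an added example in C. This is not code from the bug report or from the file project: `printable_copy` is a hypothetical stand-in for file_printable, and `INTERP_MAX`, `SAMPLE_INTERP` and `struct core_proc_info` are assumptions made for the example. It also shows the contrast with the first hunk, where the operand of sizeof is an array member and the result is correct.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libmagic's file_printable(), written for this example (not
 * the project's code): copy at most `slen` bytes of `str` into `buf`, stop
 * at a NUL, and replace non-printable bytes with '?'. */
static const char *printable_copy(char *buf, size_t bufsiz,
                                  const char *str, size_t slen)
{
    size_t i;
    for (i = 0; i < slen && i + 1 < bufsiz && str[i] != '\0'; i++)
        buf[i] = isprint((unsigned char)str[i]) ? str[i] : '?';
    buf[i] = '\0';
    return buf;
}

#define INTERP_MAX 64   /* assumed capacity of the interpreter buffer */

/* Constructed sample: an interpreter path as it would be read from PT_INTERP. */
static const char SAMPLE_INTERP[] = "/lib64/ld-linux-x86-64.so.2";

/* Mirrors the report's defect: `interp` is a `char *`, so sizeof(interp) is
 * the pointer width (8 on x86-64) and the string is cut at that length.
 * Writes the result into `out` and returns its length. */
size_t interp_buggy(char *out, size_t outsiz)
{
    char storage[INTERP_MAX] = {0};
    char *interp = storage;
    memcpy(storage, SAMPLE_INTERP, sizeof SAMPLE_INTERP);
    printable_copy(out, outsiz, interp, sizeof(interp));   /* == sizeof(char *) */
    return strlen(out);
}

/* Corrected call: pass the capacity of the storage `interp` points to
 * (sizeof(char) * INTERP_MAX, as the report suggests), not the pointer size. */
size_t interp_fixed(char *out, size_t outsiz)
{
    char storage[INTERP_MAX] = {0};
    char *interp = storage;
    memcpy(storage, SAMPLE_INTERP, sizeof SAMPLE_INTERP);
    printable_copy(out, outsiz, interp, sizeof(char) * INTERP_MAX);
    return strlen(out);
}

/* Contrast with the first hunk: when the field is an array member rather
 * than a pointer, sizeof(field) is the array's capacity and is correct. */
struct core_proc_info {          /* assumed shape, modelled on pi.cpi_name */
    char cpi_name[32];
};

size_t name_len_from_struct(char *out, size_t outsiz)
{
    struct core_proc_info pi;
    memset(&pi, 0, sizeof pi);
    memcpy(pi.cpi_name, "dash", 5);
    printable_copy(out, outsiz, pi.cpi_name, sizeof(pi.cpi_name));  /* 32 */
    return strlen(out);
}

int main(void)
{
    char out[INTERP_MAX];
    size_t n;
    n = interp_buggy(out, sizeof out);
    printf("sizeof(char *) as slen: %s (%zu bytes)\n", out, n);
    n = interp_fixed(out, sizeof out);
    printf("buffer capacity as slen: %s (%zu bytes)\n", out, n);
    n = name_len_from_struct(out, sizeof out);
    printf("array member as slen:   %s (%zu bytes)\n", out, n);
    return 0;
}
```

On an x86-64 build the first line prints exactly 8 bytes, `/lib64/l`, reproducing the truncated output in the report; the second prints the full path. The general check when reviewing such calls is to ask whether the operand of sizeof is an array (capacity) or a pointer (always 4 or 8).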
tags: added: regression-update
Changed in file (Ubuntu Eoan): status: New → Fix Released
Changed in file (Ubuntu Focal): status: New → Fix Released
Changed in file (Ubuntu Groovy): status: Confirmed → Fix Released
Changed in file (Ubuntu Xenial): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in file (Ubuntu Bionic): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in file (Ubuntu Xenial): status: New → In Progress
Changed in file (Ubuntu Bionic): status: New → In Progress
Changed in file (Ubuntu Xenial): importance: Undecided → Medium
Changed in file (Ubuntu Bionic): importance: Undecided → Medium
The patch creating the issue was added in https://launchpad.net/ubuntu/+source/file/1:5.25-2ubuntu1.2