From patchwork Thu Nov 9 13:18:46 2023
X-Patchwork-Submitter: Marcus Haehnel
X-Patchwork-Id: 1861986
From: Marcus Haehnel
To: devel@uclibc-ng.org
Date: Thu, 9 Nov 2023 14:18:46 +0100
Message-ID: <20231109131954.6570-1-marcus.haehnel@kernkonzept.com>
CC: Marcus Haehnel, Frank Mehnert
Subject: [uclibc-ng-devel] [PATCH] fnmatch: fix possible access beyond of parameter string
List-Id: uClibc-ng Development

In certain cases, fnmatch() could access the next byte beyond the end of the passed pattern. A triggering pattern to match is the following invocation:

    fnmatch("[A-Z[.", "F", 0)

The normal A-Z group match gets us to fnmatch_loop.c:421 and then to fnmatch_loop:599. The F in the filename matches this expression and we end up in fnmatch_loop:867, which handles skipping the rest of a bracket expression that already matched. Here we enter the case where the next chars to parse are a collating symbol starting with "[." (fnmatch_loop:918). Currently the p pointer is then advanced by one, moving it beyond the "." and to the \0 byte of the pattern string (fnmatch_loop:920). Inside the while loop the pointer is then incremented again and immediately dereferenced, reaching beyond the end of the pattern string.

The increment before the while loop must be removed, because only inside the while loop (after the other increment) is a check for the end of the string performed. This is sufficient, and the check for the end of the collating symbol is only performed if p[1] is at most the terminating \0 byte.
Signed-Off-By: Frank Mehnert --- libc/misc/fnmatch/fnmatch_loop.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libc/misc/fnmatch/fnmatch_loop.c b/libc/misc/fnmatch/fnmatch_loop.c index 32ee079a3..025510de6 100644 --- a/libc/misc/fnmatch/fnmatch_loop.c +++ b/libc/misc/fnmatch/fnmatch_loop.c @@ -917,7 +917,6 @@ FCT (const CHAR *pattern, const CHAR *string, const CHAR *string_end, } else if (c == L('[') && *p == L('.')) { - ++p; while (1) { c = *++p;
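Review bot: deleting only the pre-loop `++p;` is the correct minimal fix. On entry p still points at the '.' of "[.", so the loop's own `c = *++p;` advances onto the byte after it, and that byte is at worst the terminating \0, which the in-loop end-of-string check described in the message then catches. Two things are missing from the submission: a regression test for the invocation given in the message, fnmatch("[A-Z[.", "F", 0), which should now complete without reading past the pattern, and a Signed-off-by from the submitter (Marcus Haehnel), since the trailer carries only Frank Mehnert's and spells it with the non-standard capitalisation "Signed-Off-By".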
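The over-read described in the commit message, as an added, self-contained C model of the "[." skip loop (not uClibc-ng's code). Every read goes through a bounds-checked accessor that records an over-read instead of performing it, so the buggy and fixed variants can be compared safely; the patterns are constructed, and the loop body (including the `p[1] == ']'` check) is assumed to mirror fnmatch_loop.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed scan state: rd() refuses to read past the terminating NUL
 * and records that the loop tried to, instead of dereferencing it. */
struct scan { const char *pat; size_t len; int overread; };

static char rd(struct scan *s, size_t i)
{
    if (i > s->len) { s->overread = 1; return '\0'; }  /* beyond the string */
    return s->pat[i];
}

/* Model of the "[." skip loop (assumed to match fnmatch_loop.c). p indexes
 * the '.' of "[." on entry. Returns the index just past the closing ".]",
 * or (size_t)-1 where the original returns FNM_NOMATCH. */
static size_t skip_collsym(struct scan *s, size_t p, int buggy)
{
    if (buggy) ++p;                 /* the "++p" the patch deletes */
    for (;;) {
        char c = rd(s, ++p);        /* c = *++p in the original */
        if (c == '\0') return (size_t)-1;
        if (c == '.' && rd(s, p + 1) == ']') break;
    }
    return p + 2;
}

/* Scans the first "[." collating symbol in pattern. If overread is non-NULL,
 * stores 1 there when any read went past the NUL. */
size_t scan_collsym(const char *pattern, int buggy, int *overread)
{
    struct scan s = { pattern, strlen(pattern), 0 };
    const char *open = strstr(pattern, "[.");
    size_t end = open ? skip_collsym(&s, (size_t)(open - pattern) + 1, buggy)
                      : (size_t)-1;
    if (overread) *overread = s.overread;
    return end;
}

int overreads(const char *pattern, int buggy)
{
    int over = 0;
    scan_collsym(pattern, buggy, &over);
    return over;
}

int main(void)
{
    const char *pats[] = { "[A-Z[.", "[.a.]" };  /* reported case, well-formed case */
    for (int i = 0; i < 2; i++)
        for (int buggy = 1; buggy >= 0; buggy--)
            printf("%-7s %s: overread=%d\n", pats[i],
                   buggy ? "buggy" : "fixed", overreads(pats[i], buggy));
    return 0;
}
```

The reported pattern trips the over-read flag only with the pre-loop increment present, while the well-formed "[.a.]" is consumed identically by both variants.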