From a73c71e87743c366f6b374d38309167717ec362f Mon Sep 17 00:00:00 2001
From: Daniel Bertalan
Date: Wed, 22 Dec 2021 13:49:14 +0100
Subject: [PATCH] strace: Fix out-of-bounds read when formatting realpath()

The actual length of the resulting string is encoded in the return value; treating the entire buffer as a string leads to reading uninitialized memory.
---
 Userland/Utilities/strace.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Userland/Utilities/strace.cpp b/Userland/Utilities/strace.cpp
index a945e084ac..f8e7c9cf8a 100644
--- a/Userland/Utilities/strace.cpp
+++ b/Userland/Utilities/strace.cpp
@@ -452,10 +452,10 @@ static void format_getrandom(FormattedSyscallBuilder& builder, void* buffer, siz
 builder.add_arguments(buffer, size, flags);
 }
 
-static void format_realpath(FormattedSyscallBuilder& builder, Syscall::SC_realpath_params* params_p)
+static void format_realpath(FormattedSyscallBuilder& builder, Syscall::SC_realpath_params* params_p, size_t length)
 {
 auto params = copy_from_process(params_p).release_value_but_fixme_should_propagate_errors();
-builder.add_arguments(StringArgument { params.path }, StringArgument { { params.buffer.data, params.buffer.size } });
+builder.add_arguments(StringArgument { params.path }, StringArgument { { params.buffer.data, min(params.buffer.size, length) } });
 }
 
 static void format_exit(FormattedSyscallBuilder& builder, int status)
@@ -748,7 +748,7 @@ static void format_syscall(FormattedSyscallBuilder& builder, Syscall::Function s
 result_type = Ssize;
 break;
 case SC_realpath:
-format_realpath(builder, (Syscall::SC_realpath_params*)arg1);
+format_realpath(builder, (Syscall::SC_realpath_params*)arg1, (size_t)res);
 break;
 case SC_recvmsg:
 format_recvmsg(builder, (int)arg1, (struct msghdr*)arg2, (int)arg3);
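Review bot: The new `min(params.buffer.size, length)` bound in format_realpath (first hunk) only narrows the read when the syscall succeeded: in the second hunk `length` is produced by `(size_t)res`, and if `res` carries a negative errno on failure (its declared type is outside the hunk, but the explicit cast and the neighbouring `result_type = Ssize` suggest it is signed), the cast yields a huge value, `min()` selects `params.buffer.size`, and the formatter again reads the whole, still-uninitialized buffer that this commit sets out to stop reading. Clamping at the call site closes that path, e.g. `format_realpath(builder, (Syscall::SC_realpath_params*)arg1, res < 0 ? 0 : (size_t)res);`, or format_realpath could accept the signed result and clamp internally so every caller gets the same treatment. The meaning of the new parameter is also worth stating at the declaration, e.g. `// length: the realpath() return value, i.e. how many bytes of buffer were actually written; bytes past it are uninitialized` (whether that count includes the terminating NUL is not visible here and should be confirmed against the kernel side). The `switch` in format_syscall that the second hunk edits begins and ends outside the hunk.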