RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-06-01 09:18:11 +00:00
Code Issues Activity Actions

strace: Fix out-of-bounds read when formatting realpath()

Browse source 
The actual length of the resulting string is encoded in the return
value; treating the entire buffer as a string leads to reading
uninitialized memory.
This commit is contained in:
Daniel Bertalan 2021-12-22 13:49:14 +01:00 committed by Andreas Kling
parent 8e3d1a42e3
commit a73c71e877
1 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Userland/Utilities/strace.cpp
View file

@ -452,10 +452,10 @@ static void format_getrandom(FormattedSyscallBuilder& builder, void* buffer, siz
builder.add_arguments(buffer, size, flags);
}
static void format_realpath(FormattedSyscallBuilder& builder, Syscall::SC_realpath_params* params_p)
static void format_realpath(FormattedSyscallBuilder& builder, Syscall::SC_realpath_params* params_p, size_t length)
{
auto params = copy_from_process(params_p).release_value_but_fixme_should_propagate_errors();
builder.add_arguments(StringArgument { params.path }, StringArgument { { params.buffer.data, params.buffer.size } });
builder.add_arguments(StringArgument { params.path }, StringArgument { { params.buffer.data, min(params.buffer.size, length) } });
}
static void format_exit(FormattedSyscallBuilder& builder, int status)
@ -748,7 +748,7 @@ static void format_syscall(FormattedSyscallBuilder& builder, Syscall::Function s
result_type = Ssize;
break;
case SC_realpath:
format_realpath(builder, (Syscall::SC_realpath_params*)arg1);
format_realpath(builder, (Syscall::SC_realpath_params*)arg1, (size_t)res);
break;
case SC_recvmsg:
format_recvmsg(builder, (int)arg1, (struct msghdr*)arg2, (int)arg3);