[Hostname-devel] Bug#829010: hostname: memory error: reading data from uninitialized memory
Marko Dimjašević
marko at cs.utah.edu
Wed Jun 29 19:16:35 UTC 2016
Dear all,
My apologies for a clumsy bug report. It's the first time I'm submitting
one.
Besides the details about my OS in the initial email, here is what I wanted
to write.
Package: hostname
Version: 3.15 and 3.17
When hostname is invoked with an argument "-F/" (without quotes), it
reads from uninitialized memory. I found this bug together with
professors Cristian Cadar and Zvonimir Rakamaric while working on a
project that aims to analyze programs from Debian GNU/Linux with a tool
called KLEE:
https://klee.github.io/
In particular, Cristian Cadar described the error in hostname as follows
(line numbers are for version 3.15):
"I have debugged "hostname -F/" and it is indeed a bug in hostname, a
rather interesting one which could cause hostname to perform an
unbounded number of out-of-bound reads.
Here is what happens:
1) On line 413, a buf is allocated using malloc():
buf = (char *) malloc(st.st_size + 1)
2) Nothing is ever written into this buffer
3) set_name(enum type_t type, char *name) is invoked with buf as the
second argument
4) On line 220 in set_name, strlen(name) is called. Since the memory to
which name points was allocated but _never_ initialized, the entire
buffer could have no NUL characters inside, in which case strlen will
continue to dereference invalid memory. It will keep doing this until
it encounters a NUL character. Depending on when this happens, the
program could segfault."
The bug can be fixed if the call to malloc from step 1) is replaced
with:
buf = (char *) calloc(st.st_size + 1, sizeof(char))
--
Kind regards,
Marko Dimjašević <marko at cs.utah.edu> . University of Utah
https://dimjasevic.net/marko . PGP key ID: 1503F0AA
Learn email self-defense! https://emailselfdefense.fsf.org
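As an added illustration of the read path Cristian Cadar describes (example code, not hostname's own), the C function below takes the calloc() fix from the report one step further: it also refuses non-regular files such as "/" and checks the read() result, so a buffer nothing has written to is never handed to strlen(). The write_temp_file() helper and the /tmp path are assumptions made only for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read the first line of 'path' into a new NUL-terminated string.  Returns
 * NULL when the file cannot be opened, is not a regular file (e.g. "/") or
 * cannot be read: exactly the cases where hostname 3.15 went on to call
 * strlen() on a buffer nothing had ever written to. */
char *read_name_file(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return NULL;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);                    /* "-F/" ends here: "/" is a directory */
        return NULL;
    }
    /* calloc(), the fix from the report: the buffer is all-NUL up front,
     * so strlen() terminates even if read() returns short or fails. */
    char *buf = calloc((size_t)st.st_size + 1, sizeof(char));
    if (buf == NULL) { close(fd); return NULL; }
    ssize_t n = read(fd, buf, (size_t)st.st_size);
    close(fd);
    if (n < 0) { free(buf); return NULL; }   /* e.g. EISDIR: never trust buf */
    buf[n] = '\0';                           /* terminate at bytes actually read */
    buf[strcspn(buf, "\r\n")] = '\0';        /* keep the first line only */
    return buf;
}

/* Demonstration helper: writes constructed contents to a temp file and
 * returns its path (static buffer, overwritten on each call). */
const char *write_temp_file(const char *contents)
{
    static char path[64];
    snprintf(path, sizeof path, "/tmp/hostname-example-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    if (write(fd, contents, strlen(contents)) < 0) { close(fd); return NULL; }
    close(fd);
    return path;
}
```

Calling read_name_file("/") returns NULL instead of reading past an unwritten buffer, while a regular file containing "myhost.example\n" yields "myhost.example".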