Bug #75623 for Socket: Socket.xs heap-buffer-overflow with abstract AF

Thu Mar 08 11:26:09 2012 leonerd-cpan [...] leonerd.org.uk - Ticket created

Subject:

Socket.xs heap-buffer-overflow with abstract AF_UNIX paths

See https://rt.perl.org/rt3/Public/Bug/Display.html?id=111594 -- Paul Evans

Thu Mar 08 11:26:59 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added

Attached patch -- Paul Evans

Subject:

0001-Socket.xs-heap-buffer-overflow-with-abstract-AF_UNIX.patch

From 0ffb95f270b1e08e8ad99c36417f2ec48c4f9b05 Mon Sep 17 00:00:00 2001 From: Reini Urban <rurban@x-ray.at> Date: Tue, 6 Mar 2012 17:07:35 -0600 Subject: [PATCH] Socket.xs heap-buffer-overflow with abstract AF_UNIX paths AddressSanitizer heap-buffer-overflow on Socket.xs:718 Copy(sun_ad, &addr, sizeof(addr), char); on linux with cpan/Socket/t/Socket.t test 17 sockaddr_un can handle abstract AF_UNIX. Avoid reading past sun_ad->pv size and zero the uninitialized data. --- cpan/Socket/Socket.xs | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) diff --git a/cpan/Socket/Socket.xs b/cpan/Socket/Socket.xs index 665553c..4e69cb8 100644 --- a/cpan/Socket/Socket.xs +++ b/cpan/Socket/Socket.xs @@ -713,9 +713,15 @@ unpack_sockaddr_un(sun_sv) if (sockaddrlen != sizeof(addr)) croak("Bad arg length for %s, length is %"UVuf", should be %"UVuf, "Socket::unpack_sockaddr_un", (UV)sockaddrlen, (UV)sizeof(addr)); -# endif - Copy(sun_ad, &addr, sizeof(addr), char); +# else + if (sockaddrlen < sizeof(addr)) { + Copy(sun_ad, &addr, sockaddrlen, char); + Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char); + } else { + Copy(sun_ad, &addr, sizeof(addr), char); + } +# endif if (addr.sun_family != AF_UNIX) croak("Bad address family for %s, got %d, should be %d", -- 1.7.5.4

Thu Mar 08 11:27:00 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'new' to 'open'

Thu Mar 08 11:33:44 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added

Applied (modified) in latest source code. Will be in next release; which may be a 1.99_ddd devel, or the real 2.000. -- Paul Evans

Thu Mar 08 11:33:50 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'open' to 'patched'

Sat Mar 10 07:10:57 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added

Released as 2.000 -- Paul Evans

Sat Mar 10 07:10:59 2012 The RT System itself - Status changed from 'patched' to 'open'

Sat Mar 10 07:10:59 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'open' to 'resolved'

Sat Mar 10 07:11:09 2012 leonerd-cpan [...] leonerd.org.uk - Fixed in 2.000 added

Bug #75623 for Socket: Socket.xs heap-buffer-overflow with abstract AF_UNIX paths