| Subject: | Buffer overflow in readlink() and readlinkat() due to failure to add null terminator |
| Date: | Sun, 22 Jun 2014 19:32:51 -0700 |
| To: | bug-POSIX-2008 [...] rt.cpan.org |
| From: | "Matt T. Yourst" <yourst [...] yourst.com> |
I found a fairly serious bug in POSIX::2008's implementation of readlink()
and readlinkat(). The underlying syscalls do not add any null terminator
byte at the end of the output buffer, but _readlink50c() in 2008.XS also
fails to add a null terminator before returning the result string to perl.
This results in arbitrary memory contents being visible in the result
returned to perl code by readlink() and readlinkat(). At the very least,
this causes failures in any downstream code that attempts to access
whatever filename (plus the erroneous garbage) was linked to.
In theory it could also be a major security leak (depending on what was in
the returned string before it was partially overwritten by readlink()),
since it's basically the read-only equivalent of a buffer overflow.
I've attached a patch for 2008.XS that fixes this (apply with 'patch -p1'),
and also replaces the unnecessary choice between readlink() and
readlinkat() syscalls with AT_FDCWD and readlinkat().
I'm not sure how this went unnoticed for this long, but I suspect it was
probably because it's unusual to import readlink() from POSIX::2008 when
there is already a built-in equivalent, plus readlinkat() is not used very
often (which is unfortunate since it can really improve efficiency).
Hopefully you can merge the attached patch to finally fix this bug...
- Matt
-------------------------------------------------------
Matt T. Yourst yourst@yourst.com
-------------------------------------------------------
Message body is not shown because sender requested not to inline it.