• Address concerns of Chris Palmer from the Android security team

  – possible integer overflows in memory allocation, mostly
    ‣ multiplication: all are checked now
    ‣ addition: reviewed them, most were “proven” or guessed to be
      “almost” impossible to run over (e.g. when we have a string
      whose length is taken it is assumed that the length will be
      more than only a few bytes below SIZE_MAX, since code and
      stack have to fit); some are checked now (e.g. when one of
      the summands is an off_t); most of the unchecked ones are
      annotated now
    ⇒ cost (MirBSD/i386 static): +76 .text
    ⇒ cost (Debian sid/i386): +779 .text  -4 .data
  – on Linux targets, setuid() setresuid() setresgid() can fail
    with EAGAIN; check for that and, if so, warn once and retry
    infinitely (other targets to be added later once we know that
    they are “insane”)
    ⇒ cost (Debian sid/i386): +192 .text (includes .rodata)
• setmode.c: Do overflow checking for realloc() too; switch back
  from calloc() to a checked malloc() for simplification while there
• define -DIN_MKSH and let setmode.c look a tad nicer while here
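The two classes of check the message describes (a multiplication guard in front of an allocation, and an addition guard where one summand is an off_t) shown together in C. This is an added example and not mksh code; the helper names (mul_would_overflow, aresize_checked, size_for_read, demo_grow_history) are this example's own and only mimic the shape of the alloc2()/aresize2()/notoktoadd() calls in the commit.

```c
/* Added example, not mksh code: overflow-checked allocation helpers in the
 * style of the alloc2()/aresize2()/notoktoadd() calls this commit introduces.
 * All names below are this example's own, not mksh's. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Nonzero if a + b wraps around in size_t. */
static int add_would_overflow(size_t a, size_t b)
{
	return a > SIZE_MAX - b;
}

/* Nonzero if nmemb * size wraps in size_t (the histsize * sizeof(char *) case). */
static int mul_would_overflow(size_t nmemb, size_t size)
{
	return size != 0 && nmemb > SIZE_MAX / size;
}

/* Checked realloc(): refuses the request (NULL, errno = EOVERFLOW) instead of
 * passing a wrapped, far-too-small byte count on to realloc(). */
static void *aresize_checked(void *p, size_t nmemb, size_t size)
{
	if (mul_would_overflow(nmemb, size)) {
		errno = EOVERFLOW;
		return NULL;
	}
	return realloc(p, nmemb * size);
}

/* The off_t + small-constant case (stat().st_size + 1 before reading a file).
 * off_t is signed and may be wider than size_t, so reject negative values and
 * values that do not fit in size_t before the addition, rather than letting
 * the value narrow silently. Returns 1 and stores st_size + extra in *out on
 * success, 0 when the sum cannot be represented. */
static int size_for_read(off_t st_size, size_t extra, size_t *out)
{
	if (st_size < 0)
		return 0;
	if ((uintmax_t)st_size > (uintmax_t)SIZE_MAX)
		return 0;
	if (add_would_overflow((size_t)st_size, extra))
		return 0;
	if (out)
		*out = (size_t)st_size + extra;
	return 1;
}

/* Grow a pointer array the way a history buffer is resized: 4 to 8 entries,
 * then an impossible count. Returns 1 if both behave as expected. */
static int demo_grow_history(void)
{
	char **history = aresize_checked(NULL, 4, sizeof(char *));
	char **bigger;
	size_t i;
	int ok = 1;

	if (history == NULL)
		return 0;
	for (i = 0; i < 4; i++)
		history[i] = NULL;

	bigger = aresize_checked(history, 8, sizeof(char *));
	if (bigger == NULL)
		ok = 0;
	else
		history = bigger;

	/* SIZE_MAX / 2 + 1 elements of 2 bytes: the product wraps to exactly 0 */
	errno = 0;
	if (aresize_checked(NULL, SIZE_MAX / 2 + 1, 2) != NULL || errno != EOVERFLOW)
		ok = 0;

	free(history);
	return ok;
}

int main(void)
{
	size_t n = 0;

	printf("4096-byte file + 1: %s (%zu)\n",
	    size_for_read(4096, 1, &n) ? "ok" : "overflow", n);
	printf("negative st_size: %s\n",
	    size_for_read(-1, 1, &n) ? "ok" : "rejected");
	printf("history growth: %s\n", demo_grow_history() ? "ok" : "FAILED");
	return 0;
}
```

The design point is that the guard compares in the widest type involved before any narrowing conversion happens; a check applied after an off_t has already been truncated to size_t catches nothing on an ILP32 build with 64-bit file offsets.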
tg
2010-09-14 21:26:19 +00:00
parent 08862021ee
commit 667d792d6a
18 changed files with 204 additions and 96 deletions
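The "warn once, retry on EAGAIN" policy the commit message describes for setuid()/setresuid()/setresgid() on Linux, as an added example that is not mksh code. The id-changing call is passed in as a function pointer so the loop can be exercised with a constructed fake that fails a few times, without needing root; setid_fn, set_ids_retry_eagain, verify_uid_is and the fake_* functions are this example's own names.

```c
/* Added example, not mksh code: retry a privilege-changing call on EAGAIN
 * (which Linux can return when the target uid would exceed RLIMIT_NPROC),
 * warning only once, and refuse to continue on any other error. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setid_fn)(uid_t, uid_t, uid_t);

/* Calls fn(r, e, s) until it succeeds, retrying without bound on EAGAIN and
 * printing the warning only on the first such failure. Returns the number of
 * attempts on success, or -1 (errno preserved) for any other error, in which
 * case the caller must not carry on as if privileges had been dropped. */
static int set_ids_retry_eagain(setid_fn fn, uid_t r, uid_t e, uid_t s)
{
	int attempts = 0;
	int warned = 0;

	for (;;) {
		attempts++;
		if (fn(r, e, s) == 0)
			return attempts;
		if (errno != EAGAIN)
			return -1;
		if (!warned) {
			fprintf(stderr,
			    "warning: changing ids failed with EAGAIN, retrying\n");
			warned = 1;
		}
		/* a production loop would usually sleep briefly here */
	}
}

/* After dropping, confirm the real and effective uid are what was requested:
 * a drop that "succeeded" but left euid != uid is a bug, not a warning. */
static int verify_uid_is(uid_t expected)
{
	return getuid() == expected && geteuid() == expected;
}

/* --- constructed fakes standing in for setresuid() --- */
static int fake_calls;

/* Fails with EAGAIN twice, then succeeds. */
static int fake_eagain_twice(uid_t r, uid_t e, uid_t s)
{
	(void)r; (void)e; (void)s;
	if (++fake_calls <= 2) {
		errno = EAGAIN;
		return -1;
	}
	return 0;
}

/* Always fails with EPERM: the non-retryable case. */
static int fake_eperm(uid_t r, uid_t e, uid_t s)
{
	(void)r; (void)e; (void)s;
	errno = EPERM;
	return -1;
}

/* Runs the retry loop against fake_eagain_twice; returns the attempt count (3). */
static int demo_retry(void)
{
	fake_calls = 0;
	return set_ids_retry_eagain(fake_eagain_twice, 1000, 1000, 1000);
}

int main(void)
{
	printf("attempts with transient EAGAIN: %d\n", demo_retry());
	printf("non-retryable error returns: %d\n",
	    set_ids_retry_eagain(fake_eperm, 1000, 1000, 1000));
	/* With the real call (needs _GNU_SOURCE for setresuid on glibc):
	 *   if (set_ids_retry_eagain(setresuid, uid, uid, uid) < 0) abort();
	 *   if (!verify_uid_is(uid)) abort();
	 */
	printf("current uid consistent: %d\n", verify_uid_is(getuid()));
	return 0;
}
```

Two points a practitioner wants alongside the retry: only EAGAIN is retried, every other failure is fatal because continuing with the original credentials is the dangerous outcome; and the gid/supplementary groups are changed before the uid, since after the uid drop the process can no longer change them.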


@@ -26,7 +26,7 @@
#include <sys/file.h>
#endif
__RCSID("$MirOS: src/bin/mksh/histrap.c,v 1.101 2010/08/28 20:22:18 tg Exp $");
__RCSID("$MirOS: src/bin/mksh/histrap.c,v 1.102 2010/09/14 21:26:13 tg Exp $");
/*-
* MirOS: This is the default mapping type, and need not be specified.
@@ -92,6 +92,8 @@ c_fc(const char **wp)
sflag = true;
else {
size_t len = strlen(p);
/* almost certainly not overflowing */
editor = alloc(len + 4, ATEMP);
memcpy(editor, p, len);
memcpy(editor + len, " $_", 4);
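Review bot: the new `/* almost certainly not overflowing */` above `editor = alloc(len + 4, ATEMP);` says that the addition is safe but not why, so the next reader has to rederive it; state the invariant the annotation rests on, e.g. `/* len + 4 cannot wrap: p is a NUL-terminated string already in memory, so len < SIZE_MAX - 4 */`. Annotating rather than checking is the right call here, matching the "annotated, not checked" class from the commit message, since a string that exists in the address space cannot be within four bytes of SIZE_MAX.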
@@ -269,7 +271,17 @@ c_fc(const char **wp)
return (1);
}
n = stat(tf->name, &statb) < 0 ? 128 : statb.st_size + 1;
if (stat(tf->name, &statb) < 0)
n = 128;
else {
if (notoktoadd(statb.st_size, 1 + X_EXTRA)) {
bi_errorf(T_intovfl,
(unsigned long)statb.st_size, '+',
1UL + X_EXTRA);
goto errout;
}
n = statb.st_size + 1;
}
Xinit(xs, xp, n, hist_source->areap);
while ((n = shf_read(xp, Xnleft(xs, xp), shf)) > 0) {
xp += n;
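Review bot: `notoktoadd(statb.st_size, 1 + X_EXTRA)` is only an effective check if notoktoadd() takes its first argument in a type at least as wide as off_t; on an ILP32 build with 64-bit file offsets (the Debian sid/i386 configuration from the commit message), an off_t implicitly narrowed to size_t before the comparison wraps first, so a file of 4 GiB plus a few bytes would pass and yield a tiny `n`. Please confirm the prototype. On the same configuration the `(unsigned long)statb.st_size` cast in the bi_errorf() call truncates the size reported in the diagnostic; if T_intovfl permits, print it through a wider type. The check uses `1 + X_EXTRA` while the assignment is `n = statb.st_size + 1`; if that is because Xinit() adds X_EXTRA internally, a one-line comment saying so would stop the mismatch from reading like a bug.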
@@ -279,6 +291,7 @@ c_fc(const char **wp)
if (n < 0) {
bi_errorf("can't %s temporary file %s: %s",
"read", tf->name, strerror(shf_errno(shf)));
errout:
shf_close(shf);
return (1);
}
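Review bot: the `errout:` label sits inside the body of `if (n < 0) {`, so the `goto errout` from the overflow check enters that block past its condition. That is valid C, but a label buried in a nested block is easy to miss when the error handling is later reordered; a short comment at the label naming the jump site (`/* reached from the st_size overflow check */`) would help, and it is worth double-checking that shf is already open at the stat() call so `shf_close(shf)` on the overflow path never runs on an unopened handle.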
@@ -532,7 +545,7 @@ sethistsize(int n)
cursize = n;
}
history = aresize(history, n * sizeof(char *), APERM);
history = aresize2(history, n, sizeof(char *), APERM);
histsize = n;
histptr = history + cursize;
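Review bot: `n` is an int in `sethistsize(int n)`, so a negative value converted to the size_t count parameter of aresize2() becomes a huge element count that the new overflow check will reject. That is a safe failure mode, but a confusing diagnostic for the user; if the caller does not already reject n <= 0, a bounds check before `history = aresize2(history, n, sizeof(char *), APERM);` would give a clearer error.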
@@ -583,7 +596,7 @@ init_histvec(void)
{
if (history == (char **)NULL) {
histsize = HISTORYSIZE;
history = alloc(histsize * sizeof(char *), APERM);
history = alloc2(histsize, sizeof(char *), APERM);
histptr = history - 1;
}
}
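Review bot: HISTORYSIZE is a compile-time constant, so `histsize * sizeof(char *)` could never wrap and the move to `alloc2(histsize, sizeof(char *), APERM)` is for consistency rather than a fix, which is fine but worth a word in the commit message. Separately, and pre-existing rather than introduced here: `histptr = history - 1;` forms a pointer one element before the start of the allocation, which is undefined behaviour in C even if it is never dereferenced, and a compiler is entitled to assume the pointer is in bounds. Representing "empty history" with `histptr == history` plus an explicit count would avoid relying on it.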