• Address concerns of Chris Palmer from the Android security team

– possible integer overflows in memory allocation, mostly
    ‣ multiplication: all are checked now
    ‣ addition: reviewed them, most were “proven” or guessed to be
      “almost” impossible to run over (e.g. when we have a string
      whose length is taken it is assumed that the length will be
      more than only a few bytes below SIZE_MAX, since code and
      stack have to fit); some are checked now (e.g. when one of
      the summands is an off_t); most of the unchecked ones are
      annotated now
    ⇒ cost (MirBSD/i386 static): +76 .text
    ⇒ cost (Debian sid/i386): +779 .text  -4 .data
  – on Linux targets, setuid() setresuid() setresgid() can fail
    with EAGAIN; check for that and, if so, warn once and retry
    infinitely (other targets to be added later once we know that
    they are “insane”)
    ⇒ cost (Debian sid/i386): +192 .text (includes .rodata)
• setmode.c: Do overflow checking for realloc() too; switch back
  from calloc() to a checked malloc() for simplification while there
• define -DIN_MKSH and let setmode.c look a tad nicer while here
tg
2010-09-14 21:26:19 +00:00
parent 08862021ee
commit 667d792d6a
18 changed files with 204 additions and 96 deletions

12
lex.c

@@ -22,7 +22,7 @@
#include "sh.h"
__RCSID("$MirOS: src/bin/mksh/lex.c,v 1.120 2010/08/28 20:22:20 tg Exp $");
__RCSID("$MirOS: src/bin/mksh/lex.c,v 1.121 2010/09/14 21:26:14 tg Exp $");
/*
* states while lexing word
@@ -1446,7 +1446,7 @@ getsc_line(Source *s)
int linelen;
linelen = Xlength(s->xs, xp);
XcheckN(s->xs, xp, fc_e_n + /* NUL */ 1);
XcheckN(s->xs, xp, Tn_fc_e_ + /* NUL */ 1);
/* reload after potential realloc */
cp = Xstring(s->xs, xp);
/* change initial '!' into space */
@@ -1454,10 +1454,10 @@ getsc_line(Source *s)
/* NUL terminate the current string */
*xp = '\0';
/* move the actual string forward */
memmove(cp + fc_e_n, cp, linelen + /* NUL */ 1);
xp += fc_e_n;
memmove(cp + Tn_fc_e_, cp, linelen + /* NUL */ 1);
xp += Tn_fc_e_;
/* prepend it with "fc -e -" */
memcpy(cp, fc_e_, fc_e_n);
memcpy(cp, T_fc_e_, Tn_fc_e_);
}
#endif
s->start = s->str = cp;
@@ -1749,7 +1749,7 @@ getsc_bn(void)
static Lex_state *
push_state_(State_info *si, Lex_state *old_end)
{
Lex_state *news = alloc(STATE_BSIZE * sizeof(Lex_state), ATEMP);
Lex_state *news = alloc2(STATE_BSIZE, sizeof(Lex_state), ATEMP);
news[0].ls_info.base = old_end;
si->base = &news[0];