Bug 114661

Summary: Possible buffer overflows in kudzu code (readlink usage)
Product: Fedora
Reporter: Yaroslav Popovitch <yp>
Component: kudzu
Assignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 1
CC: mitr, rvokal, yp
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 1.1.116-1
Doc Type: Bug Fix
Last Closed: 2005-04-28 18:08:45 UTC
Attachments: examples of code with errors (flags: none)

Description Yaroslav Popovitch 2004-01-30 20:11:42 UTC
Description of problem:
Possible buffer overflows in kudzu's readlink code, possible security
vulnerability.

<FYI>
int readlink(const char *path, char *buf, size_t bufsiz);

readlink places the contents of the symbolic link path in the
buffer buf, which has size bufsiz. readlink does not append a NUL
character to buf. It will truncate the contents (to a length of
bufsiz characters), in case the buffer is too small to hold all of the
contents.
</FYI>

Readlink does not append a NULL character to buf. In kudzu's code the
NULL character is set using memset before calling readlink. In some
cases, if bufsiz is equal to the length of the buffer, we have a string
which is not terminated by NULL; as a result, there are possible buffer
overflows.

hwconf.c:227:   if (readlink(path,path2,256)>0) {
serial.c:954:   if (readlink("/dev/modem",lockfile,32)>0) {

Version-Release number of selected component (if applicable):
- the latest CVS version, kudzu-1.1.36-1

How reproducible:
The general idea is to create a link with the same name as one used by
kudzu. The contents of the link must be longer than or equal to the buffer length.

Expected results:
Possible seg. faults.
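As an added illustration (not code from the report or from kudzu), here is the unsafe call pattern the report describes beside a hardened wrapper that reserves the terminator byte and reports truncation, exercised against a constructed over-long symlink in a scratch directory; `readlink_z` and `demo_overlong_link` are names chosen here.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* readlink(2) wrapper that always NUL-terminates and reports truncation.
 * Returns the target length, -1 on error (errno set), or -2 when the
 * target did not fit (buf then holds a NUL-terminated prefix). */
ssize_t readlink_z(const char *path, char *buf, size_t bufsiz)
{
    if (bufsiz == 0) { errno = EINVAL; return -1; }
    /* Reserve one byte for the terminator instead of passing the full size. */
    ssize_t n = readlink(path, buf, bufsiz - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    /* Every offered byte was used: the real target may be longer. */
    return ((size_t)n == bufsiz - 1) ? -2 : n;
}

/* Demo with a constructed symlink whose 40-char target exceeds a 32-byte
 * buffer (the size used for /dev/modem in the report). Returns 1 when the
 * raw call leaves the buffer unterminated and the wrapper flags truncation. */
int demo_overlong_link(void)
{
    char dir[] = "/tmp/readlink-demo-XXXXXX";   /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return 0;
    char link[64];
    snprintf(link, sizeof link, "%s/modem", dir);
    const char *target = "/dev/ttyS0-with-a-deliberately-long-name";
    if (symlink(target, link) != 0) { rmdir(dir); return 0; }

    /* Unsafe pattern from the report: memset, then bufsiz == sizeof buf. */
    char unsafe[32];
    memset(unsafe, 0, sizeof unsafe);
    ssize_t n1 = readlink(link, unsafe, sizeof unsafe);
    int unterminated = n1 == (ssize_t)sizeof unsafe &&
                       memchr(unsafe, '\0', sizeof unsafe) == NULL;

    /* Hardened pattern: terminator reserved, truncation detected. */
    char safe[32];
    int detected = readlink_z(link, safe, sizeof safe) == -2 &&
                   strlen(safe) == sizeof safe - 1;

    unlink(link);
    rmdir(dir);
    return unterminated && detected;
}
```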

Comment 1 Bill Nottingham 2004-01-30 20:17:26 UTC
All of these links are in root-writable only directories, so I don't
see how this is a security issue. But it should be fixed, yes.

Comment 2 Yaroslav Popovitch 2004-01-30 20:18:37 UTC
Created attachment 97374 [details]
examples of code with errors

Comment 3 Bill Nottingham 2005-04-28 18:08:45 UTC
Fixed in CVS, will be in 1.1.116-1 or later.