Bug 683799

Summary: Unsafe initialization of bufpos in i18n patch
Product: Red Hat Enterprise Linux 6
Reporter: Ondrej Vasik <ovasik>
Component: coreutils
Assignee: Ondrej Vasik <ovasik>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: medium
Priority: unspecified
Version: 6.1
CC: azelinka, kdudka, meyering, mhusnain, prc
Target Milestone: rc
Target Release: ---
Hardware: All
OS: All
Doc Type: Bug Fix
Doc Text:
Previously, the internationalization patch for coreutils had an unsafe initialization of char* bufpos that left bufpos uninitialized or initialized to NULL on the first usage. This behaviour called memmove from an incorrect address, namely from address 0 and size 0. This is now fixed and bufpos is correctly initialized for the first use.
Story Points: ---
Last Closed: 2011-05-19 13:51:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ondrej Vasik 2011-03-10 11:59:15 UTC
Description of problem:
When trying Coverity static analysis run for coreutils, it was discovered that i18n patch has unsafe initialization of char* bufpos, leaving it for first call uninitialized or initialized to NULL. It should be initialized to buf (as is already done in one case). Current behaviour is unsafe, as it calls memmove from wrong address (uninitialized or NULL) - although of size of 0 bytes. This should be fixed, although there is no known reproducer how to abuse that (and crash the program) atm.


How reproducible:
Always

Steps to Reproduce:
1. check memmove calls of e.g. fold, expand and some others via ltrace and multibyte locales on multibyte text

Actual results:
Memmove from address 0 with size of 0 is performed

Expected results:
No such thing happens

Additional info:
I don't expect that this could be tested via automated test, just sanity only check should be enough.
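
As an added illustration (not code from this bug or from coreutils), the buffered read pattern the report describes, with bufpos initialised to buf before its first memmove(); fake_read, seq_len, refill and count_code_points are this example's own names, and an in-memory input stands in for stdin.

```c
#include <string.h>
/* Constructed stand-in for the buffered read loop of the i18n fold/expand code;
 * fake_read, seq_len, refill and count_code_points are this example's own names. */
enum { BUFSZ = 9 };   /* small on purpose so a multibyte char straddles a refill */
struct reader { const char *src; size_t len, off; };   /* in-memory stand-in for stdin */

static size_t fake_read(struct reader *r, char *dst, size_t n)
{
    if (n > r->len - r->off) n = r->len - r->off;
    memcpy(dst, r->src + r->off, n);
    r->off += n;
    return n;
}

/* Length of a UTF-8 sequence from its lead byte; stray bytes count as one unit. */
static size_t seq_len(unsigned char c)
{
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Carry the incomplete tail to the front of buf, then read more after it.
 * The reported defect: bufpos had no initializer, so the first pass called
 * memmove() on an indeterminate or NULL pointer with length 0.  ISO C requires
 * valid pointers whatever the length, and glibc declares memmove's pointer
 * parameters nonnull, so that is undefined even though no byte is copied. */
static size_t refill(struct reader *r, char *buf, const char *bufpos, size_t remaining)
{
    memmove(buf, bufpos, remaining);      /* bufpos always points into buf here */
    return remaining + fake_read(r, buf + remaining, BUFSZ - remaining);
}

size_t count_code_points(const char *input, size_t len)
{
    struct reader r = { input, len, 0 };
    char buf[BUFSZ], *bufpos = buf;       /* the fix: initialised before first use */
    size_t remaining = 0, count = 0;
    for (;;) {
        char *end = buf + refill(&r, buf, bufpos, remaining);
        for (bufpos = buf; bufpos < end; count++) {
            size_t n = seq_len((unsigned char)*bufpos);
            if (bufpos + n > end) break;  /* partial char: keep it for the next round */
            bufpos += n;
        }
        remaining = (size_t)(end - bufpos);
        if (r.off == r.len) return count + (remaining != 0);  /* EOF: dangling tail */
    }
}
```

With BUFSZ of 9 the two-byte "ö" in the sample input is split across the first refill, so the carried tail is non-empty on the second pass, and a pointer that is already valid makes the zero-length first memmove() well-defined.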

Comment 6 Misha H. Ali 2011-05-11 04:52:21 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, the internationalization patch for coreutils had an unsafe initialization of char* bufpos that left bufpos uninitialized or initialized to NULL on the first usage. This behaviour called memmove from an incorrect address, namely from address 0 and size 0. This is now fixed and bufpos is correctly initialized for the first use.

Comment 7 errata-xmlrpc 2011-05-19 13:51:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0646.html