Bug 7347 - localization related buffer overflows in fdisk
Summary: localization related buffer overflows in fdisk
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: util-linux
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Crutcher Dunnavant
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 1999-11-26 11:22 UTC by Christian Hechelmann
Modified: 2008-05-01 15:37 UTC
CC List: 1 user

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-02-04 00:30:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Christian Hechelmann 1999-11-26 11:22:03 UTC
util-linux-2.9w has some buffer overflows when printing localized
messages, causing core dumps.

Just run "LC_MESSAGES=de /sbin/fdisk /dev/whatever", add a partition and
watch it die after querying the partition size, as the stack frame will
be clobbered by the sprintf() at line 1458 in fdisk/fdisk.c.

There are possible buffer overflows in other areas too
(BSD/SUN/SGI-Disklabel).

In util-linux-2.10c at least the overflow in fdisk.c/add_partition() has
been "fixed". Using snprintf() would certainly stop the core dumps,
leaving only mangled messages.

Patch follows:

--- util-linux-2.9w/fdisk/fdisk.c.overflow	Fri Nov 26 12:12:04 1999
+++ util-linux-2.9w/fdisk/fdisk.c	Fri Nov 26 12:13:41 1999
@@ -1370,7 +1370,7 @@

 void add_partition(int n, int sys)
 {
-	char mesg[48];
+	char mesg[256]; /* localized message strings *are* longer than 48, go
figure... */
 	int i, read = 0;
 	struct partition *p = part_table[n], *q = part_table[ext_index];
 	uint start, stop = 0, limit, temp,
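Review bot: growing `mesg` from 48 to 256 bytes in `add_partition()` widens the buffer but leaves the unbounded `sprintf()` at line 1458 in place, so the size is a guess rather than a limit: any translation that, together with the formatted numbers, exceeds 255 bytes reintroduces the same stack clobbering. The report's own suggestion, `snprintf(mesg, sizeof(mesg), ...)`, is the bounded fix and should accompany (or replace) the size change. Also, the continuation line `figure... */` carries no leading `+`, which looks like mailer line-wrapping; as pasted the hunk will not apply with `patch`, so the change should be attached as a file rather than inlined.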
--- util-linux-2.9w/fdisk/fdisksgilabel.c.overflow	Fri Nov 26 12:12:18 1999
+++ util-linux-2.9w/fdisk/fdisksgilabel.c	Fri Nov 26 12:15:15 1999
@@ -671,7 +671,7 @@
 void
 sgi_add_partition( int n, int sys )
 {
-    char mesg[48];
+    char mesg[256]; /* localized message strings *are* longer than 48, go
figure... */
     int first=0, last=0;

     if( n == 10 ) {
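Review bot: same concern for `sgi_add_partition()`: the 256-byte `mesg` is still filled by an unbounded formatter, so switch that write to `snprintf(mesg, sizeof(mesg), ...)` and check the return value for truncation. The wrapped comment line `figure... */` again lacks the `+` prefix and will break `patch`.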
--- util-linux-2.9w/fdisk/fdisksunlabel.c.overflow	Fri Nov 26 12:12:23 1999
+++ util-linux-2.9w/fdisk/fdisksunlabel.c	Fri Nov 26 12:16:10 1999
@@ -472,7 +472,7 @@
 	uint starts[8], lens[8];
 	int whole_disk = 0;

-	char mesg[48];
+	char mesg[256]; /* localized message strings *are* longer than 48 */
 	int i, first, last;

 	if (sunlabel->partitions[n].num_sectors && sunlabel->infos[n].id) {
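Review bot: the sunlabel hunk keeps the unbounded write into the enlarged `mesg`, so the `snprintf(mesg, sizeof(mesg), ...)` change belongs here as well; unlike the other three hunks, this one's comment is intact on a single `+` line and applies cleanly.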
--- util-linux-2.9w/fdisk/fdiskbsdlabel.c.overflow	Fri Nov 26 12:12:29 1999
+++ util-linux-2.9w/fdisk/fdiskbsdlabel.c	Fri Nov 26 12:14:35 1999
@@ -235,7 +235,7 @@
 xbsd_new_part (void)
 {
   uint begin, end;
-  char mesg[48];
+  char mesg[256]; /* localized message strings *are* longer than 48, go
figure */
   int i;

   if (!xbsd_check_new_partition (&i))
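Review bot: `xbsd_new_part()` gets the same size-only change, so the bounded-write fix (`snprintf(mesg, sizeof(mesg), ...)`) is still missing here, and the wrapped comment line `figure */` has no `+` prefix, which will make `patch` reject the hunk as pasted.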

Comment 1 Elliot Lee 2000-02-04 00:30:59 UTC
This seems to have been already fixed in the latest util-linux package.
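The failure the report describes, a fixed-size `mesg[48]` written by `sprintf()` with a localized format string that is longer than the English one, next to the bounded `snprintf()` form the reporter mentions, as an added example. This is not util-linux code: `xlat()` is a stand-in for gettext's `_()`, the "German" prompt text is constructed for the example (the real catalogue string is not on this page), `prompt_len()`, `sprintf_would_overflow()` and `format_prompt()` are hypothetical helper names, and the overflow is measured with `snprintf(NULL, 0, ...)` rather than performed, since an actual `sprintf()` past the buffer is undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gettext's _(): returns a constructed "translation" of fdisk's
 * partition-size prompt (these strings are made up for the example, not the
 * real util-linux message catalogue). The German text is deliberately much
 * longer than the English original, which is exactly what the report hit. */
#define PROMPT "First %s (%d-%d, default %d): "

static const char *xlat(const char *lang, const char *msgid)
{
    static const char de[] =
        "Erster %s (%d-%d, Vorgabe %d, bitte Wert innerhalb des Bereichs eingeben): ";
    if (strcmp(msgid, PROMPT) == 0 && strcmp(lang, "de") == 0)
        return de;
    return msgid;            /* untranslated: behaves like LC_MESSAGES=C */
}

#define MESG_OLD 48    /* char mesg[48]  in util-linux-2.9w */
#define MESG_NEW 256   /* char mesg[256] proposed by the patch above */

static char mesg[MESG_NEW];   /* add_partition()'s on-stack mesg[], made global here */

/* Bytes the formatted prompt needs, excluding the terminating NUL.
 * snprintf(NULL, 0, ...) measures the length without writing anything. */
static int prompt_len(const char *lang, const char *unit, int lo, int hi, int def)
{
    return snprintf(NULL, 0, xlat(lang, PROMPT), unit, lo, hi, def);
}

/* The vulnerable pattern was sprintf(mesg, _(PROMPT), ...) into char mesg[48].
 * sprintf() has no bound, so instead of performing that write this reports
 * whether it would have run past a buffer of `cap` bytes. */
static bool sprintf_would_overflow(size_t cap, const char *lang, const char *unit,
                                   int lo, int hi, int def)
{
    return (size_t)prompt_len(lang, unit, lo, hi, def) + 1 > cap;
}

/* Hardened form: snprintf() writes at most `cap` bytes and always terminates
 * the string. Its return value reveals truncation, so a too-long translation
 * yields a clipped prompt instead of a clobbered stack frame. */
static bool format_prompt(char *buf, size_t cap, const char *lang, const char *unit,
                          int lo, int hi, int def)
{
    int n = snprintf(buf, cap, xlat(lang, PROMPT), unit, lo, hi, def);
    return n >= 0 && (size_t)n < cap;
}

int main(void)
{
    const char *langs[] = { "C", "de" };
    for (size_t i = 0; i < 2; i++) {
        int need = prompt_len(langs[i], "cylinder", 1, 1023, 1);
        printf("%s: needs %d bytes; sprintf into mesg[%d] overflows: %s; "
               "snprintf into mesg[%d] truncates: %s\n",
               langs[i], need,
               MESG_OLD, sprintf_would_overflow(MESG_OLD, langs[i], "cylinder", 1, 1023, 1) ? "yes" : "no",
               MESG_OLD, format_prompt(mesg, MESG_OLD, langs[i], "cylinder", 1, 1023, 1) ? "no" : "yes");
        printf("  %s\n", mesg);
    }
    return 0;
}
```

The English prompt fits comfortably in 48 bytes while the constructed German one needs about 80, so the old buffer is overrun by roughly 30 bytes of prompt text plus the terminator. Note that `format_prompt()` returning `false` for the 48-byte case is the point of the bounded form: the caller learns the message was clipped and can enlarge the buffer or log it, whereas the unbounded `sprintf()` silently keeps writing.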

