Bug 7347 - localization related buffer overflows in fdisk
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: util-linux
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Crutcher Dunnavant
Reported: 1999-11-26 06:22 EST by Christian Hechelmann
Modified: 2008-05-01 11:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-02-03 19:30:32 EST
Description Christian Hechelmann 1999-11-26 06:22:03 EST
util-linux-2.9w has some buffer overflows when printing localized
messages, causing core dumps.

Just run "LC_MESSAGES=de /sbin/fdisk /dev/whatever", add a partition and
watch it die after querying the partition size, as the stack frame will
be clobbered by the sprintf() at line 1458 in fdisk/fdisk.c.

There are possible buffer overflows in other areas too
(BSD/SUN/SGI-Disklabel).

In util-linux-2.10c at least the overflow in fdisk.c/add_partition() has
been "fixed". Using snprintf() would certainly stop the core dumps,
leaving only mangled messages.

Patch follows:

--- util-linux-2.9w/fdisk/fdisk.c.overflow	Fri Nov 26 12:12:04 1999
+++ util-linux-2.9w/fdisk/fdisk.c	Fri Nov 26 12:13:41 1999
@@ -1370,7 +1370,7 @@

 void add_partition(int n, int sys)
 {
-	char mesg[48];
+	char mesg[256]; /* localized message strings *are* longer than 48, go
figure... */
 	int i, read = 0;
 	struct partition *p = part_table[n], *q = part_table[ext_index];
 	uint start, stop = 0, limit, temp,
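Review bot: raising mesg from 48 to 256 bytes only moves the limit; the sprintf() at line 1458 that the report cites still has no length bound, so any translation that renders to more than 255 bytes overflows the larger buffer just the same. Change that call to snprintf(mesg, sizeof(mesg), ...), as the description itself suggests for 2.10c, and treat the bigger buffer as a comfort margin rather than the fix.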
--- util-linux-2.9w/fdisk/fdisksgilabel.c.overflow	Fri Nov 26 12:12:18 1999
+++ util-linux-2.9w/fdisk/fdisksgilabel.c	Fri Nov 26 12:15:15 1999
@@ -671,7 +671,7 @@
 void
 sgi_add_partition( int n, int sys )
 {
-    char mesg[48];
+    char mesg[256]; /* localized message strings *are* longer than 48, go
figure... */
     int first=0, last=0;

     if( n == 10 ) {
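Review bot: the added line's comment is wrapped onto a second line ("figure... */") that carries no leading "+", so this hunk has eight lines against its "7,7" header and patch(1) will reject it; the fdisk.c and fdiskbsdlabel.c hunks are wrapped the same way. Keep the comment on the declaration's line, or shorten it, before posting.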
--- util-linux-2.9w/fdisk/fdisksunlabel.c.overflow	Fri Nov 26 12:12:23 1999
+++ util-linux-2.9w/fdisk/fdisksunlabel.c	Fri Nov 26 12:16:10 1999
@@ -472,7 +472,7 @@
 	uint starts[8], lens[8];
 	int whole_disk = 0;

-	char mesg[48];
+	char mesg[256]; /* localized message strings *are* longer than 48 */
 	int i, first, last;

 	if (sunlabel->partitions[n].num_sectors && sunlabel->infos[n].id) {
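Review bot: this is the third copy of the literal 256 with a per-file comment (a fourth follows for the BSD label); if a fixed size is kept at all, define it once in a shared header and pass sizeof(mesg) to the formatting call so the bound lives in one place. The hunk also does not show the call that fills mesg, so the patch alone gives a reviewer no way to confirm the write is bounded; a short pointer to that call in the comment would help.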
--- util-linux-2.9w/fdisk/fdiskbsdlabel.c.overflow	Fri Nov 26 12:12:29 1999
+++ util-linux-2.9w/fdisk/fdiskbsdlabel.c	Fri Nov 26 12:14:35 1999
@@ -235,7 +235,7 @@
 xbsd_new_part (void)
 {
   uint begin, end;
-  char mesg[48];
+  char mesg[256]; /* localized message strings *are* longer than 48, go
figure */
   int i;

   if (!xbsd_check_new_partition (&i))
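The pattern behind this report, a fixed-size prompt buffer filled from a translated format string, beside its bounded replacement, as an added example that is not part of the bug report or of util-linux. The German prompt text, the function names and ORIG_MESG_SIZE are constructed for illustration; only the 48-byte size comes from the patch above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Buffer size fdisk used before the patch in this report. */
#define ORIG_MESG_SIZE 48

/* Constructed sample catalog entries (not util-linux's own .po strings):
 * one prompt in English and a longer German rendering. Both take the
 * same arguments: unit name, low bound, high bound, default. */
static const char *en_fmt = "First %s (%u-%u, default %u): ";
static const char *de_fmt =
    "Erster %s der neuen Partition (Bereich %u-%u, Vorgabe ist %u): ";

/* Drop-in for the sprintf(mesg, fmt, ...) pattern: never writes past
 * buflen, always NUL-terminates, and returns the length the complete
 * message needed so callers can notice truncation. */
static int format_prompt(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    return needed;
}

/* Returns 1 if the prompt fit completely in buf, 0 if it was cut off
 * (the case where the original sprintf() clobbered the stack frame). */
static int render_prompt(char *buf, size_t buflen, const char *fmt,
                         const char *unit, unsigned lo, unsigned hi,
                         unsigned def)
{
    int needed = format_prompt(buf, buflen, fmt, unit, lo, hi, def);
    return needed >= 0 && (size_t)needed < buflen;
}

int main(void)
{
    char mesg[ORIG_MESG_SIZE];

    if (render_prompt(mesg, sizeof mesg, en_fmt, "cylinder", 1u, 1023u, 1u))
        printf("fits: \"%s\"\n", mesg);
    /* German needs 69 bytes; 47 fit, the rest would have overflowed. */
    if (!render_prompt(mesg, sizeof mesg, de_fmt, "Zylinder", 1u, 1023u, 1u))
        printf("truncated: \"%s\"\n", mesg);
    return 0;
}
```

The return value of format_prompt is the check the original code lacked: a result of sizeof(mesg) or more means the translation did not fit, which with sprintf() would already have been a stack write.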
Comment 1 Elliot Lee 2000-02-03 19:30:59 EST
This seems to have been already fixed in the latest util-linux package.
