[systemd-bugs] [Bug 69887] New: Buffer overrun when enumerating files
bugzilla-daemon at freedesktop.org
Fri Sep 27 10:51:12 PDT 2013
https://bugs.freedesktop.org/show_bug.cgi?id=69887
Priority: medium
Bug ID: 69887
Assignee: systemd-bugs at lists.freedesktop.org
Summary: Buffer overrun when enumerating files
QA Contact: systemd-bugs at lists.freedesktop.org
Severity: major
Classification: Unclassified
OS: All
Reporter: hpj at copyleft.no
Hardware: Other
Status: NEW
Version: unspecified
Component: general
Product: systemd
Created attachment 86736
--> https://bugs.freedesktop.org/attachment.cgi?id=86736&action=edit
Patch that fixes the bug
There is a buffer overrun in src/shared/util.c:get_files_in_directory() when
the number of files in the directory to be enumerated exceeds 15.

It does not account for the sentinel NULL when resizing the buffer, and the
NULL is re-added after each new item, causing an overrun whenever the buffer is
about to be realloc()ed.

This can cause e.g. gnome-shell to crash and display a blank screen in gdm when
the user has more than 15 files in /run/systemd/sessions/. I've seen user
reports of this, and verified it experimentally with valgrind.

I'm attaching a patch that fixes the issue by ensuring there's enough space for
the sentinel.
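
The growth pattern described in the report, as an added C example that is not part of the original report and is not systemd's code: fill_list(), the guard slot and the max(16, 2*r) doubling policy are assumptions chosen to match the 15-file threshold. The array is really allocated one slot larger than its logical capacity, so the sentinel write that would overrun lands on a guard and is counted instead of corrupting memory.

```c
#include <stdlib.h>

/* Guard marker stored one slot past the logical capacity (constructed for this demo). */
static char guard_obj;
#define GUARD (&guard_obj)

/*
 * Append `count` entries to a NULL-terminated pointer list, re-adding the
 * NULL sentinel after every item as the report describes.
 * reserve_sentinel == 0 models the reported resize check (item slot only),
 * reserve_sentinel == 1 models a check that also reserves the sentinel slot.
 * Returns how many sentinel writes landed past the logical capacity,
 * or -1 on allocation failure.
 */
int fill_list(unsigned count, int reserve_sentinel) {
    char **l = NULL;
    unsigned n = 0;          /* logical capacity in slots */
    unsigned r = 0;          /* number of items stored */
    int overruns = 0;

    for (unsigned i = 0; i < count; i++) {
        unsigned need = r + (reserve_sentinel ? 1u : 0u);
        if (need >= n) {
            unsigned new_n = 2 * r > 16 ? 2 * r : 16;   /* assumed growth policy */
            /* Demo only: one extra physical slot holds the guard. */
            char **t = realloc(l, sizeof(char *) * (new_n + 1));
            if (!t) {
                free(l);
                return -1;
            }
            l = t;
            n = new_n;
            l[n] = GUARD;
        }
        l[r] = (char *)"entry";  /* constructed sample item */
        l[++r] = NULL;           /* sentinel: index r equals n when no slot was reserved */
        if (l[n] != GUARD) {     /* the sentinel was written at index n */
            overruns++;
            l[n] = GUARD;
        }
    }
    free(l);
    return overruns;
}
```

With the unreserved check, the first out-of-range write happens on the 16th item, which matches the "exceeds 15" condition in the report, and it recurs each time the list fills its capacity exactly.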