[systemd-devel] [PATCH] Re: timedatectl regression in 218: crash with Etc/UTC

Martin Pitt martin.pitt at ubuntu.com
Mon Dec 15 04:08:34 PST 2014


Martin Pitt [2014-12-15 12:50 +0100]:
> #7  0x5659c185 in time_get_dst (date=1418644009, tzfile=0x5659e9ee "/etc/localtime", switch_cur=0xffffd81c, zone_cur=0xffffd810, 
>     dst_cur=0xffffd809, switch_next=0xffffd824, delta_next=0xffffd820, zone_next=0xffffd814, dst_next=0xffffd80a)
>     at src/shared/time-dst.c:104
>         type_idxs = 0x565b98d8 ""
>         num_types = 1
>         types = 0x565b98d8
>         zone_names = 0x565b98e0 "UTC"
>         st = {st_dev = 40, __pad1 = 348, __st_ino = 351284, st_mode = 33188, st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0, 
>           __pad2 = 4, st_size = 118, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1418641254, tv_nsec = 924653672}, 
>           st_mtim = {tv_sec = 1418641254, tv_nsec = 920653672}, st_ctim = {tv_sec = 1418641254, tv_nsec = 920653672}, 
>           st_ino = 351284}
>         num_isstd = 1
>         num_isgmt = 1
>         tzhead = {tzh_magic = "TZif", tzh_version = "2", tzh_reserved = '\000' <repeats 14 times>, 
>           tzh_ttisgmtcnt = "\000\000\000\001", tzh_ttisstdcnt = "\000\000\000\001", tzh_leapcnt = "\000\000\000", 
>           tzh_timecnt = "\000\000\000", tzh_typecnt = "\000\000\000\001", tzh_charcnt = "\000\000\000\004"}
>         chars = 4
>         i = 1
>         total_size = 12
>         types_idx = 0
>         trans_width = 4
>         tzspec_len = 0
>         num_leaps = 0
>         lo = 4294956851
>         hi = 1
>         num_transitions = 0
>         transitions = 0x565b98d8
>         f = 0x565b9970

To clarify:

186         transitions = malloc0(total_size + tzspec_len);

transitions gets 12 bytes allocated (see above frame for values of
variables).

192        types = (struct ttinfo *)((char *)transitions + types_idx);

As types_idx == 0, types == transitions, thus 12 bytes long.

193        zone_names = (char *)types + num_types * sizeof(struct ttinfo);

num_types == 1, thus zone_names == types + 8, i.e. zone_names is 4
bytes. chars is 4 bytes, thus

247        zone_names[chars] = '\0';

writes at zone_names[4] aka transitions[12] which is one byte past the
allocated buffer.

I think the most robust solution would be to just allocate an extra
byte so that we can always actually fit that null byte. Does that
sound ok?

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
Attachment: 0001-shared-time-dst-Avoid-buffer-overflow.patch (text/x-diff, 942 bytes)
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20141215/c06d0ba1/attachment.patch>
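The layout arithmetic in the message above, worked through on a constructed Etc/UTC-style TZif file, as an added example; this is not systemd's time-dst.c and not the attached patch. It assumes the 8-byte `struct ttinfo` (a 32-bit offset plus four flag bytes) that the backtrace implies via "zone_names == types + 8", reproduces the `total_size` / `types_idx` / `zone_names` computation, and reports whether the terminating `zone_names[chars] = '\0'` write lands inside a `malloc0(total_size)` allocation versus a `malloc0(total_size + 1)` one. The TZif bytes are constructed here (v1 header and v1 data block only; the real 118-byte file also carries a v2 block and footer).

```c
/* Added example: reproduce the TZif scratch-buffer layout described in the
 * message and show the off-by-one on the terminating NUL. Not systemd code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 44-byte TZif header as in tzfile(5); the six counts are big-endian uint32. */
struct tzhead {
    char tzh_magic[4];
    char tzh_version[1];
    char tzh_reserved[15];
    char tzh_ttisgmtcnt[4];
    char tzh_ttisstdcnt[4];
    char tzh_leapcnt[4];
    char tzh_timecnt[4];
    char tzh_typecnt[4];
    char tzh_charcnt[4];
};

/* Assumption: the in-memory per-type record is 8 bytes, matching the 32-bit
 * frame in the backtrace (zone_names == types + 8 for one type). */
struct ttinfo {
    int32_t offset;
    uint8_t isdst, idx, isstd, isgmt;
};

struct layout {
    size_t num_transitions, num_types, chars;
    size_t types_idx, zone_names_idx, total_size;
};

static uint32_t be32(const char *p) {
    const uint8_t *u = (const uint8_t *)p;
    return ((uint32_t)u[0] << 24) | ((uint32_t)u[1] << 16) | ((uint32_t)u[2] << 8) | u[3];
}

/* Same computation as the loader: v1 transition times (4 bytes each) plus one
 * type-index byte each, rounded up to the alignment of struct ttinfo, then the
 * ttinfo array, then `chars` abbreviation bytes. No room is reserved for the
 * NUL that is later written at zone_names[chars]. */
static bool tzif_layout(const uint8_t *buf, size_t len, struct layout *l) {
    struct tzhead h;
    if (len < sizeof h) return false;
    memcpy(&h, buf, sizeof h);
    if (memcmp(h.tzh_magic, "TZif", 4) != 0) return false;

    l->num_transitions = be32(h.tzh_timecnt);
    l->num_types = be32(h.tzh_typecnt);
    l->chars = be32(h.tzh_charcnt);
    if (l->num_types == 0) return false;

    const size_t trans_width = 4;
    size_t total = l->num_transitions * (trans_width + 1);
    size_t align = _Alignof(struct ttinfo);
    total = (total + align - 1) & ~(align - 1);
    l->types_idx = total;
    l->zone_names_idx = total + l->num_types * sizeof(struct ttinfo);
    total += l->num_types * sizeof(struct ttinfo) + l->chars;
    l->total_size = total;
    return true;
}

/* Allocate total_size + slack bytes as the loader would and report whether the
 * NUL at zone_names[chars] is inside the allocation. The copy and the NUL
 * write are only performed when in bounds, so the buggy case (slack == 0) is
 * reported, not triggered. */
static bool terminator_in_bounds(const uint8_t *buf, size_t len, size_t slack) {
    struct layout l;
    if (!tzif_layout(buf, len, &l)) return false;
    /* v1 data: timecnt*4 times, timecnt index bytes, typecnt*6 ttinfo, then chars */
    size_t chars_off = sizeof(struct tzhead) + l.num_transitions * 5 + l.num_types * 6;
    if (chars_off + l.chars > len) return false;

    size_t alloc = l.total_size + slack;
    char *transitions = calloc(1, alloc);
    if (!transitions) return false;
    char *zone_names = transitions + l.zone_names_idx;
    size_t nul_off = l.zone_names_idx + l.chars;   /* index touched by zone_names[chars] = '\0' */
    bool ok = nul_off < alloc;
    if (ok) {
        memcpy(zone_names, buf + chars_off, l.chars);
        zone_names[l.chars] = '\0';
    }
    free(transitions);
    return ok;
}

/* Constructed Etc/UTC-style TZif v1 file: ttisgmt=1 ttisstd=1 leap=0 time=0
 * type=1 char=4, one ttinfo (gmtoff 0, isdst 0, abbrind 0), abbreviation "UTC\0". */
static const uint8_t etc_utc_v1[] = {
    'T','Z','i','f','2',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,                       /* reserved */
    0,0,0,1,  0,0,0,1,  0,0,0,0,  0,0,0,0,  0,0,0,1,  0,0,0,4,
    0,0,0,0, 0, 0,                                       /* ttinfo[0] */
    'U','T','C',0,                                       /* 4 abbreviation chars */
    0,                                                   /* ttisstd[0] */
    0,                                                   /* ttisgmt[0] */
};

int main(void) {
    struct layout l;
    if (!tzif_layout(etc_utc_v1, sizeof etc_utc_v1, &l)) return 1;
    printf("types_idx=%zu zone_names_idx=%zu chars=%zu total_size=%zu\n",
           l.types_idx, l.zone_names_idx, l.chars, l.total_size);
    printf("malloc0(total_size):     NUL %s\n",
           terminator_in_bounds(etc_utc_v1, sizeof etc_utc_v1, 0) ? "in bounds" : "OUT OF BOUNDS");
    printf("malloc0(total_size + 1): NUL %s\n",
           terminator_in_bounds(etc_utc_v1, sizeof etc_utc_v1, 1) ? "in bounds" : "OUT OF BOUNDS");
    return 0;
}
```

With zero transitions the rounding step leaves `types_idx` at 0, the single type puts `zone_names` at offset 8, and `chars == 4` makes `total_size` 12, so the NUL goes to offset 12 of a 12-byte buffer; one byte of slack is exactly what the message proposes.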