ikrabbe/plan9front

buffer overflow in kbmap.c

Closed · 1 comment

A buffer can be overflowed in the init function of kbmap.c by using a filename 
of more than 112 characters.

sample output:

% cd /sys/lib/kbmap
% touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
% kbmap
kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df

offending code is most likely the call to sprint in the init function of 
/sys/src/cmd/kbmap.c, which in this case writes /sys/lib/kbmap/$file to a 
128-bit buffer.

I'm willing to submit a patch for this myself along with a few minor 
improvements/fixes to kbmap if I can figure out the nuances of doing so.

--silasm

Original issue reported on code.google.com by inksw...@gmail.com on 10 Dec 2014 at 10:07
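The bug class the report describes, as an added example that is not kbmap's own code: an unbounded formatted write of a directory prefix plus a caller-controlled file name into a fixed-size stack buffer, next to a bounded replacement that refuses names that do not fit. Plan 9's sprint()/snprint() correspond to the ISO C sprintf()/snprintf() used here so the block builds on an ordinary libc. The 128-byte buffer size is an assumption taken from the reproducer: the 15-byte prefix /sys/lib/kbmap/ plus a 112-character name plus the terminating NUL is exactly 128 bytes, which is why a 113-character name is the first one that overflows. The function names, the name-length helpers and the rejected-name behaviour are this example's own.

```c
/* Added example, not kbmap's code.  Quantifies the overflow from the issue
 * and shows a bounds-checked replacement for the sprint() call. */
#include <stdio.h>
#include <string.h>

#define KBMAP_DIR "/sys/lib/kbmap/"   /* 15 bytes, from the issue text */
#define PATHSZ    128                 /* assumed size of the fixed buffer */

/* Bytes an unbounded sprint(buf, "%s%s", KBMAP_DIR, name) would write,
 * including the terminating NUL.  snprintf(NULL, 0, ...) is the standard
 * way to size a formatted string without writing anywhere, so the length
 * can be measured without actually corrupting memory. */
size_t path_len_needed(const char *name) {
    return (size_t)snprintf(NULL, 0, "%s%s", KBMAP_DIR, name) + 1;
}

/* How many bytes the unbounded write would land past the end of a PATHSZ
 * buffer for this name; 0 means the path fits. */
size_t overflow_bytes(const char *name) {
    size_t need = path_len_needed(name);
    return need > PATHSZ ? need - PATHSZ : 0;
}

/* Hardened form: bounded formatting that treats truncation as an error
 * instead of silently producing a wrong (or unterminated) path.
 * Returns 0 on success, -1 if the name does not fit; buf is emptied on
 * failure so a caller cannot accidentally open a half-built path. */
int build_kbmap_path(char *buf, size_t bufsz, const char *name) {
    int n = snprintf(buf, bufsz, "%s%s", KBMAP_DIR, name);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a name of n 'a' characters, like the reproducer's
 * `touch aaaa...`.  out must hold at least n+1 bytes. */
void make_name(char *out, size_t n) {
    memset(out, 'a', n);
    out[n] = '\0';
}

/* Wrappers that exercise the two paths for a name of n 'a's (n <= 255). */
size_t overflow_for(size_t n) {
    char name[256];
    make_name(name, n);
    return overflow_bytes(name);
}

int build_for(size_t n) {
    char name[256], path[PATHSZ];
    make_name(name, n);
    return build_kbmap_path(path, sizeof path, name);
}

int main(void) {
    size_t n;
    for (n = 111; n <= 114; n++)
        printf("name of %3zu chars: needs %zu bytes, overflow %zu, bounded build %s\n",
               n, path_len_needed((make_name((char[256]){0}, 0), "")) + n,
               overflow_for(n), build_for(n) == 0 ? "ok" : "rejected");
    return 0;
}
```

The threshold the reporter observed falls out directly: 15 + 112 + 1 = 128 fits, 15 + 113 + 1 = 129 writes one byte past the buffer, and every extra character after that lands further into whatever follows it on the stack. Plan 9 also offers seprint(), which takes an end pointer instead of a size; either bounded variant is a drop-in replacement for the sprint() call as long as the caller checks for truncation rather than ignoring it.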

fixed, thanks!

Original comment by cinap_le...@felloff.net on 11 Dec 2014 at 5:33

  • Changed state: Fixed