The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a877965fa3da218bceaaa0f51c4d7770e64e6df0

commit a877965fa3da218bceaaa0f51c4d7770e64e6df0
Author:     Domagoj Stolfa <domagoj.sto...@gmail.com>
AuthorDate: 2021-06-17 17:35:33 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2021-06-17 17:52:32 +0000

    dtrace: fix an out of bound read and a NULL pointer increment
    
    In dt_cc.c when the provider is an empty string, accessing
    strlen(pdp->dtpd_provider) - 1 will result in a pdp->dtpd_provider[-1]
    access.
    
    Similarly, in dt_ident.c, if p2 is a NULL pointer, doing a p2++ on it is
    undefined behaviour.
    
    Reviewed by:    markj
    MFC after:      1 week
    Sponsored by:   Google
    Differential Revision:  https://reviews.freebsd.org/D30778
---
 cddl/contrib/opensolaris/lib/libdtrace/common/dt_cc.c    | 6 +++++-
 cddl/contrib/opensolaris/lib/libdtrace/common/dt_ident.c | 4 +++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_cc.c 
b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_cc.c
index 8ec5dd61b8ee..e63771c91e08 100644
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_cc.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_cc.c
@@ -1691,6 +1691,7 @@ dt_setcontext(dtrace_hdl_t *dtp, dtrace_probedesc_t *pdp)
        dt_ident_t *idp;
        char attrstr[8];
        int err;
+       size_t prov_len;
 
        /*
         * Both kernel and pid based providers are allowed to have names
@@ -1704,7 +1705,10 @@ dt_setcontext(dtrace_hdl_t *dtp, dtrace_probedesc_t *pdp)
         * On an error, dt_pid_create_probes() will set the error message
         * and tag -- we just have to longjmp() out of here.
         */
-       if (isdigit(pdp->dtpd_provider[strlen(pdp->dtpd_provider) - 1]) &&
+
+       prov_len = strlen(pdp->dtpd_provider);
+
+       if ((prov_len > 0 && isdigit(pdp->dtpd_provider[prov_len - 1])) &&
            ((pvp = dt_provider_lookup(dtp, pdp->dtpd_provider)) == NULL ||
            pvp->pv_desc.dtvd_priv.dtpp_flags & DTRACE_PRIV_PROC) &&
            dt_pid_create_probes(pdp, dtp, yypcb) != 0) {
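Review bot: The new guard still passes a plain `char` to `isdigit()` at `pdp->dtpd_provider[prov_len - 1]`. Where `char` is signed, a byte above 0x7f in the provider name becomes a negative argument, which the C standard leaves undefined for the `<ctype.h>` classification functions. The provider string presumably comes from a user-written probe description, so the cast is cheap insurance: `isdigit((unsigned char)pdp->dtpd_provider[prov_len - 1])`. The blank line added after the comment also separates it from the test it explains. dt_setcontext's body starts and ends outside this hunk.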
diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_ident.c 
b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_ident.c
index b9164ac26cf9..5ff772be041d 100644
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_ident.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_ident.c
@@ -210,8 +210,10 @@ dt_idcook_func(dt_node_t *dnp, dt_ident_t *idp, int argc, 
dt_node_t *args)
                        }
                }
 
-               for (p2 = strchr(p2, ','); p2++ != NULL; i++)
+               for (p2 = strchr(p2, ','); p2 != NULL; i++) {
+                       p2++;
                        p2 = strchr(p2, ',');
+               }
 
                /*
                 * We first allocate a new ident signature structure with the
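Review bot: The comma-counting loop now spreads one step over three places: `p2++` and the `strchr` call in the body, and `i++` in the for-header. Folding the advance into the header reads more directly and makes it evident that no arithmetic is done on a null pointer: `for (p2 = strchr(p2, ','); p2 != NULL; p2 = strchr(p2 + 1, ','))` with `i++;` as the body. A short comment such as `/* count the remaining ',' separators */` would also help, though what the scanned string holds is inferred from the loop and not visible here. The enclosing block and dt_idcook_func start and end outside the hunk.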