Summary: Buffer overrun when enumerating files
Product: systemd
Reporter: Hans Petter Jansson <hpj>
Component: general
Assignee: systemd-bugs
Status: RESOLVED FIXED
QA Contact: systemd-bugs
Severity: major
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Attachments: Patch that fixes the bug

Created attachment 86736
Patch that fixes the bug

There is a buffer overrun in src/shared/util.c:get_files_in_directory() when the number of files in the directory to be enumerated exceeds 15. It does not account for the sentinel NULL when resizing the buffer, and the NULL is re-added after each new item, causing an overrun whenever the buffer is about to be realloc()ed.

This can cause e.g. gnome-shell to crash and display a blank screen in gdm when the user has more than 15 files in /run/systemd/sessions/. I've seen user reports of this, and verified it experimentally with valgrind.

I'm attaching a patch that fixes the issue by ensuring there's enough space for the sentinel.
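
The off-by-one described in the report, as an added example (not systemd's code and not the attached patch): a model of a NULL-terminated list that grows on demand, with every write routed through a checked helper so the flawed growth test can be run without corrupting the heap. The initial capacity of 16, the doubling policy, and all names (`build_list`, `put`, `reserve_sentinel`) are assumptions chosen to match the "exceeds 15" threshold.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a NULL-terminated string list that grows on demand.
 * put() counts out-of-bounds indexes instead of writing through them, so the
 * flawed policy can be exercised safely. */
struct list { char **v; size_t cap, oob; };

static void put(struct list *l, size_t i, char *s) {
    if (i >= l->cap) { l->oob++; free(s); return; }  /* would be a heap overrun */
    l->v[i] = s;
}

/* Append `count` constructed names, re-adding the NULL sentinel after each.
 * reserve_sentinel = 0 models a growth check that forgets the sentinel slot;
 * reserve_sentinel = 1 leaves room for it. Returns the number of overruns. */
size_t build_list(size_t count, int reserve_sentinel, size_t *first_bad) {
    struct list l = { NULL, 0, 0 };
    size_t n = 0;
    *first_bad = 0;
    for (size_t k = 0; k < count; k++) {
        size_t need = n + (reserve_sentinel ? 2 : 1);  /* item (+ sentinel) */
        if (need > l.cap) {
            size_t cap = l.cap ? 2 * l.cap : 16;       /* assumed policy */
            char **t = realloc(l.v, cap * sizeof(char *));
            if (!t) abort();
            l.v = t; l.cap = cap;
        }
        char *name = malloc(32);
        if (!name) abort();
        snprintf(name, 32, "session-%zu", k);          /* constructed sample */
        put(&l, n++, name);
        size_t before = l.oob;
        put(&l, n, NULL);                              /* sentinel write */
        if (l.oob > before && *first_bad == 0) *first_bad = n;
    }
    size_t oob = l.oob;
    for (size_t i = 0; i < n; i++) free(l.v[i]);
    free(l.v);
    return oob;
}

int main(void) {
    size_t bad;
    for (int fix = 0; fix <= 1; fix++) {
        size_t oob = build_list(40, fix, &bad);
        printf("reserve_sentinel=%d: %zu overruns, first at %zu files\n", fix, oob, bad);
    }
    return 0;
}
```

In the model, the sentinel lands one slot past the allocation exactly when the item count equals the capacity, which is why the problem only shows up at the 16th entry and again at each doubling.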