Bug 69887 - Buffer overrun when enumerating files
Summary: Buffer overrun when enumerating files
Status: RESOLVED FIXED
Alias: None
Product: systemd
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
Importance: medium major
Assignee: systemd-bugs
QA Contact: systemd-bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-27 17:51 UTC by Hans Petter Jansson
Modified: 2013-09-29 13:32 UTC (History)

See Also:


Attachments
Patch that fixes the bug (706 bytes, text/plain)
2013-09-27 17:51 UTC, Hans Petter Jansson

Description Hans Petter Jansson 2013-09-27 17:51:12 UTC
Created attachment 86736 [details]
Patch that fixes the bug

There is a buffer overrun in src/shared/util.c:get_files_in_directory() when the number of files in the directory to be enumerated exceeds 15.

It does not account for the sentinel NULL when resizing the buffer, and the NULL is re-added after each new item, causing an overrun whenever the buffer is about to be realloc()ed.

This can cause e.g. gnome-shell to crash and display a blank screen in gdm when the user has more than 15 files in /run/systemd/sessions/. I've seen user reports of this, and verified it experimentally with valgrind.

I'm attaching a patch that fixes the issue by ensuring there's enough space for the sentinel.
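The off-by-one described above, as an added example (this is not systemd's get_files_in_directory() or the attached patch): first_sentinel_overrun() models the two growth checks arithmetically, and collect_entries() shows a corrected loop that keeps room for both the new entry and the trailing NULL. The initial capacity of 16 slots is an assumption inferred from the 15-file threshold in the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Models only the index arithmetic of the growth loop; no memory is touched.
 * Assumption: 16 initial slots, matching the 15-file threshold in the report.
 * Returns the entry count at which the trailing NULL would be stored at an
 * index >= allocated (the overrun), or 0 if that never happens. */
size_t first_sentinel_overrun(int account_for_sentinel, size_t max_entries)
{
    size_t allocated = 16, n = 0;
    for (size_t i = 0; i < max_entries; i++) {
        /* buggy check reserves room for the entry only; fixed: entry + NULL */
        size_t need = account_for_sentinel ? n + 2 : n + 1;
        if (need > allocated) allocated *= 2;
        n++;                                /* l[n-1] = entry, in bounds */
        if (n >= allocated) return n;       /* l[n] = NULL is past the end */
    }
    return 0;
}

/* Corrected loop: copies names[0..count) into a NULL-terminated heap array,
 * growing whenever the new entry and the sentinel would not both fit. */
char **collect_entries(const char *const *names, size_t count)
{
    size_t allocated = 16, n = 0;
    char **l = malloc(allocated * sizeof(char *));
    if (!l) return NULL;
    l[0] = NULL;
    for (size_t i = 0; i < count; i++) {
        if (n + 2 > allocated) {            /* entry + sentinel must fit */
            char **t = realloc(l, 2 * allocated * sizeof(char *));
            if (!t) goto fail;
            l = t; allocated *= 2;
        }
        if (!(l[n] = strdup(names[i]))) goto fail;
        l[++n] = NULL;                      /* n < allocated, in bounds */
    }
    return l;
fail:
    for (size_t j = 0; j < n; j++) free(l[j]);
    free(l);
    return NULL;
}

/* Helpers for callers: length of a NULL-terminated array, and its release. */
size_t count_entries(char **l) { size_t n = 0; while (l && l[n]) n++; return n; }
void free_entries(char **l) { for (size_t i = 0; l && l[i]; i++) free(l[i]); free(l); }
```

With the buggy check the sentinel store goes out of bounds exactly when the 16th entry is added, which is the "more than 15 files" symptom in the report; the corrected check grows one step earlier and never does.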
Comment 1 Zbigniew Jedrzejewski-Szmek 2013-09-29 13:32:41 UTC
Fixed in http://cgit.freedesktop.org/systemd/systemd/commit/?id=893fa01.

Thank you for the patch! I didn't apply it, but the fix was correct. I opted to do a bit more extensive clean-up, converting the whole realloc loop to use one of our macros. I also added a test, which shows the off-by-one error.

