fix 320211 Stack buffer overflow in ./coregrind/m_main.c with huge TMPDIR

* Addition of a function to compute size of buffer needed for VG_(mkstemp)
* Use it to dimension buffers for all VG_(mkstemp) calls.

git-svn-id: svn://svn.valgrind.org/valgrind/trunk@13409

diff --git a/NEWS b/NEWS
index e4f6768e3e20970871724eeb072db80422f10ab9..1b3c209ce63f5733f6326ce895aff5e9f4dbb320 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -344,6 +344,7 @@ FIXED r??
         introduction of new Iops for AVX2, BMI, FMA support
         FIXED 13347
 
+320211 Stack buffer overflow in ./coregrind/m_main.c with huge TMPDIR
 
 Release 3.8.1 (19 September 2012)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/coregrind/m_debuginfo/readpdb.c b/coregrind/m_debuginfo/readpdb.c
index 1b051d191a7bcc1ef056c9a990bd91cb05e693c6..f78baa6eaed724640e27a6c999e922c3f3c9277c 100644 (file)
--- a/coregrind/m_debuginfo/readpdb.c
+++ b/coregrind/m_debuginfo/readpdb.c
@@ -2407,7 +2407,7 @@ HChar* ML_(find_name_of_pdb_file)( HChar* pename )
    /* This is a giant kludge, of the kind "you did WTF?!?", but it
       works. */
    Bool   do_cleanup = False;
-   HChar  tmpname[100], tmpnameroot[50];
+   HChar  tmpname[VG_(mkstemp_fullname_bufsz)(50-1)], tmpnameroot[50];
    Int    fd, r;
    HChar* res = NULL;
 

diff --git a/coregrind/m_libcfile.c b/coregrind/m_libcfile.c
index 3364abca5f4501e5d0e358e5e30ca0a311b93bc9..5ba7b3a812d3e0a6f03a443bf23f31d186eea7d8 100644 (file)
--- a/coregrind/m_libcfile.c
+++ b/coregrind/m_libcfile.c
@@ -653,14 +653,26 @@ const HChar *VG_(tmpdir)(void)
    return tmpdir;
 }
 
+static const HChar *mkstemp_format = "%s/valgrind_%s_%08x";
+
+SizeT VG_(mkstemp_fullname_bufsz) ( SizeT part_of_name_len )
+{
+   return VG_(strlen)(mkstemp_format)
+      + VG_(strlen)(VG_(tmpdir)()) - 2 // %s tmpdir
+      + part_of_name_len - 2           // %s part_of_name
+      + 8 - 4                          // %08x
+      + 1;                             // trailing 0
+}
+
+
 /* Create and open (-rw------) a tmp file name incorporating said arg.
    Returns -1 on failure, else the fd of the file.  If fullname is
    non-NULL, the file's name is written into it.  The number of bytes
-   written is guaranteed not to exceed 64+strlen(part_of_name). */
+   written is equal to VG_(mkstemp_fullname_bufsz)(part_of_name). */
 
 Int VG_(mkstemp) ( HChar* part_of_name, /*OUT*/HChar* fullname )
 {
-   HChar  buf[200];
+   HChar  buf[VG_(mkstemp_fullname_bufsz)(VG_(strlen)(part_of_name))];
    Int    n, tries, fd;
    UInt   seed;
    SysRes sres;

diff --git a/coregrind/m_main.c b/coregrind/m_main.c
index fe8746616cb7245cac049480dd2b6469b3b709a8..1bb7e1fabe33053941f168040e9d5e5cebc5bad2 100644 (file)
--- a/coregrind/m_main.c
+++ b/coregrind/m_main.c
@@ -1837,7 +1837,7 @@ Int valgrind_main ( Int argc, HChar **argv, HChar **envp )
    VG_(cl_auxv_fd) = -1;
 #else
    if (!need_help) {
-      HChar  buf[50], buf2[50+64];
+      HChar  buf[50], buf2[VG_(mkstemp_fullname_bufsz)(50-1)];
       HChar  nul[1];
       Int    fd, r;
       const HChar* exename;

diff --git a/coregrind/pub_core_libcfile.h b/coregrind/pub_core_libcfile.h
index 1528a5ec14e31423cd9e1da1bc530fec520abf26..a30ff3dc71ceb676be7770a2599d145e58adc1d7 100644 (file)
--- a/coregrind/pub_core_libcfile.h
+++ b/coregrind/pub_core_libcfile.h
@@ -84,10 +84,14 @@ extern Int VG_(check_executable)(/*OUT*/Bool* is_setuid,
    in terms of pread()?) */
 extern SysRes VG_(pread) ( Int fd, void* buf, Int count, OffT offset );
 
+/* Size of fullname buffer needed for a call to VG_(mkstemp) with
+   part_of_name having the given part_of_name_len. */
+extern SizeT VG_(mkstemp_fullname_bufsz) ( SizeT part_of_name_len );
+
 /* Create and open (-rw------) a tmp file name incorporating said arg.
    Returns -1 on failure, else the fd of the file.  If fullname is
    non-NULL, the file's name is written into it.  The number of bytes
-   written is guaranteed not to exceed 64+strlen(part_of_name). */
+   written is equal to VG_(mkstemp_fullname_bufsz)(part_of_name). */
 extern Int VG_(mkstemp) ( HChar* part_of_name, /*OUT*/HChar* fullname );
 
 /* Record the process' working directory at startup.  Is intended to