From patchwork Sat Sep 22 22:30:13 2018
X-Patchwork-Submitter: morganamilo
X-Patchwork-Id: 789
X-Patchwork-Delegate: andrew.gregory.8@gmail.com
From: morganamilo
To: pacman-dev@archlinux.org
Date: Sat, 22 Sep 2018 23:30:13 +0100
Message-Id: <20180922223013.14333-1-morganamilo@gmail.com>
Subject: [pacman-dev] [PATCH v2] pacman: fix possible buffer overflow

In the function query_fileowner, if the user enters a string longer than
PATH_MAX then rpath will buffer overflow when lrealpath tries to strcat
everything together.

So make sure to bail early if the generated path is going to be bigger
than PATH_MAX.

This also fixes the compiler warning:
query.c: In function ‘query_fileowner’:
query.c:192:4: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
    strncpy(rpath, filename, PATH_MAX);

Signed-off-by: morganamilo

diff --git a/src/pacman/query.c b/src/pacman/query.c index 00c39638..c661fafb 100644 --- a/src/pacman/query.c +++ b/src/pacman/query.c 
@@ -102,7 +102,7 @@ static char *lrealpath(const char *path, char *resolved_path) { const char *bname = mbasename(path); char *rpath = NULL, *dname = NULL; - int success = 0; + int success = 0, len; if(strcmp(bname, ".") == 0 || strcmp(bname, "..") == 0) { /* the entire path needs to be resolved */ @@ -115,8 +115,14 @@ static char *lrealpath(const char *path, char *resolved_path) if(!(rpath = realpath(dname, NULL))) { goto cleanup; } + + len = strlen(rpath) + strlen(bname) + 2; + if (len > PATH_MAX) { + errno = ENAMETOOLONG; + goto cleanup; + } if(!resolved_path) { - if(!(resolved_path = malloc(strlen(rpath) + strlen(bname) + 2))) { + if(!(resolved_path = malloc(len))) { goto cleanup; } } @@ -187,11 +193,16 @@ static int query_fileowner(alpm_list_t *targets) } } + errno = 0; if(!lrealpath(filename, rpath)) { + if (errno == ENAMETOOLONG) { + pm_printf(ALPM_LOG_ERROR, _("path too long: %s/\n"), filename); + goto targcleanup; + } /* Can't canonicalize path, try to proceed anyway */ - strncpy(rpath, filename, PATH_MAX); + strncpy(rpath, filename, PATH_MAX - 1); + rpath[PATH_MAX - 1] = '\0'; } - if(strncmp(rpath, root, rootlen) != 0) { /* file is outside root, we know nothing can own it */ pm_printf(ALPM_LOG_ERROR, _("No package owns %s\n"), filename);
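
Review bot: In the first hunk (@@ -102,7 +102,7 @@), `len` is declared as `int` in `int success = 0, len;`, but it is assigned a sum of two `strlen()` results and then passed to `malloc(len)`, both of which work in `size_t`. Declaring it as `size_t len;` on its own line avoids the implicit narrowing to a signed type and keeps the comparison against PATH_MAX and the allocation size free of sign conversions.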
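
Review bot: In the second hunk (@@ -115,8 +115,14 @@), the `len > PATH_MAX` check sits before `if(!resolved_path)`, so it also rejects the case where lrealpath allocates its own buffer with `malloc(len)` and no fixed-size destination exists. Either move the check into the branch where a caller-supplied `resolved_path` is used, or add a comment stating that lrealpath now fails with ENAMETOOLONG for any result longer than PATH_MAX regardless of who owns the buffer. It would also help to note in a comment that the `+ 2` covers the joining separator and the terminating NUL. Style: the new line uses `if (len > PATH_MAX)` while the surrounding code writes `if(` without a space.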
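
Review bot: In the third hunk (@@ -187,11 +193,16 @@), the new message `_("path too long: %s/\n")` prints a slash after the filename, which looks like a leftover; unless the trailing `/` is intended, the format should be `"path too long: %s\n"`. The new `if (errno == ENAMETOOLONG)` also uses a space after `if`, unlike the `if(` style of the lines around it, and the hunk drops the blank line that separated the lrealpath block from the following `if(strncmp(rpath, root, rootlen) != 0)` check, which is an unrelated whitespace change that should be left out of this patch.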