Out of bounds va_arg access in rpl_fcntl
From: Frank Busse
Subject: Out of bounds va_arg access in rpl_fcntl
Date: Wed, 5 Sep 2018 11:33:30 +0100
Hi,
this was found by using KLEE [1] on Coreutils 8.30 (shred, stty, sync,
tail, and probably also in dd (untested)). These tools call
fcntl (fd, F_GETFL)
F_GETFL is not handled in fcntl.c:rpl_fcntl and the default case tries
to access a non-existing argument:
--
        default:
          {
#if HAVE_FCNTL
            void *p = va_arg (arg, void *);   <---
            result = fcntl (fd, action, p);
#else
            errno = EINVAL;
#endif
            break;
          }
      }
    va_end (arg);
    return result;
--
Kind regards,
Frank
[1] https://klee.github.io/
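The defect in the report is that the default case reads a va_arg for every command, including F_GETFL, which the caller never passed an argument for. The following is an added illustration, not gnulib's code or the fix the thread settled on: a hypothetical wrapper that classifies each command by the kind of argument it takes and reads the va_list only when an argument actually exists. The set of commands in classify (F_GETFD, F_GETFL, F_DUPFD, F_SETFD, F_SETFL; everything else treated as pointer-taking) is an assumption of this example.

```c
#include <fcntl.h>
#include <stdarg.h>
#include <unistd.h>

/* Kind of third argument each fcntl command takes.  Reading va_arg for a
   command whose caller passed nothing is undefined behaviour, so the
   wrapper must not touch the va_list for ARG_NONE. */
enum arg_kind { ARG_NONE, ARG_INT, ARG_PTR };

static enum arg_kind classify (int action)
{
  switch (action)
    {
    case F_GETFD: case F_GETFL:               /* no argument */
      return ARG_NONE;
    case F_DUPFD: case F_SETFD: case F_SETFL: /* int argument */
      return ARG_INT;
    default:                                  /* F_GETLK, F_SETLK, F_SETLKW, ... */
      return ARG_PTR;
    }
}

/* Hypothetical replacement wrapper (not gnulib's rpl_fcntl): the va_list
   is read only for commands that actually carry an argument. */
int checked_fcntl (int fd, int action, ...)
{
  va_list arg;
  int result;
  va_start (arg, action);
  switch (classify (action))
    {
    case ARG_NONE: result = fcntl (fd, action); break;
    case ARG_INT:  result = fcntl (fd, action, va_arg (arg, int)); break;
    default:       result = fcntl (fd, action, va_arg (arg, void *)); break;
    }
  va_end (arg);
  return result;
}

/* Exercise the no-argument path from the report on a constructed pipe:
   returns 1 when F_GETFL succeeds and an F_SETFL change reads back. */
int getfl_roundtrip (void)
{
  int fds[2];
  if (pipe (fds) != 0) return 0;
  int flags = checked_fcntl (fds[0], F_GETFL);
  int ok = flags >= 0
           && checked_fcntl (fds[0], F_SETFL, flags | O_NONBLOCK) == 0
           && (checked_fcntl (fds[0], F_GETFL) & O_NONBLOCK) != 0;
  close (fds[0]); close (fds[1]);
  return ok;
}
```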
- Out of bounds va_arg access in rpl_fcntl, Frank Busse, 2018/09/05 (this message)
- Re: Out of bounds va_arg access in rpl_fcntl, Eric Blake, 2018/09/05
- Re: Out of bounds va_arg access in rpl_fcntl, Paul Eggert, 2018/09/05
- Re: Out of bounds va_arg access in rpl_fcntl, Bruno Haible, 2018/09/05
- Re: Out of bounds va_arg access in rpl_fcntl, Paul Eggert, 2018/09/05
- Re: Out of bounds va_arg access in rpl_fcntl, Bruno Haible, 2018/09/05
- Re: Out of bounds va_arg access in rpl_fcntl, Paul Eggert, 2018/09/05
- Re: Out of bounds va_arg access in rpl_fcntl, Bruno Haible, 2018/09/05
- Re: Out of bounds va_arg access in rpl_fcntl, Bruno Haible, 2018/09/06
- Re: Out of bounds va_arg access in rpl_fcntl, Frank Busse, 2018/09/07
- Re: Out of bounds va_arg access in rpl_fcntl, Eric Blake, 2018/09/05