Dear all,

My apologies for a clumsy bug report. It's the first time I'm submitting one.

Besides details about my OS in the initial email, here is what I wanted to write.

Package: hostname
Version: 3.15 and 3.17

When hostname is invoked with an argument "-F/" (without quotes), it reads from uninitialized memory.

I found this bug together with professors Cristian Cadar and Zvonimir Rakamaric while working on a project that aims to analyze programs from Debian GNU/Linux with a tool called KLEE: https://klee.github.io/

In particular, Cristian Cadar described the error in hostname as follows (line numbers are for version 3.15):

"I have debugged "hostname -F/" and it is indeed a bug in hostname, a rather interesting one which could cause hostname to perform an unbounded number of out-of-bound reads. Here is what happens:

1) On line 413, a buf is allocated using malloc():

       buf = (char *) malloc(st.st_size + 1)

2) Nothing is ever written into this buffer.

3) set_name(enum type_t type, char *name) is invoked with buf as the second argument.

4) On line 220 in set_name, strlen(name) is called. Since the memory to which name points was allocated but _never_ initialized, the entire buffer could have no NUL characters inside, in which case strlen will continue to dereference invalid memory. It will keep doing this until it encounters a NUL character. Depending on when this happens, the program could segfault."

The bug can be fixed if the call to malloc from step 1) is replaced with:

       buf = (char *) calloc(st.st_size + 1, sizeof(char))

-- 
Kind regards,
Marko Dimjašević <ma...@cs.utah.edu> . University of Utah
https://dimjasevic.net/marko . PGP key ID: 1503F0AA
Learn email self-defense! https://emailselfdefense.fsf.org
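As an added example (not code from the hostname package or from the report's authors), a reader for the -F file that applies both halves of the remedy: calloc() as proposed in the report, plus a check on the read result, so that a path such as "/" yields an error instead of a buffer that strlen() would walk off the end of. The function and helper names are hypothetical and the 4096-byte size cap is chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read the first line of a hostname file ("hostname -F" target); return NULL
 * when nothing could be read, so callers never get an unwritten buffer. */
char *read_hostname_file(const char *path)
{
    struct stat st;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return NULL;
    if (fstat(fileno(fp), &st) != 0 || st.st_size > 4096) { /* cap keeps st_size+1 in int */
        fclose(fp);
        return NULL;
    }
    /* calloc(), the fix proposed in the report, zero-fills the buffer, so
     * even if nothing is read it is an empty string and strlen() stays in bounds. */
    char *buf = calloc((size_t)st.st_size + 1, sizeof(char));
    if (buf == NULL) {
        fclose(fp);
        return NULL;
    }
    /* Also check the read: with "-F/" fopen() succeeds on Linux, but reading
     * a directory fails (EISDIR), which is how the malloc()'d buffer was left untouched. */
    if (fgets(buf, (int)st.st_size + 1, fp) == NULL) {
        fclose(fp);
        free(buf);
        return NULL;
    }
    fclose(fp);
    buf[strcspn(buf, "\r\n")] = '\0';   /* drop the trailing newline */
    return buf;
}

/* Demo helper: write constructed content to a temporary file, read it back
 * through read_hostname_file(), then delete the file. */
char *name_from_constructed_file(const char *content)
{
    char path[] = "/tmp/hostname-exampleXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    ssize_t w = write(fd, content, strlen(content));
    close(fd);
    char *name = (w < 0) ? NULL : read_hostname_file(path);
    unlink(path);
    return name;
}
```

Calling read_hostname_file("/") returns NULL instead of an uninitialized buffer, which is the case the report describes.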