Package: bsdmainutils
Version: 8.2.1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty ubuntu-patch

Hi!

The "cal" program will abort if it is compiled with -D_FORTIFY_SOURCE=2
(the default in Ubuntu) due to a misuse of "sizeof" on a wchar_t string:

Program received signal SIGABRT, Aborted.
0x00007ffff7849ba5 in raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x00007ffff7849ba5 in raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff784d4f6 in abort () at abort.c:92
#2  0x00007ffff78826bb in __libc_message (do_abort=2, 
    fmt=0x7ffff7958323 "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff790e897 in __fortify_fail (
    msg=0x7ffff79582ba "buffer overflow detected") at fortify_fail.c:32
#4  0x00007ffff790d7b0 in __chk_fail () at chk_fail.c:29
#5  0x00007ffff790fe6c in __vswprintf_chk (s=0x7fffffffe020 L"\x609840", 
    maxlen=256, flags=1, slen=18446744073709551615, 
    format=0x404320 L"%-ls %d", args=0x7fffffffb7c0) at vswprintf_chk.c:37
#6  0x00007ffff790fd55 in __swprintf_chk (s=<value optimized out>, 
    n=<value optimized out>, flag=<value optimized out>, 
    s_len=<value optimized out>, format=<value optimized out>)
    at swprintf_chk.c:33
#7  0x0000000000402136 in swprintf (y=<value optimized out>, m=24132, 
    jd_flag=0, before=<value optimized out>, after=<value optimized out>)
    at /usr/include/bits/wchar2.h:290
#8  monthrangeb (y=<value optimized out>, m=24132, jd_flag=0, 
    before=<value optimized out>, after=<value optimized out>) at ncal.c:695
#9  0x000000000040347f in main (argc=<value optimized out>, 
    argv=<value optimized out>) at ncal.c:536

ncal/ncal.c:

    swprintf(ws, sizeof(ws), L"%-ls %d", ...

sizeof(ws) will give the size of the ws array in bytes, not wide
characters, so the __swprintf_chk will always fail. This should be
MAX_WIDTH instead.

Please see the attached patch.

Thanks!

-Kees

-- 
Kees Cook                                            @debian.org
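The mismatch described above (sizeof on a wchar_t array yields bytes, while the second argument of swprintf counts wide characters) in a stand-alone C example. This is an added illustration, not code from the report or from bsdmainutils: MAX_WIDTH is given an assumed value because the report does not show the one in ncal.c, and ws_byte_size, ws_elem_count and format_month_title are names chosen here for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed buffer width, named after the MAX_WIDTH macro the report refers
 * to; the real value in ncal.c is not shown in the report. */
#define MAX_WIDTH 64

/* Byte size of a MAX_WIDTH wchar_t array: what sizeof(ws) yields. */
size_t ws_byte_size(void)
{
    wchar_t ws[MAX_WIDTH];
    return sizeof(ws);
}

/* Element count of the same array: the largest value swprintf's maxlen
 * may legitimately take for this buffer. */
size_t ws_elem_count(void)
{
    wchar_t ws[MAX_WIDTH];
    return sizeof(ws) / sizeof(ws[0]);
}

/*
 * Format "<name> <year>" into dst, the way ncal's monthrangeb() builds a
 * month heading. dst_len is the element count of dst, never its byte size.
 * Returns the number of wide characters written, or -1 if the result did
 * not fit (swprintf, unlike snprintf, returns a negative value on
 * truncation, and the buffer contents are then unspecified).
 */
int format_month_title(wchar_t *dst, size_t dst_len,
                       const wchar_t *name, int year)
{
    int n = swprintf(dst, dst_len, L"%-ls %d", name, year);
    if (n < 0) {
        /* Truncated: leave a well-defined empty string behind. */
        if (dst_len > 0)
            dst[0] = L'\0';
        return -1;
    }
    return n;
}

int main(void)
{
    wchar_t ws[MAX_WIDTH];

    printf("sizeof(ws) = %zu bytes, %zu elements\n",
           ws_byte_size(), ws_elem_count());

    /* Correct bound: the element count, not sizeof(ws). */
    int n = format_month_title(ws, sizeof(ws) / sizeof(ws[0]),
                               L"January", 2011);
    printf("n = %d, ws = \"%ls\"\n", n, ws);

    /* Constructed too-small buffer: truncation is reported, never written
     * past the end of the array. */
    wchar_t small[8];
    n = format_month_title(small, sizeof(small) / sizeof(small[0]),
                           L"September", 2011);
    printf("n = %d (truncated)\n", n);
    return 0;
}
```

With glibc's 4-byte wchar_t the first line printed is "sizeof(ws) = 256 bytes, 64 elements": passing the byte count as maxlen tells swprintf it may write four times as many wide characters as the array holds, which is exactly the condition the fortified __swprintf_chk rejects before any data is written. Dividing by sizeof(ws[0]) gives the element count and stays correct if the array declaration ever changes.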
Description: sizeof(ws) != wide characters in ws, this will trigger an
 abort when compiled with -D_FORTIFY_SOURCE=2
Author: Kees Cook <k...@ubuntu.com>

Index: bsdmainutils-8.2.1/usr.bin/ncal/ncal.c
===================================================================
--- bsdmainutils-8.2.1.orig/usr.bin/ncal/ncal.c	2011-01-21 19:17:57.663150640 -0800
+++ bsdmainutils-8.2.1/usr.bin/ncal/ncal.c	2011-01-21 19:18:15.113588903 -0800
@@ -692,7 +692,7 @@
 				wprintf(L"%-*ls  ",
 				    mw, wcenter(ws, year[i].name, mw));
 			else {
-				swprintf(ws, sizeof(ws), L"%-ls %d",
+				swprintf(ws, MAX_WIDTH, L"%-ls %d",
 				    year[i].name, M2Y(m + i));
 				wprintf(L"%-*ls  ", mw, wcenter(ws1, ws, mw));
 			}
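Review bot: the new bound in `swprintf(ws, MAX_WIDTH, L"%-ls %d",` is only correct if ws is declared as `wchar_t ws[MAX_WIDTH]`, and that declaration is outside this hunk; writing `sizeof(ws) / sizeof(ws[0])` (or an equivalent element-count macro) would tie the bound to the array itself and stay correct if the declaration ever changes. The return value is also still unchecked: swprintf returns a negative value when the formatted heading does not fit in MAX_WIDTH wide characters, and ws is then handed to `wcenter(ws1, ws, mw)` with unspecified contents, so a check (or at least a note that the heading can never exceed the buffer) would be worth adding.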
