
Issue 598694 link


Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2016
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: ----
Type: Bug-Security




Security: Chrome OS buffer overflow syren.c

Reported by eternalg...@gmail.com, Mar 29 2016

Issue description

VULNERABILITY DETAILS
Buffer Overflow [CWE-120]

VERSION
Chrome OS Version: Current Stable
Operating System: Chrome OS

REPRODUCTION CASE
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code. 

VULNERABLE CODE
https://android.googlesource.com/platform/system/core/+/froyo/toolbox/syren.c#126

	r = find_reg(argv[2]);
	if (r == NULL) {
		strcpy(name, argv[2]);
		char *addr_str = strchr(argv[2], ':');
		if (addr_str == NULL)
			return usage();
		*addr_str++ = 0;
		sio.page = strtoul(argv[2], 0, 0);
		sio.addr = strtoul(addr_str, 0, 0);
	} else {
		strcpy(name, r->name);
		sio.page = r->page;
		sio.addr = r->addr;
	}

If r returns null and argv[2] is bigger than char name[32], a buffer overflow will occur. strcpy does not check the size before copying it into name. You're better off using strncpy since that requires you to put a length in it.

Kind Regards,

Jordy Zomer
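As an added illustration (not code from the report or from syren.c), the following C program shows the bounded version of the argv[2] handling the report describes: the spec string is copied into a 32-byte name buffer only after its length has been checked, and the page:addr split is done on a separate working copy so the caller's string is never modified in place. The buffer size NAME_LEN = 32, the struct sio_req layout and the function names are assumptions for this example. The length check is used instead of strncpy because strncpy leaves the destination without a terminating NUL whenever the source is at least as long as the limit, which turns one overflow into a different read-past-the-end bug.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to match the char name[32] buffer the report refers to. */
#define NAME_LEN 32

/* Minimal stand-in for the sio structure the snippet fills in (assumed). */
struct sio_req {
    unsigned long page;
    unsigned long addr;
};

/* Hypothetical hardened parser: copies "page:addr" into name only if it fits
 * (including the NUL), then parses both numbers from a private working copy.
 * Returns 0 on success, -1 if the spec is oversized or malformed. */
int parse_reg_spec(const char *spec, char name[NAME_LEN], struct sio_req *sio)
{
    char work[NAME_LEN];
    char *colon, *end;
    size_t len;

    if (spec == NULL || sio == NULL)
        return -1;

    len = strlen(spec);
    if (len >= NAME_LEN)          /* would overflow name: reject instead of copying */
        return -1;
    memcpy(name, spec, len + 1);  /* bounded copy, NUL included */
    memcpy(work, spec, len + 1);  /* split the working copy, keep name intact */

    colon = strchr(work, ':');
    if (colon == NULL)
        return -1;
    *colon++ = '\0';

    errno = 0;
    sio->page = strtoul(work, &end, 0);
    if (end == work || *end != '\0' || errno != 0)
        return -1;

    errno = 0;
    sio->addr = strtoul(colon, &end, 0);
    if (end == colon || *end != '\0' || errno != 0)
        return -1;

    return 0;
}

/* Demo helper: 1 if spec is accepted and yields (page, addr) with name
 * holding the full spec, 0 otherwise. */
int spec_parses_to(const char *spec, unsigned long page, unsigned long addr)
{
    char name[NAME_LEN];
    struct sio_req sio;

    if (parse_reg_spec(spec, name, &sio) != 0)
        return 0;
    return sio.page == page && sio.addr == addr && strcmp(name, spec) == 0;
}

/* Demo helper: builds a constructed spec "1:000...0" of exactly len bytes and
 * reports whether the parser accepts it. Specs of NAME_LEN bytes or more
 * must be rejected, since they would not fit in name with the NUL. */
int accepts_spec_of_length(size_t len)
{
    char name[NAME_LEN];
    struct sio_req sio;
    char *buf;
    int ok;

    if (len < 3)
        return 0;
    buf = malloc(len + 1);
    if (buf == NULL)
        return 0;
    buf[0] = '1';
    buf[1] = ':';
    memset(buf + 2, '0', len - 2);
    buf[len] = '\0';
    ok = parse_reg_spec(buf, name, &sio) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed inputs: one well-formed spec and one oversized spec. */
    printf("\"0x1:0x20\" accepted: %d\n", spec_parses_to("0x1:0x20", 1, 32));
    printf("31-byte spec accepted: %d\n", accepts_spec_of_length(31));
    printf("40-byte spec accepted: %d\n", accepts_spec_of_length(40));
    return 0;
}
```

The rejection path is the point: with a fixed 32-byte destination the safe behaviours are to refuse the input or to truncate it deliberately with a terminator, and refusing is the better default for a register name, where a silently truncated value would be operated on as if it were what the user typed.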
 
Labels: Needs-Feedback
Could you please provide a test case that exercises this in an actual Chrome OS build? Static analysis reports are often false-positives, or may not be reachable through normal execution.
I don't have a chromebook, would it be a viable thing to do on a virtual machine? :)
Project Member

Comment 3 by sheriffbot@chromium.org, Mar 30 2016

Labels: -Needs-Feedback Needs-Review
Owner: mbarbe...@chromium.org
Thank you for providing more feedback. Adding requester "mbarbella@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Needs-Review
Owner: ----
https://www.chromium.org/chromium-os/how-tos-and-troubleshooting/running-chromeos-image-under-virtual-machines seems to have documentation for doing this, though I'm not sure how recent it is.
Thank you, I'll look into it soon.
Labels: Needs-Feedback OS-Chrome

Comment 7 by kenrb@chromium.org, Apr 7 2016

Closing for now. This can be re-opened or you can file a new bug if this bug is reachable by a proof of concept.

Comment 8 by kenrb@chromium.org, Apr 7 2016

Status: WontFix (was: Unconfirmed)
Project Member

Comment 9 by sheriffbot@chromium.org, Jul 15 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 10 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
