Details
- Improvement
- Resolution: Fixed
- Major
- None
- Operating System: ReactOS
- Platform: x86 Hardware
Description
Submitted to the ros-bugs mailing list directly, from zhitong.wangzt@alibaba-inc.com
Off-by-one errors in ntoskrnl/io/iomgr/arcname.c:
IopAssignArcNamesToCdrom() doesn't check the
KeLoaderBlock->ArcBootDeviceName length, so using sprintf could
cause a kernel stack buffer overflow,
or an off-by-one error.
BOOLEAN
INIT_FUNCTION
NTAPI
IopAssignArcNamesToCdrom(IN PULONG Buffer, IN ULONG DiskNumber)
{
    CHAR ArcBuffer[128];
    …
    if (IopApplyRosCdromArcHack(DiskNumber))
    {
        /* The KeLoaderBlock->ArcBootDeviceName length is not checked, so sprintf
           could cause a kernel stack buffer overflow of ArcBuffer. Even if the
           KeLoaderBlock->ArcBootDeviceName length evaluates to 128 together with
           the prefix, the terminating '\0' will not fit (off-by-one). */
        sprintf(ArcBuffer, "\\ArcName\\%s", KeLoaderBlock->ArcBootDeviceName);
        …
    }
So IopAssignArcNamesToCdrom() should check the
KeLoaderBlock->ArcBootDeviceName length or replace
sprintf with snprintf. The same errors also exist in
IopCreateArcNames() and IopReassignSystemRoot().
Thanks.
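The following is an added, user-mode illustration of the fix the report asks for; it is not ReactOS code. A hypothetical helper build_arc_name() builds the same "\ArcName\<device>" string into a 128-byte buffer, but first checks the device-name length (prefix of 9 characters plus the terminating NUL) and then relies on C99 snprintf's return value as a second guard, so an oversized or exactly-boundary name is rejected instead of overflowing the stack buffer. In the kernel the equivalent would be an explicit strlen() check or a bounded routine such as RtlStringCbPrintfA; the device names used below are constructed sample inputs.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARC_BUFFER_SIZE 128   /* same size as ArcBuffer in the report */
#define ARC_PREFIX_LEN  9     /* strlen("\\ArcName\\") */

/* Hypothetical bounded replacement for the unchecked sprintf in the report.
 * Returns 1 and fills dst on success, 0 (with dst emptied) if the result
 * would not fit including the terminating NUL. Assumes C99 snprintf
 * semantics: the return value is the length that would have been written. */
int build_arc_name(char *dst, size_t dst_size, const char *device)
{
    int needed;

    if (dst == NULL || dst_size == 0 || device == NULL)
        return 0;

    /* The explicit length check the report asks for: prefix + name + NUL. */
    if (strlen(device) + ARC_PREFIX_LEN + 1 > dst_size) {
        dst[0] = '\0';
        return 0;
    }

    needed = snprintf(dst, dst_size, "\\ArcName\\%s", device);
    /* Second guard: snprintf signals truncation through its return value. */
    if (needed < 0 || (size_t)needed >= dst_size) {
        dst[0] = '\0';
        return 0;
    }
    return 1;
}

/* Constructed normal case: a typical ARC boot device name fits comfortably. */
int typical_name_is_built(void)
{
    char buf[ARC_BUFFER_SIZE];
    const char *device = "multi(0)disk(0)cdrom(0)";   /* constructed sample */
    if (!build_arc_name(buf, sizeof buf, device))
        return 0;
    return strcmp(buf, "\\ArcName\\multi(0)disk(0)cdrom(0)") == 0;
}

/* Largest name that still fits: 128 - 9 - 1 = 118 characters. */
int max_fitting_name_is_accepted(void)
{
    char buf[ARC_BUFFER_SIZE];
    char device[ARC_BUFFER_SIZE];
    memset(device, 'a', ARC_BUFFER_SIZE - ARC_PREFIX_LEN - 1);   /* constructed */
    device[ARC_BUFFER_SIZE - ARC_PREFIX_LEN - 1] = '\0';
    return build_arc_name(buf, sizeof buf, device) == 1
        && strlen(buf) == ARC_BUFFER_SIZE - 1;
}

/* The off-by-one case from the report: prefix + name exactly fill the buffer,
 * leaving no room for the NUL. sprintf would write 129 bytes; the bounded
 * helper must reject it. Returns 1 if it was rejected. */
int off_by_one_name_is_rejected(void)
{
    char buf[ARC_BUFFER_SIZE];
    char device[ARC_BUFFER_SIZE + 1];
    memset(device, 'a', ARC_BUFFER_SIZE - ARC_PREFIX_LEN);   /* constructed */
    device[ARC_BUFFER_SIZE - ARC_PREFIX_LEN] = '\0';
    return build_arc_name(buf, sizeof buf, device) == 0 && buf[0] == '\0';
}
```

The two guards are deliberately redundant: the strlen() check documents the invariant (ArcBuffer must hold prefix, name and NUL), while the snprintf return-value check catches the case where a caller later changes the format string without updating the arithmetic.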