Core ReactOS / CORE-4938

PATCH: iomgr: Off-by-one bug in arcname::IopAssignArcNamesToCdrom();


Details

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 0.4.0
    • Component/s: NTCore
    • Labels: None
    • Environment: Operating System: ReactOS; Platform: x86 Hardware

    Description

      Submitted directly to the ros-bugs mailing list, from zhitong.wangzt@alibaba-inc.com

      Off-by-one error in ntoskrnl/io/iomgr/arcname.c:
      IopAssignArcNamesToCdrom() doesn't check the
      KeLoaderBlock->ArcBootDeviceName length, so using sprintf could
      cause a kernel stack buffer overflow
      or an off-by-one error.

      BOOLEAN
      INIT_FUNCTION
      NTAPI
      IopAssignArcNamesToCdrom(IN PULONG Buffer, IN ULONG DiskNumber)
      {
          CHAR ArcBuffer[128];

          if (IopApplyRosCdromArcHack(DiskNumber))
          {
              /* The KeLoaderBlock->ArcBootDeviceName length is not checked, so sprintf
                 can overflow ArcBuffer on the kernel stack. Even if
                 KeLoaderBlock->ArcBootDeviceName is exactly 128 characters long,
                 there is no room left for the terminating '\0'. */
              sprintf(ArcBuffer, "\\ArcName\\%s", KeLoaderBlock->ArcBootDeviceName);
          }
      So IopAssignArcNamesToCdrom() should check the
      KeLoaderBlock->ArcBootDeviceName length or replace
      sprintf with snprintf. The same errors also exist in
      IopCreateArcNames() and IopReassignSystemRoot().

      Thanks.
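The following is an added user-mode model of the pattern described in the report; it is not ReactOS code and not part of the submitted report. It keeps the sizes that matter (a 128-byte stack buffer and the 9-character "\\ArcName\\" prefix) and shows, next to the unchecked sprintf arithmetic, a bounded replacement that rejects names that cannot fit and verifies the snprintf return value. The function names, the constructed test names and the use of C99 snprintf in place of the kernel's RtlString routines are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sizes modelled on the snippet in the report: ArcBuffer[128] and the
 * "\\ArcName\\" prefix. Everything else here is an assumption for this
 * user-mode illustration, not a kernel definition. */
#define ARC_BUFFER_SIZE 128
#define ARC_PREFIX      "\\ArcName\\"   /* 9 characters */

/* Number of bytes an unchecked sprintf(ArcBuffer, "\\ArcName\\%s", name)
 * writes, terminator included. Anything above ARC_BUFFER_SIZE lands past
 * the end of the stack buffer. Computed, not written, so this never
 * actually overflows. */
size_t unchecked_format_len(const char *name)
{
    return strlen(ARC_PREFIX) + strlen(name) + 1;
}

/* Largest device name that still fits with its terminating NUL:
 * 128 - 9 - 1 = 118. A 119-character name is the off-by-one case. */
size_t max_arc_name_len(void)
{
    return ARC_BUFFER_SIZE - strlen(ARC_PREFIX) - 1;
}

/* Hardened formatting: bound the input before formatting, then use a
 * length-limited formatter and check its result so silent truncation is
 * treated as a failure rather than accepted. Returns true only when the
 * complete string, NUL included, was written into out. */
bool arc_name_format_checked(char *out, size_t out_size, const char *name)
{
    if (out_size <= strlen(ARC_PREFIX))
        return false;                       /* no room even for the prefix */
    if (strlen(name) > out_size - strlen(ARC_PREFIX) - 1)
        return false;                       /* would not fit with the NUL */

    int n = snprintf(out, out_size, ARC_PREFIX "%s", name);
    return n >= 0 && (size_t)n < out_size;  /* n == out_size means truncated */
}

/* Constructed input: a device name of exactly len 'A' characters. */
void make_name(char *dst, size_t len)
{
    memset(dst, 'A', len);
    dst[len] = '\0';
}

int main(void)
{
    char buffer[ARC_BUFFER_SIZE];
    char name[256];

    make_name(name, max_arc_name_len());
    printf("%zu-char name: fits=%d\n", max_arc_name_len(),
           arc_name_format_checked(buffer, sizeof buffer, name));

    make_name(name, max_arc_name_len() + 1);
    printf("%zu-char name: unchecked sprintf writes %zu bytes into %d, fits=%d\n",
           max_arc_name_len() + 1, unchecked_format_len(name), ARC_BUFFER_SIZE,
           arc_name_format_checked(buffer, sizeof buffer, name));
    return 0;
}
```

The pre-check on strlen(name) and the check on the snprintf return value are deliberately both present: the first rejects oversized input up front, the second catches any format change that later grows the output, so neither the overflow nor the missing-terminator case can reappear silently.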

      People: HeisSpiter (Pierre Schweitzer), haos (Haos)