[exim-dev] [Bug 2634] New: Taint check (is_tainted) is sligh…

Author: admin
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 2634] Taint check (is_tainted) is slightly overzealous
Subject: [exim-dev] [Bug 2634] New: Taint check (is_tainted) is slightly overzealous
https://bugs.exim.org/show_bug.cgi?id=2634

            Bug ID: 2634
           Summary: Taint check (is_tainted) is slightly overzealous
           Product: Exim
           Version: 4.94
          Hardware: x86-64
                OS: NetBSD
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Unfiled
          Assignee: unallocated@???
          Reporter: gavan@???
                CC: exim-dev@???


The taint check (is_tainted_fn) works by checking a given pointer to see if it
falls within the bounds of one of the allocated blocks in the tainted pools.

Unfortunately, the upper boundary check uses a <= rather than a <, which means
that if a block is allocated *immediately* after a tainted block, then the
taint check will incorrectly return true when passed a pointer to that block,
even though it is (just) outside the tainted block.

On my NetBSD/amd64 9.0 machine, it just so happens that the first tainted block
is allocated immediately below the log_buffer, which causes any call to
log_write to result in an infinite recursive loop calling itself to report a
Taint mismatch, until it runs out of stack and crashes, because it considers
file_path to be tainted.

The fix is pretty straightforward - to change <= to < in both places where it
occurs within is_tainted_fn.

I have tested the fix on my NetBSD machine, and applied it as a patch in pkgsrc
for other users of NetBSD and other systems that use pkgsrc until the bug is
fixed upstream.
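The off-by-one described above, worked through as an added example (this is not Exim's code; `tainted_block`, `is_tainted_buggy` and `is_tainted_fixed` are a simplified model of a tainted-pool block list, and the arena layout is constructed so that an untainted buffer sits immediately after a tainted block, as the report says happens with log_buffer on NetBSD):

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a tainted-pool block list (not Exim's real store
 * block structure): each block records the start address and the length
 * of its usable memory. */
typedef struct tainted_block {
    const unsigned char *start;
    size_t length;
    const struct tainted_block *next;
} tainted_block;

/* Buggy check, modelled on the bug report: the upper bound uses <=, so the
 * address one past the end of a tainted block (which is the first byte of
 * whatever was allocated immediately after it) is reported as tainted. */
static int is_tainted_buggy(const tainted_block *list, const void *p)
{
    const unsigned char *cp = p;
    for (const tainted_block *b = list; b; b = b->next)
        if (cp >= b->start && cp <= b->start + b->length)
            return 1;
    return 0;
}

/* Fixed check: strict < on the upper bound, so a pointer is tainted only
 * when it addresses a byte that actually lies inside the block. */
static int is_tainted_fixed(const tainted_block *list, const void *p)
{
    const unsigned char *cp = p;
    for (const tainted_block *b = list; b; b = b->next)
        if (cp >= b->start && cp < b->start + b->length)
            return 1;
    return 0;
}

/* Constructed arena: a 32-byte tainted block followed immediately by an
 * untainted buffer, the adjacency the report describes. Keeping both in
 * one array makes the pointer comparisons well-defined C. */
static unsigned char arena[64];
static const tainted_block tainted_pool = { arena, 32, NULL };
static unsigned char *const untainted_buffer = arena + 32;

/* Returns 1 if the buggy check misclassifies the untainted neighbour. */
int buggy_check_false_positive(void)
{
    return is_tainted_buggy(&tainted_pool, untainted_buffer);
}

/* Returns 1 if the fixed check misclassifies the untainted neighbour. */
int fixed_check_false_positive(void)
{
    return is_tainted_fixed(&tainted_pool, untainted_buffer);
}

/* Both versions must still flag a pointer to the last tainted byte. */
int both_detect_inside(void)
{
    return is_tainted_buggy(&tainted_pool, arena + 31)
        && is_tainted_fixed(&tainted_pool, arena + 31);
}

int main(void)
{
    printf("buggy check flags neighbour: %d\n", buggy_check_false_positive());
    printf("fixed check flags neighbour: %d\n", fixed_check_false_positive());
    printf("both flag last tainted byte: %d\n", both_detect_inside());
    return 0;
}
```

The false positive only shows up when the allocator happens to place an untainted object directly at `start + length` of a tainted block, which is why the report sees it on one platform and not others; a regression test for a fix like this should therefore construct the adjacency deliberately rather than rely on allocator layout.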
