https://bugs.exim.org/show_bug.cgi?id=2634
Bug ID: 2634
Summary: Taint check (is_tainted) is slightly overzealous
Product: Exim
Version: 4.94
Hardware: x86-64
OS: NetBSD
Status: NEW
Severity: bug
Priority: medium
Component: Unfiled
Assignee: unallocated@???
Reporter: gavan@???
CC: exim-dev@???
The taint check (is_tainted_fn) works by checking a given pointer to see if it
falls within the bounds of one of the allocated blocks in the tainted pools.
Unfortunately, the upper boundary check uses a <= rather than a <, which means
that if a block is allocated *immediately* after a tainted block, then the
taint check will incorrectly return true when passed a pointer to that block,
even though it is (just) outside the tainted block.
On my NetBSD/amd64 9.0 machine, it just so happens that the first tainted block
is allocated immediately below the log_buffer, which causes any call to
log_write to result in an infinite recursive loop calling itself to report a
Taint mismatch, until it runs out of stack and crashes, because it considers
file_path to be tainted.
The fix is pretty straightforward - to change <= to < in both places where it
occurs within is_tainted_fn.
I have tested the fix on my NetBSD machine, and applied it as a patch in pkgsrc
for other users of NetBSD and other systems that use pkgsrc until the bug is
fixed upstream.
--
You are receiving this mail because:
You are on the CC list for the bug.
