
enlightenment_system: _cb_stdio_in_read(): potentially large memory allocation based on untrusted user data
Closed, ResolvedPublic

Description

h) _cb_stdio_in_read(): potentially large memory allocation based on untrusted user data

The line buf = malloc(head.size) takes the untrusted size specification
provided by the unprivileged user to allocate a potentially large chunk of
data. On Linux this is mostly uncritical, because the kernel overcommits
memory. On other OSs this could be used to hog memory in a root process.

I suggest implementing a reasonable maximum message size and rejecting everything else.

http://bugzilla.suse.com/show_bug.cgi?id=1170177

simotek created this task. Apr 22 2020, 4:08 AM
simotek triaged this task as High priority.

Well, it can alloc up to 2GB... which these days... isn't an issue :) as it's a signed int and it checks for < 0 already, but I guess I can put an upper bound on it being silly. Indeed overcommit would have helped and it'd need to actually read() in all that data to touch all the pages.
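As an added illustration of the read path with the upper bound the report asks for (this is not code from the task or from enlightenment_system): the page shows only `head.size` and `buf = malloc(head.size)`, so the `struct msg_head` layout, the `read_message` function and the `MSG_MAX_SIZE` value are assumptions, and the in-memory stream stands in for the privileged process's stdin.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed header layout: the task only shows "head.size", so this struct is
 * a stand-in for the real framing; a signed int matches the "signed int and
 * it checks for < 0 already" remark. MSG_MAX_SIZE is a constructed bound. */
struct msg_head {
    int size;
};
#define MSG_MAX_SIZE (64 * 1024)

enum msg_status {
    MSG_OK = 0,
    MSG_ERR_SHORT,    /* stream ends before the body the header promises */
    MSG_ERR_NEGATIVE, /* size < 0: the check the code already had */
    MSG_ERR_TOO_BIG,  /* size > MSG_MAX_SIZE: the bound the report asks for */
    MSG_ERR_ALLOC
};

/* Reads one framed message from an in-memory stream that stands in for the
 * privileged process's stdin. On MSG_OK, *out is a malloc'ed copy of the
 * body (caller frees) and *out_len its length. */
static enum msg_status read_message(const unsigned char *stream,
                                    size_t stream_len,
                                    unsigned char **out, int *out_len)
{
    struct msg_head head;
    unsigned char *buf;
    *out = NULL; *out_len = 0;
    if (stream_len < sizeof head)
        return MSG_ERR_SHORT;
    memcpy(&head, stream, sizeof head);
    if (head.size < 0)
        return MSG_ERR_NEGATIVE;
    /* Reject before malloc: the body is read() only after the allocation,
     * so this bound is what stops an unprivileged client from making the
     * root process reserve (or, with no overcommit, commit) gigabytes. */
    if (head.size > MSG_MAX_SIZE)
        return MSG_ERR_TOO_BIG;
    buf = malloc(head.size > 0 ? (size_t)head.size : 1);
    if (!buf)
        return MSG_ERR_ALLOC;
    if (stream_len - sizeof head < (size_t)head.size) {
        free(buf);
        return MSG_ERR_SHORT;
    }
    memcpy(buf, stream + sizeof head, (size_t)head.size);
    *out = buf; *out_len = head.size;
    return MSG_OK;
}
```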