h) _cb_stdio_in_read(): potentially large memory allocation based on
untrusted user data
The line buf = malloc(head.size) takes the untrusted size specification
provided by the unprivileged user to allocate a potentially large chunk of
data. On Linux this is mostly uncritical, because the kernel overcommits
memory. On other OSs this could be used to hog memory in a root process.
I suggest to implement a reasonable maximum message size and reject everything
else.
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Resolved | raster | T8669 enlightenment_system security issue tracker bug. | ||
| Resolved | raster | T8677 enlightenment_system: _cb_stdio_in_read(): potentially large memory allocation based on untrusted user data |
well it can alloc up to 2gb... which these days... isnt an issue :) as its a signed int and it checks for < 0 already but ii guess i can put an upper bound on it being silly. indeed overcommit would have helped and it'd need to actually read() in all that data to touch all the pages.