From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <corinna@sourceware.org>
Received: by sourceware.org (Postfix, from userid 2155)
 id CDE263858D35; Mon,  6 Jul 2020 11:18:18 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org CDE263858D35
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Corinna Vinschen <corinna@sourceware.org>
To: cygwin-cvs@sourceware.org
Subject: [newlib-cygwin] Cygwin: fix buffer overrun in cygwin_strcasecmp
X-Act-Checkin: newlib-cygwin
X-Git-Author: Corinna Vinschen <corinna@vinschen.de>
X-Git-Refname: refs/heads/master
X-Git-Oldrev: f095752167343ac10eeeba9007a84d51151aad3d
X-Git-Newrev: bb96bd03b0b9be5ed63127771687ac4877092ef8
Message-Id: <20200706111818.CDE263858D35@sourceware.org>
Date: Mon,  6 Jul 2020 11:18:18 +0000 (GMT)
X-BeenThere: cygwin-cvs@cygwin.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Cygwin core component git logs <cygwin-cvs.cygwin.com>
List-Unsubscribe: <http://cygwin.com/mailman/options/cygwin-cvs>,
 <mailto:cygwin-cvs-request@cygwin.com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin-cvs/>
List-Help: <mailto:cygwin-cvs-request@cygwin.com?subject=help>
List-Subscribe: <http://cygwin.com/mailman/listinfo/cygwin-cvs>,
 <mailto:cygwin-cvs-request@cygwin.com?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 11:18:18 -0000

https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=bb96bd03b0b9be5ed63127771687ac4877092ef8

commit bb96bd03b0b9be5ed63127771687ac4877092ef8
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Mon Jul 6 13:17:53 2020 +0200

    Cygwin: fix buffer overrun in cygwin_strcasecmp
    
    sys_mbstowcs is called with the destination buffer length
    set to MaximumLength from the receiving UNICODE_STRING buffer.
    This is twice as much as the actual size of the buffer in
    wchar_t units, which is the unit expected by sys_mbstowcs.
    
    sys_mbstowcs always attaches a NUL, within the destination
    buffersize given.  But if the string is exactly one wchar_t
    less than the actual buffer, and the buffersize is given too
    large, sys_mbstowcs writes a NUL one wchar_t beyond the buffer.
    
    This has only been exposed with Cygwin 3.1.5 because alloca
    on newer gcc 9 apparently allocates more tightly.  The alloca
    buffer here is requested with 16 bytes, which is exactly the
    number of bytes required for the string L"cmd.exe".  Older gcc
    apparently allocated a few more bytes on the stack, while gcc 9
    allocates in 16 byte granularity...
    
    Fix this by giving the correct destination buffer size to
    sys_mbstowcs.
    
    Fixes: https://cygwin.com/pipermail/cygwin/2020-June/245226.html
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/cygwin/release/3.1.6 |  3 +++
 winsup/cygwin/strfuncs.cc   | 34 ++++++++++++++++++++--------------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/winsup/cygwin/release/3.1.6 b/winsup/cygwin/release/3.1.6
index d64ee4c92..e06c0bc9a 100644
--- a/winsup/cygwin/release/3.1.6
+++ b/winsup/cygwin/release/3.1.6
@@ -9,3 +9,6 @@ Bug Fixes:
 ----------
 
 - Fix IPPROTO_TCP option handling, especially in terms of TCP_MAXSEG.
+
+- Fix a buffer overrun in Cygwin-internal string comparison.
+  Fixes: https://cygwin.com/pipermail/cygwin/2020-June/245226.html
diff --git a/winsup/cygwin/strfuncs.cc b/winsup/cygwin/strfuncs.cc
index e0a4c7182..604d7611c 100644
--- a/winsup/cygwin/strfuncs.cc
+++ b/winsup/cygwin/strfuncs.cc
@@ -635,7 +635,7 @@ sys_cp_mbstowcs (mbtowc_p f_mbtowc, wchar_t *dst, size_t dlen,
 	  /* The technique is based on a discussion here:
 	     http://www.mail-archive.com/linux-utf8@nl.linux.org/msg00080.html
 
-	     Invalid bytes in a multibyte secuence are converted to
+	     Invalid bytes in a multibyte sequence are converted to
 	     the private use area which is already used to store ASCII
 	     chars invalid in Windows filenames.  This technque allows
 	     to store them in a symmetric way. */
@@ -801,14 +801,18 @@ extern "C" int __stdcall
 cygwin_strcasecmp (const char *cs, const char *ct)
 {
   UNICODE_STRING us, ut;
-  ULONG len;
-
-  len = (strlen (cs) + 1) * sizeof (WCHAR);
-  RtlInitEmptyUnicodeString (&us, (PWCHAR) alloca (len), len);
-  us.Length = sys_mbstowcs (us.Buffer, us.MaximumLength, cs) * sizeof (WCHAR);
-  len = (strlen (ct) + 1) * sizeof (WCHAR);
-  RtlInitEmptyUnicodeString (&ut, (PWCHAR) alloca (len), len);
-  ut.Length = sys_mbstowcs (ut.Buffer, ut.MaximumLength, ct) * sizeof (WCHAR);
+  ULONG len, ulen;
+
+  len = strlen (cs) + 1;
+  ulen = len * sizeof (WCHAR);
+  RtlInitEmptyUnicodeString (&us, (PWCHAR) alloca (ulen), ulen);
+  us.Length = sys_mbstowcs (us.Buffer, len, cs) * sizeof (WCHAR);
+
+  len = strlen (ct) + 1;
+  ulen = len * sizeof (WCHAR);
+  RtlInitEmptyUnicodeString (&ut, (PWCHAR) alloca (ulen), ulen);
+  ut.Length = sys_mbstowcs (ut.Buffer, len, ct) * sizeof (WCHAR);
+
   return RtlCompareUnicodeString (&us, &ut, TRUE);
 }
 
@@ -816,19 +820,21 @@ extern "C" int __stdcall
 cygwin_strncasecmp (const char *cs, const char *ct, size_t n)
 {
   UNICODE_STRING us, ut;
-  ULONG len;
+  ULONG ulen;
   size_t ls = 0, lt = 0;
 
   while (cs[ls] && ls < n)
     ++ls;
-  len = (ls + 1) * sizeof (WCHAR);
-  RtlInitEmptyUnicodeString (&us, (PWCHAR) alloca (len), len);
+  ulen = (ls + 1) * sizeof (WCHAR);
+  RtlInitEmptyUnicodeString (&us, (PWCHAR) alloca (ulen), ulen);
   us.Length = sys_mbstowcs (us.Buffer, ls + 1, cs, ls) * sizeof (WCHAR);
+
   while (ct[lt] && lt < n)
     ++lt;
-  len = (lt + 1) * sizeof (WCHAR);
-  RtlInitEmptyUnicodeString (&ut, (PWCHAR) alloca (len), len);
+  ulen = (lt + 1) * sizeof (WCHAR);
+  RtlInitEmptyUnicodeString (&ut, (PWCHAR) alloca (ulen), ulen);
   ut.Length = sys_mbstowcs (ut.Buffer, lt + 1, ct, lt)  * sizeof (WCHAR);
+
   return RtlCompareUnicodeString (&us, &ut, TRUE);
 }