ref: 86e63c36eded29e46a17628264b73d743df9a864
parent: ffa761beae76043ff7630bd45f68cb5ed08a93fa
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Thu Dec 11 13:32:50 EST 2014
kbmap: fix sprint() buffer overflow (thanks silasm) A buffer can be overflowed in the init function of kbmap.c by using a filename of more than 112 characters. sample output: % cd /sys/lib/kbmap % touch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa % kbmap kbmap 1974: suicide: sys: trap: fault write addr=0xa6a96510 pc=0x000011df offending code is most likely the call to sprint in the init function of /sys/src/cmd/kbmap.c, which in this case writes /sys/lib/kbmap/$file to a 128-bit buffer. I'm willing to submit a patch for this myself along with a few minor improvements/fixes to kbmap if I can figure out the nuances of doing so. --silasm