Mailing List Archive

[Bug 2634] New: Taint check (is_tainted) is slightly overzealous
https://bugs.exim.org/show_bug.cgi?id=2634

Bug ID: 2634
Summary: Taint check (is_tainted) is slightly overzealous
Product: Exim
Version: 4.94
Hardware: x86-64
OS: NetBSD
Status: NEW
Severity: bug
Priority: medium
Component: Unfiled
Assignee: unallocated@exim.org
Reporter: gavan@coolfactor.org
CC: exim-dev@exim.org

The taint check (is_tainted_fn) works by checking a given pointer to see if it
falls within the bounds of one of the allocated blocks in the tainted pools.

Unfortunately, the upper boundary check uses a <= rather than a <, which means
that if a block is allocated *immediately* after a tainted block, then the
taint check will incorrectly return true when passed a pointer to that block,
even though it is (just) outside the tainted block.

On my NetBSD/amd64 9.0 machine, it just so happens that the first tainted block
is allocated immediately below the log_buffer, which causes any call to
log_write to result in an infinite recursive loop calling itself to report a
Taint mismatch, until it runs out of stack and crashes, because it considers
file_path to be tainted.

The fix is pretty straightforward - to change <= to < in both places where it
occurs within is_tainted_fn.

I have tested the fix on my NetBSD machine, and applied it as a patch in pkgsrc
for other users of NetBSD and other systems that use pkgsrc until the bug is
fixed upstream.
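A simplified model of the bounds check described above, added here as an illustration and not taken from Exim's source: `tainted_pool`, `block_t`, `arena` and `neighbour()` are constructed for the example, with a 16-byte tainted block followed immediately by an unrelated block, the same adjacency the report describes for log_buffer. The buggy variant uses `<=` on the upper bound and so claims the neighbouring block is tainted; the fixed variant uses `<` and does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a tainted-pool block list (not Exim's real structure). */
typedef struct { const char *start; size_t length; } block_t;

/* Constructed backing storage: bytes [0,16) are the "tainted" block and the
   unrelated neighbouring block starts at byte 16, with no gap between them. */
static char arena[32];
static const block_t tainted_pool[] = { { arena, 16 } };
#define NBLOCKS (sizeof tainted_pool / sizeof tainted_pool[0])

/* Buggy check: the upper bound uses <=, so the one-past-the-end address
   (which is the first byte of the next allocation) is reported as tainted. */
bool is_tainted_buggy(const void *p)
{
    const char *cp = p;
    for (size_t i = 0; i < NBLOCKS; i++) {
        const block_t *b = &tainted_pool[i];
        if (cp >= b->start && cp <= b->start + b->length)
            return true;
    }
    return false;
}

/* Fixed check: a block covers the half-open range [start, start + length),
   so the upper bound must use <. */
bool is_tainted_fixed(const void *p)
{
    const char *cp = p;
    for (size_t i = 0; i < NBLOCKS; i++) {
        const block_t *b = &tainted_pool[i];
        if (cp >= b->start && cp < b->start + b->length)
            return true;
    }
    return false;
}

/* Pointer to the neighbouring block, which begins exactly where the tainted
   block ends (the log_buffer situation from the report). */
const char *neighbour(void) { return arena + 16; }

int main(void)
{
    printf("neighbour tainted? buggy=%d fixed=%d\n",
           is_tainted_buggy(neighbour()), is_tainted_fixed(neighbour()));
    return 0;
}
```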

List details at https://lists.exim.org/mailman/listinfo/exim-dev ; Exim details at http://www.exim.org/