From e02940564326fa36c7ed23547ee9ebb3a004b167 Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux
Date: Sat, 24 Jun 2023 17:17:36 +0200
Subject: [PATCH] ambind: fix insecure use of FD_SET()

ambind does not check the user-provided fd value given on its command line.
This fd is then used in calls to FD_SET() and then select().

From man(3) fd_set:

> An fd_set is a fixed size buffer. Executing FD_CLR() or FD_SET() with a
> value of fd that is negative or is equal to or larger than FD_SETSIZE
> will result in undefined behavior. Moreover, POSIX requires fd to be a
> valid file descriptor.

For example, it can be triggered with an int overflow:

$ LD_LIBRARY_PATH=./common-src/.libs/:"$LD_LIBRARY_PATH" ./common-src/.libs/ambind 2147483648
zsh: segmentation fault  LD_LIBRARY_PATH=./common-src/.libs/:"$LD_LIBRARY_PATH" 2147483648

ltrace stack:

$ LD_LIBRARY_PATH=./common-src/.libs/:"$LD_LIBRARY_PATH" ltrace ./common-src/.libs/ambind 2147483648
atoi(0x7ffefcb73354, 0x7ffefcb728e8, 0x7ffefcb72900, 0x55797923ddb8) = 0x80000000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

The current patch fixes this behaviour by checking that fd is in the range ]0;FD_SETSIZE[.
Note that FD_SETSIZE is often 1024 but it is not guaranteed.
---
 common-src/ambind.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common-src/ambind.c b/common-src/ambind.c
index 6a4c9d887b..d9fee46b1d 100644
--- a/common-src/ambind.c
+++ b/common-src/ambind.c
@@ -58,6 +58,11 @@ main(
 }
 sockfd = atoi(argv[1]);
+ if (sockfd < 0 || sockfd >= FD_SETSIZE) {
+ fprintf(stderr, "ambind: incorrect file descriptor provided: %d\n", sockfd);
+ return -1;
+ }
+
 do {
 struct timeval timeout = { 5, 0 };
 fd_set readSet;
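Review bot: The range check after `sockfd = atoi(argv[1]);` keeps the bad value out of FD_SET(), but the parse itself is still the weak point: atoi() returns 0 for a non-numeric argument, which passes `sockfd < 0 || sockfd >= FD_SETSIZE` and makes ambind silently select() on stdin, and an argument outside the range of int is undefined behaviour inside atoi() (the 0x80000000 in the ltrace output is what this libc happened to return, not something the fix can rely on). Parse with strtol() into a long, reject errno, trailing garbage and an empty argument, range-check the long and only then assign to sockfd, e.g. `errno = 0; long v = strtol(argv[1], &end, 10); if (errno || end == argv[1] || *end || v < 0 || v >= FD_SETSIZE) { ... }`. The commit message says the accepted range is ]0;FD_SETSIZE[, but the condition admits fd 0; say which one is intended. The check also only proves the value fits in an fd_set, not that it is an open descriptor as the quoted man page requires; an `fcntl(sockfd, F_GETFD) == -1` test would turn a closed descriptor into the same clear error message instead of an EBADF from select(). Minor: `return -1;` from main() exits with status 255; `return 1;` or EXIT_FAILURE is the conventional failure status.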