Skip to content

Buffer overrun in format_timespan #23928

Closed
@yiyuaner

Description

@yiyuaner

systemd version the issue has been seen with

251

Used distribution

No response

Linux kernel version used

No response

CPU architectures issue was seen on

No response

Component

No response

Expected behaviour you didn't see

No response

Unexpected behaviour you saw

In the file time-util.c, the function format_timespan has the following code:

char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) {
    char *p = buf;
    for (size_t i = 0; i < ELEMENTSOF(table); i++) {
        size_t n;
        ....
        if (!done) {
            k = snprintf(p, l,
                                "%s"USEC_FMT"%s",
                                p > buf ? " " : "",
                                a,
                                table[i].suffix);

            t = b;
        }
        n = MIN((size_t) k, l);
        l -= n;
        p += n;
    }
    *p = 0;
    return buf;
}

The problem of the above code is that n = MIN((size_t) k, l); can assign the buffer size l to n. Then p += n; will cause p to point to one byte after the buffer buf, leading to a buffer overwrite in *p=0 (an off-by-one error).

Steps to reproduce the problem

To reproduce the buffer overrun, just run the following test code

int main() {
    char buf[5];
    char *p;
    usec_t t = 100005;
    usec_t accuracy = 1000;
    p = format_timespan(buf, sizeof(buf), t, accuracy);
    printf("%s\n",p);
    return 0;
}

format_timespan will write to buf[5], which is an error.

Additional program output to the terminal or log subsystem illustrating the issue

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug 🐛Programming errors, that need preferential fixing

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions