mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* [BUG] Stack buffer overflow WRITE of size 1 in nfs_start function
@ 2021-04-17 18:52 Neeraj Pal
  2021-05-07  8:41 ` Sascha Hauer
  0 siblings, 1 reply; 6+ messages in thread
From: Neeraj Pal @ 2021-04-17 18:52 UTC (permalink / raw)
  To: barebox

Hi,

While reviewing the code of barebox-2021.04.0 and git commit
af0f068a6edad45b033e772056ac0352e1ba3613  I found a stack buffer
overflow WRITE of size 1 in
nfs_start() net/nfs.c L664 through strcpy call which furthers crashes at
function strcpy in lib/string.c L96.

Host information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"


Reproducer:
- Use the command as given below in the Crash log-1:
nfs
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDE
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDE
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDE" tst

OR

- Use the below command in shell script and share it through NFS share
and execute is inside the barebox

Command on host: python -c "print'nfs ' + 'A'*2099 + 'B' + ' ' +
'test'" > /mnt/sharedfolder/ff2
nfs AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB
test

then execute inside the barebox: sh /mnt/nfs/ff2

Crash log-2:
=================================================================
==44327==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000000619aa0 at pc 0x00000048c7ec bp 0x7ffccbf05200 sp
0x7ffccbf051f0
WRITE of size 1 at 0x000000619aa0 thread T0
    #0 0x48c7eb in strcpy lib/string.c:96
    #1 0x4ce8ad in nfs_start net/nfs.c:664
    #2 0x4ce8ad in do_nfs net/nfs.c:706
    #3 0x4124f1 in execute_command common/command.c:62
    #4 0x425f88 in run_pipe_real common/hush.c:837
    #5 0x425f88 in run_list_real common/hush.c:961
    #6 0x425f88 in run_list_real common/hush.c:849
    #7 0x42440a in run_list common/hush.c:1078
    #8 0x42440a in parse_stream_outer common/hush.c:1705
    #9 0x4248ba in parse_string_outer common/hush.c:1753
    #10 0x4262b2 in source_script common/hush.c:1906
    #11 0x426bdd in execute_script common/hush.c:1883
    #12 0x426bdd in do_sh common/hush.c:1944
    #13 0x4124f1 in execute_command common/command.c:62
    #14 0x425f88 in run_pipe_real common/hush.c:837
    #15 0x425f88 in run_list_real common/hush.c:961
    #16 0x425f88 in run_list_real common/hush.c:849
    #17 0x42440a in run_list common/hush.c:1078
    #18 0x42440a in parse_stream_outer common/hush.c:1705
    #19 0x426b21 in run_shell common/hush.c:1928
    #20 0x408ec1 in run_init common/startup.c:378
    #21 0x408f9a in start_barebox common/startup.c:421
    #22 0x51ad2c in main (/home/bsdboy/barebox-2021.04.0/barebox+0x51ad2c)
    #23 0x7f3fd1c8c0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #24 0x405ebd in _start (/home/bsdboy/barebox-2021.04.0/barebox+0x405ebd)

0x000000619aa0 is located 32 bytes to the left of global variable
'nfs_path' defined in 'net/nfs.c:150:14' (0x619ac0) of size 8
0x000000619aa0 is located 0 bytes to the right of global variable
'nfs_path_buff' defined in 'net/nfs.c:151:13' (0x6192a0) of size 2048
SUMMARY: AddressSanitizer: global-buffer-overflow lib/string.c:96 in strcpy
Shadow bytes around the buggy address:
  0x0000800bb300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800bb350: 00 00 00 00[f9]f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800bb360: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800bb370: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800bb380: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
  0x0000800bb390: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800bb3a0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==44327==ABORTING


Crash log-1:

barebox 2021.04.0 #1 Sat Apr 17 22:08:54 IST 2021


Board: Sandbox
console: registered as cs0
netconsole: registered as netconsole-1
hostfile 7f7d729eb000.stickypage.of: registered as character device
sandbox-watchdog watchdog.of: probed
malloc space: 0x7f7d712ff800 -> 0x7f7d722ff7ff (size 16 MiB)
state: New state registered 'state'
ERROR: state: No meta data header found
ERROR: state: No meta data header found
ERROR: state: No meta data header found
ERROR: state: Failed to find any valid state copy in any bucket
ERROR: state: Failed to read state with format raw, -2
WARNING: state state.of: Failed to load persistent state, continuing
with defaults, -2
super: JFFS version 2.2. © 2001-2006 Red Hat, Inc.
envfs: no envfs (magic mismatch) - envfs never written?

******************************************************************
*** Inconsistent barebox state buckets detected on first boot ***
***         barebox will repair them on next shutdown         ***
*****************************************************************

Hit m for menu or any to stop autoboot:    2
barebox@Sandbox:/ dhcp eth0
WARNING: eth0: No MAC address set. Using random address 42:37:c2:ad:c7:b8
T T eth0: DHCP client bound to address 192.168.122.2
barebox@Sandbox:/ mount -t nfs 192.168.122.1:/mnt/sharedfolder /mnt/nfs
barebox@Sandbox:/ nfs
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDE
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDE
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDE" tst
=================================================================
==38553==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000000619a60 at pc 0x00000048c7ec bp 0x7ffc07339ac0 sp
0x7ffc07339ab0
WRITE of size 1 at 0x000000619a60 thread T0
    #0 0x48c7eb in strcpy lib/string.c:96
    #1 0x4ce8a0 in nfs_start net/nfs.c:664
    #2 0x4ce8a0 in do_nfs net/nfs.c:706
    #3 0x4124f1 in execute_command common/command.c:62
    #4 0x425f88 in run_pipe_real common/hush.c:837
    #5 0x425f88 in run_list_real common/hush.c:961
    #6 0x425f88 in run_list_real common/hush.c:849
    #7 0x42440a in run_list common/hush.c:1078
    #8 0x42440a in parse_stream_outer common/hush.c:1705
    #9 0x426b21 in run_shell common/hush.c:1928
    #10 0x408ec1 in run_init common/startup.c:378
    #11 0x408f9a in start_barebox common/startup.c:421
    #12 0x51ad15 in main (/home/bsdboy/barebox-2021.04.0/barebox+0x51ad15)
    #13 0x7f7d757ff0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #14 0x405ebd in _start (/home/bsdboy/barebox-2021.04.0/barebox+0x405ebd)

0x000000619a60 is located 32 bytes to the left of global variable
'nfs_path' defined in 'net/nfs.c:150:14' (0x619a80) of size 8
0x000000619a60 is located 0 bytes to the right of global variable
'nfs_path_buff' defined in 'net/nfs.c:151:13' (0x619260) of size 2048
SUMMARY: AddressSanitizer: global-buffer-overflow lib/string.c:96 in strcpy
Shadow bytes around the buggy address:
  0x0000800bb2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800bb340: 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9
  0x0000800bb350: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800bb360: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800bb370: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
  0x0000800bb380: 00 00 00 00 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800bb390: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==38553==ABORTING


.config file:
#
# Automatically generated file; DO NOT EDIT.
# Barebox/sandbox 2021.04.0 Configuration
#
CONFIG_SANDBOX=y
CONFIG_ARCH_TEXT_BASE=0x00000000
CONFIG_SANDBOX_REEXEC=y
CONFIG_PHYS_ADDR_T_64BIT=y
CONFIG_CC_IS_64BIT=y
CONFIG_CC_HAS_LINUX_I386_SUPPORT=y
CONFIG_64BIT=y
# CONFIG_SANDBOX_LINUX_I386 is not set
CONFIG_GREGORIAN_CALENDER=y
CONFIG_HAS_DMA=y
CONFIG_HAS_ARCH_SJLJ=y
CONFIG_GENERIC_GPIO=y
CONFIG_BLOCK=y
CONFIG_BLOCK_WRITE=y
CONFIG_FILETYPE=y
CONFIG_BINFMT=y
CONFIG_UIMAGE=y
CONFIG_LOGBUF=y
CONFIG_STDDEV=y
CONFIG_MENUTREE=y
CONFIG_FILE_LIST=y
CONFIG_ARCH_DMA_ADDR_T_64BIT=y
CONFIG_BOOT=y
CONFIG_FASTBOOT_BASE=y

#
# General Settings
#
CONFIG_LOCALVERSION=""
CONFIG_LOCALVERSION_AUTO=y
CONFIG_BANNER=y
CONFIG_MEMINFO=y
CONFIG_ENVIRONMENT_VARIABLES=y
CONFIG_GLOBALVAR=y
CONFIG_NVVAR=y

#
# memory layout
#
# CONFIG_MMU is not set
CONFIG_BAREBOX_MAX_IMAGE_SIZE=0xffffffff
CONFIG_BAREBOX_MAX_BARE_INIT_SIZE=0xffffffff
CONFIG_STACK_SIZE=0x8000
CONFIG_MALLOC_SIZE=0x1000000
# end of memory layout

# CONFIG_EXPERIMENTAL is not set
CONFIG_MALLOC_DLMALLOC=y
# CONFIG_MALLOC_TLSF is not set
# CONFIG_MALLOC_LIBC is not set
# CONFIG_PANIC_HANG is not set
CONFIG_PROMPT="barebox:"
CONFIG_BAUDRATE=115200
CONFIG_CBSIZE=1024
CONFIG_SHELL_HUSH=y
# CONFIG_SHELL_SIMPLE is not set
# CONFIG_SHELL_NONE is not set
CONFIG_GLOB=y
CONFIG_GLOB_SORT=y
CONFIG_PROMPT_HUSH_PS2="> "
CONFIG_HUSH_FANCY_PROMPT=y
CONFIG_CMDLINE_EDITING=y
CONFIG_AUTO_COMPLETE=y
CONFIG_MENU=y
CONFIG_PASSWORD=y
CONFIG_PASSWORD_DEFAULT=""
CONFIG_PASSWD_SUM_MD5=y
# CONFIG_PASSWD_SUM_SHA1 is not set
# CONFIG_PASSWD_SUM_SHA256 is not set
# CONFIG_PASSWD_SUM_SHA512 is not set
# CONFIG_PASSWD_CRYPTO_PBKDF2 is not set
CONFIG_DYNAMIC_CRC_TABLE=y
CONFIG_ERRNO_MESSAGES=y
CONFIG_TIMESTAMP=y
CONFIG_BOOTM=y
# CONFIG_BOOTM_SHOW_TYPE is not set
# CONFIG_BOOTM_VERBOSE is not set
# CONFIG_BOOTM_INITRD is not set
# CONFIG_BOOTM_OFTREE is not set
# CONFIG_BOOTM_ELF is not set
# CONFIG_BLSPEC is not set
CONFIG_FLEXIBLE_BOOTARGS=y
# CONFIG_BAREBOX_UPDATE is not set
CONFIG_IMD=y
# CONFIG_IMD_TARGET is not set
CONFIG_CONSOLE_FULL=y
# CONFIG_CONSOLE_SIMPLE is not set
# CONFIG_CONSOLE_NONE is not set
CONFIG_CONSOLE_ACTIVATE_FIRST=y
# CONFIG_CONSOLE_ACTIVATE_ALL is not set
# CONFIG_CONSOLE_ACTIVATE_NONE is not set
CONFIG_CONSOLE_ALLOW_COLOR=y
# CONFIG_CONSOLE_RATP is not set
CONFIG_PARTITION=y
CONFIG_PARTITION_DISK=y
CONFIG_PARTITION_DISK_DOS=y
CONFIG_PARTITION_DISK_EFI=y
CONFIG_PARTITION_DISK_EFI_GPT_NO_FORCE=y
CONFIG_PARTITION_DISK_EFI_GPT_COMPARE=y
CONFIG_ENV_HANDLING=y
CONFIG_DEFAULT_ENVIRONMENT=y
CONFIG_DEFAULT_COMPRESSION_GZIP=y
# CONFIG_DEFAULT_COMPRESSION_BZIP2 is not set
# CONFIG_DEFAULT_COMPRESSION_LZO is not set
# CONFIG_DEFAULT_COMPRESSION_LZ4 is not set
# CONFIG_DEFAULT_COMPRESSION_XZ is not set
# CONFIG_DEFAULT_COMPRESSION_NONE is not set
CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW=y
CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_MENU=y
CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_REBOOT_MODE=y
CONFIG_DEFAULT_ENVIRONMENT_PATH="arch/sandbox/board/env"
CONFIG_POLLER=y
# CONFIG_BTHREAD is not set
CONFIG_STATE=y
CONFIG_STATE_CRYPTO=y
# CONFIG_STATE_BACKWARD_COMPATIBLE is not set
# CONFIG_BOOTCHOOSER is not set
CONFIG_RESET_SOURCE=y
# CONFIG_MACHINE_ID is not set
# CONFIG_SYSTEMD_OF_WATCHDOG is not set

#
# OP-TEE loading
#
# end of OP-TEE loading

#
# Android Fastboot
#
# CONFIG_FASTBOOT_SPARSE is not set
# CONFIG_FASTBOOT_CMD_OEM is not set
# end of Android Fastboot
# end of General Settings

#
# Debugging
#
CONFIG_COMPILE_LOGLEVEL=6
CONFIG_DEFAULT_LOGLEVEL=7
# CONFIG_DEBUG_INITCALLS is not set
CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN is not set
CONFIG_CC_HAS_KASAN_GENERIC=y
CONFIG_ASAN=y
# CONFIG_COMPILE_TEST is not set
# end of Debugging

CONFIG_DDR_SPD=y
CONFIG_HAVE_ARCH_ASAN=y
CONFIG_COMMAND_SUPPORT=y
CONFIG_COMPILE_HASH=y

#
# Commands
#

#
# Information
#
CONFIG_CMD_DEVINFO=y
CONFIG_CMD_DMESG=y
CONFIG_CMD_DRVINFO=y
CONFIG_CMD_HELP=y
CONFIG_LONGHELP=y
CONFIG_CMD_IOMEM=y
CONFIG_CMD_IMD=y
CONFIG_CMD_MEMINFO=y
CONFIG_CMD_VERSION=y
CONFIG_CMD_POLLER=y
CONFIG_CMD_SLICE=y
# end of Information

#
# Boot
#
CONFIG_CMD_BOOT=y
CONFIG_CMD_BOOTM=y
CONFIG_CMD_GO=y
CONFIG_CMD_LOADB=y
CONFIG_CMD_LOADS=y
CONFIG_CMD_LOADY=y
CONFIG_CMD_RESET=y
CONFIG_CMD_SAVES=y
CONFIG_CMD_UIMAGE=y
# end of Boot

#
# Partition
#
CONFIG_CMD_PARTITION=y
CONFIG_CMD_AUTOMOUNT=y
CONFIG_CMD_MOUNT=y
CONFIG_CMD_UMOUNT=y
# end of Partition

#
# Environment
#
CONFIG_CMD_NV=y
CONFIG_CMD_EXPORT=y
CONFIG_CMD_DEFAULTENV=y
CONFIG_CMD_GLOBAL=y
CONFIG_CMD_LOADENV=y
CONFIG_CMD_PRINTENV=y
CONFIG_CMD_MAGICVAR=y
CONFIG_CMD_MAGICVAR_HELP=y
CONFIG_CMD_SAVEENV=y
CONFIG_CMD_SETENV=y
# end of Environment

#
# File
#
CONFIG_CMD_BASENAME=y
CONFIG_CMD_CAT=y
CONFIG_CMD_CD=y
CONFIG_CMD_CP=y
CONFIG_CMD_CMP=y
CONFIG_CMD_DIGEST=y
CONFIG_CMD_DIRNAME=y
CONFIG_CMD_FILETYPE=y
CONFIG_CMD_LN=y
CONFIG_CMD_LS=y
CONFIG_CMD_MD5SUM=y
CONFIG_CMD_MKDIR=y
CONFIG_CMD_PWD=y
CONFIG_CMD_READLINK=y
CONFIG_CMD_RM=y
CONFIG_CMD_RMDIR=y
CONFIG_CMD_SHA1SUM=y
CONFIG_CMD_SHA224SUM=y
CONFIG_CMD_SHA256SUM=y
CONFIG_CMD_SHA384SUM=y
CONFIG_CMD_SHA512SUM=y
CONFIG_CMD_UNCOMPRESS=y
# end of File

#
# Shell scripting
#
CONFIG_CMD_FALSE=y
CONFIG_CMD_GETOPT=y
CONFIG_CMD_LET=y
CONFIG_CMD_MSLEEP=y
CONFIG_CMD_READF=y
CONFIG_CMD_SLEEP=y
CONFIG_CMD_TEST=y
CONFIG_CMD_TRUE=y
# end of Shell scripting

#
# Network
#
CONFIG_CMD_DHCP=y
CONFIG_CMD_HOST=y
CONFIG_NET_CMD_IFUP=y
CONFIG_CMD_PING=y
CONFIG_CMD_TFTP=y
CONFIG_CMD_IP_ROUTE_GET=y
# end of Network

#
# Console and Framebuffer interaction
#
CONFIG_CMD_CLEAR=y
CONFIG_CMD_ECHO=y
CONFIG_CMD_ECHO_E=y
CONFIG_CMD_EDIT=y
CONFIG_CMD_LOGIN=y
CONFIG_CMD_MENU=y
CONFIG_CMD_MENU_MANAGEMENT=y
CONFIG_CMD_MENUTREE=y
CONFIG_CMD_PASSWD=y
CONFIG_PASSWD_MODE_HIDE=y
# CONFIG_PASSWD_MODE_STAR is not set
# CONFIG_PASSWD_MODE_CLEAR is not set
CONFIG_CMD_SPLASH=y
CONFIG_CMD_FBTEST=y
CONFIG_CMD_BEEP=y
CONFIG_CMD_READLINE=y
CONFIG_CMD_TIMEOUT=y
# end of Console and Framebuffer interaction

#
# Memory
#
CONFIG_CMD_CRC=y
CONFIG_CMD_CRC_CMP=y
CONFIG_CMD_MD=y
CONFIG_CMD_MEMCMP=y
CONFIG_CMD_MEMCPY=y
CONFIG_CMD_MEMSET=y
CONFIG_CMD_MEMTEST=y
# CONFIG_CMD_MEMTESTER is not set
CONFIG_CMD_MM=y
CONFIG_CMD_MW=y
# end of Memory

#
# Hardware manipulation
#
CONFIG_CMD_DETECT=y
CONFIG_CMD_FLASH=y
CONFIG_CMD_GPIO=y
CONFIG_CMD_HWCLOCK=y
CONFIG_CMD_I2C=y
CONFIG_CMD_LED=y
CONFIG_CMD_POWEROFF=y
CONFIG_CMD_SPI=y
CONFIG_CMD_LED_TRIGGER=y
CONFIG_CMD_WD=y
CONFIG_CMD_WD_DEFAULT_TIMOUT=0
# end of Hardware manipulation

#
# Miscellaneous
#
CONFIG_CMD_2048=y
# CONFIG_CMD_BAREBOX_UPDATE is not set
# CONFIG_CMD_BLOBGEN is not set
# CONFIG_CMD_FIRMWARELOAD is not set
CONFIG_CMD_KEYSTORE=y
CONFIG_CMD_LINUX_EXEC=y
CONFIG_CMD_OF_DIFF=y
CONFIG_CMD_OF_DUMP=y
CONFIG_CMD_OF_NODE=y
CONFIG_CMD_OF_PROPERTY=y
CONFIG_CMD_OF_DISPLAY_TIMINGS=y
CONFIG_CMD_OF_FIXUP_STATUS=y
CONFIG_CMD_OF_OVERLAY=y
CONFIG_CMD_OFTREE=y
CONFIG_CMD_TIME=y
CONFIG_CMD_STATE=y
CONFIG_CMD_DHRYSTONE=y
CONFIG_CMD_SPD_DECODE=y
CONFIG_CMD_SEED=y
# end of Miscellaneous
# end of Commands

CONFIG_NET=y
CONFIG_NET_NFS=y
CONFIG_NET_NETCONSOLE=y
CONFIG_NET_RESOLV=y
CONFIG_NET_IFUP=y
CONFIG_NET_DHCP=y
CONFIG_NET_SNTP=y
CONFIG_NET_FASTBOOT=y

#
# Drivers
#
CONFIG_OFTREE=y
CONFIG_OFTREE_MEM_GENERIC=y
CONFIG_DTC=y
CONFIG_OFDEVICE=y
CONFIG_OF_GPIO=y
CONFIG_OF_BAREBOX_DRIVERS=y
CONFIG_OF_BAREBOX_ENV_IN_FS=y
CONFIG_OF_OVERLAY=y
CONFIG_OF_OVERLAY_LIVE=y
# CONFIG_AIODEV is not set

#
# serial drivers
#
# CONFIG_SERIAL_DEV_BUS is not set
CONFIG_DRIVER_SERIAL_LINUX_CONSOLE=y
# CONFIG_DRIVER_SERIAL_NS16550 is not set
# CONFIG_DRIVER_SERIAL_CADENCE is not set
# end of serial drivers

#
# Network drivers
#
# CONFIG_DRIVER_NET_ARC_EMAC is not set
# CONFIG_DRIVER_NET_CALXEDA_XGMAC is not set
# CONFIG_DRIVER_NET_DESIGNWARE is not set
# CONFIG_DRIVER_NET_ENC28J60 is not set
# CONFIG_DRIVER_NET_FSL_FMAN is not set
# CONFIG_DRIVER_NET_KS8851_MLL is not set
# CONFIG_DRIVER_NET_MICREL is not set
# CONFIG_DRIVER_NET_SMC911X is not set
# CONFIG_DRIVER_NET_SMC91111 is not set
CONFIG_DRIVER_NET_TAP=y

#
# phylib
#
# end of phylib
# end of Network drivers

#
# SPI drivers
#
CONFIG_SPI=y
CONFIG_SPI_MEM=y
# CONFIG_DRIVER_SPI_FSL_QUADSPI is not set
CONFIG_DRIVER_SPI_GPIO=y
# end of SPI drivers

CONFIG_I2C=y
CONFIG_I2C_ALGOBIT=y

#
# I2C Hardware Bus support
#
CONFIG_I2C_GPIO=y
# CONFIG_I2C_DESIGNWARE is not set
# end of I2C Hardware Bus support

# CONFIG_I2C_MUX is not set
CONFIG_MTD=y
CONFIG_MTD_WRITE=y
CONFIG_MTD_OOB_DEVICE=y
# CONFIG_MTD_RAW_DEVICE is not set
# CONFIG_MTD_CONCAT is not set

#
# MTD debug options
#
# CONFIG_MTD_PEB_DEBUG is not set

#
# Self contained MTD devices
#
# CONFIG_MTD_DATAFLASH is not set
CONFIG_MTD_M25P80=y
# CONFIG_MTD_SST25L is not set
# CONFIG_MTD_DOCG3 is not set
# CONFIG_MTD_MTDRAM is not set
# end of Self contained MTD devices

# CONFIG_DRIVER_CFI is not set
# CONFIG_NAND is not set
CONFIG_MTD_SPI_NOR=y
# CONFIG_MTD_SPI_NOR_USE_4K_SECTORS is not set
# CONFIG_SPI_CADENCE_QUADSPI is not set
# CONFIG_MTD_UBI is not set
# CONFIG_DISK is not set
# CONFIG_USB_HOST is not set
# CONFIG_USB_GADGET is not set
# CONFIG_USB_MUSB is not set
CONFIG_VIDEO=y
CONFIG_FRAMEBUFFER_CONSOLE=y
# CONFIG_DRIVER_VIDEO_FB_SSD1307 is not set
# CONFIG_DRIVER_VIDEO_SDL is not set
# CONFIG_DRIVER_VIDEO_BOCHS_ISA is not set
# CONFIG_DRIVER_VIDEO_SIMPLEFB_CLIENT is not set
# CONFIG_DRIVER_VIDEO_SIMPLEFB is not set
# CONFIG_DRIVER_VIDEO_EDID is not set
# CONFIG_DRIVER_VIDEO_BACKLIGHT is not set

#
# Video encoder chips
#
# CONFIG_DRIVER_VIDEO_MTL017 is not set
# CONFIG_DRIVER_VIDEO_SIMPLE_PANEL is not set
CONFIG_SOUND=y
# CONFIG_SOUND_SDL is not set
# CONFIG_GPIO_BEEPER is not set
# CONFIG_SYNTH_SQUARES is not set
# CONFIG_MCI is not set

#
# Clocksource
#
CONFIG_CLOCKSOURCE_DUMMY_RATE=1000
# CONFIG_CLOCKSOURCE_DW_APB_TIMER is not set
# end of Clocksource

#
# Multifunction device drivers
#
# CONFIG_MFD_ACT8846 is not set
# CONFIG_MFD_DA9053 is not set
# CONFIG_MFD_DA9063 is not set
# CONFIG_MFD_LP3972 is not set
# CONFIG_MFD_MC13XXX is not set
# CONFIG_MFD_MC34704 is not set
# CONFIG_MFD_MC9SDZ60 is not set
# CONFIG_MFD_STMPE is not set
CONFIG_MFD_SYSCON=y
# CONFIG_MFD_TWL4030 is not set
# CONFIG_MFD_TWL6030 is not set
# CONFIG_MFD_STPMIC1 is not set
# CONFIG_MFD_ATMEL_FLEXCOM is not set
# end of Multifunction device drivers

#
# Misc devices
#
# CONFIG_JTAG is not set
# CONFIG_SRAM is not set
CONFIG_STATE_DRV=y
CONFIG_DEV_MEM=y
CONFIG_UBOOTVAR=y
# end of Misc devices

CONFIG_LED=y
CONFIG_LED_GPIO=y
CONFIG_LED_GPIO_OF=y
CONFIG_LED_GPIO_RGB=y
CONFIG_LED_GPIO_BICOLOR=y
CONFIG_LED_TRIGGERS=y
# CONFIG_LED_PCA955X is not set

#
# EEPROM support
#
CONFIG_EEPROM_AT25=y
CONFIG_EEPROM_AT24=y
# end of EEPROM support

#
# Input device support
#
# CONFIG_KEYBOARD_GPIO is not set
# CONFIG_KEYBOARD_QT1070 is not set
# CONFIG_INPUT_SPECIALKEYS is not set
# end of Input device support

CONFIG_WATCHDOG=y
CONFIG_WATCHDOG_POLLER=y
# CONFIG_WATCHDOG_DW is not set
# CONFIG_PWM is not set
# CONFIG_HWRNG is not set

#
# DMA support
#
# end of DMA support

CONFIG_GPIOLIB=y

#
# GPIO
#
# CONFIG_GPIO_74164 is not set
# CONFIG_GPIO_GENERIC_PLATFORM is not set
# CONFIG_GPIO_PCA953X is not set
# CONFIG_GPIO_PCF857X is not set
# CONFIG_GPIO_DESIGNWARE is not set
# CONFIG_GPIO_SX150X is not set
# CONFIG_GPIO_LIBFTDI1 is not set
# end of GPIO

# CONFIG_W1 is not set

#
# Pin controllers
#
# CONFIG_PINCTRL is not set
# end of Pin controllers

CONFIG_NVMEM=y
# CONFIG_NVMEM_SNVS_LPGPR is not set
# CONFIG_EEPROM_93XX46 is not set

#
# Bus devices
#
# end of Bus devices

# CONFIG_REGULATOR is not set

#
# Remoteproc drivers
#
# CONFIG_REMOTEPROC is not set
# end of Remoteproc drivers

# CONFIG_RESET_CONTROLLER is not set
CONFIG_RTC_LIB=y
CONFIG_RTC_CLASS=y

#
# I2C RTC drivers
#
CONFIG_RTC_DRV_DS1307=y
# CONFIG_RTC_DRV_ABRACON is not set

#
# Firmware Drivers
#
# CONFIG_FIRMWARE_ALTERA_SERIAL is not set
# end of Firmware Drivers

# CONFIG_GENERIC_PHY is not set
# CONFIG_CRYPTO_HW is not set

#
# Memory controller drivers
#
# end of Memory controller drivers

#
# i.MX SoC drivers
#
# end of i.MX SoC drivers

#
# NVME Support
#
# end of NVME Support

CONFIG_REBOOT_MODE=y
CONFIG_SYSCON_REBOOT_MODE=y
# CONFIG_POWER_RESET_SYSCON is not set
# CONFIG_POWER_RESET_SYSCON_POWEROFF is not set
CONFIG_VIRTIO_MENU=y
# CONFIG_VIRTIO_MMIO is not set
# end of Drivers

#
# Filesystem support
#
CONFIG_FS=y
CONFIG_FS_LEGACY=y

#
# Some selected filesystems still use the legacy FS API.
#

#
# Consider updating them.
#
CONFIG_FS_AUTOMOUNT=y
CONFIG_FS_CRAMFS=y
CONFIG_FS_EXT4=y
CONFIG_FS_RAMFS=y
CONFIG_FS_DEVFS=y
CONFIG_FS_TFTP=y
CONFIG_FS_NFS=y
CONFIG_FS_FAT=y
CONFIG_FS_FAT_WRITE=y
CONFIG_FS_FAT_LFN=y
CONFIG_FS_JFFS2=y
CONFIG_FS_JFFS2_FS_DEBUG=0
# CONFIG_FS_JFFS2_COMPRESSION_OPTIONS is not set
CONFIG_FS_BPKFS=y
CONFIG_FS_UIMAGEFS=y
CONFIG_FS_PSTORE=y
CONFIG_FS_PSTORE_CONSOLE=y
CONFIG_FS_SQUASHFS=y
CONFIG_SQUASHFS_ZLIB=y
CONFIG_SQUASHFS_LZ4=y
CONFIG_SQUASHFS_LZO=y
CONFIG_SQUASHFS_XZ=y

#
# ZSTD support disabled
#
CONFIG_FS_UBOOTVARFS=y
# end of Filesystem support

#
# Library routines
#
CONFIG_PARAMETER=y
CONFIG_UNCOMPRESS=y
CONFIG_ZLIB=y
CONFIG_BZLIB=y
CONFIG_LZ4_DECOMPRESS=y
# CONFIG_ZSTD_DECOMPRESS is not set
CONFIG_XZ_DECOMPRESS=y
CONFIG_XZ_DEC_X86=y
CONFIG_XZ_DEC_POWERPC=y
CONFIG_XZ_DEC_IA64=y
CONFIG_XZ_DEC_ARM=y
CONFIG_XZ_DEC_ARMTHUMB=y
CONFIG_XZ_DEC_SPARC=y
CONFIG_BASE64=y
CONFIG_GENERIC_FIND_NEXT_BIT=y
CONFIG_PROCESS_ESCAPE_SEQUENCE=y
CONFIG_LZO_DECOMPRESS=y
CONFIG_FNMATCH=y
CONFIG_QSORT=y
CONFIG_XYMODEM=y
# CONFIG_RATP is not set
# CONFIG_ALLOW_PRNG_FALLBACK is not set
# CONFIG_CRC_CCITT is not set
# CONFIG_CRC8 is not set

#
# Library gui routines
#
CONFIG_IMAGE_RENDERER=y
CONFIG_2D_PRIMITIVES=y
CONFIG_BMP=y
CONFIG_PNG=y
CONFIG_LODEPNG=y
# CONFIG_PICOPNG is not set
# end of Library gui routines

CONFIG_FONTS=y
CONFIG_FONT_8x16=y
# CONFIG_FONT_8x8 is not set
CONFIG_FONT_7x14=y
CONFIG_FONT_MINI_4x6=y
# CONFIG_FONT_CUSTOM_16X is not set
# CONFIG_FONT_6x8 is not set
CONFIG_BAREBOX_LOGO=y
CONFIG_BAREBOX_LOGO_64=y
CONFIG_BAREBOX_LOGO_240=y
CONFIG_BAREBOX_LOGO_320=y
CONFIG_BAREBOX_LOGO_400=y
CONFIG_BAREBOX_LOGO_640=y
CONFIG_PRINTF_UUID=y
# CONFIG_NLS is not set
# CONFIG_BLOBGEN is not set
CONFIG_ARCH_HAS_STACK_DUMP=y
# end of Library routines

#
# Crypto support
#
CONFIG_CRC32=y
CONFIG_CRC_ITU_T=y
CONFIG_DIGEST=y
CONFIG_MD5=y
CONFIG_SHA1=y
CONFIG_SHA224=y
CONFIG_SHA256=y
CONFIG_SHA384=y
CONFIG_SHA512=y
CONFIG_DIGEST_HMAC=y
# CONFIG_DIGEST_CRC32_GENERIC is not set
CONFIG_DIGEST_MD5_GENERIC=y
CONFIG_DIGEST_SHA1_GENERIC=y
CONFIG_DIGEST_SHA224_GENERIC=y
CONFIG_DIGEST_SHA256_GENERIC=y
CONFIG_DIGEST_SHA384_GENERIC=y
CONFIG_DIGEST_SHA512_GENERIC=y
CONFIG_DIGEST_HMAC_GENERIC=y
CONFIG_CRYPTO_KEYSTORE=y
# end of Crypto support

#
# Firmware files
#
CONFIG_EXTRA_FIRMWARE_DIR="firmware"
# end of Firmware files

#
# Host Tools
#
# CONFIG_COMPILE_HOST_TOOLS is not set
# end of Host Tools

Please let me know for further information.

Thanks and regards,
Neeraj

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [BUG] Stack buffer overflow WRITE of size 1 in nfs_start function
  2021-04-17 18:52 [BUG] Stack buffer overflow WRITE of size 1 in nfs_start function Neeraj Pal
@ 2021-05-07  8:41 ` Sascha Hauer
  2021-05-10 11:08   ` Neeraj Pal
  0 siblings, 1 reply; 6+ messages in thread
From: Sascha Hauer @ 2021-05-07  8:41 UTC (permalink / raw)
  To: Neeraj Pal; +Cc: barebox

Hi,

On Sun, Apr 18, 2021 at 12:22:30AM +0530, Neeraj Pal wrote:
> Hi,
> 
> While reviewing the code of barebox-2021.04.0 and git commit
> af0f068a6edad45b033e772056ac0352e1ba3613  I found a stack buffer
> overflow WRITE of size 1 in
> nfs_start() net/nfs.c L664 through strcpy call which furthers crashes at
> function strcpy in lib/string.c L96.

Thanks for reporting this. Indeed the nfs filename is stored in a fixed
size buffer which can easily overflow with the right input.

This patch should fix this issue.

Regards,
  Sascha

-----------------------------8<---------------------------------
>From 3978396bf88c4ab567ddf36dff1218502e32a94d Mon Sep 17 00:00:00 2001
From: Sascha Hauer <s.hauer@pengutronix.de>
Date: Fri, 7 May 2021 10:26:51 +0200
Subject: [PATCH] nfs command: Fix possible buffer overflow

the nfs command stores the nfs filename in a fixed size buffer without
checking its length. Instead of using a static buffer use strdup() to
dynamically allocate a suitably sized buffer.

Reported-by: Neeraj Pal <neerajpal09@gmail.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 net/nfs.c | 41 ++++++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/net/nfs.c b/net/nfs.c
index 591417e0de..440e410a83 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -148,7 +148,6 @@ static int	nfs_state;
 
 static char *nfs_filename;
 static char *nfs_path;
-static char nfs_path_buff[2048];
 
 static int net_store_fd;
 static struct net_connection *nfs_con;
@@ -522,11 +521,26 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
 	path = (char *)data;
 
 	if (*path != '/') {
-		strcat(nfs_path, "/");
-		strncat(nfs_path, path, rlen);
+		char *n;
+
+		n = calloc(strlen(nfs_path) + sizeof('/') + rlen + 1, 1);
+		if (!n)
+			return -ENOMEM;
+
+		strcpy(n, nfs_path);
+		strcat(n, "/");
+		strncat(n, path, rlen);
+
+		free(nfs_path);
+		nfs_path = n;
 	} else {
+		free(nfs_path);
+
+		nfs_path = calloc(rlen + 1, 1);
+		if (!nfs_path)
+			return -ENOMEM;
+
 		memcpy(nfs_path, path, rlen);
-		nfs_path[rlen] = 0;
 	}
 	return 0;
 }
@@ -655,13 +669,13 @@ err_out:
 	nfs_err = ret;
 }
 
-static void nfs_start(char *p)
+static int nfs_start(char *p)
 {
 	debug("%s\n", __func__);
 
-	nfs_path = (char *)nfs_path_buff;
-
-	strcpy(nfs_path, p);
+	nfs_path = strdup(p);
+	if (nfs_path)
+		return -ENOMEM;
 
 	nfs_filename = basename (nfs_path);
 	nfs_path     = dirname (nfs_path);
@@ -671,6 +685,8 @@ static void nfs_start(char *p)
 	nfs_state = STATE_PRCLOOKUP_PROG_MOUNT_REQ;
 
 	nfs_send();
+
+	return 0;
 }
 
 static int do_nfs(int argc, char *argv[])
@@ -701,9 +717,9 @@ static int do_nfs(int argc, char *argv[])
 	}
 	net_udp_bind(nfs_con, 1000);
 
-	nfs_err = 0;
-
-	nfs_start(remotefile);
+	nfs_err = nfs_start(remotefile);
+	if (nfs_err)
+		goto err_udp;
 
 	while (nfs_state != STATE_DONE) {
 		if (ctrlc()) {
@@ -727,6 +743,9 @@ err_udp:
 
 	printf("\n");
 
+	free(nfs_path);
+	nfs_path = NULL;
+
 	return nfs_err == 0 ? 0 : 1;
 }
 
-- 
2.29.2


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [BUG] Stack buffer overflow WRITE of size 1 in nfs_start function
  2021-05-07  8:41 ` Sascha Hauer
@ 2021-05-10 11:08   ` Neeraj Pal
  2021-05-10 13:18     ` Neeraj Pal
  2021-05-11  8:58     ` Sascha Hauer
  0 siblings, 2 replies; 6+ messages in thread
From: Neeraj Pal @ 2021-05-10 11:08 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: barebox

Hi Sascha,

Thank you for the patches.

I have confirmed it and observed no crashes as reported earlier but I
think there is a small typo in the nfs_start() function in
net/nfs.c#L677.

672    static int nfs_start(char *p)
673    {
674        debug("%s\n", __func__);
675
676        nfs_path = strdup(p);
677        if (nfs_path)
678            return -ENOMEM;
679

In line 677, if strdup is successful then it is returning ENOMEM so I
think there is a typo, it is supposed to check for NULL so it would be
if (!nfs_path) or if (nfs_path == NULL) then it should return ENOMEM.

Please confirm and also sending a small patch.

Thanks and regards,
Neeraj

On Fri, May 7, 2021 at 2:11 PM Sascha Hauer <sha@pengutronix.de> wrote:
>
> Hi,
>
> On Sun, Apr 18, 2021 at 12:22:30AM +0530, Neeraj Pal wrote:
> > Hi,
> >
> > While reviewing the code of barebox-2021.04.0 and git commit
> > af0f068a6edad45b033e772056ac0352e1ba3613  I found a stack buffer
> > overflow WRITE of size 1 in
> > nfs_start() net/nfs.c L664 through strcpy call which furthers crashes at
> > function strcpy in lib/string.c L96.
>
> Thanks for reporting this. Indeed the nfs filename is stored in a fixed
> size buffer which can easily overflow with the right input.
>
> This patch should fix this issue.
>
> Regards,
>   Sascha
>
> -----------------------------8<---------------------------------
> From 3978396bf88c4ab567ddf36dff1218502e32a94d Mon Sep 17 00:00:00 2001
> From: Sascha Hauer <s.hauer@pengutronix.de>
> Date: Fri, 7 May 2021 10:26:51 +0200
> Subject: [PATCH] nfs command: Fix possible buffer overflow
>
> the nfs command stores the nfs filename in a fixed size buffer without
> checking its length. Instead of using a static buffer use strdup() to
> dynamically allocate a suitably sized buffer.
>
> Reported-by: Neeraj Pal <neerajpal09@gmail.com>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
>  net/nfs.c | 41 ++++++++++++++++++++++++++++++-----------
>  1 file changed, 30 insertions(+), 11 deletions(-)
>
> diff --git a/net/nfs.c b/net/nfs.c
> index 591417e0de..440e410a83 100644
> --- a/net/nfs.c
> +++ b/net/nfs.c
> @@ -148,7 +148,6 @@ static int  nfs_state;
>
>  static char *nfs_filename;
>  static char *nfs_path;
> -static char nfs_path_buff[2048];
>
>  static int net_store_fd;
>  static struct net_connection *nfs_con;
> @@ -522,11 +521,26 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
>         path = (char *)data;
>
>         if (*path != '/') {
> -               strcat(nfs_path, "/");
> -               strncat(nfs_path, path, rlen);
> +               char *n;
> +
> +               n = calloc(strlen(nfs_path) + sizeof('/') + rlen + 1, 1);
> +               if (!n)
> +                       return -ENOMEM;
> +
> +               strcpy(n, nfs_path);
> +               strcat(n, "/");
> +               strncat(n, path, rlen);
> +
> +               free(nfs_path);
> +               nfs_path = n;
>         } else {
> +               free(nfs_path);
> +
> +               nfs_path = calloc(rlen + 1, 1);
> +               if (!nfs_path)
> +                       return -ENOMEM;
> +
>                 memcpy(nfs_path, path, rlen);
> -               nfs_path[rlen] = 0;
>         }
>         return 0;
>  }
> @@ -655,13 +669,13 @@ err_out:
>         nfs_err = ret;
>  }
>
> -static void nfs_start(char *p)
> +static int nfs_start(char *p)
>  {
>         debug("%s\n", __func__);
>
> -       nfs_path = (char *)nfs_path_buff;
> -
> -       strcpy(nfs_path, p);
> +       nfs_path = strdup(p);
> +       if (nfs_path)
> +               return -ENOMEM;
>
>         nfs_filename = basename (nfs_path);
>         nfs_path     = dirname (nfs_path);
> @@ -671,6 +685,8 @@ static void nfs_start(char *p)
>         nfs_state = STATE_PRCLOOKUP_PROG_MOUNT_REQ;
>
>         nfs_send();
> +
> +       return 0;
>  }
>
>  static int do_nfs(int argc, char *argv[])
> @@ -701,9 +717,9 @@ static int do_nfs(int argc, char *argv[])
>         }
>         net_udp_bind(nfs_con, 1000);
>
> -       nfs_err = 0;
> -
> -       nfs_start(remotefile);
> +       nfs_err = nfs_start(remotefile);
> +       if (nfs_err)
> +               goto err_udp;
>
>         while (nfs_state != STATE_DONE) {
>                 if (ctrlc()) {
> @@ -727,6 +743,9 @@ err_udp:
>
>         printf("\n");
>
> +       free(nfs_path);
> +       nfs_path = NULL;
> +
>         return nfs_err == 0 ? 0 : 1;
>  }
>
> --
> 2.29.2
>
>
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [BUG] Stack buffer overflow WRITE of size 1 in nfs_start function
  2021-05-10 11:08   ` Neeraj Pal
@ 2021-05-10 13:18     ` Neeraj Pal
  2021-05-11  8:58     ` Sascha Hauer
  1 sibling, 0 replies; 6+ messages in thread
From: Neeraj Pal @ 2021-05-10 13:18 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: barebox

Hi Sascha,

to confirm the suggestion that I have mentioned in the previous mail
regarding the check on strdup return value, I have modified the
condition to "if (!nfs_path)" then compiled the sandbox and observed
the following crash with the mentioned input, after configuring the
network and nfs-server on the host:

barebox@Sandbox:/ nfs hh h
Filename './hh'.
NFS failed: Permission denied

=================================================================
==2828613==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000000955ea0 at pc 0x000000422a2c bp 0x7ffec7bc9670 sp
0x7ffec7bc9660
READ of size 8 at 0x000000955ea0 thread T0
    #0 0x422a2b in barebox_free common/dlmalloc.c:1397
    #1 0x522fdf in do_nfs net/nfs.c:746
    #2 0x419e85 in execute_command common/command.c:62
    #3 0x434342 in run_pipe_real common/hush.c:837
    #4 0x434342 in run_list_real common/hush.c:961
    #5 0x434342 in run_list_real common/hush.c:849
    #6 0x431dc7 in run_list common/hush.c:1078
    #7 0x431dc7 in parse_stream_outer common/hush.c:1705
    #8 0x434fab in run_shell common/hush.c:1928
    #9 0x40a2ac in run_init common/startup.c:378
    #10 0x40a385 in start_barebox common/startup.c:421
    #11 0x590e63 in main (/home/bsdboy/barebox-9may/barebox/barebox+0x590e63)
    #12 0x7fdaf187f0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #13 0x4061bd in _start (/home/bsdboy/barebox-9may/barebox/barebox+0x4061bd)

0x000000955ea2 is located 0 bytes to the right of global variable
'str' defined in 'lib/libgen.c:51:14' (0x955ea0) of size 2
  'str' is ascii string '.'
SUMMARY: AddressSanitizer: global-buffer-overflow
common/dlmalloc.c:1397 in barebox_free
Shadow bytes around the buggy address:
  0x000080122b80: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x000080122b90: 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080122ba0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x000080122bb0: 00 00 00 06 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080122bc0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
=>0x000080122bd0: 00 00 00 00[02]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080122be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080122bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080122c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080122c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080122c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2828613==ABORTING


So, it seems that we also need to handle this issue as well.
Please confirm and let me know for further information.

Thanks and regards,
Neeraj

On Mon, May 10, 2021 at 4:38 PM Neeraj Pal <neerajpal09@gmail.com> wrote:
>
> Hi Sascha,
>
> Thank you for the patches.
>
> I have confirmed it and observed no crashes as reported earlier but I
> think there is a small typo in the nfs_start() function in
> net/nfs.c#L677.
>
> 672    static int nfs_start(char *p)
> 673    {
> 674        debug("%s\n", __func__);
> 675
> 676        nfs_path = strdup(p);
> 677        if (nfs_path)
> 678            return -ENOMEM;
> 679
>
> In line 677, if strdup is successful then it is returning ENOMEM so I
> think there is a typo, it is supposed to check for NULL so it would be
> if (!nfs_path) or if (nfs_path == NULL) then it should return ENOMEM.
>
> Please confirm and also sending a small patch.
>
> Thanks and regards,
> Neeraj
>
> On Fri, May 7, 2021 at 2:11 PM Sascha Hauer <sha@pengutronix.de> wrote:
> >
> > Hi,
> >
> > On Sun, Apr 18, 2021 at 12:22:30AM +0530, Neeraj Pal wrote:
> > > Hi,
> > >
> > > While reviewing the code of barebox-2021.04.0 and git commit
> > > af0f068a6edad45b033e772056ac0352e1ba3613  I found a stack buffer
> > > overflow WRITE of size 1 in
> > > nfs_start() net/nfs.c L664 through strcpy call which furthers crashes at
> > > function strcpy in lib/string.c L96.
> >
> > Thanks for reporting this. Indeed the nfs filename is stored in a fixed
> > size buffer which can easily overflow with the right input.
> >
> > This patch should fix this issue.
> >
> > Regards,
> >   Sascha
> >
> > -----------------------------8<---------------------------------
> > From 3978396bf88c4ab567ddf36dff1218502e32a94d Mon Sep 17 00:00:00 2001
> > From: Sascha Hauer <s.hauer@pengutronix.de>
> > Date: Fri, 7 May 2021 10:26:51 +0200
> > Subject: [PATCH] nfs command: Fix possible buffer overflow
> >
> > the nfs command stores the nfs filename in a fixed size buffer without
> > checking its length. Instead of using a static buffer use strdup() to
> > dynamically allocate a suitably sized buffer.
> >
> > Reported-by: Neeraj Pal <neerajpal09@gmail.com>
> > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> > ---
> >  net/nfs.c | 41 ++++++++++++++++++++++++++++++-----------
> >  1 file changed, 30 insertions(+), 11 deletions(-)
> >
> > diff --git a/net/nfs.c b/net/nfs.c
> > index 591417e0de..440e410a83 100644
> > --- a/net/nfs.c
> > +++ b/net/nfs.c
> > @@ -148,7 +148,6 @@ static int  nfs_state;
> >
> >  static char *nfs_filename;
> >  static char *nfs_path;
> > -static char nfs_path_buff[2048];
> >
> >  static int net_store_fd;
> >  static struct net_connection *nfs_con;
> > @@ -522,11 +521,26 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
> >         path = (char *)data;
> >
> >         if (*path != '/') {
> > -               strcat(nfs_path, "/");
> > -               strncat(nfs_path, path, rlen);
> > +               char *n;
> > +
> > +               n = calloc(strlen(nfs_path) + sizeof('/') + rlen + 1, 1);
> > +               if (!n)
> > +                       return -ENOMEM;
> > +
> > +               strcpy(n, nfs_path);
> > +               strcat(n, "/");
> > +               strncat(n, path, rlen);
> > +
> > +               free(nfs_path);
> > +               nfs_path = n;
> >         } else {
> > +               free(nfs_path);
> > +
> > +               nfs_path = calloc(rlen + 1, 1);
> > +               if (!nfs_path)
> > +                       return -ENOMEM;
> > +
> >                 memcpy(nfs_path, path, rlen);
> > -               nfs_path[rlen] = 0;
> >         }
> >         return 0;
> >  }
> > @@ -655,13 +669,13 @@ err_out:
> >         nfs_err = ret;
> >  }
> >
> > -static void nfs_start(char *p)
> > +static int nfs_start(char *p)
> >  {
> >         debug("%s\n", __func__);
> >
> > -       nfs_path = (char *)nfs_path_buff;
> > -
> > -       strcpy(nfs_path, p);
> > +       nfs_path = strdup(p);
> > +       if (nfs_path)
> > +               return -ENOMEM;
> >
> >         nfs_filename = basename (nfs_path);
> >         nfs_path     = dirname (nfs_path);
> > @@ -671,6 +685,8 @@ static void nfs_start(char *p)
> >         nfs_state = STATE_PRCLOOKUP_PROG_MOUNT_REQ;
> >
> >         nfs_send();
> > +
> > +       return 0;
> >  }
> >
> >  static int do_nfs(int argc, char *argv[])
> > @@ -701,9 +717,9 @@ static int do_nfs(int argc, char *argv[])
> >         }
> >         net_udp_bind(nfs_con, 1000);
> >
> > -       nfs_err = 0;
> > -
> > -       nfs_start(remotefile);
> > +       nfs_err = nfs_start(remotefile);
> > +       if (nfs_err)
> > +               goto err_udp;
> >
> >         while (nfs_state != STATE_DONE) {
> >                 if (ctrlc()) {
> > @@ -727,6 +743,9 @@ err_udp:
> >
> >         printf("\n");
> >
> > +       free(nfs_path);
> > +       nfs_path = NULL;
> > +
> >         return nfs_err == 0 ? 0 : 1;
> >  }
> >
> > --
> > 2.29.2
> >
> >
> > --
> > Pengutronix e.K.                           |                             |
> > Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> > 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> > Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [BUG] Stack buffer overflow WRITE of size 1 in nfs_start function
  2021-05-10 11:08   ` Neeraj Pal
  2021-05-10 13:18     ` Neeraj Pal
@ 2021-05-11  8:58     ` Sascha Hauer
  2021-05-11 18:06       ` Neeraj Pal
  1 sibling, 1 reply; 6+ messages in thread
From: Sascha Hauer @ 2021-05-11  8:58 UTC (permalink / raw)
  To: Neeraj Pal; +Cc: barebox

On Mon, May 10, 2021 at 04:38:51PM +0530, Neeraj Pal wrote:
> Hi Sascha,
> 
> Thank you for the patches.
> 
> I have confirmed it and observed no crashes as reported earlier but I
> think there is a small typo in the nfs_start() function in
> net/nfs.c#L677.
> 
> 672    static int nfs_start(char *p)
> 673    {
> 674        debug("%s\n", __func__);
> 675
> 676        nfs_path = strdup(p);
> 677        if (nfs_path)
> 678            return -ENOMEM;
> 679
> 
> In line 677, if strdup is successful then it is returning ENOMEM so I
> think there is a typo, it is supposed to check for NULL so it would be
> if (!nfs_path) or if (nfs_path == NULL) then it should return ENOMEM.
> 
> Please confirm and also sending a small patch.

Ok, so my patch doesn't resolve the whole issue. I just tried the nfs
command once after a long time now and this really seems to be broken
in other ways as well. I tend to entirely remove the command instead
of further trying to fix it. The normal way to handle nfs should be
to use the NFS filesystem implementation anyway which would be

mount -t nfs $server:/path/to/share /foo

I don't think we have the manpower to maintain two NFS implementations,
so we shouldn't try to.

Sascha


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [BUG] Stack buffer overflow WRITE of size 1 in nfs_start function
  2021-05-11  8:58     ` Sascha Hauer
@ 2021-05-11 18:06       ` Neeraj Pal
  0 siblings, 0 replies; 6+ messages in thread
From: Neeraj Pal @ 2021-05-11 18:06 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: barebox

On Tue, May 11, 2021 at 2:28 PM Sascha Hauer <sha@pengutronix.de> wrote:
> Ok, so my patch doesn't resolve the whole issue. I just tried the nfs
> command once after a long time now and this really seems to be broken
> in other ways as well. I tend to entirely remove the command instead
> of further trying to fix it. The normal way to handle nfs should be
> to use the NFS filesystem implementation anyway which would be
>
> mount -t nfs $server:/path/to/share /foo
>
> I don't think we have the manpower to maintain two NFS implementations,
> so we shouldn't try to.

Ok, so, it resolves the issue in some way but I think not completely
as it seems that after modifying the strdup return value condition, it
later again got crashed, and, it definitely makes sense and I
completely agree with that as we already have one working
implementation of NFS available so no need to maintain or add the
additional code which provides the similar functionality. So, I also
think that it would be better if we remove any unnecessary code so
that will reduce future issues.

Thanks and regards,
Neeraj

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-05-11 18:07 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-17 18:52 [BUG] Stack buffer overflow WRITE of size 1 in nfs_start function Neeraj Pal
2021-05-07  8:41 ` Sascha Hauer
2021-05-10 11:08   ` Neeraj Pal
2021-05-10 13:18     ` Neeraj Pal
2021-05-11  8:58     ` Sascha Hauer
2021-05-11 18:06       ` Neeraj Pal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox