[commit: ghc] master: [RTS] Harden against buffer overflow (e62391a)

git at git.haskell.org git at git.haskell.org
Wed Sep 13 15:17:32 UTC 2017


Repository : ssh://git@git.haskell.org/ghc

On branch  : master
Link       : http://ghc.haskell.org/trac/ghc/changeset/e62391a75c8dc304f902e732fc63eefb21930aca/ghc

>---------------------------------------------------------------

commit e62391a75c8dc304f902e732fc63eefb21930aca
Author: Bartosz Nitka <niteria at gmail.com>
Date:   Wed Sep 13 08:28:00 2017 -0400

    [RTS] Harden against buffer overflow
    
    This sprintf is safe thanks to the guarantees on the format strings that
    we pass to it.  Well, almost. The GR_FILENAME_FMT_GUM format would not
    have satisfied them if it was still used.
    
    If someone makes a mistake that's a potential privilege escalation,
    so I think it's reasonable to switch to snprintf to protect against
    that remote possibility.
    
    Test Plan: it builds, CI
    
    Reviewers: simonmar, bgamari, austin, erikd
    
    Reviewed By: bgamari
    
    Subscribers: rwbarton, thomie
    
    Differential Revision: https://phabricator.haskell.org/D3944


>---------------------------------------------------------------

e62391a75c8dc304f902e732fc63eefb21930aca
 includes/rts/Flags.h | 1 -
 rts/RtsFlags.c       | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/rts/Flags.h b/includes/rts/Flags.h
index 6700f9d..6040201 100644
--- a/includes/rts/Flags.h
+++ b/includes/rts/Flags.h
@@ -263,7 +263,6 @@ extern RTS_FLAGS RtsFlags;
 #define STATS_FILENAME_MAXLEN	128
 
 #define GR_FILENAME_FMT		"%0.124s.gr"
-#define GR_FILENAME_FMT_GUM	"%0.120s.%03d.%s"
 #define HP_FILENAME_FMT		"%0.124s.hp"
 #define LIFE_FILENAME_FMT	"%0.122s.life"
 #define PROF_FILENAME_FMT	"%0.122s.prof"
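
Review bot: The size invariant that the remaining *_FILENAME_FMT macros depend on is not documented next to STATS_FILENAME_MAXLEN. Each surviving format caps its %s with a precision (124 or 122) so that precision plus suffix plus the terminating NUL comes to 128. The removed GR_FILENAME_FMT_GUM broke that with an uncapped %s and a %03d that has a minimum width but no maximum. A short comment above the defines stating that every format must expand to at most STATS_FILENAME_MAXLEN - 1 characters would tell whoever adds the next format what to check.
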
diff --git a/rts/RtsFlags.c b/rts/RtsFlags.c
index 06d59f0..ec21ef1 100644
--- a/rts/RtsFlags.c
+++ b/rts/RtsFlags.c
@@ -1636,7 +1636,8 @@ openStatsFile (char *filename,           // filename, or NULL
             }
             /* default <program>.<ext> */
             char stats_filename[STATS_FILENAME_MAXLEN];
-            sprintf(stats_filename, filename_fmt, prog_name);
+            snprintf(stats_filename, STATS_FILENAME_MAXLEN, filename_fmt,
+                prog_name);
             f = fopen(stats_filename,"w");
         }
         if (f == NULL) {
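
Review bot: The return value of the new snprintf call is ignored, so a format that produces more than STATS_FILENAME_MAXLEN - 1 characters would be silently truncated and fopen(stats_filename,"w") would then create a file under a name other than the intended one. Consider treating a negative result, or one that is >= STATS_FILENAME_MAXLEN, as an error instead of opening the truncated path. Passing sizeof(stats_filename) as the size argument would also keep the bound tied to the array declared two lines above, rather than repeating the macro.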
