Buffer overflow in libfuse patch #35

Bqleine · 2024-07-02T14:26:34Z

// For i = 4...99, check if there is a binary called "fusermount" + i
// It is not yet known whether this will work for our purposes, but it is better than not even attempting
for (int i = 4; i < 100; i++) {
prog = findBinaryInFusermountDir("fusermount" + i);
if (access(prog, X_OK) == 0)
return prog;
}

This adds to the string's pointer, it does not make a string concatenation at all. e.g it will lead to the following tries:

"rmountXXXX"
"mountXXXXX"
etc...
With Xs being invalid memory addresses.

@Bqleine

Closes #35 Thanks @Bqleine

probonopd · 2024-07-02T22:01:01Z

Actually... won't

https://github.com/AppImage/type2-runtime/pull/32/files

fix this once it finally gets reviewed and merged?

Bqleine · 2024-07-03T22:36:11Z

The issue also got copied into these repositories:
https://github.com/feather-wallet/feather/blob/c0a5a549f4f78b6e65efd12d4813aa2149afa7f9/contrib/depends/patches/libfuse/mount.c.diff#L4
https://github.com/probonopd/static-tools/blob/f0f6e679a001c4ad0e393f829a2396bf41f59cfe/patches/libfuse/mount.c.diff#L4

probonopd added a commit that referenced this issue Jul 2, 2024

Fix #35

63a422b

Closes #35 Thanks @Bqleine

probonopd mentioned this issue Jul 2, 2024

Try to fix #35 #36

Closed

Bqleine mentioned this issue Jul 4, 2024

Update libfuse patch #37

Closed

probonopd mentioned this issue Nov 24, 2024

Find usermountN and set FUSERMOUNT_PROG if not set #82

Merged

probonopd closed this as completed Nov 24, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Buffer overflow in libfuse patch #35

Buffer overflow in libfuse patch #35

Bqleine commented Jul 2, 2024

probonopd commented Jul 2, 2024

Bqleine commented Jul 3, 2024

Buffer overflow in libfuse patch #35

Buffer overflow in libfuse patch #35

Comments

Bqleine commented Jul 2, 2024

probonopd commented Jul 2, 2024

Bqleine commented Jul 3, 2024