git: ca927128bf6a - stable/13 - When parsing a rule to rotate log files on a specific week day, parseDWM() can advance the time to the next week. If the next week is in the next month, then tm_mon is incremented. However, the increment was failing to handle the wraparound from December to January, so when parsing a rule during the last week of the December, the month would advance to month 12. This triggered an out-of-bounds read of the mtab[] array in days_pmonth() after parseDWM() returned. To fix, this change resets the month to January and increment the year when the month increment wraps.

Reply: Garance A Drosehn : "Re: git: ca927128bf6a - stable/13 - When parsing a rule to rotate log files ... MFC"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Garance A Drosehn <gad_at_FreeBSD.org>
Date: Sat, 23 Sep 2023 21:09:04 UTC

The branch stable/13 has been updated by gad:

URL: https://cgit.FreeBSD.org/src/commit/?id=ca927128bf6a92abce27151fbb1ab112fd2a8385

commit ca927128bf6a92abce27151fbb1ab112fd2a8385
Author:     Garance A Drosehn <gad@FreeBSD.org>
AuthorDate: 2021-12-30 20:45:13 +0000
Commit:     Garance A Drosehn <gad@FreeBSD.org>
CommitDate: 2023-09-23 21:04:40 +0000

    When parsing a rule to rotate log files on a specific week day,
    parseDWM() can advance the time to the next week. If the next week is
    in the next month, then tm_mon is incremented. However, the increment
    was failing to handle the wraparound from December to January, so when
    parsing a rule during the last week of the December, the month would
    advance to month 12. This triggered an out-of-bounds read of the
    mtab[] array in days_pmonth() after parseDWM() returned.  To fix,
    this change resets the month to January and increment the year when
    the month increment wraps.
    
    The default rule for /var/log/weekly.log triggers this during the
    last week of December each year.
    Reported by:    CHERI
    Obtained from:  CheriBSD
    Reviewed by:    jhb
    Sponsored by:   The University of Cambridge, Google Inc.
    Differential Revision:  <https://reviews.freebsd.org/D33687>
    
    (cherry picked from commit b7b447fd4ca327faa99b2f16e6cbd61c86c75f04)
---
 usr.sbin/newsyslog/ptimes.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/usr.sbin/newsyslog/ptimes.c b/usr.sbin/newsyslog/ptimes.c
index 06bdffdda084..792ad3e1727d 100644
--- a/usr.sbin/newsyslog/ptimes.c
+++ b/usr.sbin/newsyslog/ptimes.c
@@ -277,6 +277,10 @@ parseDWM(struct ptime_data *ptime, const char *s)
 				if (tm.tm_mday > daysmon) {
 					tm.tm_mon++;
 					tm.tm_mday = tm.tm_mday - daysmon;
+					if (tm.tm_mon >= 12) {
+						tm.tm_mon = 0;
+						tm.tm_year++;
+					}
 				}
 			}
 			break;