sigil/packages/genodelabs/patches/label-fail.patch

From 4250346b87b8e24a48d04ddacc77512eaa20ce0e Mon Sep 17 00:00:00 2001
From: Emery Hemingway <ehmry@posteo.net>
Date: Sat, 7 Nov 2020 11:23:03 +0100
Subject: [PATCH 1/2] base: fail on label truncation

---
 repos/base/include/base/session_label.h | 27 ++++++++++++++++++++++---
 repos/base/include/util/arg_string.h    |  6 ++++++
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/repos/base/include/base/session_label.h b/repos/base/include/base/session_label.h
index d5e752d120..85034904e5 100644
--- a/repos/base/include/base/session_label.h
+++ b/repos/base/include/base/session_label.h
@@ -16,10 +16,14 @@
 #define _INCLUDE__BASE__SESSION_LABEL_H_
 
 #include <base/snprintf.h>
+#include <base/log.h>
 #include <util/arg_string.h>
 #include <util/string.h>
 
-namespace Genode { struct Session_label; }
+namespace Genode {
+	struct Session_label;
+	class Label_overflow : Exception { };
+}
 
 struct Genode::Session_label : String<160>
 {
@@ -33,6 +37,8 @@ struct Genode::Session_label : String<160>
 		using String = String<capacity()>;
 		using String::String;
 
+		/* TODO: String::String can still truncate and break labels */
+
 		/**
 		 * Copy constructor
 		 *
@@ -41,7 +47,13 @@ struct Genode::Session_label : String<160>
 		 */
 		template <size_t N>
 		Session_label(Genode::String<N> const &other)
-		: Genode::String<160>(other) { }
+		: Genode::String<160>(other)
+		{
+			if (length() < other.length()) {
+				error(__func__, " overflow - «", other, "»");
+				throw Label_overflow();
+			}
+		}
 
 		Session_label last_element() const
 		{
@@ -90,8 +102,13 @@ namespace Genode {
 	inline Session_label label_from_args(char const *args)
 	{
 		char buf[Session_label::capacity()];
-		Arg_string::find_arg(args, "label").string(buf, sizeof(buf), "");
+		auto arg = Arg_string::find_arg(args, "label");
+		if (Session_label::capacity() <= arg.length()) {
+			error(__func__, " overflow - «", (char const *)args, "»");
+			throw Label_overflow();
+		}
 
+		arg.string(buf, sizeof(buf), "");
 		return Session_label(Cstring(buf));
 	}
 
@@ -103,6 +120,10 @@ namespace Genode {
 	                                    String<N2> const &label)
 	{
 		String<N1 + N2 + 4> const prefixed_label(prefix, " -> ", label);
+		if (Session_label::capacity() <= prefixed_label.length()) {
+			error(__func__, " overflow - «", prefix, "» - «", label, "»");
+			throw Label_overflow();
+		}
 		return Session_label(prefixed_label);
 	}
 }
diff --git a/repos/base/include/util/arg_string.h b/repos/base/include/util/arg_string.h
index 610fbb16b3..48777e0c2a 100644
--- a/repos/base/include/util/arg_string.h
+++ b/repos/base/include/util/arg_string.h
@@ -114,6 +114,12 @@ class Genode::Arg
 
 		inline bool valid() const { return _key; }
 
+		size_t length() const
+		{
+			return _value.type() == Token::STRING
+				? _value.len() - 2 : _value.len();
+		}
+
 		unsigned long ulong_value(unsigned long default_value) const
 		{
 			unsigned long value = 0;
-- 
2.30.0


From 252c08cf61ad7feef83bd2e542465330633ba41f Mon Sep 17 00:00:00 2001
From: Emery Hemingway <ehmry@posteo.net>
Date: Wed, 10 Feb 2021 13:32:42 +0100
Subject: [PATCH 2/2] Detect destroyed argument buffers at Env::session

Session request arguments are silently zeroed when their length
exceedes some buffer size.
---
 repos/base/src/lib/base/component.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/repos/base/src/lib/base/component.cc b/repos/base/src/lib/base/component.cc
index 568be31efb..913687ea7f 100644
--- a/repos/base/src/lib/base/component.cc
+++ b/repos/base/src/lib/base/component.cc
@@ -122,6 +122,10 @@ namespace {
 		                           Affinity             const &affinity) override
 		{
 			Mutex::Guard guard(_mutex);
+			if (!args.valid_string()) {
+				error("invalid args for ", name.string(), " service request");
+				throw Service_denied();
+			}
 
 			/*
 			 * Since we account for the backing store for session meta data on
-- 
2.30.0