[Bug libc/11883] New: fnmatch() alloca() abuse, with security consequence

[Bug libc/11883] New: fnmatch() alloca() abuse, with security consequence

[scarybeasts at gmail dot com]

Demo:

#include <err.h>
#include <fnmatch.h>
#include <locale.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, const char* argv[]) {
  size_t num_as;
  char* p;
  setlocale(LC_ALL, "en_US.UTF8");
  if (argc < 2) {
    errx(1, "Missing argument.");
  }
  num_as = atoi(argv[1]);
  if (num_as < 5) {
    errx(1, "Need 5.");
  }
  p = malloc(num_as);
  if (!p) {
    errx(1, "malloc() failed.");
  }
  memset(p, 'A', num_as);
  p[num_as - 1] = '\0';
  p[0] = 'f';
  p[1] = 'o';
  p[2] = 'o';
  p[3] = '.';
  fnmatch("*.anim[1-9j]", p, 0);
  return 0;
}

./a.out 3000000
Segmentation fault

(If your default max stack size is greater than the default 8MB then you may 
need a larger number)

I chatted to some people and they suggested that there's probably a missing 
__libc_use_alloca() somewhere.

This was the source of a nasty Chromium bug which was worked around for now.

[Random aside: I can't seem to find the default value for __libc_alloca_cutoff 
but if it is > PAGE_SIZE then that in of itself would cause serious issues since 
most people don't compile glibc with -fstack-check, combined with the fact that 
pthread stacks by default are separated with a single guard page]

-- 
           Summary: fnmatch() alloca() abuse, with security consequence
           Product: glibc
           Version: 2.9
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: scarybeasts at gmail dot com
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=11883

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11883] fnmatch() alloca() abuse, with security consequence

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2010-08-10 04:27 -------
I cannot reproduce any problem.  I did check in changes to keep the alloca use
limited.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=11883

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11883] fnmatch() alloca() abuse, with security consequence

[schwab at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=11883

Andreas Schwab <schwab at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|jackie.rosen at hushmail dot com   |

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/11883] fnmatch() alloca() abuse, with security consequence

[jackie.rosen at hushmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=11883

Jackie Rosen <jackie.rosen at hushmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jackie.rosen at hushmail dot com

--- Comment #2 from Jackie Rosen <jackie.rosen at hushmail dot com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.

-- 
You are receiving this mail because:
You are on the CC list for the bug.