* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
2010-08-05 5:12 [Bug libc/11884] New: Unbound alloca() in node parameter of getaddrinfo() cdn at chromium dot org
@ 2010-08-05 5:12 ` cdn at chromium dot org
2010-08-05 5:14 ` cdn at chromium dot org
` (8 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: cdn at chromium dot org @ 2010-08-05 5:12 UTC (permalink / raw)
To: glibc-bugs
--
What |Removed |Added
----------------------------------------------------------------------------
Summary|Unbound alloca() in node |Unbounded alloca() in node
|parameter of getaddrinfo() |parameter of getaddrinfo()
http://sourceware.org/bugzilla/show_bug.cgi?id=11884
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
From: cdn at chromium dot org @ 2010-08-05 5:14 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From cdn at chromium dot org 2010-08-05 05:14 -------
getaddra() should be getaddrinfo()... that's what I get for not proofreading.
(In reply to comment #0)
> getaddra() uses the provided node parameter to determine the size of an
> alloca(). When compiled without the -fstack-check option alloca() will be
> inlined as "SUB esp, size". For large values of size this can result in
> several consequences which allow subsequent writes to the stack to overwrite
> arbitrary memory.
>
> The following POC can be used to demonstrate this vulnerability.
>
> #include <sys/mman.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netdb.h>
> #include <stdlib.h>
> #include <string.h>
>
> int main(int argc, char **argv) {
>   struct addrinfo hints, *res;
>   char *host;
>   size_t len;
>   if (argc < 2)
>     return 1;
>   len = atoi(argv[1]);
>   /* Node name of the requested length: all 'A', NUL-terminated. */
>   host = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
>   memset(host, 0x41, len);
>   host[len - 1] = '\0';
>   memset((char *)&hints, 0, sizeof(hints));
>   hints.ai_family = PF_INET;
>   hints.ai_socktype = SOCK_STREAM;
>   /* The length of the node string drives the size of the internal alloca(). */
>   getaddrinfo(host, 0, &hints, &res);
>   exit(0);
> }
>
> On a 32-bit arch try values in the range of 9 MB to demonstrate a crash.
* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
From: cdn at chromium dot org @ 2010-08-18 17:12 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From cdn at chromium dot org 2010-08-18 17:12 -------
ping... Any movement on this?
* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
From: kees at outflux dot net @ 2010-09-12 15:27 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From kees at outflux dot net 2010-09-12 15:27 -------
I'm not able to reproduce this at all. What versions of glibc, compiler, etc. are
you using?
The problem sounds more like stack limits are being hit, causing a crash rather
than having arbitrary overwrite controls.
--
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |WAITING
* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
From: kees at outflux dot net @ 2010-09-12 15:41 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From kees at outflux dot net 2010-09-12 15:41 -------
Ah, as pointed out by the reporter in separate email, this could be a serious
problem for threaded applications.
--
What |Removed |Added
----------------------------------------------------------------------------
Status|WAITING |NEW
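The following is an added example, not code from the bug report or from glibc. It puts the unchecked pattern the report describes (a stack allocation sized by strlen(node) + 1, which on a 32-bit build with a 9 MiB node moves the stack pointer further than a whole thread stack, past its single guard page and into whatever mapping lies below, which is why the later writes corrupt memory rather than faulting) next to a bounded alternative that refuses to use the stack above a fixed limit and falls back to malloc(). glibc's own internal alloca() users guard the size with a per-call cutoff (__libc_use_alloca) in the same spirit. The 64 KiB limit, the function names (choose_alloc, count_labels, long_node_labels) and the constructed 9 MiB node name are assumptions of this example, not values from the report.

```c
#include <alloca.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest scratch buffer this code will put on the stack. The value is an
 * assumption for the example; glibc gates its internal alloca() calls with a
 * comparable per-call cutoff (__libc_use_alloca) and uses malloc() above it.
 * It is tiny next to the few-MiB thread stacks whose single guard page an
 * unchecked "SUB esp, size" of 9 MiB would simply step over. */
#define STACK_SCRATCH_LIMIT ((size_t)64 * 1024)

enum alloc_where { ALLOC_STACK = 1, ALLOC_HEAP = 2 };

struct label_result {
    int labels;              /* dot-separated labels in the node, -1 on failure */
    enum alloc_where where;  /* where the writable scratch copy was placed */
};

/* The unchecked pattern from the report, reduced to arithmetic: this is how
 * far alloca(strlen(node) + 1) moves the stack pointer. Nothing is allocated. */
size_t unchecked_alloca_size(const char *node)
{
    return strlen(node) + 1;
}

/* The check the unbounded pattern lacks: stack only for small sizes. */
enum alloc_where choose_alloc(size_t len)
{
    return len <= STACK_SCRATCH_LIMIT ? ALLOC_STACK : ALLOC_HEAP;
}

/* Bounded version of the pattern: the caller-supplied name is copied into a
 * writable buffer (here to lowercase it and strip one trailing dot before
 * counting labels), but the buffer lives on the stack only when the length
 * passed choose_alloc(); otherwise it comes from the heap. */
struct label_result count_labels(const char *node)
{
    struct label_result r = { -1, ALLOC_HEAP };
    size_t len = strlen(node) + 1;
    char *heap = NULL;
    char *scratch;

    r.where = choose_alloc(len);
    if (r.where == ALLOC_STACK) {
        scratch = alloca(len);       /* len <= STACK_SCRATCH_LIMIT is guaranteed */
    } else {
        heap = malloc(len);
        if (heap == NULL)
            return r;
        scratch = heap;
    }
    memcpy(scratch, node, len);

    size_t n = len - 1;
    if (n > 0 && scratch[n - 1] == '.')
        scratch[--n] = '\0';         /* "example.com." -> "example.com" */

    r.labels = n > 0 ? 1 : 0;
    for (size_t i = 0; i < n; i++) {
        scratch[i] = (char)tolower((unsigned char)scratch[i]);
        if (scratch[i] == '.')
            r.labels++;
    }

    free(heap);                      /* no-op when the copy was on the stack */
    return r;
}

/* Constructed stand-in for the reporter's multi-megabyte node: 63 'a's and a
 * dot, repeated to `bytes` characters. Returns count_labels() of that name. */
struct label_result long_node_labels(size_t bytes)
{
    struct label_result r = { -1, ALLOC_HEAP };
    char *node = malloc(bytes + 1);
    if (node == NULL)
        return r;
    for (size_t i = 0; i < bytes; i++)
        node[i] = (i % 64 == 63) ? '.' : 'a';
    node[bytes] = '\0';
    r = count_labels(node);
    free(node);
    return r;
}

int main(void)
{
    struct label_result small = count_labels("WWW.Example.COM.");
    struct label_result big = long_node_labels((size_t)9 << 20);

    printf("small: %d labels, scratch on %s\n", small.labels,
           small.where == ALLOC_STACK ? "stack" : "heap");
    printf("9 MiB node: %d labels, scratch on %s; an unchecked alloca() would "
           "have moved the stack pointer by %zu bytes\n", big.labels,
           big.where == ALLOC_STACK ? "stack" : "heap", ((size_t)9 << 20) + 1);
    return 0;
}
```

The decision is deliberately made on the length before any allocation happens, and the heap pointer is kept separately so that a single free() covers both paths; the stack path never sees a size above the cutoff, so no input length can drive the stack pointer more than 64 KiB down, which is well inside a guard-protected thread stack.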
* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
From: kees at outflux dot net @ 2010-09-12 15:51 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From kees at outflux dot net 2010-09-12 15:51 -------
Looks like this issue may be getting mitigated in other ways already:
$ ./getaddrinfo 100
getaddrinfo: Connection timed out
$ ./getaddrinfo 1000
getaddrinfo: Invalid argument
* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
From: cdn at chromium dot org @ 2010-09-12 20:41 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From cdn at chromium dot org 2010-09-12 20:41 -------
Interesting... are you testing against 2.12/13?
I only have woefully out of date versions at home but I know this worked on a very
recent install of Lucid. I'll post the version tomorrow when I get in to work and
see if we can track down where this may have changed.
Looking through the 2.11 code quickly there may be a similar bug in getnameinfo()
but controlled through the query response. Not sure how big this can be. I'll test
it out this week and report a new bug if it pans out.
* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
From: kees at outflux dot net @ 2010-09-12 22:56 UTC (permalink / raw)
To: glibc-bugs
--
What |Removed |Added
----------------------------------------------------------------------------
CC| |kees at outflux dot net
* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
From: cdn at chromium dot org @ 2010-09-14 0:15 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From cdn at chromium dot org 2010-09-14 00:15 -------
The most recent version I have tested on is apparently 2.7.
* [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
From: pasky at suse dot cz @ 2010-09-14 0:36 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From pasky at suse dot cz 2010-09-14 00:36 -------
So, can you please try to reproduce this with current glibc?
--
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |WAITING