public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/10352] no protection against using fd_set with fd>1024
[not found] <bug-10352-131@http.sourceware.org/bugzilla/>
@ 2011-05-02 15:20 ` bressers at redhat dot com
2011-05-03 0:32 ` drepper.fsp at gmail dot com
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: bressers at redhat dot com @ 2011-05-02 15:20 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=10352
Josh Bressers <bressers at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bressers at redhat dot com
--- Comment #2 from Josh Bressers <bressers at redhat dot com> 2011-05-02 15:19:21 UTC ---
Ulrich,
Could I convince you to revisit this bug? This issue is currently being hit by
some enterprise sized daemons (lots of open fds). The biggest issue is that
almost every use of select is wrong, so fixing them all in a timely manner is
rather impractical. Some projects like Samba have already moved to poll(), but
they're now hitting fd issues in various libraries.
I do agree that this is a library bug, but I think given the situation, it
could make sense to add a fix for this to glibc to prevent buggy select use
from overwriting arbitrary bits in memory. It's obvious that most projects
don't use select() properly, even though its correct use is documented in the
man pages.
Thanks.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread* [Bug libc/10352] no protection against using fd_set with fd>1024
[not found] <bug-10352-131@http.sourceware.org/bugzilla/>
2011-05-02 15:20 ` [Bug libc/10352] no protection against using fd_set with fd>1024 bressers at redhat dot com
@ 2011-05-03 0:32 ` drepper.fsp at gmail dot com
2011-05-03 20:05 ` bugdal at aerifal dot cx
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: drepper.fsp at gmail dot com @ 2011-05-03 0:32 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=10352
--- Comment #3 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-05-03 00:31:51 UTC ---
(In reply to comment #2)
> Could I convince you to revisit this bug?
No. Any such change breaks existing code since there are programs which
redefine the set size and do other stupid things.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread* [Bug libc/10352] no protection against using fd_set with fd>1024
[not found] <bug-10352-131@http.sourceware.org/bugzilla/>
2011-05-02 15:20 ` [Bug libc/10352] no protection against using fd_set with fd>1024 bressers at redhat dot com
2011-05-03 0:32 ` drepper.fsp at gmail dot com
@ 2011-05-03 20:05 ` bugdal at aerifal dot cx
2014-06-13 11:02 ` fweimer at redhat dot com
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: bugdal at aerifal dot cx @ 2011-05-03 20:05 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=10352
Rich Felker <bugdal at aerifal dot cx> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bugdal at aerifal dot cx
--- Comment #4 from Rich Felker <bugdal at aerifal dot cx> 2011-05-03 20:05:03 UTC ---
Wouldn't it be reasonable to range-check the file descriptor when
security-related feature test macros (perhaps FORTIFY_SOURCE) are enabled?
By the way, POSIX specifies that passing fd values greater than or equal to
FD_SETSIZE to the FD_* macros/functions results in undefined behavior, so
programs which want to *try* using select with higher fds should do it by
allocating an *array of fd_set objects* with (maxfd+FD_SETSIZE)/FD_SETSIZE
elements, then performing operations like FD_SET(fd%FD_SETSIZE,
&fds[fd/FD_SETSIZE]); -- this also avoids dependency on nonstandard and
nonportable macros like NFDBITS.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread* [Bug libc/10352] no protection against using fd_set with fd>1024
[not found] <bug-10352-131@http.sourceware.org/bugzilla/>
` (2 preceding siblings ...)
2011-05-03 20:05 ` bugdal at aerifal dot cx
@ 2014-06-13 11:02 ` fweimer at redhat dot com
2014-06-13 11:02 ` fweimer at redhat dot com
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: fweimer at redhat dot com @ 2014-06-13 11:02 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10352
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Resolution|WONTFIX |FIXED
--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
FD_SET fortification was implemented in glibc 2.15.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread* [Bug libc/10352] no protection against using fd_set with fd>1024
[not found] <bug-10352-131@http.sourceware.org/bugzilla/>
` (3 preceding siblings ...)
2014-06-13 11:02 ` fweimer at redhat dot com
@ 2014-06-13 11:02 ` fweimer at redhat dot com
2014-06-13 18:19 ` kees at outflux dot net
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: fweimer at redhat dot com @ 2014-06-13 11:02 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10352
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags| |security-
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread* [Bug libc/10352] no protection against using fd_set with fd>1024
[not found] <bug-10352-131@http.sourceware.org/bugzilla/>
` (4 preceding siblings ...)
2014-06-13 11:02 ` fweimer at redhat dot com
@ 2014-06-13 18:19 ` kees at outflux dot net
2014-10-01 0:05 ` djm at djm dot net.au
2020-07-28 4:45 ` meave390 at gmail dot com
7 siblings, 0 replies; 9+ messages in thread
From: kees at outflux dot net @ 2014-06-13 18:19 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10352
--- Comment #6 from Kees Cook <kees at outflux dot net> ---
commit a0f33f996f7986dbf37631a4577f8565b42df29e
Author: Ulrich Drepper <drepper@gmail.com>
Date: Thu Sep 8 19:48:47 2011 -0400
Add range checking for FD_SET, FD_CLR, and FD_ISSET
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread* [Bug libc/10352] no protection against using fd_set with fd>1024
[not found] <bug-10352-131@http.sourceware.org/bugzilla/>
` (5 preceding siblings ...)
2014-06-13 18:19 ` kees at outflux dot net
@ 2014-10-01 0:05 ` djm at djm dot net.au
2020-07-28 4:45 ` meave390 at gmail dot com
7 siblings, 0 replies; 9+ messages in thread
From: djm at djm dot net.au @ 2014-10-01 0:05 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10352
Damien Miller <djm at djm dot net.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at djm dot net.au
Version|unspecified |2.15
--- Comment #7 from Damien Miller <djm at djm dot net.au> ---
These checks break programs compiled with _FORTIFY_SOURCE that allocate fd_sets
on the heap. This has long been supported by Linux, all BSDs and many
commercial Unix as a way to avoid FD_SETSIZE limits.
Please consider revising the checks to detect explicitly allocated fd_sets or
add a preprocessor flag to disable the check.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread* [Bug libc/10352] no protection against using fd_set with fd>1024
[not found] <bug-10352-131@http.sourceware.org/bugzilla/>
` (6 preceding siblings ...)
2014-10-01 0:05 ` djm at djm dot net.au
@ 2020-07-28 4:45 ` meave390 at gmail dot com
7 siblings, 0 replies; 9+ messages in thread
From: meave390 at gmail dot com @ 2020-07-28 4:45 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10352
jack <meave390 at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |meave390 at gmail dot com
--- Comment #8 from jack <meave390 at gmail dot com> ---
There are player can be exited for this great fun zone just look it here
https://www.teamapp.com/clubs/548827 and connect the hurry online fortnite v
bucks generator games forever here.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug libc/10352] New: no protection against using fd_set with fd>1024
@ 2009-06-30 20:06 kees at outflux dot net
2009-10-30 6:31 ` [Bug libc/10352] " drepper at redhat dot com
0 siblings, 1 reply; 9+ messages in thread
From: kees at outflux dot net @ 2009-06-30 20:06 UTC (permalink / raw)
To: glibc-bugs
When a program using select() starts tracking file descriptors above 1024,
the fd_set vector (128 bytes) will overflow, writing to whatever is
beyond the vector, leading to stack/heap corruption.
This is a known, old, issue. Examples:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1500
http://marc.info/?l=bugtraq&m=110660879328901
It is perfectly valid to use select() on a user-allocated vector that IS large
enough to handle the the fds being tracked, but it seems that glibc should take
some proactive measures to help applications that are not checking FD_SETSIZE.
It was pointed out that SSH, e.g. uses this to work around the issue:
fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS)
Some ideas could be to flag FD_ZERO as dangerous? Or to check sizeof(...) on
select() inputs?
I would love to see a reasonable approach to protecting applications that aren't
prepared for RLIMIT_NOFILE to be >1024. :)
Also being tracked here: https://bugs.launchpad.net/bugs/386558
Thanks!
--
Summary: no protection against using fd_set with fd>1024
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: kees at outflux dot net
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=10352
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2020-07-28 4:45 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <bug-10352-131@http.sourceware.org/bugzilla/>
2011-05-02 15:20 ` [Bug libc/10352] no protection against using fd_set with fd>1024 bressers at redhat dot com
2011-05-03 0:32 ` drepper.fsp at gmail dot com
2011-05-03 20:05 ` bugdal at aerifal dot cx
2014-06-13 11:02 ` fweimer at redhat dot com
2014-06-13 11:02 ` fweimer at redhat dot com
2014-06-13 18:19 ` kees at outflux dot net
2014-10-01 0:05 ` djm at djm dot net.au
2020-07-28 4:45 ` meave390 at gmail dot com
2009-06-30 20:06 [Bug libc/10352] New: " kees at outflux dot net
2009-10-30 6:31 ` [Bug libc/10352] " drepper at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).