public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/12583] New: fnmatch: integer overflow in computation of the required memory
@ 2011-03-14 14:43 thoger at redhat dot com
2011-03-16 15:19 ` [Bug libc/12583] " thoger at redhat dot com
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: thoger at redhat dot com @ 2011-03-14 14:43 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12583
Summary: fnmatch: integer overflow in computation of the
required memory
Product: glibc
Version: 2.13
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper.fsp@gmail.com
ReportedBy: thoger@redhat.com
Bug #11883 describes a problem of an unbound alloca() use in fnmatch(), leading
to crash when unexpectedly long string is passed to fnmatch() as either pattern
or string. The issue seems to have been addressed in the following commit:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f15ce4d8
which makes fnmatch() use malloc() when arguments exceed certain length. That
bug report does not explicitly mention integer overflow in malloc ((n + 1) *
sizeof (wchar_t)), which got mentioned in reporter's blog post about the issue:
http://scarybeastsecurity.blogspot.com/2011/02/i-got-accidental-code-execution-via.html
That integer overflow was not addressed in the patch and with certain patterns,
it's possible to trigger out-of-bounds read crash.
The corner case is when n is 1073741823 / 0x3fffffff, (n + 1) * sizeof
(wchar_t) is 0 on IA32, which usually causes malloc() to return non-NULL.
string_end argument passed to internal_fnwmatch is computed as wstring + n,
resulting in internal_fnwmatch being called with string > string_end. As some
checks for end-of-string are done as n == string_end rather than n >=
string_end, oob read may occur.
I was able to trigger the crash on Fedora Rawhide glibc-2.13.90-3.i686 using
the following modified version of the original reproducer:
#include <err.h>
#include <fnmatch.h>
#include <locale.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
int main(int argc, const char* argv[]) {
char *pat, *str;
size_t pat_len = 1000000, str_len = 0x3fffffff;
setlocale(LC_ALL, "en_US.UTF8");
if (argc > 1)
str_len = atol(argv[1]);
if (argc > 2)
pat_len = atol(argv[2]);
pat = malloc(pat_len + 1);
str = malloc(str_len + 1);
if (!pat || !str)
errx(1, "malloc() failed.");
memset(pat, '?', pat_len);
pat[pat_len] = '\0';
memset(str, 'A', str_len);
str[str_len] = '\0';
printf("running fnmatch(\"?\"x%zu, \"A\"x%zu, 0)...\n", pat_len, str_len);
printf("return: %d\n", fnmatch(pat, str, 0));
return 0;
}
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libc/12583] fnmatch: integer overflow in computation of the required memory
2011-03-14 14:43 [Bug libc/12583] New: fnmatch: integer overflow in computation of the required memory thoger at redhat dot com
@ 2011-03-16 15:19 ` thoger at redhat dot com
2011-03-18 9:31 ` drepper.fsp at gmail dot com
2014-06-27 13:44 ` [Bug libc/12583] fnmatch: integer overflow in computation of the required memory (CVE-2011-1659) fweimer at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: thoger at redhat dot com @ 2011-03-16 15:19 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12583
--- Comment #1 from Tomas Hoger <thoger at redhat dot com> 2011-03-16 15:19:29 UTC ---
I believe a check like this should be consistent with how other integer
overflow checks are done in glibc:
--- fnmatch.c.orig
+++ fnmatch.c
@@ -370,7 +370,8 @@
{
prepare_wpattern:
n = mbsrtowcs (NULL, &pattern, 0, &ps);
- if (__builtin_expect (n == (size_t) -1, 0))
+ if (__builtin_expect (n == (size_t) -1
+ || n >= (size_t) -1 / sizeof(wchar_t) - 1, 0))
/* Something wrong.
XXX Do we have to set `errno' to something which mbsrtows hasn't
already done? */
@@ -414,7 +415,8 @@
{
prepare_wstring:
n = mbsrtowcs (NULL, &string, 0, &ps);
- if (__builtin_expect (n == (size_t) -1, 0))
+ if (__builtin_expect (n == (size_t) -1
+ || n >= (size_t) -1 / sizeof(wchar_t) - 1, 0))
/* Something wrong.
XXX Do we have to set `errno' to something which mbsrtows hasn't
already done? */
Or something like this for readability:
--- fnmatch.c.orig
+++ fnmatch.c
@@ -420,8 +420,11 @@
already done? */
goto free_return;
- wstring_malloc = wstring
- = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));
+ if (__builtin_expect (n >= (size_t) -1 / sizeof(wchar_t) - 1, 0))
+ wstring = NULL;
+ else
+ wstring_malloc = wstring
+ = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));
if (wstring == NULL)
{
free (wpattern_malloc);
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libc/12583] fnmatch: integer overflow in computation of the required memory
2011-03-14 14:43 [Bug libc/12583] New: fnmatch: integer overflow in computation of the required memory thoger at redhat dot com
2011-03-16 15:19 ` [Bug libc/12583] " thoger at redhat dot com
@ 2011-03-18 9:31 ` drepper.fsp at gmail dot com
2014-06-27 13:44 ` [Bug libc/12583] fnmatch: integer overflow in computation of the required memory (CVE-2011-1659) fweimer at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: drepper.fsp at gmail dot com @ 2011-03-18 9:31 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12583
Ulrich Drepper <drepper.fsp at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #2 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-03-18 09:31:10 UTC ---
Should be fixed correctly in git.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libc/12583] fnmatch: integer overflow in computation of the required memory (CVE-2011-1659)
2011-03-14 14:43 [Bug libc/12583] New: fnmatch: integer overflow in computation of the required memory thoger at redhat dot com
2011-03-16 15:19 ` [Bug libc/12583] " thoger at redhat dot com
2011-03-18 9:31 ` drepper.fsp at gmail dot com
@ 2014-06-27 13:44 ` fweimer at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2014-06-27 13:44 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=12583
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Summary|fnmatch: integer overflow |fnmatch: integer overflow
|in computation of the |in computation of the
|required memory |required memory
| |(CVE-2011-1659)
Alias| |CVE-2011-1659
Flags| |security+
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-06-27 13:44 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-03-14 14:43 [Bug libc/12583] New: fnmatch: integer overflow in computation of the required memory thoger at redhat dot com
2011-03-16 15:19 ` [Bug libc/12583] " thoger at redhat dot com
2011-03-18 9:31 ` drepper.fsp at gmail dot com
2014-06-27 13:44 ` [Bug libc/12583] fnmatch: integer overflow in computation of the required memory (CVE-2011-1659) fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).