[Bug libc/12583] New: fnmatch: integer overflow in computation of the required memory

["thoger at redhat dot com" <sourceware-bugzilla@sourceware.org>]

http://sourceware.org/bugzilla/show_bug.cgi?id=12583

           Summary: fnmatch: integer overflow in computation of the
                    required memory
           Product: glibc
           Version: 2.13
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: thoger@redhat.com


Bug #11883 describes a problem of an unbound alloca() use in fnmatch(), leading
to crash when unexpectedly long string is passed to fnmatch() as either pattern
or string.  The issue seems to have been addressed in the following commit:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f15ce4d8

which makes fnmatch() use malloc() when arguments exceed certain length.  That
bug report does not explicitly mention integer overflow in malloc ((n + 1) *
sizeof (wchar_t)), which got mentioned in reporter's blog post about the issue:

http://scarybeastsecurity.blogspot.com/2011/02/i-got-accidental-code-execution-via.html

That integer overflow was not addressed in the patch and with certain patterns,
it's possible to trigger out-of-bounds read crash.

The corner case is when n is 1073741823 / 0x3fffffff, (n + 1) * sizeof
(wchar_t) is 0 on IA32, which usually causes malloc() to return non-NULL. 
string_end argument passed to internal_fnwmatch is computed as wstring + n,
resulting in internal_fnwmatch being called with string > string_end.  As some
checks for end-of-string are done as n == string_end rather than n >=
string_end, oob read may occur.

I was able to trigger the crash on Fedora Rawhide glibc-2.13.90-3.i686 using
the following modified version of the original reproducer:

#include <err.h>
#include <fnmatch.h>
#include <locale.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

int main(int argc, const char* argv[]) {
  char *pat, *str;
  size_t pat_len = 1000000, str_len = 0x3fffffff;

  setlocale(LC_ALL, "en_US.UTF8");

  if (argc > 1)
    str_len = atol(argv[1]);
  if (argc > 2)
    pat_len = atol(argv[2]);

  pat = malloc(pat_len + 1);
  str = malloc(str_len + 1);
  if (!pat || !str)
    errx(1, "malloc() failed.");

  memset(pat, '?', pat_len);
  pat[pat_len] = '\0';
  memset(str, 'A', str_len);
  str[str_len] = '\0';

  printf("running fnmatch(\"?\"x%zu, \"A\"x%zu, 0)...\n", pat_len, str_len);
  printf("return: %d\n", fnmatch(pat, str, 0));
  return 0;
}

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.