From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 29443 invoked by alias); 14 Mar 2011 14:43:35 -0000 Received: (qmail 29433 invoked by uid 22791); 14 Mar 2011 14:43:34 -0000 X-SWARE-Spam-Status: No, hits=-49.4 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,TW_FN,URI_BLOGSPOT X-Spam-Check-By: sourceware.org Received: from localhost (HELO sourceware.org) (127.0.0.1) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Mon, 14 Mar 2011 14:43:30 +0000 From: "thoger at redhat dot com" To: glibc-bugs@sources.redhat.com Subject: [Bug libc/12583] New: fnmatch: integer overflow in computation of the required memory X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: libc X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: thoger at redhat dot com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: drepper.fsp at gmail dot com X-Bugzilla-Target-Milestone: --- X-Bugzilla-Changed-Fields: Message-ID: X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Date: Mon, 14 Mar 2011 14:43:00 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org X-SW-Source: 2011-03/txt/msg00059.txt.bz2 http://sourceware.org/bugzilla/show_bug.cgi?id=12583 Summary: fnmatch: integer overflow in computation of the required memory Product: glibc Version: 2.13 Status: NEW Severity: normal Priority: P2 Component: libc AssignedTo: drepper.fsp@gmail.com ReportedBy: thoger@redhat.com Bug #11883 describes a problem of an unbound alloca() use in fnmatch(), leading to crash when unexpectedly long string is passed to fnmatch() as either pattern or string. The issue seems to have been addressed in the following commit: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f15ce4d8 which makes fnmatch() use malloc() when arguments exceed certain length. That bug report does not explicitly mention integer overflow in malloc ((n + 1) * sizeof (wchar_t)), which got mentioned in reporter's blog post about the issue: http://scarybeastsecurity.blogspot.com/2011/02/i-got-accidental-code-execution-via.html That integer overflow was not addressed in the patch and with certain patterns, it's possible to trigger out-of-bounds read crash. The corner case is when n is 1073741823 / 0x3fffffff, (n + 1) * sizeof (wchar_t) is 0 on IA32, which usually causes malloc() to return non-NULL. string_end argument passed to internal_fnwmatch is computed as wstring + n, resulting in internal_fnwmatch being called with string > string_end. As some checks for end-of-string are done as n == string_end rather than n >= string_end, oob read may occur. I was able to trigger the crash on Fedora Rawhide glibc-2.13.90-3.i686 using the following modified version of the original reproducer: #include #include #include #include #include #include int main(int argc, const char* argv[]) { char *pat, *str; size_t pat_len = 1000000, str_len = 0x3fffffff; setlocale(LC_ALL, "en_US.UTF8"); if (argc > 1) str_len = atol(argv[1]); if (argc > 2) pat_len = atol(argv[2]); pat = malloc(pat_len + 1); str = malloc(str_len + 1); if (!pat || !str) errx(1, "malloc() failed."); memset(pat, '?', pat_len); pat[pat_len] = '\0'; memset(str, 'A', str_len); str[str_len] = '\0'; printf("running fnmatch(\"?\"x%zu, \"A\"x%zu, 0)...\n", pat_len, str_len); printf("return: %d\n", fnmatch(pat, str, 0)); return 0; } -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.