public inbox for glibc-bugs@sourceware.org
* [Bug libc/12852] New: glob(3) contains possibly wrapping arguments to malloc
@ 2011-06-07 12:07 matz at suse dot de
2011-07-21 2:56 ` [Bug libc/12852] " drepper.fsp at gmail dot com
2014-06-13 10:57 ` fweimer at redhat dot com
0 siblings, 2 replies; 3+ messages in thread
From: matz at suse dot de @ 2011-06-07 12:07 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12852
Summary: glob(3) contains possibly wrapping arguments to malloc
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper.fsp@gmail.com
ReportedBy: matz@suse.de
This problem is related to:
http://securityreason.com/achievement_securityalert/89
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.avaya.com/css/P8/documents/100127892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0418
and is mildly security relevant. The glob implementation (I checked git head)
contains some calls to malloc where the argument is calculated in a way that
integer overflow or wraparound might occur, in effect allocating less memory
than intended, and hence writing to unallocated or unrelated memory. In
particular I believe these calls to be problematic:
    pglob->gl_pathv = (char **) malloc ((pglob->gl_offs + 1)
                                        * sizeof (char *));
(gl_offs is size_t; the multiplication by 4/8 can introduce a wraparound,
leading the malloc to succeed but with less memory allocated than
intended. This could be replaced with calloc as the resulting memory is
cleared anyway)
    new_gl_pathv
      = (char **) realloc (pglob->gl_pathv,
                           (newcount + 1 + 1) * sizeof (char *));
(same problem as above, but even worse as newcount is declared as int,
so on overflow anything might happen)
    new_gl_pathv = (char **) realloc (pglob->gl_pathv,
                                      (newcount + 2)
                                      * sizeof (char *));
(same as above)
With properly constructed patterns using repeated application of braces
such wraparounds can easily be reproduced.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
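As an added illustration of the arithmetic the report points at (this is not code from the report or from glibc; the function names are my own), the unchecked size computation next to a checked version that refuses to allocate when the element count would wrap, for both the size_t gl_offs case and the int newcount case:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form of the size expression quoted in the report:
 * (gl_offs + 1) * sizeof (char *) is evaluated in size_t and silently
 * wraps for a huge gl_offs, so malloc gets a tiny byte count. */
size_t pathv_bytes_unchecked(size_t gl_offs)
{
    return (gl_offs + 1) * sizeof(char *);
}

/* Checked form: return 0 (and leave *out alone) unless both the
 * addition and the multiplication fit in size_t. */
int pathv_bytes_checked(size_t gl_offs, size_t *out)
{
    if (gl_offs == SIZE_MAX)                       /* gl_offs + 1 would wrap */
        return 0;
    if (gl_offs + 1 > SIZE_MAX / sizeof(char *))   /* product would wrap */
        return 0;
    *out = (gl_offs + 1) * sizeof(char *);
    return 1;
}

/* The realloc callers compute (newcount + 2) * sizeof (char *) with an int
 * newcount. Near INT_MAX the addition itself is signed overflow (undefined
 * behaviour), so the range check must precede it; then widen and check. */
int realloc_bytes_checked(int newcount, size_t *out)
{
    if (newcount < 0 || newcount > INT_MAX - 2)
        return 0;
    size_t entries = (size_t)newcount + 2;
    if (entries > SIZE_MAX / sizeof(char *))
        return 0;
    *out = entries * sizeof(char *);
    return 1;
}

int main(void)
{
    /* Constructed value: one past the largest gl_offs whose product fits. */
    size_t huge = SIZE_MAX / sizeof(char *) + 1;
    size_t n;
    printf("unchecked: malloc would get %zu bytes\n", pathv_bytes_unchecked(huge));
    printf("checked:   accepted=%d\n", pathv_bytes_checked(huge, &n));
    printf("realloc:   accepted=%d for newcount=INT_MAX\n", realloc_bytes_checked(INT_MAX, &n));
    return 0;
}
```

With the constructed gl_offs the unchecked expression wraps to exactly sizeof (char *) bytes, which is the "malloc succeeds with less memory than intended" case the report describes.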
* [Bug libc/12852] glob(3) contains possibly wrapping arguments to malloc
From: drepper.fsp at gmail dot com @ 2011-07-21 2:56 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12852
Ulrich Drepper <drepper.fsp at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-07-21 02:56:00 UTC ---
I added a patch but this has nothing to do with security problems from remote
uses. Only the caller can pass in incorrect values and this feature is hardly
ever used in the first place. It's really only a protection against
programming mistakes.
* [Bug libc/12852] glob(3) contains possibly wrapping arguments to malloc
From: fweimer at redhat dot com @ 2014-06-13 10:57 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=12852
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security+