public inbox for glibc-bugs@sourceware.org
* [Bug libc/13506] New: tzfile.c heap overrun/corruption
From: eggert at gnu dot org @ 2011-12-15 20:45 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

             Bug #: 13506
           Summary: tzfile.c heap overrun/corruption
           Product: glibc
           Version: 2.14
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: eggert@gnu.org
    Classification: Unclassified


Created attachment 6113
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6113
Jeff Law work-in-progress patch

In <http://cygwin.com/ml/libc-alpha/2011-12/msg00037.html>
Jeff Law writes:

As y'all may be aware, there's an integer overflow which can be used
to trigger a heap overrun/corruption in time/tzfile.c

http://dividead.wordpress.com/2009/06/01/glibc-timezone-integer-overflow/

http://rcvalle.com/post/14169476482/exploiting-glibc-tzfile-read-integer-overflow-to
I'm not terribly familiar with the code in question, but ISTM we have
to verify the intermediate computations to determine the amount of
memory to malloc don't overflow/wrap.

Here's a WIP.  It catches the cases I've been made aware of
(overflowing total_size to 0 by creating a tzfile with a very large
tzh_charcnt).  But there may be further overflows I've missed.

Obviously it's not commented and it's unclear to me if we also want to
put in some kind of sanity checks on total_size to prevent it from
trying to malloc unreasonable amounts of memory.

Your feedback would be greatly appreciated.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

* [Bug libc/13506] tzfile.c heap overrun/corruption
From: eggert at gnu dot org @ 2011-12-15 21:01 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

Paul Eggert <eggert at gnu dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #6113|0                           |1
        is obsolete|                            |

--- Comment #1 from Paul Eggert <eggert at gnu dot org> 2011-12-15 21:00:49 UTC ---
Created attachment 6114
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6114
catch multiplication as well as addition overflows

Jeff Law's work-in-progress patch misses some problematic overflows.  This is
because the integer multiplications may overflow too.  Attached is an
untested patch that catches the problematic overflows that I found
by inspection.  This patch does not attempt to catch all overflows, only
those that might corrupt memory.


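The fix that Jeff Law's patch and Paul Eggert's follow-up converge on, overflow-checked size arithmetic, as an added example that is not the glibc patch or any code from the thread: it models the tzfile header counts with a 32-bit size_t (an assumption of the example, so the wrap reproduces on any host), computes the allocation size the unchecked way and then with GCC/Clang's overflow builtins, and rejects the header from the report, a tzh_charcnt chosen so total_size wraps to 0. The record sizes and the count names other than tzh_charcnt are the example's assumptions, not values taken from tzfile.c.

```c
#include <stdbool.h>
#include <stdint.h>

typedef uint32_t alloc_size_t;  /* models a 32-bit size_t, an assumption of this example */

/* Header counts, each a 32-bit integer read from the file (constructed model;
   names follow the tzh_* counts the report refers to). */
struct tz_counts {
    uint32_t tzh_timecnt, tzh_typecnt, tzh_charcnt,
             tzh_leapcnt, tzh_ttisstdcnt, tzh_ttisgmtcnt;
};

#define TIME_SIZE   4   /* bytes per version-1 transition or leap-second time */
#define TTINFO_SIZE 6   /* bytes per local time type record */

/* Unchecked total in the style the report describes: a huge tzh_charcnt wraps
   the sum, so the later malloc is far smaller than the data copied into it. */
static alloc_size_t naive_total(const struct tz_counts *c)
{
    alloc_size_t total = (alloc_size_t)c->tzh_timecnt * TIME_SIZE;  /* transition times */
    total += c->tzh_timecnt;                                        /* type indices */
    total += (alloc_size_t)c->tzh_typecnt * TTINFO_SIZE;            /* ttinfo records */
    total += c->tzh_charcnt;                                        /* abbreviation chars */
    total += (alloc_size_t)c->tzh_leapcnt * (TIME_SIZE + 4);        /* leap-second pairs */
    total += c->tzh_ttisstdcnt + c->tzh_ttisgmtcnt;                 /* two flag arrays */
    return total;
}

/* total += count * per, failing if either the product or the sum wraps. */
static bool add_product(alloc_size_t *total, alloc_size_t count, alloc_size_t per)
{
    alloc_size_t term;
    return !__builtin_mul_overflow(count, per, &term)
        && !__builtin_add_overflow(*total, term, total);
}

/* Checked total: every multiplication and addition is tested (the point of the
   two patches in the thread); returns -1 as soon as any term wraps. */
static int64_t checked_total(const struct tz_counts *c)
{
    alloc_size_t t = 0;
    bool ok = add_product(&t, c->tzh_timecnt, TIME_SIZE)
           && add_product(&t, c->tzh_timecnt, 1)
           && add_product(&t, c->tzh_typecnt, TTINFO_SIZE)
           && add_product(&t, c->tzh_charcnt, 1)
           && add_product(&t, c->tzh_leapcnt, TIME_SIZE + 4)
           && add_product(&t, c->tzh_ttisstdcnt, 1)
           && add_product(&t, c->tzh_ttisgmtcnt, 1);
    return ok ? (int64_t)t : -1;
}

/* Constructed headers: a sane one, and one whose tzh_charcnt makes the unchecked
   sum land exactly on 0 (the case Jeff Law's message mentions). */
static const struct tz_counts sample_ok  = { 2, 1, 4, 0, 0, 0 };
static const struct tz_counts sample_bad = { 1, 1, 0xFFFFFFF5u, 0, 0, 0 };
```

A malloc of the naive result for sample_bad would be a zero-byte allocation followed by a copy of about 4 GiB of zone-name data; the checked version never reaches the allocation.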

* [Bug libc/13506] tzfile.c heap overrun/corruption
From: law at redhat dot com @ 2011-12-15 21:45 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

law at redhat dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |law at redhat dot com


* [Bug libc/13506] tzfile.c heap overrun/corruption
From: vapier at gentoo dot org @ 2011-12-15 23:06 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |toolchain at gentoo dot org


* [Bug libc/13506] tzfile.c heap overrun/corruption
From: rguenth at gcc dot gnu.org @ 2011-12-16  8:38 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

Richard Guenther <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rguenth at gcc dot gnu.org


* [Bug libc/13506] tzfile.c heap overrun/corruption
From: allan at archlinux dot org @ 2011-12-16 10:48 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

Allan McRae <allan at archlinux dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |allan at archlinux dot org


* [Bug libc/13506] tzfile.c heap overrun/corruption
From: mpolacek at redhat dot com @ 2011-12-16 10:54 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

Marek Polacek <mpolacek at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mpolacek at redhat dot com


* [Bug libc/13506] tzfile.c heap overrun/corruption
From: drepper.fsp at gmail dot com @ 2011-12-18  1:19 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-12-18 01:19:35 UTC ---
I added a patch.


* [Bug libc/13506] tzfile.c heap overrun/corruption
From: vapier at gentoo dot org @ 2011-12-19  5:36 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vapier at gentoo dot org

--- Comment #3 from Mike Frysinger <vapier at gentoo dot org> 2011-12-19 05:35:35 UTC ---
http://sourceware.org/git/?p=glibc.git;a=commit;h=97ac2654b2d831acaa18a2b018b0736245903fd2


* [Bug libc/13506] tzfile.c heap overrun/corruption
From: allan at archlinux dot org @ 2011-12-19  5:52 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

--- Comment #4 from Allan McRae <allan at archlinux dot org> 2011-12-19 05:50:57 UTC ---
Note that there is a typo in that patch. The "tzspec == 0"  should be
"tzspec_len == 0".  I sent the trivial patch to the mailing list (awaiting
moderation).


* [Bug libc/13506] tzfile.c heap overrun/corruption
From: law at redhat dot com @ 2011-12-19  7:59 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

--- Comment #5 from law at redhat dot com 2011-12-19 07:57:44 UTC ---
Also looks like s390 won't build because SIZE_MAX is not defined.  Guessing
stdint.h needs to be included in tzfile.c


* [Bug libc/13506] tzfile.c heap overrun/corruption
From: drepper.fsp at gmail dot com @ 2011-12-21 23:58 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

--- Comment #6 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-12-21 23:58:14 UTC ---
(In reply to comment #5)
> Also looks like s390 won't build because SIZE_MAX is not defined.  Guessing
> stdint.h needs to be included in tzfile.c

The correct change is to make the s390 header look like the x86-64 headers.


* [Bug libc/13506] tzfile.c heap overrun/corruption (CVE-2009-5029)
From: fweimer at redhat dot com @ 2014-06-27 11:30 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=13506

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
            Summary|tzfile.c heap               |tzfile.c heap
                   |overrun/corruption          |overrun/corruption
                   |                            |(CVE-2009-5029)
              Alias|                            |CVE-2009-5029
              Flags|                            |security+
