[Bug libc/13656] New: vfprintf nargs integer overflow

[Bug libc/13656] New: vfprintf nargs integer overflow

[kees at outflux dot net]

http://sourceware.org/bugzilla/show_bug.cgi?id=13656

             Bug #: 13656
           Summary: vfprintf nargs integer overflow
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: kees@outflux.net
    Classification: Unclassified


The nargs value can overflow when doing allocations, and argument-based offsets
are not bounds-checked, allowing arbitrary memory writes via format strings,
bypassing _FORTIFY_SOURCE protections:

http://www.phrack.org/issues.html?issue=67&id=9

Patch in progress:
http://cygwin.com/ml/libc-alpha/2012-02/msg00016.html

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13656] vfprintf nargs integer overflow

[thoger at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13656

Tomas Hoger <thoger at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thoger at redhat dot com

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug stdio/13656] vfprintf nargs integer overflow

[jsm28 at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=13656

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |stdio

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug stdio/13656] vfprintf nargs integer overflow

[aj at suse dot de]

http://sourceware.org/bugzilla/show_bug.cgi?id=13656

Andreas Jaeger <aj at suse dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |glibc_2.14, glibc_2.15
         AssignedTo|drepper.fsp at gmail dot    |carlos at systemhalted dot
                   |com                         |org

--- Comment #1 from Andreas Jaeger <aj at suse dot de> 2012-03-05 09:38:00 UTC ---
Fixed in git head, this should be backported to all active branches.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug stdio/13656] vfprintf nargs integer overflow

[thoger at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13656

--- Comment #2 from Tomas Hoger <thoger at redhat dot com> 2012-03-05 09:56:50 UTC ---
FYI, a comment form Laszlo Ersek in Red Hat BZ:

https://bugzilla.redhat.com/show_bug.cgi?id=794766#c8


The easiest fix would have been to restrict "nargs" to NL_ARGMAX.

http://www.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html#tag_13_23_03_07

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug stdio/13656] vfprintf nargs integer overflow

[aj at suse dot de]

http://sourceware.org/bugzilla/show_bug.cgi?id=13656

Andreas Jaeger <aj at suse dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aj at suse dot de

--- Comment #3 from Andreas Jaeger <aj at suse dot de> 2012-03-05 10:09:26 UTC ---
Tomas, could you or Laszlo bring this up on libc-alpha, please?

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug stdio/13656] vfprintf nargs integer overflow

[thoger at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13656

--- Comment #4 from Tomas Hoger <thoger at redhat dot com> 2012-03-06 14:42:32 UTC ---
(In reply to comment #3)
> Tomas, could you or Laszlo bring this up on libc-alpha, please?

This was posted in:
  http://sourceware.org/ml/libc-alpha/2012-03/msg00101.html

Replies indicate it is preferred to limit nargs by available memory rather than
using an arbitrary limit, i.e. what Kees' patch was doing already.

Related commit links for posterity:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fa0355175d60ccf610c98f2345504603d3b8ea57

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug stdio/13656] vfprintf nargs integer overflow

[eggert at gnu dot org]

http://sourceware.org/bugzilla/show_bug.cgi?id=13656

Paul Eggert <eggert at gnu dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |eggert at gnu dot org
         Resolution|                            |FIXED

--- Comment #5 from Paul Eggert <eggert at gnu dot org> 2012-03-09 08:36:47 UTC ---
Fix committed:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e

so I am marking this bug as fixed.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug stdio/13656] vfprintf nargs integer overflow

[jackie.rosen at hushmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13656

Jackie Rosen <jackie.rosen at hushmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jackie.rosen at hushmail dot com

--- Comment #6 from Jackie Rosen <jackie.rosen at hushmail dot com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/13656] vfprintf nargs integer overflow

[schwab at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=13656

Andreas Schwab <schwab at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|jackie.rosen at hushmail dot com   |

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/13656] vfprintf nargs integer overflow (CVE-2012-0864)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13656

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
            Summary|vfprintf nargs integer      |vfprintf nargs integer
                   |overflow                    |overflow (CVE-2012-0864)
              Alias|                            |CVE-2012-0864
              Flags|                            |security+

-- 
You are receiving this mail because:
You are on the CC list for the bug.