[Bug stdio/14286] New: Integer overflow in computing allocation size in vfwprintf %s handling

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug stdio/14286] New: Integer overflow in computing allocation size in vfwprintf %s handling
@ 2012-06-24  3:41 bugdal at aerifal dot cx
  2012-06-24  3:49 ` [Bug stdio/14286] " bugdal at aerifal dot cx
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: bugdal at aerifal dot cx @ 2012-06-24  3:41 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14286

             Bug #: 14286
           Summary: Integer overflow in computing allocation size in
                    vfwprintf %s handling
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
        AssignedTo: unassigned@sourceware.org
        ReportedBy: bugdal@aerifal.cx
    Classification: Unclassified

Lines 1050-1052 of vfprintf.c (used for vfwprintf) contain an integer overflow
computing the allocation size for a wide string buffer:

    if (__libc_use_alloca (len * sizeof (wchar_t)))
      string = (CHAR_T *) alloca (len * sizeof (wchar_t));
    else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t)))

If len (the computed strlen of the input string) is at least 1GB on a 32-bit
machine, the multiplication overflows and results in an allocation too small
for the string. The undersized buffer is later passed as the destination to
__mbsrtowcs.

I originally assumed this would be highly exploitable: unlike with many
under-allocation bugs, you should be able to control how much is written by
including an invalid multibyte sequence in the input where you want copying to
stop, so that the overflow does not run off the end of valid writable memory
and segfault. However, it turns out mbsrtowcs_l.c has the exact same overflow
at line 113:

   data.__outbufend = data.__outbuf + len * sizeof (wchar_t);

thereby causing it to write no more data than vfwprintf allocated space for.

In any case, this overflow still leads to incorrect behavior. I will upload a
test case right away.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug stdio/14286] Integer overflow in computing allocation size in vfwprintf %s handling
  2012-06-24  3:41 [Bug stdio/14286] New: Integer overflow in computing allocation size in vfwprintf %s handling bugdal at aerifal dot cx
@ 2012-06-24  3:49 ` bugdal at aerifal dot cx
  2012-06-24 15:24 ` ppluzhnikov at google dot com
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: bugdal at aerifal dot cx @ 2012-06-24  3:49 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14286

--- Comment #1 from Rich Felker <bugdal at aerifal dot cx> 2012-06-24 03:48:25 UTC ---
Created attachment 6476
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6476
test case

Ideally, this program should print -1 after the first wprintf fails with
EILSEQ, possibly after printing "hello world". Or if it fails due to memory
exhaustion, it should print -1 with errno set to ENOMEM.

Instead (on 32-bit machines) it simply prints "h\n" followed by a 2 (the return
value of the first wprintf).

Apologies that the test program is not the best-tuned to demonstrate the bug. I
designed it from a standpoint of wanting to see if the bug caused exploitable
memory corruption, rather than best demonstrating the non-exploitable problem.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug stdio/14286] Integer overflow in computing allocation size in vfwprintf %s handling
  2012-06-24  3:41 [Bug stdio/14286] New: Integer overflow in computing allocation size in vfwprintf %s handling bugdal at aerifal dot cx
  2012-06-24  3:49 ` [Bug stdio/14286] " bugdal at aerifal dot cx
@ 2012-06-24 15:24 ` ppluzhnikov at google dot com
  2014-01-07 11:06 ` cvs-commit at gcc dot gnu.org
  2014-06-13 10:48 ` fweimer at redhat dot com
  3 siblings, 0 replies; 5+ messages in thread
From: ppluzhnikov at google dot com @ 2012-06-24 15:24 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14286

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot
                   |                            |com

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug stdio/14286] Integer overflow in computing allocation size in vfwprintf %s handling
  2012-06-24  3:41 [Bug stdio/14286] New: Integer overflow in computing allocation size in vfwprintf %s handling bugdal at aerifal dot cx
  2012-06-24  3:49 ` [Bug stdio/14286] " bugdal at aerifal dot cx
  2012-06-24 15:24 ` ppluzhnikov at google dot com
@ 2014-01-07 11:06 ` cvs-commit at gcc dot gnu.org
  2014-06-13 10:48 ` fweimer at redhat dot com
  3 siblings, 0 replies; 5+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2014-01-07 11:06 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14286

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  94c8a4bc574c58f90a41c5a0fd719608741d3bae (commit)
      from  b513cbf751bc891f5f9dce96fba4a5b295f8f840 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=94c8a4bc574c58f90a41c5a0fd719608741d3bae

commit 94c8a4bc574c58f90a41c5a0fd719608741d3bae
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Tue Jan 7 12:02:15 2014 +0100

    Fix integer overflow in vfwprintf. Fixes bug 14286.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog               |    5 +++++
 NEWS                    |   28 ++++++++++++++--------------
 stdio-common/vfprintf.c |    8 +++++++-
 3 files changed, 26 insertions(+), 15 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-20684-listarch-glibc-bugs=sources.redhat.com@sourceware.org Tue Jan 07 11:07:27 2014
Return-Path: <glibc-bugs-return-20684-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 5570 invoked by alias); 7 Jan 2014 11:07:26 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 5534 invoked by uid 48); 7 Jan 2014 11:07:23 -0000
From: "neleai at seznam dot cz" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/14286] Integer overflow in computing allocation size in vfwprintf %s handling
Date: Tue, 07 Jan 2014 11:07:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: stdio
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: neleai at seznam dot cz
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_status cc resolution
Message-ID: <bug-14286-131-YaPrP4N2M8@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-14286-131@http.sourceware.org/bugzilla/>
References: <bug-14286-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-01/txt/msg00085.txt.bz2
Content-length: 571

https://sourceware.org/bugzilla/show_bug.cgi?id\x14286

Ondrej Bilka <neleai at seznam dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |neleai at seznam dot cz
         Resolution|---                         |FIXED

--- Comment #3 from Ondrej Bilka <neleai at seznam dot cz> ---
Fixed

--
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug stdio/14286] Integer overflow in computing allocation size in vfwprintf %s handling
  2012-06-24  3:41 [Bug stdio/14286] New: Integer overflow in computing allocation size in vfwprintf %s handling bugdal at aerifal dot cx
                   ` (2 preceding siblings ...)
  2014-01-07 11:06 ` cvs-commit at gcc dot gnu.org
@ 2014-06-13 10:48 ` fweimer at redhat dot com
  3 siblings, 0 replies; 5+ messages in thread
From: fweimer at redhat dot com @ 2014-06-13 10:48 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14286

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2014-06-13 10:48 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-06-24  3:41 [Bug stdio/14286] New: Integer overflow in computing allocation size in vfwprintf %s handling bugdal at aerifal dot cx
2012-06-24  3:49 ` [Bug stdio/14286] " bugdal at aerifal dot cx
2012-06-24 15:24 ` ppluzhnikov at google dot com
2014-01-07 11:06 ` cvs-commit at gcc dot gnu.org
2014-06-13 10:48 ` fweimer at redhat dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).