public inbox for glibc-bugs@sourceware.org
* [Bug libc/14621] New: glob uses int rather than size_t for variables counting objects in memory
@ 2012-09-25 15:44 jsm28 at gcc dot gnu.org
  2012-09-25 19:46 ` [Bug libc/14621] " jsm28 at gcc dot gnu.org
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-09-25 15:44 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=14621

             Bug #: 14621
           Summary: glob uses int rather than size_t for variables
                    counting objects in memory
           Product: glibc
           Version: 2.16
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: unassigned@sourceware.org
        ReportedBy: jsm28@gcc.gnu.org
                CC: drepper.fsp@gmail.com
    Classification: Unclassified


glob uses int rather than size_t for variables called old_pathc and newcount,
which are assigned values from fields whose type is size_t (or arithmetic on
such size_t values).

I haven't attempted to construct a test showing incorrect behavior from glob
resulting from these size_t values overflowing the range of int, but I suspect
that it would be possible to produce exploitable memory corruption, given a
64-bit system with several tens of GB of memory and a privileged process using
glob with an untrusted pattern and filesystem contents.

The variable depth in next_brace_sub is unsigned int and similarly should be
size_t, though that looks less likely to be exploitable.

Testing a patch.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
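Added example illustrating the report above; it is not glibc's glob code and not taken from the fix. The struct `pathvec` and both function names are hypothetical; `gl_pathc` and `gl_offs` stand in for the size_t fields the report mentions. It goes one step beyond the report by also rejecting size_t wraparound in the hardened form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

_Static_assert(sizeof(size_t) > sizeof(int), "demo assumes a 64-bit size_t");

/* Constructed stand-in for glob_t's size_t fields; not glibc's struct. */
struct pathvec { size_t gl_pathc; size_t gl_offs; };

/* Pattern from the report: a size_t sum stored in an int named newcount.
   Returns the byte size a (newcount + 1)-pointer vector would be given. */
size_t bytes_with_int(const struct pathvec *pv, size_t extra)
{
    /* Out-of-range conversion is implementation-defined; GCC and Clang
       keep the low 32 bits. */
    int newcount = (int) (pv->gl_pathc + pv->gl_offs + extra);
    return ((size_t) newcount + 1) * sizeof(char *);
}

/* Same computation kept in size_t, rejecting wraparound at each step.
   Returns 0 and stores the size in *out, or -1 if it cannot be represented. */
int bytes_with_size_t(const struct pathvec *pv, size_t extra, size_t *out)
{
    size_t newcount = pv->gl_pathc;
    if (pv->gl_offs > SIZE_MAX - newcount) return -1;
    newcount += pv->gl_offs;
    if (extra > SIZE_MAX - newcount) return -1;
    newcount += extra;
    if (newcount >= SIZE_MAX / sizeof(char *)) return -1;
    *out = (newcount + 1) * sizeof(char *);
    return 0;
}

int main(void)
{
    /* Constructed count just past 2^32: more entries than an int can hold. */
    struct pathvec pv = { ((size_t) 1 << 32) + 5, 0 };
    size_t need = 0;
    int rc = bytes_with_size_t(&pv, 0, &need);
    printf("int newcount:    %zu bytes\n", bytes_with_int(&pv, 0));
    printf("size_t newcount: rc=%d, %zu bytes\n", rc, need);
    return 0;
}
```

With the int variable the vector is sized for 6 pointers while the structure still records more than 2^32 entries, which is the mismatch the report is concerned about.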



* [Bug libc/14621] glob uses int rather than size_t for variables counting objects in memory
  2012-09-25 15:44 [Bug libc/14621] New: glob uses int rather than size_t for variables counting objects in memory jsm28 at gcc dot gnu.org
@ 2012-09-25 19:46 ` jsm28 at gcc dot gnu.org
  2012-09-27 18:07 ` jsm28 at gcc dot gnu.org
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-09-25 19:46 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=14621

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-09-25 19:46:25 UTC ---
Fixed for 2.17 by:

commit b87c4b24d97321ef2f2da357f8fcf11f1f61e3dc
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Sep 25 19:38:15 2012 +0000

    Use size_t instead of int for internal variables in glob (bug 14621).


* [Bug libc/14621] glob uses int rather than size_t for variables counting objects in memory
  2012-09-25 15:44 [Bug libc/14621] New: glob uses int rather than size_t for variables counting objects in memory jsm28 at gcc dot gnu.org
  2012-09-25 19:46 ` [Bug libc/14621] " jsm28 at gcc dot gnu.org
@ 2012-09-27 18:07 ` jsm28 at gcc dot gnu.org
  2012-09-27 21:43 ` jsm28 at gcc dot gnu.org
  2014-06-17  4:20 ` fweimer at redhat dot com
  3 siblings, 0 replies; 5+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-09-27 18:07 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=14621

--- Comment #2 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-09-27 18:07:09 UTC ---
Fixed for 2.16.1 by:

commit 6c62f10874ddbab671255ce85ec85233c67f8bfc
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Sep 25 19:38:15 2012 +0000

    Use size_t instead of int for internal variables in glob (bug 14621).
    (cherry picked from commit b87c4b24d97321ef2f2da357f8fcf11f1f61e3dc)


* [Bug libc/14621] glob uses int rather than size_t for variables counting objects in memory
  2012-09-25 15:44 [Bug libc/14621] New: glob uses int rather than size_t for variables counting objects in memory jsm28 at gcc dot gnu.org
  2012-09-25 19:46 ` [Bug libc/14621] " jsm28 at gcc dot gnu.org
  2012-09-27 18:07 ` jsm28 at gcc dot gnu.org
@ 2012-09-27 21:43 ` jsm28 at gcc dot gnu.org
  2014-06-17  4:20 ` fweimer at redhat dot com
  3 siblings, 0 replies; 5+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-09-27 21:43 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=14621

--- Comment #3 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-09-27 21:43:11 UTC ---
Fixed for 2.15.1 by:

commit 6d3997c51bad9d5d64135a7b4a92201ea158cf60
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Sep 25 19:38:15 2012 +0000

    Use size_t instead of int for internal variables in glob (bug 14621).
    (cherry picked from commit b87c4b24d97321ef2f2da357f8fcf11f1f61e3dc)


* [Bug libc/14621] glob uses int rather than size_t for variables counting objects in memory
  2012-09-25 15:44 [Bug libc/14621] New: glob uses int rather than size_t for variables counting objects in memory jsm28 at gcc dot gnu.org
                   ` (2 preceding siblings ...)
  2012-09-27 21:43 ` jsm28 at gcc dot gnu.org
@ 2014-06-17  4:20 ` fweimer at redhat dot com
  3 siblings, 0 replies; 5+ messages in thread
From: fweimer at redhat dot com @ 2014-06-17  4:20 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14621

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+

