public inbox for glibc-bugs@sourceware.org
* [Bug libc/14621] New: glob uses int rather than size_t for variables counting objects in memory
From: jsm28 at gcc dot gnu.org @ 2012-09-25 15:44 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14621

Bug #: 14621
Summary: glob uses int rather than size_t for variables counting objects in memory
Product: glibc
Version: 2.16
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: unassigned@sourceware.org
ReportedBy: jsm28@gcc.gnu.org
CC: drepper.fsp@gmail.com
Classification: Unclassified

glob uses int rather than size_t for variables called old_pathc and newcount, which are assigned values from fields whose type is size_t (or arithmetic on such size_t values).

I haven't attempted to construct a test showing incorrect behavior from glob resulting from these size_t values overflowing the range of int, but I suspect that it would be possible to produce exploitable memory corruption, given a 64-bit system with several tens of GB of memory and a privileged process using glob with an untrusted pattern and filesystem contents.

The variable depth in next_brace_sub is unsigned int and similarly should be size_t, though that looks less likely to be exploitable.

Testing a patch.

--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
You are receiving this mail because: You are on the CC list for the bug.
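The narrowing described in the report above, as an added C example that is not part of the thread and is not glibc's code. The `struct pathvec` type and both helper names are hypothetical, the two extra slots per allocation are an assumption, and an LP64 target (64-bit size_t, 32-bit int) is assumed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: LP64 target (64-bit size_t, 32-bit int). */
_Static_assert(sizeof(size_t) == 8 && sizeof(int) == 4, "example assumes LP64");

/* Hypothetical stand-in for a glob_t-like result vector; not glibc's struct. */
struct pathvec {
    size_t pathc;  /* entries already stored */
    size_t offs;   /* reserved leading slots */
};

/* Narrowed form: the size_t sum is stored in an int before it sizes the
   vector. Out-of-range conversion to int is implementation-defined; GCC and
   Clang reduce it modulo 2^32. Returns the byte count that would be requested
   for the entries plus two extra slots (assumed: new entry and terminator). */
static size_t bytes_via_int(const struct pathvec *v)
{
    int newcount = (int)(v->pathc + v->offs);
    return ((size_t)newcount + 2) * sizeof(char *);
}

/* size_t form with explicit checks: refuses instead of returning a wrapped
   size. */
static bool bytes_via_size_t(const struct pathvec *v, size_t *out)
{
    if (v->pathc > SIZE_MAX - v->offs)
        return false;                       /* pathc + offs would wrap */
    size_t n = v->pathc + v->offs;
    if (n > SIZE_MAX / sizeof(char *) - 2)
        return false;                       /* (n + 2) * 8 would wrap */
    *out = (n + 2) * sizeof(char *);
    return true;
}

int main(void)
{
    /* Constructed input: 2^32 + 5 entries, i.e. over 32 GiB of pointers. */
    struct pathvec big = { ((size_t)1 << 32) + 5, 0 };
    size_t wide = 0;
    bool ok = bytes_via_size_t(&big, &wide);
    printf("int form:    %zu bytes\n", bytes_via_int(&big));
    printf("size_t form: %zu bytes (ok=%d)\n", wide, ok);
    return 0;
}
```

With the constructed count, the int form asks for space for 7 pointers while the size_t form asks for space for 2^32 + 7, which is the kind of mismatch between recorded count and allocated size that the report is concerned about.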
* [Bug libc/14621] glob uses int rather than size_t for variables counting objects in memory
From: jsm28 at gcc dot gnu.org @ 2012-09-25 19:46 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14621

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |        |FIXED

--- Comment #1 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-09-25 19:46:25 UTC ---
Fixed for 2.17 by:

commit b87c4b24d97321ef2f2da357f8fcf11f1f61e3dc
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Sep 25 19:38:15 2012 +0000

Use size_t instead of int for internal variables in glob (bug 14621).
* [Bug libc/14621] glob uses int rather than size_t for variables counting objects in memory
From: jsm28 at gcc dot gnu.org @ 2012-09-27 18:07 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14621

--- Comment #2 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-09-27 18:07:09 UTC ---
Fixed for 2.16.1 by:

commit 6c62f10874ddbab671255ce85ec85233c67f8bfc
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Sep 25 19:38:15 2012 +0000

Use size_t instead of int for internal variables in glob (bug 14621).
(cherry picked from commit b87c4b24d97321ef2f2da357f8fcf11f1f61e3dc)
* [Bug libc/14621] glob uses int rather than size_t for variables counting objects in memory
From: jsm28 at gcc dot gnu.org @ 2012-09-27 21:43 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14621

--- Comment #3 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-09-27 21:43:11 UTC ---
Fixed for 2.15.1 by:

commit 6d3997c51bad9d5d64135a7b4a92201ea158cf60
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Sep 25 19:38:15 2012 +0000

Use size_t instead of int for internal variables in glob (bug 14621).
(cherry picked from commit b87c4b24d97321ef2f2da357f8fcf11f1f61e3dc)
* [Bug libc/14621] glob uses int rather than size_t for variables counting objects in memory
From: fweimer at redhat dot com @ 2014-06-17 4:20 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14621

Florian Weimer <fweimer at redhat dot com> changed:

What  |Removed |Added
----------------------------------------------------------------------------
CC    |        |fweimer at redhat dot com
Flags |        |security+