[Bug libc/15670] New: Unchecked alloca in __tzfile_read

[Bug libc/15670] New: Unchecked alloca in __tzfile_read

[jsm28 at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15670

            Bug ID: 15670
           Summary: Unchecked alloca in __tzfile_read
           Product: glibc
           Version: 2.17
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org
                CC: drepper.fsp at gmail dot com

time/tzfile.c:__tzfile_read uses alloca when computing a path to a timezone
file:

      unsigned int len, tzdir_len;
 ...
        tzdir_len = strlen (tzdir);
      len = strlen (file) + 1;
      new = (char *) __alloca (tzdir_len + 1 + len);

There is no check that this length calculation results in a length suitable for
stack allocation, and strlen returns a size_t that could be outside the range
of unsigned int; the addition in unsigned int could also overflow.

I don't think this is exploitable via the environment on Linux, because the
kernel limits the length of environment strings, although one could imagine an
application that obtains a timezone name from the user without checking its
length and uses that as an arbitrarily long TZ setting.  (Even then,
exploitability would require that the stack overwrite from memcpy of the long
setting doesn't cause a segfault before the function returns.)  But of course
it's still a bug - such a long TZ string should simply result in a file not
being read because the name passed to open is too long, not in a segfault.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/15670] Unchecked alloca in __tzfile_read

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15670

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
       via  45c30c61c9001867c1891f5862764f084e53f348 (commit)
      from  3d7dc513b782407bd397b13771a631d9080d3aac (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=45c30c61c9001867c1891f5862764f084e53f348

commit 45c30c61c9001867c1891f5862764f084e53f348
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Oct 20 08:25:25 2013 +0200

    Replace alloca in __tzfile_read by malloc. Fixes bug 15670

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     |    5 +++++
 NEWS          |   10 +++++-----
 time/tzfile.c |   26 ++++++++------------------
 3 files changed, 18 insertions(+), 23 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-19878-listarch-glibc-bugs=sources.redhat.com@sourceware.org Sun Oct 20 06:35:40 2013
Return-Path: <glibc-bugs-return-19878-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 7795 invoked by alias); 20 Oct 2013 06:35:39 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 7747 invoked by uid 48); 20 Oct 2013 06:35:34 -0000
From: "neleai at seznam dot cz" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/15670] Unchecked alloca in __tzfile_read
Date: Sun, 20 Oct 2013 06:35:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.17
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: neleai at seznam dot cz
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_status cc resolution
Message-ID: <bug-15670-131-k27n5hClDH@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-15670-131@http.sourceware.org/bugzilla/>
References: <bug-15670-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2013-10/txt/msg00237.txt.bz2
Content-length: 572

https://sourceware.org/bugzilla/show_bug.cgi?id\x15670

Ondrej Bilka <neleai at seznam dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |neleai at seznam dot cz
         Resolution|---                         |FIXED

--- Comment #2 from Ondrej Bilka <neleai at seznam dot cz> ---
Fixed.

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/15670] Unchecked alloca in __tzfile_read

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15670

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+

-- 
You are receiving this mail because:
You are on the CC list for the bug.