From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 24309 invoked by alias); 24 Jun 2013 17:09:55 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org Received: (qmail 24179 invoked by uid 48); 24 Jun 2013 17:09:46 -0000 From: "jsm28 at gcc dot gnu.org" To: glibc-bugs@sourceware.org Subject: [Bug libc/15670] New: Unchecked alloca in __tzfile_read Date: Mon, 24 Jun 2013 17:09:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: libc X-Bugzilla-Version: 2.17 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: jsm28 at gcc dot gnu.org X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2013-06/txt/msg00188.txt.bz2 http://sourceware.org/bugzilla/show_bug.cgi?id=15670 Bug ID: 15670 Summary: Unchecked alloca in __tzfile_read Product: glibc Version: 2.17 Status: NEW Severity: normal Priority: P2 Component: libc Assignee: unassigned at sourceware dot org Reporter: jsm28 at gcc dot gnu.org CC: drepper.fsp at gmail dot com time/tzfile.c:__tzfile_read uses alloca when computing a path to a timezone file: unsigned int len, tzdir_len; ... tzdir_len = strlen (tzdir); len = strlen (file) + 1; new = (char *) __alloca (tzdir_len + 1 + len); There is no check that this length calculation results in a length suitable for stack allocation, and strlen returns a size_t that could be outside the range of unsigned int; the addition in unsigned int could also overflow. I don't think this is exploitable via the environment on Linux, because the kernel limits the length of environment strings, although one could imagine an application that obtains a timezone name from the user without checking its length and uses that as an arbitrarily long TZ setting. (Even then, exploitability would require that the stack overwrite from memcpy of the long setting doesn't cause a segfault before the function returns.) But of course it's still a bug - such a long TZ string should simply result in a file not being read because the name passed to open is too long, not in a segfault. -- You are receiving this mail because: You are on the CC list for the bug.