[Bug network/15698] New: Memory overrun in getifaddrs_internal

[Bug network/15698] New: Memory overrun in getifaddrs_internal

[hjl.tools at gmail dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15698

            Bug ID: 15698
           Summary: Memory overrun in getifaddrs_internal
           Product: glibc
           Version: 2.18
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: hjl.tools at gmail dot com

When the netmask length is the same as address size, getifaddrs_internal
has memory overrun in

                 if (cp != NULL)
                    {
                      char c;
                      unsigned int preflen;

                      if ((max_prefixlen > 0) &&
                          (ifam->ifa_prefixlen > max_prefixlen))
                        preflen = max_prefixlen;
                      else
                        preflen = ifam->ifa_prefixlen;

                      for (i = 0; i < (preflen / 8); i++)
                        *cp++ = 0xff;
                      c = 0xff;
                      c <<= (8 - (preflen % 8));
                      *cp = c;
                    }

It should check if preflen < max_prefixlen before updating
the last byte of netmask.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15698] Memory overrun in getifaddrs_internal

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=15698

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
        at  029183a4ca3f765f63e7b64bc260622f02b04539 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=029183a4ca3f765f63e7b64bc260622f02b04539

commit 029183a4ca3f765f63e7b64bc260622f02b04539
Author: Liubov Dmitrieva <ldmitrie@sourceware.org>
Date:   Fri Aug 30 18:37:28 2013 +0400

    Implemented bound check support for string/memory routines for x86_64.
    TODO: Fix bound check support in strcmp-sse2 and implement in strspn,
strstr and strcspn.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=01d5454d13d2c21b9a08b28441d37a7ddce089a6

commit 01d5454d13d2c21b9a08b28441d37a7ddce089a6
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Fri May 24 13:18:17 2013 +0400

    Implemented bounds check support for string/memory routines for x86_32.
    Warning: Not completed and haven't tested.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c57d11da52265f7ae5368669f8340f31818b6474

commit c57d11da52265f7ae5368669f8340f31818b6474
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Sun May 19 18:30:05 2013 +0400

    Support new siginfo in Glibc for Intel MPX.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7838e39881b61895ae13a15cf86ad041c75593de

commit 7838e39881b61895ae13a15cf86ad041c75593de
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Fri Jan 25 18:40:50 2013 +0400

    Intel MPX support for x86_64 and x86_32  pthread routines.
    Always use INIT bounds in __tls_get_addr.
    Set bounds manually in _Unwind_Resume.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=36aee6bb45b54f2d242e256b5e596838c18c0b85

commit 36aee6bb45b54f2d242e256b5e596838c18c0b85
Author: Liubov Dmitrieva <ldmitrie@sourceware.org>
Date:   Thu Aug 29 16:33:47 2013 +0400

    Buffer overrun detected by Intel MPX in wcschr test. Fixed.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3bfd26d36c5ec07910d1cf6b6df7c8f331964824

commit 3bfd26d36c5ec07910d1cf6b6df7c8f331964824
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Sat Dec 22 20:51:45 2012 +0400

    Buffer overrun detected by Intel MPX at sysdeps/unix/sysv/linux/ifaddrs.c
[BZ 15698]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=90cb32ab6fc7f40d9c16aada2cfc34d9beb0b3e8

commit 90cb32ab6fc7f40d9c16aada2cfc34d9beb0b3e8
Author: Liubov Dmitrieva <ldmitrie@sourceware.org>
Date:   Wed Sep 18 15:02:30 2013 +0400

    Buffer overrun detected by Intel MPX in stdlib/strtod_l.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2b9f19a28fc9d6a5c2b21df41e7b9b6f725915fd

commit 2b9f19a28fc9d6a5c2b21df41e7b9b6f725915fd
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Wed Dec 19 18:56:40 2012 +0400

    Buffer overrun detected by Intel MPX in stdio-common/scanf13.c. Fixed.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5fb331d20bb10ce4cb19734728bf51d28dde42b8

commit 5fb331d20bb10ce4cb19734728bf51d28dde42b8
Author: ienkovic <ilya.enkovich@intel.com>
Date:   Tue Dec 25 15:16:28 2012 +0400

    Do not block SIGSEGV signal because Intel MPX runtime uses it.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f93ec08c4a30887c516ea7a6d4c2d8af8d541e03

commit f93ec08c4a30887c516ea7a6d4c2d8af8d541e03
Author: Liubov Dmitrieva <ldmitrie@sourceware.org>
Date:   Thu Aug 29 17:08:14 2013 +0400

    Inappropriate code style for Intel MPX in string/strcpy.c and
wcsmbc/wcscpy.c
    Fix the code if MPX is enabled.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0e036f35e545b187f4ee71bb48cffb8e9cc855b9

commit 0e036f35e545b187f4ee71bb48cffb8e9cc855b9
Author: Liubov Dmitrieva <ldmitrie@sourceware.org>
Date:   Thu Aug 29 19:25:35 2013 +0400

    Inappropriate code style for Intel MPX in debug/wcscpy_chk.c. Fix the code
if MPX is enabled.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7f5505c12769e739442d52bf29903f93ff2322c2

commit 7f5505c12769e739442d52bf29903f93ff2322c2
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Mon Mar 11 17:06:38 2013 +0400

    Inappropriate code style for Intel MPX in debug/wcpcpy_chk. Fix the code if
MPX is enabled.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c9cc287b7b0c55e2dcf17919d733c9db9aa8d64

commit 9c9cc287b7b0c55e2dcf17919d733c9db9aa8d64
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Mon May 27 18:54:53 2013 +0400

    Inappropriate code style for Intel MPX at wcsmbs/wcpcpy.c. Use other
implementation if MPX is enabled.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f36742ee7f5b437cc12bf4edcc8ee6b21c0d82dd

commit f36742ee7f5b437cc12bf4edcc8ee6b21c0d82dd
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Thu Dec 20 18:46:38 2012 +0400

    Inappropriate code style for Intel MPX at posix/fnmatch_loop.c. Fixed.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=144b4bd88eb1c164c4e193cc04f8e29139a15c08

commit 144b4bd88eb1c164c4e193cc04f8e29139a15c08
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Thu Dec 20 18:23:10 2012 +0400

    Inappropriate code style for Intel MPX at argp/argp-help.c. Fixed.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e5e177e61eea5dbf33a2bc5e7fc56aeba254b4fa

commit e5e177e61eea5dbf33a2bc5e7fc56aeba254b4fa
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Wed Dec 19 17:03:44 2012 +0400

    Inappropriate code style for Intel MPX. Expand bounds in crypt/crypt.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=aacd42d25354ff7b1692cbb534f93c6160e57d19

commit aacd42d25354ff7b1692cbb534f93c6160e57d19
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Wed Dec 19 14:55:21 2012 +0400

    Inappropriate code style for Intel MPX in libio/fileops.c.
    Use INIT (maximum) bounds as it is hard to rewrite the algorithm.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5dad50d8242a59291294a71c0d48aec966880c32

commit 5dad50d8242a59291294a71c0d48aec966880c32
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Thu Nov 8 16:35:39 2012 +0400

    Inappropriate code style for Intel MPX in elf/dl-close.c
    A cast implies memory access with bounds violation.
    Let allow that.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=333921bb7baa01cd8255901c642b0ab39e9459ab

commit 333921bb7baa01cd8255901c642b0ab39e9459ab
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Tue Dec 18 19:42:52 2012 +0400

    Inappropriate code style for Intel MPX in crypt/crypt_util.c. Fixed.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ff922ed8bdf38971bee571a4574bf20e083782ad

commit ff922ed8bdf38971bee571a4574bf20e083782ad
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Mon Oct 15 15:01:09 2012 +0400

    Inappropriate code style for Intel MPX. Fix missing of bounds in
sysdeps/generic/unwind-dw2-fde.h

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=304c5527fb95a038cb115dce3a16dde4a68c99f4

commit 304c5527fb95a038cb115dce3a16dde4a68c99f4
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Fri Dec 14 18:41:37 2012 +0400

    Inappropriate code style for Intel MPX in debug/strcpy_chk.c  Use different
version if MPX enabled.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cc433f63434c62a737f553a59eee5dfd359ef740

commit cc433f63434c62a737f553a59eee5dfd359ef740
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Fri Nov 23 18:50:27 2012 +0400

    If Intel MPX enabled: always compile with -fno-check-pointers file
elf/dl-init.c
    because this file contains the code excecuting before runtime library
    initialization happens.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f1079a9d27c2c91206f707f4e6b332752cba39d2

commit f1079a9d27c2c91206f707f4e6b332752cba39d2
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Mon Dec 17 13:44:21 2012 +0400

    Add attribute __bnd_variable_size to make using flexible size arrays Intel
MPX complient.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1ad69ea0d84ca18e834146032178d827ce928729

commit 1ad69ea0d84ca18e834146032178d827ce928729
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Mon Jan 21 15:35:12 2013 +0400

    Use C code instead of inline assembler in macros of tls.h for i386 (for
Intel MPX only).

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6499e6a1571f79cd73d6a7124a683b7797638a57

commit 6499e6a1571f79cd73d6a7124a683b7797638a57
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Sat Nov 10 12:22:56 2012 +0400

    Use C code instead of inline assembler in macros of tls.h for x86_64 (for
Intel MPX only).

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=acc53d3aea3db1d1dfe714a825abda83588ecc48

commit acc53d3aea3db1d1dfe714a825abda83588ecc48
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Wed Oct 24 16:00:49 2012 +0400

    Intel MPX support for mmap and mremap wrappers of syscalls for x86_32 and
x86_64.
    Create bounds.
    Use C wrapper of syscall instead of assembler wrapper for x86_64.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=805b4bcb83ca924e3437c4918b68a081ff3a1862

commit 805b4bcb83ca924e3437c4918b68a081ff3a1862
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Wed Oct 10 19:28:57 2012 +0400

    Save/restore bounds in x86_64 and x86_32 version of _dl_runtime_resolve.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8c98301cfcc3402c0c5dcb6b1b7d96d8290555ee

commit 8c98301cfcc3402c0c5dcb6b1b7d96d8290555ee
Author: Liubov Dmitrieva <liubov.dmitrieva@intel.com>
Date:   Mon Jul 23 19:39:27 2012 +0400

    Add Intel MPX support to malloc allocator.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=851ab32c89bba91205e11ddd5dfe8a041d999479

commit 851ab32c89bba91205e11ddd5dfe8a041d999479
Author: Liubov Dmitrieva <ldmitrie@sourceware.org>
Date:   Mon Sep 2 13:21:47 2013 +0400

    Add --enable-mpx and --enable-mpx-write-only option to configure for Intel
MPX support.

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15698] Memory overrun in getifaddrs_internal

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15698

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  d89b3d80f92035acda41010b8d68b32bc471b846 (commit)
      from  bd1b9d956b9ce90a5fa265bde97d984129cffae9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d89b3d80f92035acda41010b8d68b32bc471b846

commit d89b3d80f92035acda41010b8d68b32bc471b846
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Thu Jun 5 19:21:32 2014 +0200

    Fix memory overrun in getifaddrs_internal. Fixes bug 15698.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                         |    6 ++++++
 NEWS                              |   22 +++++++++++-----------
 sysdeps/unix/sysv/linux/ifaddrs.c |    4 ++--
 3 files changed, 19 insertions(+), 13 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-22672-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Jun 05 17:29:45 2014
Return-Path: <glibc-bugs-return-22672-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 10298 invoked by alias); 5 Jun 2014 17:29:44 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 10231 invoked by uid 48); 5 Jun 2014 17:29:41 -0000
From: "neleai at seznam dot cz" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug network/15698] Memory overrun in getifaddrs_internal
Date: Thu, 05 Jun 2014 17:29:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: network
X-Bugzilla-Version: 2.18
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: neleai at seznam dot cz
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_status cc resolution
Message-ID: <bug-15698-131-gRFOJkBR5i@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-15698-131@http.sourceware.org/bugzilla/>
References: <bug-15698-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-06/txt/msg00048.txt.bz2
Content-length: 572

https://sourceware.org/bugzilla/show_bug.cgi?id\x15698

Ondrej Bilka <neleai at seznam dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |neleai at seznam dot cz
         Resolution|---                         |FIXED

--- Comment #3 from Ondrej Bilka <neleai at seznam dot cz> ---
fixed.

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15698] Memory overrun in getifaddrs_internal

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15698

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
I think this has no security implications because changing interface parameters
requires administrative privileges.  No trust boundary is crossed, so this is
just a regular bug.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15698] Memory overrun in getifaddrs_internal

[simongmzlj at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15698

Simon Gomizelj <simongmzlj at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |simongmzlj at gmail dot com

--- Comment #6 from Simon Gomizelj <simongmzlj at gmail dot com> ---
Created attachment 7776
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7776&action=edit
core file

Coredump from process

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15698] Memory overrun in getifaddrs_internal

[simongmzlj at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15698

--- Comment #7 from Simon Gomizelj <simongmzlj at gmail dot com> ---
(In reply to Simon Gomizelj from comment #6)
> Created attachment 7776 [details]
> core file
> 
> Coredump from process

I'm really sorry for the noice, ment to attach this to a different issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.