[Bug libc/16976] New: fnmatch unbounded stack VLA for collating symbols

[Bug libc/16976] New: fnmatch unbounded stack VLA for collating symbols

[jsm28 at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=16976

            Bug ID: 16976
           Summary: fnmatch unbounded stack VLA for collating symbols
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org
                CC: drepper.fsp at gmail dot com

When fnmatch is called in a multibyte locale it converts the strings internally
to wide characters (see bug 14185 for ways in which this is suboptimal).  If
the pattern contains collating symbols ([.collating-element.] inside []) then
an unbounded VLA is used to convert the collating symbol name back to narrow
characters.  Consider the following test (which segfaults for me):

#include <fnmatch.h>
#include <locale.h>
#include <stdio.h>
#include <string.h>

#define LENGTH 20000000

char pattern[LENGTH + 7];

int
main (void)
{
  if (setlocale (LC_ALL, "en_US.UTF-8") == NULL)
    {
      puts ("could not set locale");
      return 1;
    }
  pattern[0] = '[';
  pattern[1] = '[';
  pattern[2] = '.';
  memset (pattern + 3, 'a', LENGTH);
  pattern[LENGTH + 3] = '.';
  pattern[LENGTH + 4] = ']';
  pattern[LENGTH + 5] = ']';
  int ret = fnmatch (pattern, "a", 0);
  if (ret == 0)
    {
      puts ("fnmatch returned 0 for invalid pattern");
      return 1;
    }
  return 0;
}

I'm not aware of any limit on the length of valid collating element names, so I
suppose fnmatch should deal with long names in some sensible way rather than
automatically treating them as errors.

Given previous CVEs for fnmatch stack overflows I suppose this may merit a CVE
as well.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/16976] fnmatch unbounded stack VLA for collating symbols

[joseph at codesourcery dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=16976

--- Comment #1 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
Note that there are two copies in fnmatch of the problematic code 
involving "char str[c1];", I think in order to handle ranges.  Both copies 
will need fixing.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/16976] fnmatch unbounded stack VLA for collating symbols

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=16976

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/16976] fnmatch unbounded stack VLA for collating symbols

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=16976

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security+

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug glob/16976] fnmatch unbounded stack VLA for collating symbols

[jsm28 at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=16976

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |glob

-- 
You are receiving this mail because:
You are on the CC list for the bug.