public inbox for glibc-bugs@sourceware.org
* [Bug regex/17062] New: fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
From: konstantin.s.serebryany at gmail dot com @ 2014-06-17 15:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17062

            Bug ID: 17062
           Summary: fnmatch: buffer overflow read from pattern
                    "[[:alpha:]'[:alpha:]"
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com

Created attachment 7641
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7641&action=edit
fn1.c

Given the pattern "[[:alpha:]'[:alpha:]" and locale "en_US.UTF8" fnmatch()
will read at least 1 byte past the end of the pattern buffer (maybe more).

Initially found with ASAN-instrumented glibc, then confirmed without ASAN.
At least 2.19 and fresh trunk are affected.

ASAN report: 
==8418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff5 
READ of size 1 at 0x60300000eff5 thread T0
    #0 0x7f31375019f1 in internal_fnmatch glibc-2.19/posix/fnmatch_loop.c:918
    #1 0x7f3137501cb7 in __GI_fnmatch glibc-2.19/posix/fnmatch.c:454
    #2 0x4b364f in main fn1.c:14

0x60300000eff5 is located 0 bytes to the right of 21-byte region
[0x60300000efe0,0x60300000eff5)
allocated by thread T0 here:
    #0 0x494ff9 in malloc 
    #1 0x7f31374947a5 in __GI___strdup glibc-2.19/string/strdup.c:42
    #2 0x4b363d in main fn1.c:12


Full reproducer attached. 
Currently it's a bit tricky to build ASAN-instrumented glibc,
but this reproducer happily crashes w/o any tool.
    #0 0x7fee9d62d443 in internal_fnmatch glibc-trunk/posix/fnmatch_loop.c:903
    #1 0x7fee9d62dedd in __GI_fnmatch glibc-trunk/posix/fnmatch.c:454
    #2 0x4b3012 in main fn1.c:30

-- 
You are receiving this mail because:
You are on the CC list for the bug.


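The reporter's attachment fn1.c is not reproduced on this page. The harness below is an added example written for this thread, not the attachment and not glibc's own test: it takes the pattern and locale from the report and places the pattern so that its terminating NUL is the last byte before an inaccessible guard page. On a glibc with the fix for this bug, fnmatch() returns normally; on an affected build the one-byte read past the NUL that ASAN reported faults on the guard page, which gives a regression check that needs no sanitizer. The helper names (place_before_guard, fnmatch_guarded, use_report_locale) and the BZ17062_* macros are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* MAP_ANONYMOUS, sysconf on glibc */
#endif
#include <fnmatch.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Pattern and locale quoted from the bug report.  Macro and function names
   in this file are the example's own, not taken from the attached fn1.c. */
#define BZ17062_PATTERN "[[:alpha:]'[:alpha:]"
#define BZ17062_LOCALE  "en_US.UTF8"

/* Copy `pattern` (including its terminating NUL) into an anonymous mapping
   so that the NUL is the very last byte before a PROT_NONE guard page.
   Reading even one byte past the NUL then faults, with no sanitizer needed.
   Returns the address of the copy, or NULL on failure; *map and *map_len
   receive what munmap() needs. */
static char *place_before_guard(const char *pattern, void **map, size_t *map_len)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0)
        return NULL;
    size_t page = (size_t)ps;
    size_t len = strlen(pattern) + 1;
    size_t data_pages = (len + page - 1) / page;
    size_t total = (data_pages + 1) * page;      /* data pages + guard page */

    void *m = mmap(NULL, total, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return NULL;
    /* The last page becomes inaccessible: that is the guard. */
    if (mprotect((char *)m + data_pages * page, page, PROT_NONE) != 0) {
        munmap(m, total);
        return NULL;
    }
    char *dst = (char *)m + data_pages * page - len;
    memcpy(dst, pattern, len);
    *map = m;
    *map_len = total;
    return dst;
}

/* Match `string` against `pattern` with the pattern placed right before a
   guard page.  Returns fnmatch()'s result (0 = match, FNM_NOMATCH, or another
   non-zero error code), or -1 if the harness could not be set up.  An
   fnmatch() that reads past the pattern's NUL, as the report describes for
   glibc 2.19, dies with SIGSEGV here instead of returning. */
int fnmatch_guarded(const char *pattern, const char *string)
{
    void *map;
    size_t map_len;
    char *guarded = place_before_guard(pattern, &map, &map_len);
    if (guarded == NULL)
        return -1;
    int rc = fnmatch(guarded, string, 0);
    munmap(map, map_len);
    return rc;
}

/* Switch to the report's locale if it is installed, else fall back to the C
   locale.  Returns 1 when the requested locale was activated. */
int use_report_locale(void)
{
    if (setlocale(LC_ALL, BZ17062_LOCALE) != NULL)
        return 1;
    setlocale(LC_ALL, "C");
    return 0;
}

int main(void)
{
    int have_locale = use_report_locale();
    printf("locale %s: %s\n", BZ17062_LOCALE,
           have_locale ? "active" : "not installed, using the C locale");
    int rc = fnmatch_guarded(BZ17062_PATTERN, "a");
    /* Reached only when fnmatch() stayed inside the pattern buffer. */
    printf("fnmatch(\"%s\", \"a\") returned %d (FNM_NOMATCH is %d)\n",
           BZ17062_PATTERN, rc, FNM_NOMATCH);
    return rc == -1 ? 1 : 0;
}
```

The pattern is an unterminated bracket expression, so for the string "a" a correct fnmatch() reports no match; the harness does not depend on which non-zero code an implementation picks. The same guard-page placement works for any string-consuming API whose parser is suspected of overreading, and it complements rather than replaces an ASAN build, since it only catches reads that cross into the guard page.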

* [Bug libc/17062] fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
From: jsm28 at gcc dot gnu.org @ 2014-06-17 17:37 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17062

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|regex                       |libc


* [Bug libc/17062] fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
From: cvs-commit at gcc dot gnu.org @ 2014-06-18 12:21 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17062

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  b3a9f56ba59c3d8eadd3135a1c25c37a63151450 (commit)
      from  85d89278568b4191da3b2fee589553e90b54ffa5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b3a9f56ba59c3d8eadd3135a1c25c37a63151450

commit b3a9f56ba59c3d8eadd3135a1c25c37a63151450
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Jun 18 11:58:45 2014 +0200

    Don't read past end of pattern in fnmatch (BZ #17062)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                   |    8 ++++++++
 NEWS                                        |    2 +-
 posix/Makefile                              |    3 ++-
 posix/fnmatch_loop.c                        |   13 +++----------
 stdlib/tst-system.c => posix/tst-fnmatch3.c |   14 +++++++-------
 5 files changed, 21 insertions(+), 19 deletions(-)
 copy stdlib/tst-system.c => posix/tst-fnmatch3.c (77%)


* [Bug libc/17062] fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
From: schwab@linux-m68k.org @ 2014-06-18 12:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17062

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.20

--- Comment #2 from Andreas Schwab <schwab@linux-m68k.org> ---
Fixed for 2.20.


* [Bug libc/17062] fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
From: bugdal at aerifal dot cx @ 2014-06-19 15:06 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17062

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx

--- Comment #3 from Rich Felker <bugdal at aerifal dot cx> ---
I would call this an "invalid read" or "read past end of buffer" rather than
"buffer overflow". The latter implies writing to me.


* [Bug libc/17062] fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
From: fweimer at redhat dot com @ 2015-02-18 14:32 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17062

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security?

