[Bug stdio/17269] New: _IO_wstr_overflow integer overflow

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug stdio/17269] New: _IO_wstr_overflow integer overflow
@ 2014-08-14 16:45 jsm28 at gcc dot gnu.org
  2015-02-18 13:25 ` [Bug stdio/17269] " fweimer at redhat dot com
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2014-08-14 16:45 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

            Bug ID: 17269
           Summary: _IO_wstr_overflow integer overflow
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org

libio/wstrops.c:_IO_wstr_overflow does:

          _IO_size_t new_size = 2 * old_wblen + 100;
          if (new_size < old_wblen)
            return EOF;
          new_buf
            = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer)
(new_size
                                                                        *
sizeof (wchar_t));

This allows for overflow in calculating the new size in wide characters, but
not for overflow in the multiplication to compute the size in bytes, which
could thus overflow and result in a buffer overrun copying data into the new
buffer.

(I don't know about the practical exploitability with a stream opened with
open_wmemstream.  At the doubling before the one resulting in the overflow
you'd have buffers of (nearly) 1/4 and 1/2 of the address space or more
allocated simultaneously, so it needs to be possible to allocate 3/4 of the
address space in those two contiguous regions in order to get to the point
where the overflow occurs.)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
@ 2015-02-18 13:25 ` fweimer at redhat dot com
  2015-02-18 14:20 ` fweimer at redhat dot com
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: fweimer at redhat dot com @ 2015-02-18 13:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security?

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
  2015-02-18 13:25 ` [Bug stdio/17269] " fweimer at redhat dot com
@ 2015-02-18 14:20 ` fweimer at redhat dot com
  2015-02-22  5:23 ` ppluzhnikov at google dot com
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: fweimer at redhat dot com @ 2015-02-18 14:20 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|security?                   |security+

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
With a 64 bit kernel, it is possible to allocate three hunks of 1U << 31, 1U <<
30, 1U << 29, all within the same process, so we probably should treat this as
a security issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
  2015-02-18 13:25 ` [Bug stdio/17269] " fweimer at redhat dot com
  2015-02-18 14:20 ` fweimer at redhat dot com
@ 2015-02-22  5:23 ` ppluzhnikov at google dot com
  2015-02-22 20:03 ` cvs-commit at gcc dot gnu.org
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: ppluzhnikov at google dot com @ 2015-02-22  5:23 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot com
           Assignee|unassigned at sourceware dot org   |ppluzhnikov at google dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
                   ` (2 preceding siblings ...)
  2015-02-22  5:23 ` ppluzhnikov at google dot com
@ 2015-02-22 20:03 ` cvs-commit at gcc dot gnu.org
  2015-02-22 20:05 ` ppluzhnikov at google dot com
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-02-22 20:03 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  bdf1ff052a8e23d637f2c838fa5642d78fcedc33 (commit)
      from  9529611240b612fec59e289673d05f83396aede4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33

commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Sun Feb 22 12:01:47 2015 -0800

    Fix BZ #17269 -- _IO_wstr_overflow integer overflow

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    6 ++++++
 NEWS            |    6 +++---
 libio/wstrops.c |    8 +++++++-
 3 files changed, 16 insertions(+), 4 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
                   ` (3 preceding siblings ...)
  2015-02-22 20:03 ` cvs-commit at gcc dot gnu.org
@ 2015-02-22 20:05 ` ppluzhnikov at google dot com
  2015-07-21  2:34 ` vapier at gentoo dot org
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: ppluzhnikov at google dot com @ 2015-02-22 20:05 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Fixed by bdf1ff052a8e23d637f2c838fa5642d78fcedc33

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
                   ` (4 preceding siblings ...)
  2015-02-22 20:05 ` ppluzhnikov at google dot com
@ 2015-07-21  2:34 ` vapier at gentoo dot org
  2015-07-21  2:36 ` vapier at gentoo dot org
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: vapier at gentoo dot org @ 2015-07-21  2:34 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.22

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
                   ` (5 preceding siblings ...)
  2015-07-21  2:34 ` vapier at gentoo dot org
@ 2015-07-21  2:36 ` vapier at gentoo dot org
  2015-07-21  2:38 ` cvs-commit at gcc dot gnu.org
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: vapier at gentoo dot org @ 2015-07-21  2:36 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.gentoo.org/sho
                   |                            |w_bug.cgi?id=541246,
                   |                            |https://bugzilla.redhat.com
                   |                            |/show_bug.cgi?id=1195762

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
                   ` (6 preceding siblings ...)
  2015-07-21  2:36 ` vapier at gentoo dot org
@ 2015-07-21  2:38 ` cvs-commit at gcc dot gnu.org
  2015-07-21  3:52 ` cvs-commit at gcc dot gnu.org
  2015-10-19  9:51 ` cvs-commit at gcc dot gnu.org
  9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-07-21  2:38 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.21/master has been updated
       via  8a4e5cc6574a419d5724bef6be98d705d58db48d (commit)
      from  fe7b1136e5753c85b3ccc8395dfc66b82052d73c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8a4e5cc6574a419d5724bef6be98d705d58db48d

commit 8a4e5cc6574a419d5724bef6be98d705d58db48d
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Sun Feb 22 12:01:47 2015 -0800

    Fix BZ #17269 -- _IO_wstr_overflow integer overflow

    (cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    6 ++++++
 NEWS            |    2 +-
 libio/wstrops.c |    8 +++++++-
 3 files changed, 14 insertions(+), 2 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
                   ` (7 preceding siblings ...)
  2015-07-21  2:38 ` cvs-commit at gcc dot gnu.org
@ 2015-07-21  3:52 ` cvs-commit at gcc dot gnu.org
  2015-10-19  9:51 ` cvs-commit at gcc dot gnu.org
  9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-07-21  3:52 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, gentoo/2.21 has been updated
       via  15ec5f09005dd20b65d0a5de3afba391707bce2f (commit)
      from  5af500db3c6abef8810253e51d428b406f24320d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=15ec5f09005dd20b65d0a5de3afba391707bce2f

commit 15ec5f09005dd20b65d0a5de3afba391707bce2f
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Sun Feb 22 12:01:47 2015 -0800

    Fix BZ #17269 -- _IO_wstr_overflow integer overflow

    (cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)
    (cherry picked from commit 8a4e5cc6574a419d5724bef6be98d705d58db48d)

-----------------------------------------------------------------------

Summary of changes:
 libio/wstrops.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Bug stdio/17269] _IO_wstr_overflow integer overflow
  2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
                   ` (8 preceding siblings ...)
  2015-07-21  3:52 ` cvs-commit at gcc dot gnu.org
@ 2015-10-19  9:51 ` cvs-commit at gcc dot gnu.org
  9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-10-19  9:51 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  012adb33827608d3b78e3832a1948b468b549946 (commit)
       via  fc843f6e48737d3d6690c5cf355d9719274efee1 (commit)
      from  3fd498242948b1fa944c56646ec9b156387dd310 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=012adb33827608d3b78e3832a1948b468b549946

commit 012adb33827608d3b78e3832a1948b468b549946
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Sun Feb 22 12:01:47 2015 -0800

    Fix BZ #17269 -- _IO_wstr_overflow integer overflow

    (cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)

    Conflicts:
        ChangeLog
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fc843f6e48737d3d6690c5cf355d9719274efee1

commit fc843f6e48737d3d6690c5cf355d9719274efee1
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 26 14:55:24 2015 +0100

    Fix read past end of pattern in fnmatch (bug 18032)

    (cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)

    Conflicts:
        ChangeLog
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            |   12 ++++++++++++
 NEWS                 |    2 +-
 libio/wstrops.c      |    8 +++++++-
 posix/fnmatch_loop.c |    5 ++---
 4 files changed, 22 insertions(+), 5 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2015-10-19  9:51 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-08-14 16:45 [Bug stdio/17269] New: _IO_wstr_overflow integer overflow jsm28 at gcc dot gnu.org
2015-02-18 13:25 ` [Bug stdio/17269] " fweimer at redhat dot com
2015-02-18 14:20 ` fweimer at redhat dot com
2015-02-22  5:23 ` ppluzhnikov at google dot com
2015-02-22 20:03 ` cvs-commit at gcc dot gnu.org
2015-02-22 20:05 ` ppluzhnikov at google dot com
2015-07-21  2:34 ` vapier at gentoo dot org
2015-07-21  2:36 ` vapier at gentoo dot org
2015-07-21  2:38 ` cvs-commit at gcc dot gnu.org
2015-07-21  3:52 ` cvs-commit at gcc dot gnu.org
2015-10-19  9:51 ` cvs-commit at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).