public inbox for glibc-bugs@sourceware.org
* [Bug libc/18032] New: buffer overflow (read past end of buffer) in internal_fnmatch
From: konstantin.s.serebryany at gmail dot com @ 2015-02-26 2:43 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
Bug ID: 18032
Summary: buffer overflow (read past end of buffer) in internal_fnmatch
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com
#include <fnmatch.h>
#include <string.h>

int main(int argc, const char* argv[]) {
  /* text = ",\[,[." and pattern = "[,[." given as byte values */
  const char text[] = {44, 92, 91, 44, 91, 46, 0};
  const char p[] = {91, 44, 91, 46, 0};
  /* heap copy so the read past the terminator lands outside a 5-byte block */
  const char *Pat = strdup(p);
  fnmatch(Pat, text, 0);
  return 0;
}
gcc -g fn2.c && valgrind ./a.out # 2.19
==32342== Invalid read of size 1
==32342== at 0x4EFEF92: internal_fnmatch (fnmatch_loop.c:965)
==32342== by 0x4EFFF71: fnmatch@@GLIBC_2.2.5 (fnmatch.c:458)
==32342== by 0x400663: main (fn2.c:7)
==32342== Address 0x51fc045 is 0 bytes after a block of size 5 alloc'd
==32342== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==32342== by 0x4EBF3C9: strdup (strdup.c:42)
==32342== by 0x400647: main (fn2.c:6)
Reproduced on 2.19 and on fresh trunk;
initially found with an experimental AddressSanitizer build of glibc and
a coverage guided fuzzer.
# trunk
==32737==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000eff5 at pc 0x7f0bc10c9588 bp 0x7fff4676fef0 sp 0x7fff4676fee8
READ of size 1 at 0x60200000eff5 thread T0
#0 0x7f0bc10c9587 in internal_fnmatch posix/./fnmatch_loop.c:951:8
#1 0x7f0bc10b3014 in __GI_fnmatch posix/fnmatch.c:458:10
#2 0x4c1e3f in main
0x60200000eff5 is located 0 bytes to the right of 5-byte region
[0x60200000eff0,0x60200000eff5)
allocated by thread T0 here:
#0 0x48d23c in __interceptor_strdup
#1 0x4c1dfe in main
See also https://sourceware.org/bugzilla/show_bug.cgi?id=17062 -- a different
bug somewhere similar.
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: fweimer at redhat dot com @ 2015-02-26 13:58 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security+
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Self-contained test case below. We skip over the terminating NUL character:
946	    else if (c == L('[') && *p == L('.'))
947	      {
948		++p;
949		while (1)
950		  {
951		    c = *++p;
952		    if (c == '\0')
953		      return FNM_NOMATCH;
954
955		    if (*p == L('.') && p[1] == L(']'))
956		      break;
957		  }
958		p += 2;
959	      }
My initial hunch is that line 948 (“++p;”) should be dropped.
I'm flagging this security+ because it's not far-fetched that this could cause
application crashes.
#include <fnmatch.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>

int
main (int argc, char **argv)
{
  long page_size = sysconf (_SC_PAGESIZE);
  if (page_size < 0)
    {
      printf ("sysconf (_SC_PAGESIZE) failed: %m\n");
      return 1;
    }
  /* Two pages: the pattern lives in the first, the second becomes an
     inaccessible guard page so any read past it faults immediately.  */
  char *page = mmap (NULL, 2 * page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (page == MAP_FAILED)
    {
      printf ("mmap failed: %m\n");
      return 1;
    }
  if (mprotect (page + page_size, page_size, PROT_NONE))
    {
      printf ("mprotect failed: %m\n");
      return 1;
    }
  /* Fill the page with a character that never completes ".]", then put
     the pattern and its terminating NUL at the start.  Skipping the NUL
     makes the scanner walk the spaces straight into the guard page.  */
  memset (page, ' ', page_size);
  strcpy (page, "[,[.");
  fnmatch (page, ",\\[,[.", 0);
  return 0;
}
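The loop quoted above, reduced to a model that can be run safely. This is an added illustration, not glibc's code and not from the thread: the "[." collating-symbol scanner is rewritten as index arithmetic over the pattern allocation, with every read checked against the allocation size, so the read that glibc performs unchecked is reported instead of executed. It is run once with the "++p;" from line 948 (the buggy shape) and once with that line dropped, as the comment above suggests. The names scan_collsym, demo_report, demo_valid_result and demo_valid_resume are chosen here; the 5-byte allocation of "[,[." mirrors the strdup block in the valgrind report, and "[[.a.]]" is a constructed well-formed input.

```c
#include <stddef.h>
#include <stdio.h>

/* Added model, not glibc code: the "[." collating-symbol scanner from
   fnmatch_loop.c reduced to index arithmetic over the pattern allocation.
   Every read is checked against buflen, so the over-read that glibc <= 2.21
   performs (bug 18032) is reported here instead of executed.  */

enum scan_result {
    SCAN_FOUND_CLOSE,   /* ".]" found; resume index is the byte after it */
    SCAN_NOMATCH,       /* NUL reached inside the symbol: FNM_NOMATCH */
    SCAN_OVERREAD       /* the next read would fall outside the allocation */
};

/* buf/buflen: pattern allocation including its NUL terminator.
   dot: index of the '.' in "[." (the '[' was consumed as c, *p == '.').
   extra_increment: 1 reproduces the "++p;" at line 948, 0 drops it.  */
static enum scan_result
scan_collsym (const char *buf, size_t buflen, size_t dot,
              int extra_increment, size_t *resume)
{
  size_t p = dot;
  if (extra_increment)
    ++p;                          /* line 948: "++p;" */
  for (;;)
    {
      ++p;                        /* line 951: "c = *++p;" */
      if (p >= buflen)
        return SCAN_OVERREAD;     /* glibc dereferences here unchecked */
      char c = buf[p];
      if (c == '\0')
        return SCAN_NOMATCH;      /* line 953 */
      if (c == '.')
        {
          if (p + 1 >= buflen)    /* p[1] must also be inside the block */
            return SCAN_OVERREAD;
          if (buf[p + 1] == ']')
            {
              *resume = p + 2;    /* line 958: "p += 2;" */
              return SCAN_FOUND_CLOSE;
            }
        }
    }
}

/* Constructed inputs.  REPORT is the reporter's pattern "[,[." in its
   5-byte strdup block; VALID is a well-formed symbol "[[.a.]]".  */
static const char REPORT[] = "[,[.";    /* 0 '[' 1 ',' 2 '[' 3 '.' 4 NUL */
static const char VALID[] = "[[.a.]]";  /* 0 '[' 1 '[' 2 '.' 3 'a' 4 '.' 5 ']' 6 ']' 7 NUL */

static enum scan_result
demo_report (int extra_increment)
{
  size_t resume = 0;
  return scan_collsym (REPORT, sizeof REPORT, 3, extra_increment, &resume);
}

static enum scan_result
demo_valid_result (int extra_increment)
{
  size_t resume = 0;
  return scan_collsym (VALID, sizeof VALID, 2, extra_increment, &resume);
}

static size_t
demo_valid_resume (int extra_increment)
{
  size_t resume = 0;
  scan_collsym (VALID, sizeof VALID, 2, extra_increment, &resume);
  return resume;
}

int
main (void)
{
  static const char *const names[] = { "found \".]\"", "FNM_NOMATCH", "OVER-READ" };
  printf ("buggy on \"[,[.\":    %s\n", names[demo_report (1)]);
  printf ("fixed on \"[,[.\":    %s\n", names[demo_report (0)]);
  printf ("fixed on \"[[.a.]]\": %s, resume at %zu\n",
          names[demo_valid_result (0)], demo_valid_resume (0));
  return 0;
}
```

With the extra increment, the first byte examined is two past the '.', so the NUL at index 4 is never seen and the next read is at index 5, one byte past the 5-byte block: the same position the valgrind line "0 bytes after a block of size 5" reports. Without it, the NUL is hit first and the scanner returns FNM_NOMATCH, while the well-formed "[[.a.]]" still resumes at index 6, after ".]", in both shapes; the two versions diverge only when the terminator directly follows "[.".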
* [Bug dynamic-link/18035] New: pldd does no longer work, enters infinite loop
From: fweimer at redhat dot com @ 2015-02-26 14:18 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18035
Bug ID: 18035
Summary: pldd does no longer work, enters infinite loop
Product: glibc
Version: 2.20
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Flags: security-
This just hangs:
$ pldd $$
17928: /usr/bin/bash
It loops around in pldd-xx.c, here (line numbers are from glibc 2.20 in Fedora 21):
201	again:
202	  while (1)
203	    {
204	      ssize_t n = pread64 (memfd, str, strsize, name_offset);
205	      if (n == -1)
206		{
207		  error (0, 0, gettext ("cannot read object name"));
208		  return EXIT_FAILURE;
209		}
210
211	      if (memchr (str, '\0', n) != NULL)
212		break;
213
214	      str = extend_alloca (str, strsize, strsize * 2);
215	    }
216
217	  if (str[0] == '\0' && name_offset == m.l_name
218	      && m.l_libname != 0)
219	    {
220	      /* Try the l_libname element. */
221	      struct E(libname_list) ln;
222	      if (pread64 (memfd, &ln, sizeof (ln), m.l_libname) == sizeof (ln))
223		{
224		  name_offset = ln.name;
225		  goto again;
226		}
227	    }
(I see a similar issue in master.)
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: cvs-commit at gcc dot gnu.org @ 2015-02-26 15:06 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 4a28f4d55a6cc33474c0792fe93b5942d81bf185 (commit)
from 524ae9ea2e3ae9f5bf5d655595fda827e9dc50a1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185
commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185
Author: Andreas Schwab <schwab@suse.de>
Date: Thu Feb 26 14:55:24 2015 +0100
Fix read past end of pattern in fnmatch (bug 18032)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 7 +++++++
NEWS | 2 +-
posix/fnmatch_loop.c | 5 ++---
posix/tst-fnmatch3.c | 8 +++++---
4 files changed, 15 insertions(+), 7 deletions(-)
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: schwab@linux-m68k.org @ 2015-02-26 15:15 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
Andreas Schwab <schwab@linux-m68k.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
Target Milestone|--- |2.22
--- Comment #3 from Andreas Schwab <schwab@linux-m68k.org> ---
Fixed in 2.22.
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: cvs-commit at gcc dot gnu.org @ 2015-07-21 2:32 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The branch, release/2.21/master has been updated
via fe7b1136e5753c85b3ccc8395dfc66b82052d73c (commit)
from d679497db20c23e3aaaa150821ce9134cc666a18 (commit)
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fe7b1136e5753c85b3ccc8395dfc66b82052d73c
commit fe7b1136e5753c85b3ccc8395dfc66b82052d73c
Author: Andreas Schwab <schwab@suse.de>
Date: Thu Feb 26 14:55:24 2015 +0100
Fix read past end of pattern in fnmatch (bug 18032)
(cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 7 +++++++
NEWS | 2 +-
posix/fnmatch_loop.c | 5 ++---
posix/tst-fnmatch3.c | 8 +++++---
4 files changed, 15 insertions(+), 7 deletions(-)
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: vapier at gentoo dot org @ 2015-07-21 2:36 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
Mike Frysinger <vapier at gentoo dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.gentoo.org/show_bug.cgi?id=541542
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: cvs-commit at gcc dot gnu.org @ 2015-07-21 3:50 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The branch, gentoo/2.21 has been updated
via 5af500db3c6abef8810253e51d428b406f24320d (commit)
from 1c416311f5d92922788c1bef42de5b9ccd812bac (commit)
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5af500db3c6abef8810253e51d428b406f24320d
commit 5af500db3c6abef8810253e51d428b406f24320d
Author: Andreas Schwab <schwab@suse.de>
Date: Thu Feb 26 14:55:24 2015 +0100
Fix read past end of pattern in fnmatch (bug 18032)
(cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)
(cherry picked from commit fe7b1136e5753c85b3ccc8395dfc66b82052d73c)
-----------------------------------------------------------------------
Summary of changes:
posix/fnmatch_loop.c | 5 ++---
posix/tst-fnmatch3.c | 8 +++++---
2 files changed, 7 insertions(+), 6 deletions(-)