From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 44408 invoked by alias); 26 Feb 2015 13:58:14 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org Received: (qmail 44301 invoked by uid 48); 26 Feb 2015 13:58:10 -0000 From: "fweimer at redhat dot com" To: glibc-bugs@sourceware.org Subject: [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch Date: Thu, 26 Feb 2015 13:58:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: libc X-Bugzilla-Version: 2.21 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: fweimer at redhat dot com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: security+ X-Bugzilla-Changed-Fields: cc flagtypes.name Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2015-02/txt/msg00392.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=3D18032 Florian Weimer changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fweimer at redhat dot com Flags| |security+ --- Comment #1 from Florian Weimer --- Self-contained test case below. We skip over the terminating NUL character: 946 else if (c =3D=3D L('[') && *p =3D=3D L('.')) 947 { 948 ++p; 949 while (1) 950 { 951 c =3D *++p; 952 if (c =3D=3D '\0') 953 return FNM_NOMATCH; 954=20=20=20=20 955 if (*p =3D=3D L('.') && p[1] =3D=3D L(']')) 956 break; 957 } 958 p +=3D 2; 959 } May initial hunch is that line 948 (=E2=80=9C++p;=E2=80=9D) should be dropp= ed. I'm flagging this security+ because it's not far-fetched that this could ca= use application crashes. #include #include #include #include #include int main (int argc, char **argv) { long page_size =3D sysconf (_SC_PAGESIZE); if (page_size < 0) { printf ("sysconf (_SC_PAGESIZE) failed: %m\n"); return 1; } char *page =3D mmap (NULL, 2 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page =3D=3D MAP_FAILED) { printf ("mmap failed: %m\n"); return 1; } if (mprotect (page + page_size, page_size, PROT_NONE)) { printf ("mprotect failed: %m\n"); return 1; } memset (page, ' ', page_size); strcpy (page, "[,[."); fnmatch (page, ",\\[,[.", 0); } --=20 You are receiving this mail because: You are on the CC list for the bug. >>From glibc-bugs-return-27658-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Feb 26 14:18:53 2015 Return-Path: Delivered-To: listarch-glibc-bugs@sources.redhat.com Received: (qmail 130201 invoked by alias); 26 Feb 2015 14:18:53 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org Delivered-To: mailing list glibc-bugs@sourceware.org Received: (qmail 129756 invoked by uid 48); 26 Feb 2015 14:18:48 -0000 From: "fweimer at redhat dot com" To: glibc-bugs@sourceware.org Subject: [Bug dynamic-link/18035] New: pldd does no longer work, enters infinite loop Date: Thu, 26 Feb 2015 14:18:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: dynamic-link X-Bugzilla-Version: 2.20 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: fweimer at redhat dot com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: security- X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter flagtypes.name Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2015-02/txt/msg00393.txt.bz2 Content-length: 1536 https://sourceware.org/bugzilla/show_bug.cgi?id=18035 Bug ID: 18035 Summary: pldd does no longer work, enters infinite loop Product: glibc Version: 2.20 Status: NEW Severity: normal Priority: P2 Component: dynamic-link Assignee: unassigned at sourceware dot org Reporter: fweimer at redhat dot com Flags: security- This just hangs: $ pldd $$ 17928: /usr/bin/bash It loops around in pldd-xx.c, here (line numbers are from glibc 2.20 in Fedora 21): 201 again: 202 while (1) 203 { 204 ssize_t n = pread64 (memfd, str, strsize, name_offset); 205 if (n == -1) 206 { 207 error (0, 0, gettext ("cannot read object name")); 208 return EXIT_FAILURE; 209 } 210 211 if (memchr (str, '\0', n) != NULL) 212 break; 213 214 str = extend_alloca (str, strsize, strsize * 2); 215 } 216 217 if (str[0] == '\0' && name_offset == m.l_name 218 && m.l_libname != 0) 219 { 220 /* Try the l_libname element. */ 221 struct E(libname_list) ln; 222 if (pread64 (memfd, &ln, sizeof (ln), m.l_libname) == sizeof (ln)) 223 { 224 name_offset = ln.name; 225 goto again; 226 } 227 } (I see a similar issue in master.) -- You are receiving this mail because: You are on the CC list for the bug.