public inbox for glibc-bugs@sourceware.org
* [Bug libc/18032] New: buffer overflow (read past end of buffer) in internal_fnmatch
From: konstantin.s.serebryany at gmail dot com
Date: 2015-02-26 2:43 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18032

Bug ID: 18032
Summary: buffer overflow (read past end of buffer) in internal_fnmatch
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com

#include <fnmatch.h>
#include <string.h>
int main(int argc, const char* argv[]) {
  const char text[] = {44, 92, 91, 44, 91, 46, 0};
  const char p[] = {91, 44, 91, 46, 0};
  const char *Pat = strdup(p);
  fnmatch(Pat, text, 0);
}

gcc -g fn2.c && valgrind ./a.out

# 2.19
==32342== Invalid read of size 1
==32342==    at 0x4EFEF92: internal_fnmatch (fnmatch_loop.c:965)
==32342==    by 0x4EFFF71: fnmatch@@GLIBC_2.2.5 (fnmatch.c:458)
==32342==    by 0x400663: main (fn2.c:7)
==32342==  Address 0x51fc045 is 0 bytes after a block of size 5 alloc'd
==32342==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==32342==    by 0x4EBF3C9: strdup (strdup.c:42)
==32342==    by 0x400647: main (fn2.c:6)

Reproduced on 2.19 and on fresh trunk; initially found with an experimental AddressSanitizer build of glibc and a coverage guided fuzzer.

# trunk
==32737==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff5 at pc 0x7f0bc10c9588 bp 0x7fff4676fef0 sp 0x7fff4676fee8
READ of size 1 at 0x60200000eff5 thread T0
    #0 0x7f0bc10c9587 in internal_fnmatch posix/./fnmatch_loop.c:951:8
    #1 0x7f0bc10b3014 in __GI_fnmatch posix/fnmatch.c:458:10
    #2 0x4c1e3f in main
0x60200000eff5 is located 0 bytes to the right of 5-byte region [0x60200000eff0,0x60200000eff5)
allocated by thread T0 here:
    #0 0x48d23c in __interceptor_strdup
    #1 0x4c1dfe in main

See also https://sourceware.org/bugzilla/show_bug.cgi?id=17062 -- a different bug somewhere similar.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: fweimer at redhat dot com
Date: 2015-02-26 13:58 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18032

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Self-contained test case below.

We skip over the terminating NUL character:

 946	    else if (c == L('[') && *p == L('.'))
 947	      {
 948		++p;
 949		while (1)
 950		  {
 951		    c = *++p;
 952		    if (c == '\0')
 953		      return FNM_NOMATCH;
 954	
 955		    if (*p == L('.') && p[1] == L(']'))
 956		      break;
 957		  }
 958		p += 2;
 959	      }

My initial hunch is that line 948 (“++p;”) should be dropped.

I'm flagging this security+ because it's not far-fetched that this could cause application crashes.

#include <fnmatch.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>

int
main (int argc, char **argv)
{
  long page_size = sysconf (_SC_PAGESIZE);
  if (page_size < 0)
    {
      printf ("sysconf (_SC_PAGESIZE) failed: %m\n");
      return 1;
    }
  char *page = mmap (NULL, 2 * page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (page == MAP_FAILED)
    {
      printf ("mmap failed: %m\n");
      return 1;
    }
  if (mprotect (page + page_size, page_size, PROT_NONE))
    {
      printf ("mprotect failed: %m\n");
      return 1;
    }
  memset (page, ' ', page_size);
  strcpy (page, "[,[.");
  fnmatch (page, ",\\[,[.", 0);
}
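As an added illustration (not code from the bug report or from glibc), the loop quoted in the comment above, re-modelled with bounds-checked reads so that the overread is reported rather than performed: the `buggy` path keeps the extra `++p;` of line 948, the fixed path drops it as the comment's hunch suggests. `check_pattern`, `scan_collating` and the result enum are names chosen here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of scanning one "[.sym.]" collating element. */
enum scan_result { SCAN_FOUND, SCAN_NOMATCH, SCAN_OVERREAD };

/* Model of the fnmatch_loop.c loop. `p` points at the '.' after '[',
   `end` is one past the pattern's terminating NUL. Every dereference is
   bounds-checked, so an out-of-bounds read is reported instead of done. */
static enum scan_result scan_collating(const char *p, const char *end,
                                       int buggy, size_t *consumed)
{
    const char *start = p;
    if (buggy)
        ++p;                 /* the extra "++p;" (line 948): may land on NUL */
    for (;;) {
        ++p;                 /* "c = *++p;" steps over whatever p held */
        if (p >= end)
            return SCAN_OVERREAD;   /* glibc would read past the buffer here */
        char c = *p;
        if (c == '\0')
            return SCAN_NOMATCH;    /* unterminated [. .] */
        /* c != NUL implies p + 1 < end, so p[1] is in bounds. */
        if (c == '.' && p[1] == ']')
            break;
    }
    p += 2;                  /* skip the closing ".]" */
    *consumed = (size_t)(p - start);
    return SCAN_FOUND;
}

/* Locate the first "[." in a NUL-terminated pattern and scan from there. */
enum scan_result check_pattern(const char *pattern, int buggy, size_t *consumed)
{
    const char *q = strstr(pattern, "[.");
    if (q == NULL)
        return SCAN_NOMATCH;
    return scan_collating(q + 1, pattern + strlen(pattern) + 1, buggy, consumed);
}

int main(void)
{
    static const char *names[] = { "found", "nomatch", "OVERREAD" };
    size_t n = 0;
    /* The reporter's pattern, which ends right after "[." */
    printf("buggy: %s\n", names[check_pattern("[,[.", 1, &n)]);
    printf("fixed: %s\n", names[check_pattern("[,[.", 0, &n)]);
    return 0;
}
```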
* [Bug dynamic-link/18035] New: pldd does no longer work, enters infinite loop
From: fweimer at redhat dot com
Date: Thu, 26 Feb 2015 14:18:00 -0000
To: glibc-bugs@sourceware.org

https://sourceware.org/bugzilla/show_bug.cgi?id=18035

Bug ID: 18035
Summary: pldd does no longer work, enters infinite loop
Product: glibc
Version: 2.20
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Flags: security-

This just hangs:

$ pldd $$
17928:	/usr/bin/bash

It loops around in pldd-xx.c, here (line numbers are from glibc 2.20 in Fedora 21):

 201	      again:
 202	      while (1)
 203		{
 204		  ssize_t n = pread64 (memfd, str, strsize, name_offset);
 205		  if (n == -1)
 206		    {
 207		      error (0, 0, gettext ("cannot read object name"));
 208		      return EXIT_FAILURE;
 209		    }
 210	
 211		  if (memchr (str, '\0', n) != NULL)
 212		    break;
 213	
 214		  str = extend_alloca (str, strsize, strsize * 2);
 215		}
 216	
 217	      if (str[0] == '\0' && name_offset == m.l_name
 218		  && m.l_libname != 0)
 219		{
 220		  /* Try the l_libname element.  */
 221		  struct E(libname_list) ln;
 222		  if (pread64 (memfd, &ln, sizeof (ln), m.l_libname) == sizeof (ln))
 223		    {
 224		      name_offset = ln.name;
 225		      goto again;
 226		    }
 227		}

(I see a similar issue in master.)
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: cvs-commit at gcc dot gnu.org
Date: 2015-02-26 15:06 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18032

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  4a28f4d55a6cc33474c0792fe93b5942d81bf185 (commit)
      from  524ae9ea2e3ae9f5bf5d655595fda827e9dc50a1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185

commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 26 14:55:24 2015 +0100

    Fix read past end of pattern in fnmatch (bug 18032)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            | 7 +++++++
 NEWS                 | 2 +-
 posix/fnmatch_loop.c | 5 ++---
 posix/tst-fnmatch3.c | 8 +++++---
 4 files changed, 15 insertions(+), 7 deletions(-)
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: schwab@linux-m68k.org
Date: 2015-02-26 15:15 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18032

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.22

--- Comment #3 from Andreas Schwab <schwab@linux-m68k.org> ---
Fixed in 2.22.
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: cvs-commit at gcc dot gnu.org
Date: 2015-07-21 2:32 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18032

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.21/master has been updated
       via  fe7b1136e5753c85b3ccc8395dfc66b82052d73c (commit)
      from  d679497db20c23e3aaaa150821ce9134cc666a18 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fe7b1136e5753c85b3ccc8395dfc66b82052d73c

commit fe7b1136e5753c85b3ccc8395dfc66b82052d73c
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 26 14:55:24 2015 +0100

    Fix read past end of pattern in fnmatch (bug 18032)

    (cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            | 7 +++++++
 NEWS                 | 2 +-
 posix/fnmatch_loop.c | 5 ++---
 posix/tst-fnmatch3.c | 8 +++++---
 4 files changed, 15 insertions(+), 7 deletions(-)
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: vapier at gentoo dot org
Date: 2015-07-21 2:36 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18032

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.gentoo.org/show_bug.cgi?id=541542
* [Bug libc/18032] buffer overflow (read past end of buffer) in internal_fnmatch
From: cvs-commit at gcc dot gnu.org
Date: 2015-07-21 3:50 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18032

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, gentoo/2.21 has been updated
       via  5af500db3c6abef8810253e51d428b406f24320d (commit)
      from  1c416311f5d92922788c1bef42de5b9ccd812bac (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5af500db3c6abef8810253e51d428b406f24320d

commit 5af500db3c6abef8810253e51d428b406f24320d
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 26 14:55:24 2015 +0100

    Fix read past end of pattern in fnmatch (bug 18032)

    (cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)
    (cherry picked from commit fe7b1136e5753c85b3ccc8395dfc66b82052d73c)

-----------------------------------------------------------------------

Summary of changes:
 posix/fnmatch_loop.c | 5 ++---
 posix/tst-fnmatch3.c | 8 +++++---
 2 files changed, 7 insertions(+), 6 deletions(-)