public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18032] New: buffer overflow (read past end of buffer) in internal_fnmatch
Date: Thu, 26 Feb 2015 02:43:00 -0000 [thread overview]
Message-ID: <bug-18032-131@http.sourceware.org/bugzilla/> (raw)
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
Bug ID: 18032
Summary: buffer overflow (read past end of buffer) in
internal_fnmatch
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com
#include <fnmatch.h>
#include <string.h>
int main(int argc, const char* argv[]) {
const char text[] = {44, 92, 91, 44, 91, 46, 0};
const char p[] = {91, 44, 91, 46, 0};
const char *Pat = strdup(p);
fnmatch(Pat, text, 0);
}
gcc -g fn2.c && valgrind ./a.out # 2.19
==32342== Invalid read of size 1
==32342== at 0x4EFEF92: internal_fnmatch (fnmatch_loop.c:965)
==32342== by 0x4EFFF71: fnmatch@@GLIBC_2.2.5 (fnmatch.c:458)
==32342== by 0x400663: main (fn2.c:7)
==32342== Address 0x51fc045 is 0 bytes after a block of size 5 alloc'd
==32342== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==32342== by 0x4EBF3C9: strdup (strdup.c:42)
==32342== by 0x400647: main (fn2.c:6)
Reproduced on 2.19 and on fresh trunk;
initially found with an experimental AddressSanitizer build of glibc and
a coverage guided fuzzer.
# trunk
==32737==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000eff5 at pc 0x7f0bc10c9588 bp 0x7fff4676fef0 sp 0x7fff4676fee8
READ of size 1 at 0x60200000eff5 thread T0
#0 0x7f0bc10c9587 in internal_fnmatch posix/./fnmatch_loop.c:951:8
#1 0x7f0bc10b3014 in __GI_fnmatch posix/fnmatch.c:458:10
#2 0x4c1e3f in main
0x60200000eff5 is located 0 bytes to the right of 5-byte region
[0x60200000eff0,0x60200000eff5)
allocated by thread T0 here:
#0 0x48d23c in __interceptor_strdup
#1 0x4c1dfe in main
See also https://sourceware.org/bugzilla/show_bug.cgi?id=17062 -- a different
bug somewhere similar.
--
You are receiving this mail because:
You are on the CC list for the bug.
next reply other threads:[~2015-02-26 2:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-26 2:43 konstantin.s.serebryany at gmail dot com [this message]
2015-02-26 13:58 ` [Bug libc/18032] " fweimer at redhat dot com
2015-02-26 15:06 ` cvs-commit at gcc dot gnu.org
2015-02-26 15:15 ` schwab@linux-m68k.org
2015-07-21 2:32 ` cvs-commit at gcc dot gnu.org
2015-07-21 2:36 ` vapier at gentoo dot org
2015-07-21 3:50 ` cvs-commit at gcc dot gnu.org
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-18032-131@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=glibc-bugs@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).