From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <glibc-bugs-return-27643-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Received: (qmail 30896 invoked by alias); 26 Feb 2015 02:43:43 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Received: (qmail 30850 invoked by uid 48); 26 Feb 2015 02:43:39 -0000
From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18032] New: buffer overflow (read past end of buffer) in internal_fnmatch
Date: Thu, 26 Feb 2015 02:43:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.21
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: konstantin.s.serebryany at gmail dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc
Message-ID: <bug-18032-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-02/txt/msg00378.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=18032

            Bug ID: 18032
           Summary: buffer overflow (read past end of buffer) in
                    internal_fnmatch
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com

#include <fnmatch.h>
#include <string.h>
int main(int argc, const char* argv[]) {
  const char text[] = {44, 92, 91, 44, 91, 46, 0};
  const char p[] = {91, 44, 91, 46, 0};
  const char *Pat = strdup(p);
  fnmatch(Pat, text, 0);
}

gcc -g fn2.c && valgrind ./a.out # 2.19

==32342== Invalid read of size 1
==32342==    at 0x4EFEF92: internal_fnmatch (fnmatch_loop.c:965)
==32342==    by 0x4EFFF71: fnmatch@@GLIBC_2.2.5 (fnmatch.c:458)
==32342==    by 0x400663: main (fn2.c:7)
==32342==  Address 0x51fc045 is 0 bytes after a block of size 5 alloc'd
==32342==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==32342==    by 0x4EBF3C9: strdup (strdup.c:42)
==32342==    by 0x400647: main (fn2.c:6)

Reproduced on 2.19 and on fresh trunk; 
initially found with an experimental AddressSanitizer build of glibc and
a coverage guided fuzzer. 

# trunk

==32737==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000eff5 at pc 0x7f0bc10c9588 bp 0x7fff4676fef0 sp 0x7fff4676fee8
READ of size 1 at 0x60200000eff5 thread T0
    #0 0x7f0bc10c9587 in internal_fnmatch posix/./fnmatch_loop.c:951:8
    #1 0x7f0bc10b3014 in __GI_fnmatch posix/fnmatch.c:458:10
    #2 0x4c1e3f in main

0x60200000eff5 is located 0 bytes to the right of 5-byte region
[0x60200000eff0,0x60200000eff5)
allocated by thread T0 here:
    #0 0x48d23c in __interceptor_strdup 
    #1 0x4c1dfe in main


See also https://sourceware.org/bugzilla/show_bug.cgi?id=17062 -- a different
bug somewhere similar.

-- 
You are receiving this mail because:
You are on the CC list for the bug.