public inbox for glibc-bugs@sourceware.org
* [Bug libc/18036] New: buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: konstantin.s.serebryany at gmail dot com @ 2015-02-26 18:12 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

            Bug ID: 18036
           Summary: buffer overflow (read past end of buffer) in
                    internal_fnmatch=>end_pattern with "**(!()" pattern
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com
             Flags: security+

Similar to https://sourceware.org/bugzilla/show_bug.cgi?id=18032
but in a different place: 

#include <fnmatch.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <assert.h>
int main(int argc, const char* argv[]) {
  long page_size = sysconf (_SC_PAGESIZE);
  assert(page_size > 0);
  /* Two pages: the first holds the pattern, the second is made
     inaccessible so that any read past it faults immediately. */
  char *page = mmap (NULL, 2 * page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  assert(page != MAP_FAILED);
  assert(!mprotect (page + page_size, page_size, PROT_NONE));
  /* Fill the first page with non-NUL bytes and put the pattern at its
     start: a scan that ignores the terminating NUL walks through the
     spaces and into the guard page. */
  memset (page, ' ', page_size);
  const char p[] = "**(!()";
  strcpy(page, p);
  fnmatch(page, p, FNM_EXTMATCH);
  return 0;
}


gcc fn3.c && ./a.out 
Segmentation fault (core dumped)


gdb:
(gdb) bt
#0  0x00007ffff7adaf4b in end_pattern (pattern=pattern@entry=0x7ffff7ff6002 "(!()") at fnmatch_loop.c:1032
#1  0x00007ffff7adcbb9 in internal_fnmatch (pattern=<optimized out>, string=string@entry=0x7fffffffdcd0 "**(!()", string_end=0x7fffffffdcd6 "", no_leading_period=no_leading_period@entry=0, flags=flags@entry=32, ends=ends@entry=0x0, alloca_used=alloca_used@entry=0) at fnmatch_loop.c:128
#2  0x00007ffff7addf72 in __fnmatch (pattern=0x7ffff7ff6000 "**(!()", string=0x7fffffffdcd0 "**(!()", flags=32) at fnmatch.c:458
#3  0x000000000040084a in main ()

Reproduces on 2.19 and fresh trunk. Marking as security+ similar to bug 18032.
Since bug 18032 has been fixed promptly, I assume you don't mind these reports.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


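As an added example (not the reporter's code and not glibc's), the guard-page technique from the reproducer made reusable for regression testing any string-consuming API on Linux/glibc: the input is copied so its terminating NUL is the last byte before a PROT_NONE page, and the callee runs in a forked child, so a read past the NUL shows up as a SIGSEGV exit of the child rather than a crash of the test itself. `overread_one` is a constructed stand-in for the pre-fix scan; on a glibc carrying the fix for this bug, the report's pattern under FNM_EXTMATCH stays in bounds and the harness returns 0.

```c
#define _GNU_SOURCE 1
#include <fnmatch.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef FNM_EXTMATCH
#define FNM_EXTMATCH 0 /* libc without the GNU extension: plain POSIX matching */
#endif

/* Copy s into a fresh mapping so that its terminating NUL is the last byte
 * before a PROT_NONE guard page: the first read past the NUL faults. */
static char *guarded_copy(const char *s)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len = strlen(s) + 1;
    if (page <= 0 || len > (size_t)page) return NULL;
    char *m = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED || mprotect(m + page, page, PROT_NONE) != 0) return NULL;
    return memcpy(m + page - len, s, len);
}

/* Run fn(guarded copy of s) in a child.  1 = fn faulted, i.e. it read past
 * the terminating NUL; 0 = it stayed in bounds; -1 = harness failure. */
static int reads_past_end(void (*fn)(const char *), const char *s)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *g = guarded_copy(s);
        if (g == NULL) _exit(2);
        fn(g);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS))
        return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed stand-in for the pre-fix end_pattern scan: reads one byte past NUL. */
static void overread_one(const char *s) { volatile char c = s[strlen(s) + 1]; (void)c; }

/* The report's call: the pattern matched against itself under FNM_EXTMATCH. */
static void call_fnmatch_ext(const char *p) { fnmatch(p, p, FNM_EXTMATCH); }
```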

* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: ppluzhnikov at google dot com @ 2015-02-26 18:22 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot com

--- Comment #1 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
> I assume you don't mind these reports

We welcome our new fuzzing overlords!


* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: ppluzhnikov at google dot com @ 2015-02-28  5:07 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |ppluzhnikov at google dot com


* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: cvs-commit at gcc dot gnu.org @ 2015-03-02 21:37 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61 (commit)
      from  e8b6be0016f131c2ac72bf3213eabdb59800e63b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61

commit c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Mon Mar 2 13:34:22 2015 -0800

    Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            |    6 ++++++
 NEWS                 |    4 ++--
 posix/fnmatch_loop.c |    7 ++++++-
 posix/tst-fnmatch3.c |   22 +++++++++++++++++++++-
 4 files changed, 35 insertions(+), 4 deletions(-)


* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: ppluzhnikov at google dot com @ 2015-03-02 21:38 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Fixed.


* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: helmut at subdivi dot de @ 2023-06-06 12:24 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Helmut Grohne <helmut at subdivi dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |helmut at subdivi dot de

--- Comment #5 from Helmut Grohne <helmut at subdivi dot de> ---
While this bug has been tracked together with
https://sourceware.org/bugzilla/show_bug.cgi?id=18032 as CVE-2015-8984, e.g. in
Red Hat https://bugzilla.redhat.com/show_bug.cgi?id=1197730#c3, that's not
universally the case, and e.g. Debian missed this fix in Debian 8 while
including the other. As such, I think it would be best to track these
separately using separate CVE identifiers. Would you want to request one, or
should I request via the standard MITRE interface?


* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: carnil at debian dot org @ 2023-06-25 20:38 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Salvatore Bonaccorso <carnil at debian dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2015-20109
                 CC|                            |carnil at debian dot org


* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: carnil at debian dot org @ 2023-06-25 20:38 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

--- Comment #6 from Salvatore Bonaccorso <carnil at debian dot org> ---
CVE-2015-20109 got assigned for this issue.

