[Bug libc/18036] New: buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

[Bug libc/18036] New: buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

[konstantin.s.serebryany at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

            Bug ID: 18036
           Summary: buffer overflow (read past end of buffer) in
                    internal_fnmatch=>end_pattern with "**(!()" pattern
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com
             Flags: security+

Similar to https://sourceware.org/bugzilla/show_bug.cgi?id=18032
but in a different place: 

#include <fnmatch.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <assert.h>
int main(int argc, const char* argv[]) {
  long page_size = sysconf (_SC_PAGESIZE);
  assert(page_size > 0);
  char *page = mmap (NULL, 2 * page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  assert(page != MAP_FAILED);
  assert(!mprotect (page + page_size, page_size, PROT_NONE));
  memset (page, ' ', page_size);
  const char p[] = "**(!()";
  strcpy(page, p); 
  fnmatch(page, p, FNM_EXTMATCH);
} 


gcc fn3.c && ./a.out 
Segmentation fault (core dumped)


gdb: 
(gdb) bt
#0  0x00007ffff7adaf4b in end_pattern (pattern=pattern@entry=0x7ffff7ff6002
"(!()") at fnmatch_loop.c:1032
#1  0x00007ffff7adcbb9 in internal_fnmatch (pattern=<optimized out>,
string=string@entry=0x7fffffffdcd0 "**(!()", string_end=0x7fffffffdcd6 "",
no_leading_period=no_leading_period@entry=0, 
    flags=flags@entry=32, ends=ends@entry=0x0, alloca_used=alloca_used@entry=0)
at fnmatch_loop.c:128
#2  0x00007ffff7addf72 in __fnmatch (pattern=0x7ffff7ff6000 "**(!()",
string=0x7fffffffdcd0 "**(!()", flags=32) at fnmatch.c:458
#3  0x000000000040084a in main ()

Reproduces on 2.19 and fresh trunk. Marking as security+ similar to bug 18032
Since bug 18032 has been fixed promptly I assume you don't mind these reports.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

[ppluzhnikov at google dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot com

--- Comment #1 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
> I assume you don't mind these reports

We welcome our new fuzzing overlords!

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

[ppluzhnikov at google dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |ppluzhnikov at google dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61 (commit)
      from  e8b6be0016f131c2ac72bf3213eabdb59800e63b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61

commit c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Mon Mar 2 13:34:22 2015 -0800

    Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            |    6 ++++++
 NEWS                 |    4 ++--
 posix/fnmatch_loop.c |    7 ++++++-
 posix/tst-fnmatch3.c |   22 +++++++++++++++++++++-
 4 files changed, 35 insertions(+), 4 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

[ppluzhnikov at google dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Fixed.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

[helmut at subdivi dot de]

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Helmut Grohne <helmut at subdivi dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |helmut at subdivi dot de

--- Comment #5 from Helmut Grohne <helmut at subdivi dot de> ---
While this bug has been tracked together with
https://sourceware.org/bugzilla/show_bug.cgi?id=18032 as CVE-2015-8984 e.g. in
RedHat https://bugzilla.redhat.com/show_bug.cgi?id=1197730#c3, that's not
universally the case and e.g. Debian missed this fix in Debian 8 while
including the other. As such, I think it would be best to track these
separately using separate CVE identifiers. Would you want to request one or
should I request via the standard mitre interface?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

[carnil at debian dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

Salvatore Bonaccorso <carnil at debian dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2015-20109
                 CC|                            |carnil at debian dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

[carnil at debian dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

--- Comment #6 from Salvatore Bonaccorso <carnil at debian dot org> ---
CVE-2015-20109 got assigned for this issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.