public inbox for glibc-bugs@sourceware.org
* [Bug libc/18036] New: buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: konstantin.s.serebryany at gmail dot com @ 2015-02-26 18:12 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18036
Bug ID: 18036
Summary: buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com
Flags: security+
Similar to https://sourceware.org/bugzilla/show_bug.cgi?id=18032
but in a different place:
#define _GNU_SOURCE          /* needed for FNM_EXTMATCH in glibc's <fnmatch.h> */
#include <fnmatch.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <assert.h>

int main(int argc, const char* argv[]) {
  long page_size = sysconf (_SC_PAGESIZE);
  assert(page_size > 0);
  /* Map two pages and make the second one inaccessible, so any read that
     runs off the end of the first page faults instead of going unnoticed. */
  char *page = mmap (NULL, 2 * page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  assert(page != MAP_FAILED);
  assert(!mprotect (page + page_size, page_size, PROT_NONE));
  /* Fill the readable page with non-NUL filler, then put the pattern at
     its start; the only NUL in the page is the pattern's terminator. */
  memset (page, ' ', page_size);
  const char p[] = "**(!()";
  strcpy(page, p);
  /* end_pattern() keeps scanning past the terminating NUL, through the
     filler and into the guard page: SIGSEGV. */
  fnmatch(page, p, FNM_EXTMATCH);
}
gcc fn3.c && ./a.out
Segmentation fault (core dumped)
gdb:
(gdb) bt
#0 0x00007ffff7adaf4b in end_pattern (pattern=pattern@entry=0x7ffff7ff6002
"(!()") at fnmatch_loop.c:1032
#1 0x00007ffff7adcbb9 in internal_fnmatch (pattern=<optimized out>,
string=string@entry=0x7fffffffdcd0 "**(!()", string_end=0x7fffffffdcd6 "",
no_leading_period=no_leading_period@entry=0,
flags=flags@entry=32, ends=ends@entry=0x0, alloca_used=alloca_used@entry=0)
at fnmatch_loop.c:128
#2 0x00007ffff7addf72 in __fnmatch (pattern=0x7ffff7ff6000 "**(!()",
string=0x7fffffffdcd0 "**(!()", flags=32) at fnmatch.c:458
#3 0x000000000040084a in main ()
Reproduces on 2.19 and fresh trunk. Marking as security+ similar to bug 18032.
Since bug 18032 has been fixed promptly, I assume you don't mind these reports.
--
You are receiving this mail because:
You are on the CC list for the bug.
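The mmap/mprotect trick in the reproducer above, generalised into a small harness. This is an added example, not code from the bug report or from glibc; guarded_strdup(), ends_at_page_boundary() and fnmatch_guarded() are names introduced here. Each string under test is copied so that its terminating NUL is the last byte before a PROT_NONE page, so a matcher that reads even one byte past the terminator faults immediately instead of silently consuming whatever follows the buffer. On a glibc that carries the fix for BZ 18036 the extended-match call returns normally; on an unfixed one it faults in end_pattern() exactly as in the backtrace.

```c
/* Guard-page harness for catching reads past a NUL terminator.
 * Added example (not the bug report's code): the string under test
 * ends exactly one byte before an inaccessible page. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* FNM_EXTMATCH is a GNU extension */
#endif
#include <fnmatch.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy S into fresh anonymous pages so that its terminating NUL is the
 * last byte before a PROT_NONE guard page.  Returns NULL on failure.
 * The mapping is deliberately never unmapped: this is a test harness. */
char *guarded_strdup(const char *s)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return NULL;
    size_t psz = (size_t)page;
    size_t len = strlen(s) + 1;                 /* include the NUL */
    size_t npages = (len + psz - 1) / psz;      /* readable pages needed */
    size_t total = (npages + 1) * psz;          /* plus one guard page */
    char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    char *guard = base + npages * psz;          /* page-aligned by mmap */
    if (mprotect(guard, psz, PROT_NONE) != 0) {
        munmap(base, total);
        return NULL;
    }
    char *dst = guard - len;                    /* NUL lands at guard - 1 */
    memcpy(dst, s, len);
    return dst;
}

/* 1 if P's terminating NUL is the last byte before a page boundary,
 * i.e. P was placed the way guarded_strdup() places strings. */
int ends_at_page_boundary(const char *p)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t end = (uintptr_t)p + strlen(p) + 1;
    return page > 0 && end % (uintptr_t)page == 0;
}

/* fnmatch() with both the pattern and the string backed by guard pages.
 * Returns -1 if the harness itself could not set up the mappings. */
int fnmatch_guarded(const char *pattern, const char *string, int flags)
{
    char *gp = guarded_strdup(pattern);
    char *gs = guarded_strdup(string);
    if (gp == NULL || gs == NULL)
        return -1;
    return fnmatch(gp, gs, flags);
}

int main(void)
{
    printf("*.c vs foo.c : %d\n", fnmatch_guarded("*.c", "foo.c", 0));
    printf("*.c vs foo.h : %d\n", fnmatch_guarded("*.c", "foo.h", 0));
#ifdef FNM_EXTMATCH
    /* The reporter's pattern.  Faults inside end_pattern() on a glibc
     * without the BZ 18036 fix; returns normally on a fixed one. */
    printf("**(!() extmatch : %d\n",
           fnmatch_guarded("**(!()", "**(!()", FNM_EXTMATCH));
#endif
    return 0;
}
```

Placing the terminator flush against the guard page is stricter than the reporter's layout (pattern at the start of the page, followed by filler): here a single over-read faults, whereas filler only catches a scan that walks all the way to the page end. The same helper can wrap any string-consuming API under test, not just fnmatch().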
* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: ppluzhnikov at google dot com @ 2015-02-26 18:22 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18036
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ppluzhnikov at google dot com
--- Comment #1 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
> I assume you don't mind these reports
We welcome our new fuzzing overlords!
* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: ppluzhnikov at google dot com @ 2015-02-28 5:07 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18036
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at sourceware dot org |ppluzhnikov at google dot com
* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: cvs-commit at gcc dot gnu.org @ 2015-03-02 21:37 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18036
--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61 (commit)
from e8b6be0016f131c2ac72bf3213eabdb59800e63b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61
commit c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Mon Mar 2 13:34:22 2015 -0800
Fix BZ 18036 buffer overflow (read past end of buffer) in internal_fnmatch
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 ++++++
NEWS | 4 ++--
posix/fnmatch_loop.c | 7 ++++++-
posix/tst-fnmatch3.c | 22 +++++++++++++++++++++-
4 files changed, 35 insertions(+), 4 deletions(-)
* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: ppluzhnikov at google dot com @ 2015-03-02 21:38 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18036
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Fixed.
* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: helmut at subdivi dot de @ 2023-06-06 12:24 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18036
Helmut Grohne <helmut at subdivi dot de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |helmut at subdivi dot de
--- Comment #5 from Helmut Grohne <helmut at subdivi dot de> ---
While this bug has been tracked together with
https://sourceware.org/bugzilla/show_bug.cgi?id=18032 as CVE-2015-8984 e.g. in
Red Hat https://bugzilla.redhat.com/show_bug.cgi?id=1197730#c3, that's not
universally the case and e.g. Debian missed this fix in Debian 8 while
including the other. As such, I think it would be best to track these
separately using separate CVE identifiers. Would you want to request one or
should I request via the standard MITRE interface?
* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: carnil at debian dot org @ 2023-06-25 20:38 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18036
Salvatore Bonaccorso <carnil at debian dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2015-20109
CC| |carnil at debian dot org
* [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
From: carnil at debian dot org @ 2023-06-25 20:38 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18036
--- Comment #6 from Salvatore Bonaccorso <carnil at debian dot org> ---
CVE-2015-20109 got assigned for this issue.