public inbox for glibc-bugs@sourceware.org
* [Bug libc/18043] New: buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-02-26 23:10 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

            Bug ID: 18043
           Summary: buffer-overflow (read past the end) in
                    wordexp/parse_dollars/parse_param
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com
             Flags: security+

#include <wordexp.h>
#include <string.h>
int main() {
  char *p = strdup("${");
  wordexp_t w;
  wordexp(p, &w, 0);
}

==15405== Invalid read of size 1
==15405==    at 0x4F1DE5C: parse_param (wordexp.c:1428)
==15405==    by 0x4F1DE5C: parse_dollars (wordexp.c:2102)
==15405==    by 0x4F1FFEB: wordexp (wordexp.c:2348)
==15405==    by 0x4005AA: main
==15405==  Address 0x51fb043 is 0 bytes after a block of size 3 alloc'd
==15405==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==15405==    by 0x4EBE839: strdup (strdup.c:42)
==15405==    by 0x40058E: main

This time it's unclear to me how bad this bug is because 
the man page explicitly says that 
"there must not be any unescaped newline or |, &, ;, <, >, (, ), {, }
characters"
OTOH, buffer overflow is still a bit too much. 

2.19 and fresh trunk are affected.
Same fuzzer, see https://sourceware.org/glibc/wiki/FuzzingLibc

-- 
You are receiving this mail because:
You are on the CC list for the bug.


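The man page restriction quoted in the report is something a caller can enforce before wordexp() ever sees the string. The check below is an added example written for this page, not code from the report or from glibc: it rejects any unquoted, unescaped newline or | & ; < > ( ) { } (braces are accepted only as part of a ${...} substitution, so an unterminated "${" is rejected as unbalanced), and the wrapper passes WRDE_NOCMD, so command substitution ($(...) and backticks) is refused outright even inside double quotes. The names wordexp_input_ok and safe_wordexp are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Return 1 if `s` satisfies the wordexp(3) input restriction: no unescaped,
   unquoted newline or | & ; < > ( ) { } outside a ${...} substitution.
   Command substitution ($(...) and backticks) is rejected even when quoted,
   because safe_wordexp() below runs with WRDE_NOCMD anyway. */
int wordexp_input_ok(const char *s)
{
    int sq = 0, dq = 0, brace = 0;   /* in '...', in "...", ${ nesting depth */
    for (; *s != '\0'; s++) {
        char c = *s;
        if (sq) {                        /* single quotes: everything literal */
            if (c == '\'') sq = 0;
            continue;
        }
        if (c == '\\') {                 /* backslash escapes the next char */
            if (s[1] == '\0') return 0;  /* dangling backslash */
            s++;
            continue;
        }
        if (c == '"') { dq = !dq; continue; }
        if (c == '\'' && !dq) { sq = 1; continue; }
        if (c == '$' && s[1] == '{') { brace++; s++; continue; }
        if (c == '$' && s[1] == '(') return 0;   /* command substitution */
        if (c == '`') return 0;
        if (c == '}') {                  /* closes a ${, otherwise stray */
            if (brace > 0) brace--;
            else if (!dq) return 0;
            continue;
        }
        if (dq) continue;                /* everything else is quoted */
        if (c == '\n' || strchr("|&;<>(){", c) != NULL) return 0;
    }
    /* unterminated quote or ${ (the report's "${" and "L${a:" end up here) */
    return !sq && !dq && brace == 0;
}

/* Expand `words` only after it passes the check; command substitution is
   disabled. Returns -1 if the input was rejected (out is untouched), else
   wordexp()'s own status; on 0 the caller owns *out and must wordfree() it. */
int safe_wordexp(const char *words, wordexp_t *out)
{
    if (!wordexp_input_ok(words))
        return -1;
    return wordexp(words, out, WRDE_NOCMD);
}

int main(void)
{
    /* constructed inputs: the report's two crashers plus some valid words */
    const char *inputs[] = { "${HOME}/docs", "'a|b' c", "${", "L${a:", "$(date)" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        wordexp_t w;
        int rc = safe_wordexp(inputs[i], &w);
        if (rc == -1)
            printf("%-14s rejected before calling wordexp()\n", inputs[i]);
        else if (rc != 0)
            printf("%-14s wordexp() failed with status %d\n", inputs[i], rc);
        else {
            printf("%-14s -> %zu word(s)\n", inputs[i], w.we_wordc);
            wordfree(&w);
        }
    }
    return 0;
}
```

The check is deliberately stricter than POSIX in one respect: POSIX permits the special characters inside a command substitution, but since the wrapper disables command substitution anyway there is no reason to let "$(" through.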

* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: ppluzhnikov at google dot com @ 2015-02-28  3:49 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot com
           Assignee|unassigned at sourceware dot org   |ppluzhnikov at google dot com


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: cvs-commit at gcc dot gnu.org @ 2015-03-06 17:14 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  895c30cb003857b52c1675f9078e6a799b231bcb (commit)
      from  5df56c7e3a236b39b3395e042015b541172f652b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=895c30cb003857b52c1675f9078e6a799b231bcb

commit 895c30cb003857b52c1675f9078e6a799b231bcb
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Fri Mar 6 09:13:16 2015 -0800

    Fix BZ #18043: buffer-overflow (read past the end) in
    wordexp/parse_dollars/parse_param

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            |    6 ++++++
 NEWS                 |    2 +-
 posix/wordexp-test.c |   31 +++++++++++++++++++++++++++++++
 posix/wordexp.c      |    2 +-
 4 files changed, 39 insertions(+), 2 deletions(-)


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: ppluzhnikov at google dot com @ 2015-03-06 17:16 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Fixed.


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: cvs-commit at gcc dot gnu.org @ 2015-03-09  4:39 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  36103ba2f5db530bff24896dfc9076955fba3b5f (commit)
      from  18d26750dd8fd328a78cf639fd0ec2494680a2a4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=36103ba2f5db530bff24896dfc9076955fba3b5f

commit 36103ba2f5db530bff24896dfc9076955fba3b5f
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Sun Mar 8 21:37:31 2015 -0700

    Refactor wordexp-test.c such that words always ends at the edge of
    unreadable page.

    This makes it easy to catch overflows, such as BZ #18043 (and BZ #18042).

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            |    8 ++++++
 posix/wordexp-test.c |   67 ++++++++++++++++++++++++++-----------------------
 2 files changed, 44 insertions(+), 31 deletions(-)

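The test refactoring in this commit is a general over-read detector: if the word's terminating NUL is the last byte before a PROT_NONE page, a parser that reads one byte too far faults immediately instead of returning whatever happens to follow on the heap (which is what Valgrind and ASan had to flag in this bug). The code below is an added example of that layout written for this page; it is not glibc's wordexp-test.c. The names place_at_page_edge, release_page_edge and the two self-test functions are the example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#include <wordexp.h>

static size_t page_size(void)
{
    long p = sysconf(_SC_PAGESIZE);
    return p > 0 ? (size_t)p : 4096;
}

/* Round len up to a whole number of pages, in bytes. */
static size_t pages_for(size_t len, size_t page)
{
    return ((len + page - 1) / page) * page;
}

/* Copy `word` (NUL included) so that the terminator is the last byte of a
   readable page and the following page is mapped PROT_NONE. Any read past
   the terminator then faults instead of silently reading neighbouring memory. */
char *place_at_page_edge(const char *word)
{
    size_t page = page_size();
    size_t len = strlen(word) + 1;
    size_t data = pages_for(len, page);
    char *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + data, page, PROT_NONE) != 0) {   /* guard page */
        munmap(base, data + page);
        return NULL;
    }
    char *p = base + data - len;   /* string ends exactly at the guard page */
    memcpy(p, word, len);
    return p;
}

/* Unmap a buffer obtained from place_at_page_edge() (data pages + guard).
   The string always starts in the first data page, so rounding p down to a
   page boundary recovers the mapping base. */
void release_page_edge(char *p)
{
    size_t page = page_size();
    size_t data = pages_for(strlen(p) + 1, page);
    char *base = (char *)((uintptr_t)p & ~((uintptr_t)page - 1));
    munmap(base, data + page);
}

/* Self-check: the copy is intact and its NUL is the last byte of a page. */
int page_edge_selftest(const char *word)
{
    char *p = place_at_page_edge(word);
    if (!p) return 0;
    int ok = strcmp(p, word) == 0 &&
             (((uintptr_t)p + strlen(p) + 1) % page_size()) == 0;
    release_page_edge(p);
    return ok;
}

/* Same check for a constructed word of n bytes (exercises multi-page words). */
int page_edge_selftest_len(size_t n)
{
    char *word = malloc(n + 1);
    if (!word) return 0;
    memset(word, 'a', n);
    word[n] = '\0';
    int ok = page_edge_selftest(word);
    free(word);
    return ok;
}

int main(void)
{
    /* The report's "${" input at a page edge: on an unfixed glibc the
       parse_param over-read faults here; on a fixed one wordexp() simply
       returns an error status. */
    char *p = place_at_page_edge("${");
    if (!p) return 1;
    wordexp_t w;
    int rc = wordexp(p, &w, WRDE_NOCMD);
    printf("wordexp(\"%s\") returned %d\n", p, rc);
    if (rc == 0) wordfree(&w);
    release_page_edge(p);
    return 0;
}
```

The same layout works for any string-consuming API under test; it costs two mmap'd pages per input and needs no sanitizer, so it is cheap to keep in a regular test suite.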

* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09  6:21 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Kostya Serebryany <konstantin.s.serebryany at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #4 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
Thanks for the fix. There is one more, very similar looking bug, 
but it still reproduces after your fix. 

#include <wordexp.h>
#include <string.h>
int main() {
  char *p = strdup("L${a:");
  wordexp_t w;
  wordexp(p, &w, 0);
}

==26576== Invalid read of size 1
==26576==    at 0x4F1DEB4: parse_param (wordexp.c:1366)
==26576==    by 0x4F1DEB4: parse_dollars (wordexp.c:2102)
==26576==    by 0x4F1FFEB: wordexp (wordexp.c:2348)
==26576==    by 0x4005AA: main (we4.c:6)
==26576==  Address 0x51fb046 is 0 bytes after a block of size 6 alloc'd
==26576==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==26576==    by 0x4EBE839: strdup (strdup.c:42)
==26576==    by 0x40058E: main (we4.c:4)
==26576== 

(reopening this bug instead of creating a new one for simplicity)


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: cvs-commit at gcc dot gnu.org @ 2015-03-09 14:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  5f85a4bf9460b953a35f2beae54acaa8c1310a29 (commit)
      from  95f386609f378063b35e0c4ede8c2d2ceea91f51 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5f85a4bf9460b953a35f2beae54acaa8c1310a29

commit 5f85a4bf9460b953a35f2beae54acaa8c1310a29
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Mon Mar 9 07:22:36 2015 -0700

    Fix BZ #18043 (c4): buffer-overflow (read past the end) in
    wordexp/parse_dollars/parse_param

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            |    6 ++++++
 posix/wordexp-test.c |    5 +++--
 posix/wordexp.c      |    3 ++-
 3 files changed, 11 insertions(+), 3 deletions(-)


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: ppluzhnikov at google dot com @ 2015-03-09 14:28 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Second case fixed.


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 16:42 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Kostya Serebryany <konstantin.s.serebryany at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #7 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
(In reply to Paul Pluzhnikov from comment #6)
> Second case fixed.

I've tweaked the fuzzer a bit and it produced something else: 

pattern: "${Ca+da}"

This time reproducible only on glibc trunk so I can't reproduce with valgrind.
Can you see it? 

==22916==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020001625f2 at pc 0x7f58e333187e bp 0x7fff8223fe90 sp 0x7fff8223fe88
READ of size 1 at 0x6020001625f2 thread T0
    #0 0x7f58e333187d in parse_param posix/wordexp.c:1581:18
    #1 0x7f58e333187d in parse_dollars posix/wordexp.c:2103
    #2 0x7f58e33212ac in parse_glob posix/wordexp.c:490:12
    #3 0x7f58e33212ac in wordexp posix/wordexp.c:2416


0x6020001625f2 is located 0 bytes to the right of 2-byte region
[0x6020001625f0,0x6020001625f2)
allocated by thread T0 here:
    #0 0x4a1eab in malloc 
    #1 0x7f58e321a546 in __add_to_environ stdlib/setenv.c:202
    #2 0x7f58e332d8c3 in parse_param posix/wordexp.c:1916:4
    #3 0x7f58e332d8c3 in parse_dollars posix/wordexp.c:2103
    #4 0x7f58e332102b in wordexp posix/wordexp.c:2348:10


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 17:55 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #8 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
and another variation with a slightly different stack

"?:${Ba=}"

    #0 0x7f060128a71e in parse_param posix/wordexp.c:1571:20


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: ppluzhnikov at google dot com @ 2015-03-09 18:20 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #9 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
(In reply to Kostya Serebryany from comment #7)

> Can you see it? 

I can not see either c#7 or c#8 with trunk :-(

Note that the allocation in c#7 is coming from setenv() and is possibly
sensitive to current environment.

Do you have "Ca", "Ba" or "da" set to something?


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 18:39 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #10 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---

> Do you have "Ca", "Ba" or "da" set to something?
Nope.


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 18:47 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #11 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
(In reply to Kostya Serebryany from comment #10)
> > Do you have "Ca", "Ba" or "da" set to something?
> Nope.

Ah, apparently one of the previous fuzzing iterations set such an env var
(which also means that wordexp is not an ideal target for in-process fuzzing).
Is this still interesting?
If not, close the bug.


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: ppluzhnikov at google dot com @ 2015-03-09 18:51 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #12 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
(In reply to Kostya Serebryany from comment #11)

> Ah, Apparently one of the previous fuzzing iterations has set such env var.
> (which also means that wordexp is not an ideal target for in-process fuzzing)
> Is this still interesting? 

It's still a bug (AFAICT) -- GLIBC shouldn't be accessing env strings out of
bounds.

I've tried setting these variables myself, to various values, but still do not
see violations.

What do you have them set at (and which ones) ?


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 19:09 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #13 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
here it is: 

#include <wordexp.h>
#include <string.h>
#include <stdlib.h>   /* setenv() is declared here, not in <unistd.h> */
int main() {
  setenv("Ca", NULL, 1);
  char *p = strdup("${Ca=}");
  wordexp_t w;
  wordexp(p, &w, 0);
}


==15178== Invalid read of size 1
==15178==    at 0x4F1DC84: parse_param (wordexp.c:1570)
==15178==    by 0x4F1DC84: parse_dollars (wordexp.c:2102)
==15178==    by 0x4F1FFEB: wordexp (wordexp.c:2348)
==15178==    by 0x400613: main
==15178==  Address 0x51fb043 is 0 bytes after a block of size 3 alloc'd
==15178==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==15178==    by 0x4E71DEC: __add_to_environ (setenv.c:267)
==15178==    by 0x4C321FF: setenv (vg_replace_strmem.c:1844)
==15178==    by 0x4005ED: main


In my fuzzer one of the runs of wordexp is setting the env var to NULL
and then the other iteration tries to read that env. var.

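Comments #11 and #13 describe why wordexp() is an awkward in-process fuzzing target: a ${name=word} expansion assigns the variable through setenv() (the allocation traces in comments #7 and #13 show __add_to_environ called from parse_param), so one iteration leaks state into the next and a later ${name...} reads the entry the earlier one left behind. The harness below is an added example written for this page, not the reporter's fuzzer or glibc code: it snapshots environ before each call, reports whether the call changed it, and rolls the environment back so every iteration starts from the same state. The function names (env_snapshot, env_differs, env_restore, wordexp_isolated) and the variable name GR_EXAMPLE_VAR are the example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

extern char **environ;

void env_free(char **snap)
{
    if (!snap) return;
    for (size_t i = 0; snap[i]; i++) free(snap[i]);
    free(snap);
}

/* Deep-copy environ into a NULL-terminated array owned by the caller. */
char **env_snapshot(void)
{
    size_t n = 0;
    while (environ && environ[n]) n++;
    char **snap = calloc(n + 1, sizeof *snap);
    if (!snap) return NULL;
    for (size_t i = 0; i < n; i++)
        if (!(snap[i] = strdup(environ[i]))) { env_free(snap); return NULL; }
    return snap;
}

/* Find the "NAME=value" entry for NAME (namelen bytes) in a snapshot. */
static const char *snap_lookup(char **snap, const char *name, size_t namelen)
{
    for (size_t i = 0; snap[i]; i++)
        if (strncmp(snap[i], name, namelen) == 0 && snap[i][namelen] == '=')
            return snap[i];
    return NULL;
}

/* Return 1 if the live environment differs from the snapshot in any entry. */
int env_differs(char **snap)
{
    size_t n_live = 0, n_snap = 0;
    for (; environ && environ[n_live]; n_live++) {
        const char *entry = environ[n_live], *eq = strchr(entry, '=');
        if (!eq) return 1;
        const char *old = snap_lookup(snap, entry, (size_t)(eq - entry));
        if (!old || strcmp(old, entry) != 0) return 1;
    }
    while (snap[n_snap]) n_snap++;
    return n_live != n_snap;
}

/* Undo everything since the snapshot: unset new names, reset changed values. */
void env_restore(char **snap)
{
    char **live = env_snapshot();   /* walk a copy: unsetenv() edits environ */
    if (!live) return;
    for (size_t i = 0; live[i]; i++) {
        char *eq = strchr(live[i], '=');
        if (!eq) continue;
        *eq = '\0';
        if (!snap_lookup(snap, live[i], strlen(live[i]))) unsetenv(live[i]);
    }
    env_free(live);
    for (size_t i = 0; snap[i]; i++) {
        const char *eq = strchr(snap[i], '=');
        char *name = eq ? strndup(snap[i], (size_t)(eq - snap[i])) : NULL;
        if (name) { setenv(name, eq + 1, 1); free(name); }
    }
}

/* One fuzz iteration in isolation: run wordexp(), report whether it touched
   the environment, and roll the environment back before the next iteration. */
int wordexp_isolated(const char *words, int *env_changed)
{
    char **snap = env_snapshot();
    if (!snap) return -1;
    wordexp_t w;
    int rc = wordexp(words, &w, WRDE_NOCMD);
    if (rc == 0) wordfree(&w);
    *env_changed = env_differs(snap);
    if (*env_changed) env_restore(snap);
    env_free(snap);
    return rc;
}

/* Self-check of snapshot/compare/restore using a constructed variable name. */
int env_roundtrip_selftest(void)
{
    char **snap = env_snapshot();
    if (!snap || env_differs(snap)) return 0;
    if (setenv("GR_EXAMPLE_VAR", "changed", 1) != 0) return 0;
    int seen = env_differs(snap);
    env_restore(snap);
    int back = getenv("GR_EXAMPLE_VAR") == NULL && !env_differs(snap);
    env_free(snap);
    return seen && back;
}

int main(void)
{
    /* constructed inputs: an assigning and a non-assigning expansion */
    const char *inputs[] = { "${GR_EXAMPLE_VAR=da}", "${GR_EXAMPLE_VAR+da}" };
    for (size_t i = 0; i < 2; i++) {
        int changed = 0, rc = wordexp_isolated(inputs[i], &changed);
        printf("%-22s rc=%d env_changed=%d\n", inputs[i], rc, changed);
    }
    return 0;
}
```

Whether a given input changes the environment is reported rather than assumed, so the harness also serves as a detector for the behaviour questioned in comment #16.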

* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 19:10 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #14 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
same happens with 
  setenv("Ca", "", 1);


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: ppluzhnikov at google dot com @ 2015-03-09 19:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #15 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
(In reply to Kostya Serebryany from comment #14)
> same happens with 
>   setenv("Ca", "", 1);

This one is not reproducing for me with either 2.19 or trunk.

OTOH, with test from comment #13, both from glibc-2.19 and trunk give me two
separate overflows:

==3325== Invalid read of size 1
==3325==    at 0x48EBF9E: parse_dollars (/glibc-git/posix/wordexp.c:1573)
==3325==    by 0x48ED3CA: wordexp (/glibc-git/posix/wordexp.c:2352)
==3325==    by 0x400613: main (/tmp/t.c:8)
==3325==  Address 0x4bb62d3 is 0 bytes after a block of size 3 alloc'd
==3325==    at 0x480B7C4: malloc
(valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==3325==    by 0x484A6F6: __add_to_environ (/glibc-git/stdlib/setenv.c:202)
==3325==    by 0x480F4BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==3325==    by 0x4005ED: main (/tmp/t.c:5)
==3325==
==3325== Invalid read of size 1
==3325==    at 0x48EBD15: parse_dollars (/glibc-git/posix/wordexp.c:1897)
==3325==    by 0x48ED3CA: wordexp (/glibc-git/posix/wordexp.c:2352)
==3325==    by 0x400613: main (/tmp/t.c:8)
==3325==  Address 0x4bb62d3 is 0 bytes after a block of size 3 alloc'd
==3325==    at 0x480B7C4: malloc
(valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==3325==    by 0x484A6F6: __add_to_environ (/glibc-git/stdlib/setenv.c:202)
==3325==    by 0x480F4BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==3325==    by 0x4005ED: main (/tmp/t.c:5)

Thanks for the test!


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 19:28 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #16 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
Nice.
WDYT about wordexp changing the env?
The man page does not mention it, and it looks like weird behavior.


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: ppluzhnikov at google dot com @ 2015-03-09 22:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #17 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
The test from comment #13 is invalid. Small repro:

#include <stdio.h>
#include <stdlib.h>

int main() {
  setenv("Ca", NULL, 1);
  char *p = getenv("Ca");
  printf("p: %s\n", p);
  return 0;
}


$ gcc t2.c
t2.c: In function ‘main’:
t2.c:5:3: warning: null argument where non-null required (argument 2)
[-Wnonnull]
   setenv("Ca", NULL, 1);
   ^

That is, setenv(..., NULL, ...) is explicitly disallowed.


valgrind ./a.out

==30371== Invalid read of size 1
==30371==    at 0x4A70A03: vfprintf
(/build/buildd/eglibc-2.19/stdio-common/vfprintf.c:1661)
==30371==    by 0x4A79498: printf
(/build/buildd/eglibc-2.19/stdio-common/printf.c:33)
==30371==    by 0x40060C: main (in /tmp/a.out)
==30371==  Address 0x4dea2d3 is 0 bytes after a block of size 3 alloc'd
==30371==    at 0x40307C4: malloc
(valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==30371==    by 0x4A60C59: __add_to_environ
(/build/buildd/eglibc-2.19/stdlib/setenv.c:193)
==30371==    by 0x40344BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==30371==    by 0x4005E8: main (in /tmp/a.out)


Now, arguably GLIBC could do something smarter and make these equivalent:

  setenv("Ca", NULL, 1);
  setenv("Ca", "", 1);

But if that NULL should be handled at all, it's a separate bug.


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 22:27 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #18 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
The problem here is that setenv("Ca", NULL, 1); is performed by wordexp.
I'll file a separate bug.


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 22:35 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Kostya Serebryany <konstantin.s.serebryany at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #19 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
Ah, let's continue here if you don't mind. 

#include <wordexp.h>
#include <string.h>
int main() {
  wordexp_t w1, w2;
  /* ${Ca=} with Ca unset makes wordexp call setenv("Ca", NULL, 1),
     which leaves an unterminated "Ca=" entry in the environment. */
  wordexp("${Ca=}", &w1, 0);
  /* Expanding the same word again reads that entry past its end. */
  wordexp("${Ca=}", &w2, 0);
}


==11533== Invalid read of size 1
==11533==    at 0x4F1DC84: parse_param (wordexp.c:1570)
==11533==    by 0x4F1DC84: parse_dollars (wordexp.c:2102)
==11533==    by 0x4F1FFEB: wordexp (wordexp.c:2348)
==11533==  Address 0x51fb4a3 is 0 bytes after a block of size 3 alloc'd
==11533==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==11533==    by 0x4E71C59: __add_to_environ (setenv.c:193)
==11533==    by 0x4C321FF: setenv (vg_replace_strmem.c:1844)
==11533==    by 0x4F1F045: parse_param (wordexp.c:1915)
==11533==    by 0x4F1F045: parse_dollars (wordexp.c:2102)
==11533==    by 0x4F1FFEB: wordexp (wordexp.c:2348)

==11533== 
==11533== Invalid read of size 1
==11533==    at 0x4F1DB39: parse_param (wordexp.c:1894)
==11533==    by 0x4F1DB39: parse_dollars (wordexp.c:2102)
==11533==    by 0x4F1FFEB: wordexp (wordexp.c:2348)
==11533==  Address 0x51fb4a3 is 0 bytes after a block of size 3 alloc'd
==11533==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==11533==    by 0x4E71C59: __add_to_environ (setenv.c:193)
==11533==    by 0x4C321FF: setenv (vg_replace_strmem.c:1844)
==11533==    by 0x4F1F045: parse_param (wordexp.c:1915)
==11533==    by 0x4F1F045: parse_dollars (wordexp.c:2102)
==11533==    by 0x4F1FFEB: wordexp (wordexp.c:2348)


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: ppluzhnikov at google dot com @ 2015-03-09 23:16 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #20 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Patch mailed: https://sourceware.org/ml/libc-alpha/2015-03/msg00402.html


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: cvs-commit at gcc dot gnu.org @ 2015-03-11 15:57 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #21 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  a2d4cf72c0ab07d4e58b42c01ac3ed2b95ca8d9b (commit)
      from  5ca10a0c9ad1edb3b2e2e59ac6dccdd879cf84ae (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a2d4cf72c0ab07d4e58b42c01ac3ed2b95ca8d9b

commit a2d4cf72c0ab07d4e58b42c01ac3ed2b95ca8d9b
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Wed Mar 11 08:55:50 2015 -0700

    Fix BZ #18043 comment # 19: don't call undefined setenv(..., NULL, 1).

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    5 +++++
 posix/wordexp.c |    2 +-
 2 files changed, 6 insertions(+), 1 deletions(-)


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: ppluzhnikov at google dot com @ 2015-03-11 16:01 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #22 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Third case fixed.


* [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
From: fweimer at redhat dot com @ 2015-03-19 14:55 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #23 from Florian Weimer <fweimer at redhat dot com> ---
Happens with WRDE_COMMAND as well, so indeed a security issue.
