public inbox for glibc-bugs@sourceware.org
* [Bug libc/18099] New: a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
@ 2015-03-09 21:08 konstantin.s.serebryany at gmail dot com
2015-03-19 15:08 ` [Bug libc/18099] " fweimer at redhat dot com
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: konstantin.s.serebryany at gmail dot com @ 2015-03-09 21:08 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18099
Bug ID: 18099
Summary: a.out: wordexp.c:1937: parse_param: Assertion `value
!= ((void *)0)' failed.
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com

#include <wordexp.h>

int main() {
  wordexp_t w;
  /* Fuzzer-generated input; flags == 0. */
  wordexp("*??\\\\/::${#r-}", &w, 0);
}

gcc we12.c && ./a.out
a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
Aborted (core dumped)

2.19 and fresh trunk are affected.
Same fuzzer, see https://sourceware.org/glibc/wiki/FuzzingLibc
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug libc/18099] a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
From: fweimer at redhat dot com @ 2015-03-19 15:08 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18099
Florian Weimer <fweimer at redhat dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Reachable even with WRDE_NOCMD, so this is a security issue in builds with
asserts enabled (which we support).
* [Bug libc/18099] a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
From: neleai at seznam dot cz @ 2015-07-12 8:08 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18099
Ondrej Bilka <neleai at seznam dot cz> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |neleai at seznam dot cz
--- Comment #2 from Ondrej Bilka <neleai at seznam dot cz> ---
I am not sure if we should fix that by removing that assert or refactoring
code.
That assertion is false because we do the following:

    value = pattern ? __strdup (pattern) : pattern;
    free_value = 1;
* [Bug libc/18099] a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
From: fweimer at redhat dot com @ 2015-07-21 10:39 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18099
--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Florian Weimer from comment #1)
> Reachable even with WRDE_NOCMD, so this is a security issue in builds with
> asserts enabled (which we support).
This is incorrect because wordexp is inherently DoS-prone with crafted
patterns.
* [Bug glob/18099] a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
From: jsm28 at gcc dot gnu.org @ 2015-08-27 22:26 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18099
Joseph Myers <jsm28 at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |glob