public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/18660] New: Fix overflow in getusershell
@ 2015-07-12 16:03 tobias at stoeckmann dot org
2015-07-24 12:37 ` [Bug libc/18660] " fweimer at redhat dot com
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: tobias at stoeckmann dot org @ 2015-07-12 16:03 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18660
Bug ID: 18660
Summary: Fix overflow in getusershell
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: tobias at stoeckmann dot org
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Created attachment 8428
--> https://sourceware.org/bugzilla/attachment.cgi?id=8428&action=edit
patch in git diff format
The function initshells is prone to a buffer overflow in two cases:
1) if /etc/shells is empty, 0 bytes of memory for "shells" will be
reserved, but value NULL written into it.
2) if /etc/shells contains only 2 bytes, or generally entries which are
that small, the calculation "st_size / 3" will round down due to
integer precision. two values will be written into 0 bytes allocated
are.
This fix has been applied in OpenBSD.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug libc/18660] Fix overflow in getusershell
2015-07-12 16:03 [Bug libc/18660] New: Fix overflow in getusershell tobias at stoeckmann dot org
@ 2015-07-24 12:37 ` fweimer at redhat dot com
2015-08-10 4:36 ` ppluzhnikov at google dot com
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: fweimer at redhat dot com @ 2015-07-24 12:37 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18660
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security-
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug libc/18660] Fix overflow in getusershell
2015-07-12 16:03 [Bug libc/18660] New: Fix overflow in getusershell tobias at stoeckmann dot org
2015-07-24 12:37 ` [Bug libc/18660] " fweimer at redhat dot com
@ 2015-08-10 4:36 ` ppluzhnikov at google dot com
2015-08-11 17:25 ` tobias at stoeckmann dot org
2015-08-15 18:05 ` ppluzhnikov at google dot com
3 siblings, 0 replies; 5+ messages in thread
From: ppluzhnikov at google dot com @ 2015-08-10 4:36 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18660
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ppluzhnikov at google dot com
--- Comment #1 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
> This fix has been applied in OpenBSD.
The fix is wrong: it adds 2 bytes to "shells".
Did you intend to add "2 * sizeof (char *)" ?
It seems to me that even adding 2 * sizeof (char *) is insufficient: if
/etc/shells contains 10 two-byte lines "/\n", then "shells" will point to an
array of 20/3 + 2 == 8 pointers, and we'll try to write 11 entries into it.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug libc/18660] Fix overflow in getusershell
2015-07-12 16:03 [Bug libc/18660] New: Fix overflow in getusershell tobias at stoeckmann dot org
2015-07-24 12:37 ` [Bug libc/18660] " fweimer at redhat dot com
2015-08-10 4:36 ` ppluzhnikov at google dot com
@ 2015-08-11 17:25 ` tobias at stoeckmann dot org
2015-08-15 18:05 ` ppluzhnikov at google dot com
3 siblings, 0 replies; 5+ messages in thread
From: tobias at stoeckmann dot org @ 2015-08-11 17:25 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18660
Tobias Stoeckmann <tobias at stoeckmann dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #8428|0 |1
is obsolete| |
--- Comment #2 from Tobias Stoeckmann <tobias at stoeckmann dot org> ---
Created attachment 8502
--> https://sourceware.org/bugzilla/attachment.cgi?id=8502&action=edit
updated patch
Updated diff which fixes Paul Pluzhnikov's spottings.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug libc/18660] Fix overflow in getusershell
2015-07-12 16:03 [Bug libc/18660] New: Fix overflow in getusershell tobias at stoeckmann dot org
` (2 preceding siblings ...)
2015-08-11 17:25 ` tobias at stoeckmann dot org
@ 2015-08-15 18:05 ` ppluzhnikov at google dot com
3 siblings, 0 replies; 5+ messages in thread
From: ppluzhnikov at google dot com @ 2015-08-15 18:05 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18660
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at sourceware dot org |ppluzhnikov at google dot com
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-08-15 18:05 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-07-12 16:03 [Bug libc/18660] New: Fix overflow in getusershell tobias at stoeckmann dot org
2015-07-24 12:37 ` [Bug libc/18660] " fweimer at redhat dot com
2015-08-10 4:36 ` ppluzhnikov at google dot com
2015-08-11 17:25 ` tobias at stoeckmann dot org
2015-08-15 18:05 ` ppluzhnikov at google dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).