public inbox for glibc-bugs@sourceware.org
* [Bug libc/18795] New: stpncpy fortification misses buffer lengths that are statically too large
From: zackw at panix dot com @ 2015-08-09 14:10 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18795

            Bug ID: 18795
           Summary: stpncpy fortification misses buffer lengths that are
                    statically too large
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: zackw at panix dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

This test program will exhibit a fortify-check failure if compiled with
-DNON_CONSTANT, but not if compiled without:

#define _GNU_SOURCE 1
#define _FORTIFY_SOURCE 2
#include <string.h>

#ifdef NON_CONSTANT
/* Hide the length from the compiler so __builtin_constant_p (__n) is false. */
volatile size_t zero;
#define LENGTH (zero + sizeof buf + 1)
#else
/* Compile-time constant that is one byte larger than the destination. */
#define LENGTH (sizeof buf + 1)
#endif

int main(int argc, char **argv)
{
  char buf[8];
  /* LENGTH exceeds sizeof buf, so a correct fortify check must abort here. */
  return *stpncpy(buf, argv[0], LENGTH) != 0;
}

This is because a conditional in bits/string3.h is backward:

__fortify_function char *
__NTH (stpncpy (char *__dest, const char *__src, size_t __n))
{
  if (__bos (__dest) != (size_t) -1
      && (!__builtin_constant_p (__n) || __n <= __bos (__dest)))
    return __stpncpy_chk (__dest, __src, __n, __bos (__dest));
  return __stpncpy_alias (__dest, __src, __n);
}

That should be '__n > __bos (__dest)'.

This is arguably a security flaw, but I don't think it's serious enough to
warrant the whole CVE dance - still, the patch (to follow) should probably be
backported to all active branches.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug libc/18795] stpncpy fortification misses buffer lengths that are statically too large
From: zackw at panix dot com @ 2015-08-09 14:20 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18795

Zack Weinberg <zackw at panix dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at sourceware dot org   |zackw at panix dot com

--- Comment #1 from Zack Weinberg <zackw at panix dot com> ---
Created attachment 8498
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8498&action=edit
patch


* [Bug libc/18795] stpncpy fortification misses buffer lengths that are statically too large
From: fweimer at redhat dot com @ 2015-08-09 21:30 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18795

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Zack Weinberg from comment #0)
> This is arguably a security flaw, but I don't think it's serious enough to
> warrant the whole CVE dance - still, the patch (to follow) should probably
> be backported to all active branches.

Thanks for reporting this.

Just to be absolutely clear: The impact here is that a buffer size
specification which is a compile-time constant and which is too large results
in a lack of fortification.  The result can be an undetected buffer overflow if
the supplied input string argument is too large.

Backporting does not help directly because the bug is a macro.  After
recompilation, it will also introduce crashes into programs which at least
appeared to work fine before, so it is a fairly risky change.

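The dispatch logic quoted in comment #0 and the impact Florian spells out in comment #2, as an added example that is not part of this thread or of glibc's own code: a small model of the bits/string3.h condition that reports whether a call reaches the checked variant, with the buggy and the corrected condition side by side. BOS_UNKNOWN, the two routing functions, dispatch() and the outcome enum are this model's own names, not glibc identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of __bos() returning (size_t)-1 when the object size is unknown
 * (constructed constant for this model; not a glibc identifier). */
#define BOS_UNKNOWN ((size_t)-1)

/* The condition quoted from bits/string3.h in comment #0: with a constant
 * __n, the checked variant is chosen only when __n <= __bos(__dest). */
static bool buggy_routes_to_chk(size_t bos, size_t n, bool n_is_constant)
{
    return bos != BOS_UNKNOWN && (!n_is_constant || n <= bos);
}

/* The corrected condition proposed in the report: '__n > __bos (__dest)'. */
static bool fixed_routes_to_chk(size_t bos, size_t n, bool n_is_constant)
{
    return bos != BOS_UNKNOWN && (!n_is_constant || n > bos);
}

/* What the caller ends up executing (names are this model's, not glibc's). */
enum outcome {
    UNCHECKED_CALL, /* __stpncpy_alias: plain stpncpy, no length check at all */
    CHECKED_OK,     /* __stpncpy_chk: n fits in the object, copy proceeds */
    CHECKED_ABORT   /* __stpncpy_chk: n exceeds the object, __chk_fail */
};

static enum outcome dispatch(bool (*routes_to_chk)(size_t, size_t, bool),
                             size_t bos, size_t n, bool n_is_constant)
{
    if (!routes_to_chk(bos, n, n_is_constant))
        return UNCHECKED_CALL;
    /* __stpncpy_chk compares the requested length with the object size. */
    return n > bos ? CHECKED_ABORT : CHECKED_OK;
}

/* The report's test program: char buf[8] and LENGTH = sizeof buf + 1 = 9. */
int main(void)
{
    static const char *names[] = { "unchecked", "checked-ok", "checked-abort" };
    const size_t bos = 8, n = 9;
    printf("constant n:     buggy=%s fixed=%s\n",
           names[dispatch(buggy_routes_to_chk, bos, n, true)],
           names[dispatch(fixed_routes_to_chk, bos, n, true)]);
    printf("non-constant n: buggy=%s fixed=%s\n",
           names[dispatch(buggy_routes_to_chk, bos, n, false)],
           names[dispatch(fixed_routes_to_chk, bos, n, false)]);
    return 0;
}
```

With the buggy condition the constant, too-large length lands on the unchecked alias, which is exactly the silent overflow described in comment #2; the NON_CONSTANT build takes the __builtin_constant_p branch and is caught either way.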

* [Bug libc/18795] stpncpy fortification misses buffer lengths that are statically too large
From: vapier at gentoo dot org @ 2015-08-15  2:45 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18795

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
                 CC|                            |vapier at gentoo dot org
         Resolution|---                         |FIXED

--- Comment #4 from Mike Frysinger <vapier at gentoo dot org> ---
pushed now, thanks


* [Bug libc/18795] stpncpy fortification misses buffer lengths that are statically too large
From: cvs-commit at gcc dot gnu.org @ 2015-08-15  2:45 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18795

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  3cda1b6d56335a101ec3de0053248f68f010eee1 (commit)
      from  8ff5e0ec497613e578219c9c3d49053c550b9269 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3cda1b6d56335a101ec3de0053248f68f010eee1

commit 3cda1b6d56335a101ec3de0053248f68f010eee1
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Fri Aug 14 22:43:52 2015 -0400

    stpncpy: fix bug number [BZ #18795]

    The previous commit used 18975 instead of 18795.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog |    2 +-
 NEWS      |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)


* [Bug libc/18795] stpncpy fortification misses buffer lengths that are statically too large
From: jsm28 at gcc dot gnu.org @ 2015-10-29 17:02 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18795

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.23

