From: "zackw at panix dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18795] New: stpncpy fortification misses buffer lengths that are statically too large
Date: Sun, 09 Aug 2015 14:10:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=18795

            Bug ID: 18795
           Summary: stpncpy fortification misses buffer lengths that are
                    statically too large
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: zackw at panix dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

This test program will exhibit a fortify-check failure if compiled with
-DNON_CONSTANT, but not if compiled without:

    #define _GNU_SOURCE 1
    #define _FORTIFY_SOURCE 2
    #include <string.h>

    #ifdef NON_CONSTANT
    volatile size_t zero;
    #define LENGTH (zero + sizeof buf + 1)   /* not a compile-time constant */
    #else
    #define LENGTH (sizeof buf + 1)          /* constant, and one past the end of buf */
    #endif

    int main(int argc, char **argv)
    {
      char buf[8];
      return *stpncpy(buf, argv[0], LENGTH) != 0;
    }

This is because a conditional in bits/string3.h is backward:

    __fortify_function char *
    __NTH (stpncpy (char *__dest, const char *__src, size_t __n))
    {
      if (__bos (__dest) != (size_t) -1
          && (!__builtin_constant_p (__n) || __n <= __bos (__dest)))
        return __stpncpy_chk (__dest, __src, __n, __bos (__dest));
      return __stpncpy_alias (__dest, __src, __n);
    }

That should be '__n > __bos (__dest)'.

This is arguably a security flaw, but I don't think it's serious enough to
warrant the whole CVE dance - still, the patch (to follow) should probably be
backported to all active branches.
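The dispatch logic the report describes, as an added model that is not part of the bug report or of glibc. The compiler-supplied inputs `__bos(dest)` and `__builtin_constant_p(n)` become explicit parameters (`bos`, with `(size_t)-1` meaning "unknown", and `n_is_const`) so the inverted comparison can be exercised deterministically at any optimisation level, and the `__chk_fail()` abort is replaced by a NULL return so the outcome can be checked. The function names `routes_to_chk`, `stpncpy_chk_model` and `fortified_stpncpy` are invented for this illustration; a `buggy` flag selects the report's `__n <= __bos` comparison or the corrected `__n > __bos`.

```c
#define _GNU_SOURCE 1
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model (not glibc code) of the dispatch decision in the bits/string3.h
 * stpncpy wrapper.  Returns true when the call is routed to the checked
 * __stpncpy_chk path, false when it goes straight to the unchecked alias.
 * `buggy` reproduces the inverted comparison from the report. */
static bool routes_to_chk(bool buggy, bool n_is_const, size_t n, size_t bos)
{
    if (bos == (size_t)-1)
        return false;          /* object size unknown: nothing to check against */
    if (!n_is_const)
        return true;           /* run-time length: always take the checked path */
    /* Constant length: the check is needed exactly when n does not fit.
     * The buggy form checks the fitting case and skips the overflowing one. */
    return buggy ? (n <= bos) : (n > bos);
}

/* Model of __stpncpy_chk: refuse a length larger than the destination.
 * Real glibc calls __chk_fail() and aborts; NULL is returned here instead. */
static char *stpncpy_chk_model(char *dest, const char *src, size_t n, size_t bos)
{
    if (n > bos)
        return NULL;
    return stpncpy(dest, src, n);
}

/* Full wrapper: dispatch as the header would, then copy.  When the dispatch
 * wrongly sends an oversized constant n to the unchecked path, the overflow
 * is not performed; *bypassed is set and NULL returned so the escape is
 * observable rather than a memory-safety bug in the model itself. */
static char *fortified_stpncpy(bool buggy, char *dest, size_t bos,
                               const char *src, size_t n, bool n_is_const,
                               bool *bypassed)
{
    *bypassed = false;
    if (routes_to_chk(buggy, n_is_const, n, bos))
        return stpncpy_chk_model(dest, src, n, bos);
    if (n > bos) {
        /* An unchecked stpncpy here would write n > bos bytes into dest. */
        *bypassed = true;
        return NULL;
    }
    return stpncpy(dest, src, n);
}

int main(void)
{
    /* The report's scenario: char buf[8] with LENGTH = sizeof buf + 1. */
    char buf[8];
    bool bypassed;
    const size_t oversize = sizeof buf + 1;

    fortified_stpncpy(true, buf, sizeof buf, "abc", oversize, true, &bypassed);
    printf("buggy wrapper, constant oversize length: check bypassed = %d\n", bypassed);

    fortified_stpncpy(true, buf, sizeof buf, "abc", oversize, false, &bypassed);
    printf("buggy wrapper, non-constant oversize length: check bypassed = %d\n", bypassed);

    fortified_stpncpy(false, buf, sizeof buf, "abc", oversize, true, &bypassed);
    printf("fixed wrapper, constant oversize length: check bypassed = %d\n", bypassed);
    return 0;
}
```

With the buggy comparison, a constant length of `sizeof buf + 1` never reaches `__stpncpy_chk`, while the same length computed at run time does; that is exactly the `-DNON_CONSTANT` asymmetry in the report. With the corrected comparison the oversized constant is rejected and an in-bounds constant skips the check, which is the intended fast path.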