From: "wangxuszcn at foxmail dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/26353] ftw/nftw: When a large nopenfd parameter is entered, ftw() or nftw() triggers stack overflow.
Date: Mon, 10 Aug 2020 04:27:03 +0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.31
X-Bugzilla-Severity: normal
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-URL: http://sourceware.org/bugzilla/

https://sourceware.org/bugzilla/show_bug.cgi?id=26353

wangxu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wangxuszcn at foxmail dot com

--- Comment #3 from wangxu ---
(In reply to nixiaoming from comment #0)
> Invoke ftw_startup() in ftw()/nftw().
> ftw_startup() does not verify the upper limit of descriptors, and alloca is
> used to apply for stack space, triggering stack overflow.
>
> ------- code -----
> io/ftw.c:
>   /* Entry points.  */
>
>   int
>   FTW_NAME (const char *path, FTW_FUNC_T func, int descriptors)
>   {
>     return ftw_startup (path, 0, func, descriptors, 0);
>   }
>
>   int
>   NFTW_NAME (const char *path, NFTW_FUNC_T func, int descriptors, int flags)
>   {
>     return ftw_startup (path, 1, func, descriptors, flags);
>   }
>
> io/ftw.c:
>
>   static int
>   __attribute ((noinline))
>   ftw_startup (const char *dir, int is_nftw, void *func, int descriptors,
>                int flags)
>   {
>     struct ftw_data data;
>     struct STAT st;
>     int result = 0;
>     int save_err;
>     int cwdfd = -1;
>     char *cwd = NULL;
>     char *cp;
>
>     /* First make sure the parameters are reasonable.  */
>     if (dir[0] == '\0')
>       {
>         __set_errno (ENOENT);
>         return -1;
>       }
>
>     data.maxdir = descriptors < 1 ? 1 : descriptors;  /* No check of the upper limit.  */
>     data.actdir = 0;
>     data.dirstreams = (struct dir_data **) alloca (data.maxdir
>                                                    * sizeof (struct dir_data *));  /* Here, the stack overflows.  */
>     memset (data.dirstreams, '\0', data.maxdir * sizeof (struct dir_data *));
>
> ----- testcase test_ftw.c -----
> #include <stdio.h>
> #include <sys/types.h>
> #include <sys/stat.h>
>
> #include <ftw.h>
>
> int my_func(const char *file, const struct stat *sb, int flag)
> {
>     printf("%s\n", file);
>     return 0;
> }
>
> int main(int argc, char *argv[])
> {
>     printf("start\n");
>     ftw("/", my_func, 8192*1024);
>     printf("end\n");
>     return 0;
> }
>
> ------ message -----
> test_ftw[15882]: segfault at fdb18398 ip 00000000f76028f5 sp 00000000fdb1839c error 6 in libc-2.29.so[f752e000+152000]
>
> ----- coredump ----
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from ./test_ftw...done.
> [New LWP 15882]
> Core was generated by `./test_ftw'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0xf76028f5 in ftw_startup () from /lib/libc.so.6
> readline: /etc/inputrc: line 13: term: unknown variable name
> (gdb) bt
> #0  0xf76028f5 in ftw_startup () from /lib/libc.so.6
> #1  0x0804852b in main (argc=1, argv=0xffb18554) at test_ftw.c:25
> (gdb) i r
> eax            0x2000000           33554432
> ecx            0x0                 0
> edx            0xfdb183af          -38698065
> ebx            0xf76f2e24          -143708636
> esp            0xfdb1839c          0xfdb1839c
> ebp            0xffb18468          0xffb18468
> esi            0x80485f6           134514166
> edi            0x8048492           134513810
> eip            0xf76028f5          0xf76028f5
> eflags         0x10296             [ PF AF SF IF RF ]
> cs             0x23                35
> ss             0x2b                43
> ds             0x2b                43
> es             0x2b                43
> fs             0x0                 0
> gs             0x63                99
> (gdb) shell readelf -e core-15882-test_ftw |tail
>   LOAD           0x002000 0xf76f4000 0x00000000 0x00000 0x03000 RW  0x1000
>   LOAD           0x002000 0xf76f7000 0x00000000 0x02000 0x02000 RW  0x1000
>   LOAD           0x004000 0xf76f9000 0x00000000 0x03000 0x03000 R   0x1000
>   LOAD           0x007000 0xf76fc000 0x00000000 0x01000 0x01000 R E 0x1000
>   LOAD           0x008000 0xf76fd000 0x00000000 0x01000 0x01000 R   0x1000
>   LOAD           0x009000 0xf76fe000 0x00000000 0x1c000 0x1c000 R E 0x1000
>   LOAD           0x025000 0xf771a000 0x00000000 0x0a000 0x0a000 R   0x1000
>   LOAD           0x02f000 0xf7725000 0x00000000 0x01000 0x01000 R   0x1000
>   LOAD           0x030000 0xf7726000 0x00000000 0x01000 0x01000 RW  0x1000
>   LOAD           0x031000 0xffaf8000 0x00000000 0x21000 0x21000 RW  0x1000
> (gdb) q

In ftw, alloca is equal to __builtin_alloca, and as the gcc manual says, "Since the __builtin_alloca function doesn't validate its argument it is the responsibility of its caller to make sure the argument doesn't cause it to exceed the stack size limit." [1]

Stack may be corrupted here. Can we apply for a CVE?

[1] __builtin_alloca does not validate args: https://gcc.gnu.org/onlinedocs/gcc/Other-Builtins.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.
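Added example, not glibc's code and not the reporter's testcase: a caller-side guard that bounds nopenfd before it reaches nftw(), plus the stack-budget check the report says ftw_startup lacks (an array of data.maxdir pointers must not be alloca'd without a size check). The names NFTW_OPEN_CAP, STACK_BUDGET, dirstreams_bytes, fits_stack_budget, clamp_nopenfd and safe_nftw are assumptions, and the 1024-descriptor cap and 64 KiB budget are constructed values.

```c
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <ftw.h>

/* Constructed cap on concurrently open directories; real traversals need far fewer. */
#define NFTW_OPEN_CAP 1024
/* Constructed stack budget (bytes) for an alloca'd pointer array. */
#define STACK_BUDGET 65536

/* Bytes the dirstreams array would take for a given nopenfd (mirrors
   data.maxdir * sizeof (struct dir_data *) in the report); 0 on size_t overflow. */
size_t dirstreams_bytes(int nopenfd)
{
    size_t maxdir = nopenfd < 1 ? 1 : (size_t) nopenfd;
    if (maxdir > SIZE_MAX / sizeof(void *))
        return 0;
    return maxdir * sizeof(void *);
}

/* 1 if that array fits the stack budget, 0 if it must go on the heap instead. */
int fits_stack_budget(int nopenfd)
{
    size_t n = dirstreams_bytes(nopenfd);
    return n != 0 && n <= STACK_BUDGET;
}

/* Clamp a caller-supplied nopenfd to [1, min(NFTW_OPEN_CAP, RLIMIT_NOFILE soft limit)]. */
int clamp_nopenfd(int requested, rlim_t nofile_soft)
{
    long limit = NFTW_OPEN_CAP;
    if (nofile_soft != RLIM_INFINITY && nofile_soft < (rlim_t) limit)
        limit = (long) nofile_soft;
    if (limit < 1) limit = 1;        /* an RLIMIT_NOFILE of 0 must not yield 0 */
    if (requested < 1) return 1;     /* ftw_startup also treats values < 1 as 1 */
    return requested > limit ? (int) limit : requested;
}

/* Wrapper that never forwards an unbounded nopenfd to nftw(). */
int safe_nftw(const char *path,
              int (*fn)(const char *, const struct stat *, int, struct FTW *),
              int nopenfd, int flags)
{
    struct rlimit rl;
    rlim_t soft = getrlimit(RLIMIT_NOFILE, &rl) == 0 ? rl.rlim_cur : RLIM_INFINITY;
    return nftw(path, fn, clamp_nopenfd(nopenfd, soft), flags);
}
```

With the reporter's value of 8192*1024, dirstreams_bytes() reproduces the 32 MiB (on 32-bit) or 64 MiB (on 64-bit) array that overran the mapped stack, and clamp_nopenfd() reduces it to the descriptor limit before nftw() is ever called.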