public inbox for glibc-bugs@sourceware.org
* [Bug libc/27083] New: Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-16 14:12 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

            Bug ID: 27083
           Summary: Unsafe unbounded alloca in addmntent
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: siddhesh at sourceware dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

addmntent duplicates strings in its input struct mntent using alloca, due to which very long strings could blow up the stack. Example:

    #include <stdlib.h>
    #include <mntent.h>
    #include <stdio.h>
    #include <string.h>

    /* 2 GiB per field: addmntent copies each field onto the stack with
       alloca, which no default-sized stack can hold.  */
    #define LARGE_VALUE (2*1024*1024*1024ULL)

    int main (void)
    {
      FILE *f = fopen ("/dev/null", "w");
      if (f == NULL)
        return 1;

      struct mntent bad;
      bad.mnt_fsname = calloc (LARGE_VALUE, 1);
      bad.mnt_dir = calloc (LARGE_VALUE, 1);
      bad.mnt_type = calloc (LARGE_VALUE, 1);
      bad.mnt_opts = calloc (LARGE_VALUE, 1);
      if (bad.mnt_fsname == NULL || bad.mnt_dir == NULL
          || bad.mnt_type == NULL || bad.mnt_opts == NULL)
        return 1;

      /* Fill each field with spaces, which addmntent has to escape; the
         last byte stays NUL from calloc and terminates the string.  */
      memset (bad.mnt_fsname, ' ', LARGE_VALUE - 1);
      memset (bad.mnt_dir, ' ', LARGE_VALUE - 1);
      memset (bad.mnt_type, ' ', LARGE_VALUE - 1);
      memset (bad.mnt_opts, ' ', LARGE_VALUE - 1);
      bad.mnt_freq = 1;
      bad.mnt_passno = 2;

      /* Overflows the stack on an unfixed glibc.  */
      addmntent (f, &bad);
      endmntent (f);
      return 0;
    }

-- 
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug libc/27083] Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-16 14:18 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
          Assignee|unassigned at sourceware dot org |siddhesh at sourceware dot org
* [Bug libc/27083] Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-16 16:32 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
             Flags|                                 |security-

--- Comment #1 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
It is unlikely for this bug to have a security impact given the very limited use of the function.
* [Bug libc/27083] Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-18 16:04 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

--- Comment #2 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
To elaborate on my previous comment, the glibc Security Process[1] specifies that stack overflows due to an unbounded alloca may be considered a security issue if the data triggering the overflow could come from an untrusted source. Our assessment is that this is not true for addmntent, i.e. applications using addmntent already run in a trusted context. We can revisit this if it is found that this is not true.

[1] https://sourceware.org/glibc/wiki/Security%20Process
* [Bug libc/27083] Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-22 16:05 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
  Target Milestone|---                              |2.33
        Resolution|---                              |FIXED
            Status|NEW                              |RESOLVED

--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Fixed in master:

commit 9798906a426fc458b949271bcc9b8ad1608de867 (HEAD -> master)
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Dec 22 17:18:12 2020 +0530

    addmntent: Remove unbounded alloca usage from getmntent [BZ#27083]

    The addmntent function replicates elements of struct mnt on stack
    using alloca, which is unsafe. Put characters directly into the
    stream, escaping them as they're being written out.

    Also add a test to check all escaped characters with addmntent and
    getmntent.
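Added example, not glibc's code and not part of the bug thread: a small mtab record writer that builds the same record both ways discussed above. put_field_alloca copies a caller-supplied field through an alloca buffer sized from strlen, the pattern the report objects to; put_escaped streams the field byte by byte with constant stack use, the approach the fix describes. Both use the /etc/fstab escapes for space, tab, newline and backslash (\040, \011, \012, \134), and unescape_field decodes them again so the round trip can be checked. The helper names, format_mntent in particular, are assumptions for this illustration; the record goes to a tmpfile and is read back so nothing touches a real mtab.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The /etc/fstab escape for a byte, or NULL if it is written as-is.
   Hypothetical helper, shared by both writers below. */
static const char *escape_for(char c)
{
    switch (c) {
    case ' ':  return "\\040";
    case '\t': return "\\011";
    case '\n': return "\\012";
    case '\\': return "\\134";
    default:   return NULL;
    }
}

/* Hardened writer: escape straight into the stream.  Stack use is constant
   no matter how long the field is.  Returns 0, or -1 on a write error. */
static int put_escaped(FILE *fp, const char *s)
{
    for (; *s != '\0'; s++) {
        const char *esc = escape_for(*s);
        if (esc != NULL ? fputs(esc, fp) == EOF
                        : fputc((unsigned char)*s, fp) == EOF)
            return -1;
    }
    return 0;
}

/* The pattern the report objects to: the escaped copy lives in an alloca
   buffer sized from caller-controlled input.  A field of a few MiB exceeds
   the default 8 MiB thread stack, so a hostile caller crashes the process.
   Kept for contrast; only ever called here with short input. */
static int put_field_alloca(FILE *fp, const char *s)
{
    char *buf = alloca(strlen(s) * 4 + 1);  /* worst case: every byte escaped */
    char *p = buf;
    for (; *s != '\0'; s++) {
        const char *esc = escape_for(*s);
        if (esc != NULL) { memcpy(p, esc, 4); p += 4; }
        else *p++ = *s;
    }
    *p = '\0';
    return fputs(buf, fp) == EOF ? -1 : 0;
}

/* One fstab/mtab record: four escaped fields, then freq and passno. */
static int write_record(FILE *fp, int use_alloca, const char *fsname,
                        const char *dir, const char *type, const char *opts,
                        int freq, int passno)
{
    const char *fields[4] = { fsname, dir, type, opts };
    for (int i = 0; i < 4; i++) {
        int rc = use_alloca ? put_field_alloca(fp, fields[i])
                            : put_escaped(fp, fields[i]);
        if (rc < 0 || fputc(' ', fp) == EOF)
            return -1;
    }
    return fprintf(fp, "%d %d\n", freq, passno) < 0 ? -1 : 0;
}

/* Format a record into a malloc'd string (caller frees) via a tmpfile, so
   the output can be inspected without touching a real mtab.  NULL on error. */
char *format_mntent(int use_alloca, const char *fsname, const char *dir,
                    const char *type, const char *opts, int freq, int passno)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    char *buf = NULL;
    long len;
    if (write_record(fp, use_alloca, fsname, dir, type, opts, freq, passno) == 0
        && fflush(fp) == 0 && (len = ftell(fp)) >= 0
        && (buf = malloc((size_t)len + 1)) != NULL) {
        rewind(fp);
        size_t got = fread(buf, 1, (size_t)len, fp);
        buf[got] = '\0';
    }
    fclose(fp);
    return buf;
}

/* Reader side, for the round trip: decode \ooo escapes in place, return s. */
char *unescape_field(char *s)
{
    char *w = s;
    for (const char *r = s; *r != '\0';) {
        if (r[0] == '\\' && r[1] >= '0' && r[1] <= '7'
            && r[2] >= '0' && r[2] <= '7' && r[3] >= '0' && r[3] <= '7') {
            *w++ = (char)(((r[1] - '0') << 6) | ((r[2] - '0') << 3) | (r[3] - '0'));
            r += 4;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
    return s;
}

/* Demo: a directory name containing a space and a backslash, written safely. */
int main(void)
{
    char *rec = format_mntent(0, "/dev/sda1", "/mnt/my dir\\x", "ext4",
                              "rw,noatime", 0, 2);
    if (rec == NULL)
        return 1;
    fputs(rec, stdout);
    free(rec);
    return 0;
}
```

For short fields both paths produce the identical record, which is the point: the fix changes nothing about the on-disk format, only where the escaped bytes live while being produced. Feeding the reproducer's 2 GiB field through put_field_alloca would exhaust the stack exactly as addmntent did before 2.33, which is why the demo never runs the alloca path on anything but short input.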