public inbox for glibc-bugs@sourceware.org
* [Bug libc/27083] New: Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-16 14:12 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

            Bug ID: 27083
           Summary: Unsafe unbounded alloca in addmntent
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: siddhesh at sourceware dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

addmntent duplicates strings in its input struct mntent using alloca due to
which very long strings could blow up the stack.

Example:

#include <stdlib.h>
#include <mntent.h>
#include <stdio.h>
#include <string.h>

/* Each of the four string fields is 2 GiB; addmntent makes an alloca copy
   of every one of them, which is what blows up the stack. */
#define LARGE_VALUE (2*1024*1024*1024ULL)

/* Return a LARGE_VALUE-byte NUL-terminated string of spaces, or exit, so a
   failed allocation is not mistaken for the stack overflow being shown. */
static char *huge_field (void)
{
  char *p = calloc (LARGE_VALUE, 1);
  if (p == NULL)
    {
      perror ("calloc");
      exit (1);
    }
  memset (p, ' ', LARGE_VALUE - 1);
  return p;
}

int main (void) {
  FILE *f = fopen ("/dev/null", "w");
  struct mntent bad;

  if (f == NULL)
    {
      perror ("fopen");
      return 1;
    }

  bad.mnt_fsname = huge_field ();
  bad.mnt_dir = huge_field ();
  bad.mnt_type = huge_field ();
  bad.mnt_opts = huge_field ();
  bad.mnt_freq = 1;
  bad.mnt_passno = 2;

  /* With the unfixed addmntent the alloca copies of these fields overflow the stack. */
  addmntent (f, &bad);

  endmntent (f);

  return 0;
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug libc/27083] Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-16 14:18 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |siddhesh at sourceware dot org


* [Bug libc/27083] Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-16 16:32 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

--- Comment #1 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
It is unlikely for this bug to have a security impact given the very limited
use of the function.


* [Bug libc/27083] Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-18 16:04 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

--- Comment #2 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
To elaborate on my previous comment, the glibc Security Process[1] specifies
that stack overflows due to an unbounded alloca may be considered a security
issue if the data triggering the overflow could come from an untrusted source. 
Our assessment is that this is not true for addmntent, i.e. applications using
addmntent already run in a trusted context.  We can revisit this if it is found
that this is not true.

[1] https://sourceware.org/glibc/wiki/Security%20Process


* [Bug libc/27083] Unsafe unbounded alloca in addmntent
From: siddhesh at sourceware dot org @ 2020-12-22 16:05 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27083

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.33
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Fixed in master:

commit 9798906a426fc458b949271bcc9b8ad1608de867 (HEAD -> master)
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Dec 22 17:18:12 2020 +0530

    addmntent: Remove unbounded alloca usage from getmntent [BZ#27083]

    The addmntent function replicates elements of struct mnt on stack
    using alloca, which is unsafe.  Put characters directly into the
    stream, escaping them as they're being written out.

    Also add a test to check all escaped characters with addmntent and
    getmntent.

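The fix in Comment #3 replaces the alloca copies described in the original report with writing each field straight to the stream, escaping as it goes. The following is an added illustration of that approach, not glibc's own code: it assumes glibc's <mntent.h> and POSIX open_memstream, and uses the octal escapes (\040 space, \011 tab, \012 newline, \134 backslash) that getmntent decodes, so field length no longer affects stack usage.

```c
#define _GNU_SOURCE
#include <mntent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Write one field, escaping space/tab/newline/backslash as the octal codes
   getmntent decodes.  Bytes go straight to the stream: no stack copy. */
static int put_escaped(FILE *fp, const char *s)
{
    for (; *s != '\0'; s++) {
        const char *esc = NULL;
        switch (*s) {
        case ' ':  esc = "\\040"; break;
        case '\t': esc = "\\011"; break;
        case '\n': esc = "\\012"; break;
        case '\\': esc = "\\134"; break;
        }
        if (esc != NULL ? fputs(esc, fp) == EOF : fputc(*s, fp) == EOF)
            return -1;
    }
    return 0;
}

/* Emit one fstab/mtab line in the layout addmntent uses; 0 on success. */
int write_mntent_line(FILE *fp, const struct mntent *m)
{
    if (put_escaped(fp, m->mnt_fsname) < 0 || fputc(' ', fp) == EOF
        || put_escaped(fp, m->mnt_dir) < 0 || fputc(' ', fp) == EOF
        || put_escaped(fp, m->mnt_type) < 0 || fputc(' ', fp) == EOF
        || put_escaped(fp, m->mnt_opts) < 0
        || fprintf(fp, " %d %d\n", m->mnt_freq, m->mnt_passno) < 0)
        return -1;
    return 0;
}

/* Render a constructed sample entry (a space in mnt_fsname, a backslash in
   mnt_dir) into a heap buffer via open_memstream; caller frees; NULL on error. */
char *render_sample(void)
{
    struct mntent m = { .mnt_fsname = "dev a", .mnt_dir = "/mnt/x\\y",
                        .mnt_type = "ext4", .mnt_opts = "rw,noatime",
                        .mnt_freq = 0, .mnt_passno = 1 };
    char *buf = NULL; size_t len = 0;
    FILE *fp = open_memstream(&buf, &len);
    if (fp == NULL) return NULL;
    int rc = write_mntent_line(fp, &m);
    if (fclose(fp) == EOF || rc < 0) { free(buf); return NULL; }
    return buf;
}
```

A field of any size, including the 2 GiB ones in the reproducer, now costs only stream writes, and getmntent reads the escaped line back to the original strings.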
