public inbox for glibc-bugs@sourceware.org
* [Bug stdio/27124] New: libio vtable hardening bypass via obstack files
From: willcoster at gmail dot com
Date: 2020-12-28 23:15 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27124

            Bug ID: 27124
           Summary: libio vtable hardening bypass via obstack files
           Product: glibc
           Version: 2.32
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: willcoster at gmail dot com
  Target Milestone: ---

It is possible to bypass existing libio vtable hardening by using the
_IO_obstack_jumps vtable and a forged obstack. The obstack struct contains
unmangled pointers to a custom allocator [1] which is used when growing an
obstack [2, 3, 4]. Both of the methods listed in the _IO_obstack_jumps vtable
attempt to grow an obstack when certain conditions are met [5, 6].

This is similar to Bug 23236 and would allow an attacker with the ability to
corrupt FILE objects to gain code execution. I have tested and confirmed that
this works on glibc 2.32.

I am filing this in the public tracker in accordance with the guidance that
hardening bypasses are not considered security issues in and of themselves [7].

[1] https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/obstack.h;h=4b1ba80047b378fa63739e5dbbbf748ca026e197;hb=refs/heads/release/2.32/master#l153
[2] https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/obstack.h;h=4b1ba80047b378fa63739e5dbbbf748ca026e197;hb=refs/heads/release/2.32/master#l296
[3] https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/obstack.c;h=0d652be9f5d4c0e88e55bf84bbc1053c20d7ce83;hb=refs/heads/release/2.32/master#l261
[4] https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/obstack.c;h=0d652be9f5d4c0e88e55bf84bbc1053c20d7ce83;hb=refs/heads/release/2.32/master#l121
[5] https://sourceware.org/git/?p=glibc.git;a=blob;f=libio/obprintf.c;h=e440cd74c3caf3ee5bbfec9aa1e3ff880f0b3fb7;hb=refs/heads/release/2.32/master#l48
[6] https://sourceware.org/git/?p=glibc.git;a=blob;f=libio/obprintf.c;h=e440cd74c3caf3ee5bbfec9aa1e3ff880f0b3fb7;hb=refs/heads/release/2.32/master#l76
[7] https://sourceware.org/glibc/wiki/Security%20Exceptions#Post-exploitation_countermeasures

-- 
You are receiving this mail because:
You are on the CC list for the bug.
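The mechanism the report describes, shown through the public obstack API as an added example (this program is not part of the bug report or of glibc): an obstack set up with obstack_specify_allocation keeps the caller's chunk allocator and free function as plain, unmangled function pointers inside struct obstack (the fields reference [1] points at), and obstack_printf calls that allocator whenever the object outgrows its current chunk (references [2] through [6]). The counting allocator, the function names and the chunk and payload sizes are constructed for the example; it needs glibc for obstack.h and the GNU obstack_printf extension, and it uses no forged FILE objects. The point for a maintainer is that these pointers live in a caller-owned struct with no PTR_MANGLE protection, so their integrity is only that of the struct itself, which is why steering a corrupted FILE into this path mattered and why glibc 2.37 removing the libio vtable for obstack files closes it.

```c
/* Added example (not from the bug report or glibc): observe that the custom
 * chunk allocator registered in a struct obstack is the function invoked by
 * obstack_printf when the object outgrows its chunk.  Requires glibc.
 * Build: gcc -Wall -o obstack_grow obstack_grow.c */
#define _GNU_SOURCE          /* obstack_printf is a GNU extension */
#include <obstack.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototype so the build does not depend on feature-macro order. */
extern int obstack_printf(struct obstack *obstack, const char *format, ...);

/* Constructed counting allocator.  obstack_specify_allocation stores these
 * two function pointers unmangled in the obstack's chunkfun/freefun fields. */
static int chunk_alloc_calls;
static int chunk_free_calls;

static void *counting_chunk_alloc(size_t n)
{
    chunk_alloc_calls++;
    return malloc(n);
}

static void counting_chunk_free(void *p)
{
    chunk_free_calls++;
    free(p);
}

/* Creates an obstack whose chunks are initial_chunk bytes, writes a
 * payload_len-byte string into it with obstack_printf, and returns how many
 * times the custom allocator was called (the initial chunk included), or -1
 * if the obstack did not end up holding the expected string. */
int obstack_growth_calls(size_t initial_chunk, size_t payload_len)
{
    struct obstack ob;
    chunk_alloc_calls = 0;
    chunk_free_calls = 0;

    /* Register the custom allocator; alignment 0 selects the default. */
    obstack_specify_allocation(&ob, initial_chunk, 0,
                               counting_chunk_alloc, counting_chunk_free);

    char *payload = malloc(payload_len + 1);
    if (payload == NULL) {
        obstack_free(&ob, NULL);
        return -1;
    }
    memset(payload, 'A', payload_len);
    payload[payload_len] = '\0';

    /* obstack_printf is the libio entry point the report discusses; any
     * growth it needs goes through the allocator pointer stored in ob. */
    int written = obstack_printf(&ob, "%s", payload);
    obstack_1grow(&ob, '\0');
    char *result = obstack_finish(&ob);

    int ok = written == (int) payload_len && strcmp(result, payload) == 0;
    free(payload);
    obstack_free(&ob, NULL);   /* releases every chunk via counting_chunk_free */

    return ok ? chunk_alloc_calls : -1;
}

/* Returns 1 if every chunk handed out by chunkfun was released via freefun
 * during the most recent obstack_growth_calls run. */
int allocator_balanced(void)
{
    return chunk_alloc_calls == chunk_free_calls;
}

int main(void)
{
    int small = obstack_growth_calls(4096, 10);   /* fits in the first chunk */
    int large = obstack_growth_calls(64, 4000);   /* must grow at least once */
    printf("allocator calls: 10-byte payload in 4096-byte chunk = %d, "
           "4000-byte payload in 64-byte chunk = %d, balanced = %d\n",
           small, large, allocator_balanced());
    return (small >= 1 && large >= 2 && allocator_balanced()) ? 0 : 1;
}
```

Running it on a glibc system shows the allocator being called once for the initial chunk and again when the 4000-byte payload forces growth; the same counts are observed on glibc 2.37 and later, because the obstack API still uses the caller's allocator, only the libio vtable path to it is gone.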
* [Bug stdio/27124] libio vtable hardening bypass via obstack files
From: fweimer at redhat dot com
Date: 2022-04-26 9:18 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27124

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Patch posted:

[PATCH 25/26] libio: Convert __obstack_vprintf_internal to buffers (bug 27124)
<https://sourceware.org/pipermail/libc-alpha/2022-March/137157.html>
* [Bug stdio/27124] libio vtable hardening bypass via obstack files
From: cvs-commit at gcc dot gnu.org
Date: 2022-12-19 18:56 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27124

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5365acc567a49270b4341b9d325794ec554258d9

commit 5365acc567a49270b4341b9d325794ec554258d9
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Dec 19 18:56:55 2022 +0100

    libio: Convert __obstack_vprintf_internal to buffers (bug 27124)

    This fixes bug 27124 because the problematic built-in vtable is gone.

    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* [Bug stdio/27124] libio vtable hardening bypass via obstack files
From: fweimer at redhat dot com
Date: 2023-07-05 8:30 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27124

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-
   Target Milestone|---                         |2.37
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in glibc 2.37.