public inbox for glibc-bugs@sourceware.org
* [Bug libc/28011] New: Wild read in wordexp (parse_param)
From: p.antoine at catenacyber dot fr @ 2021-06-25 12:24 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28011
Bug ID: 28011
Summary: Wild read in wordexp (parse_param)
Product: glibc
Version: 2.23
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: p.antoine at catenacyber dot fr
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Found by oss-fuzz
Quick reproducer is:
```
#include <wordexp.h>

int main(void) {
    wordexp_t p;
    /* The mail archive wrapped this literal across lines; it is rejoined here
       as adjacent string pieces, with a single space at each wrap point
       except the one that split the \xb1 escape. */
    int ret = wordexp(
        "\"data:888888888888888888888888888888e},},${8888888888888##sioiondata:ap "
        "gi37 "
        "},},{8888888888SSSSSSSSSSSSSS88883********888888888888888888888888888888e},},{8888888888888 "
        "##sioiondata:ap gi37 "
        "TTTT05T98TTTT047798T\xff\xff\xff\xd1\xff\xff\xff"
        "\xb1TTTTT9TT//////// /Y/ 80371588u40)2961kata:888##sioiondata>ap )",
        &p, 0);
    return ret;
}
```
Stack trace is
```
==797==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff8ed1c2b28 (pc 0x7f11b008eee0 bp 0x616000001880 sp 0x7ffc14979fa0 T0)
==797==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x7f11b008eee0 in parse_param /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:1466
    #1 0x7f11b008eee0 in parse_dollars /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2112
    #2 0x7f11b0090ed7 in parse_dquote /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2198
    #3 0x7f11b0090ed7 in wordexp /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2379
```
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug libc/28011] Wild read in wordexp (parse_param)
From: fweimer at redhat dot com @ 2021-06-25 13:31 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28011
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
* [Bug libc/28011] Wild read in wordexp (parse_param)
From: schwab@linux-m68k.org @ 2021-06-27 17:39 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28011
Andreas Schwab <schwab@linux-m68k.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.34
Resolution|--- |FIXED
Status|UNCONFIRMED |RESOLVED
--- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> ---
Fixed in 2.34.
* [Bug libc/28011] Wild read in wordexp (parse_param)
From: p.antoine at catenacyber dot fr @ 2021-06-27 19:44 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28011
--- Comment #2 from Philippe Antoine <p.antoine at catenacyber dot fr> ---
Thanks Andreas
* [Bug libc/28011] Wild read in wordexp (parse_param)
From: siddhesh at sourceware dot org @ 2021-06-29 16:01 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28011
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags| |security+
CC| |siddhesh at sourceware dot org
* [Bug libc/28011] Wild read in wordexp (parse_param) (CVE-2021-35942)
From: siddhesh at sourceware dot org @ 2021-06-30 4:17 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28011
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2021-35942
Summary|Wild read in wordexp |Wild read in wordexp
|(parse_param) |(parse_param)
| |(CVE-2021-35942)
* [Bug libc/28011] Wild read in wordexp (parse_param) (CVE-2021-35942)
From: siddhesh at sourceware dot org @ 2021-06-30 4:27 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28011
--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
The fix:
From: Andreas Schwab <schwab@linux-m68k.org>
Date: Fri, 25 Jun 2021 13:02:47 +0000 (+0200)
Subject: wordexp: handle overflow in positional parameter number (bug 28011)
X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c
wordexp: handle overflow in positional parameter number (bug 28011)
Use strtoul instead of atoi so that overflow can be detected.
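The overflow handling named in the commit subject above, as an added C example that is not the glibc patch and not code from this thread: it contrasts a positional-parameter number narrowed to `int` with an overflow-aware `strtoul` lookup. The helper names (`narrowed_index`, `narrowed_check_accepts`, `positional_param`) and the sample argument vector are hypothetical; the narrowing model assumes the modulo-2^32 conversion that gcc and clang implement.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Model of a long digit run squeezed into an int (hypothetical helper;
   atoi itself has undefined behaviour when the value does not fit). */
static int narrowed_index(const char *digits)
{
    long long v = strtoll(digits, NULL, 10);
    return (int)(uint32_t)v;          /* wraps modulo 2^32 on gcc/clang */
}

/* A bounds check written against the narrowed value: a negative index
   slips past "n >= argc". Returns 1 if the index would be accepted. */
static int narrowed_check_accepts(const char *digits, int argc)
{
    int n = narrowed_index(digits);
    return !(n >= argc);
}

/* Overflow-aware lookup: parse as unsigned long and treat ERANGE or
   n >= argc as "no such parameter". Assumes digits holds only 0-9. */
static const char *positional_param(const char *digits, char **argv, int argc)
{
    char *end;
    errno = 0;
    unsigned long n = strtoul(digits, &end, 10);
    if (end == digits || errno == ERANGE)
        return NULL;                  /* nothing parsed, or overflow */
    if (argc < 0 || n >= (unsigned long)argc)
        return NULL;                  /* out of range: substitute nothing */
    return argv[n];
}

int main(void)
{
    char *argv_sample[] = { "prog", "first", NULL };  /* constructed input */
    const char *big = "8888888888888";   /* digit run from the reproducer */
    if (!narrowed_check_accepts(big, 2)) return 1;  /* narrowed value passes */
    if (positional_param(big, argv_sample, 2) != NULL) return 2;
    if (positional_param("1", argv_sample, 2) != argv_sample[1]) return 3;
    return 0;
}
```
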