[Bug libc/29444] gmon memory corruption due wrong calculation of required buffer size

["siddhesh at sourceware dot org" <sourceware-bugzilla@sourceware.org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=29444

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at sourceware dot org
              Flags|                            |security-

--- Comment #11 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
The only way to induce this buffer overflow is to modify the callgraph of an
application that is built with these options(In reply to Leo Yuriev from
comment #10)
> (In reply to Florian Weimer from comment #9)
> > (In reply to Ismail Donmez from comment #8)
> > > Will the glibc maintainers reject the assigned CVE? I don't see how this is
> > > exploitable.
> > 
> > Agreed. I expect us to file a DISPUTE request with MITRE later today.
> 
> Yes, it is not exploitable in usual/common cases.
> 
> However, this bug can be exploited in rare specific scenarios when
> monstartup() and moncontrol() are called explicitly to collect statistics
> from a part of modules compiled with the corresponding options (nonetheless,
> I cannot disclose information about affected software either show the
> exploit).

The inputs that induce this buffer overflow are basically addresses of the
running application that is built with gmon enabled *and* with the patch for
bug 29438, so it's basically trusted input or input that needs an actual
security flaw to be compromised or controlled.  The bug needs to be fixed, but
there's no security issue here.

-- 
You are receiving this mail because:
You are on the CC list for the bug.