From: "dimosxakis0 at gmail dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/29710] New: Multiple integer overflows on 'memusage.c'
Date: Thu, 20 Oct 2022 19:06:00 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29710

            Bug ID: 29710
           Summary: Multiple integer overflows on 'memusage.c'
           Product: glibc
           Version: 2.36
            Status: UNCONFIRMED
          Severity: minor
          Priority: P2
         Component: malloc
          Assignee: unassigned at sourceware dot org
          Reporter: dimosxakis0 at gmail dot com
  Target Milestone: ---

Multiple integer overflows exist on the malloc/calloc wrapper implementations on 'memusage.c'.
  void *
  calloc (size_t n, size_t len)
  {
    struct header *result;
    size_t size = n * len;   // (1)
    ...
    /* Do the real work.  */
    result = (struct header *) (*mallocp)(size + sizeof (struct header));   // (2)
    ...
    return memset (result + 1, '\0', size);
  }

At (1) there is no check for integer overflow. At (2) size is also padded with a header size that might cause an additional integer overflow if (1) is fixed. Eventually the computed size will be passed to the real malloc which will return a small chunk instead of failing with NULL.

Similarly in the malloc wrapper there is another integer overflow:

  void *
  malloc (size_t len)
  {
    ...
    /* Do the real work.  */
    result = (struct header *) (*mallocp)(len + sizeof (struct header));   // (3)
    ...
    /* Return the pointer to the user buffer.  */
    return (void *) (result + 1);
  }

At (3) len is padded with the size of the header which may cause an integer overflow, returning a small chunk instead of failing with NULL.

Fortunately libmemusage.so, as far as I know, is only used from the Linux memusage command, which is rarely used by anyone in practice.

The only scenario in which this could possibly introduce a security risk to a system is if attacker-controllable input is passed to a program that is being profiled with the 'memusage' command. If the attacker controls any malloc/calloc size fields then he could cause a heap overflow and possibly compromise the system. This is unlikely due to the rare usage of memusage.

A PoC example that can be used to verify this behavior is given below:

  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  int main(int argc, char** argv)
  {
      char* overflow_chunk = malloc(0xffffffffffffffff);
      char* overflowed_chunk = malloc(0x18);

      if(overflow_chunk != NULL) {
          // If we reached this far this is bad. Possible corruption ahead of us.
          memset(overflow_chunk, 'A', 40);
      } else {
          puts("malloc() failed as it should in this case.");
      }

      // Should cause an abort due to chunk size corruption in case of an integer overflow.
      free(overflowed_chunk);
      free(overflow_chunk);
      return 0;
  }

Running the above program with:

  $ gcc test.c -o a.out
  $ memusage ./a.out

We should get an abort like this:

  double free or corruption (out)

-- 
You are receiving this mail because:
You are on the CC list for the bug.