public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping @ 2022-10-27 11:42 nsz at gcc dot gnu.org 2022-11-02 15:47 ` [Bug locale/29727] " cvs-commit at gcc dot gnu.org 2022-11-04 9:36 ` nsz at gcc dot gnu.org 0 siblings, 2 replies; 3+ messages in thread From: nsz at gcc dot gnu.org @ 2022-10-27 11:42 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=29727 Bug ID: 29727 Summary: __strtol_internal out-of-bounds read when parsing thousands grouping Product: glibc Version: 2.35 Status: NEW Severity: normal Priority: P2 Component: locale Assignee: unassigned at sourceware dot org Reporter: nsz at gcc dot gnu.org Target Milestone: --- __correctly_grouped_prefixmb reads past end if the locale specific thousands separator is more than 1 byte. crash can be triggered via __strto{l,ll,ul,ull}_internal and __strto{f,d,ld}_internal. plain strtol and strtof don't parse grouping, scanf %'d and %'f do, but scanf parses from an internal buffer in a way such that OOB read unlikely to cause a crash. e.g. using LC_NUMERIC=cs_CZ.UTF-8 the following code crashes #include <locale.h> #include <stdio.h> #include <sys/mman.h> long __strtol_internal(const char *, char **, int, int, locale_t); int main() { if(setlocale(LC_ALL,"")==0) return -1; char *p = mmap(0, 4096*2, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); mprotect(p, 4096, PROT_READ|PROT_WRITE); char *s = p + 4096 - 2; s[0] = '1'; s[1] = 0; int x; sscanf(s, "%'d", &x); // may copy s printf("%d\n", x); x = __strtol_internal(s, 0, 0, 1, LC_GLOBAL_LOCALE); // segfaults printf("%d\n", x); } -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug locale/29727] __strtol_internal out-of-bounds read when parsing thousands grouping 2022-10-27 11:42 [Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping nsz at gcc dot gnu.org @ 2022-11-02 15:47 ` cvs-commit at gcc dot gnu.org 2022-11-04 9:36 ` nsz at gcc dot gnu.org 1 sibling, 0 replies; 3+ messages in thread From: cvs-commit at gcc dot gnu.org @ 2022-11-02 15:47 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=29727 --- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> --- The master branch has been updated by Szabolcs Nagy <nsz@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=17bfe5954baee1f18672aea94caa1126ec36fb81 commit 17bfe5954baee1f18672aea94caa1126ec36fb81 Author: Szabolcs Nagy <szabolcs.nagy@arm.com> Date: Tue Oct 11 15:24:41 2022 +0100 Fix OOB read in stdlib thousand grouping parsing [BZ #29727] __correctly_grouped_prefixmb only worked with thousands_len == 1, otherwise it read past the end of cp or thousands. This affects scanf formats like %'d, %'f and the internal but exposed __strto{l,ul,f,d,..}_internal with grouping flag set and an LC_NUMERIC locale where thousands_len > 1. Avoid OOB access by considering thousands_len when initializing cp. This fixes bug 29727. Found by the morello port with strict bounds checking where FAIL: stdlib/tst-strtod4 FAIL: stdlib/tst-strtod5i crashed using a locale with thousands_len==3. -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug locale/29727] __strtol_internal out-of-bounds read when parsing thousands grouping 2022-10-27 11:42 [Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping nsz at gcc dot gnu.org 2022-11-02 15:47 ` [Bug locale/29727] " cvs-commit at gcc dot gnu.org @ 2022-11-04 9:36 ` nsz at gcc dot gnu.org 1 sibling, 0 replies; 3+ messages in thread From: nsz at gcc dot gnu.org @ 2022-11-04 9:36 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=29727 Szabolcs Nagy <nsz at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|NEW |RESOLVED Target Milestone|--- |2.37 --- Comment #2 from Szabolcs Nagy <nsz at gcc dot gnu.org> --- fixed for 2.37 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-04 9:36 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-10-27 11:42 [Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping nsz at gcc dot gnu.org 2022-11-02 15:47 ` [Bug locale/29727] " cvs-commit at gcc dot gnu.org 2022-11-04 9:36 ` nsz at gcc dot gnu.org
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).