public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping
@ 2022-10-27 11:42 nsz at gcc dot gnu.org
2022-11-02 15:47 ` [Bug locale/29727] " cvs-commit at gcc dot gnu.org
2022-11-04 9:36 ` nsz at gcc dot gnu.org
0 siblings, 2 replies; 3+ messages in thread
From: nsz at gcc dot gnu.org @ 2022-10-27 11:42 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29727
Bug ID: 29727
Summary: __strtol_internal out-of-bounds read when parsing
thousands grouping
Product: glibc
Version: 2.35
Status: NEW
Severity: normal
Priority: P2
Component: locale
Assignee: unassigned at sourceware dot org
Reporter: nsz at gcc dot gnu.org
Target Milestone: ---
__correctly_grouped_prefixmb reads past end if the locale specific thousands
separator is more than 1 byte.
crash can be triggered via __strto{l,ll,ul,ull}_internal and
__strto{f,d,ld}_internal.
plain strtol and strtof don't parse grouping, scanf %'d and %'f do, but scanf
parses from an internal buffer in a way such that OOB read unlikely to cause a
crash.
e.g. using LC_NUMERIC=cs_CZ.UTF-8 the following code crashes
#include <locale.h>
#include <stdio.h>
#include <sys/mman.h>
long __strtol_internal(const char *, char **, int, int, locale_t);
int main()
{
if(setlocale(LC_ALL,"")==0) return -1;
char *p = mmap(0, 4096*2, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
mprotect(p, 4096, PROT_READ|PROT_WRITE);
char *s = p + 4096 - 2;
s[0] = '1';
s[1] = 0;
int x;
sscanf(s, "%'d", &x); // may copy s
printf("%d\n", x);
x = __strtol_internal(s, 0, 0, 1, LC_GLOBAL_LOCALE); // segfaults
printf("%d\n", x);
}
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug locale/29727] __strtol_internal out-of-bounds read when parsing thousands grouping
2022-10-27 11:42 [Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping nsz at gcc dot gnu.org
@ 2022-11-02 15:47 ` cvs-commit at gcc dot gnu.org
2022-11-04 9:36 ` nsz at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-11-02 15:47 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29727
--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Szabolcs Nagy <nsz@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=17bfe5954baee1f18672aea94caa1126ec36fb81
commit 17bfe5954baee1f18672aea94caa1126ec36fb81
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Tue Oct 11 15:24:41 2022 +0100
Fix OOB read in stdlib thousand grouping parsing [BZ #29727]
__correctly_grouped_prefixmb only worked with thousands_len == 1,
otherwise it read past the end of cp or thousands.
This affects scanf formats like %'d, %'f and the internal but
exposed __strto{l,ul,f,d,..}_internal with grouping flag set
and an LC_NUMERIC locale where thousands_len > 1.
Avoid OOB access by considering thousands_len when initializing cp.
This fixes bug 29727.
Found by the morello port with strict bounds checking where
FAIL: stdlib/tst-strtod4
FAIL: stdlib/tst-strtod5i
crashed using a locale with thousands_len==3.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug locale/29727] __strtol_internal out-of-bounds read when parsing thousands grouping
2022-10-27 11:42 [Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping nsz at gcc dot gnu.org
2022-11-02 15:47 ` [Bug locale/29727] " cvs-commit at gcc dot gnu.org
@ 2022-11-04 9:36 ` nsz at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: nsz at gcc dot gnu.org @ 2022-11-04 9:36 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29727
Szabolcs Nagy <nsz at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
Target Milestone|--- |2.37
--- Comment #2 from Szabolcs Nagy <nsz at gcc dot gnu.org> ---
fixed for 2.37
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-04 9:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-27 11:42 [Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping nsz at gcc dot gnu.org
2022-11-02 15:47 ` [Bug locale/29727] " cvs-commit at gcc dot gnu.org
2022-11-04 9:36 ` nsz at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).