From: "zhuorong.lin at outlook dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug nptl/29755] New: pthread_getname_np() have out-of-bounds memory access
Date: Mon, 07 Nov 2022 07:26:56 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29755

            Bug ID: 29755
           Summary: pthread_getname_np() have out-of-bounds memory access
           Product: glibc
           Version: 2.34
            Status: UNCONFIRMED
          Severity: minor
          Priority: P2
         Component: nptl
          Assignee: unassigned at sourceware dot org
          Reporter: zhuorong.lin at outlook dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

When the return value of buf is n = 0, the following buf[n-1] will be an
out-of-bounds memory access:

#define FMT "/proc/self/task/%u/comm"
  char fname[sizeof (FMT) + 8];
  sprintf (fname, FMT, (unsigned int) pd->tid);

  int fd = __open64_nocancel (fname, O_RDONLY);
  if (fd == -1)
    return errno;

  int res = 0;
  ssize_t n = TEMP_FAILURE_RETRY (__read_nocancel (fd, buf, len)); // if n == 0
  if (n < 0)
    res = errno;
  else
    {
      if (buf[n - 1] == '\n') // out-of-bounds memory access
        buf[n - 1] = '\0';
      else if (n == len)
        res = ERANGE;
      else
        buf[n] = '\0';
    }

  __close_nocancel_nostatus (fd);

-- 
You are receiving this mail because:
You are on the CC list for the bug.
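
The termination logic quoted in the report, with a guard for n == 0, as an added example that is not glibc's code and not its eventual fix. terminate_comm and run_case are hypothetical names, the EIO return and the empty-name policy for a zero-length read are assumptions, and the inputs in the harness are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical helper, not a glibc function: the report's post-read
   logic applied to n bytes already in buf, plus a guard for n == 0.  */
int terminate_comm (char *buf, size_t len, ssize_t n)
{
  if (n < 0) return EIO;        /* stand-in for the saved errno */
  if (n == 0)
    {
      /* Nothing was read, so buf[n - 1] would be buf[-1].  Assumed
         policy: empty name, or ERANGE when there is no room for it.  */
      if (len == 0) return ERANGE;
      buf[0] = '\0';
    }
  else if (buf[n - 1] == '\n')
    buf[n - 1] = '\0';
  else if ((size_t) n == len)
    return ERANGE;
  else
    buf[n] = '\0';
  return 0;
}

/* Constructed harness: pretends read() stored data in a len-byte buffer
   with a '\n' guard byte directly in front of it, the byte the reported
   code would test and overwrite when n == 0.  -1 means a guard changed.  */
int run_case (const char *data, size_t len, char out[64])
{
  unsigned char area[1 + 64 + 1];
  char *buf = (char *) area + 1;
  size_t n = strlen (data) < len ? strlen (data) : len;
  if (len > 64) return -1;
  memset (area, 0x55, sizeof area);
  area[0] = '\n';
  memcpy (buf, data, n);
  int res = terminate_comm (buf, len, (ssize_t) n);
  if (area[0] != '\n' || area[1 + len] != 0x55) return -1;
  if (res == 0) memcpy (out, buf, strlen (buf) + 1);
  return res;
}

int main (void)
{
  char name[64] = "";
  printf ("empty read: res=%d name=\"%s\"\n", run_case ("", 16, name), name);
  return 0;
}
```

The guard byte in front of the buffer is set to '\n' because that is the value for which the quoted code would not only read buf[-1] but also write '\0' to it.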