public inbox for glibc-bugs@sourceware.org
* [Bug locale/30443] New: heap overflow in duplocale
From: fasdfasdas at gmail dot com @ 2023-05-12 18:27 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30443

            Bug ID: 30443
           Summary: heap overflow in duplocale
           Product: glibc
           Version: 2.31
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: locale
          Assignee: unassigned at sourceware dot org
          Reporter: fasdfasdas at gmail dot com
  Target Milestone: ---

The issue appears to be an overflow in locale handling code that I've
experienced while using the json-c library.

The problem happens when I launch the program with LC_ALL=en_US.UTF-8, but does
not happen if I launch it with LC_ALL=C.

Here's the simplified valgrind output:

==585411== Thread 117:
==585411== Invalid write of size 1
==585411==    at 0x483EFB4: stpcpy (vg_replace_strmem.c:1155)
==585411==    by 0x517210F: duplocale (duplocale.c:74)
==585411==    by 0x4BEF3B0: json_tokener_parse_ex (in
/usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
==585411==    by 0x4BF1B16: json_tokener_parse_verbose (in
/usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
==585411==    by 0x4BF1B7D: json_tokener_parse (in
/usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0
...
==585411==  Address 0x64d1078 is 0 bytes after a block of size 232 alloc'd
==585411==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==585411==    by 0x51720D2: duplocale (duplocale.c:53)
==585411==    by 0x4BEF3B0: json_tokener_parse_ex (in
/usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
==585411==    by 0x4BF1B16: json_tokener_parse_verbose (in
/usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
==585411==    by 0x4BF1B7D: json_tokener_parse (in
/usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)

I've briefly skimmed the code and it looks like maybe the offset on [1] is not
accounted for during the malloc operation.

[1]:
https://github.com/lattera/glibc/blob/895ef79e04a953cac1493863bcae29ad85657ee1/locale/duplocale.c#L57

If it's not an obvious problem on that malloc/offset, then let me know and I
can probably try to come up with a small program to reproduce.

P.S. complete valgrind output looks VERY similar to the one in this report in
case it helps: https://bugzilla.redhat.com/show_bug.cgi?id=1658260

Glibc version is the one in debian-bullseye, 2.31-13+deb11u6
(glibc-2.31 + glibc_2.31-13+deb11u6 debian patches). Json-c version is 0.15
(https://github.com/json-c/json-c/blob/json-c-0.15-20200726/json_tokener.c).

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug locale/30443] heap overflow in duplocale
From: fasdfasdas at gmail dot com @ 2023-05-12 18:27 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30443

Tolga HOŞGÖR <fasdfasdas at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |normal



* [Bug locale/30443] heap overflow in duplocale
From: fweimer at redhat dot com @ 2023-05-12 18:50 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30443

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Is the program multi-threaded? The valgrind output suggests it is.

Please check if there is a concurrent call to setlocale from another thread. In
glibc, setlocale is not thread-safe, so all kinds of bad things can happen if
it is used in a multi-threaded program. This is technically not a bug because
setlocale is not required to be thread-safe.



* [Bug locale/30443] heap overflow in duplocale
From: fasdfasdas at gmail dot com @ 2023-05-13  9:21 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30443

--- Comment #2 from Tolga HOŞGÖR <fasdfasdas at gmail dot com> ---
(In reply to Florian Weimer from comment #1)
> Is the program multi-threaded? The valgrind output suggests it is.

Yes it is.

> 
> Please check if there is a concurrent call to setlocale from another thread.
> In glibc, setlocale is not thread-safe, so all kinds of bad things can
> happen if it is used in a multi-threaded program. This is technically not a
> bug because setlocale is not required to be thread-safe.

Very good guess. Apparently, libnetsnmp's `init_snmp` calls `setlocale` from
another thread.

I've written a small set of hooks to get around this. Posting it here in case
it helps others. I'm not 100% sure whether giving exclusive access to setlocale
is enough but at least it seems to work for me so far.

```c
#define _GNU_SOURCE          /* needed for RTLD_NEXT */
#include <dlfcn.h>
#include <locale.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Serialises the locale calls: setlocale takes the write lock, the other three
 * take the read lock, so setlocale never runs while another thread is inside
 * duplocale/uselocale/freelocale.  The real functions are resolved with
 * RTLD_NEXT, so this code must be interposed ahead of libc (e.g. LD_PRELOAD). */
static pthread_once_t locale_hooks_init_once_flag  = PTHREAD_ONCE_INIT;
static pthread_rwlock_t locale_hooks_rwlock = PTHREAD_RWLOCK_INITIALIZER;

typedef char* (*setlocale_type)(int, const char*);
typedef locale_t (*duplocale_type)(locale_t);
typedef duplocale_type uselocale_type;
typedef void (*freelocale_type)(locale_t);

static setlocale_type real_setlocale = NULL;
static duplocale_type real_duplocale = NULL;
static uselocale_type real_uselocale = NULL;
static freelocale_type real_freelocale = NULL;

/* Resolve the libc implementations once; run via pthread_once from each hook. */
static void init_overrides(void) {
  real_setlocale = (setlocale_type)dlsym(RTLD_NEXT, "setlocale");
  if (!real_setlocale) {
    fprintf(stderr, "Error in `dlsym`: %s\n", dlerror());
    exit(EXIT_FAILURE);
  }

  real_duplocale = (duplocale_type)dlsym(RTLD_NEXT, "duplocale");
  if (!real_duplocale) {
    fprintf(stderr, "Error in `dlsym`: %s\n", dlerror());
    exit(EXIT_FAILURE);
  }

  real_uselocale = (uselocale_type)dlsym(RTLD_NEXT, "uselocale");
  if (!real_uselocale) {
    fprintf(stderr, "Error in `dlsym`: %s\n", dlerror());
    exit(EXIT_FAILURE);
  }

  real_freelocale = (freelocale_type)dlsym(RTLD_NEXT, "freelocale");
  if (!real_freelocale) {
    fprintf(stderr, "Error in `dlsym`: %s\n", dlerror());
    exit(EXIT_FAILURE);
  }
}

/* Exclusive access: setlocale rewrites the global locale. */
char* setlocale(int category, const char* locale) {
  char* ret;

  pthread_once(&locale_hooks_init_once_flag, init_overrides);
  pthread_rwlock_wrlock(&locale_hooks_rwlock);
  ret = real_setlocale(category, locale);
  pthread_rwlock_unlock(&locale_hooks_rwlock);

  return ret;
}

/* Shared access: readers may run concurrently, but never alongside setlocale. */
locale_t duplocale(locale_t locale) {
  locale_t ret;

  pthread_once(&locale_hooks_init_once_flag, init_overrides);
  pthread_rwlock_rdlock(&locale_hooks_rwlock);
  ret = real_duplocale(locale);
  pthread_rwlock_unlock(&locale_hooks_rwlock);

  return ret;
}

locale_t uselocale(locale_t locale) {
  locale_t ret;

  pthread_once(&locale_hooks_init_once_flag, init_overrides);
  pthread_rwlock_rdlock(&locale_hooks_rwlock);
  ret = real_uselocale(locale);
  pthread_rwlock_unlock(&locale_hooks_rwlock);

  return ret;
}

void freelocale(locale_t locale) {
  pthread_once(&locale_hooks_init_once_flag, init_overrides);
  pthread_rwlock_rdlock(&locale_hooks_rwlock);
  real_freelocale(locale);
  pthread_rwlock_unlock(&locale_hooks_rwlock);
}
```


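An added example, not code from this thread, glibc or json-c, showing the alternative to serialising the global locale as the hooks above do: each worker creates its own locale object with newlocale, switches only the calling thread with uselocale and never calls setlocale, so the race Florian describes has no shared state to race on. It assumes Linux/glibc and uses only the always-present "C" and "POSIX" locales; the struct and function names are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <locale.h>
#include <pthread.h>
#include <stdlib.h>
/* One parse task per thread; value and ok are filled in by the worker. */
struct parse_job { const char *locale_name; const char *text; double value; int ok; };

/* newlocale/uselocale/freelocale work on a private locale_t and switch the
 * calling thread only, so the process-global locale that setlocale() rewrites
 * is never touched from here. */
static void *parse_worker(void *arg)
{
    struct parse_job *job = arg;
    locale_t loc = newlocale(LC_ALL_MASK, job->locale_name, (locale_t)0);
    if (loc == (locale_t)0) {   /* locale not installed: fail, do not fall back to setlocale */
        job->ok = 0;
        return NULL;
    }
    locale_t previous = uselocale(loc);
    char *end = NULL;
    job->value = strtod(job->text, &end);
    job->ok = (end != job->text && *end == '\0');
    uselocale(previous);        /* restore this thread's earlier locale */
    freelocale(loc);
    return NULL;
}

/* Run every job on its own thread; returns 1 only if all jobs parsed cleanly. */
int parse_jobs_concurrently(struct parse_job *jobs, size_t count)
{
    pthread_t threads[count];
    size_t started = 0;
    while (started < count &&
           pthread_create(&threads[started], NULL, parse_worker, &jobs[started]) == 0)
        started++;
    int all_ok = (started == count);
    for (size_t i = 0; i < started; i++) {
        pthread_join(threads[i], NULL);
        all_ok = all_ok && jobs[i].ok;
    }
    return all_ok;
}
/* Constructed sample: two threads parse under "C" and "POSIX"; returns the sum, or -1.0 on failure. */
double sample_total(void)
{
    struct parse_job jobs[] = { { "C", "3.25", 0, 0 }, { "POSIX", "0.5", 0, 0 } };
    return parse_jobs_concurrently(jobs, 2) ? jobs[0].value + jobs[1].value : -1.0;
}
```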

* [Bug locale/30443] heap overflow in duplocale
From: fasdfasdas at gmail dot com @ 2023-05-13  9:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30443

Tolga HOŞGÖR <fasdfasdas at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #3 from Tolga HOŞGÖR <fasdfasdas at gmail dot com> ---
Closing as duplicate since there's already a request to make
setlocale/uselocale thread-safe.

*** This bug has been marked as a duplicate of bug 23970 ***

