public inbox for glibc-bugs@sourceware.org
* [Bug locale/30443] New: heap overflow in duplocale
@ 2023-05-12 18:27 fasdfasdas at gmail dot com
2023-05-12 18:27 ` [Bug locale/30443] " fasdfasdas at gmail dot com
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: fasdfasdas at gmail dot com @ 2023-05-12 18:27 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30443
Bug ID: 30443
Summary: heap overflow in duplocale
Product: glibc
Version: 2.31
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: locale
Assignee: unassigned at sourceware dot org
Reporter: fasdfasdas at gmail dot com
Target Milestone: ---
The issue appears to be an overflow in locale handling code that I've
experienced while using the json-c library.
The problem happens when I launch the program with LC_ALL=en_US.UTF-8, but does
not happen if I launch it with LC_ALL=C.
Here's the simplified valgrind output:
==585411== Thread 117:
==585411== Invalid write of size 1
==585411==    at 0x483EFB4: stpcpy (vg_replace_strmem.c:1155)
==585411==    by 0x517210F: duplocale (duplocale.c:74)
==585411==    by 0x4BEF3B0: json_tokener_parse_ex (in /usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
==585411==    by 0x4BF1B16: json_tokener_parse_verbose (in /usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
==585411==    by 0x4BF1B7D: json_tokener_parse (in /usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
...
==585411== Address 0x64d1078 is 0 bytes after a block of size 232 alloc'd
==585411==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==585411==    by 0x51720D2: duplocale (duplocale.c:53)
==585411==    by 0x4BEF3B0: json_tokener_parse_ex (in /usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
==585411==    by 0x4BF1B16: json_tokener_parse_verbose (in /usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
==585411==    by 0x4BF1B7D: json_tokener_parse (in /usr/lib/x86_64-linux-gnu/libjson-c.so.5.1.0)
I've briefly skimmed the code and it looks like maybe the offset on [1] is not
accounted for during the malloc operation.
[1]:
https://github.com/lattera/glibc/blob/895ef79e04a953cac1493863bcae29ad85657ee1/locale/duplocale.c#L57
If it's not an obvious problem on that malloc/offset, then let me know and I
can probably try to come up with a small program to reproduce.
P.S. complete valgrind output looks VERY similar to the one in this report in
case it helps: https://bugzilla.redhat.com/show_bug.cgi?id=1658260
Glibc version is the one in debian-bullseye, 2.31-13+deb11u6
(glibc-2.31 + glibc_2.31-13+deb11u6 debian patches). Json-c version is 0.15
(https://github.com/json-c/json-c/blob/json-c-0.15-20200726/json_tokener.c).
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug locale/30443] heap overflow in duplocale
2023-05-12 18:27 [Bug locale/30443] New: heap overflow in duplocale fasdfasdas at gmail dot com
@ 2023-05-12 18:27 ` fasdfasdas at gmail dot com
2023-05-12 18:50 ` fweimer at redhat dot com
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: fasdfasdas at gmail dot com @ 2023-05-12 18:27 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30443
Tolga HOŞGÖR <fasdfasdas at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|critical |normal
* [Bug locale/30443] heap overflow in duplocale
2023-05-12 18:27 [Bug locale/30443] New: heap overflow in duplocale fasdfasdas at gmail dot com
2023-05-12 18:27 ` [Bug locale/30443] " fasdfasdas at gmail dot com
@ 2023-05-12 18:50 ` fweimer at redhat dot com
2023-05-13 9:21 ` fasdfasdas at gmail dot com
2023-05-13 9:22 ` fasdfasdas at gmail dot com
3 siblings, 0 replies; 5+ messages in thread
From: fweimer at redhat dot com @ 2023-05-12 18:50 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30443
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Is the program multi-threaded? The valgrind output suggests it is.
Please check if there is a concurrent call to setlocale from another thread. In
glibc, setlocale is not thread-safe, so all kinds of bad things can happen if
it is used in a multi-threaded program. This is technically not a bug because
setlocale is not required to be thread-safe.
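The thread-safe route that the reply above leaves implicit, as an added example that is not code from the bug report, from glibc or from json-c (function names such as parse_number_locale_independent and run_parallel_parsers are this example's own, and the input string is constructed): the global locale is set once, before any thread exists, and every later locale switch goes through newlocale/uselocale, which act on per-thread state only. The contrast with the trace is the base locale: building the "C" locale from a (locale_t)0 base reads nothing from the global locale, whereas a duplocale of LC_GLOBAL_LOCALE (what the trace's json_tokener_parse_ex call amounts to for a thread that never installed a private locale) copies the very object a concurrent setlocale is rewriting.

```c
/* Added example for bug 30443: per-thread locale handling that never touches
   the process-global locale after threads exist. Not code from glibc, json-c
   or the bug reporter; function names are this example's own. */
#define _GNU_SOURCE          /* locale_t, newlocale, uselocale, strtod_l */
#include <locale.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One process-wide "C" locale object, created once. newlocale() with a
   (locale_t)0 base builds it from the built-in C locale and does not read
   the global locale, unlike duplocale(LC_GLOBAL_LOCALE), which copies state
   that a concurrent setlocale() may be rewriting. */
static locale_t c_locale;
static pthread_once_t c_locale_once = PTHREAD_ONCE_INIT;

static void make_c_locale(void)
{
    c_locale = newlocale(LC_ALL_MASK, "C", (locale_t)0);
    if (c_locale == (locale_t)0) {
        perror("newlocale");
        abort();
    }
}

/* Parse a JSON-style number independent of the caller's locale. Only the
   calling thread's locale is switched (uselocale) and it is restored before
   returning, so the caller's LC_GLOBAL_LOCALE or private locale is kept. */
double parse_number_locale_independent(const char *text, char **endptr)
{
    pthread_once(&c_locale_once, make_c_locale);
    locale_t prev = uselocale(c_locale);
    double v = strtod(text, endptr);
    uselocale(prev);
    return v;
}

/* Same result without switching the thread locale at all: strtod_l takes
   the locale object explicitly (GNU extension, also present on the BSDs). */
double parse_number_strtod_l(const char *text, char **endptr)
{
    pthread_once(&c_locale_once, make_c_locale);
    return strtod_l(text, endptr, c_locale);
}

/* 1 if the calling thread still uses the global locale, 0 if a private one
   is installed. uselocale((locale_t)0) only queries, it changes nothing. */
int thread_uses_global_locale(void)
{
    return uselocale((locale_t)0) == LC_GLOBAL_LOCALE;
}

/* Worker: parse a constructed input repeatedly and count any mismatch. */
struct worker_arg { int iterations; int failures; };

static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < a->iterations; i++) {
        char *end = NULL;
        double v = parse_number_locale_independent("2.5e1 rest", &end);
        if (v != 25.0 || strcmp(end, " rest") != 0 || !thread_uses_global_locale())
            a->failures++;
    }
    return NULL;
}

/* Run n threads (1..64) parsing concurrently; returns the total number of
   failures, -1 on setup error. Concurrent parsers are safe here because
   nothing calls setlocale() while they run. */
int run_parallel_parsers(int n, int iterations)
{
    pthread_t tids[64];
    struct worker_arg args[64];
    if (n < 1 || n > 64)
        return -1;
    for (int i = 0; i < n; i++) {
        args[i].iterations = iterations;
        args[i].failures = 0;
        if (pthread_create(&tids[i], NULL, worker, &args[i]) != 0)
            return -1;
    }
    int total = 0;
    for (int i = 0; i < n; i++) {
        pthread_join(tids[i], NULL);
        total += args[i].failures;
    }
    return total;
}

int main(void)
{
    /* The global locale is set exactly once, before any thread exists: that
       is the only point at which setlocale() is safe in a threaded program. */
    setlocale(LC_ALL, "");
    printf("failures: %d\n", run_parallel_parsers(8, 10000));
    return 0;
}
```

This protects only the threads that go through uselocale or strtod_l; a thread that still uses LC_GLOBAL_LOCALE (every thread by default) races with any setlocale call made elsewhere in the process, so a library that calls setlocale after threads have been created still has to be initialized first or serialized.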
* [Bug locale/30443] heap overflow in duplocale
2023-05-12 18:27 [Bug locale/30443] New: heap overflow in duplocale fasdfasdas at gmail dot com
2023-05-12 18:27 ` [Bug locale/30443] " fasdfasdas at gmail dot com
2023-05-12 18:50 ` fweimer at redhat dot com
@ 2023-05-13 9:21 ` fasdfasdas at gmail dot com
2023-05-13 9:22 ` fasdfasdas at gmail dot com
3 siblings, 0 replies; 5+ messages in thread
From: fasdfasdas at gmail dot com @ 2023-05-13 9:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30443
--- Comment #2 from Tolga HOŞGÖR <fasdfasdas at gmail dot com> ---
(In reply to Florian Weimer from comment #1)
> Is the program multi-threaded? The valgrind output suggests it is.
Yes it is.
>
> Please check if there is a concurrent call to setlocale from another thread.
> In glibc, setlocale is not thread-safe, so all kinds of bad things can
> happen if it is used in a multi-threaded program. This is technically not a
> bug because setlocale is not required to be thread-safe.
Very good guess. Apparently, libnetsnmp's `init_snmp` calls `setlocale` from
another thread.
I've written a small set of hooks to get around this. Posting it here in case
it helps others. I'm not 100% sure whether giving exclusive access to setlocale
is enough but at least it seems to work for me so far.
```
#define _GNU_SOURCE   /* RTLD_NEXT, locale_t and the *locale() prototypes */
#include <dlfcn.h>
#include <locale.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

static pthread_once_t locale_hooks_init_once_flag = PTHREAD_ONCE_INIT;
/* setlocale takes the write side; duplocale/uselocale/freelocale take the
   read side, so setlocale cannot run while another thread copies a locale. */
static pthread_rwlock_t locale_hooks_rwlock = PTHREAD_RWLOCK_INITIALIZER;

typedef char* (*setlocale_type)(int, const char*);
typedef locale_t (*duplocale_type)(locale_t);
typedef duplocale_type uselocale_type;
typedef void (*freelocale_type)(locale_t);

static setlocale_type real_setlocale = NULL;
static duplocale_type real_duplocale = NULL;
static uselocale_type real_uselocale = NULL;
static freelocale_type real_freelocale = NULL;

/* Resolve the next definition of each symbol after this one, i.e. glibc's,
   when this file is linked into the program or LD_PRELOADed. */
static void init_overrides(void) {
  real_setlocale = (setlocale_type)dlsym(RTLD_NEXT, "setlocale");
  if (!real_setlocale) {
    fprintf(stderr, "Error in `dlsym`: %s\n", dlerror());
    exit(EXIT_FAILURE);
  }
  real_duplocale = (duplocale_type)dlsym(RTLD_NEXT, "duplocale");
  if (!real_duplocale) {
    fprintf(stderr, "Error in `dlsym`: %s\n", dlerror());
    exit(EXIT_FAILURE);
  }
  real_uselocale = (uselocale_type)dlsym(RTLD_NEXT, "uselocale");
  if (!real_uselocale) {
    fprintf(stderr, "Error in `dlsym`: %s\n", dlerror());
    exit(EXIT_FAILURE);
  }
  real_freelocale = (freelocale_type)dlsym(RTLD_NEXT, "freelocale");
  if (!real_freelocale) {
    fprintf(stderr, "Error in `dlsym`: %s\n", dlerror());
    exit(EXIT_FAILURE);
  }
}

#ifdef __cplusplus
extern "C" {   /* the hooks must keep their C names to interpose libc's */
#endif

/* Exclusive: the only writer of the global locale. */
char* setlocale(int category, const char* locale) {
  char* ret;
  pthread_once(&locale_hooks_init_once_flag, init_overrides);
  pthread_rwlock_wrlock(&locale_hooks_rwlock);
  ret = real_setlocale(category, locale);
  pthread_rwlock_unlock(&locale_hooks_rwlock);
  return ret;
}

/* Shared: readers of locale state may run concurrently with each other. */
locale_t duplocale(locale_t locale) {
  locale_t ret;
  pthread_once(&locale_hooks_init_once_flag, init_overrides);
  pthread_rwlock_rdlock(&locale_hooks_rwlock);
  ret = real_duplocale(locale);
  pthread_rwlock_unlock(&locale_hooks_rwlock);
  return ret;
}

locale_t uselocale(locale_t locale) {
  locale_t ret;
  pthread_once(&locale_hooks_init_once_flag, init_overrides);
  pthread_rwlock_rdlock(&locale_hooks_rwlock);
  ret = real_uselocale(locale);
  pthread_rwlock_unlock(&locale_hooks_rwlock);
  return ret;
}

void freelocale(locale_t locale) {
  pthread_once(&locale_hooks_init_once_flag, init_overrides);
  pthread_rwlock_rdlock(&locale_hooks_rwlock);
  real_freelocale(locale);
  pthread_rwlock_unlock(&locale_hooks_rwlock);
}

#ifdef __cplusplus
}
#endif
```
* [Bug locale/30443] heap overflow in duplocale
2023-05-12 18:27 [Bug locale/30443] New: heap overflow in duplocale fasdfasdas at gmail dot com
` (2 preceding siblings ...)
2023-05-13 9:21 ` fasdfasdas at gmail dot com
@ 2023-05-13 9:22 ` fasdfasdas at gmail dot com
3 siblings, 0 replies; 5+ messages in thread
From: fasdfasdas at gmail dot com @ 2023-05-13 9:22 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30443
Tolga HOŞGÖR <fasdfasdas at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |DUPLICATE
--- Comment #3 from Tolga HOŞGÖR <fasdfasdas at gmail dot com> ---
Closing as duplicate since there's already a request to make
setlocale/uselocale thread-safe.
*** This bug has been marked as a duplicate of bug 23970 ***