public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64
@ 2023-07-14 2:40 372091606 at qq dot com
2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: 372091606 at qq dot com @ 2023-07-14 2:40 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30635
Bug ID: 30635
Summary: stack-overflow
/build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:5
46:9 in glob64
Product: glibc
Version: 2.31
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: glob
Assignee: unassigned at sourceware dot org
Reporter: 372091606 at qq dot com
Target Milestone: ---
Created attachment 14963
--> https://sourceware.org/bugzilla/attachment.cgi?id=14963&action=edit
The poc and ASAN report of glob stack-buffer-overflow
When I was fuzzing the logrotate program, I discovered a glob stack overflow
vulnerability, details of which can be seen in the 0x02 section of the link
below:
https://github.com/logrotate/logrotate/issues/533
Poc 0x02 seems to be an issue in the glob(3) implementation of glibc, since the
man page does not mention any limitations on the supported input or offers a
flag for secure operations on user controlled input.
Reproduction steps are as follows:
```
$ git clone https://github.com/logrotate/logrotate
$ cd logrotate
$ CC=clang CXX=clang++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer"
CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure
$ make
$ ./logrotate -d ./poc2_stack_overflow
```
```
$ ls -al /lib/x86_64-linux-gnu/libc.so.6
lrwxrwxrwx 1 root root /lib/x86_64-linux-gnu/libc.so.6 -> libc-2.31.so
```
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64
2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com
@ 2023-07-14 2:42 ` 372091606 at qq dot com
2023-09-06 5:27 ` 372091606 at qq dot com
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: 372091606 at qq dot com @ 2023-07-14 2:42 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30635
blu3sh0rk <372091606 at qq dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |glibc_2.31
CC| |372091606 at qq dot com
URL| |https://github.com/logrotat
| |e/logrotate/issues/533
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64
2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com
2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com
@ 2023-09-06 5:27 ` 372091606 at qq dot com
2023-09-08 1:50 ` 372091606 at qq dot com
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: 372091606 at qq dot com @ 2023-09-06 5:27 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30635
--- Comment #1 from blu3sh0rk <372091606 at qq dot com> ---
Created attachment 15099
--> https://sourceware.org/bugzilla/attachment.cgi?id=15099&action=edit
fuzz harness for glob() and poc
```
$ glob.c -g -fsanitize=address -o fuzz_glob
$ ./fuzz_glob poc
```
SUMMARY: AddressSanitizer: stack-overflow
/build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:289:1 in glob64
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64
2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com
2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com
2023-09-06 5:27 ` 372091606 at qq dot com
@ 2023-09-08 1:50 ` 372091606 at qq dot com
2023-09-08 1:53 ` 372091606 at qq dot com
2023-09-08 2:04 ` 372091606 at qq dot com
4 siblings, 0 replies; 6+ messages in thread
From: 372091606 at qq dot com @ 2023-09-08 1:50 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30635
--- Comment #2 from blu3sh0rk <372091606 at qq dot com> ---
fuzz harness for glob() and poc
```
$ gcc -g -fsanitize=address -o fuzz_glob
$ ./fuzz_glob poc
```
SUMMARY: AddressSanitizer: stack-overflow
/build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:289:1 in glob64
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64
2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com
` (2 preceding siblings ...)
2023-09-08 1:50 ` 372091606 at qq dot com
@ 2023-09-08 1:53 ` 372091606 at qq dot com
2023-09-08 2:04 ` 372091606 at qq dot com
4 siblings, 0 replies; 6+ messages in thread
From: 372091606 at qq dot com @ 2023-09-08 1:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30635
--- Comment #3 from blu3sh0rk <372091606 at qq dot com> ---
fuzz harness for glob() and poc
```
$ gcc gloib.c -g -fsanitize=address -o fuzz_glob
$ ./fuzz_glob poc
```
SUMMARY: AddressSanitizer: stack-overflow
/build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:289:1 in glob64
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64
2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com
` (3 preceding siblings ...)
2023-09-08 1:53 ` 372091606 at qq dot com
@ 2023-09-08 2:04 ` 372091606 at qq dot com
4 siblings, 0 replies; 6+ messages in thread
From: 372091606 at qq dot com @ 2023-09-08 2:04 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30635
--- Comment #4 from blu3sh0rk <372091606 at qq dot com> ---
Sorry for continuously outputting incorrect commands. The correct one should
be:
```
gcc glob.c -g -fsanitize=address -o fuzz_glob
```
Moreover, this vulnerability also exists in version 2.35.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-09-08 2:04 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com
2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com
2023-09-06 5:27 ` 372091606 at qq dot com
2023-09-08 1:50 ` 372091606 at qq dot com
2023-09-08 1:53 ` 372091606 at qq dot com
2023-09-08 2:04 ` 372091606 at qq dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).