public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 @ 2023-07-14 2:40 372091606 at qq dot com 2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com ` (4 more replies) 0 siblings, 5 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-07-14 2:40 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 Bug ID: 30635 Summary: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:5 46:9 in glob64 Product: glibc Version: 2.31 Status: UNCONFIRMED Severity: critical Priority: P2 Component: glob Assignee: unassigned at sourceware dot org Reporter: 372091606 at qq dot com Target Milestone: --- Created attachment 14963 --> https://sourceware.org/bugzilla/attachment.cgi?id=14963&action=edit The poc and ASAN report of glob stack-buffer-overflow When I was fuzzing the logrotate program, I discovered a glob stack overflow vulnerability, details of which can be seen in the 0x02 section of the link below: https://github.com/logrotate/logrotate/issues/533 Poc 0x02 seems to be an issue in the glob(3) implementation of glibc, since the man page does not mention any limitations on the supported input or offers a flag for secure operations on user controlled input. Reproduction steps are as follows: ``` $ git clone https://github.com/logrotate/logrotate $ cd logrotate $ CC=clang CXX=clang++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure $ make $ ./logrotate -d ./poc2_stack_overflow ``` ``` $ ls -al /lib/x86_64-linux-gnu/libc.so.6 lrwxrwxrwx 1 root root /lib/x86_64-linux-gnu/libc.so.6 -> libc-2.31.so ``` -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com @ 2023-07-14 2:42 ` 372091606 at qq dot com 2023-09-06 5:27 ` 372091606 at qq dot com ` (3 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-07-14 2:42 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 blu3sh0rk <372091606 at qq dot com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |glibc_2.31 CC| |372091606 at qq dot com URL| |https://github.com/logrotat | |e/logrotate/issues/533 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com 2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com @ 2023-09-06 5:27 ` 372091606 at qq dot com 2023-09-08 1:50 ` 372091606 at qq dot com ` (2 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-09-06 5:27 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 --- Comment #1 from blu3sh0rk <372091606 at qq dot com> --- Created attachment 15099 --> https://sourceware.org/bugzilla/attachment.cgi?id=15099&action=edit fuzz harness for glob() and poc ``` $ glob.c -g -fsanitize=address -o fuzz_glob $ ./fuzz_glob poc ``` SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:289:1 in glob64 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com 2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com 2023-09-06 5:27 ` 372091606 at qq dot com @ 2023-09-08 1:50 ` 372091606 at qq dot com 2023-09-08 1:53 ` 372091606 at qq dot com 2023-09-08 2:04 ` 372091606 at qq dot com 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-09-08 1:50 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 --- Comment #2 from blu3sh0rk <372091606 at qq dot com> --- fuzz harness for glob() and poc ``` $ gcc -g -fsanitize=address -o fuzz_glob $ ./fuzz_glob poc ``` SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:289:1 in glob64 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com ` (2 preceding siblings ...) 2023-09-08 1:50 ` 372091606 at qq dot com @ 2023-09-08 1:53 ` 372091606 at qq dot com 2023-09-08 2:04 ` 372091606 at qq dot com 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-09-08 1:53 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 --- Comment #3 from blu3sh0rk <372091606 at qq dot com> --- fuzz harness for glob() and poc ``` $ gcc gloib.c -g -fsanitize=address -o fuzz_glob $ ./fuzz_glob poc ``` SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:289:1 in glob64 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com ` (3 preceding siblings ...) 2023-09-08 1:53 ` 372091606 at qq dot com @ 2023-09-08 2:04 ` 372091606 at qq dot com 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-09-08 2:04 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 --- Comment #4 from blu3sh0rk <372091606 at qq dot com> --- Sorry for continuously outputting incorrect commands. The correct one should be: ``` gcc glob.c -g -fsanitize=address -o fuzz_glob ``` Moreover, this vulnerability also exists in version 2.35. -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-09-08 2:04 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com 2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com 2023-09-06 5:27 ` 372091606 at qq dot com 2023-09-08 1:50 ` 372091606 at qq dot com 2023-09-08 1:53 ` 372091606 at qq dot com 2023-09-08 2:04 ` 372091606 at qq dot com
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).