public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64
@ 2023-07-14 2:40 372091606 at qq dot com
2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: 372091606 at qq dot com @ 2023-07-14 2:40 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30635
Bug ID: 30635
Summary: stack-overflow
/build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:5
46:9 in glob64
Product: glibc
Version: 2.31
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: glob
Assignee: unassigned at sourceware dot org
Reporter: 372091606 at qq dot com
Target Milestone: ---
Created attachment 14963
--> https://sourceware.org/bugzilla/attachment.cgi?id=14963&action=edit
The poc and ASAN report of glob stack-buffer-overflow
When I was fuzzing the logrotate program, I discovered a glob stack overflow
vulnerability, details of which can be seen in the 0x02 section of the link
below:
https://github.com/logrotate/logrotate/issues/533
Poc 0x02 seems to be an issue in the glob(3) implementation of glibc, since the
man page does not mention any limitations on the supported input or offers a
flag for secure operations on user controlled input.
Reproduction steps are as follows:
```
$ git clone https://github.com/logrotate/logrotate
$ cd logrotate
$ CC=clang CXX=clang++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer"
CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure
$ make
$ ./logrotate -d ./poc2_stack_overflow
```
```
$ ls -al /lib/x86_64-linux-gnu/libc.so.6
lrwxrwxrwx 1 root root /lib/x86_64-linux-gnu/libc.so.6 -> libc-2.31.so
```
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com @ 2023-07-14 2:42 ` 372091606 at qq dot com 2023-09-06 5:27 ` 372091606 at qq dot com ` (3 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-07-14 2:42 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 blu3sh0rk <372091606 at qq dot com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |glibc_2.31 CC| |372091606 at qq dot com URL| |https://github.com/logrotat | |e/logrotate/issues/533 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com 2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com @ 2023-09-06 5:27 ` 372091606 at qq dot com 2023-09-08 1:50 ` 372091606 at qq dot com ` (2 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-09-06 5:27 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 --- Comment #1 from blu3sh0rk <372091606 at qq dot com> --- Created attachment 15099 --> https://sourceware.org/bugzilla/attachment.cgi?id=15099&action=edit fuzz harness for glob() and poc ``` $ glob.c -g -fsanitize=address -o fuzz_glob $ ./fuzz_glob poc ``` SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:289:1 in glob64 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com 2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com 2023-09-06 5:27 ` 372091606 at qq dot com @ 2023-09-08 1:50 ` 372091606 at qq dot com 2023-09-08 1:53 ` 372091606 at qq dot com 2023-09-08 2:04 ` 372091606 at qq dot com 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-09-08 1:50 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 --- Comment #2 from blu3sh0rk <372091606 at qq dot com> --- fuzz harness for glob() and poc ``` $ gcc -g -fsanitize=address -o fuzz_glob $ ./fuzz_glob poc ``` SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:289:1 in glob64 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com ` (2 preceding siblings ...) 2023-09-08 1:50 ` 372091606 at qq dot com @ 2023-09-08 1:53 ` 372091606 at qq dot com 2023-09-08 2:04 ` 372091606 at qq dot com 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-09-08 1:53 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 --- Comment #3 from blu3sh0rk <372091606 at qq dot com> --- fuzz harness for glob() and poc ``` $ gcc gloib.c -g -fsanitize=address -o fuzz_glob $ ./fuzz_glob poc ``` SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:289:1 in glob64 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug glob/30635] stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com ` (3 preceding siblings ...) 2023-09-08 1:53 ` 372091606 at qq dot com @ 2023-09-08 2:04 ` 372091606 at qq dot com 4 siblings, 0 replies; 6+ messages in thread From: 372091606 at qq dot com @ 2023-09-08 2:04 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30635 --- Comment #4 from blu3sh0rk <372091606 at qq dot com> --- Sorry for continuously outputting incorrect commands. The correct one should be: ``` gcc glob.c -g -fsanitize=address -o fuzz_glob ``` Moreover, this vulnerability also exists in version 2.35. -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-09-08 2:04 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-07-14 2:40 [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 372091606 at qq dot com 2023-07-14 2:42 ` [Bug glob/30635] " 372091606 at qq dot com 2023-09-06 5:27 ` 372091606 at qq dot com 2023-09-08 1:50 ` 372091606 at qq dot com 2023-09-08 1:53 ` 372091606 at qq dot com 2023-09-08 2:04 ` 372091606 at qq dot com
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).