From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 32C043858017; Fri, 14 Jul 2023 02:40:03 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 32C043858017 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1689302403; bh=eLRD26ffgW6KxOtV/c6U891zRTwcPnhjaiCksA2DDP0=; h=From:To:Subject:Date:From; b=finxPEIofNoUYn/O3SyCKyQKPeJ9YmEkSYckIGK/fkaXQqEIlmRXn0CfxsthXqoIw 57runZIx4pCF9TWos7cA8hdf/qCdT3WUKrzjUMQJ0WtgOfCjAUc3NJn5zYo5gGzDlx 1ct9H2dr8uAgdFyX5gkaDkBI6XbK/6kdxq6CiHuo= From: "372091606 at qq dot com" To: glibc-bugs@sourceware.org Subject: [Bug glob/30635] New: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:546:9 in glob64 Date: Fri, 14 Jul 2023 02:40:02 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: glob X-Bugzilla-Version: 2.31 X-Bugzilla-Keywords: X-Bugzilla-Severity: critical X-Bugzilla-Who: 372091606 at qq dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://sourceware.org/bugzilla/show_bug.cgi?id=3D30635 Bug ID: 30635 Summary: stack-overflow /build/glibc-SzIz7B/glibc-2.31/posix/../posix/glob.c:5 46:9 in glob64 Product: glibc Version: 2.31 Status: UNCONFIRMED Severity: critical Priority: P2 Component: glob Assignee: unassigned at sourceware dot org Reporter: 372091606 at qq dot com Target Milestone: --- Created attachment 14963 --> https://sourceware.org/bugzilla/attachment.cgi?id=3D14963&action=3Ded= it The poc and ASAN report of glob stack-buffer-overflow When I was fuzzing the logrotate program, I discovered a glob stack overflow vulnerability, details of which can be seen in the 0x02 section of the link below: https://github.com/logrotate/logrotate/issues/533 Poc 0x02 seems to be an issue in the glob(3) implementation of glibc, since= the man page does not mention any limitations on the supported input or offers a flag for secure operations on user controlled input.=20 Reproduction steps are as follows: ``` $ git clone https://github.com/logrotate/logrotate $ cd logrotate $ CC=3Dclang CXX=3Dclang++ CFLAGS=3D"-g -fsanitize=3Daddress -fno-omit-fram= e-pointer" CXXFLAGS=3D"-g -fsanitize=3Daddress -fno-omit-frame-pointer" ./configure $ make $ ./logrotate -d ./poc2_stack_overflow=20 ``` ``` $ ls -al /lib/x86_64-linux-gnu/libc.so.6=20=20=20=20=20=20=20=20=20=20=20= =20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20= =20=20=20=20 lrwxrwxrwx 1 root root /lib/x86_64-linux-gnu/libc.so.6 -> libc-2.31.so ``` --=20 You are receiving this mail because: You are on the CC list for the bug.=