* [Bug dynamic-link/31686] New: Stack-based buffer overflow in parse_tunables_string
From: adhemerval.zanella at linaro dot org @ 2024-04-30 15:48 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31686

            Bug ID: 31686
           Summary: Stack-based buffer overflow in parse_tunables_string
           Product: glibc
           Version: 2.39
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: adhemerval.zanella at linaro dot org
  Target Milestone: ---

If a tunable is duplicated more times than the number of tunable options
supported, parse_tunables_string will overflow the internal 'tunables':


* elf/dl-tunables.c

245 static void
246 parse_tunables (const char *valstring)
247 {
248   struct tunable_toset_t tunables[tunables_list_size];
249   int ntunables = parse_tunables_string (valstring, tunables);


173 static int
174 parse_tunables_string (const char *valstring, struct tunable_toset_t
*tunables)

181   int ntunables = 0;
182
183   while (!done)
184     {

217       /* Add the tunable if it exists.  */
218       for (size_t i = 0; i < tunables_list_size; i++)
219         {
220           tunable_t *cur = &tunable_list[i];
221
222           if (tunable_is_name (cur->name, name))
223             {
224               tunables[ntunables++] =
225                 (struct tunable_toset_t) { cur, value, p - value };

Reported-by: Yuto Maeda <maeda@cyberdefense.jp>

-- 
You are receiving this mail because:
You are on the CC list for the bug.

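The following is an added illustration of the pattern the excerpt above points at, not code from glibc and not the fix that shipped in 2.40. In the excerpt, parse_tunables_string pushes one entry into the caller's tunables[] (sized tunables_list_size) for every name that matches, with nothing tying the push count to the table size, so a name repeated more than tunables_list_size times writes past the array. The toy parser below gives each known tunable at most one slot (a repeat overwrites its own slot) and additionally checks the bound, while slots_if_appending only counts what an append-only parser would have written, so no out-of-bounds access is ever performed. The two-entry tunable_list, the TUNABLES_LIST_SIZE macro, the function names and the sample strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of glibc's tunables table (not glibc code). */
struct tunable { const char *name; };
static const struct tunable tunable_list[] = {
  { "glibc.malloc.arena_max" },
  { "glibc.rtld.nns" },
};
#define TUNABLES_LIST_SIZE (sizeof tunable_list / sizeof tunable_list[0])

/* One parsed "name=value" entry, shaped like glibc's tunable_toset_t. */
struct tunable_toset {
  const struct tunable *t;
  const char *value;
  size_t len;
};

/* Index of the tunable called name[0..namelen), or -1 if unknown. */
static int find_tunable(const char *name, size_t namelen)
{
  for (size_t i = 0; i < TUNABLES_LIST_SIZE; i++)
    if (strlen(tunable_list[i].name) == namelen
        && memcmp(tunable_list[i].name, name, namelen) == 0)
      return (int) i;
  return -1;
}

/* Split the next colon-separated "name=value" entry off *pp.
   Returns 1 with fields filled, 0 at end of string, -1 if no '='. */
static int next_entry(const char **pp, const char **name, size_t *namelen,
                      const char **value, size_t *vlen)
{
  const char *p = *pp;
  if (*p == '\0')
    return 0;
  const char *end = strchr(p, ':');
  size_t elen = end ? (size_t) (end - p) : strlen(p);
  const char *eq = memchr(p, '=', elen);
  if (eq == NULL)
    return -1;
  *name = p;
  *namelen = (size_t) (eq - p);
  *value = eq + 1;
  *vlen = elen - *namelen - 1;
  *pp = end ? end + 1 : p + elen;
  return 1;
}

/* Bounded parser: each known tunable owns at most one slot in out[], so a
   repeated name overwrites its own slot instead of consuming a new one and
   ntunables can never exceed the number of distinct tunables.  The cap
   check is defence in depth.  Returns slots used, or -1 on bad input. */
static int parse_tunables_string_safe(const char *valstring,
                                      struct tunable_toset *out, size_t cap)
{
  int ntunables = 0, r;
  const char *p = valstring, *name, *value;
  size_t namelen, vlen;
  while ((r = next_entry(&p, &name, &namelen, &value, &vlen)) == 1)
    {
      int idx = find_tunable(name, namelen);
      if (idx < 0)
        continue;                      /* unknown names are skipped */
      int slot = -1;
      for (int i = 0; i < ntunables; i++)
        if (out[i].t == &tunable_list[idx])
          slot = i;                    /* already seen: reuse its slot */
      if (slot < 0)
        {
          if ((size_t) ntunables >= cap)
            return -1;                 /* never write past out[] */
          slot = ntunables++;
        }
      out[slot] = (struct tunable_toset) { &tunable_list[idx], value, vlen };
    }
  return r < 0 ? -1 : ntunables;
}

/* Slots an append-only parser (one push per matched name, no bound check,
   as in the excerpt) would need.  It only counts, so it is safe to call. */
static int slots_if_appending(const char *valstring)
{
  int n = 0, r;
  const char *p = valstring, *name, *value;
  size_t namelen, vlen;
  while ((r = next_entry(&p, &name, &namelen, &value, &vlen)) == 1)
    if (find_tunable(name, namelen) >= 0)
      n++;
  return r < 0 ? -1 : n;
}

/* Parse into a stack array sized exactly like glibc's; report slots used. */
static int count_tunables(const char *valstring)
{
  struct tunable_toset tunables[TUNABLES_LIST_SIZE];
  return parse_tunables_string_safe(valstring, tunables, TUNABLES_LIST_SIZE);
}

/* 1 if, after parsing, tunable `name` ends up with value `expected`. */
static int effective_value_is(const char *valstring, const char *name,
                              const char *expected)
{
  struct tunable_toset tunables[TUNABLES_LIST_SIZE];
  int n = parse_tunables_string_safe(valstring, tunables, TUNABLES_LIST_SIZE);
  for (int i = 0; i < n; i++)
    if (strcmp(tunables[i].t->name, name) == 0)
      return tunables[i].len == strlen(expected)
             && memcmp(tunables[i].value, expected, tunables[i].len) == 0;
  return 0;
}

int main(void)
{
  /* Constructed input: one name repeated three times, two-entry table. */
  const char *s = "glibc.malloc.arena_max=1:glibc.malloc.arena_max=2:"
                  "glibc.malloc.arena_max=3";
  printf("table size %zu, append-only needs %d slots, bounded parser uses %d\n",
         TUNABLES_LIST_SIZE, slots_if_appending(s), count_tunables(s));
  return 0;
}
```

With the constructed input, slots_if_appending reports 3 against a table of 2, which is exactly the condition the report describes, while the bounded parser uses 1 slot and keeps the last value. Giving each tunable one slot is the approach assumed here for illustration; the 2.40 change referenced later in the thread is the authoritative fix.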

* [Bug dynamic-link/31686] Stack-based buffer overflow in parse_tunables_string
From: fweimer at redhat dot com @ 2024-05-01 11:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31686

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Is this a security vulnerability? Not anymore, I presume, because we assume
GLIBC_TUNABLES is trusted, and no trust boundary is crossed?


* [Bug dynamic-link/31686] Stack-based buffer overflow in parse_tunables_string
From: adhemerval.zanella at linaro dot org @ 2024-05-01 14:07 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31686

--- Comment #2 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
(In reply to Florian Weimer from comment #1)
> Is this a security vulnerability? Not anymore, I presume, because we assume
> GLIBC_TUNABLES is trusted, and no trust boundary is crossed?

Siddhesh and I discussed this with the reporter and we decided that since this
is a local-only bug without a possibility of a real privilege escalation
(GLIBC_TUNABLES parsing is skipped for secure processes), we did not allocate a
CVE for this one.

The reporter provided a POC that relies on some weak hardening guarantee
(executable stacks) to bypass a restricted shell, but I am not sure if this is
a viable security issue.


* [Bug dynamic-link/31686] Stack-based buffer overflow in parse_tunables_string
From: siddhesh at sourceware dot org @ 2024-05-01 16:57 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31686

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at sourceware dot org
              Flags|                            |security-

--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Right, sorry I forgot to add the security- flag. Fixed now.


* [Bug dynamic-link/31686] Stack-based buffer overflow in parse_tunables_string
From: adhemerval.zanella at linaro dot org @ 2024-05-07 17:05 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31686

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
   Target Milestone|---                         |2.40

--- Comment #4 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Fixed on 2.40.
