* [Bug dynamic-link/31686] New: Stack-based buffer overflow in parse_tunables_string
From: adhemerval.zanella at linaro dot org @ 2024-04-30 15:48 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31686
Bug ID: 31686
Summary: Stack-based buffer overflow in parse_tunables_string
Product: glibc
Version: 2.39
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: adhemerval.zanella at linaro dot org
Target Milestone: ---
If a tunable is duplicated more times than the number of tunable options
supported, parse_tunables_string will overflow the internal 'tunables':
* elf/dl-tunables.c

245 static void
246 parse_tunables (const char *valstring)
247 {
248   struct tunable_toset_t tunables[tunables_list_size];
249   int ntunables = parse_tunables_string (valstring, tunables);

173 static int
174 parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables)
181   int ntunables = 0;
182
183   while (!done)
184     {
217       /* Add the tunable if it exists.  */
218       for (size_t i = 0; i < tunables_list_size; i++)
219         {
220           tunable_t *cur = &tunable_list[i];
221
222           if (tunable_is_name (cur->name, name))
223             {
224               tunables[ntunables++] =
225                 (struct tunable_toset_t) { cur, value, p - value };
Reported-by: Yuto Maeda <maeda@cyberdefense.jp>
--
You are receiving this mail because:
You are on the CC list for the bug.
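The report above shows the defect in two halves: the caller sizes its stack array to tunables_list_size, and the parser appends one entry per matching name without checking that index. The following is an added, reduced model of that logic written for this thread, not glibc's code or the fix that shipped in 2.40: the tunable list, the tokenizer, and the function names count_unchecked_writes and parse_tunables_bounded are assumptions made for the example. The first function only counts how many array slots the original append pattern would consume for a given string, so it shows the overflow condition without performing an out-of-bounds write; the second indexes the array by tunable position so a repeated name overwrites its own slot and the write can never leave the array.

```c
/* Added example (not glibc's code): a reduced model of the
   parse_tunables_string logic from elf/dl-tunables.c and a bounded
   variant.  The tunable names, the tokenizer and the function names are
   assumptions made for this illustration.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for glibc's tunable_list: three entries, so the
   caller's array has room for exactly three parsed tunables.  */
typedef struct { const char *name; } tunable_t;
static tunable_t tunable_list[] = {
  { "glibc.malloc.check" }, { "glibc.malloc.mmap_threshold" }, { "glibc.rtld.nns" },
};
#define TUNABLES_LIST_SIZE (sizeof tunable_list / sizeof tunable_list[0])

struct tunable_toset_t { tunable_t *t; const char *value; size_t len; };

/* Compare a NUL-terminated tunable name with a name[len] slice.  */
static bool tunable_is_name (const char *name, const char *s, size_t len)
{
  return strlen (name) == len && memcmp (name, s, len) == 0;
}

/* Advance *pp past one ':'-separated "name=value" pair.  A pair without '='
   is reported with an empty name so that it matches nothing.  Returns false
   at the end of the string.  */
static bool next_pair (const char **pp, const char **name, size_t *nlen,
                       const char **value, size_t *vlen)
{
  const char *p = *pp;
  if (*p == '\0')
    return false;
  const char *end = strchr (p, ':');
  size_t plen = end ? (size_t) (end - p) : strlen (p);
  const char *eq = memchr (p, '=', plen);
  *name = p;
  *nlen = eq ? (size_t) (eq - p) : 0;
  *value = eq ? eq + 1 : p + plen;
  *vlen = (size_t) ((p + plen) - *value);
  *pp = end ? end + 1 : p + plen;
  return true;
}

/* Dry run of the original append logic: count how many slots of the
   caller's tunables[tunables_list_size] array the unchecked
   tunables[ntunables++] store would consume.  Every occurrence of a known
   name takes a slot, so a name repeated more than TUNABLES_LIST_SIZE times
   needs more slots than the array has.  Nothing is written here; the
   result is what the original code would have reached as ntunables.  */
static size_t count_unchecked_writes (const char *valstring)
{
  size_t ntunables = 0;
  const char *p = valstring, *name, *value;
  size_t nlen, vlen;
  while (next_pair (&p, &name, &nlen, &value, &vlen))
    for (size_t i = 0; i < TUNABLES_LIST_SIZE; i++)
      if (tunable_is_name (tunable_list[i].name, name, nlen))
        ntunables++;   /* original: tunables[ntunables++] = ...; no bound check */
  return ntunables;
}

/* Bounded variant: index the array by tunable position instead of by
   occurrence count, so a repeated name overwrites its own slot (last value
   wins) and no index can exceed TUNABLES_LIST_SIZE - 1.  Returns the
   number of distinct tunables that were set.  */
static size_t parse_tunables_bounded (const char *valstring,
                                      struct tunable_toset_t tunables[TUNABLES_LIST_SIZE])
{
  memset (tunables, 0, TUNABLES_LIST_SIZE * sizeof tunables[0]);
  const char *p = valstring, *name, *value;
  size_t nlen, vlen;
  while (next_pair (&p, &name, &nlen, &value, &vlen))
    for (size_t i = 0; i < TUNABLES_LIST_SIZE; i++)
      if (tunable_is_name (tunable_list[i].name, name, nlen))
        {
          tunables[i] = (struct tunable_toset_t) { &tunable_list[i], value, vlen };
          break;
        }
  size_t nset = 0;
  for (size_t i = 0; i < TUNABLES_LIST_SIZE; i++)
    if (tunables[i].t != NULL)
      nset++;
  return nset;
}

int main (void)
{
  /* Constructed input: one known name repeated four times, one more than
     the three slots the caller's array provides.  */
  const char *dup = "glibc.malloc.check=1:glibc.malloc.check=2:"
                    "glibc.malloc.check=3:glibc.malloc.check=4";
  struct tunable_toset_t tunables[TUNABLES_LIST_SIZE];
  printf ("unchecked append would use %zu of %zu slots\n",
          count_unchecked_writes (dup), (size_t) TUNABLES_LIST_SIZE);
  size_t nset = parse_tunables_bounded (dup, tunables);
  printf ("bounded parse set %zu tunable(s); slot 0 value = %.*s\n",
          nset, (int) tunables[0].len, tunables[0].value);
  return 0;
}
```

The dry-run count is the detection check a maintainer would want: any environment string for which it exceeds the array size would have driven the original code past the end of the caller's stack frame. The bounded variant changes the observable semantics from "append every occurrence" to "last occurrence wins", which is the behaviour a tunable setting should have anyway.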
* [Bug dynamic-link/31686] Stack-based buffer overflow in parse_tunables_string
From: fweimer at redhat dot com @ 2024-05-01 11:22 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31686
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Is this a security vulnerability? Not anymore, I presume, because we assume
GLIBC_TUNABLES is trusted, and no trust boundary is crossed?
* [Bug dynamic-link/31686] Stack-based buffer overflow in parse_tunables_string
From: adhemerval.zanella at linaro dot org @ 2024-05-01 14:07 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31686
--- Comment #2 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
(In reply to Florian Weimer from comment #1)
> Is this a security vulnerability? Not anymore, I presume, because we assume
> GLIBC_TUNABLES is trusted, and no trust boundary is crossed?
Siddhesh and I discussed this with the reporter and we decided that since this
is a local-only bug without a possibility of a real privilege escalation
(GLIBC_TUNABLES parsing is skipped for secure processes), we did not allocate a
CVE for this one.
The reporter provided a POC that relies on some weak hardening guarantee
(executable stacks) to bypass a restricted shell, but I am not sure if this is
a viable security issue.
* [Bug dynamic-link/31686] Stack-based buffer overflow in parse_tunables_string
From: siddhesh at sourceware dot org @ 2024-05-01 16:57 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31686
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |siddhesh at sourceware dot org
Flags| |security-
--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Right, sorry I forgot to add the security- flag. Fixed now.
* [Bug dynamic-link/31686] Stack-based buffer overflow in parse_tunables_string
From: adhemerval.zanella at linaro dot org @ 2024-05-07 17:05 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31686
Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
Target Milestone|--- |2.40
--- Comment #4 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Fixed on 2.40.