[Bug libgcj/24170] New: [SECURITY] readdir

public inbox for java-prs@sourceware.org
help / color / mirror / Atom feed

* [Bug libgcj/24170]  New: [SECURITY] readdir_r considered harmful
@ 2005-10-02 23:12 ben at decadentplace dot org dot uk
  2005-10-02 23:16 ` [Bug libgcj/24170] " ben at decadentplace dot org dot uk
                   ` (10 more replies)
  0 siblings, 11 replies; 12+ messages in thread
From: ben at decadentplace dot org dot uk @ 2005-10-02 23:12 UTC (permalink / raw)
  To: java-prs

The function java::io::File::performList in libjava/java/io/natFilePosix.cc
calls readdir_r using a stack buffer with pathconf(path, _PC_NAME_MAX) + 1
extra bytes. It does not check for failure of pathconf(). Also there is a race
condition between opendir() and pathconf(). This may well be exploitable for
denial of service and code injection, particularly on Solaris and other
platforms where struct dirent is defined with a small d_name array.

I am attaching a draft copy of a security advisory that I intend to publish on
1st November.

Please let me know if you have any unanswered questions about this issue
or wish to provide information about workarounds, mitigation or versions
that are or are not vulnerable for inclusion in the advisory.

-- 
           Summary: [SECURITY] readdir_r considered harmful
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: major
          Priority: P1
         Component: libgcj
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: ben at decadentplace dot org dot uk

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] [SECURITY] readdir_r considered harmful
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
@ 2005-10-02 23:16 ` ben at decadentplace dot org dot uk
  2005-10-02 23:20 ` pinskia at gcc dot gnu dot org
                   ` (9 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: ben at decadentplace dot org dot uk @ 2005-10-02 23:16 UTC (permalink / raw)
  To: java-prs



------- Comment #1 from ben at decadentplace dot org dot uk  2005-10-02 23:16 -------
Can someone please remove this from public view, as Mozilla does for security
bugs  on their Bugzilla?


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] [SECURITY] readdir_r considered harmful
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
  2005-10-02 23:16 ` [Bug libgcj/24170] " ben at decadentplace dot org dot uk
@ 2005-10-02 23:20 ` pinskia at gcc dot gnu dot org
  2005-10-02 23:28 ` [Bug libgcj/24170] natFilePosix.cc seems to have a security problem pinskia at gcc dot gnu dot org
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: pinskia at gcc dot gnu dot org @ 2005-10-02 23:20 UTC (permalink / raw)
  To: java-prs



------- Comment #2 from pinskia at gcc dot gnu dot org  2005-10-02 23:20 -------
(In reply to comment #1)
> Can someone please remove this from public view, as Mozilla does for security
> bugs  on their Bugzilla?

Why, this is a normal bug unless you can prove otherwise?
There are no known exploits and it is much harder from java anyways.

And we like to keep everything public.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] natFilePosix.cc seems to have a security problem
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
  2005-10-02 23:16 ` [Bug libgcj/24170] " ben at decadentplace dot org dot uk
  2005-10-02 23:20 ` pinskia at gcc dot gnu dot org
@ 2005-10-02 23:28 ` pinskia at gcc dot gnu dot org
  2005-10-02 23:38 ` ben at decadentplace dot org dot uk
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: pinskia at gcc dot gnu dot org @ 2005-10-02 23:28 UTC (permalink / raw)
  To: java-prs



------- Comment #3 from pinskia at gcc dot gnu dot org  2005-10-02 23:28 -------
But from the sound of this, this is a bug in readdir_r and not fully in libgcj.

Yes libgcj should be testing the return value of pathconf but I assume from
reading the man pages of pathconf and readdir_r, there should be no problem.


-- 

pinskia at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[SECURITY] readdir_r        |natFilePosix.cc seems to
                   |considered harmful          |have a security problem


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] natFilePosix.cc seems to have a security problem
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
                   ` (2 preceding siblings ...)
  2005-10-02 23:28 ` [Bug libgcj/24170] natFilePosix.cc seems to have a security problem pinskia at gcc dot gnu dot org
@ 2005-10-02 23:38 ` ben at decadentplace dot org dot uk
  2005-10-03  1:01 ` dberlin at dberlin dot org
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: ben at decadentplace dot org dot uk @ 2005-10-02 23:38 UTC (permalink / raw)
  To: java-prs



------- Comment #4 from ben at decadentplace dot org dot uk  2005-10-02 23:38 -------
Andrew, I agree this is a problem with readdir_r, hence my original subject
(and the fact that I'm reporting bugs in a large number of other programs). I'm
not going to publish the advisory until 1st November. If you are interested in
understanding and fixing the bug rather than trying to deny it, you'll help to
provide a non-public channel through which I can send the draft advisory to
appropriate developers. Otherwise this will have to wait until publication.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] natFilePosix.cc seems to have a security problem
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
                   ` (3 preceding siblings ...)
  2005-10-02 23:38 ` ben at decadentplace dot org dot uk
@ 2005-10-03  1:01 ` dberlin at dberlin dot org
  2005-10-03 14:28 ` tromey at gcc dot gnu dot org
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: dberlin at dberlin dot org @ 2005-10-03  1:01 UTC (permalink / raw)
  To: java-prs



------- Comment #5 from dberlin at gcc dot gnu dot org  2005-10-03 01:01 -------
Subject: Re:  [SECURITY] readdir_r considered harmful



On Sun, 2 Oct 2005, ben at decadentplace dot org dot uk wrote:

>
>
> ------- Comment #1 from ben at decadentplace dot org dot uk  2005-10-02 23:16 -------
> Can someone please remove this from public view, as Mozilla does for security
> bugs  on their Bugzilla?

Unlike mozilla, we do not remove security bugs from public view.
Nobody has ever set a policy for gcc that says we should (IE 
taking position on the merits of whether we should have such a policy, we 
don't).


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] natFilePosix.cc seems to have a security problem
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
                   ` (4 preceding siblings ...)
  2005-10-03  1:01 ` dberlin at dberlin dot org
@ 2005-10-03 14:28 ` tromey at gcc dot gnu dot org
  2005-11-10 11:33 ` ben at decadentplace dot org dot uk
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: tromey at gcc dot gnu dot org @ 2005-10-03 14:28 UTC (permalink / raw)
  To: java-prs



------- Comment #6 from tromey at gcc dot gnu dot org  2005-10-03 14:28 -------
Ben, you can send private email about this to the folks listed
as libgcj maintainers in the gcc MAINTAINERS file, namely Bryce
and me.


-- 

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
   Last reconfirmed|0000-00-00 00:00:00         |2005-10-03 14:28:34
               date|                            |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] natFilePosix.cc seems to have a security problem
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
                   ` (5 preceding siblings ...)
  2005-10-03 14:28 ` tromey at gcc dot gnu dot org
@ 2005-11-10 11:33 ` ben at decadentplace dot org dot uk
  2008-02-20 18:27 ` [Bug libgcj/24170] libjava " jason at gcc dot gnu dot org
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: ben at decadentplace dot org dot uk @ 2005-11-10 11:33 UTC (permalink / raw)
  To: java-prs



------- Comment #7 from ben at decadentplace dot org dot uk  2005-11-10 11:33 -------
I have no interest in constructing buffer overflow exploits, but if someone
were to construct shell-code in a filename it should be possible to use it
against a privileged user of libgcj that reads user-specified directories, even
without different types of filesystem being mounted. If the directory is
specified by a path that includes a symbolic link, and the link is removed in
between gcj's opendir and pathconf calls, the pathconf call will fail and the
resulting buffer will be much too small (at least on Solaris and BeOS).


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] libjava natFilePosix.cc seems to have a security problem
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
                   ` (6 preceding siblings ...)
  2005-11-10 11:33 ` ben at decadentplace dot org dot uk
@ 2008-02-20 18:27 ` jason at gcc dot gnu dot org
  2008-02-20 18:38 ` tromey at gcc dot gnu dot org
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: jason at gcc dot gnu dot org @ 2008-02-20 18:27 UTC (permalink / raw)
  To: java-prs



------- Comment #8 from jason at gcc dot gnu dot org  2008-02-20 18:27 -------
is anyone on the gcj team looking at this?


-- 

jason at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|natFilePosix.cc seems to    |libjava natFilePosix.cc
                   |have a security problem     |seems to have a security
                   |                            |problem


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] libjava natFilePosix.cc seems to have a security problem
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
                   ` (7 preceding siblings ...)
  2008-02-20 18:27 ` [Bug libgcj/24170] libjava " jason at gcc dot gnu dot org
@ 2008-02-20 18:38 ` tromey at gcc dot gnu dot org
  2008-02-20 19:09 ` tromey at gcc dot gnu dot org
  2008-02-20 19:10 ` tromey at gcc dot gnu dot org
  10 siblings, 0 replies; 12+ messages in thread
From: tromey at gcc dot gnu dot org @ 2008-02-20 18:38 UTC (permalink / raw)
  To: java-prs



------- Comment #9 from tromey at gcc dot gnu dot org  2008-02-20 18:38 -------
I'll handle it.


-- 

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at gcc dot gnu   |tromey at gcc dot gnu dot
                   |dot org                     |org
             Status|NEW                         |ASSIGNED
   Last reconfirmed|2005-10-03 14:28:34         |2008-02-20 18:38:40
               date|                            |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] libjava natFilePosix.cc seems to have a security problem
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
                   ` (8 preceding siblings ...)
  2008-02-20 18:38 ` tromey at gcc dot gnu dot org
@ 2008-02-20 19:09 ` tromey at gcc dot gnu dot org
  2008-02-20 19:10 ` tromey at gcc dot gnu dot org
  10 siblings, 0 replies; 12+ messages in thread
From: tromey at gcc dot gnu dot org @ 2008-02-20 19:09 UTC (permalink / raw)
  To: java-prs



------- Comment #10 from tromey at gcc dot gnu dot org  2008-02-20 19:09 -------
Subject: Bug 24170

Author: tromey
Date: Wed Feb 20 19:09:09 2008
New Revision: 132491

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=132491
Log:
        PR libgcj/24170:
        * java/io/natFilePosix.cc (File::performList): Don't use
        readdir_r.
        * configure, include/config.h.in: Rebuilt.
        * configure.ac: Don't check for readdir_r.

Modified:
    trunk/libjava/ChangeLog
    trunk/libjava/configure
    trunk/libjava/configure.ac
    trunk/libjava/include/config.h.in
    trunk/libjava/java/io/natFilePosix.cc


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug libgcj/24170] libjava natFilePosix.cc seems to have a security problem
  2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
                   ` (9 preceding siblings ...)
  2008-02-20 19:09 ` tromey at gcc dot gnu dot org
@ 2008-02-20 19:10 ` tromey at gcc dot gnu dot org
  10 siblings, 0 replies; 12+ messages in thread
From: tromey at gcc dot gnu dot org @ 2008-02-20 19:10 UTC (permalink / raw)
  To: java-prs



------- Comment #11 from tromey at gcc dot gnu dot org  2008-02-20 19:10 -------
Fix checked in.


-- 

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |4.4.0


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170


^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2008-02-20 19:10 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2005-10-02 23:12 [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful ben at decadentplace dot org dot uk
2005-10-02 23:16 ` [Bug libgcj/24170] " ben at decadentplace dot org dot uk
2005-10-02 23:20 ` pinskia at gcc dot gnu dot org
2005-10-02 23:28 ` [Bug libgcj/24170] natFilePosix.cc seems to have a security problem pinskia at gcc dot gnu dot org
2005-10-02 23:38 ` ben at decadentplace dot org dot uk
2005-10-03  1:01 ` dberlin at dberlin dot org
2005-10-03 14:28 ` tromey at gcc dot gnu dot org
2005-11-10 11:33 ` ben at decadentplace dot org dot uk
2008-02-20 18:27 ` [Bug libgcj/24170] libjava " jason at gcc dot gnu dot org
2008-02-20 18:38 ` tromey at gcc dot gnu dot org
2008-02-20 19:09 ` tromey at gcc dot gnu dot org
2008-02-20 19:10 ` tromey at gcc dot gnu dot org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).