From mboxrd@z Thu Jan 1 00:00:00 1970
Received: (qmail 29407 invoked by alias); 2 Oct 2005 23:12:04 -0000
Mailing-List: contact java-prs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
Sender: java-prs-owner@gcc.gnu.org
Received: (qmail 29391 invoked by uid 48); 2 Oct 2005 23:12:04 -0000
Date: Sun, 02 Oct 2005 23:12:00 -0000
Subject: [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful
X-Bugzilla-Reason: CC
Reply-To: gcc-bugzilla@gcc.gnu.org
To: java-prs@gcc.gnu.org
From: "ben at decadentplace dot org dot uk"
X-SW-Source: 2005-q4/txt/msg00012.txt.bz2

The function java::io::File::performList in libjava/java/io/natFilePosix.cc calls readdir_r using a stack buffer with pathconf(path, _PC_NAME_MAX) + 1 extra bytes. It does not check for failure of pathconf(). Also, there is a race condition between opendir() and pathconf().

This may well be exploitable for denial of service and code injection, particularly on Solaris and other platforms where struct dirent is defined with a small d_name array.

I am attaching a draft copy of a security advisory that I intend to publish on 1st November. Please let me know if you have any unanswered questions about this issue or wish to provide information about workarounds, mitigation or versions that are or are not vulnerable for inclusion in the advisory.

--
           Summary: [SECURITY] readdir_r considered harmful
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: major
          Priority: P1
         Component: libgcj
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: ben at decadentplace dot org dot uk

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170
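The report above names three defects in how the entry buffer for readdir_r is sized: the limit query can fail unchecked, it is made on the path rather than on the stream that was actually opened (a race between opendir() and pathconf()), and the result lands in a fixed stack array even though struct dirent may declare d_name shorter than the real limit. The following C is an added example of the hardened pattern, written for this page; it is not code from libgcj, from the bug report or from the advisory it mentions. It assumes a POSIX system with fpathconf(), dirfd() and mkdtemp() (the function names dirent_buf_size, count_entries and self_check, and the /tmp fixture path, are this example's own).

```c
/* Hardened readdir_r usage (added example, not libgcj code):
 *  - the name-length limit is taken with fpathconf() on the open stream's own
 *    descriptor, so there is no window between opendir() and the size query;
 *  - a -1 return is distinguished between "error" (errno set) and
 *    "indeterminate" (errno untouched), and only the latter falls back;
 *  - the buffer is heap-allocated and sized from offsetof(d_name), never
 *    from sizeof(struct dirent) alone, because d_name may be declared small. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef NAME_MAX
#define NAME_MAX 255   /* assumption: conservative fallback where the macro is absent */
#endif

/* Size the entry buffer for an already-open directory stream.
   Returns 0 when no safe size can be determined (caller must not guess). */
static size_t dirent_buf_size(DIR *dir)
{
    long name_max;
    size_t needed;

    errno = 0;
    name_max = fpathconf(dirfd(dir), _PC_NAME_MAX);
    if (name_max == -1) {
        if (errno != 0)
            return 0;          /* genuine failure of the limit query */
        name_max = NAME_MAX;   /* limit is indeterminate: use the compile-time bound */
    }
    needed = offsetof(struct dirent, d_name) + (size_t)name_max + 1;
    return needed > sizeof(struct dirent) ? needed : sizeof(struct dirent);
}

/* Count entries in `path` other than "." and "..". Returns -1 on any error. */
long count_entries(const char *path)
{
    DIR *dir = opendir(path);
    if (dir == NULL)
        return -1;

    size_t bufsize = dirent_buf_size(dir);
    struct dirent *buf = bufsize ? malloc(bufsize) : NULL;
    if (buf == NULL) {
        closedir(dir);
        return -1;
    }

    long count = 0;
    struct dirent *ent = NULL;
    int rc;
    while ((rc = readdir_r(dir, buf, &ent)) == 0 && ent != NULL) {
        if (strcmp(ent->d_name, ".") != 0 && strcmp(ent->d_name, "..") != 0)
            count++;
    }
    free(buf);
    closedir(dir);
    return rc == 0 ? count : -1;
}

/* Self-check on a constructed fixture: a scratch directory holding two files.
   Returns 1 if exactly two entries are counted, 0 otherwise. */
int self_check(void)
{
    char dirpath[] = "/tmp/readdir_r_demo_XXXXXX";   /* constructed fixture */
    const char *names[] = { "a.txt", "b.txt" };
    char file[sizeof(dirpath) + 16];
    int ok = 0;

    if (mkdtemp(dirpath) == NULL)
        return 0;
    for (int i = 0; i < 2; i++) {
        snprintf(file, sizeof file, "%s/%s", dirpath, names[i]);
        int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            goto cleanup;
        close(fd);
    }
    ok = (count_entries(dirpath) == 2);

cleanup:
    for (int i = 0; i < 2; i++) {
        snprintf(file, sizeof file, "%s/%s", dirpath, names[i]);
        unlink(file);
    }
    rmdir(dirpath);
    return ok;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

The distinction between the two -1 cases of fpathconf() is the part most often skipped: without clearing errno first, an EBADF or ENOSYS is indistinguishable from "no fixed limit", and a short or garbage length then flows straight into the buffer size.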