This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/13506] New: tzfile.c heap overrun/corruption

From: "eggert at gnu dot org" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sources dot redhat dot com
Date: Thu, 15 Dec 2011 20:44:55 +0000
Subject: [Bug libc/13506] New: tzfile.c heap overrun/corruption
Auto-submitted: auto-generated

http://sourceware.org/bugzilla/show_bug.cgi?id=13506

             Bug #: 13506
           Summary: tzfile.c heap overrun/corruption
           Product: glibc
           Version: 2.14
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: eggert@gnu.org
    Classification: Unclassified


Created attachment 6113
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6113
Jeff Law work-in-progress patch

In <http://cygwin.com/ml/libc-alpha/2011-12/msg00037.html>
Jeff Law writes:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As y'all may be aware, there's an integer overflow which can be used
to trigger a heap overrun/corruption in time/tzfile.c

http://dividead.wordpress.com/2009/06/01/glibc-timezone-integer-overflow/


http://rcvalle.com/post/14169476482/exploiting-glibc-tzfile-read-integer-overflow-to


I'm not terribly familiar with the code in question, but ISTM we have
to verify the intermediate computations to determine the amount of
memory to malloc don't overflow/wrap.

Here's a WIP.  It catches the cases I've been made aware of
(overflowing total_size to 0 by creating a tzfile with a very large
tzh_charcnt).  But there may be further overflows I've missed.

Obviously it's not commented and it's unclear to me if we also want to
put in some kind of sanity checks on total_size to prevent it from
trying to malloc unreasoanble amounts of memory.

Your feedback would be greatly appreciated.




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJO6k6gAAoJEBRtltQi2kC7ASQH/0UmQm0wqk3NRmlsVr5M1r3f
fUelY55y8OQssaFCLDZ9LX1vybam9j85gmvGtRJUU4MJ3134hn/v73k8TYCd3rHJ
/QIQY10zPBHkmEwp8G56+3l9QRl418C+ajTq0W4NAzM1rIHtPUgrqZ3AkNJgFVYU
OAF+2afFDGE5vJ3HR7LSL62tuxjDf7m66r4tHHkbhkSSZgkyW/YxfFUPDupZnlz8
Wl87JU/RWHdMJ+RR+fB1ofgFKrNZnGpIsD3sAc07KWTp63S358DSRpZ1IaF2o3vh
N93z28eCQQKIVciOKgAE5q/qYr1KmcyU/6M4xPk+Pqv5YFdKOz8uNiw5NQu2rv0=
=RKgA
-----END PGP SIGNATURE-----

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Follow-Ups:
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: eggert at gnu dot org
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: law at redhat dot com
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: vapier at gentoo dot org
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: rguenth at gcc dot gnu.org
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: allan at archlinux dot org
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: mpolacek at redhat dot com
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: drepper.fsp at gmail dot com
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: vapier at gentoo dot org
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: allan at archlinux dot org
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: law at redhat dot com
- [Bug libc/13506] tzfile.c heap overrun/corruption
  - From: drepper.fsp at gmail dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]