This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/11892] New: putenv()/setenv() unbounded alloca()
- From: "cdn at chromium dot org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 6 Aug 2010 21:02:10 -0000
- Subject: [Bug libc/11892] New: putenv()/setenv() unbounded alloca()
- Reply-to: sourceware-bugzilla at sourceware dot org
Setting long environment variables results in errant stack pointer and
subsequent memory corruption. This is due to an inlined alloca() which can move
the stack pointer to an arbitrary location in memory.
This can probably be used to gain arbitrary code execution in code which sets
environment variables where an attacker controls either the name or value
arbitrarily.
The use of the -fstack-check compile flag probably does not sufficiently
mitigate these issues.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>

int main(int argc, char **argv) {
    char *name;
    size_t len;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <length>\n", argv[0]);
        return 1;
    }
    len = strtoul(argv[1], NULL, 10);
    /* anonymous mapping of the requested size; fd is -1 for MAP_ANONYMOUS */
    name = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (name == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memset(name, 0x41, len);
    name[len - 1] = 0;   /* NUL-terminate the string */
    name[len / 2] = '='; /* "AAA...=AAA..." so putenv() sees NAME=VALUE */
    putenv(name);        /* the oversized string reaches the alloca() inside putenv() */
    exit(0);
}
Within putenv() a sub esp, arbitrary will happen, making subsequent writes to the
stack (in this case in the form of a memcpy()) overwrite arbitrary memory.
--
Summary: putenv()/setenv() unbounded alloca()
Product: glibc
Version: 2.11
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: cdn at chromium dot org
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=11892
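The following is an added example, not part of the bug report or of glibc's own code, showing the two defensive patterns the report points at: an application-side wrapper that rejects attacker-sized name/value input before it reaches setenv(), and a library-style helper that builds a temporary "NAME=VALUE" buffer on the stack only when it is small and falls back to malloc() otherwise, so the stack pointer can never be moved by an input-controlled amount. The limits STACK_SCRATCH_LIMIT and MAX_ENV_PART, the function names, and the GR_DEMO variable are assumptions chosen for this example, not glibc's values.

```c
#include <alloca.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Assumed limits for this example (not glibc's): temporary buffers larger
 * than STACK_SCRATCH_LIMIT go to the heap instead of the stack, and names or
 * values from untrusted input longer than MAX_ENV_PART are rejected. */
#define STACK_SCRATCH_LIMIT 1024
#define MAX_ENV_PART 4096

/* Length of "NAME=VALUE" including the NUL, or 0 if the name is unusable
 * (NULL, empty, or containing '='). */
size_t env_entry_len(const char *name, const char *value)
{
    if (name == NULL || value == NULL || *name == '\0' || strchr(name, '=') != NULL)
        return 0;
    return strlen(name) + 1 + strlen(value) + 1;
}

/* Application-side defense: refuse oversized or malformed input before it
 * reaches setenv(). Returns 0 on success, -1 with errno set otherwise. */
int checked_setenv(const char *name, const char *value, int overwrite)
{
    if (env_entry_len(name, value) == 0) {
        errno = EINVAL;
        return -1;
    }
    if (strlen(name) > MAX_ENV_PART || strlen(value) > MAX_ENV_PART) {
        errno = E2BIG;
        return -1;
    }
    return setenv(name, value, overwrite);
}

/* Library-side pattern: the scratch "NAME=VALUE" string lives on the stack
 * only when its size is bounded; anything larger comes from malloc(). Scans
 * environ for an exact match and returns its index, -1 if absent, -2 on
 * error (errno set). */
int find_env_entry(const char *name, const char *value)
{
    size_t n = env_entry_len(name, value);
    if (n == 0) {
        errno = EINVAL;
        return -2;
    }

    int on_heap = n > STACK_SCRATCH_LIMIT;
    char *buf = on_heap ? malloc(n) : alloca(n); /* alloca bounded by the limit */
    if (buf == NULL)
        return -2; /* malloc failed, errno is ENOMEM */

    /* cannot overrun: n was computed from these same two strings */
    snprintf(buf, n, "%s=%s", name, value);

    int idx = -1;
    for (int i = 0; environ != NULL && environ[i] != NULL; i++) {
        if (strcmp(environ[i], buf) == 0) {
            idx = i;
            break;
        }
    }
    if (on_heap)
        free(buf);
    return idx;
}

/* Round trip with a constructed value of `len` 'A's: -1 if checked_setenv()
 * rejects it, 1 if it is set and found again, 0 if set but not found. */
int roundtrip(size_t len)
{
    char *value = malloc(len + 1);
    if (value == NULL)
        return -1;
    memset(value, 'A', len);
    value[len] = '\0';
    int rc = checked_setenv("GR_DEMO", value, 1);
    if (rc == 0)
        rc = find_env_entry("GR_DEMO", value) >= 0 ? 1 : 0;
    free(value);
    return rc;
}

int main(void)
{
    printf("small value (stack scratch): %d\n", roundtrip(16));
    printf("2000-byte value (heap scratch): %d\n", roundtrip(2000));
    printf("5000-byte value (rejected): %d\n", roundtrip(5000));
    return 0;
}
```

The 2000-byte case exercises the heap branch of find_env_entry() because the combined entry exceeds STACK_SCRATCH_LIMIT, while the 5000-byte case never reaches setenv() at all; the point is that the size of the temporary buffer decides where it is allocated, not the other way round.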