This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug nss/21654] New: Incorrect pointer alignment in NSS group merge result construction
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 21 Jun 2017 08:34:44 +0000
- Subject: [Bug nss/21654] New: Incorrect pointer alignment in NSS group merge result construction
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=21654
Bug ID: 21654
Summary: Incorrect pointer alignment in NSS group merge result
construction
Product: glibc
Version: 2.25
Status: NEW
Severity: normal
Priority: P2
Component: nss
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security-
Sergey Kolosov discovered that the NSS group merge feature does not work on
ppc64 and s390x. The cause seems to be this code in grp/grp-merge.c:
  /* Copy the pointers from the members array into the buffer and assign them
     to the gr_mem member of destgrp.  */
  destgrp->gr_mem = (char **) &destbuf[c];
  len = sizeof (char *) * (memcount + 1);
  BUFCHECK (len);
  memcpy (&destbuf[c], members, len);
  c += len;
  free (members);
  members = NULL;
After the assignment to destgrp->gr_mem, we have:
(gdb) print destbuf
$1 = 0x10031000 "groupa"
(gdb) print c
$2 = 21
(gdb) print destgrp->gr_mem
$3 = (char **) 0x10031015
This pointer is not suitably aligned, and this triggers undefined behavior.
We should switch this code over to the allocation buffer interface, which deals
with exactly this kind of problem.
--
You are receiving this mail because:
You are on the CC list for the bug.
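The following is an added illustration of the layout problem the report describes; it is not glibc code and not part of the bug report. It packs a group name and its member strings into a char buffer and then places the gr_mem pointer array immediately after them, exactly as the quoted grp-merge.c code does, so the array lands at whatever byte offset the strings happen to end on. The same function can instead round that offset up to the alignment of a char * before placing the array, which is the padding any alignment-aware buffer allocator has to perform. The group name, member names, struct group_like, build_group, align_up, MAX_MEMBERS and the sample_* helpers are all constructed for this example; with these inputs the unpadded array lands at offset 23 rather than the 21 seen in the report's gdb session.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example only: a cut-down stand-in for struct group with the two
   members that matter for the layout question.  */
struct group_like
{
  char *gr_name;
  char **gr_mem;
};

#define MAX_MEMBERS 16

/* Round C up to a multiple of ALIGN, which must be a power of two.  */
static size_t
align_up (size_t c, size_t align)
{
  return (c + align - 1) & ~(align - 1);
}

/* 1 if P may be used as a char ** on this target, else 0.  */
static int
pointer_aligned (const void *p)
{
  return (uintptr_t) p % alignof (char *) == 0;
}

/* Pack NAME and MEMBERS into DESTBUF and fill in DST.  With DO_ALIGN == 0
   the gr_mem array is placed at the next free byte, which mirrors the
   original code; with DO_ALIGN != 0 the offset is first rounded up to the
   alignment of a char *.  Returns the offset of gr_mem within DESTBUF, or
   (size_t) -1 if the buffer is too small.  */
static size_t
build_group (struct group_like *dst, char *destbuf, size_t buflen,
             const char *name, const char *const *members, size_t memcount,
             int do_align)
{
  char *ptrs[MAX_MEMBERS + 1];   /* plays the role of the members array */
  size_t c = 0, len, i;

  if (memcount > MAX_MEMBERS)
    return (size_t) -1;

  /* Group name goes first, as in the report ("groupa" at destbuf[0]).  */
  len = strlen (name) + 1;
  if (len > buflen - c)
    return (size_t) -1;
  memcpy (&destbuf[c], name, len);
  dst->gr_name = &destbuf[c];
  c += len;

  /* Member strings follow back to back; record where each one landed.  */
  for (i = 0; i < memcount; i++)
    {
      len = strlen (members[i]) + 1;
      if (len > buflen - c)
        return (size_t) -1;
      memcpy (&destbuf[c], members[i], len);
      ptrs[i] = &destbuf[c];
      c += len;
    }
  ptrs[memcount] = NULL;

  /* This is the step the original code lacks: pad C so that a char *
     array may start here.  */
  if (do_align)
    c = align_up (c, alignof (char *));

  len = sizeof (char *) * (memcount + 1);
  if (c > buflen || len > buflen - c)
    return (size_t) -1;
  dst->gr_mem = (char **) &destbuf[c];
  memcpy (&destbuf[c], ptrs, len);
  return c;
}

/* Constructed sample input: "groupa\0" (7 bytes) + "alice\0" + "bob\0"
   + "carol\0" (16 bytes) puts the end of the strings at offset 23.  */
static const char *const sample_members[] = { "alice", "bob", "carol" };

static size_t
sample_build (int do_align, struct group_like *g)
{
  static alignas (char *) char buf[128];
  return build_group (g, buf, sizeof buf, "groupa", sample_members, 3,
                      do_align);
}

/* Offset at which the sample layout places gr_mem.  */
static size_t
sample_offset (int do_align)
{
  struct group_like g;
  return sample_build (do_align, &g);
}

/* Whether the sample layout yields a usable gr_mem pointer.  */
static int
sample_is_aligned (int do_align)
{
  struct group_like g;
  return sample_build (do_align, &g) != (size_t) -1
         && pointer_aligned (g.gr_mem);
}

int
main (void)
{
  printf ("unpadded: gr_mem at offset %zu, aligned=%d\n",
          sample_offset (0), sample_is_aligned (0));
  printf ("padded:   gr_mem at offset %zu, aligned=%d\n",
          sample_offset (1), sample_is_aligned (1));
  return 0;
}
```

The unpadded variant deliberately stops short of reading through the misaligned gr_mem: on x86 that read would appear to work, which is why the defect only surfaced on ppc64 and s390x, but it is undefined behavior everywhere. The padding also changes the space accounting, so any size check has to be done on the rounded-up offset, as the second check in build_group does.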