This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/22542] New: buffer overflow in sunrpc clnt_create
- From: "msebor at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sun, 03 Dec 2017 22:27:53 +0000
- Subject: [Bug libc/22542] New: buffer overflow in sunrpc clnt_create
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22542
Bug ID: 22542
Summary: buffer overflow in sunrpc clnt_create
Product: glibc
Version: 2.24
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: msebor at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
The clnt_create() function calls strcpy() to copy the string pointed to by the
hostname argument to the sun_addr member array of a struct sockaddr_un object
allocated on the stack. When the string is longer than fits in the array the
function corrupts the calling process' stack due to the buffer overflow.
I noticed this while developing the patch suggested here:
https://sourceware.org/ml/libc-alpha/2017-11/msg00932.html.
$ cat d.c && gcc -Wall d.c && valgrind ./a.out
#include <errno.h>
#include <rpc/clnt.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <string.h>
int main ()
{
  /* a host name twice as long as sockaddr_un.sun_path, filled with 'x' */
  char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2];
  memset (name, 'x', sizeof name - 1);
  name [sizeof name - 1] = '\0';
  /* clnt_create() strcpy()s name into a stack sockaddr_un and overflows it */
  CLIENT *clnt = clnt_create (name, 0, 0, "unix");
  if (clnt)
    clnt_destroy (clnt);
}
==18499== Memcheck, a memory error detector
==18499== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==18499== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==18499== Command: ./a.out
==18499==
==18499== Source and destination overlap in strcpy(0xffefffcc2, 0xffefffd70)
==18499== at 0x4C30E06: __GI_strcpy (vg_replace_strmem.c:507)
==18499== by 0x4F6FE30: clnt_create (in /usr/lib64/libc-2.24.so)
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878780077: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499==
==18499== Jump to the invalid address stated on the next line
==18499== at 0x7878787878787878: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878780077: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== Address 0x7878787878787878 is not stack'd, malloc'd or (recently) free'd
==18499==
==18499==
==18499== Process terminating with default action of signal 11 (SIGSEGV)
==18499== Bad permissions for mapped region at address 0x7878787878787878
==18499== at 0x7878787878787878: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878780077: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499== by 0x7878787878787877: ???
==18499==
==18499== HEAP SUMMARY:
==18499== in use at exit: 0 bytes in 0 blocks
==18499== total heap usage: 2 allocs, 2 frees, 272 bytes allocated
==18499==
==18499== All heap blocks were freed -- no leaks are possible
==18499==
==18499== For counts of detected and suppressed errors, rerun with: -v
==18499== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
--
You are receiving this mail because:
You are on the CC list for the bug.
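The missing bounds check behind the report above, written out as an added example that is neither glibc's code nor the reporter's: a sockaddr_un is filled from a caller-supplied path only after the path is known to fit in sun_path, and the report's oversized 'x'-filled name is rejected with ENAMETOOLONG instead of being copied past the array. unix_addr_init() is a hypothetical helper name.

```c
/* Added example (not glibc code): build a struct sockaddr_un from a
 * caller-supplied path with an explicit length check, the check that
 * clnt_create's strcpy() into sun_path lacks in the report above.
 * unix_addr_init() is a hypothetical helper name. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill *out for AF_UNIX. Returns 0 on success; -1 with errno set to
 * ENAMETOOLONG when path plus its terminating NUL does not fit in
 * sun_path, so no byte past the array is ever written. */
int unix_addr_init (struct sockaddr_un *out, const char *path)
{
  size_t len = strlen (path);
  if (len >= sizeof out->sun_path)   /* >= keeps room for the NUL */
    {
      errno = ENAMETOOLONG;
      return -1;
    }
  memset (out, 0, sizeof *out);
  out->sun_family = AF_UNIX;
  memcpy (out->sun_path, path, len + 1);
  return 0;
}

/* Reproduce the report's input: a name twice the size of sun_path,
 * filled with 'x' (0x78, the byte pattern in the valgrind frames). */
int oversized_name_is_rejected (void)
{
  char name[sizeof ((struct sockaddr_un *) 0)->sun_path * 2];
  struct sockaddr_un sa;
  memset (name, 'x', sizeof name - 1);
  name[sizeof name - 1] = '\0';
  errno = 0;
  return unix_addr_init (&sa, name) == -1 && errno == ENAMETOOLONG;
}

/* A constructed path that fits is copied verbatim, NUL-terminated. */
int short_name_is_accepted (void)
{
  struct sockaddr_un sa;
  return unix_addr_init (&sa, "/tmp/sock") == 0
         && sa.sun_family == AF_UNIX
         && strcmp (sa.sun_path, "/tmp/sock") == 0;
}
```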