This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/22786] New: Stack buffer overflow in realpath() if input size is close to SSIZE_MAX
- From: "izbyshev at ispras dot ru" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sun, 04 Feb 2018 17:33:00 +0000
- Subject: [Bug libc/22786] New: Stack buffer overflow in realpath() if input size is close to SSIZE_MAX
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22786
Bug ID: 22786
Summary: Stack buffer overflow in realpath() if input size is close to SSIZE_MAX
Product: glibc
Version: 2.27
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: izbyshev at ispras dot ru
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Flags: security?
Created attachment 10783
--> https://sourceware.org/bugzilla/attachment.cgi?id=10783&action=edit
Demo of extra_buf overflow
In the following code from stdlib/canonicalize.c, if n + len > SSIZE_MAX, the
boundary check will incorrectly succeed and then the extra_buf stack buffer will be
overflowed. len is fully controlled by the user.
  len = strlen (end);
  if ((long int) (n + len) >= path_max)
    {
      __set_errno (ENAMETOOLONG);
      goto error;
    }

  /* Careful here, end may be a pointer into extra_buf... */
  memmove (&extra_buf[n], end, len + 1);
This can be practically demonstrated for 32-bit glibc builds with the attached
test case (requires 2 GB of RAM):
$ ln -s . s
$ gcc -m32 test.c
$ ./a.out
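Added example (not part of the bug report or of glibc): a stand-alone C program contrasting the shape of the quoted length check, where the unsigned sum n + len is cast to long before the comparison, with an overflow-safe check that never forms the sum. The values path_max = 4096 and n = 20 are constructed sample inputs; overflowing_len() picks a len that puts n + len exactly one past LONG_MAX, the SSIZE_MAX boundary the report names, so the same demonstration works whether long is 32 or 64 bits and without allocating any large buffer.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Flawed length check, shaped like the one quoted from canonicalize.c:
 * the unsigned sum n + len is cast to long before comparing with path_max.
 * Once n + len exceeds LONG_MAX the cast yields a negative value (modular
 * conversion on the usual two's-complement ABIs), so the check wrongly
 * reports that the data fits.  Returns true when the memmove would proceed. */
static bool flawed_fits(size_t n, size_t len, long path_max)
{
    return (long int) (n + len) < path_max;
}

/* Overflow-safe check: compare len against the remaining room instead of
 * forming n + len.  Keeps the intended semantics (n + len >= path_max is an
 * error) for every input, including len close to SIZE_MAX. */
static bool safe_fits(size_t n, size_t len, long path_max)
{
    if (path_max <= 0)
        return false;
    size_t room = (size_t) path_max;
    if (n >= room)
        return false;
    return len < room - n;
}

/* Constructed len such that n + len == LONG_MAX + 1, i.e. one past the
 * SSIZE_MAX boundary, independent of the width of long. */
static size_t overflowing_len(size_t n)
{
    return (size_t) LONG_MAX - n + 1;
}

int main(void)
{
    const long path_max = 4096;  /* typical PATH_MAX; constructed sample */
    size_t n = 20;               /* bytes already in extra_buf; constructed */
    size_t big = overflowing_len(n);

    printf("n=%zu len=%zu: flawed check says %s, safe check says %s\n", n, big,
           flawed_fits(n, big, path_max) ? "fits" : "too long",
           safe_fits(n, big, path_max) ? "fits" : "too long");
    printf("n=%zu len=%d: flawed check says %s, safe check says %s\n", n, 100,
           flawed_fits(n, 100, path_max) ? "fits" : "too long",
           safe_fits(n, 100, path_max) ? "fits" : "too long");
    return 0;
}
```

The safe variant rejects exactly the inputs the original intends to reject (n + len >= path_max) and additionally rejects every combination whose sum would wrap, which is the case the report describes; compiling with -fsanitize=undefined does not flag the flawed cast, since unsigned-to-signed conversion is implementation-defined rather than undefined, so this class of bug has to be caught by review or by tests at the boundary.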