This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/18036] New: buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern

From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Thu, 26 Feb 2015 18:12:18 +0000
Subject: [Bug libc/18036] New: buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
Auto-submitted: auto-generated

https://sourceware.org/bugzilla/show_bug.cgi?id=18036

            Bug ID: 18036
           Summary: buffer overflow (read past end of buffer) in
                    internal_fnmatch=>end_pattern with "**(!()" pattern
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com
             Flags: security+

Similar to https://sourceware.org/bugzilla/show_bug.cgi?id=18032
but in a different place: 

#include <fnmatch.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <assert.h>
int main(int argc, const char* argv[]) {
  long page_size = sysconf (_SC_PAGESIZE);
  assert(page_size > 0);
  char *page = mmap (NULL, 2 * page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  assert(page != MAP_FAILED);
  assert(!mprotect (page + page_size, page_size, PROT_NONE));
  memset (page, ' ', page_size);
  const char p[] = "**(!()";
  strcpy(page, p); 
  fnmatch(page, p, FNM_EXTMATCH);
} 


gcc fn3.c && ./a.out 
Segmentation fault (core dumped)


gdb: 
(gdb) bt
#0  0x00007ffff7adaf4b in end_pattern (pattern=pattern@entry=0x7ffff7ff6002
"(!()") at fnmatch_loop.c:1032
#1  0x00007ffff7adcbb9 in internal_fnmatch (pattern=<optimized out>,
string=string@entry=0x7fffffffdcd0 "**(!()", string_end=0x7fffffffdcd6 "",
no_leading_period=no_leading_period@entry=0, 
    flags=flags@entry=32, ends=ends@entry=0x0, alloca_used=alloca_used@entry=0)
at fnmatch_loop.c:128
#2  0x00007ffff7addf72 in __fnmatch (pattern=0x7ffff7ff6000 "**(!()",
string=0x7fffffffdcd0 "**(!()", flags=32) at fnmatch.c:458
#3  0x000000000040084a in main ()

Reproduces on 2.19 and fresh trunk. Marking as security+ similar to bug 18032
Since bug 18032 has been fixed promptly I assume you don't mind these reports.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Follow-Ups:
- [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
  - From: ppluzhnikov at google dot com
- [Bug libc/18036] buffer overflow (read past end of buffer) in internal_fnmatch=>end_pattern with "**(!()" pattern
  - From: ppluzhnikov at google dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]