This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


[Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param


https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Kostya Serebryany <konstantin.s.serebryany at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #7 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
(In reply to Paul Pluzhnikov from comment #6)
> Second case fixed.

I've tweaked the fuzzer a bit and it produced something else: 

pattern: "${Ca+da}"

This time reproducible only on glibc trunk so I can't reproduce with valgrind.
Can you see it? 

==22916==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020001625f2 at pc 0x7f58e333187e bp 0x7fff8223fe90 sp 0x7fff8223fe88
READ of size 1 at 0x6020001625f2 thread T0
    #0 0x7f58e333187d in parse_param posix/wordexp.c:1581:18
    #1 0x7f58e333187d in parse_dollars posix/wordexp.c:2103
    #2 0x7f58e33212ac in parse_glob posix/wordexp.c:490:12
    #3 0x7f58e33212ac in wordexp posix/wordexp.c:2416


0x6020001625f2 is located 0 bytes to the right of 2-byte region
[0x6020001625f0,0x6020001625f2)
allocated by thread T0 here:
    #0 0x4a1eab in malloc 
    #1 0x7f58e321a546 in __add_to_environ stdlib/setenv.c:202
    #2 0x7f58e332d8c3 in parse_param posix/wordexp.c:1916:4
    #3 0x7f58e332d8c3 in parse_dollars posix/wordexp.c:2103
    #4 0x7f58e332102b in wordexp posix/wordexp.c:2348:10

-- 
You are receiving this mail because:
You are on the CC list for the bug.
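A minimal harness for feeding shell-style patterns into wordexp(3), added here as an example; it is not the fuzzer from the bug report (that code is not shown on this page) and it does not reproduce the trunk-only overflow on a glibc that carries the fix. The libFuzzer entry point name, the use of WRDE_NOCMD (so the harness never spawns /bin/sh on untrusted input), and the choice of the page's pattern "${Ca+da}" as the default input are this example's assumptions, not the project's. Build with `clang -g -fsanitize=address wordexp_harness.c` to get the same kind of heap-buffer-overflow report as the trace above on an affected glibc, or with `-fsanitize=fuzzer,address` to let libFuzzer drive it.

```c
/* wordexp_harness.c: added example, not the fuzzer from glibc bug 18043. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

/* Expand `pattern` with wordexp(3) and join the resulting fields with single
 * spaces into `out`.  Returns the wordexp() status: 0 on success, a WRDE_*
 * code on failure, or -1 if `out` is too small.  WRDE_NOCMD (assumption of
 * this example) turns "$(cmd)" and backquotes into a WRDE_CMDSUB error
 * instead of running a shell, which is what a caller that hands wordexp()
 * untrusted strings wants. */
int expand_pattern(const char *pattern, char *out, size_t outlen)
{
    wordexp_t we;
    memset(&we, 0, sizeof we);
    if (outlen > 0)
        out[0] = '\0';

    int rc = wordexp(pattern, &we, WRDE_NOCMD);
    if (rc != 0) {
        /* Only WRDE_NOSPACE leaves a partially filled wordexp_t behind. */
        if (rc == WRDE_NOSPACE)
            wordfree(&we);
        return rc;
    }

    size_t used = 0;
    for (size_t i = 0; i < we.we_wordc; i++) {
        const char *w = we.we_wordv[i];
        size_t n = strlen(w);
        size_t sep = (i > 0) ? 1 : 0;
        if (used + sep + n + 1 > outlen) {   /* truncate, never overflow */
            rc = -1;
            break;
        }
        if (sep)
            out[used++] = ' ';
        memcpy(out + used, w, n);
        used += n;
        out[used] = '\0';
    }
    wordfree(&we);
    return rc;
}

/* libFuzzer-style entry point (assumed name/signature of the libFuzzer API;
 * the original fuzzer is not on the page).  Raw bytes are NUL-terminated
 * because wordexp() takes a C string; an embedded NUL simply shortens the
 * pattern.  ASan reports a read past the end of a heap region inside
 * parse_param here exactly as in the trace above, on an affected glibc. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char *pat = malloc(size + 1);
    if (pat == NULL)
        return 0;
    memcpy(pat, data, size);
    pat[size] = '\0';

    wordexp_t we;
    int rc = wordexp(pat, &we, WRDE_NOCMD);
    if (rc == 0 || rc == WRDE_NOSPACE)
        wordfree(&we);
    free(pat);
    return 0;
}

/* Stand-alone use: ./a.out '<pattern>'  (defaults to the page's pattern). */
int main(int argc, char **argv)
{
    char buf[256];
    const char *pat = argc > 1 ? argv[1] : "${Ca+da}";
    int rc = expand_pattern(pat, buf, sizeof buf);
    printf("rc=%d expansion=\"%s\"\n", rc, buf);
    return rc != 0;
}
```

With `Ca` unset, `${Ca+da}` expands to nothing (the `+` form substitutes the word only when the parameter is set); after `setenv("Ca", "x", 1)` it expands to `da`. A pattern such as `$(id)` is rejected with WRDE_CMDSUB rather than executed, which is the check to keep in any harness or production caller that passes attacker-influenced strings to wordexp().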
