This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/19652] New: Missing sanity check for malloc() in glibc-2.22 plus possible NULL pointer dereference (CWE-476)


https://sourceware.org/bugzilla/show_bug.cgi?id=19652

            Bug ID: 19652
           Summary: Missing sanity check for malloc() in glibc-2.22 plus
                    possible NULL pointer dereference (CWE-476)
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: wp02855 at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 8995
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8995&action=edit
patch file for above bug report (diff -u)

In directory 'io', file 'tst-fcntl.c', there is a call to malloc()
whose return value is not checked for NULL, indicating failure;
immediately after the malloc() call, mempcpy() is called, and
if its first argument is NULL, a segmentation fault/violation will
occur.  The patch file below should address/correct this issue:

--- tst-fcntl.c.orig    2016-02-16 17:20:29.644379422 -0800
+++ tst-fcntl.c 2016-02-16 17:24:02.171387148 -0800
@@ -45,6 +45,11 @@

    name_len = strlen (test_dir);
    name = malloc (name_len + sizeof ("/fcntlXXXXXX"));
+   if (name == NULL)
+      {
+        puts ("out of memory");
+        exit (1);
+      }
    mempcpy (mempcpy (name, test_dir, name_len),
            "/fcntlXXXXXX", sizeof ("/fcntlXXXXXX"));
    add_temp_file (name);
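Review bot: the added block calls puts() and exit(), but nothing in the hunk shows <stdio.h> or <stdlib.h> being included; confirm tst-fcntl.c already pulls both in, otherwise the patch will not build. Separately, puts() sends the diagnostic to stdout, where it is interleaved with the test's own output; writing it with `fputs ("out of memory\n", stderr);` keeps the failure reason visible on the error stream. The placement itself is right: the check sits between the malloc() and the first mempcpy() that would otherwise write through NULL.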

=======================================================================

In directory 'io', file 'test-lfs.c', there is a call to malloc()
whose return value is not checked for NULL, indicating failure;
immediately after the malloc() call, mempcpy() is called, and
if its first argument is NULL, a segmentation fault/violation will
occur.  The patch file below should address/correct this issue:

--- test-lfs.c.orig     2016-02-16 17:28:49.131397581 -0800
+++ test-lfs.c  2016-02-16 17:29:45.831399642 -0800
@@ -54,6 +54,11 @@

   name_len = strlen (test_dir);
   name = malloc (name_len + sizeof ("/lfsXXXXXX"));
+  if (name == NULL)
+    {
+      puts ("out of memory");
+      exit (1);
+    }
   mempcpy (mempcpy (name, test_dir, name_len),
            "/lfsXXXXXX", sizeof ("/lfsXXXXXX"));

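Review bot: the message "out of memory" gives no hint of what was requested; since the size is already computed on the line above, reporting it makes a failure diagnosable, e.g. `printf ("out of memory (%zu bytes)\n", name_len + sizeof ("/lfsXXXXXX"));`. The same header question as for tst-fcntl.c applies here (puts/exit need <stdio.h>/<stdlib.h>, neither visible in the hunk). The check is otherwise correctly placed ahead of the nested mempcpy() calls.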
=======================================================================

In directory 'libio', file 'tst-fopenloc.c', there is a call to malloc()
whose return value is not checked for NULL, indicating failure;
immediately after the malloc() call, strcpy() is called, and
if its first argument is NULL, a segmentation fault/violation will
occur.  The patch file below should address/correct this issue:

--- tst-fopenloc.c.orig 2016-02-16 17:47:29.137438298 -0800
+++ tst-fopenloc.c      2016-02-16 17:48:40.176440881 -0800
@@ -40,6 +40,11 @@

   const size_t sz = 2 * 1024 * 1024;
   char *ccs = malloc (sz);
+  if (css == NULL)
+    {
+      puts ("out of memory");
+      exit (1);
+    }
   strcpy (ccs, "r,ccs=");
   memset (ccs + 6, 'A', sz - 6 - 1);
   ccs[sz - 1] = '\0';
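Review bot: the new check `if (css == NULL)` tests an identifier that does not exist; the buffer allocated two lines above is named `ccs`, so this hunk fails to compile as posted. It should read `if (ccs == NULL)`. Once that typo is fixed the guard is in the right place, ahead of the strcpy() and memset() that would otherwise write through NULL; the same note about puts/exit requiring <stdio.h>/<stdlib.h> applies as in the io/ hunks.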

=======================================================================

In directory 'libio', file 'tst-fopenloc.c', there is a call to malloc()
whose return value is not checked for NULL, indicating failure;
immediately after the malloc() call, memset() is called, and
if its first argument is NULL, a segmentation fault/violation will
occur.  The patch file below should address/correct this issue:

--- tst-mmap2-eofsync.c.orig    2016-02-16 17:51:52.835447885 -0800
+++ tst-mmap2-eofsync.c 2016-02-16 17:52:29.957449234 -0800
@@ -21,6 +21,11 @@
 do_prepare (void)
 {
   pages = malloc (getpagesize () * 2);
+  if (pages == NULL)
+    {
+      puts ("out of memory");
+      exit (1);
+    }
   memset (pages, 'a', getpagesize ());
   memset (pages + getpagesize (), 'b', getpagesize ());

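Review bot: the description above this hunk names libio/tst-fopenloc.c, but the diff headers show the change is against tst-mmap2-eofsync.c (function do_prepare); the text should name the right file so this report is not confused with the preceding one. Within the hunk the guard is correctly placed before the two memset() calls that would otherwise write through a NULL `pages`; as with the other test changes, confirm <stdio.h>/<stdlib.h> are already included for puts() and exit().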

=======================================================================

In directory 'libio', file 'wfileops.c', in function 'do_ftell_wide',
there is a call to malloc() which is NOT tested for a return value of
NULL, indicating failure.  The patch file below should address/correct
this issue:

--- wfileops.c.orig     2016-02-16 18:19:52.270508940 -0800
+++ wfileops.c  2016-02-16 18:26:39.686523751 -0800
@@ -701,6 +701,11 @@
              /* Allocate enough space for the conversion.  */
              size_t outsize = delta * sizeof (wchar_t);
              char *out = malloc (outsize);
+             if (out == NULL)
+               {
+                 __set_errno (ENOMEM);
+                 return WEOF;
+               }
              char *outstop = out;
              const wchar_t *in = fp->_wide_data->_IO_write_base;

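Review bot: the error path returns WEOF, a wint_t end-of-file constant, from do_ftell_wide, which computes a file offset; match whatever the function's existing error paths return (WEOF if that is the local convention, otherwise -1 with errno set) so callers recognise the failure consistently rather than reading it as a large positive offset. Setting ENOMEM with __set_errno before returning is the right signalling, and since nothing allocated earlier in the function is visible in the context, the early return does not appear to leak anything.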
=======================================================================
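The five reports above share one pattern: a buffer from malloc() is handed straight to mempcpy(), strcpy() or memset() without a NULL check, so an allocation failure turns into a NULL-pointer write (CWE-476). The C code below is an added example, not code from glibc or from the reporter's patch. It builds a temporary file name the way tst-fcntl.c and test-lfs.c do, but takes the allocator as a parameter (a hypothetical hook, `alloc_fn`, introduced here only so the out-of-memory branch can be exercised deterministically) and reports failure by returning NULL with errno set to ENOMEM, the same signalling the wfileops.c hunk uses, instead of dereferencing NULL.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hook (hypothetical, for this example only) so the failure
   path can be tested without actually exhausting memory.  */
typedef void *(*alloc_fn) (size_t);

/* Allocator that always fails, standing in for malloc() under memory
   pressure.  */
static void *
failing_alloc (size_t size)
{
  (void) size;
  return NULL;
}

/* Build "<test_dir><suffix>" (e.g. "/tmp/fcntlXXXXXX") in a freshly
   allocated buffer.  Unlike the unpatched tests, a failed allocation is
   reported by returning NULL with errno = ENOMEM instead of being
   passed on to the copy routines.  The caller frees the result.  */
char *
build_temp_name (const char *test_dir, const char *suffix, alloc_fn alloc)
{
  size_t dir_len = strlen (test_dir);
  size_t suffix_size = strlen (suffix) + 1;   /* room for the NUL */

  char *name = alloc (dir_len + suffix_size);
  if (name == NULL)
    {
      errno = ENOMEM;
      return NULL;
    }
  memcpy (name, test_dir, dir_len);
  memcpy (name + dir_len, suffix, suffix_size);
  return name;
}

/* Caller-side pattern: report the failure on stderr and hand back a
   status instead of crashing.  Returns 1 when the name was built,
   0 when the allocator failed (and *out_name is NULL).  */
int
prepare_name (const char *test_dir, alloc_fn alloc, char **out_name)
{
  char *name = build_temp_name (test_dir, "/fcntlXXXXXX", alloc);
  if (name == NULL)
    {
      fprintf (stderr, "out of memory building temp name: %s\n",
               strerror (errno));
      *out_name = NULL;
      return 0;
    }
  *out_name = name;
  return 1;
}

int
main (void)
{
  char *name;

  /* Normal path with the real allocator.  */
  if (prepare_name ("/tmp", malloc, &name))
    {
      printf ("built: %s\n", name);
      free (name);
    }

  /* Exercise the failure path deterministically.  */
  if (!prepare_name ("/tmp", failing_alloc, &name))
    puts ("allocation failure handled without dereferencing NULL");
  return 0;
}
```

Injecting the allocator is what makes the branch the patches add actually testable: with plain malloc() the NULL return almost never happens on a developer machine, so the guard would otherwise ship unexecuted. In a real glibc test the reporter's `puts ("out of memory"); exit (1);` is the minimal form of the same idea.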
