This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug locale/22029] New: iconv: gconv callback function mangling easily defeated
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 29 Aug 2017 14:23:30 +0000
- Subject: [Bug locale/22029] New: iconv: gconv callback function mangling easily defeated
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22029
Bug ID: 22029
Summary: iconv: gconv callback function mangling easily defeated
Product: glibc
Version: 2.26
Status: NEW
Severity: normal
Priority: P2
Component: locale
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security-
Code like this (from wcsmbs/mbrtoc16.c:mbrtoc16) is problematic:
    __gconv_fct fct = fcts->towc->__fct;
    #ifdef PTR_DEMANGLE
    if (fcts->towc->__shlib_handle != NULL)
      PTR_DEMANGLE (fct);
    #endif
    status = DL_CALL_FCT (fct, (fcts->towc, &data, &inbuf, endbuf,
                                NULL, &dummy, 0, 1));
An attacker might just set __shlib_handle to NULL to avoid the need for
mangling the function pointer.
(Flagging as security- because this is merely hardening.)
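The pattern described in the report, as an added example that is not glibc code and not part of the original message: it compares a demangle step gated on a handle field with one that always runs. `struct step`, `guard`, the XOR-only mangling and the always-demangle variant are assumptions made for illustration (simplified stand-ins for `struct __gconv_step` and `PTR_MANGLE`/`PTR_DEMANGLE`).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*conv_fct)(int);
/* Simplified stand-in for struct __gconv_step (assumption: two fields only). */
struct step { void *shlib_handle; conv_fct fct; };
typedef conv_fct (*resolver)(const struct step *);

/* Constructed secret; XOR-only mangling is a simplification of PTR_MANGLE. */
static uintptr_t guard = 0x9e3779b9u;
static conv_fct mangle(conv_fct f)   { return (conv_fct)((uintptr_t)f ^ guard); }
static conv_fct demangle(conv_fct f) { return (conv_fct)((uintptr_t)f ^ guard); }

/* Pattern from the report: demangle only when the handle field is set, so the
   protection is switched off by data stored next to the pointer itself. */
conv_fct resolve_conditional(const struct step *s) {
    conv_fct f = s->fct;
    if (s->shlib_handle != NULL)
        f = demangle(f);
    return f;
}

/* Hardened variant (assumed here): the pointer is always stored mangled and
   always demangled, so no field of the struct can disable the check. */
conv_fct resolve_always(const struct step *s) { return demangle(s->fct); }

int legit(int x) { return x + 1; }
int other(int x) { return -x; }   /* any address chosen by whoever wrote the struct */

/* Models corruption of the step: raw pointer stored, handle cleared. */
void overwrite_step(struct step *s) { s->shlib_handle = NULL; s->fct = other; }

/* 1 if the overwritten step resolves to the chosen address, 0 otherwise. */
int redirected(resolver r) {
    struct step s = { &guard, mangle(legit) };
    overwrite_step(&s);
    return r(&s) == other;
}

/* 1 if an untouched step still resolves to the intended function. */
int intact(resolver r) {
    struct step s = { &guard, mangle(legit) };
    return r(&s) == legit;
}

int main(void) {
    printf("conditional demangle redirected: %d\n", redirected(resolve_conditional));
    printf("unconditional demangle redirected: %d\n", redirected(resolve_always));
    return 0;
}
```

With the unconditional variant the overwritten pointer resolves to an address derived from the secret rather than to the chosen one, which is the property the mangling is meant to provide.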