This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug locale/22029] New: iconv: gconv callback function mangling easily defeated

From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Tue, 29 Aug 2017 14:23:30 +0000
Subject: [Bug locale/22029] New: iconv: gconv callback function mangling easily defeated
Auto-submitted: auto-generated

https://sourceware.org/bugzilla/show_bug.cgi?id=22029

            Bug ID: 22029
           Summary: iconv: gconv callback function mangling easily
                    defeated
           Product: glibc
           Version: 2.26
            Status: NEW
          Severity: normal
          Priority: P2
         Component: locale
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security-

Code like this (from wcsmbs/mbrtoc16.c:mbrtoc16) is problematic:

  __gconv_fct fct = fcts->towc->__fct;
#ifdef PTR_DEMANGLE
  if (fcts->towc->__shlib_handle != NULL)
    PTR_DEMANGLE (fct);
#endif

  status = DL_CALL_FCT (fct, (fcts->towc, &data, &inbuf, endbuf,
                              NULL, &dummy, 0, 1));

An attacker might just set __shlib_handle to NULL to avoid the need for
mangling the function pointer.

(Flagging as security- because this is merely hardening.)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Follow-Ups:
- [Bug locale/22029] iconv: gconv callback function mangling easily defeated
  - From: fweimer at redhat dot com
- [Bug locale/22029] iconv: gconv callback function mangling easily defeated
  - From: fweimer at redhat dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]