This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [patch] Fix for heap overflow in wscanf (BZ 16618)


On 02/06/2015 04:29 PM, Carlos O'Donell wrote:
> On 02/06/2015 10:19 AM, Paul Pluzhnikov wrote:
>> On Fri, Feb 6, 2015 at 6:45 AM, Carlos O'Donell <carlos@redhat.com> wrote:
>>> On 02/06/2015 08:45 AM, Florian Weimer wrote:
>>
>>>> I think this fixes as CVE-2015-1473 as well,
>>
>> Correct.
>>
> 
> Could you expand a bit on this comment? Did you test that it fixes the issue?
> Did you review that it's actually the same bug?
> 
> I trust your review, but "Correct." is not sufficiently verbose for me and
> I want to make sure we're all in agreement.

The old code had this:

     size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax                       \
                       ? UCHAR_MAX + 1 : 2 * wpmax);                   \
     if (use_malloc || !__libc_use_alloca (newsize))                   \
     ...
         wp = (CHAR_T *) extend_alloca (wp, s,                         \
                                        newsize * sizeof (CHAR_T));    \

Which is to say, the alloca policy check was against newsize, but the
actual allocation used newsize * sizeof (CHAR_T).

The new version computes newsize in bytes and uses it consistently,
addressing this discrepancy.

-- 
Florian Weimer / Red Hat Product Security
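To make the mismatch concrete, here is an added example (not code from the glibc patch or from this thread) that models the stack-allocation policy as a fixed byte cutoff and compares the old element-count check with the byte-based one; `ALLOCA_CUTOFF`, the function names and the sample `wpmax` values are assumptions chosen for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed byte limit for stack allocation (stand-in for glibc's policy). */
#define ALLOCA_CUTOFF 65536

/* Stand-in for the policy check: true if 'bytes' may live on the stack. */
static bool use_alloca_ok(size_t bytes)
{
    return bytes <= ALLOCA_CUTOFF;
}

/* Next buffer size in ELEMENTS, as the old code computed newsize. */
static size_t next_size_elems(size_t wpmax)
{
    return UCHAR_MAX + 1 > 2 * wpmax ? UCHAR_MAX + 1 : 2 * wpmax;
}

/* Old logic: the policy sees the element count, but the stack allocation
   would be newsize * sizeof (wchar_t) bytes.  Returns the bytes that would
   actually land on the stack, or 0 if the request goes to malloc. */
static size_t old_stack_bytes(size_t wpmax)
{
    size_t newsize = next_size_elems(wpmax);
    if (!use_alloca_ok(newsize))
        return 0;
    return newsize * sizeof(wchar_t);
}

/* Fixed logic: compute newsize in bytes and use it for both the policy
   check and the allocation. */
static size_t fixed_stack_bytes(size_t wpmax)
{
    size_t newsize = next_size_elems(wpmax) * sizeof(wchar_t);
    if (!use_alloca_ok(newsize))
        return 0;
    return newsize;
}

int main(void)
{
    size_t wpmax = 32768;  /* constructed: current capacity in wide chars */
    printf("old:   %zu bytes on stack (cutoff %d)\n", old_stack_bytes(wpmax), ALLOCA_CUTOFF);
    printf("fixed: %zu bytes on stack (0 = use malloc)\n", fixed_stack_bytes(wpmax));
    return 0;
}
```

With a 64 KiB cutoff and wpmax = 32768 the old check approves 65536 elements and then places 65536 * sizeof (wchar_t) bytes on the stack, while the byte-based check sends the same request to malloc.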

