This is the mail archive of the
mailing list for the glibc project.
Re: Fwd: [PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- From: Alex <alexinbeijing at gmail dot com>
- To: Paul Eggert <eggert at cs dot ucla dot edu>, Andreas Schwab <schwab at suse dot de>
- Cc: libc-alpha at sourceware dot org
- Date: Mon, 10 Aug 2015 11:24:53 +0200
- Subject: Re: Fwd: [PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- Authentication-results: sourceware.org; auth=none
- References: <1439153945-22973-1-git-send-email-alexinbeijing at gmail dot com> <87fv3s83td dot fsf at igel dot home> <CACsECNf6dB8cAG4EHpox=tg8=+SbeWTb9J=T4zArLtmdQjqkHQ at mail dot gmail dot com> <CACsECNeWcACbJ50wYcrWL804G9o7T8eZT57oFZWS17jVZ98SxA at mail dot gmail dot com> <mvmzj1zmssr dot fsf at hawking dot suse dot de> <CACsECNcLeZW7WnC1mOM7AssN8xatAAHhEOnPAv9VUnup_cmU=Q at mail dot gmail dot com> <55C868DE dot 30909 at cs dot ucla dot edu>
On Mon, Aug 10, 2015 at 11:03 AM, Paul Eggert <firstname.lastname@example.org> wrote:
> Alex wrote:
>> I've been trying to figure
>> out why the original author used strndupa in the first place but
>> haven't wrapped my mind around it yet.
> Presumably the original author didn't know about "%.*s". The string is not
> null-terminated, so "%s" won't work, and I guess the original author used
> strndupa to create a null-terminated copy.
> Beware of int overflow when using "%.*s", by the way.
Thanks to Paul Eggert and Andreas Schwab for your helpful feedback! It
turns out that implementing the recommended fix will require a small
tweak in _dl_debug_vdprintf. I will send a v2 patch after testing.