13506 2011-12-15 20:44:00 +0000 tzfile.c heap overrun/corruption 2011-12-21 23:58:14 +0000 1 1 1 Unclassified glibc libc 2.14 All All RESOLVED FIXED P2 normal --- 1 eggert drepper.fsp allan law polacek rguenth toolchain vapier oldest_to_newest 52165 0 6113 eggert 2011-12-15 20:44:55 +0000 Created attachment 6113 Jeff Law work-in-progress patch In <http://cygwin.com/ml/libc-alpha/2011-12/msg00037.html> Jeff Law writes: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As y'all may be aware, there's an integer overflow which can be used to trigger a heap overrun/corruption in time/tzfile.c http://dividead.wordpress.com/2009/06/01/glibc-timezone-integer-overflow/ http://rcvalle.com/post/14169476482/exploiting-glibc-tzfile-read-integer-overflow-to I'm not terribly familiar with the code in question, but ISTM we have to verify the intermediate computations to determine the amount of memory to malloc don't overflow/wrap. Here's a WIP. It catches the cases I've been made aware of (overflowing total_size to 0 by creating a tzfile with a very large tzh_charcnt). But there may be further overflows I've missed. Obviously it's not commented and it's unclear to me if we also want to put in some kind of sanity checks on total_size to prevent it from trying to malloc unreasoanble amounts of memory. Your feedback would be greatly appreciated. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJO6k6gAAoJEBRtltQi2kC7ASQH/0UmQm0wqk3NRmlsVr5M1r3f fUelY55y8OQssaFCLDZ9LX1vybam9j85gmvGtRJUU4MJ3134hn/v73k8TYCd3rHJ /QIQY10zPBHkmEwp8G56+3l9QRl418C+ajTq0W4NAzM1rIHtPUgrqZ3AkNJgFVYU OAF+2afFDGE5vJ3HR7LSL62tuxjDf7m66r4tHHkbhkSSZgkyW/YxfFUPDupZnlz8 Wl87JU/RWHdMJ+RR+fB1ofgFKrNZnGpIsD3sAc07KWTp63S358DSRpZ1IaF2o3vh N93z28eCQQKIVciOKgAE5q/qYr1KmcyU/6M4xPk+Pqv5YFdKOz8uNiw5NQu2rv0= =RKgA -----END PGP SIGNATURE----- 52166 1 6114 eggert 2011-12-15 21:00:49 +0000 Created attachment 6114 catch multiplication as well as addition overflows Jeff Law's work-in-progress patch misses some problematic overflows. This is because the integer multiplications may overflow too. Attached is an untested patch that catches the problematic overflows that I found by inspection. This patch does not attempt to catch all overflows, only those that might corrupt memory. 52205 2 drepper.fsp 2011-12-18 01:19:35 +0000 I added a patch. 52223 3 vapier 2011-12-19 05:35:35 +0000 http://sourceware.org/git/?p=glibc.git;a=commit;h=97ac2654b2d831acaa18a2b018b0736245903fd2 52224 4 allan 2011-12-19 05:50:57 +0000 Note that there is a typo in that patch. The "tzspec == 0" should be "tzspec_len == 0". I sent the trivial patch to the mailing list (awaiting moderation). 52225 5 law 2011-12-19 07:57:44 +0000 Also looks like s390 won't build because SIZE_MAX is not defined. Guessing stdint.h needs to be included in tzfile.c 52296 6 drepper.fsp 2011-12-21 23:58:14 +0000 (In reply to comment #5) > Also looks like s390 won't build because SIZE_MAX is not defined. Guessing > stdint.h needs to be included in tzfile.c The correct change is to make the s390 header look like the x86-64 headers. 6113 2011-12-15 20:44:00 +0000 2011-12-15 21:00:49 +0000 Jeff Law work-in-progress patch glibc-rh767696.patch text/plain 1751 eggert ZGlmZiAtcnVwIGEvdGltZS90emZpbGUuYyBiL3RpbWUvdHpmaWxlLmMKLS0tIGEvdGltZS90emZp bGUuYwkyMDExLTEwLTE5IDA1OjAzOjMxLjAwMDAwMDAwMCAtMDYwMAorKysgYi90aW1lL3R6Zmls ZS5jCTIwMTEtMTItMTUgMTE6NDk6MjYuNzYzMTIxNDU5IC0wNzAwCkBAIC0xMDcsNyArMTA3LDcg QEAgX190emZpbGVfcmVhZCAoY29uc3QgY2hhciAqZmlsZSwgc2l6ZV90CiAgIHNpemVfdCBudW1f aXNzdGQsIG51bV9pc2dtdDsKICAgcmVnaXN0ZXIgRklMRSAqZjsKICAgc3RydWN0IHR6aGVhZCB0 emhlYWQ7Ci0gIHNpemVfdCBjaGFyczsKKyAgc2l6ZV90IGNoYXJzLCB0bXA7CiAgIHJlZ2lzdGVy IHNpemVfdCBpOwogICBzaXplX3QgdG90YWxfc2l6ZTsKICAgc2l6ZV90IHR5cGVzX2lkeDsKQEAg LTIzOCwxMSArMjM4LDI1IEBAIF9fdHpmaWxlX3JlYWQgKGNvbnN0IGNoYXIgKmZpbGUsIHNpemVf dAogICB0b3RhbF9zaXplID0gKCh0b3RhbF9zaXplICsgX19hbGlnbm9mX18gKHN0cnVjdCB0dGlu Zm8pIC0gMSkKIAkJJiB+KF9fYWxpZ25vZl9fIChzdHJ1Y3QgdHRpbmZvKSAtIDEpKTsKICAgdHlw ZXNfaWR4ID0gdG90YWxfc2l6ZTsKLSAgdG90YWxfc2l6ZSArPSBudW1fdHlwZXMgKiBzaXplb2Yg KHN0cnVjdCB0dGluZm8pICsgY2hhcnM7CisKKyAgdG1wID0gbnVtX3R5cGVzICogc2l6ZW9mIChz dHJ1Y3QgdHRpbmZvKTsKKyAgaWYgKHRvdGFsX3NpemUgKyB0bXAgPCB0bXApCisgICAgZ290byBs b3NlOworICB0b3RhbF9zaXplICs9IHRtcDsKKworICBpZiAodG90YWxfc2l6ZSArIGNoYXJzIDwg Y2hhcnMpCisgICAgZ290byBsb3NlOworICB0b3RhbF9zaXplICs9IGNoYXJzOworCiAgIHRvdGFs X3NpemUgPSAoKHRvdGFsX3NpemUgKyBfX2FsaWdub2ZfXyAoc3RydWN0IGxlYXApIC0gMSkKIAkJ JiB+KF9fYWxpZ25vZl9fIChzdHJ1Y3QgbGVhcCkgLSAxKSk7CiAgIGxlYXBzX2lkeCA9IHRvdGFs X3NpemU7Ci0gIHRvdGFsX3NpemUgKz0gbnVtX2xlYXBzICogc2l6ZW9mIChzdHJ1Y3QgbGVhcCk7 CisKKyAgdG1wID0gbnVtX2xlYXBzICogc2l6ZW9mIChzdHJ1Y3QgbGVhcCk7CisgIGlmICh0b3Rh bF9zaXplICsgdG1wIDwgdG1wKQorICAgIGdvdG8gbG9zZTsKKyAgdG90YWxfc2l6ZSArPSB0bXA7 CisKICAgdHpzcGVjX2xlbiA9IChzaXplb2YgKHRpbWVfdCkgPT0gOCAmJiB0cmFuc193aWR0aCA9 PSA4CiAJCT8gc3Quc3Rfc2l6ZSAtIChmdGVsbG8gKGYpCiAJCQkJKyBudW1fdHJhbnNpdGlvbnMg KiAoOCArIDEpCkBAIC0yNTQsNyArMjY4LDE1IEBAIF9fdHpmaWxlX3JlYWQgKGNvbnN0IGNoYXIg KmZpbGUsIHNpemVfdAogCiAgIC8qIEFsbG9jYXRlIGVub3VnaCBtZW1vcnkgaW5jbHVkaW5nIHRo ZSBleHRyYSBibG9jayByZXF1ZXN0ZWQgYnkgdGhlCiAgICAgIGNhbGxlci4gICovCi0gIHRyYW5z aXRpb25zID0gKHRpbWVfdCAqKSBtYWxsb2MgKHRvdGFsX3NpemUgKyB0enNwZWNfbGVuICsgZXh0 cmEpOworICBpZiAodG90YWxfc2l6ZSArIHR6c3BlY19sZW4gPCB0b3RhbF9zaXplKQorICAgIGdv dG8gbG9zZTsKKyAgdG90YWxfc2l6ZSArPSB0enNwZWNfbGVuOworCisgIGlmICh0b3RhbF9zaXpl ICsgZXh0cmEgPCBleHRyYSkKKyAgICBnb3RvIGxvc2U7CisgIHRvdGFsX3NpemUgKz0gZXh0cmE7 CisKKyAgdHJhbnNpdGlvbnMgPSAodGltZV90ICopIG1hbGxvYyAodG90YWxfc2l6ZSk7CiAgIGlm ICh0cmFuc2l0aW9ucyA9PSBOVUxMKQogICAgIGdvdG8gbG9zZTsKIAo= 6114 2011-12-15 21:00:00 +0000 2011-12-15 21:00:49 +0000 catch multiplication as well as addition overflows tzfile.c.diff text/plain 1718 eggert ZGlmZiAtLWdpdCBhL3RpbWUvdHpmaWxlLmMgYi90aW1lL3R6ZmlsZS5jCmluZGV4IDE0NGUyMGIu LjUxNzcxNDggMTAwNjQ0Ci0tLSBhL3RpbWUvdHpmaWxlLmMKKysrIGIvdGltZS90emZpbGUuYwpA QCAtMjM0LDE0ICsyMzQsMjcgQEAgX190emZpbGVfcmVhZCAoY29uc3QgY2hhciAqZmlsZSwgc2l6 ZV90IGV4dHJhLCBjaGFyICoqZXh0cmFwKQogICAgICAgZ290byByZWFkX2FnYWluOwogICAgIH0K IAorICBpZiAobnVtX3RyYW5zaXRpb25zCisgICAgICA+ICgoU0laRV9NQVggLSAoX19hbGlnbm9m X18gKHN0cnVjdCB0dGluZm8pIC0gMSkpIC8gKHNpemVvZiAodGltZV90KSArIDEpKSkKKyAgICBn b3RvIGxvc2U7CiAgIHRvdGFsX3NpemUgPSBudW1fdHJhbnNpdGlvbnMgKiAoc2l6ZW9mICh0aW1l X3QpICsgMSk7CiAgIHRvdGFsX3NpemUgPSAoKHRvdGFsX3NpemUgKyBfX2FsaWdub2ZfXyAoc3Ry dWN0IHR0aW5mbykgLSAxKQogCQkmIH4oX19hbGlnbm9mX18gKHN0cnVjdCB0dGluZm8pIC0gMSkp OwogICB0eXBlc19pZHggPSB0b3RhbF9zaXplOworICBpZiAobnVtX3R5cGVzID4gU0laRV9NQVgg LyBzaXplb2YgKHN0cnVjdCB0dGluZm8pCisgICAgICB8fCB0b3RhbF9zaXplICsgbnVtX3R5cGVz ICogc2l6ZW9mIChzdHJ1Y3QgdHRpbmZvKSA8IHRvdGFsX3NpemUKKyAgICAgIHx8IHRvdGFsX3Np emUgKyBudW1fdHlwZXMgKiBzaXplb2YgKHN0cnVjdCB0dGluZm8pICsgY2hhcnMgPCBjaGFycwor ICAgICAgfHwgKCh0b3RhbF9zaXplICsgbnVtX3R5cGVzICogc2l6ZW9mIChzdHJ1Y3QgdHRpbmZv KSArIGNoYXJzCisJICAgKyBfX2FsaWdub2ZfXyAoc3RydWN0IGxlYXApIC0gMSkKKwkgIDwgX19h bGlnbm9mX18gKHN0cnVjdCBsZWFwKSAtIDEpKQorICAgIGdvdG8gbG9zZTsKICAgdG90YWxfc2l6 ZSArPSBudW1fdHlwZXMgKiBzaXplb2YgKHN0cnVjdCB0dGluZm8pICsgY2hhcnM7CiAgIHRvdGFs X3NpemUgPSAoKHRvdGFsX3NpemUgKyBfX2FsaWdub2ZfXyAoc3RydWN0IGxlYXApIC0gMSkKIAkJ JiB+KF9fYWxpZ25vZl9fIChzdHJ1Y3QgbGVhcCkgLSAxKSk7CiAgIGxlYXBzX2lkeCA9IHRvdGFs X3NpemU7CisgIGlmIChudW1fbGVhcHMgPiBTSVpFX01BWCAvIHNpemVvZiAoc3RydWN0IGxlYXAp CisgICAgICB8fCB0b3RhbF9zaXplICsgbnVtX2xlYXBzICogc2l6ZW9mIChzdHJ1Y3QgbGVhcCkg PCB0b3RhbF9zaXplKQorICAgIGdvdG8gbG9zZTsKICAgdG90YWxfc2l6ZSArPSBudW1fbGVhcHMg KiBzaXplb2YgKHN0cnVjdCBsZWFwKTsKICAgdHpzcGVjX2xlbiA9IChzaXplb2YgKHRpbWVfdCkg PT0gOCAmJiB0cmFuc193aWR0aCA9PSA4CiAJCT8gc3Quc3Rfc2l6ZSAtIChmdGVsbG8gKGYpCkBA IC0yNTEsNiArMjY0LDkgQEAgX190emZpbGVfcmVhZCAoY29uc3QgY2hhciAqZmlsZSwgc2l6ZV90 IGV4dHJhLCBjaGFyICoqZXh0cmFwKQogCQkJCSsgbnVtX2xlYXBzICogMTIKIAkJCQkrIG51bV9p c3N0ZAogCQkJCSsgbnVtX2lzZ210KSAtIDEgOiAwKTsKKyAgaWYgKHRvdGFsX3NpemUgKyB0enNw ZWNfbGVuIDwgdHpzcGVjX2xlbgorICAgICAgfHwgdG90YWxfc2l6ZSArIHR6c3BlY19sZW4gKyBl eHRyYSA8IGV4dHJhKQorICAgIGdvdG8gbG9zZTsKIAogICAvKiBBbGxvY2F0ZSBlbm91Z2ggbWVt b3J5IGluY2x1ZGluZyB0aGUgZXh0cmEgYmxvY2sgcmVxdWVzdGVkIGJ5IHRoZQogICAgICBjYWxs ZXIuICAqLwo=