Bug 14839 - Access behind terminating nullbyte of the environment?
Summary: Access behind terminating nullbyte of the environment?
Status: RESOLVED INVALID
Alias: None
Product: glibc
Classification: Unclassified
Component: dynamic-link (show other bugs)
Version: 2.13
: P2 minor
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-13 22:40 UTC by Jann Horn
Modified: 2014-06-14 11:07 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jann Horn 2012-11-13 22:40:04 UTC 
From rtld.c:

	case 10:
	  /* Mask for the important hardware capabilities.  */
	  if (memcmp (envline, "HWCAP_MASK", 10) == 0)
	    GLRO(dl_hwcap_mask) = __strtoul_internal (&envline[11], NULL,
						      0, 0);

As far as I can see, there is no check that makes sure that the tenth byte isn't already the terminating nullbyte.
Comment 1 Jann Horn 2012-11-13 22:48:43 UTC 
Ah, didn't see the `if (envline[len] != '=')`. Sorry.