Bug 15672 - error_tail overflow in allocation calculation
Summary: error_tail overflow in allocation calculation
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.17
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-24 19:58 UTC by Joseph Myers
Modified: 2014-06-16 16:47 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Description Joseph Myers 2013-06-24 19:58:52 UTC
misc/error.c:error_tail, in the conversion code for when stderr is wide-oriented, calculates an allocation size as (len * sizeof (wchar_t)) without checking if that might overflow, as it would for a 1GB string on a 32-bit system.

It seems unlikely for an application to call error with an untrusted error string that is nevertheless known to be a valid printf format string (if it's not checked to be a valid format string, at least without %n, there's a much simpler exploit), but obviously such an allocation should be checked in any case.
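The arithmetic the report describes, reproduced as an added example (this is illustration code, not glibc's error_tail and not the fix in the commit referenced below). It models a 4-byte wchar_t, as on glibc targets, and evaluates len * sizeof (wchar_t) in 32-bit arithmetic so the wrap that a 1 GiB string causes on a 32-bit system shows up on any host; the function names and the MODEL_WCHAR_BYTES constant are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Modelled width of wchar_t: 4 bytes, as on glibc targets.  This is an
   assumption for the demonstration; sizeof (wchar_t) is 2 on some platforms. */
#define MODEL_WCHAR_BYTES 4u

/* Unchecked size computation in the shape the report describes,
   len * sizeof (wchar_t), evaluated in 32-bit arithmetic so the wrap a
   32-bit system would see can be reproduced on any host. */
static uint32_t naive_wide_size32(uint32_t len)
{
    return len * MODEL_WCHAR_BYTES;  /* silently wraps modulo 2^32 */
}

/* Same computation guarded by a division-based overflow check.
   Returns 0 and stores the size in *out, or -1 if len * MODEL_WCHAR_BYTES
   does not fit in 32 bits. */
static int checked_wide_size32(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX / MODEL_WCHAR_BYTES)
        return -1;
    *out = len * MODEL_WCHAR_BYTES;
    return 0;
}

/* Host-width version using the real wchar_t: the check any allocation of
   the form len * sizeof (wchar_t) should carry.  Returns 0 on success,
   -1 on overflow. */
static int checked_wide_size(size_t len, size_t *out)
{
    if (len > SIZE_MAX / sizeof (wchar_t))
        return -1;
    *out = len * sizeof (wchar_t);
    return 0;
}

/* Allocate room for a wide copy of a len-character narrow string plus its
   terminator, returning NULL rather than a too-small buffer on overflow. */
static wchar_t *alloc_wide_copy_buffer(size_t len)
{
    size_t bytes;
    if (len == SIZE_MAX)               /* len + 1 itself would wrap */
        return NULL;
    if (checked_wide_size(len + 1, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* A 1 GiB string, the case from the report: 2^30 * 4 == 2^32 == 0 mod 2^32. */
    uint32_t one_gib = 1u << 30;
    uint32_t size;

    printf("naive:   len=%u -> %u bytes\n", one_gib, naive_wide_size32(one_gib));
    if (checked_wide_size32(one_gib, &size) != 0)
        printf("checked: len=%u -> overflow detected\n", one_gib);
    else
        printf("checked: len=%u -> %u bytes\n", one_gib, size);

    /* Largest length that still fits in 32 bits. */
    uint32_t max_ok = UINT32_MAX / MODEL_WCHAR_BYTES;
    if (checked_wide_size32(max_ok, &size) == 0)
        printf("checked: len=%u -> %u bytes\n", max_ok, size);

    free(alloc_wide_copy_buffer(16));
    return 0;
}
```

The naive product for a 2^30-character string comes out as 0, so a subsequent malloc or alloca would hand back a buffer far smaller than the conversion writes into; the checked variants refuse the length instead. The division form of the check (len > MAX / elem_size) is the portable idiom when __builtin_mul_overflow is not available.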
Comment 1 Ondrej Bilka 2013-10-14 15:16:40 UTC
Fixed by 17c48a60b8f51e627fc1a1bc3805a80b7bdf6d8d
Comment 2 Florian Weimer 2014-06-16 16:47:40 UTC
As Joseph indicated, this is unlikely to cross a trust boundary.