This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/17048] New: posix_spawn_file_actions_addopen fails to copy the path argument

From: "alex.gaynor at gmail dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Wed, 11 Jun 2014 20:19:32 +0000
Subject: [Bug libc/17048] New: posix_spawn_file_actions_addopen fails to copy the path argument
Auto-submitted: auto-generated

https://sourceware.org/bugzilla/show_bug.cgi?id=17048

            Bug ID: 17048
           Summary: posix_spawn_file_actions_addopen fails to copy the
                    path argument
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: alex.gaynor at gmail dot com
                CC: drepper.fsp at gmail dot com

Per the specification
(http://pubs.opengroup.org/onlinepubs/000095399/functions/posix_spawn_file_actions_addclose.html)
it is supposed to. The result of not copying is that programs can easily
trigger use-after-free bugs, or other situations where the path is mutated. The
following program demonstrates this issue:

#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdlib.h>
#include <spawn.h>
#include <stdio.h>


extern char *const *environ;

int main() {
    int res;
    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);

    char *orig_path = "/tmp/afddsa";
    char *path = malloc(strlen(orig_path) + 1);
    strcpy(path, orig_path);
    path[strlen(orig_path)] = '\0';

    res = posix_spawn_file_actions_addopen(
        &fa, 1, path, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
    assert(res == 0);

    memset(path, 0, strlen(orig_path));
    free(path);

    char *argv[] = {"/bin/echo", NULL};
    pid_t pid;
    res = posix_spawn(
        &pid,
        "/bin/echo",
        &fa,
        NULL,
        argv,
        environ
    );
    assert(res == 0);
    int status;
    wait4(pid, &status, 0, NULL);
    printf("%d\n", WEXITSTATUS(status));
}


This bug was jointly discovered by David Reid, Alex Gaynor, and Glyph
Lefkowitz.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Follow-Ups:
- [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument
  - From: alex.gaynor at gmail dot com
- [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument
  - From: cvs-commit at gcc dot gnu.org
- [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument
  - From: fweimer at redhat dot com
- [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument
  - From: fweimer at redhat dot com
- [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument
  - From: fweimer at redhat dot com
- [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument (CVE-2014-4043)
  - From: fweimer at redhat dot com
- [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument (CVE-2014-4043)
  - From: fweimer at redhat dot com
- [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument (CVE-2014-4043)
  - From: cvs-commit at gcc dot gnu.org
- [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument (CVE-2014-4043)
  - From: cvs-commit at gcc dot gnu.org

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]