This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/19670] New: Missing Sanity Check for malloc() plus possible null pointer dereference (CWE-476)


https://sourceware.org/bugzilla/show_bug.cgi?id=19670

            Bug ID: 19670
           Summary: Missing Sanity Check for malloc() plus possible null
                    pointer dereference (CWE-476)
           Product: glibc
           Version: 2.22
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: wp02855 at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 9008
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9008&action=edit
patch file for above bug report (diff -u)

In directory 'glibc-2.22/posix', file 'tst-pathconf.c', there is a
call to malloc() which is not checked for a return value of NULL
indicating failure. Additionally, filename is used in snprintf(), but
if this value is NULL, a segmentation fault/violation will occur.

The patch file below should correct/address this issue:

--- tst-pathconf.c.orig 2016-02-17 16:59:51.287939121 -0800
+++ tst-pathconf.c      2016-02-17 17:00:54.067918133 -0800
@@ -74,6 +74,11 @@

   size_t filenamelen = strlen (dirbuf) + strlen (fifo_name) + 2;
   char *filename = malloc (filenamelen);
+  if (filename == NULL)
+    {
+      puts ("Out of memory");
+      exit (1);
+    }

   snprintf (filename, filenamelen, "%s/%s", dirbuf, fifo_name);
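Review bot: the failure path `puts ("Out of memory"); exit (1);` writes the diagnostic to stdout and drops the reason malloc failed; every other hunk in this report uses error(), so use the same form here, e.g. `error (EXIT_FAILURE, errno, "malloc");`, which goes to stderr, reports errno (ENOMEM) and exits with EXIT_FAILURE. The hunk does not show the file's includes, so whichever form is kept, confirm that <error.h> and <errno.h> (or <stdio.h> and <stdlib.h> for puts/exit) are already included by tst-pathconf.c.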


=======================================================================

In directory 'glibc-2.22/posix', file 'tst-exec.c', there are
2 calls to malloc() which are not checked for a return value of NULL
indicating failure. Additionally, filename is used in snprintf(), but
if this value is NULL, a segmentation fault/violation will occur.

The patch file below should correct/address this issue:

--- tst-exec.c.orig     2016-02-17 17:08:42.693478032 -0800
+++ tst-exec.c  2016-02-17 17:11:01.515121549 -0800
@@ -60,11 +60,15 @@

    name_len = strlen (test_dir);
    name1 = malloc (name_len + sizeof ("/execXXXXXX"));
+   if (name1 == NULL)
+      error (EXIT_FAILURE, 0, "Unable to allocate memory for file1");
    mempcpy (mempcpy (name1, test_dir, name_len),
            "/execXXXXXX", sizeof ("/execXXXXXX"));
    add_temp_file (name1);

    name2 = malloc (name_len + sizeof ("/execXXXXXX"));
+   if (name2 == NULL)
+      error (EXIT_FAILURE, 0, "Unable to allocate memory for file 2");
    mempcpy (mempcpy (name2, test_dir, name_len),
            "/execXXXXXX", sizeof ("/execXXXXXX"));
    add_temp_file (name2);
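Review bot: both `error (EXIT_FAILURE, 0, ...)` calls pass 0 as errnum and so discard the errno that the failing malloc set, unlike the tst-truncate.c and tst-aio hunks in this same report which pass errno; use `error (EXIT_FAILURE, errno, "malloc");` for both. The added lines are also indented one column deeper than the surrounding code (`+   if (name1 == NULL)` against the context `   name_len = ...`), and the error() call sits at six columns where the file's GNU style puts the body of a brace-less if at four; the two messages are likewise inconsistent ("file1" vs "file 2"). Reindent and use one wording before this can be applied cleanly.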

=======================================================================

In directory 'glibc-2.22/posix', file 'tst-truncate.c', there is a call
to malloc() which is not checked for a return value of NULL
indicating failure. Additionally, filename is used in mempcpy(), but
if this value is NULL, a segmentation fault/violation will occur.

The patch file below should correct/address this issue:

--- tst-truncate.c.orig 2016-02-17 17:13:31.672205742 -0800
+++ tst-truncate.c      2016-02-17 17:14:29.926609578 -0800
@@ -60,6 +60,8 @@

    name_len = strlen (test_dir);
    name = malloc (name_len + sizeof (FNAME));
+   if (name == NULL)
+      error (EXIT_FAILURE, errno, "Unable to allocate memory");
    mempcpy (mempcpy (name, test_dir, name_len), FNAME, sizeof (FNAME));
    add_temp_file (name);
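Review bot: the check itself is the right shape (errno is forwarded to error()), but the added lines are indented one column deeper than the context (`+   if (name == NULL)` under `   name_len = ...`) and the error() call is at six columns rather than four, so the hunk does not match the file's two-space GNU indentation and should be reindented. The message "Unable to allocate memory" could also name what failed (`"malloc"` is enough) so a failing run is distinguishable from the other tests' output.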

=======================================================================

In directory 'glibc-2.22/posix', file 'tst-spawn.c', there are
3 calls to malloc() which are not checked for a return value of NULL
indicating failure. Additionally, filename is used in mempcpy(), but
if this value is NULL, a segmentation fault/violation will occur.

The patch file below should correct/address this issue:

--- tst-spawn.c.orig    2016-02-17 17:20:15.041471902 -0800
+++ tst-spawn.c 2016-02-17 17:21:49.098426057 -0800
@@ -64,16 +64,22 @@

    name_len = strlen (test_dir);
    name1 = (char *) malloc (name_len + sizeof ("/spawnXXXXXX"));
+   if (name1 == NULL)
+      error (EXIT_FAILURE, 0, "unable to allocate memory for fd1");
    mempcpy (mempcpy (name1, test_dir, name_len),
            "/spawnXXXXXX", sizeof ("/spawnXXXXXX"));
    add_temp_file (name1);

    name2 = (char *) malloc (name_len + sizeof ("/spawnXXXXXX"));
+   if (name2 == NULL)
+      error (EXIT_FAILURE, 0, "unable to allocate memory for fd2");
    mempcpy (mempcpy (name2, test_dir, name_len),
            "/spawnXXXXXX", sizeof ("/spawnXXXXXX"));
    add_temp_file (name2);

    name3 = (char *) malloc (name_len + sizeof ("/spawnXXXXXX"));
+   if (name3 == NULL)
+      error (EXIT_FAILURE, 0, "unable to allocate memory for fd3");
    mempcpy (mempcpy (name3, test_dir, name_len),
            "/spawnXXXXXX", sizeof ("/spawnXXXXXX"));
    add_temp_file (name3);
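Review bot: the three `error (EXIT_FAILURE, 0, ...)` calls pass errnum 0 and lose the errno that malloc set; pass errno as the tst-aio.c hunk in this report does. The messages say "fd1", "fd2" and "fd3", but name1, name2 and name3 are file names built from test_dir and "/spawnXXXXXX", not descriptors, so the wording is misleading when it fires; say "malloc" or "name1" instead. The same indentation problem as in tst-exec.c applies: the added lines sit one column deeper than the surrounding code.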

=======================================================================

In directory 'glibc-2.22/rt', file 'tst-aio64.c', there is a call to
malloc() which is not checked for a return value of NULL
indicating failure. Additionally, filename is used in mempcpy(), but
if this value is NULL, a segmentation fault/violation will occur.

The patch file below should correct/address this issue:

--- tst-aio64.c.orig    2016-02-17 17:40:44.060673923 -0800
+++ tst-aio64.c 2016-02-17 17:42:08.256374763 -0800
@@ -53,6 +53,8 @@

   name_len = strlen (test_dir);
   name = malloc (name_len + sizeof ("/aioXXXXXX"));
+  if (name == NULL)
+    error (EXIT_FAILURE, errno, "unable to allocate memory");
   mempcpy (mempcpy (name, test_dir, name_len),
           "/aioXXXXXX", sizeof ("/aioXXXXXX"));
   add_temp_file (name);
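Review bot: this hunk has the form the other hunks in the report should follow (errno forwarded to error(), two-space indentation matching the context lines). One thing the hunk cannot show is whether tst-aio64.c already includes <error.h> for error() and <errno.h> for errno; if not, the added lines will not compile, so verify the includes before applying.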

=======================================================================

In directory 'glibc-2.22/rt', file 'tst-aio.c', there is a call to
malloc() which is not checked for a return value of NULL
indicating failure. Additionally, filename is used in mempcpy(), but
if this value is NULL, a segmentation fault/violation will occur.

The patch file below should correct/address this issue:

--- tst-aio.c.orig      2016-02-17 17:45:27.589709005 -0800
+++ tst-aio.c   2016-02-17 17:46:07.935836790 -0800
@@ -52,6 +52,8 @@

   name_len = strlen (test_dir);
   name = malloc (name_len + sizeof ("/aioXXXXXX"));
+  if (name == NULL)
+    error (EXIT_FAILURE, errno, "unable to allocate memory");
   mempcpy (mempcpy (name, test_dir, name_len),
           "/aioXXXXXX", sizeof ("/aioXXXXXX"));
   add_temp_file (name);
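Review bot: identical to the tst-aio64.c hunk and correct for the same reasons (errno forwarded, indentation matches the context); the same check that <error.h> and <errno.h> are included applies here. Since tst-aio.c and tst-aio64.c are near-duplicates, the two hunks should be kept in lockstep in whatever final version is submitted.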

-- 
You are receiving this mail because:
You are on the CC list for the bug.
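The failure mode the report describes, a NULL from malloc() being handed straight to snprintf() or mempcpy(), written out as an added example that is not part of the bug report or of glibc: a small path-join helper that computes the buffer size with an overflow guard, checks the allocation, and takes the allocator as a parameter so the out-of-memory path can actually be exercised instead of only being reasoned about. The names join_path, join_path_alloc, join_path_equals and failing_alloc are this example's own; the memcpy calls stand in for the mempcpy chain used in the glibc tests.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator signature so a test can inject a failing allocator and
   exercise the error path (hypothetical helper, not glibc's API).  */
typedef void *(*alloc_fn) (size_t);

/* Join DIR and NAME as "DIR/NAME" in a buffer obtained from ALLOC.
   Returns NULL with errno set if the length computation would wrap
   or the allocation fails.  Callers must check the result before
   using the buffer, which is exactly what the unpatched tests omit.  */
char *
join_path_alloc (const char *dir, const char *name, alloc_fn alloc)
{
  size_t dir_len = strlen (dir);
  size_t name_len = strlen (name);

  /* Need dir + '/' + name + NUL.  Guard the size_t arithmetic itself:
     a wrapped length would make the allocation "succeed" with a buffer
     that is too small, which is worse than getting NULL back.  */
  if (dir_len > SIZE_MAX - 2 || name_len > SIZE_MAX - 2 - dir_len)
    {
      errno = EOVERFLOW;
      return NULL;
    }
  size_t len = dir_len + 1 + name_len + 1;

  char *buf = alloc (len);
  if (buf == NULL)
    return NULL;   /* errno (ENOMEM) is left as set by the allocator.  */

  /* Equivalent of the mempcpy (mempcpy (...)) chain in the tests,
     but only reached once we know buf is a real buffer.  */
  memcpy (buf, dir, dir_len);
  buf[dir_len] = '/';
  memcpy (buf + dir_len + 1, name, name_len + 1);   /* copies the NUL too */
  return buf;
}

/* Normal entry point: the same logic with the real malloc.  */
char *
join_path (const char *dir, const char *name)
{
  return join_path_alloc (dir, name, malloc);
}

/* Allocator that always fails, used to drive the error path.  */
void *
failing_alloc (size_t n)
{
  (void) n;
  errno = ENOMEM;
  return NULL;
}

/* Check helper: 1 if join_path (DIR, NAME) equals EXPECT, else 0.  */
int
join_path_equals (const char *dir, const char *name, const char *expect)
{
  char *p = join_path (dir, name);
  if (p == NULL)
    return 0;
  int same = strcmp (p, expect) == 0;
  free (p);
  return same;
}

int
main (void)
{
  /* Constructed sample input, in the shape the glibc tests build.  */
  char *p = join_path ("/tmp/testdir", "fifoXXXXXX");
  if (p == NULL)
    {
      perror ("join_path");
      return EXIT_FAILURE;
    }
  printf ("%s\n", p);
  free (p);

  /* Simulate the out-of-memory case the patches guard against.  */
  errno = 0;
  if (join_path_alloc ("/tmp", "x", failing_alloc) == NULL)
    printf ("allocation failure reported cleanly: %s\n", strerror (errno));
  return EXIT_SUCCESS;
}
```

The allocator parameter is the point of the example: without it, the NULL branch in a test program is dead code that no CI run ever executes, so a typo there (the wrong errnum, a message to the wrong stream, a missing include) survives until the one day memory really runs out.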
