This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/19670] New: Missing Sanity Check for malloc() plus possible null pointer dereference (CWE-476)
- From: "wp02855 at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 18 Feb 2016 21:09:23 +0000
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19670
Bug ID: 19670
Summary: Missing Sanity Check for malloc() plus possible null
pointer dereference (CWE-476)
Product: glibc
Version: 2.22
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: wp02855 at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Created attachment 9008
--> https://sourceware.org/bugzilla/attachment.cgi?id=9008&action=edit
patch file for above bug report (diff -u)
In directory 'glibc-2.22/posix', file 'tst-pathconf.c', there is a
call to malloc() which is not checked for a return value of NULL
indicating failure. Additionally, filename is used in snprintf(), but
if this value is NULL, a segmentation fault/violation will occur.
The patch file below should correct/address this issue:
--- tst-pathconf.c.orig 2016-02-17 16:59:51.287939121 -0800
+++ tst-pathconf.c 2016-02-17 17:00:54.067918133 -0800
@@ -74,6 +74,11 @@
size_t filenamelen = strlen (dirbuf) + strlen (fifo_name) + 2;
char *filename = malloc (filenamelen);
+ if (filename == NULL)
+ {
+ puts ("Out of memory");
+ exit (1);
+ }
snprintf (filename, filenamelen, "%s/%s", dirbuf, fifo_name);
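Review bot: the new filename == NULL branch reports through puts ("Out of memory") and exit (1), which writes to stdout and drops errno, while every other hunk in this report uses error (EXIT_FAILURE, ...). Pick one reporting style for the whole series, and include filenamelen in the message so a failing run shows which allocation was refused.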
=======================================================================
In directory 'glibc-2.22/posix', file 'tst-exec.c', there are
2 calls to malloc() which are not checked for a return value of NULL
indicating failure. Additionally, filename is used in snprintf(), but
if this value is NULL, a segmentation fault/violation will occur.
The patch file below should correct/address this issue:
--- tst-exec.c.orig 2016-02-17 17:08:42.693478032 -0800
+++ tst-exec.c 2016-02-17 17:11:01.515121549 -0800
@@ -60,11 +60,15 @@
name_len = strlen (test_dir);
name1 = malloc (name_len + sizeof ("/execXXXXXX"));
+ if (name1 == NULL)
+ error (EXIT_FAILURE, 0, "Unable to allocate memory for file1");
mempcpy (mempcpy (name1, test_dir, name_len),
"/execXXXXXX", sizeof ("/execXXXXXX"));
add_temp_file (name1);
name2 = malloc (name_len + sizeof ("/execXXXXXX"));
+ if (name2 == NULL)
+ error (EXIT_FAILURE, 0, "Unable to allocate memory for file 2");
mempcpy (mempcpy (name2, test_dir, name_len),
"/execXXXXXX", sizeof ("/execXXXXXX"));
add_temp_file (name2);
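Review bot: both added error () calls (after the name1 and name2 allocations) pass 0 as errnum, so the ENOMEM that malloc sets is never printed, whereas the tst-truncate.c and rt/ hunks in this same report pass errno. Pass errno here too, and make the two messages consistent ("file1" versus "file 2"). The hunk adds no #include, so also confirm tst-exec.c already pulls in <error.h>.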
=======================================================================
In directory 'glibc-2.22/posix', file 'tst-truncate.c', there is a call
to malloc() which is not checked for a return value of NULL
indicating failure. Additionally, filename is used in mempcpy(), but
if this value is NULL, a segmentation fault/violation will occur.
The patch file below should correct/address this issue:
--- tst-truncate.c.orig 2016-02-17 17:13:31.672205742 -0800
+++ tst-truncate.c 2016-02-17 17:14:29.926609578 -0800
@@ -60,6 +60,8 @@
name_len = strlen (test_dir);
name = malloc (name_len + sizeof (FNAME));
+ if (name == NULL)
+ error (EXIT_FAILURE, errno, "Unable to allocate memory");
mempcpy (mempcpy (name, test_dir, name_len), FNAME, sizeof (FNAME));
add_temp_file (name);
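Review bot: the added check after name = malloc (...) calls error () and reads errno, but the hunk adds no #include lines. Confirm tst-truncate.c already includes <error.h> and <errno.h>; if it does not, add them in this patch so the test still builds. The message could also name what failed (the temporary file name buffer) rather than the generic "Unable to allocate memory".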
=======================================================================
In directory 'glibc-2.22/posix', file 'tst-spawn.c', there are
3 calls to malloc() which are not checked for a return value of NULL
indicating failure. Additionally, filename is used in mempcpy(), but
if this value is NULL, a segmentation fault/violation will occur.
The patch file below should correct/address this issue:
--- tst-spawn.c.orig 2016-02-17 17:20:15.041471902 -0800
+++ tst-spawn.c 2016-02-17 17:21:49.098426057 -0800
@@ -64,16 +64,22 @@
name_len = strlen (test_dir);
name1 = (char *) malloc (name_len + sizeof ("/spawnXXXXXX"));
+ if (name1 == NULL)
+ error (EXIT_FAILURE, 0, "unable to allocate memory for fd1");
mempcpy (mempcpy (name1, test_dir, name_len),
"/spawnXXXXXX", sizeof ("/spawnXXXXXX"));
add_temp_file (name1);
name2 = (char *) malloc (name_len + sizeof ("/spawnXXXXXX"));
+ if (name2 == NULL)
+ error (EXIT_FAILURE, 0, "unable to allocate memory for fd2");
mempcpy (mempcpy (name2, test_dir, name_len),
"/spawnXXXXXX", sizeof ("/spawnXXXXXX"));
add_temp_file (name2);
name3 = (char *) malloc (name_len + sizeof ("/spawnXXXXXX"));
+ if (name3 == NULL)
+ error (EXIT_FAILURE, 0, "unable to allocate memory for fd3");
mempcpy (mempcpy (name3, test_dir, name_len),
"/spawnXXXXXX", sizeof ("/spawnXXXXXX"));
add_temp_file (name3);
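Review bot: the three added messages say "fd1", "fd2" and "fd3", but the allocations being checked are the name1, name2 and name3 path buffers, not file descriptors, so the diagnostic would point at the wrong object. Reword to refer to the file names, and pass errno instead of 0 as errnum so the cause is printed. With three identical malloc, check, mempcpy sequences now in this function, a small local helper that builds the "/spawnXXXXXX" template and checks the allocation once would remove the repetition.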
=======================================================================
In directory 'glibc-2.22/rt', file 'tst-aio64.c', there is a call to
malloc() which is not checked for a return value of NULL
indicating failure. Additionally, filename is used in mempcpy(), but
if this value is NULL, a segmentation fault/violation will occur.
The patch file below should correct/address this issue:
--- tst-aio64.c.orig 2016-02-17 17:40:44.060673923 -0800
+++ tst-aio64.c 2016-02-17 17:42:08.256374763 -0800
@@ -53,6 +53,8 @@
name_len = strlen (test_dir);
name = malloc (name_len + sizeof ("/aioXXXXXX"));
+ if (name == NULL)
+ error (EXIT_FAILURE, errno, "unable to allocate memory");
mempcpy (mempcpy (name, test_dir, name_len),
"/aioXXXXXX", sizeof ("/aioXXXXXX"));
add_temp_file (name);
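Review bot: the file header for this hunk names bare tst-aio64.c.orig and tst-aio64.c with no directory component, although the report places this file in rt/ and the earlier ones in posix/. As posted, the combined patch cannot be applied from a single directory with one -p level; regenerate it from the top of the tree so each header carries its posix/ or rt/ prefix. The message here starts with lowercase "unable" while the tst-truncate.c hunk uses "Unable"; use one form.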
=======================================================================
In directory 'glibc-2.22/rt', file 'tst-aio.c', there is a call to
malloc() which is not checked for a return value of NULL
indicating failure. Additionally, filename is used in mempcpy(), but
if this value is NULL, a segmentation fault/violation will occur.
The patch file below should correct/address this issue:
--- tst-aio.c.orig 2016-02-17 17:45:27.589709005 -0800
+++ tst-aio.c 2016-02-17 17:46:07.935836790 -0800
@@ -52,6 +52,8 @@
name_len = strlen (test_dir);
name = malloc (name_len + sizeof ("/aioXXXXXX"));
+ if (name == NULL)
+ error (EXIT_FAILURE, errno, "unable to allocate memory");
mempcpy (mempcpy (name, test_dir, name_len),
"/aioXXXXXX", sizeof ("/aioXXXXXX"));
add_temp_file (name);
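Review bot: the check added after name = malloc (name_len + sizeof ("/aioXXXXXX")) is a verbatim copy of the one in the tst-aio64.c hunk, and the same malloc, check, mempcpy, add_temp_file sequence appears in every file touched by this report. Consider one shared checked-allocation helper for these tests instead of pasting the test into each call site, so the error text and errno handling cannot drift between files. As with the other hunks that use error () and errno, confirm the needed headers are already included, since no #include is added here.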