This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug glob/19779] New: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption (CVE-2016-1234)
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 07 Mar 2016 13:13:44 +0000
- Subject: [Bug glob/19779] New: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption (CVE-2016-1234)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19779
Bug ID: 19779
Summary: glob: buffer overflow with GLOB_ALTDIRFUNC due to
incorrect NAME_MAX limit assumption (CVE-2016-1234)
Product: glibc
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: glob
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security+
Alexander Cherepanov discovered that the glob implementation in glibc does not
correctly handle overlong names in struct dirent buffers when GLOB_ALTDIRFUNC
is used.
Alexander's reproducer:
Indeed, it's easy to create such overlong filename with NTFS:
truncate -s 2M ntfs.img
mkfs.ntfs -F ntfs.img
mkdir dir
mount ntfs.img dir
cd dir
touch `perl -CS -e 'print chr(0x800) x 255'`
And I guess this is a problem for some programs. For example, glibc uses
NAME_MAX to compute an array size here:
https://sourceware.org/git/?p=glibc.git;a=blob;f=posix/glob.c;h=0c04c3ccfdea4677ae8bb511e88ee8e4f37b02b5;hb=HEAD#l1564
The program:
#include <stddef.h>
#include <dirent.h>
#include <sys/stat.h>
#include <glob.h>
int main()
{
glob_t g;
g.gl_closedir = &closedir;
g.gl_readdir = &readdir;
g.gl_opendir = &opendir;
g.gl_lstat = &lstat;
g.gl_stat = &stat;
glob("*", GLOB_ALTDIRFUNC, NULL, &g);
}
crashes when run in a directory created as shown above -- stack buffer overflow
by up to 510 bytes with controlled length and (with some constrains) contents.
--
You are receiving this mail because:
You are on the CC list for the bug.