This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/20338] New: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications
- From: "fedora.dm0 at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 08 Jul 2016 14:44:55 +0000
- Subject: [Bug libc/20338] New: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20338
Bug ID: 20338
Summary: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications
Product: glibc
Version: 2.21
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: fedora.dm0 at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Specifically structured /etc/gshadow entries can cause fgetgsent() to return
invalid pointers that cause applications to segfault on dereference.
One line must fit into the character buffer (1024 bytes, unless a previous line
was longer) but have enough group members such that
line length + alignment + sizeof(char *) * (#adm + 1 + #mem + 1) > 1024.
The parser would return early to avoid overflow, leaving the static result
struct pointing to pointers from the previous line which are now invalid,
causing segfaults when those pointers are dereferenced.
See the following for a test program and a patch:
https://sourceware.org/ml/libc-alpha/2016-06/msg01015.html