This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug locale/22026] New: iconv_open: heap overflow on gconv_init failure
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 29 Aug 2017 13:03:27 +0000
- Subject: [Bug locale/22026] New: iconv_open: heap overflow on gconv_init failure
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22026
Bug ID: 22026
Summary: iconv_open: heap overflow on gconv_init failure
Product: glibc
Version: 2.26
Status: NEW
Severity: normal
Priority: P2
Component: locale
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security-
gen_steps decrements step_cnt twice on an error path.
  if (__builtin_expect (status, __GCONV_OK) != __GCONV_OK)
    {
      failed = 1;
      /* Make sure we unload this modules. */
      --step_cnt;
      result[step_cnt].__end_fct = NULL;
      break;
    }
As a result, the update of __end_fct is out of bounds:
==10047== Invalid write of size 8
==10047== at 0x4C36B91: gen_steps (gconv_db.c:333)
==10047== by 0x4C36B91: find_derivation (gconv_db.c:691)
==10047== by 0x4C36F5D: __gconv_find_transform (gconv_db.c:792)
==10047== by 0x4C359D6: __gconv_open (gconv_open.c:110)
==10047== by 0x4C35568: iconv_open (iconv_open.c:71)
==10047== by 0x401413: do_test (tst-gconv-init-failure.c:50)
==10047== by 0x401B32: support_test_main (support_test_main.c:321)
==10047== by 0x401264: main (test-driver.c:164)
==10047== Address 0x5013288 is 24 bytes after a block of size 32 in arena "client"
I don't think we ship any gconv modules where gconv_init can actually fail (on a correctly configured system), so I'm flagging this as security-.
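As an added illustration (not code from the report or from the glibc tree), the following constructed C model reproduces the loop shape around the quoted error path and shows what the extra decrement does: when the step at index 0 is the one whose gconv_init fails, the index wraps and the __end_fct store lands before result[0]; for any other step, the wrong element's __end_fct is cleared. The cleanup loop shape "while (++step_cnt < *nsteps)" and the "fixed" ordering (clear __end_fct before the decrement) are my assumptions, not quotes of glibc or of the upstream fix.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed model of the gen_steps init loop, not glibc's code.  Steps are
   initialised from the last one down ("while (step_cnt-- > 0)"); the failure
   cleanup is assumed to be "while (++step_cnt < *nsteps)". */
#define MAX_STEPS 8
struct step { int end_fct_cleared; int released; };
static struct step g_result[MAX_STEPS];
/* Run the loop with gconv_init failing at failing_step.  fixed == 0 uses the
   ordering from the report; fixed == 1 clears __end_fct of the failing step
   before the decrement (an assumed correction, not the upstream patch).
   Returns the index whose __end_fct was cleared, -1 if that store would have
   landed before result[0], or -2 if no failure occurred. */
static long run_init_loop(size_t nsteps, size_t failing_step, int fixed)
{
    size_t step_cnt = nsteps;
    long written = -2;
    for (size_t i = 0; i < MAX_STEPS; i++)        /* fresh model state */
        g_result[i].end_fct_cleared = g_result[i].released = 0;
    while (step_cnt-- > 0) {
        if (step_cnt != failing_step)
            continue;                             /* init succeeded, next step */
        if (fixed) {
            g_result[step_cnt].end_fct_cleared = 1;   /* never call end_fct */
            written = (long) step_cnt;
            --step_cnt;                           /* so cleanup includes this step */
        } else {
            --step_cnt;                           /* the report's extra decrement */
            if (step_cnt >= nsteps) { written = -1; break; }  /* wrapped: result[-1] */
            g_result[step_cnt].end_fct_cleared = 1;   /* wrong step cleared */
            written = (long) step_cnt;
        }
        break;
    }
    if (written != -2)                            /* release already-initialised steps */
        while (++step_cnt < nsteps)
            g_result[step_cnt].released = 1;
    return written;
}
static int step_end_fct_cleared(size_t i) { return g_result[i].end_fct_cleared; }
static int step_released(size_t i) { return g_result[i].released; }
int main(void)
{
    for (size_t fail = 0; fail < 3; fail++)
        printf("fail at step %zu: buggy writes index %ld, fixed writes index %ld\n",
               fail, run_init_loop(3, fail, 0), run_init_loop(3, fail, 1));
    return 0;
}
```

Under ASan or Valgrind the real glibc code turns the -1 case into the "Invalid write" shown above; the model only reports the index so it can be checked without the out-of-bounds store.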