This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug dynamic-link/22606] New: Incorrect array size computation in _dl_init_paths (CVE-2017-1000408)
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 14 Dec 2017 12:14:15 +0000
- Subject: [Bug dynamic-link/22606] New: Incorrect array size computation in _dl_init_paths (CVE-2017-1000408)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22606
Bug ID: 22606
Summary: Incorrect array size computation in _dl_init_paths (CVE-2017-1000408)
Product: glibc
Version: 2.26
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security+
_dl_init_paths uses this construct to allocate an array:
  rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
    malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
            * round_size * sizeof (struct r_search_path_elem));
The intent is to use nsystem_dirs_len instead. This leads to an eightfold to
tenfold increase in allocated memory.
I'm flagging this as security+ merely for consistency due to the CVE assignment.
I don't think this is a security bug. It rather looks like an ordinary bug
used to write an exploit for CVE-2017-1000409.
Qualys advisory:
http://www.openwall.com/lists/oss-security/2017/12/11/4
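Added example, not part of the report and not glibc's code: a model of the size computation described above, comparing the element count the quoted expression yields with the intended nsystem_dirs_len. It assumes system_dirs is a NUL-separated character array with a parallel length table; the directory strings, struct search_elem, alloc_bytes and the round_size value are constructed for illustration. With this two-directory input the quoted expression counts 20 bytes instead of 2 entries.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins, not glibc's definitions: the system directories as
   one NUL-separated char array, with a parallel table of their lengths. */
static const char system_dirs[] = "/lib64/\0/usr/lib64/";
static const size_t system_dirs_len[] = { 7, 11 };
#define nsystem_dirs_len \
  (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))

/* Simplified placeholder for struct r_search_path_elem. */
struct search_elem { struct search_elem *next; const char *dirname; size_t dirnamelen; };

/* Count used by the quoted expression: sizeof on a char array counts bytes,
   including every NUL, not directories. */
static size_t count_as_written (void)
{
  return sizeof (system_dirs) / sizeof (system_dirs[0]);
}

/* Count the report says was intended. */
static size_t count_intended (void)
{
  return nsystem_dirs_len;
}

/* Bytes requested for COUNT entries; returns 0 if the product would overflow. */
static size_t alloc_bytes (size_t count, size_t round_size)
{
  size_t elem = sizeof (struct search_elem);
  if (round_size == 0 || round_size > (size_t) -1 / elem)
    return 0;
  if (count > (size_t) -1 / (round_size * elem))
    return 0;
  return count * round_size * elem;
}

int main (void)
{
  size_t round_size = 1; /* constructed value for illustration */
  printf ("as written: %zu entries, %zu bytes\n", count_as_written (),
          alloc_bytes (count_as_written (), round_size));
  printf ("intended:   %zu entries, %zu bytes\n", count_intended (),
          alloc_bytes (count_intended (), round_size));
  return 0;
}
```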