This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug stdio/23236] Harden function pointers in _IO_str_fields


https://sourceware.org/bugzilla/show_bug.cgi?id=23236

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  4e8a6346cd3da2d88bbad745a1769260d36f2783 (commit)
      from  50d004c91c942221b862a4a13a4b5f78cfb0d595 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4e8a6346cd3da2d88bbad745a1769260d36f2783

commit 4e8a6346cd3da2d88bbad745a1769260d36f2783
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Jun 1 10:41:03 2018 +0200

    libio: Avoid _allocate_buffer, _free_buffer function pointers [BZ #23236]

    These unmangled function pointers reside on the heap and could
    be targeted by exploit writers, effectively bypassing libio vtable
    validation.  Instead, we ignore these pointers and always call
    malloc or free.

    In theory, this is a backwards-incompatible change, but using the
    global heap instead of the user-supplied callback functions should
    have little application impact.  (The old libstdc++ implementation
    exposed this functionality via a public, undocumented constructor
    in its strstreambuf class.)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog             |   24 ++++++++++++++++++++++++
 debug/vasprintf_chk.c |    4 ++--
 libio/memstream.c     |    4 ++--
 libio/strfile.h       |   11 +++++------
 libio/strops.c        |   14 ++++++--------
 libio/vasprintf.c     |    4 ++--
 libio/wmemstream.c    |    4 ++--
 libio/wstrops.c       |   16 ++++++----------
 8 files changed, 49 insertions(+), 32 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
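
The hardening the commit message describes, as an added example (not glibc's code and not part of the original mail). The struct, the function names and the tripwire callbacks are hypothetical; overwriting the stored callbacks stands in for a heap memory-corruption write, and the tripwire only counts calls.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of a string stream whose allocator callbacks live in the
   same heap object as its state. All names are hypothetical, not glibc's. */
struct str_stream {
    char  *buf;
    size_t cap;
    void *(*allocate_buffer)(size_t);   /* unmangled, heap-resident pointer */
    void  (*free_buffer)(void *);       /* unmangled, heap-resident pointer */
};

static int tripwire_hits;               /* calls made through tampered pointers */
static void *tripwire_alloc(size_t n) { tripwire_hits++; return malloc(n); }
static void tripwire_free(void *p)    { tripwire_hits++; free(p); }

/* Before: growing the buffer calls whatever the stored pointers hold now. */
static int grow_legacy(struct str_stream *s, size_t new_cap) {
    if (new_cap < s->cap) return -1;    /* grow only */
    char *nb = s->allocate_buffer(new_cap);
    if (nb == NULL) return -1;
    if (s->buf != NULL) { memcpy(nb, s->buf, s->cap); s->free_buffer(s->buf); }
    s->buf = nb; s->cap = new_cap;
    return 0;
}

/* After: the stored pointers are ignored; malloc and free are called directly. */
static int grow_hardened(struct str_stream *s, size_t new_cap) {
    if (new_cap < s->cap) return -1;    /* grow only */
    char *nb = malloc(new_cap);
    if (nb == NULL) return -1;
    if (s->buf != NULL) { memcpy(nb, s->buf, s->cap); free(s->buf); }
    s->buf = nb; s->cap = new_cap;
    return 0;
}

/* Tamper with the callbacks, grow once, report how many tampered calls ran. */
static int tampered_hits(int (*grow)(struct str_stream *, size_t)) {
    struct str_stream *s = calloc(1, sizeof *s);
    if (s == NULL) return -1;
    s->allocate_buffer = malloc; s->free_buffer = free;
    if (grow(s, 16) != 0) { free(s); return -1; }
    strcpy(s->buf, "constructed");              /* constructed sample content */
    s->allocate_buffer = tripwire_alloc;        /* simulated corrupting write */
    s->free_buffer = tripwire_free;
    tripwire_hits = 0;
    int ok = grow(s, 64) == 0 && strcmp(s->buf, "constructed") == 0;
    free(s->buf); free(s);
    return ok ? tripwire_hits : -1;
}
int legacy_hits(void)   { return tampered_hits(grow_legacy); }
int hardened_hits(void) { return tampered_hits(grow_hardened); }
```

Both variants preserve the buffer contents across the grow; only the legacy path transfers control through the overwritten fields.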
