This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug locale/25123] New: Heap use-after-free in setlocale
- From: "v.manhnd at vincss dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 21 Oct 2019 12:12:26 +0000
- Subject: [Bug locale/25123] New: Heap use-after-free in setlocale
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=25123
Bug ID: 25123
Summary: Heap use-after-free in setlocale
Product: glibc
Version: 2.27
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: locale
Assignee: unassigned at sourceware dot org
Reporter: v.manhnd at vincss dot net
Target Milestone: ---
While analyzing the glibc source code
(https://code.woboq.org/userspace/glibc/locale/setlocale.c.html), I see that
when a new locale is set up for a category, setlocale allocates a memory block
to hold the new name and then links it into a structure:
Line setlocale.c:434 (allocate memory to hold the locale name):
---------------------------------------
newname[0] = __strdup (newname[0]);
---------------------------------------
Line setlocale.c:455 (save the new name):
---------------------------------------
setname (category, newname[0]);
setname (LC_ALL, composite);
---------------------------------------
Line setlocale.c:469 (return the new name as return value of setlocale):
---------------------------------------
return (char *) newname[0];
---------------------------------------
Line setlocale.c:195, setname source:
---------------------------------------
setname (int category, const char *name)
{
  if (_nl_global_locale.__names[category] == name)
    return;
  if (_nl_global_locale.__names[category] != _nl_C_name)
    free ((char *) _nl_global_locale.__names[category]);
  _nl_global_locale.__names[category] = name;
}
---------------------------------------
In the setname function, the allocated memory chunk is saved in
_nl_global_locale.__names. The old chunk of the same category in
_nl_global_locale.__names is freed. So there should be a use-after-free bug here.
Here is the proof of concept:
--------------------------------------
root@pen:~/fuzz# cat test_setlocale.c
#include <stdlib.h>
#include <stdio.h>
#include <locale.h>
#include <string.h>

int main()
{
    /* pointer into glibc's name storage for LC_NUMERIC */
    char* oldLocale = setlocale(LC_NUMERIC, "C.UTF-8");
    printf("oldLocale = %s\n", oldLocale);
    /* setname() frees the old "C.UTF-8" chunk here */
    setlocale(LC_NUMERIC, "en_US.UTF-8");
    /* allocation of similar size reuses the freed chunk */
    char* foo = strdup("fakename");
    printf("oldLocale = %s\n", oldLocale);
    setlocale(LC_NUMERIC, oldLocale);
    return 0;
}
root@pen:~/fuzz# gcc test_setlocale.c -O0 -m32 -ggdb -o test_setlocale
root@pen:~/fuzz# ./test_setlocale
oldLocale = C.UTF-8
oldLocale = fakename
root@pen:~/fuzz#
--------------------------------------
As you can see, oldLocale is overwritten with some fake data.
--
You are receiving this mail because:
You are on the CC list for the bug.
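Added example, not part of the bug report or of glibc: the calling pattern that avoids holding setlocale()'s return value across another setlocale() call. The C standard (C11 7.11.1.1) says the string returned by setlocale may be overwritten by a subsequent call to setlocale, so a caller that wants to restore a locale later copies the name first and restores from its own copy. The helper names (save_locale, restore_locale, with_locale, locale_round_trip) are hypothetical, and the locale names "C.UTF-8" and "en_US.UTF-8" are assumed to be installed for the demonstration; the helpers still work correctly when they are not.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup() */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a private copy of the current name of `category`.
 * setlocale(category, NULL) only queries; the pointer it returns refers to
 * libc-owned storage that a later setlocale() call may free or overwrite,
 * so the name is duplicated before anything else touches the locale.
 * Returns NULL if the query or the allocation fails. */
char *save_locale(int category)
{
    const char *cur = setlocale(category, NULL);
    return cur ? strdup(cur) : NULL;
}

/* Reapply a name obtained from save_locale() and release the copy.
 * Returns 1 on success, 0 if `saved` is NULL or cannot be reapplied. */
int restore_locale(int category, char *saved)
{
    int ok = (saved != NULL) && (setlocale(category, saved) != NULL);
    free(saved);
    return ok;
}

/* Run fn(arg) with `category` temporarily set to `name`, then restore the
 * previous setting.  Returns fn's result; -1 if the previous locale could
 * not be saved or `name` is not installed (locale left untouched); -2 if
 * the restore failed after fn ran (process is then left in `name`). */
int with_locale(int category, const char *name, int (*fn)(void *), void *arg)
{
    char *saved = save_locale(category);
    if (saved == NULL)
        return -1;
    if (setlocale(category, name) == NULL) {
        free(saved);
        return -1;
    }
    int rc = fn(arg);
    return restore_locale(category, saved) ? rc : -2;
}

/* The sequence from the report, but with the copy made up front.  Starts
 * from the portable "C" locale, saves it, switches `category` to `other`
 * if that locale is installed, and checks that the saved copy is intact
 * and can be restored.  Returns 1 if the round trip succeeded, else 0. */
int locale_round_trip(int category, const char *other)
{
    if (setlocale(category, "C") == NULL)
        return 0;
    char *saved = save_locale(category);          /* our own copy of "C" */
    if (saved == NULL)
        return 0;

    /* This is the call that frees/overwrites libc's old name buffer.  It may
     * fail on a system without `other`; the saved copy is unaffected. */
    setlocale(category, other);

    int copy_intact = strcmp(saved, "C") == 0;    /* still ours, still "C" */
    int restored = restore_locale(category, saved);
    const char *now = setlocale(category, NULL);
    return copy_intact && restored && now != NULL && strcmp(now, "C") == 0;
}

/* Callback for with_locale(): shows a value that depends on LC_NUMERIC. */
static int show_decimal_point(void *unused)
{
    (void)unused;
    printf("decimal point: \"%s\"\n", localeconv()->decimal_point);
    return 0;
}

int main(void)
{
    printf("round trip LC_NUMERIC via C.UTF-8: %s\n",
           locale_round_trip(LC_NUMERIC, "C.UTF-8") ? "ok" : "FAILED");
    /* Assumed locale name; if en_US.UTF-8 is not installed, with_locale
     * returns -1 and the caller's locale is untouched. */
    int rc = with_locale(LC_NUMERIC, "en_US.UTF-8", show_decimal_point, NULL);
    printf("with_locale returned %d, LC_NUMERIC is now %s\n",
           rc, setlocale(LC_NUMERIC, NULL));
    return 0;
}
```

The same copy-first rule applies to LC_ALL, where the returned name can be a composite string that glibc builds and frees in the same way. For code that only needs a different locale for one operation, newlocale()/uselocale() switch a per-thread locale without touching the global state that setlocale() manages, which sidesteps the shared name buffer entirely.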