Bug 24588

Summary: Remove codecvt vtables from libio
Product: glibc
Reporter: Florian Weimer <fweimer>
Component: stdio
Assignee: Florian Weimer <fweimer>
Status: RESOLVED FIXED
Severity: normal
Flags: fweimer: security-
Priority: P2
Version: 2.30
Target Milestone: 2.30

Description Florian Weimer 2019-05-20 12:34:04 UTC
codecvt support was added to the internal copy of libio in GCC 3.0, but the C++ compiler in that GCC version uses a different ABI for placing vtable pointers, so libio in glibc is already ABI-incompatible with C++, and cannot be used with libstdc++.

I believe that we can remove the codecvt vtable without affecting old binaries (even though the struct definition was exposed in <libio.h>).

Also see <https://sourceware.org/glibc/wiki/LibioVtables>.

Comment 1 Sourceware Commits 2019-05-20 20:13:38 UTC
The master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=09e1b0e3f6facc1af2dbcfef204f0aaa8718772b

commit 09e1b0e3f6facc1af2dbcfef204f0aaa8718772b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 20 21:54:57 2019 +0200

    libio: Remove codecvt vtable [BZ #24588]
    
    The codecvt vtable is not a real vtable because it also contains the
    conversion state data.  Furthermore, wide stream support was added to
    GCC 3.0, after a C++ ABI bump, so there is no compatibility
    requirement with libstdc++.
    
    This change removes several unmangled function pointers which could
    be used with a corrupted FILE object to redirect execution.  (libio
    vtable verification did not cover the codecvt vtable.)
    
    Reviewed-by: Yann Droneaud <ydroneaud@opteya.com>
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>

Comment 2 Florian Weimer 2019-05-20 20:14:21 UTC
Fixed for glibc 2.30.