Bug 28011 (CVE-2021-35942)

Summary: Wild read in wordexp (parse_param) (CVE-2021-35942)
Product: glibc
Reporter: Philippe Antoine <p.antoine>
Component: libc
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: drepper.fsp, fweimer, siddhesh
Priority: P2
Flags: siddhesh: security+
Version: 2.23
Target Milestone: 2.34

Description Philippe Antoine 2021-06-25 12:24:55 UTC
Found by oss-fuzz

Quick reproducer is:

```
#include <wordexp.h>

int main(void)
{
	wordexp_t p;
	/* Fuzzer-generated input.  The "${8888888888888##...}" form names a
	   positional parameter whose number does not fit in an int.  The
	   literal is split into adjacent pieces only to keep the lines short;
	   the compiler concatenates them into one string. */
	int ret = wordexp("\"data:888888888888888888888888888888e},},${8888888888888##sioiondata:ap                   "
			  "  gi37             },},{8888888888SSSSSSSSSSSSSS88883********888888888888888888888888888888e},},{8888888888888"
			  "##sioiondata:ap                     gi37                     TTTT05T98TTTT047798T\xff\xff\xff\xd1\xff\xff\xff\xb1TTTTT9TT//////// /Y/ 80371588u40)2961kata:888##sioiondata>ap   )",
			  &p, 0);
	return ret;
}
```

Stack trace is:
```
==797==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff8ed1c2b28 (pc 0x7f11b008eee0 bp 0x616000001880 sp 0x7ffc14979fa0 T0)
==797==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x7f11b008eee0 in parse_param /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:1466
    #1 0x7f11b008eee0 in parse_dollars /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2112
    #2 0x7f11b0090ed7 in parse_dquote /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2198
    #3 0x7f11b0090ed7 in wordexp /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2379
```
Comment 1 Andreas Schwab 2021-06-27 17:39:03 UTC
Fixed in 2.34.
Comment 2 Philippe Antoine 2021-06-27 19:44:10 UTC
Thanks Andreas
Comment 3 Siddhesh Poyarekar 2021-06-30 04:27:26 UTC
The fix:

From: Andreas Schwab <schwab@linux-m68k.org>
Date: Fri, 25 Jun 2021 13:02:47 +0000 (+0200)
Subject: wordexp: handle overflow in positional parameter number (bug 28011)
X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c

wordexp: handle overflow in positional parameter number (bug 28011)

Use strtoul instead of atoi so that overflow can be detected.
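
The commit message says the fix replaces atoi with strtoul so that overflow can be detected. The block below is an added example, not glibc's code and not the patch itself: a stand-alone converter for the digits of a positional parameter (the "N" in "$N" or "${N##pattern}", which wordexp resolves against the process's argument vector) that shows the checks strtoul makes possible and atoi does not: an ERANGE check, a trailing-character check, and a bounds check against the argument count. The function names positional_index and lookup_positional and the word vector are constructed for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not glibc's): convert the digit string of a positional
   parameter into an index into an argument vector of argc entries.  Returns
   the index, or -1 when the digits are not a plain number, do not fit in
   unsigned long, or are not below argc.  atoi() offers none of these checks:
   on overflow its result is undefined, and a wrapped negative value used as an
   array index is exactly the wild read this bug describes. */
long positional_index(const char *digits, size_t argc)
{
	/* strtoul silently accepts leading whitespace and a sign; a positional
	   parameter is digits only, so reject anything else up front. */
	if (digits == NULL || digits[0] < '0' || digits[0] > '9')
		return -1;

	char *end;
	errno = 0;	/* strtoul only sets errno on failure; clear it first */
	unsigned long n = strtoul(digits, &end, 10);

	if (errno == ERANGE)	/* value does not fit in unsigned long */
		return -1;
	if (*end != '\0')	/* trailing non-digit characters */
		return -1;
	if (n >= argc)		/* index would read past the argument vector */
		return -1;
	if (n > LONG_MAX)	/* cannot be represented in the return type */
		return -1;
	return (long) n;
}

/* Look up positional parameter `digits` in a word vector.  Returns the word,
   or NULL when the parameter is unset or invalid; a caller that treats NULL as
   "unset" never indexes outside words[]. */
const char *lookup_positional(const char *digits, char *const words[],
			      size_t nwords)
{
	long i = positional_index(digits, nwords);
	return i < 0 ? NULL : words[i];
}

int main(void)
{
	/* Constructed argument vector standing in for the process's argv. */
	char *const words[] = { "prog", "alpha", "beta" };
	const size_t nwords = sizeof words / sizeof words[0];

	/* Constructed parameter numbers: in range, one past the end, the
	   13-digit value from the bug report, a value too large for unsigned
	   long, trailing garbage, and a negative number. */
	const char *cases[] = { "1", "2", "3", "8888888888888",
				"99999999999999999999", "1x", "-1" };

	for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++) {
		const char *w = lookup_positional(cases[c], words, nwords);
		printf("${%s} -> %s\n", cases[c], w ? w : "(unset)");
	}
	return 0;
}
```

The bounds check is the part that matters even without overflow: "8888888888888" fits in a 64-bit unsigned long, so only the comparison against the argument count keeps it from being used as an index.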