Summary: | NULL pointer dereference in mq_notify (CVE-2021-38604) | | |
---|---|---|---|
Product: | glibc | Reporter: | Nikita Popov <npv1310> |
Component: | librt | Assignee: | Not yet assigned to anyone <unassigned> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | sam, siddhesh, toolchain |
Priority: | P2 | Flags: | siddhesh: security+ |
Version: | unspecified | | |
Target Milestone: | 2.35 | | |
Host: | | Target: | |
Build: | | Last reconfirmed: | |
Attachments: | Proposed patch | | |
Description
Nikita Popov
2021-08-09 12:14:00 UTC
Created attachment 13606
Proposed patch
Pushed to master and 2.34.

Test case for the fix.

commit 4cc79c217744743077bf7a0ec5e0a4318f1e6641 (HEAD -> master, origin/master, origin/HEAD)
Author: Nikita Popov <npv1310@gmail.com>
Date: Thu Aug 12 16:09:50 2021 +0530

librt: add test (bug 28213)

This test implements following logic:
1) Create POSIX message queue. Register a notification with mq_notify (using NULL attributes). Then immediately unregister the notification with mq_notify. Helper thread in a vulnerable version of glibc should cause NULL pointer dereference after these steps.
2) Once again, register the same notification. Try to send a dummy message. Test is considered successful if the dummy message is successfully received by the callback function.

Signed-off-by: Nikita Popov <npv1310@gmail.com>
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>