Bug 11883 (CVE-2011-1071) - fnmatch() alloca() abuse, with security consequence (CVE-2011-1071)
Summary: fnmatch() alloca() abuse, with security consequence (CVE-2011-1071)
Status: RESOLVED FIXED
Alias: CVE-2011-1071
Product: glibc
Classification: Unclassified
Component: libc (show other bugs)
Version: 2.9
: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-05 05:04 UTC by Chris Evans
Modified: 2021-09-15 02:24 UTC (History)
3 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Evans 2010-08-05 05:04:39 UTC
Demo:

#include <err.h>
#include <fnmatch.h>
#include <locale.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, const char* argv[]) {
  size_t num_as;
  char* p;
  setlocale(LC_ALL, "en_US.UTF8");
  if (argc < 2) {
    errx(1, "Missing argument.");
  }
  num_as = atoi(argv[1]);
  if (num_as < 5) {
    errx(1, "Need 5.");
  }
  p = malloc(num_as);
  if (!p) {
    errx(1, "malloc() failed.");
  }
  memset(p, 'A', num_as);
  p[num_as - 1] = '\0';
  p[0] = 'f';
  p[1] = 'o';
  p[2] = 'o';
  p[3] = '.';
  fnmatch("*.anim[1-9j]", p, 0);
  return 0;
}

./a.out 3000000
Segmentation fault

(If your default max stack size is greater than the default 8MB then you may 
need a larger number)

I chatted to some people and they suggested that there's probably a missing 
__libc_use_alloca() somewhere.

This was the source of a nasty Chromium bug which was worked around for now.

[Random aside: I can't seem to find the default value for __libc_alloca_cutoff 
but if it is > PAGE_SIZE then that in of itself would cause serious issues since 
most people don't compile glibc with -fstack-check, combined with the fact that 
pthread stacks by default are separated with a single guard page]
Comment 1 Ulrich Drepper 2010-08-10 04:27:18 UTC
I cannot reproduce any problem.  I did check in changes to keep the alloca use
limited.
Comment 2 Jackie Rosen 2014-02-16 19:35:27 UTC Comment hidden (spam)
Comment 3 namboru 2021-09-15 02:24:23 UTC Comment hidden (spam)