Bug 13656 (CVE-2012-0864) - vfprintf nargs integer overflow (CVE-2012-0864)
Summary: vfprintf nargs integer overflow (CVE-2012-0864)
Status: RESOLVED FIXED
Alias: CVE-2012-0864
Product: glibc
Classification: Unclassified
Component: stdio
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Carlos O'Donell
Keywords: glibc_2.14, glibc_2.15
Reported: 2012-02-02 20:52 UTC by Kees Cook
Modified: 2014-06-27 09:58 UTC
fweimer: security+
Description Kees Cook 2012-02-02 20:52:43 UTC
The nargs value can overflow when doing allocations, and argument-based offsets are not bounds-checked, allowing arbitrary memory writes via format strings, bypassing _FORTIFY_SOURCE protections:

http://www.phrack.org/issues.html?issue=67&id=9

Patch in progress:
http://cygwin.com/ml/libc-alpha/2012-02/msg00016.html
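A defender-side illustration of the two checks the description calls for (an overflow-safe table size computation and bounds-checking of positional argument offsets), as an added example modelling vfprintf's argument table with a hypothetical `struct arg_slot`; it is not glibc's code or the patch linked above.

```c
/* Added example (not glibc code): the two checks the report describes,
   applied to a simplified model of vfprintf's argument table. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for vfprintf's per-argument bookkeeping (glibc keeps a type
   array and a union printf_arg array; one struct is enough here). */
struct arg_slot { int type; long long value; };

/* The unchecked size computation: nargs * sizeof wraps silently once
   nargs exceeds SIZE_MAX / sizeof, yielding a tiny allocation that the
   later per-argument stores then overrun. */
size_t naive_table_bytes(size_t nargs)
{
    return nargs * sizeof(struct arg_slot);
}

/* Hardened check: refuse any nargs whose table size cannot be
   represented, in the spirit of "limit nargs by available memory"
   rather than a fixed NL_ARGMAX cap. */
int nargs_fits(size_t nargs)
{
    return nargs <= SIZE_MAX / sizeof(struct arg_slot);
}

/* Allocate the table only after the count passes the check.
   Returns NULL with errno = EOVERFLOW on an unrepresentable size. */
struct arg_slot *alloc_args(size_t nargs)
{
    if (!nargs_fits(nargs)) { errno = EOVERFLOW; return NULL; }
    return calloc(nargs ? nargs : 1, sizeof(struct arg_slot));
}

/* Bounds-check a positional "%N$" index (1-based) against the number of
   slots actually allocated before it is used as an array offset.
   Returns the 0-based slot, or -1 when N is outside [1, nargs]. */
long positional_slot(unsigned long n, size_t nargs)
{
    if (n == 0 || n > nargs)
        return -1;
    return (long)(n - 1);
}
```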
Comment 1 Andreas Jaeger 2012-03-05 09:38:00 UTC
Fixed in git head, this should be backported to all active branches.
Comment 2 Tomas Hoger 2012-03-05 09:56:50 UTC
FYI, a comment from Laszlo Ersek in Red Hat BZ:

https://bugzilla.redhat.com/show_bug.cgi?id=794766#c8


The easiest fix would have been to restrict "nargs" to NL_ARGMAX.

http://www.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html#tag_13_23_03_07
Comment 3 Andreas Jaeger 2012-03-05 10:09:26 UTC
Tomas, could you or Laszlo bring this up on libc-alpha, please?
Comment 4 Tomas Hoger 2012-03-06 14:42:32 UTC
(In reply to comment #3)
> Tomas, could you or Laszlo bring this up on libc-alpha, please?

This was posted in:
  http://sourceware.org/ml/libc-alpha/2012-03/msg00101.html

Replies indicate it is preferred to limit nargs by available memory rather than using an arbitrary limit, i.e. what Kees' patch was doing already.

Related commit links for posterity:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fa0355175d60ccf610c98f2345504603d3b8ea57
Comment 5 Paul Eggert 2012-03-09 08:36:47 UTC
Fix committed:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e

so I am marking this bug as fixed.