Bug 14752 - Unsafe use of alloca in shm_open
Summary: Unsafe use of alloca in shm_open
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2012-10-22 17:07 UTC by Rich Felker
Modified: 2013-10-31 13:03 UTC

Description Rich Felker 2012-10-22 17:07:55 UTC
shm_open passes an arbitrarily-large value resulting from strlen to alloca, resulting in stack overflow. As there is no interface for supporting "directories" of shared memory, it makes sense to just bound the length by NAME_MAX and return an error if the input name is longer. Then a safe fixed-size buffer can be used.
Comment 1 OndrejBilka 2013-05-02 17:45:50 UTC
shm_open is definitely not performance critical. You could simply use malloc. Or copy the malloca pattern.
Comment 2 Rich Felker 2013-05-05 15:17:54 UTC
Well despite the standard not requiring it, it may be nice to provide a shm_open which is async-signal-safe. Using malloc would preclude that. Limiting the buffer length to NAME_MAX+sizeof("/dev/shm/") should work just as well.
Comment 3 Ondrej Bilka 2013-05-06 08:24:12 UTC
On Sun, May 05, 2013 at 03:17:54PM +0000, bugdal at aerifal dot cx wrote:
> http://sourceware.org/bugzilla/show_bug.cgi?id=14752
> 
> --- Comment #2 from Rich Felker <bugdal at aerifal dot cx> 2013-05-05 15:17:54 UTC ---
> Well despite the standard not requiring it, it may be nice to provide a
> shm_open which is async-signal-safe. Using malloc would preclude that. Limiting
> the buffer length to NAME_MAX+sizeof("/dev/shm/") should work just as well.
>
Then the bug is in not checking the size. You can add a test for whether it is more than
PATH_MAX and set errno to ENAMETOOLONG. Alloca will run fine.
Comment 4 Rich Felker 2013-07-20 16:59:07 UTC
Ping. Note that allowing up to PATH_MAX is not useful, since there's no shm_mkdir and thus no way to use "directories" of shm. The limit should simply be NAME_MAX.
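The unbounded allocation the report describes, next to a fixed-size path builder bounded the way Comments 2 and 4 suggest, as an added C example. This is illustrative code, not glibc's shm_open and not the fix it received; the names shm_path_unsafe, shm_build_path and shm_path, the NAME_MAX fallback, and the EINVAL rejection of empty names and embedded slashes are this example's own choices, not details taken from the bug.

```c
#include <alloca.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Directory prefix as given in Comment 2. The NAME_MAX fallback is an
 * assumption for platforms whose <limits.h> does not define it. */
#define SHMDIR "/dev/shm/"
#ifndef NAME_MAX
#define NAME_MAX 255
#endif

/* Fixed-size path buffer: prefix (without NUL) + NAME_MAX bytes of name + NUL,
 * i.e. the NAME_MAX + sizeof("/dev/shm/") bound from Comment 2. */
typedef struct {
    char path[sizeof(SHMDIR) + NAME_MAX];
} shm_path;

/* Vulnerable shape described in the report: the alloca size is taken straight
 * from strlen(name), so the caller decides how much stack is consumed, and a
 * multi-megabyte name walks off the end of the stack. Kept only for
 * comparison; shm_build_path below is the bounded replacement. */
static int shm_path_unsafe(const char *name, int (*use)(const char *path))
{
    size_t namelen = strlen(name);
    char *path = alloca(sizeof(SHMDIR) + namelen);      /* unbounded */
    memcpy(path, SHMDIR, sizeof(SHMDIR) - 1);
    memcpy(path + sizeof(SHMDIR) - 1, name, namelen + 1);
    return use(path);
}

/* Hardened builder (illustrative, not glibc's implementation). Returns 0 and
 * fills out->path, or -1 with errno set. The NAME_MAX bound follows Comment 4;
 * rejecting empty names and embedded '/' follows from there being no shm
 * "directories" (also Comment 4) and is this example's choice. No heap
 * allocation is involved, so nothing here stands in the way of the
 * async-signal-safety Comment 2 asks for. */
int shm_build_path(const char *name, shm_path *out)
{
    /* POSIX lets the name start with '/'; skip any leading slashes. */
    while (*name == '/')
        name++;

    size_t namelen = strlen(name);
    if (namelen == 0 || strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    if (namelen > NAME_MAX) {
        errno = ENAMETOOLONG;     /* too long for one path component */
        return -1;
    }

    /* Both copies are bounded: at most sizeof(SHMDIR)-1 + NAME_MAX + 1 bytes. */
    memcpy(out->path, SHMDIR, sizeof(SHMDIR) - 1);
    memcpy(out->path + sizeof(SHMDIR) - 1, name, namelen + 1);
    return 0;
}

/* Callback for shm_path_unsafe: report the length of the path it built. */
static int path_length(const char *path)
{
    return (int)strlen(path);
}

int main(void)
{
    shm_path p;
    char longname[NAME_MAX + 2];                /* constructed: one byte over the limit */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    if (shm_build_path("/myseg", &p) == 0)
        printf("ok:   %s\n", p.path);
    if (shm_build_path(longname, &p) == -1)
        printf("rejected %zu-byte name: %s\n", strlen(longname), strerror(errno));
    if (shm_build_path("a/b", &p) == -1)
        printf("rejected \"a/b\": %s\n", strerror(errno));

    /* Harmless with a short name; the same call with a huge name would crash. */
    printf("unsafe builder produced %d bytes\n", shm_path_unsafe("x", path_length));
    return 0;
}
```

The test for the bound is the one Comment 2 implies: a name of exactly NAME_MAX bytes must still fit, one byte more must fail with ENAMETOOLONG, and the buffer size never depends on the caller's input.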
Comment 5 Ondrej Bilka 2013-10-31 13:03:22 UTC
Fixed by 5d30d853295a5fe04cad22fdf649c5e0da6ded8c.