Bug 22026 - iconv_open: heap overflow on gconv_init failure
Summary: iconv_open: heap overflow on gconv_init failure
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: locale
Version: 2.26
Importance: P2 normal
Target Milestone: 2.27
Assignee: Florian Weimer
Reported: 2017-08-29 13:03 UTC by Florian Weimer
Modified: 2017-08-29 15:36 UTC
fweimer: security-

Description Florian Weimer 2017-08-29 13:03:27 UTC
gen_steps decrements step_cnt twice on an error path.

                  if (__builtin_expect (status, __GCONV_OK) != __GCONV_OK)
                    {
                      failed = 1;
                      /* Make sure we unload this modules.  */
                      --step_cnt;
                      result[step_cnt].__end_fct = NULL;
                      break;
                    }

As a result, the update of __end_fct is out of bounds:

==10047== Invalid write of size 8
==10047==    at 0x4C36B91: gen_steps (gconv_db.c:333)
==10047==    by 0x4C36B91: find_derivation (gconv_db.c:691)
==10047==    by 0x4C36F5D: __gconv_find_transform (gconv_db.c:792)
==10047==    by 0x4C359D6: __gconv_open (gconv_open.c:110)
==10047==    by 0x4C35568: iconv_open (iconv_open.c:71)
==10047==    by 0x401413: do_test (tst-gconv-init-failure.c:50)
==10047==    by 0x401B32: support_test_main (support_test_main.c:321)
==10047==    by 0x401264: main (test-driver.c:164)
==10047==  Address 0x5013288 is 24 bytes after a block of size 32 in arena "client"

I don't think we ship any gconv modules where gconv_init can actually fail (on a correctly configured system), so I'm flagging this as security-.
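A constructed C model of the loop described above, added here and not glibc's code: the while condition already post-decrements step_cnt, so the extra --step_cnt on the error path indexes one slot below the failing step and wraps to SIZE_MAX when step 0 fails; the non-buggy path instead clears the end function before decrementing, which is the ordering the fix adopts. The model bounds-checks the error-path store so it reports the bad index instead of corrupting the heap; pointer mangling is left out, and build_steps, BUILD_OOB_WRITE, model_end_fct and the init_ok array are names of this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of glibc's gen_steps loop (added example, not glibc code).
   Steps are initialised from the last index down to 0; init_ok[k] says whether
   step k's gconv_init succeeds.  end_fct stands in for __end_fct. */
struct step { void (*end_fct)(void); };
enum { BUILD_OK = 0, BUILD_INIT_FAILED = 1, BUILD_OOB_WRITE = 2 };

static void model_end_fct(void) {}
/* With `buggy` the error path decrements step_cnt before clearing end_fct, as
   glibc 2.26 did; otherwise it clears first, as the fix does.  The error-path
   store is bounds-checked so the model reports an out-of-bounds index instead of
   corrupting the heap.  *written gets the index the error path stored to (SIZE_MAX
   if it was out of bounds); *unloaded how many modules the cleanup loop released. */
static int build_steps(const bool *init_ok, size_t nsteps, bool buggy,
                       size_t *written, size_t *unloaded)
{
    struct step *result = calloc(nsteps, sizeof *result);
    size_t step_cnt = nsteps;
    int status = BUILD_OK;
    *written = SIZE_MAX;
    *unloaded = 0;
    if (result == NULL)
        return -1;
    while (step_cnt-- > 0) {          /* first decrement happens here */
        result[step_cnt].end_fct = model_end_fct;
        if (!init_ok[step_cnt]) {
            status = BUILD_INIT_FAILED;
            if (buggy)
                --step_cnt;           /* second decrement: one slot below the failing step */
            if (step_cnt >= nsteps)   /* wrapped to SIZE_MAX: the store would miss the block */
                status = BUILD_OOB_WRITE;
            else {
                result[step_cnt].end_fct = NULL; /* failed init: its end function must never run */
                *written = step_cnt;
            }
            if (!buggy)
                --step_cnt;           /* so the cleanup below also unloads the failing step */
            break;
        }
    }
    if (status != BUILD_OK)           /* cleanup as in glibc: unload from the failing step upward */
        while (++step_cnt < nsteps)
            ++*unloaded;
    free(result);
    return status;
}
```

With the buggy ordering a failure in any step other than 0 stays in bounds but clears the end function of the wrong step, which the written index makes visible.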
Comment 1 Florian Weimer 2017-08-29 13:13:01 UTC
__end_fct must also be properly mangled on the error handling path.
Comment 2 cvs-commit@gcc.gnu.org 2017-08-29 15:36:02 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  251bccfa1fcb3568e43546b0df33e052889406c1 (commit)
      from  e7c18b9d0aacb02f9d6edffdf4d1e26a54fbfb84 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=251bccfa1fcb3568e43546b0df33e052889406c1

commit 251bccfa1fcb3568e43546b0df33e052889406c1
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 29 17:33:58 2017 +0200

    iconv_open: Fix heap corruption on gconv_init failure [BZ #22026]
    
    Also mangle the __end_fct function pointer on the error handling
    path.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                          |   16 ++++++++++
 iconv/Makefile                     |   14 ++++++++
 iconv/gconv_db.c                   |    9 ++++-
 iconv/test-gconv-modules           |   23 ++++++++++++++
 iconv/tst-gconv-init-failure-mod.c |   49 ++++++++++++++++++++++++++++++
 iconv/tst-gconv-init-failure.c     |   58 ++++++++++++++++++++++++++++++++++++
 6 files changed, 167 insertions(+), 2 deletions(-)
 create mode 100644 iconv/test-gconv-modules
 create mode 100644 iconv/tst-gconv-init-failure-mod.c
 create mode 100644 iconv/tst-gconv-init-failure.c
Comment 3 Florian Weimer 2017-08-29 15:36:26 UTC
Fixed in 2.27.