addmntent duplicates strings in its input struct mntent using alloca due to which very long strings could blow up the stack. Example: #include <stdlib.h> #include <mntent.h> #include <stdio.h> #include <string.h> #define LARGE_VALUE 2*1024*1024*1024ULL int main(int argc, char **argv) { FILE *f = fopen("/dev/null", "w"); struct mntent bad; bad.mnt_fsname = calloc (LARGE_VALUE, 1); memset (bad.mnt_fsname, ' ', LARGE_VALUE - 1); bad.mnt_dir = calloc (LARGE_VALUE, 1); memset (bad.mnt_dir, ' ', LARGE_VALUE - 1); bad.mnt_type = calloc (LARGE_VALUE, 1); memset (bad.mnt_type, ' ', LARGE_VALUE - 1); bad.mnt_opts = calloc (LARGE_VALUE, 1); memset (bad.mnt_opts, ' ', LARGE_VALUE - 1); bad.mnt_freq = 1; bad.mnt_passno = 2; addmntent (f, &bad); endmntent(f); return 0; }
It is unlikely for this bug to have a security impact given the very limited use of the function.
To elaborate on my previous comment, the glibc Security Process[1] specifies that stack overflows due to an unbounded alloca may be considered a security issue if the data triggering the overflow could come from an untrusted source. Our assessment is that this is not true for addmntent, i.e. applications using addmntent already run in a trusted context. We can revisit this if it is found that this is not true. [1] https://sourceware.org/glibc/wiki/Security%20Process
Fixed in master: commit 9798906a426fc458b949271bcc9b8ad1608de867 (HEAD -> master) Author: Siddhesh Poyarekar <siddhesh@sourceware.org> Date: Tue Dec 22 17:18:12 2020 +0530 addmntent: Remove unbounded alloca usage from getmntent [BZ#27083] The addmntent function replicates elements of struct mnt on stack using alloca, which is unsafe. Put characters directly into the stream, escaping them as they're being written out. Also add a test to check all escaped characters with addmntent and getmntent.