Bug 28011 (CVE-2021-35942) - Wild read in wordexp (parse_param) (CVE-2021-35942)
Summary: Wild read in wordexp (parse_param) (CVE-2021-35942)
Alias: CVE-2021-35942
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.23
Importance: P2 normal
Target Milestone: 2.34
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2021-06-25 12:24 UTC by Philippe Antoine
Modified: 2021-06-30 04:27 UTC
CC List: 3 users

See Also:
Last reconfirmed:
siddhesh: security+


Description Philippe Antoine 2021-06-25 12:24:55 UTC
Found by oss-fuzz

Quick reproducer is:

#include <wordexp.h>

/* Fuzzer-generated input (line breaks are from the page; the string is
   joined here with adjacent literals so that it compiles unchanged). */
int main(void) {
  wordexp_t p;
  int ret = wordexp("\"data:888888888888888888888888888888e},},${8888888888888##sioiondata:ap                   "
                    "  gi37             },},{8888888888SSSSSSSSSSSSSS88883********888888888888888888888888888888e},},{8888888888888"
                    "##sioiondata:ap                     gi37                     TTTT05T98TTTT047798T\xff\xff\xff\xd1\xff\xff\xff\xb1TTTTT9TT//////// /Y/ 80371588u40)2961kata:888##sioiondata>ap   )", &p, 0);
  return ret;
}

Stack trace is:
==797==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff8ed1c2b28 (pc 0x7f11b008eee0 bp 0x616000001880 sp 0x7ffc14979fa0 T0)
==797==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x7f11b008eee0 in parse_param /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:1466
    #1 0x7f11b008eee0 in parse_dollars /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2112
    #2 0x7f11b0090ed7 in parse_dquote /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2198
    #3 0x7f11b0090ed7 in wordexp /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2379
Comment 1 Andreas Schwab 2021-06-27 17:39:03 UTC
Fixed in 2.34.
Comment 2 Philippe Antoine 2021-06-27 19:44:10 UTC
Thanks Andreas
Comment 3 Siddhesh Poyarekar 2021-06-30 04:27:26 UTC
The fix:

From: Andreas Schwab <schwab@linux-m68k.org>
Date: Fri, 25 Jun 2021 13:02:47 +0000 (+0200)
Subject: wordexp: handle overflow in positional parameter number (bug 28011)
X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c

wordexp: handle overflow in positional parameter number (bug 28011)

Use strtoul instead of atoi so that overflow can be detected.
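Added example for this page (not glibc's code, not the commit above): the commit message says the positional parameter number was converted with atoi, which cannot report overflow, so a 13-digit number such as the `${8888888888888` in the reproducer yields a bogus value that parse_param then uses as an index, and the wild read is the result. The helper below does what the fix describes, converting with strtoul and checking errno for ERANGE, and adds a bounds check against the size of a constructed parameter table. The names positional_index and positional_lookup, the sample table and the sample inputs are mine, not glibc's.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not glibc's parse_param: turn the digits of a
   positional-parameter reference ("${12}" -> "12") into an index that is
   safe to use against a table of 'argc' entries.  Returns the index, or
   -1 when the digits are not a valid in-range number.  As in the fix,
   strtoul is used instead of atoi so that overflow is reported
   (errno == ERANGE) rather than silently producing a wrong value that
   is later used to index memory. */
long positional_index(const char *digits, size_t argc)
{
    if (digits == NULL || *digits < '0' || *digits > '9')
        return -1;                          /* must start with a digit */

    char *end;
    errno = 0;
    unsigned long n = strtoul(digits, &end, 10);

    if (errno == ERANGE)
        return -1;                          /* overflow: strtoul saturated */
    if (*end != '\0')
        return -1;                          /* trailing non-digit characters */
    if (n >= argc)
        return -1;                          /* beyond the parameter table */
    return (long) n;
}

/* Look up a positional parameter in a constructed argv-style table,
   returning NULL instead of reading outside the table on bad input. */
const char *positional_lookup(char *const *words, size_t count, const char *digits)
{
    long i = positional_index(digits, count);
    return i < 0 ? NULL : words[i];
}

int main(void)
{
    /* Constructed parameter table standing in for $0, $1, $2. */
    char *words[] = { "prog", "alpha", "beta" };
    size_t count = sizeof words / sizeof words[0];

    /* Constructed inputs: "8888888888888" is the 13-digit number from the
       reproducer, far too large for an int; the last one overflows even
       an unsigned long and trips ERANGE. */
    const char *inputs[] = { "0", "2", "3", "12x", "8888888888888",
                             "99999999999999999999999" };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        const char *w = positional_lookup(words, count, inputs[k]);
        printf("${%s} -> %s\n", inputs[k], w ? w : "rejected");
    }
    return 0;
}
```

The ERANGE check alone is not enough: on a 64-bit build "8888888888888" fits an unsigned long without overflow, so the range check against the table size is what keeps such a value from becoming an index.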