Bug 9706 - 32 bits uid/gid overflow
Summary: 32 bits uid/gid overflow
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-01-04 10:56 UTC by Aurelien Jarno
Modified: 2014-07-02 07:21 UTC (History)
3 users (show)

See Also:
Host: x86_64-unknown-linux-gnu
Target: x86_64-unknown-linux-gnu
Build: x86_64-unknown-linux-gnu
Last reconfirmed:
fweimer: security-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aurelien Jarno 2009-01-04 10:56:47 UTC
uid/gid use 32 bits integer and if a uid/gid is set bigger than (2^32)-1 on a 
64-bit system, there is an overflow:

# echo "toto:x:4294967296:4294967296:Fake root:/home/linus:/bin/bash" 
>> /etc/passwd
# id toto
uid=0(root) gid=0(root) groupes=0(root)

This is due to the use of strtoul() to parse the uid/gid value, followed by a 
cast to an int without any check.
Comment 1 Ulrich Drepper 2009-01-09 04:27:58 UTC
I'm changing this only to align 32-bit and 4-bit platforms.  Otherwise it is a
sysadmin problem.
Comment 2 Florian Weimer 2014-07-02 07:21:29 UTC
The bogus UID or GID number has to come from a trusted configuration file, so I'm marking this security-.