This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] __gconv_translit_find: Actually append ".so" to module name [BZ #17187]
- From: "Joseph S. Myers" <joseph at codesourcery dot com>
- To: Tavis Ormandy <taviso at google dot com>
- Cc: Florian Weimer <fweimer at redhat dot com>, Roland McGrath <roland at hack dot frob dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Thu, 31 Jul 2014 20:28:54 +0000
- Subject: Re: [PATCH] __gconv_translit_find: Actually append ".so" to module name [BZ #17187]
- Authentication-results: sourceware.org; auth=none
- References: <53CD0F15 dot 3030806 at redhat dot com> <20140728230221 dot 66D7A2C3994 at topped-with-meat dot com> <53D73636 dot 7060207 at redhat dot com> <CAJ_zFkJLdEpJzKSM3HDN6PuVriTd4vKNqq=EubtCR5qqvt1U8g at mail dot gmail dot com> <53D7F076 dot 9010505 at redhat dot com> <CAJ_zFk+biAoGh=v1AtVF_E2Kvg=yZbUpZ9i6h4QwF3M6_XGkoQ at mail dot gmail dot com>
On Thu, 31 Jul 2014, Tavis Ormandy wrote:
> Additionally, the DST expansion looks like it's vulnerable to an
> integer overflow on 32-bit, perhaps not exploitable on Fedora where
> $PLATFORM and $LIB don't expand to very big strings, but on Debian
> $LIB is "x86_64-linux-gnu" which is a 4x increase. Obviously that
> wouldn't matter very much if you can't get a DST expanded by a setuid
> boundary, but there are at least a few where you can via gconv (sudo,
> pkexec, etc).
If this is about strings from the environment, note that the Linux kernel
limits such strings to a length of MAX_ARG_STRLEN == (PAGE_SIZE * 32). So
you'd also need a large page size for such an exploit on Linux (but of
course we should fix integer overflows even if they aren't exploitable on
some glibc platforms).
--
Joseph S. Myers
joseph@codesourcery.com
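Added example, not code from glibc or from this thread: an overflow-checked length computation for a dynamic-string-token (DST) expansion, plus the bound that follows from the kernel's MAX_ARG_STRLEN == PAGE_SIZE * 32 cap. The token table (`$LIB` expanding to 16 bytes as on Debian, `$PLATFORM` to 6), the 4 KiB page size and the function names are constructed for illustration; only the MAX_ARG_STRLEN formula comes from the message above. The point is the defensive one: every growing operation goes through the compiler's overflow builtins, so a 32-bit `size_t` cannot wrap silently, and the bound function shows why a 4 KiB page cannot reach that wrap with a 16-byte `$LIB`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a 4 KiB page and the kernel's
   MAX_ARG_STRLEN == PAGE_SIZE * 32 formula quoted in the thread. */
#define EXAMPLE_PAGE_SIZE 4096ULL

/* A DST token and the length of its expansion on this system (hypothetical). */
struct dst_token {
    const char *name;  /* literal token in the input, e.g. "$LIB" */
    size_t repl_len;   /* length of the expansion, e.g. 16 for "x86_64-linux-gnu" */
};

/* Constructed sample table: Debian-style $LIB (16 bytes), 6-byte $PLATFORM. */
const struct dst_token example_tokens[] = {
    { "$LIB", 16 },
    { "$PLATFORM", 6 },
};

/* Constructed pathological table used to show the overflow path. */
const struct dst_token huge_token[] = {
    { "$LIB", SIZE_MAX },
};

/* Count non-overlapping occurrences of tok in s. */
static size_t count_tokens(const char *s, const char *tok)
{
    size_t n = 0, toklen = strlen(tok);
    for (const char *p = strstr(s, tok); p != NULL; p = strstr(p + toklen, tok))
        n++;
    return n;
}

/* Length of s after every token is replaced by its expansion.  Returns 0 and
   stores the length in *out, or -1 if any intermediate value would not fit in
   size_t.  Token names are assumed not to be prefixes of each other. */
int dst_expanded_len(const char *s, const struct dst_token *toks,
                     size_t ntoks, size_t *out)
{
    size_t total = strlen(s);
    for (size_t i = 0; i < ntoks; i++) {
        size_t n = count_tokens(s, toks[i].name);
        size_t grow;
        if (n == 0)
            continue;
        /* Removing the tokens themselves only shrinks the string: safe. */
        total -= n * strlen(toks[i].name);
        /* Growing it is where a 32-bit size_t can wrap: check both steps. */
        if (__builtin_mul_overflow(n, toks[i].repl_len, &grow))
            return -1;
        if (__builtin_add_overflow(total, grow, &total))
            return -1;
    }
    *out = total;
    return 0;
}

/* 1 if s expands without overflow to exactly expected bytes. */
int expands_to(const char *s, const struct dst_token *toks, size_t ntoks,
               size_t expected)
{
    size_t len;
    return dst_expanded_len(s, toks, ntoks, &len) == 0 && len == expected;
}

/* 1 if the expansion of s would overflow size_t. */
int expansion_overflows(const char *s, const struct dst_token *toks, size_t ntoks)
{
    size_t len;
    return dst_expanded_len(s, toks, ntoks, &len) == -1;
}

/* Upper bound on the expanded length of one environment string: the input is
   capped at page_size * 32 bytes, and the worst case is a string made only of
   the 4-byte "$LIB" token, each copy expanding to repl_len bytes.  Computed
   in 64 bits so it can be compared against the 32-bit size_t range. */
uint64_t worst_case_expanded_len(uint64_t page_size, uint64_t repl_len)
{
    uint64_t max_arg_strlen = page_size * 32;
    return (max_arg_strlen / strlen("$LIB")) * repl_len;
}

/* 1 if that worst case exceeds what a 32-bit size_t can hold. */
int can_wrap_32bit(uint64_t page_size, uint64_t repl_len)
{
    return worst_case_expanded_len(page_size, repl_len) > UINT32_MAX;
}

int main(void)
{
    size_t len = 0;
    const char *path = "/opt/$LIB/$PLATFORM/libfoo.so";  /* constructed input */

    if (dst_expanded_len(path, example_tokens, 2, &len) == 0)
        printf("%s expands to %zu bytes\n", path, len);
    /* With 4 KiB pages the bound is page_size * 128 bytes; the page size would
       have to exceed 32 MiB before a 16-byte $LIB could wrap 32 bits. */
    printf("worst case at 4 KiB pages: %llu bytes, can wrap 32-bit: %d\n",
           (unsigned long long)worst_case_expanded_len(EXAMPLE_PAGE_SIZE, 16),
           can_wrap_32bit(EXAMPLE_PAGE_SIZE, 16));
    return 0;
}
```

The bound function is the arithmetic behind the reply: with `$LIB` being 4 bytes in and 16 bytes out, the expansion is at most 4x the capped input, i.e. PAGE_SIZE * 128, so the cap alone keeps a 32-bit `size_t` safe on any ordinary page size, which is why the fix still belongs in the length computation rather than in an assumption about page sizes.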