From patchwork Fri Dec 5 16:43:41 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 418176 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 70AAF1400B7 for ; Sat, 6 Dec 2014 03:43:52 +1100 (AEDT) DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:date:from:mime-version:to:cc :subject:content-type; q=dns; s=default; b=iEXGDy3UwYN9eVlTS7bq+ oZo/qOYrQrHCDzSWcQFtZQ657T6EqR6DMGFS5WJhexM+Yrd78Ydkutxe1Uy5MMgL Dxv9RGCkOkU01mFqCzf1OBGJQnC3iGJxoJ69nW+MMiQ3glBD0cHfR/rpf7QvPtOq /9QHZl+hdkzaFWVuqSGCh4= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:date:from:mime-version:to:cc :subject:content-type; s=default; bh=Tv14C8nzw2YfFRbtnr/A+VbHeDE =; b=XaNJ+b6XYNSV9a1YxOBpjBHUBM2hpEaVJVYucPb34x5hxPatv3EslbQLJsM GTCfDKBFEJdZvlAMcmvy/xY5TdymDR1zL/Ot7r53xld8XqChZHKIKyBlGxAth6pA KPlYUr7r2+DCZgfdDMn68Plyll8o+weel6VKLHg4OZRE6vzI= Received: (qmail 6796 invoked by alias); 5 Dec 2014 16:43:47 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 6786 invoked by uid 89); 5 Dec 2014 16:43:46 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-3.2 required=5.0 tests=AWL, BAYES_00, SPF_HELO_PASS, SPF_PASS, T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-HELO: mx1.redhat.com Message-ID: <5481E0BD.9000203@redhat.com> Date: Fri, 05 Dec 2014 17:43:41 +0100 From: Florian Weimer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0 MIME-Version: 1.0 To: GNU C Library CC: Jeff Law Subject: [PATCH] vfprintf stack overflow [BZ #16617] This fell through the cracks. I took Jeff Law's patch (which we carry as a local patch in Fedora and downstream), compressed the bug23-3.c test case, and added Joseph's test case from the bug as bug23-4.c. Tested on x86_64-redhat-linux-gnu, with no regressions. From 3fcae31c646f9419b5201c9189f961487f2b6743 Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Fri, 5 Dec 2014 15:49:34 +0100 Subject: [PATCH] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617] A larger number of format specifiers coudld cause a stack overflow, potentially allowing to bypass _FORTIFY_SOURCE format string protection. 2014-12-05 Jeff Law [BZ #16617] * stdio-common/vfprintf.c (vfprintf): Allocate large specs array on the heap. (CVE-2012-3406) * stdio-common/bug23-2.c, stdio-common/bug23-3.c: New file. * stdio-common/bug23-4.c: New file. Test case by Joseph Myers. * stdio-common/Makefile (tests): Add bug23-2, bug23-3, bug23-4. diff --git a/NEWS b/NEWS index 84c1353..fe46941 100644 --- a/NEWS +++ b/NEWS @@ -10,10 +10,11 @@ Version 2.21 * The following bugs are resolved with this release: 6652, 12926, 13862, 14132, 14138, 14171, 14498, 15215, 15884, 16469, - 16619, 16740, 16857, 17192, 17266, 17344, 17363, 17370, 17371, 17411, - 17460, 17475, 17485, 17501, 17506, 17508, 17522, 17555, 17570, 17571, - 17572, 17573, 17574, 17581, 17582, 17583, 17584, 17585, 17589, 17594, - 17601, 17608, 17616, 17625, 17633, 17647, 17653, 17664, 17665, 17668. + 16617, 16619, 16740, 16857, 17192, 17266, 17344, 17363, 17370, 17371, + 17411, 17460, 17475, 17485, 17501, 17506, 17508, 17522, 17555, 17570, + 17571, 17572, 17573, 17574, 17581, 17582, 17583, 17584, 17585, 17589, + 17594, 17601, 17608, 17616, 17625, 17633, 17647, 17653, 17664, 17665, + 17668. * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for diff --git a/stdio-common/Makefile b/stdio-common/Makefile index 5f8e534..24e8496 100644 --- a/stdio-common/Makefile +++ b/stdio-common/Makefile @@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \ scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \ bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \ - bug25 tst-printf-round bug26 + bug25 tst-printf-round bug23-2 bug23-3 bug23-4 test-srcs = tst-unbputc tst-printf diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c new file mode 100644 index 0000000..9e0cfe6 --- /dev/null +++ b/stdio-common/bug23-2.c @@ -0,0 +1,70 @@ +#include +#include +#include + +static const char expected[] = "\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n"; + +static int +do_test (void) +{ + char *buf = malloc (strlen (expected) + 1); + snprintf (buf, strlen (expected) + 1, + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n", + "a", "b", "c", "d", 5); + return strcmp (buf, expected) != 0; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" diff --git a/stdio-common/bug23-3.c b/stdio-common/bug23-3.c new file mode 100644 index 0000000..57c8cef --- /dev/null +++ b/stdio-common/bug23-3.c @@ -0,0 +1,50 @@ +#include +#include +#include + +int +do_test (void) +{ + size_t instances = 16384; +#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + const char *item = "\na\nabbcd55"; +#define X3 X0 X0 X0 X0 X0 X0 X0 X0 +#define X6 X3 X3 X3 X3 X3 X3 X3 X3 +#define X9 X6 X6 X6 X6 X6 X6 X6 X6 +#define X12 X9 X9 X9 X9 X9 X9 X9 X9 +#define X14 X12 X12 X12 X12 +#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%" +#define TRAILER2 TRAILER TRAILER + size_t length = instances * strlen (item) + strlen (TRAILER) + 1; + + char *buf = malloc (length + 1); + snprintf (buf, length + 1, + X14 TRAILER2 "\n", + "a", "b", "c", "d", 5); + + const char *p = buf; + size_t i; + for (i = 0; i < instances; ++i) + { + const char *expected; + for (expected = item; *expected; ++expected) + { + if (*p != *expected) + { + printf ("mismatch at offset %zu (%zu): expected %d, got %d\n", + (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF); + return 1; + } + ++p; + } + } + if (strcmp (p, TRAILER "\n") != 0) + { + printf ("mismatch at trailer: [%s]\n", p); + return 1; + } + free (buf); + return 0; +} +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c new file mode 100644 index 0000000..a478564 --- /dev/null +++ b/stdio-common/bug23-4.c @@ -0,0 +1,31 @@ +#include +#include +#include +#include + +#define LIMIT 1000000 + +int +main (void) +{ + struct rlimit lim; + getrlimit (RLIMIT_STACK, &lim); + lim.rlim_cur = 1048576; + setrlimit (RLIMIT_STACK, &lim); + char *fmtstr = malloc (4 * LIMIT + 1); + if (fmtstr == NULL) + abort (); + char *output = malloc (LIMIT + 1); + if (output == NULL) + abort (); + for (size_t i = 0; i < LIMIT; i++) + memcpy (fmtstr + 4 * i, "%1$d", 4); + fmtstr[4 * LIMIT] = '\0'; + int ret = snprintf (output, LIMIT + 1, fmtstr, 0); + if (ret != LIMIT) + abort (); + for (size_t i = 0; i < LIMIT; i++) + if (output[i] != '0') + abort (); + return 0; +} diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c index c4ff833..520b33c 100644 --- a/stdio-common/vfprintf.c +++ b/stdio-common/vfprintf.c @@ -263,6 +263,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) /* For the argument descriptions, which may be allocated on the heap. */ void *args_malloced = NULL; + /* For positional argument handling. */ + struct printf_spec *specs; + + /* Track if we malloced the SPECS array and thus must free it. */ + bool specs_malloced = false; + /* This table maps a character into a number representing a class. In each step there is a destination label for each class. */ @@ -1679,8 +1685,8 @@ do_positional: size_t nspecs = 0; /* A more or less arbitrary start value. */ size_t nspecs_size = 32 * sizeof (struct printf_spec); - struct printf_spec *specs = alloca (nspecs_size); + specs = alloca (nspecs_size); /* The number of arguments the format string requests. This will determine the size of the array needed to store the argument attributes. */ @@ -1722,10 +1728,25 @@ do_positional: { /* Extend the array of format specifiers. */ struct printf_spec *old = specs; - specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); + if (__libc_use_alloca (2 * nspecs_size)) + specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); + else + { + nspecs_size *= 2; + specs = malloc (nspecs_size); + } /* Copy the old array's elements to the new space. */ memmove (specs, old, nspecs * sizeof (*specs)); + + /* If we had previously malloc'd space for SPECS, then + release it after the copy is complete. */ + if (specs_malloced) + free (old); + + /* Now set SPECS_MALLOCED if needed. */ + if (!__libc_use_alloca (nspecs_size)) + specs_malloced = true; } /* Parse the format specifier. */ @@ -2046,6 +2067,8 @@ do_positional: } all_done: + if (specs_malloced) + free (specs); if (__glibc_unlikely (args_malloced != NULL)) free (args_malloced); if (__glibc_unlikely (workstart != NULL)) -- 1.9.3