From patchwork Fri Mar 6 04:33:09 2015
X-Patchwork-Submitter: Paul Pluzhnikov
X-Patchwork-Id: 447004
Delivered-To: mailing list libc-alpha@sourceware.org
In-Reply-To: <54F8B306.1080301@redhat.com>
References: <54F8B306.1080301@redhat.com>
From: Paul Pluzhnikov
Date: Thu, 5 Mar 2015 20:33:09 -0800
Message-ID:
Subject: Re: [patch] Fix for BZ #18043 buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
To: "Carlos O'Donell"
Cc: GLIBC Devel

On Thu, Mar 5, 2015 at 11:48 AM, Carlos O'Donell wrote:
> OK to commit as long as you verified that test case fails before
> and passes afterwards on at least x86_64.

It doesn't. To make it fail I would have to mmap two pages, mprotect the second, and place the string at the end of the first page... which is quite a bit of code. Must I do that?

I guess if we hope to catch any regression here, I must...

Attached patch is verified to fail posix/wordexp-test with expected SIGSEGV due to overflow before the fix, and pass after.

2015-03-05  Paul Pluzhnikov

	[BZ #18043]
	* posix/wordexp.c (parse_param): Fix buffer overflow.
	* posix/wordexp-test.c (do_bz18043): Add test case.

diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c index 8a312e0..c928438 100644 --- a/posix/wordexp-test.c +++ b/posix/wordexp-test.c @@ -17,6 +17,7 @@ #include #include +#include #include #include #include @@ -249,6 +250,31 @@ command_line_test (const char *words) printf ("we_wordv[%d] = \"%s\"\n", i, we.we_wordv[i]); } +static int +do_bz18043 (void) +{ + const int pagesize = getpagesize (); + char *start = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE, + MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + + if (start == MAP_FAILED) + return 1; + + if (mprotect (start + pagesize, pagesize, PROT_NONE)) + return 2; + + const char word[] = "${"; + char *word_start = start + pagesize - sizeof (word); + memcpy (word_start, word, sizeof (word)); + + wordexp_t w; + wordexp (word_start, &w, 0); + + munmap (start, 2 * pagesize); + + return 0; +} + int main (int argc, char *argv[]) { @@ -370,6 +396,9 @@ main (int argc, char *argv[]) printf ("tests failed: %d\n", fail); + if (do_bz18043 ()) + ++fail; + return fail != 0; } diff --git a/posix/wordexp.c b/posix/wordexp.c index e3d8d6b..1c14401 100644
--- a/posix/wordexp.c +++ b/posix/wordexp.c @@ -1299,7 +1299,7 @@ parse_param (char **word, size_t *word_length, size_t *max_length, } while (isdigit(words[++*offset])); } - else if (strchr ("*@$", words[*offset]) != NULL) + else if (words[*offset] != '\0' && strchr ("*@$", words[*offset]) != NULL) { /* Special parameter. */ special = 1;
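Review bot: in the do_bz18043 hunk the return value of wordexp is discarded, so the test only fails while the overread still SIGSEGVs and checks nothing once the fix is in. wordexp is not expected to succeed on the unterminated "${" (WRDE_SYNTAX is the documented code for an unbalanced brace), so something like `if (wordexp (word_start, &w, 0) != WRDE_SYNTAX) return 3;` keeps the case meaningful after the crash is gone. The early returns on mmap and mprotect failure print nothing, and the mprotect path leaves the mapping in place; a perror and a munmap before returning would make a spurious failure diagnosable. The placement itself is right: sizeof (word) is 3, so the terminating NUL is the last byte of the first page and a read one past it lands in the PROT_NONE page.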
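Review bot: in the main hunk do_bz18043 is called after `printf ("tests failed: %d\n", fail);`, so a failure of this case changes the exit status but is not included in the printed count and produces no diagnostic of its own. Move the call above the printf, or have the failure path print which of the return codes (1, 2) was hit, so a red run in the test log points at this case.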
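Review bot: the added `words[*offset] != '\0' &&` guard in parse_param is the right fix and deserves a one-line comment, because the reason is easy to miss: strchr (s, '\0') returns a pointer to s's terminator, so the old condition was true at end of input, the NUL was classified as a special parameter, and the parser advanced past the end of the string. The preceding isdigit branch needs no change since isdigit ('\0') is false. Worth checking whether other `strchr (..., words[...])` tests in wordexp.c rely on the same terminator-excluding assumption.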