Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 541542 (CVE-2015-8984) - <sys-libs/glibc-2.21-r1: buffer overflow (read past end of buffer) in internal_fnmatch
Summary: <sys-libs/glibc-2.21-r1: buffer overflow (read past end of buffer) in interna...
Status: RESOLVED FIXED
Alias: CVE-2015-8984
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-27 17:09 UTC by Agostino Sarubbo
Modified: 2017-02-15 07:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-02-27 17:09:02 UTC
From ${URL} :

#include <fnmatch.h>
#include <string.h>
int main(int argc, const char* argv[]) {
  const char text[] = {44, 92, 91, 44, 91, 46, 0};
  const char p[] = {91, 44, 91, 46, 0};
  const char *Pat = strdup(p);
  fnmatch(Pat, text, 0);
}

gcc -g fn2.c && valgrind ./a.out # 2.19

==32342== Invalid read of size 1
==32342==    at 0x4EFEF92: internal_fnmatch (fnmatch_loop.c:965)
==32342==    by 0x4EFFF71: fnmatch@@GLIBC_2.2.5 (fnmatch.c:458)
==32342==    by 0x400663: main (fn2.c:7)
==32342==  Address 0x51fc045 is 0 bytes after a block of size 5 alloc'd
==32342==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==32342==    by 0x4EBF3C9: strdup (strdup.c:42)
==32342==    by 0x400647: main (fn2.c:6)

Reproduced on 2.19 and on fresh trunk; 
initially found with an experimental AddressSanitizer build of glibc and
a coverage guided fuzzer. 

# trunk

==32737==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff5 at pc 0x7f0bc10c9588 bp 0x7fff4676fef0 sp 0x7fff4676fee8
READ of size 1 at 0x60200000eff5 thread T0
    #0 0x7f0bc10c9587 in internal_fnmatch posix/./fnmatch_loop.c:951:8
    #1 0x7f0bc10b3014 in __GI_fnmatch posix/fnmatch.c:458:10
    #2 0x4c1e3f in main

0x60200000eff5 is located 0 bytes to the right of 5-byte region [0x60200000eff0,0x60200000eff5)
allocated by thread T0 here:
    #0 0x48d23c in __interceptor_strdup 
    #1 0x4c1dfe in main


See also https://sourceware.org/bugzilla/show_bug.cgi?id=17062 -- a different bug somewhere similar.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-03 04:46:19 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
Andreas Schwab 
2015-02-26 15:14:58 UTC
Fixed in 2.22.
Comment 2 SpanKY gentoo-dev 2015-07-21 03:49:10 UTC
this has been fixed for glibc 2.22 and 2.21.1, and i've backported it to our glibc 2.21-r1 ebuild.  but that's just now hitting ~arch so it'll be a little while before we can stabilize.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-02-17 15:38:52 UTC
This issue was resolved and addressed in
 GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02
by GLSA coordinator Tobias Heinlein (keytoaster).