This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 123343 - libia32x.so does not check size of env var before copying it to local var
libia32x.so does not check size of env var before copying it to local var
Status: CLOSED RAWHIDE
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: ia32el (Show other bugs)
3.0
ia64 Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-05-17 07:55 EDT by Yoav Zach
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-11-18 04:43:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
check the size of env variable before copying it into a local var (4.67 KB, patch)
2004-05-17 07:57 EDT, Yoav Zach
no flags Details | Diff

  None (edit)
Description Yoav Zach 2004-05-17 07:55:57 EDT
Description of problem:
in development mode, libia32x.so copies the contents of HOME 
environment variable into a local variable. this is done without 
ensuring that the local buffer is big enough for that operation.
in development mode **ONLY**, this can result with buffer overrun.

Version-Release number of selected component (if applicable):
4600

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
this problem is only in development mode. in production mode - the 
makefile ensures that this piece of code is never built by setting 
the SYSBTG variable.
Comment 1 Yoav Zach 2004-05-17 07:57:25 EDT
Created attachment 100270 [details]
check the size of env variable before copying it into a local var

this patch goes on top of fix_fast_syscall.patch which was submitted to bug
#123341
Comment 2 Yoav Zach 2004-11-16 03:02:22 EST
this is fixed in v5. i believe it should be closed.

Note You need to log in before you can comment on or make changes to this bug.