Bug 1340757 - [abrt] off-by-one error in curl's URL globbing causes SIGSEGV
Summary: [abrt] off-by-one error in curl's URL globbing causes SIGSEGV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: curl
Version: 23
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:ae8d6b99da752ac0e4816514054...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-05-30 08:57 UTC by Romain Coltel
Modified: 2016-06-18 18:46 UTC (History)
2 users (show)

Fixed In Version: curl-7.49.1-2.fc25 curl-7.43.0-7.fc23 curl-7.47.1-5.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-07 01:23:35 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
File: backtrace (12.11 KB, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: cgroup (200 bytes, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: core_backtrace (1.83 KB, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: dso_list (3.06 KB, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: environ (4.51 KB, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: exploitable (82 bytes, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: limits (1.29 KB, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: maps (14.86 KB, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: mountinfo (3.46 KB, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: namespaces (85 bytes, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: open_fds (244 bytes, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: proc_pid_status (1.05 KB, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details
File: var_log_messages (297 bytes, text/plain)
2016-05-30 08:57 UTC, Romain Coltel
no flags Details

Description Romain Coltel 2016-05-30 08:57:21 UTC
Description of problem:
Just run the following command on a Fedora 23:
curl "`perl -e 'print "{a}" x 101'`"

Version-Release number of selected component:
curl-7.43.0-6.fc23

Additional info:
reporter:       libreport-2.6.4
backtrace_rating: 4
cmdline:        curl {a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}{a}
crash_function: strlen
executable:     /usr/bin/curl
global_pid:     19218
kernel:         4.4.9-300.fc23.x86_64
runlevel:       N 5
type:           CCpp
uid:            1001

Truncated backtrace:
Thread no. 1 (7 frames)
 #0 strlen at ../sysdeps/x86_64/strlen.S:106
 #1 __strdup at strdup.c:41
 #2 glob_set at tool_urlglob.c:132
 #3 glob_parse at tool_urlglob.c:391
 #4 glob_url at tool_urlglob.c:435
 #5 operate_do at tool_operate.c:452
 #6 operate at tool_operate.c:1881

Comment 1 Romain Coltel 2016-05-30 08:57:28 UTC
Created attachment 1162717 [details]
File: backtrace

Comment 2 Romain Coltel 2016-05-30 08:57:29 UTC
Created attachment 1162718 [details]
File: cgroup

Comment 3 Romain Coltel 2016-05-30 08:57:31 UTC
Created attachment 1162719 [details]
File: core_backtrace

Comment 4 Romain Coltel 2016-05-30 08:57:34 UTC
Created attachment 1162720 [details]
File: dso_list

Comment 5 Romain Coltel 2016-05-30 08:57:36 UTC
Created attachment 1162721 [details]
File: environ

Comment 6 Romain Coltel 2016-05-30 08:57:38 UTC
Created attachment 1162722 [details]
File: exploitable

Comment 7 Romain Coltel 2016-05-30 08:57:40 UTC
Created attachment 1162723 [details]
File: limits

Comment 8 Romain Coltel 2016-05-30 08:57:42 UTC
Created attachment 1162724 [details]
File: maps

Comment 9 Romain Coltel 2016-05-30 08:57:44 UTC
Created attachment 1162725 [details]
File: mountinfo

Comment 10 Romain Coltel 2016-05-30 08:57:46 UTC
Created attachment 1162726 [details]
File: namespaces

Comment 11 Romain Coltel 2016-05-30 08:57:48 UTC
Created attachment 1162727 [details]
File: open_fds

Comment 12 Romain Coltel 2016-05-30 08:57:49 UTC
Created attachment 1162728 [details]
File: proc_pid_status

Comment 13 Romain Coltel 2016-05-30 08:57:51 UTC
Created attachment 1162729 [details]
File: var_log_messages

Comment 14 Kamil Dudka 2016-05-30 09:54:39 UTC
Thank you for reporting the bug!  It looks like an obvious off-by-one error:

--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -400,9 +400,9 @@ static CURLcode glob_parse(URLGlob *glob, char *pattern,
         break;
       }
     }

-    if(++glob->size > GLOB_PATTERN_NUM)
+    if(++glob->size >= GLOB_PATTERN_NUM)
       return GLOBERROR("too many globs", pos, CURLE_URL_MALFORMAT);
   }
   return res;
 }

There is a risk that the issue has impact on security.  Please do not share it publicly until it is properly investigated.  I will notify curl upstream about this.

Comment 16 Kamil Dudka 2016-06-03 11:12:14 UTC
upstream commit:

https://github.com/curl/curl/commit/584d0121

Comment 17 Kamil Dudka 2016-06-03 11:40:05 UTC
fixed in curl-7.49.1-2.fc25

Comment 18 Fedora Update System 2016-06-03 12:51:51 UTC
curl-7.43.0-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-828d573a0f

Comment 19 Fedora Update System 2016-06-03 12:51:59 UTC
curl-7.47.1-5.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2b2eafcf2f

Comment 20 Fedora Update System 2016-06-04 18:26:11 UTC
curl-7.47.1-5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2b2eafcf2f

Comment 21 Fedora Update System 2016-06-05 03:58:31 UTC
curl-7.43.0-7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-828d573a0f

Comment 22 Fedora Update System 2016-06-07 01:23:32 UTC
curl-7.43.0-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2016-06-18 18:46:01 UTC
curl-7.47.1-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.