1402299 – CMSG_NXTHDR use uninitialized variable

Bug 1402299 - CMSG_NXTHDR use uninitialized variable

Summary: CMSG_NXTHDR use uninitialized variable

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	glibc
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	glibc team
QA Contact:	qe-baseos-tools-bugs
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1402300 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-07 08:36 UTC by flypig.zhu
Modified:	2019-06-20 02:26 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-20 02:26:38 UTC
Target Upstream Version:

Attachments	(Terms of Use)
testcase (783 bytes, text/plain) 2016-12-07 09:37 UTC, flypig.zhu	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Sourceware	13500	0	None	None	None	2019-06-18 03:52:49 UTC

Description flypig.zhu 2016-12-07 08:36:17 UTC

Description of problem:


Version-Release number of selected component (if applicable):
glibc-2.17

_EXTERN_INLINE struct cmsghdr *
__NTH (__cmsg_nxthdr (struct msghdr *__mhdr, struct cmsghdr *__cmsg))
{
  if ((size_t) __cmsg->cmsg_len < sizeof (struct cmsghdr))
    /* The kernel header does this so there may be a reason.  */
    return (struct cmsghdr *) 0;

  __cmsg = (struct cmsghdr *) ((unsigned char *) __cmsg
                               + CMSG_ALIGN (__cmsg->cmsg_len));
  if ((unsigned char *) (__cmsg + 1) > ((unsigned char *) __mhdr->msg_control
                                        + __mhdr->msg_controllen)
      || ((unsigned char *) __cmsg + CMSG_ALIGN (__cmsg->cmsg_len)
//__cmsg->cmsg_len is unitialized  ******************************

          > ((unsigned char *) __mhdr->msg_control + __mhdr->msg_controllen)))
    /* No more entries.  */
    return (struct cmsghdr *) 0;
  return __cmsg;
}


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Florian Weimer 2016-12-07 09:00:25 UTC

*** Bug 1402300 has been marked as a duplicate of this bug. ***

Comment 2 Florian Weimer 2016-12-07 09:27:49 UTC

This is likely a bug in application code.  We need a minimal test case which shows the problem.

Comment 3 flypig.zhu 2016-12-07 09:37:40 UTC

Created attachment 1228950 [details]
testcase

Comment 4 Florian Weimer 2016-12-07 10:15:43 UTC

The test case needs an optimization barrier.

The current version of CMSG_NXTHDR provided glibc is unsuitable for constructing a list of ancillary data because of the length check against the *next* cmsg_len header, which is indeed uninitialized at this point.

It is not clear if this is a bug.  We need to raise this upstream.

Comment 8 Carlos O'Donell 2019-06-20 02:26:38 UTC

The upstream bug has been closed RESOLVED/INVALID.

The length check in the current glibc CMSG_NXTHDR macro requires that the you are reading valid data, and the check will not be removed to facilitate setting up of lists. If you are setting up a list you must set it to some known values for the macro to work correctly e.g. memset to zero.

Note You need to log in before you can comment on or make changes to this bug.