Bug 85917 - buffer overrun in _dl_important_hw_caps
buffer overrun in _dl_important_hw_caps
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
9
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-03-10 15:22 EST by John Reiser
Modified: 2016-11-24 09:53 EST (History)
1 user (show)

See Also:
Fixed In Version: 2.3.2-27.9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-17 01:41:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Reiser 2003-03-10 15:22:32 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
When there is only one important hardware capability, then the terminating slash
'/' is stored beyond the the end of a malloc()ed block.

The bug [fix] is at line 334; the existing overrun occurs at line 356:
-----sysdeps/generic/dl-sysdep.c line 332
  /* Determine the total size of all strings together.  */
  if (cnt == 1)
    total = temp[0].len;   /* BUG: forgot +1 */
  else
    {
      total = (1UL << (cnt - 2)) * (temp[0].len + temp[cnt - 1].len + 2);
      for (n = 1; n + 1 < cnt; ++n)
        total += (1UL << (cnt - 3)) * (temp[n].len + 1);
    }

  /* The result structure: we use a very compressed way to store the
     various combinations of capability names.  */
  *sz = 1 << cnt;
  result = (struct r_strlenpair *) malloc (*sz * sizeof (*result) + total);
  if (result == NULL)
    goto no_memory;

  if (cnt == 1)
    {
      result[0].str = (char *) (result + *sz);
      result[0].len = temp[0].len + 1; 
      result[1].str = (char *) (result + *sz);
      result[1].len = 0;
      cp = __mempcpy ((char *) (result + *sz), temp[0].str, temp[0].len);
      *cp = '/';   /* OVERRUN here */
-----


Version-Release number of selected component (if applicable):
Source is glibc-2.3.1-20021219

How reproducible:
Always

Steps to Reproduce:
1.Run any program using ld-linux.so.2 on a machine with only one important
hardware capability.  Total capability of 0x383f9ff, from a i686 (PentiumIII
Mobile) seems to be such a box.
2.
3.
    

Actual Results:  Terminating '/' is stored beyond the end of a malloc()ed block.

Expected Results:  Terminating '/' is stored within the malloc()ed block.

Additional info:
Comment 1 Ulrich Drepper 2003-04-17 01:41:04 EDT
This has been fixed some time ago in the glibc CVS version and should already be
in glibc 2.3.2-27.9.

Note You need to log in before you can comment on or make changes to this bug.