NetBSD-Bugs archive
lib/52400: Heap buffer overflow in libc
>Number: 52400
>Category: lib
>Synopsis: Heap buffer overflow in libc
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jul 13 18:05:00 +0000 2017
>Originator: coypu
>Release: NetBSD 8.99.1
>Organization:
>Environment:
System: NetBSD loggy 8.99.1 NetBSD 8.99.1 (GENERIC) #82: Thu Jun 22 15:45:33 IDT 2017 fly@loggy:/home/fly/obj/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
vis.c,v 1.73
>Description:
Run the following:
Code:
#include <errno.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <vis.h>
#include <wchar.h>

static void
h_mbtowc(const char *locale, const char *legal)
{
	char buf[64];	/* enough for strvis(3) of a 2-byte input (4 * len + 1) */

	setlocale(LC_ALL, "C");
	setlocale(LC_CTYPE, locale);

	/* re-initialize internal state */
	mbtowc(NULL, NULL, 0);

	/* valid multibyte sequence case */
	(void)strvis(buf, legal, VIS_WHITE | VIS_OCTAL);
}

int
main(void)
{
	/* a two-byte EUC-TW sequence the locale test treats as valid */
	h_mbtowc("zh_TW.eucTW", "\241\241");
	return 0;
}
(this is from one of the libc locale tests)
Compile:
gcc -fsanitize=address test.c; ./a.out
With a debug libc installed:
=================================================================
==8099==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dfb4 at pc 0x7f7ff6c1e4f5 bp 0x7f7fffffe630 sp 0x7f7fffffdde0
READ of size 68 at 0x60400000dfb4 thread T0
#0 0x7f7ff6c1e4f4 in __interceptor_wcslen (/usr/lib/libasan.so.1+0x1e4f4)
#1 0x7f7ff68d6603 in istrsenvisx /usr/src/lib/libc/gen/vis.c:533
#2 0x7f7ff68d685c in istrsenvisxl /usr/src/lib/libc/gen/vis.c:597
#3 0x7f7ff68d6bc1 in strvis /usr/src/lib/libc/gen/vis.c:719
#4 0x401364 in h_mbtowc (/home/fly/a.out+0x401364)
#5 0x4013d2 in main (/home/fly/a.out+0x4013d2)
#6 0x4011aa in ___start (/home/fly/a.out+0x4011aa)
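Added here as an example, not part of the PR or of NetBSD: a small Python triage helper that parses the report above (header, access line, stack frames) and returns the first frame inside the libc source tree, skipping the sanitizer interceptor at #0. The report text is embedded as the sample input; the source-root prefix passed to culprit_frame is an assumption.

```python
import re

# The AddressSanitizer report from PR 52400, embedded as sample input.
ASAN_REPORT = """\
==8099==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dfb4 at pc 0x7f7ff6c1e4f5 bp 0x7f7fffffe630 sp 0x7f7fffffdde0
READ of size 68 at 0x60400000dfb4 thread T0
    #0 0x7f7ff6c1e4f4 in __interceptor_wcslen (/usr/lib/libasan.so.1+0x1e4f4)
    #1 0x7f7ff68d6603 in istrsenvisx /usr/src/lib/libc/gen/vis.c:533
    #2 0x7f7ff68d685c in istrsenvisxl /usr/src/lib/libc/gen/vis.c:597
    #3 0x7f7ff68d6bc1 in strvis /usr/src/lib/libc/gen/vis.c:719
    #4 0x401364 in h_mbtowc (/home/fly/a.out+0x401364)
    #5 0x4013d2 in main (/home/fly/a.out+0x4013d2)
    #6 0x4011aa in ___start (/home/fly/a.out+0x4011aa)
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", re.M)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)", re.M)

def parse_asan_report(text):
    """Return pid, error kind, faulting address, access type/size and the frames."""
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    if header is None or access is None:
        raise ValueError("not an AddressSanitizer access-violation report")
    frames = [{"index": int(i), "func": f, "loc": loc} for i, f, loc in FRAME_RE.findall(text)]
    return {
        "pid": int(header.group(1)),
        "kind": header.group(2),
        "address": header.group(3),
        "access": access.group(1),
        "size": int(access.group(2)),
        "frames": frames,
    }

def culprit_frame(report, source_root):
    """First frame located in a source file under source_root (assumed prefix).
    Frame #0 is the ASan interceptor for wcslen, not the code that owns the bug."""
    for fr in report["frames"]:
        if fr["loc"].startswith(source_root):
            return fr
    return None

if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(r["kind"], r["access"], r["size"], culprit_frame(r, "/usr/src/lib/libc/"))
```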
>How-To-Repeat:
>Fix: