[Bug glob/25414] New: 'glob' use-after-free bug

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25414

            Bug ID: 25414
           Summary: 'glob' use-after-free bug
           Product: glibc
           Version: 2.30
            Status: NEW
          Severity: normal
          Priority: P2
         Component: glob
          Assignee: unassigned at sourceware dot org
          Reporter: eggert at cs dot ucla.edu
  Target Milestone: ---

Created attachment 12218
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12218&action=edit
patch for use-after-free bug in 'glob'

There's a use-after-free bug in 'glob', reported against Gnulib here:

https://lists.gnu.org/r/bug-gnulib/2020-01/msg00102.html

Proposed (but untested) glibc patch attached.

--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Bruno Haible <bruno at clisp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bruno at clisp dot org

--- Comment #1 from Bruno Haible <bruno at clisp dot org> ---
Created attachment 12219
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12219&action=edit
simpler patch for use-after-free bug in glob

The attached patch fixes the same bug, and is a little simpler.

[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #2 from Bruno Haible <bruno at clisp dot org> ---
Explanation of the bug:
  - end_name is part of dirname,
  - dirname is freed,
  - after dirname is freed, the code still accesses end_name.

The fix is to store the dirname to be freed in a different variable, and free
it a bit later, after the code has finished looking at end_name.

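The lifetime problem described in the comment above, as an added C example that is not glibc's code and not the patch attached to the bug: the pattern is copied into a heap buffer (`dirname`), `end_name` is derived as a pointer into that buffer, and the buffer is released only after the last read of `end_name`. The `lookup_home` table is a constructed stand-in for `getpwnam()`, and `old_dirname` is this example's own name for the "different variable" the fix introduces; the names `dirname` and `end_name` follow the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for getpwnam(): maps a user name of LEN bytes to a
   home directory, so the example runs offline and deterministically. */
static const char *lookup_home(const char *name, size_t len)
{
    static const struct { const char *name; const char *home; } table[] = {
        { "alice", "/home/alice" },
        { "root",  "/root" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strlen(table[i].name) == len && memcmp(table[i].name, name, len) == 0)
            return table[i].home;
    return NULL;
}

/* Expand a leading "~user" in PATTERN and return a malloc'd result, or NULL
   if PATTERN has no "~user" prefix or the user is unknown.  The names
   dirname / end_name follow bug 25414; old_dirname is this example's own. */
char *expand_tilde_user(const char *pattern)
{
    if (pattern[0] != '~' || pattern[1] == '\0' || pattern[1] == '/')
        return NULL;                     /* "~" and "~/x" are not the ~user case */

    /* dirname: a heap copy of the pattern.  glibc uses alloca for short
       patterns and malloc for long ones; the heap copy is what makes a stale
       pointer observable with a sanitizer. */
    size_t pat_len = strlen(pattern);
    char *dirname = malloc(pat_len + 1);
    if (dirname == NULL)
        return NULL;
    memcpy(dirname, pattern, pat_len + 1);

    /* end_name points INTO dirname: at the '/' that ends the user name, or
       at the terminating NUL when no path follows the user name. */
    char *end_name = strchr(dirname, '/');
    if (end_name == NULL)
        end_name = dirname + pat_len;

    const char *home_dir = lookup_home(dirname + 1, (size_t)(end_name - dirname - 1));
    if (home_dir == NULL) {
        free(dirname);
        return NULL;
    }

    /* Bug 25414: the original code freed dirname at this point and then read
       end_name, a pointer into the freed block, to append the rest of the
       pattern.  The fix keeps the buffer in a separate variable and frees it
       only after the last read of end_name below. */
    char *old_dirname = dirname;
    size_t home_len = strlen(home_dir);
    size_t rest_len = strlen(end_name);
    char *newp = malloc(home_len + rest_len + 1);
    if (newp == NULL) {
        free(old_dirname);
        return NULL;
    }
    memcpy(newp, home_dir, home_len);
    memcpy(newp + home_len, end_name, rest_len + 1);   /* last use of end_name */
    free(old_dirname);                                 /* now safe to release */
    return newp;
}

/* Returns 1 if PATTERN expands to EXPECTED (or both are NULL), else 0. */
int check_expansion(const char *pattern, const char *expected)
{
    char *got = expand_tilde_user(pattern);
    int ok = (got == NULL) ? (expected == NULL)
                           : (expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void)
{
    const char *patterns[] = { "~alice/src/*.c", "~root", "~nobody/x", "/etc/*" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        char *r = expand_tilde_user(patterns[i]);
        printf("%-16s -> %s\n", patterns[i], r ? r : "(not expanded)");
        free(r);
    }
    return 0;
}
```

Moving the `free(old_dirname)` call above the second `memcpy` reproduces the ordering the report describes; building with `-fsanitize=address` then flags the read through `end_name` as a heap-use-after-free, which is the quickest way to confirm a backport carries the fix.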

[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com


[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

tejesh.opensrc at gmail dot com <tejesh.opensrc at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tejesh.opensrc at gmail dot com


[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Andreas Schwab <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c

commit ddc650e9b3dc916eab417ce9f79e67337b05035c
Author: Andreas Schwab <[hidden email]>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.


[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Andreas Schwab <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.31

--- Comment #4 from Andreas Schwab <[hidden email]> ---
Fixed in 2.31.


[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Andreas Schwab <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|2.31                        |2.32

--- Comment #5 from Andreas Schwab <[hidden email]> ---
Fixed in 2.32.


[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com
              Flags|                            |security+


[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #6 from Carlos O'Donell <carlos at redhat dot com> ---
It is a security issue that the glob function has a use-after-free. Marking
security+.


[Bug glob/25414] 'glob' use-after-free bug

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2020-1752


[Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|'glob' use-after-free bug   |'glob' use-after-free bug
                   |                            |(CVE-2020-1752)


[Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Salvatore Bonaccorso <carnil at debian dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carnil at debian dot org


[Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

Florian Weimer <fw at deneb dot enyo.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fw at deneb dot enyo.de

--- Comment #7 from Florian Weimer <fw at deneb dot enyo.de> ---
How exploitable is this bug in glibc, given its tendency to use alloca for
these allocations? Even with a huge user home directory (which needs malloc),
the previous string seems to be allocated on the stack.

I've confirmed that the bug goes back to at least glibc 2.19.


[Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #8 from Florian Weimer <fw at deneb dot enyo.de> ---
I bisected this bug down to:

commit f2962a71959fd254a7a223437ca4b63b9e81130c
Author: Ulrich Drepper <[hidden email]>
Date:   Sun May 22 23:04:16 2011 -0400

    Add a few more alloca size checks

It went into glibc 2.14.


[Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by Patricia Franklin
<[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ab029a2801d4ddfeade8f64a6e46ee7e47fde710

commit ab029a2801d4ddfeade8f64a6e46ee7e47fde710
Author: Andreas Schwab <[hidden email]>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)


[Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #10 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.30/master branch has been updated by Patricia Franklin
<[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=da97c6b88eb03fb834e92964b0895c2ac8d61f63

commit da97c6b88eb03fb834e92964b0895c2ac8d61f63
Author: Andreas Schwab <[hidden email]>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)


[Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #11 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.29/master branch has been updated by Patricia Franklin
<[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9aaebaf805f24ae10e0bfad332d6d5eabd58c451

commit 9aaebaf805f24ae10e0bfad332d6d5eabd58c451
Author: Andreas Schwab <[hidden email]>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)


[Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #12 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Aurelien Jarno <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=39a05214fe14ff722d4d92e697fb71ff15e84e70

commit 39a05214fe14ff722d4d92e697fb71ff15e84e70
Author: Aurelien Jarno <[hidden email]>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)


[Bug glob/25414] 'glob' use-after-free bug (CVE-2020-1752)

https://sourceware.org/bugzilla/show_bug.cgi?id=25414

--- Comment #13 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by Aurelien Jarno
<[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3937f6806d9de4bbd25ff6e6dc4df8f47ad47573

commit 3937f6806d9de4bbd25ff6e6dc4df8f47ad47573
Author: Aurelien Jarno <[hidden email]>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)

    (cherry picked from commit 39a05214fe14ff722d4d92e697fb71ff15e84e70)
