[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bash buffer overflow in handling locale environment variables
From: |
Trammell Hudson |
Subject: |
bash buffer overflow in handling locale environment variables |
Date: |
Thu, 30 Apr 2015 18:13:48 +0000 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu'
-DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/local/share/locale' -DPACKAGE='bash'
-DSHELL -DHAVE_CONFIG_H -I. -I.. -I../include -I../lib -g -O2
uname output: Linux hsthudson.aoa.twosigma.com 3.4.86-ts2 #3 SMP Wed Apr 9
03:28:16 GMT 2014 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu
Bash Version: 4.3
Patch Level: 30
Release Status: release
Description:
Overly long LC_ALL or LC_CTYPE variables can cause a buffer overflow
in converting 32-bit unicode characters. The stub_charset() function
calls strcpy() into a static 40-byte buffer for the charset, which
can be overflowed if the charset portion of LC_CTYPE contains more
than 40 characters.
If bash is not built with -D_FORTIFY_SOURCE, it might be possible to use
this to bug to cause malicious code execution.
Repeat-By:
LC_ALL="foo.1234567890123456789012345678901234567890" \
./bash -c 'echo -e "\Udeadbeef\n"'
./bash: warning: setlocale: LC_ALL: cannot change locale
(foo.1234567890123456789012345678901234567890)
*** buffer overflow detected ***: ./bash terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f4d49ad3b87]
/lib/libc.so.6[0x7f4d49ad2b30]
./bash(u32cconv+0x22e)[0x49b9ae]
./bash(ansicstr+0x53b)[0x49991b]
./bash(echo_builtin+0xc3)[0x47d1d3]
./bash[0x436ac3]
./bash[0x43abfc]
./bash[0x43be5b]
./bash(execute_command_internal+0xca0)[0x4384f0]
./bash(parse_and_execute+0x36b)[0x47ecab]
./bash[0x423004]
./bash(main+0xa22)[0x424022]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f4d499faabd]
./bash[0x4224c9]
Fix:
Use strncpy() in place of strcpy() in lib/sh/unicode.c:
--- /tmp/bash-4.3.30/lib/sh/unicode.c 2014-01-30 21:47:19.000000000 +0000
+++ ./bash-4.3.30/lib/sh/unicode.c 2015-04-30 18:03:42.300340729 +0000
@@ -78,7 +78,8 @@
s = strrchr (locale, '.');
if (s)
{
- strcpy (charsetbuf, s+1);
+ strncpy (charsetbuf, s+1, sizeof(charsetbuf)-1);
+ charsetbuf[sizeof(charsetbuf)-1] = '\0';
t = strchr (charsetbuf, '@');
if (t)
*t = 0;
--
Trammell
- bash buffer overflow in handling locale environment variables,
Trammell Hudson <=