bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: bash buffer overflow in handling locale environment variables


From: Chet Ramey
Subject: Re: bash buffer overflow in handling locale environment variables
Date: Thu, 30 Apr 2015 16:59:47 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

On 4/30/15 2:13 PM, Trammell Hudson wrote:

> Bash Version: 4.3
> Patch Level: 30
> Release Status: release
> 
> Description:
> Overly long LC_ALL or LC_CTYPE variables can cause a buffer overflow
> in converting 32-bit unicode characters.  The stub_charset() function
> calls strcpy() into a static 40-byte buffer for the charset, which
> can be overflowed if the charset portion of LC_CTYPE contains more
> than 40 characters.
> 
> If bash is not built with -D_FORTIFY_SOURCE, it might be possible to use
> this to bug to cause malicious code execution.
> 
> 
> Repeat-By:
> LC_ALL="foo.1234567890123456789012345678901234567890" \
> ./bash -c 'echo -e "\Udeadbeef\n"'
> 
> ./bash: warning: setlocale: LC_ALL: cannot change locale 
> (foo.1234567890123456789012345678901234567890)
> *** buffer overflow detected ***: ./bash terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x37)[0x7f4d49ad3b87]
> /lib/libc.so.6[0x7f4d49ad2b30]
> ./bash(u32cconv+0x22e)[0x49b9ae]
> ./bash(ansicstr+0x53b)[0x49991b]
> ./bash(echo_builtin+0xc3)[0x47d1d3]
> ./bash[0x436ac3]
> ./bash[0x43abfc]
> ./bash[0x43be5b]
> ./bash(execute_command_internal+0xca0)[0x4384f0]
> ./bash(parse_and_execute+0x36b)[0x47ecab]
> ./bash[0x423004]
> ./bash(main+0xa22)[0x424022]
> /lib/libc.so.6(__libc_start_main+0xfd)[0x7f4d499faabd]
> ./bash[0x4224c9]
> 
> 
> Fix:
> Use strncpy() in place of strcpy() in lib/sh/unicode.c:
> 
> --- /tmp/bash-4.3.30/lib/sh/unicode.c   2014-01-30 21:47:19.000000000 +0000
> +++ ./bash-4.3.30/lib/sh/unicode.c       2015-04-30 18:03:42.300340729 +0000
> @@ -78,7 +78,8 @@
>    s = strrchr (locale, '.');
>    if (s)
>      {
> -      strcpy (charsetbuf, s+1);
> +      strncpy (charsetbuf, s+1, sizeof(charsetbuf)-1);
> +      charsetbuf[sizeof(charsetbuf)-1] = '\0';
>        t = strchr (charsetbuf, '@');
>        if (t)
>         *t = 0;

Thanks for the report; this is a good fix.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]