[bug #52331] use-after-free in the privateSetLocale function
From: Yavor Doganov
Subject: [bug #52331] use-after-free in the privateSetLocale function
Date: Thu, 2 Nov 2017 11:21:32 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
URL:
<http://savannah.gnu.org/bugs/?52331>
Summary: use-after-free in the privateSetLocale function
Project: GNUstep
Submitted by: yavor
Submitted on: Thu 02 Nov 2017 05:21:30 PM EET
Category: Base/Foundation
Severity: 3 - Normal
Item Group: Bug
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
Jakub Wilk <jwilk@jwilk.net> reports via Debian (#880575):
GNUstep Base 1.25.0
Architecture: i386 (x86)
The privateSetLocale() function can use memory that has been already freed:
$ valgrind -q -- ./test-locale
==9722== Invalid read of size 1
==9722==    at 0x48313D8: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9722==    by 0x4A5FD89: _i_NSString__initWithCString_encoding_ (NSString.m:1246)
==9722==    by 0x4A5CAB3: _c_NSString__stringWithCString_encoding_ (NSString.m:954)
==9722==    by 0x48E2897: privateSetLocale (GSLocale.m:75)
==9722==    by 0x48E37CB: GSDefaultLanguageLocale (GSLocale.m:330)
==9722==    by 0x4A9BFCC: systemLanguages (NSUserDefaults.m:375)
==9722==    by 0x4A9BFCC: newLanguages (NSUserDefaults.m:397)
==9722==    by 0x4A9DF6D: _c_NSUserDefaults__standardUserDefaults (NSUserDefaults.m:928)
==9722==    by 0x10878E: main (test-locale.m:10)
==9722==  Address 0x7a78688 is 0 bytes inside a block of size 181 free'd
==9722==    at 0x482F478: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9722==    by 0x4E9CE77: setname (setlocale.c:201)
==9722==    by 0x4E9CE77: setlocale (setlocale.c:456)
==9722==    by 0x4B0D13D: GSPrivateNativeCStringEncoding (Unicode.m:2862)
==9722==    by 0x48E2891: privateSetLocale (GSLocale.m:75)
==9722==    by 0x48E37CB: GSDefaultLanguageLocale (GSLocale.m:330)
==9722==    by 0x4A9BFCC: systemLanguages (NSUserDefaults.m:375)
==9722==    by 0x4A9BFCC: newLanguages (NSUserDefaults.m:397)
==9722==    by 0x4A9DF6D: _c_NSUserDefaults__standardUserDefaults (NSUserDefaults.m:928)
==9722==    by 0x10878E: main (test-locale.m:10)
==9722==  Block was alloc'd at
==9722==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9722==    by 0x4E9C998: new_composite_name (setlocale.c:172)
==9722==    by 0x4E9CF49: setlocale (setlocale.c:378)
==9722==    by 0x108742: main (test-locale.m:8)
This happens because it calls setlocale twice; once directly:
    clocale = setlocale(category, clocale);
and then again indirectly: ToString -> GSPrivateNativeCStringEncoding -> setlocale.
The other call invalidates the clocale pointer, as allowed by POSIX:
"The returned string pointer might be invalidated or the string content might be overwritten by a subsequent call to setlocale()."
Attaching the test program. (FWIW, I can't reproduce on x86 and x86_64.)
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Thu 02 Nov 2017 05:21:30 PM EET  Name: test-locale.m  Size: 281B  By: yavor
Test program supposed to demonstrate the bug
<http://savannah.gnu.org/bugs/download.php?file_id=42321>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?52331>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/