bug-gnustep

[bug #52331] use-after-free in the privateSetLocale function


From: Yavor Doganov
Subject: [bug #52331] use-after-free in the privateSetLocale function
Date: Thu, 2 Nov 2017 11:21:32 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

URL:
  <http://savannah.gnu.org/bugs/?52331>

                 Summary: use-after-free in the privateSetLocale function
                 Project: GNUstep
            Submitted by: yavor
            Submitted on: Thu 02 Nov 2017 05:21:30 PM EET
                Category: Base/Foundation
                Severity: 3 - Normal
              Item Group: Bug
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

Jakub Wilk <jwilk@jwilk.net> reports via Debian (#880575):

GNUstep Base 1.25.0
Architecture: i386 (x86)

The privateSetLocale() function can use memory that has been already freed:

$ valgrind -q -- ./test-locale
  ==9722== Invalid read of size 1
  ==9722==    at 0x48313D8: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==9722==    by 0x4A5FD89: _i_NSString__initWithCString_encoding_ (NSString.m:1246)
  ==9722==    by 0x4A5CAB3: _c_NSString__stringWithCString_encoding_ (NSString.m:954)
  ==9722==    by 0x48E2897: privateSetLocale (GSLocale.m:75)
  ==9722==    by 0x48E37CB: GSDefaultLanguageLocale (GSLocale.m:330)
  ==9722==    by 0x4A9BFCC: systemLanguages (NSUserDefaults.m:375)
  ==9722==    by 0x4A9BFCC: newLanguages (NSUserDefaults.m:397)
  ==9722==    by 0x4A9DF6D: _c_NSUserDefaults__standardUserDefaults (NSUserDefaults.m:928)
  ==9722==    by 0x10878E: main (test-locale.m:10)
  ==9722==  Address 0x7a78688 is 0 bytes inside a block of size 181 free'd
  ==9722==    at 0x482F478: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==9722==    by 0x4E9CE77: setname (setlocale.c:201)
  ==9722==    by 0x4E9CE77: setlocale (setlocale.c:456)
  ==9722==    by 0x4B0D13D: GSPrivateNativeCStringEncoding (Unicode.m:2862)
  ==9722==    by 0x48E2891: privateSetLocale (GSLocale.m:75)
  ==9722==    by 0x48E37CB: GSDefaultLanguageLocale (GSLocale.m:330)
  ==9722==    by 0x4A9BFCC: systemLanguages (NSUserDefaults.m:375)
  ==9722==    by 0x4A9BFCC: newLanguages (NSUserDefaults.m:397)
  ==9722==    by 0x4A9DF6D: _c_NSUserDefaults__standardUserDefaults (NSUserDefaults.m:928)
  ==9722==    by 0x10878E: main (test-locale.m:10)
  ==9722==  Block was alloc'd at
  ==9722==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==9722==    by 0x4E9C998: new_composite_name (setlocale.c:172)
  ==9722==    by 0x4E9CF49: setlocale (setlocale.c:378)
  ==9722==    by 0x108742: main (test-locale.m:8)

This happens because it calls setlocale twice; once directly:

 clocale = setlocale(category, clocale);

and then again indirectly: ToString -> GSPrivateNativeCStringEncoding -> setlocale.

The other call invalidates the clocale pointer, as allowed by POSIX:
"The returned string pointer might be invalidated or the string content
might be overwritten by a subsequent call to setlocale()."

Attaching the test program.  (FWIW, I can't reproduce on x86 and x86_64.)
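The pattern the report describes, next to the usual fix (copy the string while the pointer is still valid), as an added example in plain C. This is editorial example code, not GNUstep's; native_ctype_name() is an assumed stand-in for the indirect setlocale() call inside GSPrivateNativeCStringEncoding(), and the LC_NUMERIC=C / LANG=en_US.UTF-8 hint for reproducing is an assumption about how to obtain a heap-allocated composite locale name with glibc.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in (not GNUstep's code) for the indirect call in the report:
 * GSPrivateNativeCStringEncoding() itself calls setlocale().  Any call that
 * sets a category may free or overwrite the string an earlier setlocale()
 * returned, which is exactly what the quoted POSIX text permits. */
static const char *native_ctype_name(void)
{
    return setlocale(LC_CTYPE, "");
}

/* Shape of the bug: keep the pointer setlocale() returned, call setlocale()
 * again (indirectly), then read through the old pointer.  With a plain "C"
 * locale glibc hands back static storage and this looks fine; with a
 * per-category (composite) locale the name lives on the heap and the second
 * call frees it, giving the "Invalid read" inside strlen() from the trace. */
static size_t locale_name_len_unsafe(int category, const char *wanted)
{
    const char *clocale = setlocale(category, wanted);
    if (clocale == NULL)
        return 0;
    (void)native_ctype_name();   /* second setlocale(): may invalidate clocale */
    return strlen(clocale);      /* read after possible free */
}

/* Local copy helper so the example does not depend on strdup() being
 * declared under a strict -std= setting. */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Fix: snapshot the name while the pointer is still valid, before anything
 * else can call setlocale().  Caller owns the copy and must free() it. */
static char *locale_name_safe(int category, const char *wanted)
{
    const char *clocale = setlocale(category, wanted);
    if (clocale == NULL)
        return NULL;
    char *copy = copy_string(clocale);
    if (copy == NULL)
        return NULL;
    (void)native_ctype_name();   /* later setlocale() calls cannot touch copy */
    return copy;
}

int main(void)
{
    /* Like the attached test program, start from the environment's locale so
     * a mixed LANG/LC_* setting yields a composite (heap-allocated) name. */
    char *name = locale_name_safe(LC_ALL, "");
    if (name == NULL) {
        fprintf(stderr, "setlocale(LC_ALL, \"\") failed\n");
        return 1;
    }
    printf("LC_ALL: %s\n", name);
    free(name);

    /* Unsafe variant: run under valgrind with a composite locale (assumed
     * recipe: LC_NUMERIC=C LANG=en_US.UTF-8) to see the invalid read. */
    printf("unsafe strlen: %zu\n", locale_name_len_unsafe(LC_ALL, ""));
    return 0;
}
```

The point is that the copy, not the libc-owned pointer, is what gets handed on to whatever builds the NSString; only the copied version is asserted on, since the unsafe one is undefined behaviour and may appear to work in a plain "C" locale.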



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Thu 02 Nov 2017 05:21:30 PM EET  Name: test-locale.m  Size: 281B   By: yavor
Test program supposed to demonstrate the bug
<http://savannah.gnu.org/bugs/download.php?file_id=42321>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?52331>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
