bug-make

[bug #59881] Segmentation Fault through manipulated Makefile


From: anonymous
Subject: [bug #59881] Segmentation Fault through manipulated Makefile
Date: Fri, 15 Jan 2021 08:18:55 -0500 (EST)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15

URL:
  <https://savannah.gnu.org/bugs/?59881>

                 Summary: Segmentation Fault through manipulated Makefile
                 Project: make
            Submitted by: None
            Submitted on: Fri 15 Jan 2021 01:18:53 PM UTC
                Severity: 3 - Normal
              Item Group: Bug
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
       Component Version: SCM
        Operating System: None
           Fixed Release: None
           Triage Status: None

    _______________________________________________________

Details:

I found another bug which causes a segfault when reading with "make -f min".

The issue is this line:
https://github.com/mirror/make/blob/master/src/file.c#L528

There the value of "o" is smaller than "buffer" which causes an integer
underflow and a very large "len" value. When now calling "strcache_add_len"
the memcpy has such a large length that it actually tries to write to a value
below the stack:
https://github.com/mirror/make/blob/master/src/strcache.c#L248

I hadn't the time to check if there is a previous root cause which could be
detected sooner, but one fix (at least for that example) would be to just
check if "o" is smaller than "buffer".

On this example I am not sure if it is possible to exploit. This could be
potentially upgraded to an arbitrary write primitive to execute code. I know
there are easier ways to execute code (since it is a makefile), but it could
be a way to hide malware within the Makefile of open source projects.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Fri 15 Jan 2021 01:18:53 PM UTC  Name: min  Size: 206B   By: None

<http://savannah.gnu.org/bugs/download.php?file_id=50723>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?59881>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
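
The length wrap-around described in the report, and the "o" below "buffer" check it proposes, as an added example that is not part of the original message and is not GNU make's code. The function names, the `store` array and its contents are hypothetical, constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked: if o is below buffer, the negative difference wraps to a huge size_t. */
size_t span_len_unchecked(const char *buffer, const char *o)
{
    return (size_t)(o - buffer);
}

/* Checked: copy [buffer, o) into dst, refusing a cursor below buffer or a
   span that does not fit. Returns the copied length, or -1 on rejection. */
int copy_span(char *dst, size_t dstsz, const char *buffer, const char *o)
{
    if (dstsz == 0 || o < buffer)
        return -1;
    size_t len = (size_t)(o - buffer);
    if (len > dstsz - 1)
        return -1;
    memcpy(dst, buffer, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed input: "buffer" starts 16 bytes into a larger array, so a
   cursor 3 bytes below it is still a valid pointer to compare and subtract. */
static char store[64] = "0123456789abcdefTARGET: deps";
static char demo_out[32];

size_t demo_wrapped_len(void)
{
    const char *buffer = store + 16;
    return span_len_unchecked(buffer, buffer - 3);
}

int demo_copy(ptrdiff_t cursor_offset)
{
    const char *buffer = store + 16;
    return copy_span(demo_out, sizeof demo_out, buffer, buffer + cursor_offset);
}

int main(void)
{
    printf("unchecked len with cursor below buffer: %zu\n", demo_wrapped_len());
    printf("checked copy, cursor below buffer: %d\n", demo_copy(-3));
    printf("checked copy, cursor 6 bytes in: %d\n", demo_copy(6));
    return 0;
}
```

The upper bound on `len` is a second guard added in this example; the report itself only proposes the lower-bound check.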



