bug-bash

Re: bash buffer overflow in handling locale environment variables


From: Chet Ramey
Subject: Re: bash buffer overflow in handling locale environment variables
Date: Thu, 30 Apr 2015 16:59:47 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

On 4/30/15 2:13 PM, Trammell Hudson wrote:

> Bash Version: 4.3
> Patch Level: 30
> Release Status: release
> 
> Description:
> Overly long LC_ALL or LC_CTYPE variables can cause a buffer overflow
> in converting 32-bit unicode characters.  The stub_charset() function
> calls strcpy() into a static 40-byte buffer for the charset, which
> can be overflowed if the charset portion of LC_CTYPE contains more
> than 40 characters.
> 
> If bash is not built with -D_FORTIFY_SOURCE, it might be possible to use
> this bug to cause malicious code execution.
> 
> 
> Repeat-By:
> LC_ALL="foo.1234567890123456789012345678901234567890" \
> ./bash -c 'echo -e "\Udeadbeef\n"'
> 
> ./bash: warning: setlocale: LC_ALL: cannot change locale 
> (foo.1234567890123456789012345678901234567890)
> *** buffer overflow detected ***: ./bash terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x37)[0x7f4d49ad3b87]
> /lib/libc.so.6[0x7f4d49ad2b30]
> ./bash(u32cconv+0x22e)[0x49b9ae]
> ./bash(ansicstr+0x53b)[0x49991b]
> ./bash(echo_builtin+0xc3)[0x47d1d3]
> ./bash[0x436ac3]
> ./bash[0x43abfc]
> ./bash[0x43be5b]
> ./bash(execute_command_internal+0xca0)[0x4384f0]
> ./bash(parse_and_execute+0x36b)[0x47ecab]
> ./bash[0x423004]
> ./bash(main+0xa22)[0x424022]
> /lib/libc.so.6(__libc_start_main+0xfd)[0x7f4d499faabd]
> ./bash[0x4224c9]
> 
> 
> Fix:
> Use strncpy() in place of strcpy() in lib/sh/unicode.c:
> 
> --- /tmp/bash-4.3.30/lib/sh/unicode.c   2014-01-30 21:47:19.000000000 +0000
> +++ ./bash-4.3.30/lib/sh/unicode.c       2015-04-30 18:03:42.300340729 +0000
> @@ -78,7 +78,8 @@
>    s = strrchr (locale, '.');
>    if (s)
>      {
> -      strcpy (charsetbuf, s+1);
> +      strncpy (charsetbuf, s+1, sizeof(charsetbuf)-1);
> +      charsetbuf[sizeof(charsetbuf)-1] = '\0';
>        t = strchr (charsetbuf, '@');
>        if (t)
>         *t = 0;
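Review bot: the strncpy() replacement truncates silently, so a charset portion of 40 or more bytes is copied as a 39-byte prefix and then handed on as if it were the charset name; since setlocale() has already refused such a locale (see the warning in the report), it would be cleaner to reject it rather than match on a truncated name, e.g. check `if (strlen (s+1) >= sizeof (charsetbuf))` before the copy and fall back to the default charset, or copy the computed length with memcpy() and terminate. Minor: strncpy() zero-fills the remainder of the 40-byte buffer on every call, which is harmless here but makes the intent less obvious than an explicit length check.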

Thanks for the report; this is a good fix.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/
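The following is an added example, not bash's own code and not part of this thread. It reproduces the shape of the charset extraction described in the report (take the text after the last '.', cut it at any '@' modifier) into a fixed 40-byte buffer, but it bounds-checks first and fails closed instead of copying or truncating. The function names `extract_charset` and `charset_from_locale` and the sample locale strings are constructed for this example; the fourth sample is the 40-character charset from the report's Repeat-By line.

```c
#include <stdio.h>
#include <string.h>

/* Same fixed size as the static buffer in the report (assumption: the
   caller has no reason to accept a charset name longer than this). */
#define CHARSET_BUFSZ 40

/* Copy the charset portion of a locale name of the form
   "lang_REGION.CHARSET@modifier" into out.
   Returns 1 on success, 0 if there is no '.' or the charset would not
   fit in outlen bytes including the terminating NUL. On failure out is
   set to the empty string, so a caller never sees a partial name. */
int extract_charset(const char *locale, char *out, size_t outlen)
{
    const char *s, *end;
    size_t n;

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (locale == NULL)
        return 0;

    s = strrchr(locale, '.');           /* charset starts after the last '.' */
    if (s == NULL)
        return 0;
    s++;

    end = strchr(s, '@');               /* charset ends at a modifier, if any */
    n = end ? (size_t)(end - s) : strlen(s);

    /* Reject rather than truncate: a 39-byte prefix of an over-long name
       is not a meaningful charset either, and it keeps the copy below
       provably inside the buffer. */
    if (n >= outlen)
        return 0;

    memcpy(out, s, n);
    out[n] = '\0';
    return 1;
}

/* Wrapper mirroring the static-buffer style of the original: returns a
   pointer to the shared buffer, or NULL when the locale is rejected. */
const char *charset_from_locale(const char *locale)
{
    static char charsetbuf[CHARSET_BUFSZ];

    if (!extract_charset(locale, charsetbuf, sizeof charsetbuf))
        return NULL;
    return charsetbuf;
}

int main(void)
{
    /* constructed sample locale names */
    const char *cases[] = {
        "en_US.UTF-8",
        "de_DE.ISO-8859-15@euro",
        "C",
        "foo.1234567890123456789012345678901234567890",
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *cs = charset_from_locale(cases[i]);
        printf("%-48s -> %s\n", cases[i], cs ? cs : "(rejected)");
    }
    return 0;
}
```

Running it prints the extracted charset for the first two names, rejects "C" because it has no charset component, and rejects the 40-character charset from the report instead of overflowing. A 39-character charset is the longest that fits with its terminator, so the test below checks that boundary on both sides.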
