Hi, we have a bug in setlocale(): it writes past static char new_categories[_LC_LAST][ENCODING_LEN + 1]; in the do-while loop around line 159.
I get this backtrace

---snip---
(gdb) bt
#0  0x2816c9bc in kill () from /usr/lib/libc.so.4
#1  0x281af744 in abort () at /usr/src/lib/libc/../libc/stdlib/abort.c:73
#2  0x28171d8b in setlocale (category=0, locale=0x8d88459 "font>\",\n\n\"A new online catalog will be created based on the configuration you have specified into the CommerceLauncher.\",\n\"Et nyt on-line katalog vil blive oprettet baseret på konfigurationen du"...) at /usr/src/lib/libc/../libc/locale/setlocale.c:159
#3  0x2823715a in XS_POSIX_setlocale (cv=0x8459d44) at POSIX.xs:3250
#4  0x80a3313 in Perl_pp_entersub () at pp_hot.c:2618
#5  0x809d41a in Perl_runops_debug () at run.c:53
#6  0x805bb01 in S_run_body (oldscope=1) at perl.c:1466
#7  0x805b828 in perl_run (my_perl=0x8105030) at perl.c:1393
#8  0x805903a in main (argc=3, argv=0xbfbffbc4, env=0xbfbffbd4) at perlmain.c:52
#9  0x8058f21 in _start ()
---snip---

on a 4.6-p1 system (current seems to contain the same code) with this modification:

---snip---
(gdb) up 2
#2  0x28171d8b in setlocale (category=0, locale=0x8d88459 "font>\",\n\n\"A new online catalog will be created based on the configuration you have specified into the CommerceLauncher.\",\n\"Et nyt on-line katalog vil blive oprettet baseret på konfigurationen du"...) at /usr/src/lib/libc/../libc/locale/setlocale.c:159
159                     if (_LC_LAST == i) abort();
(gdb) list
154             } else {
155                     for (i = 1; r[1] == '/'; ++r);
156                     if (!r[1])
157                             return (NULL);  /* Hmm, just slashes... */
158                     do {
159                             if (_LC_LAST == i) abort();
160                             len = r - locale > ENCODING_LEN ? ENCODING_LEN : r - locale;
161                             (void)strncpy(new_categories[i], locale, len);
162                             new_categories[i][len] = '\0';
163                             i++;
---snip---

Yes, I know, "locale" isn't set to anything valid. I don't know if this is exploitable (is there a length check somewhere for the involved env vars? If not we are in trouble), but at least it's a nasty buffer overflow (it overwrites parts of getpwent.c:__hashpw() on this particular machine and causes a segfault in getpwuid()).
Bye, Alexander.

--
The three Rs of Microsoft support: Retry, Reboot, Reinstall.

http://www.Leidinger.net                       Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
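The defect described in the report is a loop that copies every "/"-separated component of a composite locale string into a fixed table of _LC_LAST entries without first checking that a free slot exists, so a string with more components than slots writes past the table. The following is an added example, not FreeBSD's setlocale.c, of how the same parsing can be done with the bound check inside the loop: a string with too many components is rejected before anything is written out of bounds, instead of reaching an abort() or corrupting neighbouring static data. The constants LC_LAST_ASSUMED and ENCODING_LEN_ASSUMED and the function names split_composite_locale, parse_into_table and first_component_len are assumptions made for this demo and do not come from the report.

```c
/*
 * Added example, not FreeBSD's setlocale.c: a bounds-checked parser for a
 * composite locale string "cat1/cat2/.../catN" into a fixed-size table.
 * LC_LAST_ASSUMED and ENCODING_LEN_ASSUMED are assumed values for the demo,
 * not taken from the report.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LC_LAST_ASSUMED      7   /* assumed: number of category slots, slot 0 reserved */
#define ENCODING_LEN_ASSUMED 31  /* assumed: longest category name that is kept */

/* Copies at most ENCODING_LEN_ASSUMED bytes of [s, s+n) into dst, NUL-terminated. */
static void copy_component(char *dst, const char *s, size_t n)
{
    if (n > ENCODING_LEN_ASSUMED)
        n = ENCODING_LEN_ASSUMED;   /* truncate the component, as the original loop did */
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/*
 * Splits `locale` on '/' into slots 1..nslots-1 of `out` (slot 0 is left for
 * the caller, mirroring the report's table where index 0 is the composite).
 * Returns the number of components stored, or -1 when the string is empty,
 * consists only of slashes, or carries more components than there are slots.
 * The slot check happens before the copy, so no write can leave the table.
 */
int split_composite_locale(const char *locale,
                           char out[][ENCODING_LEN_ASSUMED + 1], size_t nslots)
{
    size_t i = 1;
    const char *p = locale;

    while (*p == '/')
        ++p;
    if (*p == '\0')
        return -1;                  /* just slashes, or nothing at all */

    while (*p != '\0') {
        const char *end = p;
        while (*end != '\0' && *end != '/')
            ++end;
        if (i >= nslots)
            return -1;              /* too many components: refuse, do not overflow */
        copy_component(out[i], p, (size_t)(end - p));
        i++;
        p = end;
        while (*p == '/')
            ++p;                    /* collapse repeated slashes */
    }
    return (int)i - 1;
}

/* Convenience wrapper: parse into a local table and return the component count. */
int parse_into_table(const char *locale)
{
    char table[LC_LAST_ASSUMED][ENCODING_LEN_ASSUMED + 1];
    return split_composite_locale(locale, table, LC_LAST_ASSUMED);
}

/* Length of the first stored component, or 0 if the parse was rejected. */
size_t first_component_len(const char *locale)
{
    char table[LC_LAST_ASSUMED][ENCODING_LEN_ASSUMED + 1];
    if (split_composite_locale(locale, table, LC_LAST_ASSUMED) < 0)
        return 0;
    return strlen(table[1]);
}

int main(void)
{
    /* Constructed inputs: a valid composite and one with too many components. */
    const char *ok  = "C/C/C/C/C/C";
    const char *bad = "a/b/c/d/e/f/g/h/i/j";   /* more than LC_LAST_ASSUMED-1 parts */

    printf("%s -> %d\n", ok, parse_into_table(ok));
    printf("%s -> %d\n", bad, parse_into_table(bad));
    return 0;
}
```

The point of the wrapper functions is that the caller never hands the parser a table and a slot count that disagree; a mismatch between the two is exactly what lets a loop like the one in the report run off the end of new_categories.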