oss-sec mailing list archives

Re: CVE Request -- glibc: strcoll() integer overflow leading to buffer overflow + another alloca() stack overflow issue (upstream #14547 && #14552)


From: Florian Weimer <fweimer () redhat com>
Date: Mon, 10 Sep 2012 13:35:06 +0200

On 09/07/2012 07:29 PM, Jeff Law wrote:

If I have looked correctly, this is expected / known behaviour of
alloca() - from the manual page: [4]
http://linux.die.net/man/3/alloca

Just because it's known/expected behaviour doesn't mean it's not a
potential attack vector.  Blowing out the stack is definitely a vector
for attack:

I agree. If the frame address leaks or can be deduced, an unbounded alloca (or VLA) can be abused as a POKE. I think this might apply in this case because the writes to the allocated memory area are incremental.

--
Florian Weimer / Red Hat Product Security Team
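The "alloca as a POKE" mechanism described in the reply above, as an added worked example that is not part of the original thread and not glibc's code. It models the stack as a flat byte array with a guard page and an unrelated mapping below it (a constructed layout, not real addresses); `sim_alloca()` does what the compiler does for alloca, a bare subtraction from the stack pointer. With a known frame address an attacker chooses the size so the returned pointer lands on the target mapping, and because the buffer is filled from index 0 upward, the first stores hit the target without ever touching the guard page. The hardened variant bounds the stack allocation and falls back to the heap, following the same idea as glibc's `__libc_use_alloca()`/`__MAX_ALLOCA_CUTOFF` convention (the cutoff below is an assumption scaled to the simulated 64 KiB stack).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated address space, lowest address first (constructed layout):
 *   [target mapping][guard page][stack ... frame at the top]
 * Byte offsets into `mem` stand in for addresses. */
enum {
    TARGET_BASE = 0,                          /* e.g. a heap arena below the stack */
    TARGET_SIZE = 4096,
    GUARD_BASE  = TARGET_BASE + TARGET_SIZE,  /* kernel guard page: any touch faults */
    GUARD_SIZE  = 4096,
    STACK_BASE  = GUARD_BASE + GUARD_SIZE,
    STACK_SIZE  = 64 * 1024,
    MEM_SIZE    = STACK_BASE + STACK_SIZE,
    FRAME_ADDR  = MEM_SIZE                    /* the vulnerable function's frame */
};

static unsigned char mem[MEM_SIZE];
static size_t sp;
static bool guard_hit;

static void reset(void) { memset(mem, 0, sizeof mem); sp = FRAME_ADDR; guard_hit = false; }
bool guard_was_hit(void) { return guard_hit; }
unsigned char mem_at(size_t a) { return a < MEM_SIZE ? mem[a] : 0; }

/* alloca(): the compiler merely subtracts n from the stack pointer and
 * returns the result.  Nothing checks n against the stack limit. */
static size_t sim_alloca(size_t n) { sp -= n; return sp; }

/* One store through the returned pointer.  A touch of the guard page is the
 * SIGSEGV that makes a plain stack exhaustion "just a crash". */
static void sim_store(size_t base, size_t i, unsigned char v)
{
    size_t a = base + i;
    if (a >= GUARD_BASE && a < GUARD_BASE + GUARD_SIZE) { guard_hit = true; return; }
    if (a < MEM_SIZE) mem[a] = v;
}

/* Vulnerable pattern: n is attacker-controlled and unbounded, the buffer
 * is then filled incrementally from index 0 upward. */
static size_t vulnerable_fill(size_t n, const unsigned char *src, size_t len)
{
    size_t buf = sim_alloca(n);
    for (size_t i = 0; i < len; i++) sim_store(buf, i, src[i]);
    return buf;
}

/* Naive exhaustion: a size just over the stack lands in the guard page. */
bool crash_demo(void)
{
    static const unsigned char b[1] = { 0x41 };            /* constructed */
    reset();
    vulnerable_fill(STACK_SIZE + 1, b, sizeof b);
    return guard_hit;                                      /* true: it faulted */
}

/* POKE: knowing FRAME_ADDR, pick n so that buf == target.  The writes land in
 * the target mapping and never cross the guard page, so nothing faults. */
size_t attack_demo(void)
{
    static const unsigned char payload[4] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
    size_t target = TARGET_BASE + 0x100;
    reset();
    return vulnerable_fill(FRAME_ADDR - target, payload, sizeof payload);
}

/* Hardened pattern: cap what goes on the stack, use the heap beyond that,
 * and never write more than was requested.  Returns 1 = stack, 2 = heap,
 * 0 = rejected.  ALLOCA_CUTOFF is an assumed value for the simulated stack. */
#define ALLOCA_CUTOFF 4096
static bool use_alloca(size_t n) { return n <= ALLOCA_CUTOFF; }

int hardened_fill(size_t n, const unsigned char *src, size_t len)
{
    reset();
    if (len > n) return 0;
    if (use_alloca(n)) {
        size_t buf = sim_alloca(n);
        for (size_t i = 0; i < len; i++) sim_store(buf, i, src[i]);
        return 1;
    }
    unsigned char *heap = malloc(n);
    if (!heap) return 0;
    memcpy(heap, src, len);
    free(heap);
    return 2;
}

int main(void)
{
    printf("naive exhaustion hit guard page: %d\n", crash_demo());
    printf("attack wrote to target at %zu, guard hit: %d\n", attack_demo(), guard_was_hit());
    printf("hardened large request went to heap: %d\n",
           hardened_fill(FRAME_ADDR - 0x100, (const unsigned char *)"ab", 2));
    return 0;
}
```

The two demos differ only in the size the attacker passes: one byte too many hits the guard page and dies, while a size computed from the frame address skips over it entirely. That is why a guard page is no defence once the allocation size is unbounded and the frame address is known or guessable.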

