oss-sec mailing list archives
Re: CVE Request -- glibc: strcoll() integer overflow leading to buffer overflow + another alloca() stack overflow issue (upstream #14547 && #14552)
From: Florian Weimer <fweimer () redhat com>
Date: Mon, 10 Sep 2012 13:35:06 +0200
On 09/07/2012 07:29 PM, Jeff Law wrote:
>> If I have looked correctly, this is expected / known behaviour of alloca() - from the manual page: [4] http://linux.die.net/man/3/alloca
> Just because it's known/expected behaviour doesn't mean it's not a potential attack vector. Blowing out the stack is definitely a vector for attack:
I agree. If the frame address leaks or can be deduced, an unbounded alloca (or VLA) can be abused as a POKE. I think this might apply in this case because the writes to the allocated memory area are incremental.
-- Florian Weimer / Red Hat Product Security Team
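The mitigation for the unbounded alloca() pattern discussed above, as an added example that is my own code and not glibc's: the scratch buffer is sized from untrusted input, the size arithmetic is checked before any allocation, and anything above a fixed cutoff is taken from the heap instead of the stack. The cutoff value and the function names (index_chars, index_check) are assumptions for illustration.

```c
#include <alloca.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not glibc code. Requests above this cutoff (assumed value) go to
   the heap, so an input-derived size cannot move the stack pointer arbitrarily. */
#define STACK_ALLOCA_CUTOFF 4096

/* Hypothetical worker: one 32-bit index per input character in a scratch array
   (the shape of the strcoll() buffers named in the subject). Returns the number
   of characters indexed, or -1 on size overflow or allocation failure;
   *used_heap reports which allocator was chosen. */
static long index_chars(const char *input, bool *used_heap)
{
    size_t count = strlen(input);
    /* Guard the multiplication: a wrapped product would hand alloca()/malloc()
       a buffer far smaller than the loop below writes into. */
    if (count > SIZE_MAX / sizeof(int32_t)) return -1;
    size_t need = count * sizeof(int32_t);
    int32_t *heap = NULL, *idx;
    if (need <= STACK_ALLOCA_CUTOFF) {
        idx = alloca(need);              /* bounded: never above the cutoff */
        *used_heap = false;
    } else {
        if ((heap = malloc(need)) == NULL) return -1;
        idx = heap;
        *used_heap = true;
    }
    /* Incremental writes into the scratch area, as in the discussion. */
    for (size_t i = 0; i < count; i++)
        idx[i] = (int32_t)(unsigned char)input[i];
    long done = (long)count;
    free(heap);                          /* no-op when the stack path was taken */
    return done;
}

/* Test hook: index n constructed 'a' characters; true if all were indexed via the expected allocator. */
static bool index_check(size_t n, bool expect_heap)
{
    char *s = malloc(n + 1);
    if (s == NULL) return false;
    memset(s, 'a', n);
    s[n] = '\0';
    bool used_heap = false;
    bool ok = index_chars(s, &used_heap) == (long)n && used_heap == expect_heap;
    free(s);
    return ok;
}
```

A 16-character input needs 64 bytes and stays on the stack; a 5000-character input needs 20000 bytes and is moved to the heap, so the stack pointer never moves by more than the cutoff regardless of input length.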