oss-sec mailing list archives
Re: Out-of-bounds read & write in the glibc's qsort()
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Mon, 5 Feb 2024 17:02:52 +0800
On Mon, Feb 5, 2024 at 4:45 PM Alexander E. Patrakov <patrakov () gmail com> wrote:
On Mon, Feb 5, 2024 at 4:40 PM Alexander E. Patrakov <patrakov () gmail com> wrote:On Mon, Feb 5, 2024 at 12:36 AM Solar Designer <solar () openwall com> wrote:It's so invasive I cannot easily tell whether qsort() remained robust after it or not. There's no longer a "tmp_ptr != base_ptr &&" check. So, lacking known-working tests in glibc tree, we don't know about glibc 2.39's status with respect to this issue. I don't have a glibc 2.39 build handy. Perhaps someone on a distro that has already updated can run the attached test program and let us know?Here you go: no output on Arch Linux. [aep@aep-haswell tmp]$ gcc ./glibc-qualys-rocky-qsort-test.c [aep@aep-haswell tmp]$ ./a.out [aep@aep-haswell tmp]$ /lib64/libc.so.6 GNU C Library (GNU libc) stable release version 2.39. Copyright (C) 2024 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Compiled by GNU CC version 13.2.1 20230801. libc ABIs: UNIQUE IFUNC ABSOLUTE Minimum supported kernel: 4.4.0 For bug reporting instructions, please see: <https://gitlab.archlinux.org/archlinux/packaging/packages/glibc/-/issues>. -- Alexander E. PatrakovSorry, I should have followed the instructions. [aep@aep-haswell tmp]$ while true; do n=$((RANDOM*64+RANDOM+1)); prlimit --as=$((n*4/2*3)) ./a.out $n; done This results in a mix of these outputs: PASSED ./a.out: error while loading shared libraries: libc.so.6: failed to map segment from shared object Segmentation fault -- Alexander E. Patrakov
Upon investigation, I have to add: the segmentation faults come from code that runs before main(), so they do not indicate a problem in qsort(). -- Alexander E. Patrakov
Current thread:
- Out-of-bounds read & write in the glibc's qsort() Qualys Security Advisory (Jan 30)
- Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer (Feb 04)
- Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Qualys Security Advisory (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Adhemerval Zanella Netto (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer (Feb 04)