Vulnerability Development mailing list archives
Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)
From: Vladamir Shmirnov <red_vigil () yahoo com>
Date: Sat, 15 Feb 2003 13:30:04 -0800 (PST)
I came to the same deliberations, that it is in fact a bug in glibc. In the bash source file lib/glob/glob.c, in functiong glob_filename(), the call to bcopy(3) with an extraordinarily long length of source string causes the crash. However, I may note that although I haven't researched this it seems that it could possibly be a bug caused indirectly by the preceding call to alloca(3). If it is a problem with glibc then other programs are vulnerable, including SUID root, correct? Also, if it is a problem with glibc, it is not exploitable from user space, or is it?? Does glibc share the stack with the user process? - Josh --- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:
Dear Roland Postle, It looks to be the only correct post in this thread :) Yes, it's definitely bug in glibc, not in bash itself (same versions of bash on libc systems like FreeBSD are not affected). Recurse call stack overflow is believed not to be exploitable to code execution, but since this bug is in library it may be treated as security one as it may be exploited remotely (at least as a DoS) in a case glob_filename is used in some network service. --Thursday, February 13, 2003, 8:34:36 PM, you wrote to vuln-dev () securityfocus com:During some work, I noticed GNU bash could becrashed by sending amalformed perl request to the terminal. example: `perl -e 'print "*/*" x3500'`<bash crashes>RP> It's a stack overflow, due to glob_filename (in glob.c) recursively RP> calling itself while parsing the filename. So probably not exploitable. RP> - Blazde -- ~/ZARAZA Áðîñüòå ñòàðàòüñÿ - íè÷åãî èç ýòîãî íå âûéäåò. (Òâåí)
__________________________________________________ Do you Yahoo!? Yahoo! Shopping - Send Flowers for Valentine's Day http://shopping.yahoo.com
Current thread:
- Bash Blues. uk2sec (Feb 13)
- Re: Bash Blues. Andrew Walkingshaw (Feb 13)
- Re: Bash Blues. Kurt Seifried (Feb 14)
- Re: Bash Blues. Dack (Feb 14)
- Re: Bash Blues. Roland Postle (Feb 14)
- glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) 3APA3A (Feb 15)
- Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) Vladamir Shmirnov (Feb 15)
- Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) Roland Postle (Feb 16)
- Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) spacewalker (Feb 16)
- glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) 3APA3A (Feb 15)
- Re: Bash Blues. Andrew Walkingshaw (Feb 13)
- Re: Bash Blues. TerraTrans Security (Feb 14)
- A different bash blues admin (Feb 15)
- RE: A different bash blues Adam Gilmore (Feb 16)
- A different bash blues admin (Feb 15)
- RE: Bash Blues. Adam Gilmore (Feb 14)
- Re: Bash Blues. Peter Pentchev (Feb 14)