Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu' -DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/local/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I.. -I../include -I../lib -g -O2
uname output: Linux hsthudson.aoa.twosigma.com 3.4.86-ts2 #3 SMP Wed Apr 9 03:28:16 GMT 2014 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu
Bash Version: 4.3
Patch Level: 30
Release Status: release

Description:
Overly long LC_ALL or LC_CTYPE variables can cause a buffer overflow in converting 32-bit unicode characters. The stub_charset() function calls strcpy() into a static 40-byte buffer for the charset, which can be overflowed if the charset portion of LC_CTYPE contains more than 40 characters. If bash is not built with -D_FORTIFY_SOURCE, it might be possible to use this bug to cause malicious code execution.

Repeat-By:
LC_ALL="foo.1234567890123456789012345678901234567890" \
./bash -c 'echo -e "\Udeadbeef\n"'

./bash: warning: setlocale: LC_ALL: cannot change locale (foo.1234567890123456789012345678901234567890)
*** buffer overflow detected ***: ./bash terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f4d49ad3b87]
/lib/libc.so.6[0x7f4d49ad2b30]
./bash(u32cconv+0x22e)[0x49b9ae]
./bash(ansicstr+0x53b)[0x49991b]
./bash(echo_builtin+0xc3)[0x47d1d3]
./bash[0x436ac3]
./bash[0x43abfc]
./bash[0x43be5b]
./bash(execute_command_internal+0xca0)[0x4384f0]
./bash(parse_and_execute+0x36b)[0x47ecab]
./bash[0x423004]
./bash(main+0xa22)[0x424022]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f4d499faabd]
./bash[0x4224c9]

Fix:
Use strncpy() in place of strcpy() in lib/sh/unicode.c:

--- /tmp/bash-4.3.30/lib/sh/unicode.c 2014-01-30 21:47:19.000000000 +0000
+++ ./bash-4.3.30/lib/sh/unicode.c 2015-04-30 18:03:42.300340729 +0000
@@ -78,7 +78,8 @@
 s = strrchr (locale, '.');
 if (s)
 {
- strcpy (charsetbuf, s+1);
+ strncpy (charsetbuf, s+1, sizeof(charsetbuf)-1);
+ charsetbuf[sizeof(charsetbuf)-1] = '\0';
 t = strchr (charsetbuf, '@');
 if (t)
 *t = 0;

--
Trammell
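Review bot: The strncpy() plus explicit NUL in this hunk closes the overflow, but it truncates silently: a charset part of 40 or more bytes is cut to 39 bytes and handed back as if it were a valid charset name, and because the copy happens before the '@' modifier is stripped, a long modifier behind a short charset such as UTF-8 is also cut instead of simply being dropped. It would be cleaner to measure the charset first (strcspn (s+1, "@")), copy only that many bytes with memcpy, and fall back to a safe default when the length does not fit in charsetbuf, so an out-of-range LC_CTYPE is rejected rather than mangled. Two smaller points: strncpy() zero-fills the rest of charsetbuf on every call, which memcpy of the measured length avoids; and the Repeat-By uses exactly 40 charset characters, which already overflows once the NUL is counted, so the Description's "more than 40 characters" should read "40 or more".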
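To make the overflow condition concrete, the following C program is an added example written for this page; it is not bash's own code. It models the reported shape of stub_charset() (everything after the last '.' in the locale string is copied into a static 40-byte buffer, then cut at '@'), exposes a helper that computes how many bytes that strcpy() would write without actually performing the unsafe copy, and shows a hardened variant that measures the charset name before copying and falls back to "ASCII" when it cannot fit. The buffer size 40 is taken from the report; the fallback behaviour for locales without a '.' is a simplification and an assumption of this example, not bash's exact logic.

```c
/* Added example (not bash source). Models bash 4.3's stub_charset() as
 * described in the report: the charset after the last '.' of LC_CTYPE is
 * copied into a fixed 40-byte static buffer with strcpy(). */
#include <stdio.h>
#include <string.h>

#define CHARSETBUF_LEN 40          /* same size as the static buffer in the report */

static char charsetbuf[CHARSETBUF_LEN];

/* Vulnerable shape from the report: unbounded strcpy() of everything after
 * the last '.', then the '@' modifier is stripped. Only ever call this with
 * a locale whose charset part is shorter than CHARSETBUF_LEN. */
const char *stub_charset_unsafe(const char *locale) {
    const char *s;
    char *t;
    if (locale == NULL || *locale == '\0') {
        strcpy(charsetbuf, "ASCII");
        return charsetbuf;
    }
    s = strrchr(locale, '.');
    if (s) {
        strcpy(charsetbuf, s + 1);   /* overflows when strlen(s+1) >= 40 */
        t = strchr(charsetbuf, '@');
        if (t)
            *t = '\0';
        return charsetbuf;
    }
    return "ASCII";                  /* assumption: simplified fallback */
}

/* Bytes the unsafe strcpy() would write, NUL included, so the overflow
 * condition can be checked without triggering undefined behaviour. */
size_t unsafe_copy_len(const char *locale) {
    const char *s = strrchr(locale, '.');
    return s ? strlen(s + 1) + 1 : 0;
}

int would_overflow(const char *locale) {
    return unsafe_copy_len(locale) > CHARSETBUF_LEN;
}

/* Hardened variant: measure the charset (up to '@' or end of string) before
 * copying, and reject rather than truncate when it does not fit. A long '@'
 * modifier behind a short charset therefore no longer matters. */
const char *stub_charset_safe(const char *locale) {
    const char *s;
    size_t n;
    if (locale == NULL || *locale == '\0') {
        memcpy(charsetbuf, "ASCII", sizeof "ASCII");
        return charsetbuf;
    }
    s = strrchr(locale, '.');
    if (s == NULL)
        return "ASCII";              /* assumption: simplified fallback */
    s++;
    n = strcspn(s, "@");             /* charset length, modifier excluded */
    if (n == 0 || n >= sizeof charsetbuf) {
        /* No real charset name is this long: treat as invalid, not as data. */
        memcpy(charsetbuf, "ASCII", sizeof "ASCII");
        return charsetbuf;
    }
    memcpy(charsetbuf, s, n);
    charsetbuf[n] = '\0';
    return charsetbuf;
}

int main(void) {
    /* Constructed inputs: the 40-digit charset from the report, plus a short
     * charset with an oversized '@' modifier. */
    const char *cases[] = {
        "en_US.UTF-8",
        "en_US.UTF-8@euro",
        "C",
        "foo.1234567890123456789012345678901234567890",
        "en_US.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-62s strcpy would write %2zu bytes  overflow=%d  safe=%s\n",
               cases[i], unsafe_copy_len(cases[i]), would_overflow(cases[i]),
               stub_charset_safe(cases[i]));
    /* The unsafe version is only exercised on an input that fits. */
    printf("unsafe(en_US.UTF-8@euro) = %s\n", stub_charset_unsafe("en_US.UTF-8@euro"));
    return 0;
}
```

The 40-digit case from the report needs 41 bytes (40 characters plus the NUL), one more than the buffer, which is why exactly 40 charset characters already trip the fortify check. The last case shows why measuring up to '@' before copying is the better bound: the charset is a perfectly normal "UTF-8", but the original copy order drags the whole modifier into the buffer first.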