URL: <http://savannah.gnu.org/bugs/?52331>
Summary: use-after-free in the privateSetLocale function
Project: GNUstep
Submitted by: yavor
Submitted on: Thu 02 Nov 2017 05:21:30 PM EET
Category: Base/Foundation
Severity: 3 - Normal
Item Group: Bug
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

Jakub Wilk <jw...@jwilk.net> reports via Debian (#880575):

GNUstep Base 1.25.0
Architecture: i386 (x86)

The privateSetLocale() function can use memory that has already been freed:

$ valgrind -q -- ./test-locale
==9722== Invalid read of size 1
==9722==    at 0x48313D8: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9722==    by 0x4A5FD89: _i_NSString__initWithCString_encoding_ (NSString.m:1246)
==9722==    by 0x4A5CAB3: _c_NSString__stringWithCString_encoding_ (NSString.m:954)
==9722==    by 0x48E2897: privateSetLocale (GSLocale.m:75)
==9722==    by 0x48E37CB: GSDefaultLanguageLocale (GSLocale.m:330)
==9722==    by 0x4A9BFCC: systemLanguages (NSUserDefaults.m:375)
==9722==    by 0x4A9BFCC: newLanguages (NSUserDefaults.m:397)
==9722==    by 0x4A9DF6D: _c_NSUserDefaults__standardUserDefaults (NSUserDefaults.m:928)
==9722==    by 0x10878E: main (test-locale.m:10)
==9722==  Address 0x7a78688 is 0 bytes inside a block of size 181 free'd
==9722==    at 0x482F478: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9722==    by 0x4E9CE77: setname (setlocale.c:201)
==9722==    by 0x4E9CE77: setlocale (setlocale.c:456)
==9722==    by 0x4B0D13D: GSPrivateNativeCStringEncoding (Unicode.m:2862)
==9722==    by 0x48E2891: privateSetLocale (GSLocale.m:75)
==9722==    by 0x48E37CB: GSDefaultLanguageLocale (GSLocale.m:330)
==9722==    by 0x4A9BFCC: systemLanguages (NSUserDefaults.m:375)
==9722==    by 0x4A9BFCC: newLanguages (NSUserDefaults.m:397)
==9722==    by 0x4A9DF6D: _c_NSUserDefaults__standardUserDefaults (NSUserDefaults.m:928)
==9722==    by 0x10878E: main (test-locale.m:10)
==9722==  Block was alloc'd at
==9722==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9722==    by 0x4E9C998: new_composite_name (setlocale.c:172)
==9722==    by 0x4E9CF49: setlocale (setlocale.c:378)
==9722==    by 0x108742: main (test-locale.m:8)

This happens because it calls setlocale twice; once directly:

    clocale = setlocale(category, clocale);

and then again indirectly: ToString -> GSPrivateNativeCStringEncoding -> setlocale.

The other call invalidates the clocale pointer, as allowed by POSIX: "The returned string pointer might be invalidated or the string content might be overwritten by a subsequent call to setlocale()."

Attaching the test program.

(FWIW, I can't reproduce on x86 and x86_64.)

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Thu 02 Nov 2017 05:21:30 PM EET  Name: test-locale.m  Size: 281B  By: yavor
Test program supposed to demonstrate the bug
<http://savannah.gnu.org/bugs/download.php?file_id=42321>

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?52331>
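The pattern behind the report, as an added example that is neither GNUstep's code nor the attached test-locale.m: the buggy shape keeps using the pointer returned by the first setlocale() after a second setlocale() call, which POSIX allows to free or overwrite that string; the fixed shape copies the locale name first. The helper names (copy_locale_name, locale_name_after_second_call) are hypothetical, and the second setlocale() call stands in for the one reached through GSPrivateNativeCStringEncoding.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Buggy shape (do not use): the result of the first setlocale() is read
 * after another setlocale() call has run. glibc may free the old name
 * (see setname() in the valgrind trace), so the strlen() reads freed memory.
 *
 *   const char *clocale = setlocale(category, NULL);
 *   setlocale(category, "");        // may free/overwrite *clocale
 *   size_t n = strlen(clocale);     // invalid read, as valgrind reported
 */

/* Fixed shape: take an owned copy of the locale name before any further
 * setlocale() call. Returns NULL if the query or the allocation fails;
 * the caller frees the result. (Hypothetical helper, not GNUstep code.) */
char *copy_locale_name(int category)
{
    const char *name = setlocale(category, NULL);   /* query only */
    if (name == NULL)
        return NULL;
    return strdup(name);   /* private copy, independent of setlocale()'s buffer */
}

/* Reproduces the report's call order with the fix applied: query the locale,
 * run a second setlocale() (standing in for the one inside
 * GSPrivateNativeCStringEncoding), then use the name. The saved copy stays
 * valid no matter what the second call does to its internal storage. */
char *locale_name_after_second_call(int category)
{
    char *saved = copy_locale_name(category);
    if (saved == NULL)
        return NULL;
    /* Second call: re-apply the same locale by name. Its return value may
     * replace the storage the first query pointed into, but we no longer
     * depend on that storage. */
    (void)setlocale(category, saved);
    return saved;   /* safe to use; caller frees */
}

int main(void)
{
    char *name = locale_name_after_second_call(LC_CTYPE);
    if (name == NULL)
        return 1;
    printf("locale: %s\n", name);   /* "C" in a process that set no locale */
    free(name);
    return 0;
}
```

Running the buggy shape under valgrind --tool=memcheck, as the reporter did, is the practical check: the fixed shape produces no "Invalid read" because the copied name never aliases memory setlocale() owns.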