Bug 14156 – buffer overflow in LibELF

Status: RESOLVED
Resolution: FIXED
Severity: enhancement
Priority: P1
Component: dmd
Product: D
Version: D2
Platform: x86_64
OS: Linux
Creation time: 2015-02-09T11:41:00Z
Last change time: 2015-02-21T09:11:23Z
Assigned to: nobody
Creator: chatelet.guillaume

Attachments

ID    Filename                       Summary                          Content-Type  Size
1476  dmd_compilation_crash.txt      compilation log with update.sh   text/plain    65112
1477  dmd_compilation_gdb_crash.txt  gdb backtrace full               text/plain    16630

Comments

Comment #0 by chatelet.guillaume — 2015-02-09T11:41:28Z
Created attachment 1476: compilation log with update.sh
Compiling druntime with dmd using the update.sh script leads to a buffer overflow in DMD.
Comment #1 by chatelet.guillaume — 2015-02-09T11:41:59Z
Created attachment 1477: gdb backtrace full
Comment #2 by chatelet.guillaume — 2015-02-09T11:42:29Z
I cannot reproduce the issue with dmd compiled in debug mode.
Comment #3 by chatelet.guillaume — 2015-02-09T11:59:14Z
Comment #4 by chatelet.guillaume — 2015-02-10T21:12:16Z
The 'error' is actually here: https://github.com/D-Programming-Language/dmd/blob/047d0de680c32f5b7ce746e6de574698898535b7/src/libelf.c#L214 When user_id or group_id is exactly 6 characters, printf will add a trailing \0 that will overflow h->user_id or h->group_id. It will fail on hardened Linux.
Comment #5 by dfj1esp02 — 2015-02-12T07:32:49Z
If sprintf is provided through a macro wrapper, it can infer the buffer size of the first argument, as it's known statically. See if this circumvents protection:
---
char* dest = h->user_id;
len = sprintf(dest, "%u", om->user_id);
---
Comment #6 by chatelet.guillaume — 2015-02-12T07:41:28Z
Thx Sobira, it makes sense. I have a pending proposal which will write the buffer at once and solve the 'memory corruption'. https://github.com/D-Programming-Language/dmd/pull/4402
Comment #7 by dfj1esp02 — 2015-02-12T07:43:22Z
There's also a declaration like this:
---
template <size_t size>
int sprintf(char (&buffer)[size], const char *format [, argument] ...); // C++ only
---
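Added example (not DMD's libelf.c and not code posted by any commenter): a hardened way to fill the 6-byte user_id/group_id fields that comments #4, #5 and #7 discuss. The header struct, the field names and the helper names are constructed stand-ins for DMD's real types. The point it demonstrates is the one from comment #4: every *printf variant always writes a terminating '\0', so a six-digit id written with sprintf into a six-byte field spills one byte into the next field. Formatting into scratch space, bounding the copy by sizeof of the destination field (the static-size idea from comments #5 and #7), and refusing values that do not fit removes the overrun.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-width, space-padded, non-NUL-terminated fields of a classic
 * "!<arch>" member header. Constructed stand-in for DMD's header type;
 * only user_id/group_id follow the names used in the bug discussion. */
typedef struct {
    char name[16];
    char date[12];
    char user_id[6];   /* the 6-byte field that sprintf overran */
    char group_id[6];  /* first byte hit by the stray terminator */
    char mode[8];
    char size[10];
    char fmag[2];
} ar_member_header;

/* Write `value` in decimal into a field of exactly `width` bytes.
 * snprintf goes to a scratch buffer so its '\0' never lands in the packed
 * header; then at most `width` bytes are copied and the rest is space-padded.
 * Returns 0 on success, -1 when the number is wider than the field. */
static int put_decimal_field(char *dst, size_t width, unsigned long value)
{
    char scratch[32];
    int n = snprintf(scratch, sizeof scratch, "%lu", value);
    if (n < 0 || (size_t)n > width)
        return -1;                 /* refuse instead of silently truncating */
    memcpy(dst, scratch, (size_t)n);
    memset(dst + n, ' ', width - (size_t)n);
    return 0;
}

/* Hardened counterpart of the overflowing pair of sprintf calls:
 * the width comes from sizeof the destination field, never from a literal. */
static int write_ids(ar_member_header *h, unsigned long uid, unsigned long gid)
{
    if (put_decimal_field(h->user_id, sizeof h->user_id, uid) != 0)
        return -1;
    if (put_decimal_field(h->group_id, sizeof h->group_id, gid) != 0)
        return -1;
    return 0;
}

/* Demo/verification helper: fill a header with a sentinel byte, write the ids,
 * then confirm the two fields hold `exp_uid`/`exp_gid` (6 bytes each) and the
 * neighbouring fields still hold the sentinel. Returns 1 on success, 0 if a
 * field differs or a neighbour was touched, -1 if write_ids refused the value. */
static int write_ids_check(unsigned long uid, unsigned long gid,
                           const char *exp_uid, const char *exp_gid)
{
    ar_member_header h;
    memset(&h, 'X', sizeof h);
    if (write_ids(&h, uid, gid) != 0)
        return -1;
    if (memcmp(h.user_id, exp_uid, sizeof h.user_id) != 0)
        return 0;
    if (memcmp(h.group_id, exp_gid, sizeof h.group_id) != 0)
        return 0;
    for (size_t i = 0; i < sizeof h.date; i++)   /* field before user_id */
        if (h.date[i] != 'X') return 0;
    for (size_t i = 0; i < sizeof h.mode; i++)   /* field after group_id */
        if (h.mode[i] != 'X') return 0;
    return 1;
}

int main(void)
{
    /* 123456 is exactly six digits: the case that overflowed with sprintf */
    printf("uid 123456 / gid 7 -> %d\n", write_ids_check(123456, 7, "123456", "7     "));
    /* seven digits cannot be represented in six bytes: reported, not overrun */
    printf("uid 1234567 -> %d\n", write_ids_check(1234567, 0, "", ""));
    return 0;
}
```

The same pattern applies to every other fixed-width header field (date, mode, size); the one design decision worth making explicitly is what to do when a value does not fit, since silently truncating an id or size produces a corrupt archive rather than a crash.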
Comment #8 by github-bugzilla — 2015-02-12T21:40:25Z
Commits pushed to master at https://github.com/D-Programming-Language/dmd
https://github.com/D-Programming-Language/dmd/commit/a389f2de1dc0a7381b5d685e317d583bf0eccaf5 fix Issue 14156 - buffer overflow in LibELF
https://github.com/D-Programming-Language/dmd/commit/e7a18f669ccf77a18273948f426461961635582c Merge pull request #4402 from gchatelet/master Fix Issue 14156 - buffer overflow in LibELF
Comment #9 by github-bugzilla — 2015-02-21T09:11:23Z