[PATCH nptl] Fix memory overwrite bug in pthread_attr_getaffinity().

Carmelo AMOROSO carmelo.amoroso at st.com
Mon Jan 11 17:47:21 UTC 2010


Chris Metcalf wrote:
> If the caller requests fewer bytes of cpu_set_t data than are
> available from the system, the code will still copy all of the
> system's data to the user, overwriting additional memory.
> 
> Signed-off-by: Chris Metcalf <cmetcalf at tilera.com>
> ---
>  .../unix/sysv/linux/pthread_attr_getaffinity.c     |    8 +++++++-
>  1 files changed, 7 insertions(+), 1 deletions(-)
> 
> diff --git a/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c b/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
> index 5a3d418..376eac8 100644
> --- a/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
> +++ b/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
> @@ -43,9 +43,15 @@ __pthread_attr_getaffinity_new (const pthread_attr_t *attr, size_t cpusetsize,
>  	if (((char *) iattr->cpuset)[cnt] != 0)
>  	  return EINVAL;
>  
> -      void *p = mempcpy (cpuset, iattr->cpuset, iattr->cpusetsize);
>        if (cpusetsize > iattr->cpusetsize)
> +      {
> +	void *p = mempcpy (cpuset, iattr->cpuset, iattr->cpusetsize);
>  	memset (p, '\0', cpusetsize - iattr->cpusetsize);
> +      }
> +      else
> +      {
> +	memcpy (cpuset, iattr->cpuset, cpusetsize);
> +      }
>      }
>    else
>      /* We have no information.  */
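Review bot: the two new branches can collapse into a single `memcpy (cpuset, iattr->cpuset, cpusetsize < iattr->cpusetsize ? cpusetsize : iattr->cpusetsize)` followed by the existing conditional `memset` (with `p` replaced by `(char *) cpuset + iattr->cpusetsize`), which fixes the overrun with a smaller diff against the upstream glibc file the reply says uClibc wants to keep tracking. As written, the brace placement also diverges from the GNU style of the surrounding lines: `{` and `}` should sit two spaces past the `if`/`else`, and the single-statement `else` body needs no braces at all, matching the `else` directly below the hunk. The logic itself is right: the removed line copied `iattr->cpusetsize` bytes regardless of the caller's `cpusetsize`, and the EINVAL check above the change already guarantees that the bytes the truncating `memcpy` now drops are zero.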

Chris,
the patch is fine by me; anyway I've sent a slightly modified version to the glibc list
(as we agreed by email) to raise the issue with them too: in the end I'd like to avoid
diverging from the glibc/nptl code from which we took the nptl implementation.
I'll just wait for any feedback from Drepper and the glibc community, to see if we can keep the same
code; otherwise we can commit your patch into uClibc.

Anyway, I'm wondering how one would exploit this issue? Do you have a real case in which this
occurred? Or were you just doing static code analysis and found it out?

Cheers,
Carmelo
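The overrun Chris describes, reduced to a runnable C model. This is an added example, not uClibc's or glibc's code: `struct attr_model`, `getaffinity_before`, `getaffinity_after`, `clobbered_bytes` and `tail_zeroed` are names invented here, the loop bounds of the EINVAL check are assumed from the visible hunk rather than copied from the file, and the 16-byte stored set and 8-byte request are constructed inputs. The "before" version mirrors the removed `mempcpy` line (written as `memcpy` plus pointer arithmetic so the example builds without `_GNU_SOURCE`), the "after" version mirrors the two new branches; a canary region past the requested size shows which one writes outside what the caller asked for.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the two attribute fields the hunk reads.
   This is NOT uClibc's struct pthread_attr. */
struct attr_model {
    const unsigned char *cpuset;
    size_t cpusetsize;
};

/* Shared prefix of both versions: stored bytes beyond what the caller
   asked for must be zero, otherwise EINVAL.  The loop bounds are an
   assumption based on the EINVAL check visible in the hunk. */
static int reject_nonzero_tail(const struct attr_model *iattr, size_t cpusetsize)
{
    for (size_t cnt = cpusetsize; cnt < iattr->cpusetsize; ++cnt)
        if (iattr->cpuset[cnt] != 0)
            return EINVAL;
    return 0;
}

/* Pre-patch logic: copies the whole stored set, however small cpusetsize is. */
static int getaffinity_before(const struct attr_model *iattr, size_t cpusetsize,
                              unsigned char *cpuset)
{
    int err = reject_nonzero_tail(iattr, cpusetsize);
    if (err)
        return err;
    memcpy(cpuset, iattr->cpuset, iattr->cpusetsize);  /* iattr->cpusetsize bytes, always */
    unsigned char *p = cpuset + iattr->cpusetsize;      /* what mempcpy would return */
    if (cpusetsize > iattr->cpusetsize)
        memset(p, '\0', cpusetsize - iattr->cpusetsize);
    return 0;
}

/* Patched logic: never writes more than cpusetsize bytes. */
static int getaffinity_after(const struct attr_model *iattr, size_t cpusetsize,
                             unsigned char *cpuset)
{
    int err = reject_nonzero_tail(iattr, cpusetsize);
    if (err)
        return err;
    if (cpusetsize > iattr->cpusetsize) {
        memcpy(cpuset, iattr->cpuset, iattr->cpusetsize);
        memset(cpuset + iattr->cpusetsize, '\0', cpusetsize - iattr->cpusetsize);
    } else {
        memcpy(cpuset, iattr->cpuset, cpusetsize);
    }
    return 0;
}

typedef int (*getaffinity_fn)(const struct attr_model *, size_t, unsigned char *);

enum { ARENA = 16, CANARY = 0xA5 };

/* Caller asks for 8 bytes from a 16-byte stored set (CPU 0 only, so the
   zero-tail check passes).  The caller "owns" only the first 8 bytes of
   the arena; the rest is a canary.  Returns how many canary bytes were
   overwritten, or -1 if the call failed. */
static int clobbered_bytes(getaffinity_fn fn)
{
    unsigned char stored[16] = { 0x01 };
    struct attr_model attr = { stored, sizeof stored };
    unsigned char arena[ARENA];
    memset(arena, CANARY, sizeof arena);
    if (fn(&attr, 8, arena) != 0)
        return -1;
    int n = 0;
    for (size_t i = 8; i < ARENA; ++i)
        if (arena[i] != CANARY)
            ++n;
    return n;
}

/* The other direction: caller asks for 16 bytes from an 8-byte stored
   set.  Returns 1 if bytes 8..15 of the caller's buffer were zero-filled
   (the behaviour both versions must keep), else 0. */
static int tail_zeroed(getaffinity_fn fn)
{
    unsigned char stored[8] = { 0x01 };
    struct attr_model attr = { stored, sizeof stored };
    unsigned char arena[ARENA];
    memset(arena, CANARY, sizeof arena);
    if (fn(&attr, ARENA, arena) != 0)
        return 0;
    for (size_t i = 8; i < ARENA; ++i)
        if (arena[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("before: %d canary bytes overwritten, tail zeroed=%d\n",
           clobbered_bytes(getaffinity_before), tail_zeroed(getaffinity_before));
    printf("after:  %d canary bytes overwritten, tail zeroed=%d\n",
           clobbered_bytes(getaffinity_after), tail_zeroed(getaffinity_after));
    return 0;
}
```

The overwrite in the old code is silent because the EINVAL check guarantees the extra bytes are zero: the caller's neighbouring memory is cleared rather than filled with attacker data, which is why it is easier to find by reading the code than by observing a crash. The arena here is deliberately large enough to hold the whole copy so the demonstration itself stays free of undefined behaviour; in real code the bytes past `cpusetsize` belong to whatever sits after the caller's `cpu_set_t`.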


