[PATCH nptl] Fix memory overwrite bug in pthread_attr_getaffinity().

Carmelo AMOROSO carmelo.amoroso at st.com
Tue Jan 12 08:03:00 UTC 2010



Chris Metcalf wrote:
> On 1/11/2010 12:47 PM, Carmelo AMOROSO wrote:
>>
>> Chris Metcalf wrote:
>>   
>>> If the caller requests fewer bytes of cpu_set_t data than are
>>> available from the system, the code will still copy all of the
>>> system's data to the user, overwriting additional memory.
>>>
>>> Signed-off-by: Chris Metcalf <cmetcalf at tilera.com>
>>> ---
>>>  .../unix/sysv/linux/pthread_attr_getaffinity.c     |    8 +++++++-
>>>  1 files changed, 7 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c b/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
>>> index 5a3d418..376eac8 100644
>>> --- a/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
>>> +++ b/libpthread/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
>>> @@ -43,9 +43,15 @@ __pthread_attr_getaffinity_new (const pthread_attr_t *attr, size_t cpusetsize,
>>>  	if (((char *) iattr->cpuset)[cnt] != 0)
>>>  	  return EINVAL;
>>>  
>>> -      void *p = mempcpy (cpuset, iattr->cpuset, iattr->cpusetsize);
>>>        if (cpusetsize > iattr->cpusetsize)
>>> +      {
>>> +	void *p = mempcpy (cpuset, iattr->cpuset, iattr->cpusetsize);
>>>  	memset (p, '\0', cpusetsize - iattr->cpusetsize);
>>> +      }
>>> +      else
>>> +      {
>>> +	memcpy (cpuset, iattr->cpuset, cpusetsize);
>>> +      }
>>>      }
>>>    else
>>>      /* We have no information.  */
>>>     
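Review bot: the new `else` branch silently truncates the copy to `cpusetsize` bytes whenever the caller's buffer is smaller than `iattr->cpusetsize`; that is only safe because the loop in the unchanged context just above (`if (((char *) iattr->cpuset)[cnt] != 0) return EINVAL;`) has already rejected any set bit beyond `cpusetsize`, so the bytes dropped are known to be zero. A one-line comment on the `else` saying exactly that would stop the next reader from "fixing" it. Two smaller points: the added braces are not indented the way the rest of the file is (two spaces in under the `if`), and the whole `if`/`else` collapses to one copy of the smaller of `cpusetsize` and `iattr->cpusetsize` bytes followed by the existing `memset` when `cpusetsize > iattr->cpusetsize`, which is a two-line change against the original and keeps the divergence from glibc, which the reply below says is the concern, to a minimum.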
>> Chris,
>> the patch is fine by me; anyway I've sent a slightly modified version to the glibc list
>> (as we agreed by email) to raise the issue to them too: in the end I'd like to avoid
>> diverging from the glibc/nptl code from which we took the nptl implementation.
>> I'll just wait for any feedback from Drepper & the glibc community, to see if we can keep the same
>> code; otherwise we can commit your patch into uClibc.
>>
>> Anyway, I'm wondering how to exploit this issue. Do you have a real case in which this
>> occurred, or were you just doing static code analysis and found it?
>>   
> 
> test/nptl/tst-attr3.c segfaulted in our environment.  I didn't drill
> down to why the cpusetsize that was passed (as sizeof(cpu_set_t))
> differed from the iattr->cpusetsize, I just saw the mempcpy() overwrite
> the link register on the stack and cause the function to try to branch
> to PC=0 on return.
> 

Thanks for the info... it never failed on sh4 indeed. Anyway, for you it should be
useful to figure out the reason for the difference in the sizeof; likely it is hiding
some problem somewhere else.

Carmelo

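As an added example, not code from uClibc, glibc or anyone in this thread: a minimal C model of the copy step in pthread_attr_getaffinity(), in the buggy form the patch replaces (copy `iattr->cpusetsize` bytes regardless of what the caller asked for) and in the fixed form (copy at most `cpusetsize` bytes, zero-fill any remainder). Each is run against a caller buffer followed by a 0xAA canary so the overwrite Chris saw hit the saved link register is visible, and both are checked to still return EINVAL when the stored mask has bits the caller's buffer cannot hold. The `attr_model` struct, the function names and the two sizes are constructed for the example; the real sizes from tst-attr3 are not reproduced.

```c
/* Added example (not uClibc/glibc code): model of the affinity copy,
   buggy vs. fixed, with a canary after the caller's buffer. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the private attribute struct; only the
   two fields the bug involves. */
struct attr_model {
    size_t cpusetsize;            /* bytes of mask held by the attribute */
    const unsigned char *cpuset;
};

/* Bytes beyond the caller's buffer must be zero, otherwise EINVAL.
   Both versions do this check; it is what makes truncation safe. */
static int extra_bits_set(const struct attr_model *a, size_t cpusetsize)
{
    for (size_t cnt = cpusetsize; cnt < a->cpusetsize; ++cnt)
        if (a->cpuset[cnt] != 0)
            return 1;
    return 0;
}

/* Buggy form: copies a->cpusetsize bytes whatever the caller asked for. */
static int getaffinity_buggy(const struct attr_model *a, size_t cpusetsize,
                             void *cpuset)
{
    if (a->cpuset == NULL) {
        memset(cpuset, -1, cpusetsize);     /* no information: all CPUs */
        return 0;
    }
    if (extra_bits_set(a, cpusetsize))
        return EINVAL;
    memcpy(cpuset, a->cpuset, a->cpusetsize);   /* runs past a smaller buffer */
    if (cpusetsize > a->cpusetsize)
        memset((char *)cpuset + a->cpusetsize, 0, cpusetsize - a->cpusetsize);
    return 0;
}

/* Fixed form: copy the smaller of the two sizes, zero-fill any remainder. */
static int getaffinity_fixed(const struct attr_model *a, size_t cpusetsize,
                             void *cpuset)
{
    if (a->cpuset == NULL) {
        memset(cpuset, -1, cpusetsize);
        return 0;
    }
    if (extra_bits_set(a, cpusetsize))
        return EINVAL;
    size_t n = cpusetsize < a->cpusetsize ? cpusetsize : a->cpusetsize;
    memcpy(cpuset, a->cpuset, n);
    if (cpusetsize > n)
        memset((char *)cpuset + n, 0, cpusetsize - n);
    return 0;
}

#define STORED 16   /* bytes held by the attribute (constructed size) */
#define ASKED   8   /* bytes the caller's buffer holds (constructed size) */

/* Run one implementation against a buffer whose second half is a 0xAA
   canary (standing in for the saved return address on the stack).
   Returns 1 if the canary is intact, 0 if overwritten, -1 on error. */
static int canary_survives(int (*getaff)(const struct attr_model *, size_t, void *))
{
    unsigned char stored[STORED] = { 0x0f };   /* CPUs 0-3 set, rest zero */
    struct attr_model a = { sizeof stored, stored };
    unsigned char region[ASKED * 2];
    memset(region, 0xAA, sizeof region);       /* region[ASKED..] is the canary */
    if (getaff(&a, ASKED, region) != 0)
        return -1;
    for (size_t i = ASKED; i < sizeof region; ++i)
        if (region[i] != 0xAA)
            return 0;
    return 1;
}

/* Both versions must reject a mask with a bit the caller cannot receive. */
static int rejects_truncated_bits(int (*getaff)(const struct attr_model *, size_t, void *))
{
    unsigned char stored[STORED] = { 0 };
    stored[STORED - 1] = 0x01;                 /* CPU 120 set, beyond ASKED bytes */
    struct attr_model a = { sizeof stored, stored };
    unsigned char out[ASKED * 2];
    return getaff(&a, ASKED, out) == EINVAL;
}

/* Caller buffer larger than the stored mask: the tail is zero-filled. */
static int tail_zero_filled(void)
{
    unsigned char stored[ASKED] = { 0xff };
    struct attr_model a = { sizeof stored, stored };
    unsigned char out[STORED];
    memset(out, 0xAA, sizeof out);
    if (getaffinity_fixed(&a, sizeof out, out) != 0 || out[0] != 0xff)
        return 0;
    for (size_t i = ASKED; i < sizeof out; ++i)
        if (out[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("buggy: canary %s\n", canary_survives(getaffinity_buggy) ? "intact" : "overwritten");
    printf("fixed: canary %s\n", canary_survives(getaffinity_fixed) ? "intact" : "overwritten");
    return 0;
}
```

The canary here is deliberately inside the same array as the caller's buffer so the model stays within defined behaviour; on a real stack the bytes past the caller's `cpu_set_t` are whatever the compiler placed next, which on Chris's target was the saved link register, hence the branch to PC=0 on return.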

