This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful
- From: "ben at decadentplace dot org dot uk" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: 2 Oct 2005 23:12:04 -0000
- Subject: [Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful
- Reply-to: gcc-bugzilla at gcc dot gnu dot org
The function java::io::File::performList in libjava/java/io/natFilePosix.cc
calls readdir_r using a stack buffer with pathconf(path, _PC_NAME_MAX) + 1
extra bytes. It does not check for failure of pathconf(). Also there is a race
condition between opendir() and pathconf(). This may well be exploitable for
denial of service and code injection, particularly on Solaris and other
platforms where struct dirent is defined with a small d_name array.
I am attaching a draft copy of a security advisory that I intend to publish on
1st November.
Please let me know if you have any unanswered questions about this issue
or wish to provide information about workarounds, mitigation or versions
that are or are not vulnerable for inclusion in the advisory.
--
Summary: [SECURITY] readdir_r considered harmful
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: major
Priority: P1
Component: libgcj
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: ben at decadentplace dot org dot uk
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170
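The report above names three defects in the way the buffer for readdir_r() is sized: the pathconf() result is used without checking for failure, the limit is queried by path name rather than on the already-open directory (so the path can be swapped between opendir() and pathconf()), and the buffer is sized as sizeof(struct dirent) plus the name limit, which is too small wherever d_name is declared as a short array. The following added example is not libgcj code and not the reporter's draft advisory; it shows the defensive sizing pattern a C programmer would use instead: query fpathconf() on the directory's own descriptor, treat -1 as either "no limit" or a hard error according to errno, compute the size from offsetof(struct dirent, d_name), and allocate on the heap. The function names (dirent_buf_size, count_dir_entries, demo_count) and the temporary-directory test data are constructed for this example.

```c
/* Added example: sizing a readdir_r() buffer safely. Not libgcj code. */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* glibc 2.24 and later mark readdir_r() deprecated in favour of readdir();
 * it is kept here because the bug report is about sizing its buffer. */
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"

/* Return the buffer size readdir_r() needs for the directory open as dirp,
 * or 0 on a hard error. Querying fpathconf() on the open descriptor instead
 * of pathconf() on the path removes the opendir()/pathconf() race, and a
 * -1 result is examined rather than silently used as a size. */
size_t dirent_buf_size(DIR *dirp)
{
    errno = 0;
    long name_max = fpathconf(dirfd(dirp), _PC_NAME_MAX);
    if (name_max == -1) {
        if (errno != 0)
            return 0;             /* genuine failure, e.g. EBADF */
#ifdef NAME_MAX
        name_max = NAME_MAX;      /* "no limit" reported: use the compile-time bound */
#else
        name_max = 255;           /* constructed fallback for systems without NAME_MAX */
#endif
    }
    /* Where d_name is declared tiny (the report names Solaris), sizeof(struct
     * dirent) is far too small. The offsetof() form is right everywhere; the
     * max keeps the result at least sizeof(struct dirent) on systems whose
     * d_name is already a full NAME_MAX + 1 array. */
    size_t len = offsetof(struct dirent, d_name) + (size_t)name_max + 1;
    return len > sizeof(struct dirent) ? len : sizeof(struct dirent);
}

/* Count entries in path other than "." and "..", using a heap buffer sized
 * by dirent_buf_size(). Returns -1 on any error. */
long count_dir_entries(const char *path)
{
    DIR *dirp = opendir(path);
    if (dirp == NULL)
        return -1;
    size_t bufsz = dirent_buf_size(dirp);
    struct dirent *buf = bufsz ? malloc(bufsz) : NULL;
    if (buf == NULL) {
        closedir(dirp);
        return -1;
    }
    long count = 0;
    struct dirent *ent;
    int rc;
    while ((rc = readdir_r(dirp, buf, &ent)) == 0 && ent != NULL) {
        if (strcmp(ent->d_name, ".") != 0 && strcmp(ent->d_name, "..") != 0)
            count++;
    }
    free(buf);
    closedir(dirp);
    return rc == 0 ? count : -1;
}

/* Constructed self-test: create a temporary directory holding n empty files,
 * count them with count_dir_entries(), clean up, and return the count. */
long demo_count(int n)
{
    char tmpl[] = "/tmp/readdir_r_demoXXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL)
        return -1;
    char p[sizeof tmpl + 16];
    for (int i = 0; i < n; i++) {
        snprintf(p, sizeof p, "%s/f%d", dir, i);
        FILE *f = fopen(p, "w");
        if (f == NULL)
            return -1;
        fclose(f);
    }
    long count = count_dir_entries(dir);
    for (int i = 0; i < n; i++) {
        snprintf(p, sizeof p, "%s/f%d", dir, i);
        unlink(p);
    }
    rmdir(dir);
    return count;
}

int main(void)
{
    long n = demo_count(3);
    printf("entries counted: %ld\n", n);
    return n == 3 ? 0 : 1;
}
```

The error path matters as much as the arithmetic: a pathconf()-style call that fails returns -1, and adding 1 to that yields a zero-length extension, which is exactly how an unchecked result turns into an undersized stack buffer. Checking errno separates "no limit configured" from a real failure, and allocating on the heap keeps any remaining mistake away from the return address.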