This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug libgcj/24170] New: [SECURITY] readdir_r considered harmful


The function java::io::File::performList in libjava/java/io/natFilePosix.cc
calls readdir_r using a stack buffer with pathconf(path, _PC_NAME_MAX) + 1
extra bytes. It does not check for failure of pathconf(). Also there is a race
condition between opendir() and pathconf(). This may well be exploitable for
denial of service and code injection, particularly on Solaris and other
platforms where struct dirent is defined with a small d_name array.

I am attaching a draft copy of a security advisory that I intend to publish on
1st November.

Please let me know if you have any unanswered questions about this issue
or wish to provide information about workarounds, mitigation or versions
that are or are not vulnerable for inclusion in the advisory.


-- 
           Summary: [SECURITY] readdir_r considered harmful
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: major
          Priority: P1
         Component: libgcj
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: ben at decadentplace dot org dot uk


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24170
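An added example, not code from the bug report or from libgcj, showing the sizing discipline the report says performList lacks: the dirent buffer is sized from fpathconf() on the already-open directory descriptor (so there is no window between opendir() and the limit query), a -1 return from the pathconf call is detected and replaced by a conservative fallback, and the buffer lives on the heap rather than the stack. The function names and the temporary-directory fixture are this example's own; glibc 2.24 and later mark readdir_r deprecated (plain readdir is thread-safe per stream there), so a diagnostic pragma keeps the build quiet on that platform.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef NAME_MAX
#define NAME_MAX 255            /* POSIX minimum, used when the header omits it */
#endif
#if defined(__GNUC__)
#pragma GCC diagnostic ignored "-Wdeprecated-declarations" /* readdir_r on glibc >= 2.24 */
#endif

/* Size of the struct dirent buffer needed for the directory already open in
 * `dir`. Querying the open descriptor removes the opendir()/pathconf() race,
 * and a -1 return (failure, or "no limit" with errno left at 0) is replaced
 * by NAME_MAX instead of silently shrinking the buffer. */
size_t dirent_buffer_size(DIR *dir)
{
    errno = 0;
    long name_max = fpathconf(dirfd(dir), _PC_NAME_MAX);
    if (name_max == -1 || name_max < NAME_MAX)
        name_max = NAME_MAX;    /* conservative: never below the POSIX minimum */

    /* d_name is the last member: room for the leading fields, the name and
     * its NUL. Platforms with a fixed d_name array still get a full struct. */
    size_t size = offsetof(struct dirent, d_name) + (size_t)name_max + 1;
    if (size < sizeof(struct dirent))
        size = sizeof(struct dirent);
    return size;
}

/* Count entries in `path` other than "." and "..", reading them with
 * readdir_r into a heap buffer of the computed size. Returns -1 on error. */
int count_directory_entries(const char *path)
{
    DIR *dir = opendir(path);
    if (dir == NULL)
        return -1;

    struct dirent *entry = malloc(dirent_buffer_size(dir));
    if (entry == NULL) {
        closedir(dir);
        return -1;
    }

    int count = 0;
    struct dirent *result;
    for (;;) {
        if (readdir_r(dir, entry, &result) != 0) { count = -1; break; }
        if (result == NULL)
            break;
        if (strcmp(result->d_name, ".") != 0 && strcmp(result->d_name, "..") != 0)
            count++;
    }
    free(entry);
    closedir(dir);
    return count;
}

/* Constructed fixture for a self-contained run: create a temporary directory
 * holding `nfiles` empty files, count them, remove everything, and return
 * the count (or -1 if the fixture could not be built). */
int count_in_fresh_tempdir(int nfiles)
{
    char dir[] = "/tmp/readdir_sizing_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char name[sizeof dir + 32];
    for (int i = 0; i < nfiles; i++) {
        snprintf(name, sizeof name, "%s/file%d", dir, i);
        FILE *f = fopen(name, "w");
        if (f == NULL)
            return -1;
        fclose(f);
    }

    int count = count_directory_entries(dir);

    for (int i = 0; i < nfiles; i++) {
        snprintf(name, sizeof name, "%s/file%d", dir, i);
        unlink(name);
    }
    rmdir(dir);
    return count;
}

int main(void)
{
    printf("entries counted in a 3-file temp dir: %d\n", count_in_fresh_tempdir(3));
    return 0;
}
```

The same size computation applies to any readdir_r caller; what the original code got wrong was trusting an unchecked pathconf() result taken on the path rather than the open stream, which is exactly the value the buffer length depends on.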

