Potential information disclosure vulnerability in FORTIFY_SOURCE

Bug #562614 reported by Dan Rosenberg on 2010-04-13
This bug affects 1 person
Affects: glibc (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

The error message generated when stack smashing is detected on a program compiled -D FORTIFY_SOURCE includes a reference to argv[0]. Since argv[0] resides further up the stack from an overflowed buffer, if an application is vulnerable to a stack-based buffer overflow that allows the attacker to overwrite this pointer, the error message will print out arbitrary memory.

While this behavior requires the pre-existence of another vulnerability to be considered a security issue, it doesn't seem like a good idea to allow an attacker to read arbitrary memory of setuid binaries (for example) in the event of a mitigated stack overflow.

I've attached a contrived example to reproduce the issue. It's a classic strcpy() buffer overflow. An unused string is in the .data section as a target to read. By executing:

./strcpy `perl -e 'print "\xa0\x85\x04\x08"x80'`

the string will be printed out in the FORTIFY_SOURCE error message.

Dan Rosenberg (dan-j-rosenberg) wrote :
Kees Cook (kees) wrote :

I'd like to see the stack handler not use argv[0] or report a backtrace. What good is a backtrace on a corrupted stack?

visibility: private → public
Kees Cook (kees) on 2010-04-30
Changed in glibc (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
importance: Wishlist → Low
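
Added example, not part of the original report and not glibc's code: one way to build the failure message along the lines suggested in the comment above, printing a program name copied at startup instead of reading argv[0] when the failure is detected, and attempting no backtrace. The function names, the message text and the sample strings are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; an illustration, not glibc's implementation. */
static char saved_name[64] = "<unknown>";

/* Call once at startup, before untrusted input is handled. Copies the base
 * name into static storage so later reports never follow a stack pointer. */
void save_program_name(const char *argv0)
{
    if (argv0 == NULL)
        return;
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    if (*base == '\0')
        return;                       /* keep the "<unknown>" default */
    size_t i;
    for (i = 0; i < sizeof saved_name - 1 && base[i] != '\0'; i++) {
        unsigned char c = (unsigned char)base[i];
        saved_name[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    saved_name[i] = '\0';
}

/* Behaviour described in the report: the text comes from whatever the
 * argv[0] slot points to at the moment the failure is detected. */
int report_from_live_pointer(char *out, size_t n, char **argv_slot)
{
    return snprintf(out, n, "*** stack smashing detected ***: %s terminated",
                    argv_slot[0]);
}

/* Hardened variant: only the copy taken at startup is printed, and no
 * backtrace is attempted. A real handler would emit this with write(2). */
int report_from_saved_name(char *out, size_t n)
{
    return snprintf(out, n, "*** stack smashing detected ***: %s terminated",
                    saved_name);
}

int main(int argc, char **argv)
{
    char msg[128];
    save_program_name(argc > 0 ? argv[0] : NULL);
    report_from_saved_name(msg, sizeof msg);
    puts(msg);
    return 0;
}
```

The saved copy is limited to printable ASCII and a fixed length, so the message content is decided before any untrusted input is processed.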
This report contains Public Security information
Everyone can see this security related information.