Potential information disclosure vulnerability in FORTIFY_SOURCE

Bug #562614 reported by Dan Rosenberg
Affects: glibc (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

The error message generated when stack smashing is detected on a program compiled -D FORTIFY_SOURCE includes a reference to argv[0]. Since argv[0] resides further up the stack from an overflowed buffer, if an application is vulnerable to a stack-based buffer overflow that allows the attacker to overwrite this pointer, the error message will print out arbitrary memory.

While this behavior requires the pre-existence of another vulnerability to be considered a security issue, it doesn't seem like a good idea to allow an attacker to read arbitrary memory of setuid binaries (for example) in the event of a mitigated stack overflow.

I've attached a contrived example to reproduce the issue. It's a classic strcpy() buffer overflow. An unused string is in the .data section as a target to read. By executing:

./strcpy `perl -e 'print "\xa0\x85\x04\x08"x80'`

the string will be printed out in the FORTIFY_SOURCE error message.

Dan Rosenberg (dan-j-rosenberg) wrote:

Marc Deslauriers (mdeslaur) wrote:

Kees Cook (kees) wrote:

I'd like to see the stack handler not use argv[0] or report a backtrace. What good is a backtrace on a corrupted stack?
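The report above describes the leak (the abort handler formats argv[0] into its message, and a stack overflow that reaches the argv[0] pointer redirects that read), and Kees's comment asks for a handler that reads nothing from the corrupted stack. Until the handler changes, a defender can at least notice when the leak has been triggered: a genuine argv[0] is a short path or command name, so an abort message whose program-name field holds anything else means the handler dereferenced a pointer it should not have trusted. The Python below is an added example, not part of this report or of glibc. It assumes the two message shapes seen in practice (the older `*** <check> ***: <argv[0]> terminated` form this bug concerns, and a later form with no program name at all), treats the character set of a plausible program name as a heuristic, and the log lines it scans are constructed for the demonstration (stderr of a service as a log collector might capture it).

```python
import re

# Abort messages from glibc's fortify/stack-protector failure path.
#   older:  *** stack smashing detected ***: ./strcpy terminated
#   older:  *** buffer overflow detected ***: /usr/bin/foo terminated
#   newer:  *** stack smashing detected ***: terminated      (no argv[0])
# The "terminated" keyword anchors the end so that a leaked field containing
# spaces is still captured as one unit.
GLIBC_ABORT_RE = re.compile(
    r"\*\*\* (?P<check>stack smashing detected|buffer overflow detected) \*\*\*: "
    r"(?:(?P<argv0>.*?) )?terminated"
)

# Heuristic (an assumption of this example): a real argv[0] is a bounded
# string of path-like characters. Whitespace, control bytes or anything
# outside this set in that position is memory the handler should not
# have printed.
PLAUSIBLE_PROGNAME_RE = re.compile(r"[A-Za-z0-9._/+:@%,=-]{1,256}")


def looks_like_program_name(field):
    """True for an absent field (newer format) or a path-like name."""
    if field == "":
        return True
    return PLAUSIBLE_PROGNAME_RE.fullmatch(field) is not None


def triage_line(line):
    """Return a triage record for a glibc abort message, or None."""
    m = GLIBC_ABORT_RE.search(line)
    if m is None:
        return None
    argv0 = m.group("argv0") or ""
    return {
        "check": m.group("check"),
        "argv0": argv0,
        # A suspicious record means: mitigation fired AND the message body
        # is not a program name, i.e. the argv[0] pointer was overwritten.
        "suspicious": not looks_like_program_name(argv0),
    }


def triage_log(lines):
    """Triage every line; unrelated lines are dropped."""
    records = (triage_line(line) for line in lines)
    return [r for r in records if r is not None]


# Constructed sample log; not real captured data.
SAMPLE_LOG = [
    "Apr 14 10:02:11 host sshd[1201]: Accepted publickey for alice",
    "Apr 14 10:02:12 host strcpy[4242]: *** stack smashing detected ***: "
    "./strcpy terminated",
    "Apr 14 10:02:13 host strcpy[4243]: *** stack smashing detected ***: "
    "This is the secret string terminated",
    "Apr 14 10:02:14 host foo[4244]: *** buffer overflow detected ***: terminated",
]


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        flag = "LEAK?" if rec["suspicious"] else "ok"
        print(f"{flag:5} {rec['check']}: argv0={rec['argv0']!r}")
```

The first abort record is an ordinary stack-protector kill of `./strcpy` and the third is the newer nameless format; only the second, whose program-name field is a sentence rather than a path, is flagged. In a real pipeline the flagged record is the one worth an incident ticket, since it shows both that an overflow reached past the buffer and that the abort message carried out process memory.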

visibility: private → public
Kees Cook (kees)
Changed in glibc (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
importance: Wishlist → Low