glibc 2.37: snprintf() on armhf wrongly truncates writes given extremely large size argument
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cyrus-imapd (Ubuntu) |
Fix Released
|
High
|
Steve Langasek | ||
glibc (Ubuntu) |
Fix Released
|
High
|
Unassigned |
Bug Description
The cyrus-imapd package fails to build from source on armhf in lunar against glibc 2.37. I've tracked this down to a combination of bad string handling in the cyrus library's API, and a regression in glibc 2.37 vs 2.36 when snprintf() is passed a size argument whose value is very close to INT_MAX.
Basically, since the API is passed a buffer of unknown size, and then passes this on to functions that DO safe handling of buffer lengths, it claims a buffer size of INT_MAX. Because the functions start filling the buffer before the call to snprintf(), the actual size argument to snprintf() is slightly less than INT_MAX. This is unrealistic and incorrect, but technically valid, so snprintf() should handle it correctly.
Below is a reproducer that demonstrates the bug on armhf.
#include <limits.h>
#include <stdio.h>
#include <string.h>
int main() {
char buf[32];
int res;
res = snprintf(buf, sizeof(buf)-1, "%s", "hello world");
printf("having a normal one. res=%d,
res = snprintf(buf, INT_MAX, "%s", "hello world");
printf("res=%d but buf=%s\n",res,buf);
}
CVE References
Changed in glibc (Ubuntu): | |
status: | New → Triaged |
tags: | added: patch-needswork |
tags: | removed: patch-needswork |
Changed in cyrus-imapd (Ubuntu): | |
status: | New → Incomplete |
status: | Incomplete → In Progress |
assignee: | nobody → Steve Langasek (vorlon) |
importance: | Undecided → High |
Changed in cyrus-imapd (Ubuntu): | |
status: | In Progress → Fix Committed |
Marking this as critical because a pretty fundamental string handling function is misbehaving, and even though the only known failure at the moment is from a consumer doing something patently ridiculous, the overall impact is not known.