Potential information disclosure vulnerability in FORTIFY_SOURCE
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
glibc (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
The error message generated when stack smashing is detected in a program compiled with -D_FORTIFY_SOURCE includes a reference to argv[0]. Since argv[0] resides further up the stack from an overflowed buffer, if an application is vulnerable to a stack-based buffer overflow that allows the attacker to overwrite this pointer, the error message will print out arbitrary memory.
While this behavior requires the pre-existence of another vulnerability to be considered a security issue, it doesn't seem like a good idea to allow an attacker to read arbitrary memory of setuid binaries (for example) in the event of a mitigated stack overflow.
I've attached a contrived example to reproduce the issue. It's a classic strcpy() buffer overflow. An unused string is in the .data section as a target to read. By executing:
./strcpy `perl -e 'print "\xa0\x85\
the string will be printed out in the FORTIFY_SOURCE error message.
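The mechanism the report describes, as an added example that is not the attached reproducer and not glibc's own code: a struct models a stack frame in which an overflowable buffer sits just below the pointer that the failure handler later trusts (argv[0] in the real case), a constructed string stands in for the .data target, and a length-controlled copy plays the role of the strcpy() overflow so the outcome is deterministic rather than dependent on real stack layout. `format_fail_message` mimics a handler that dereferences the pointer; `format_fail_message_safe` shows the alternative of never dereferencing memory that cannot be trusted once the stack has been smashed. All function and struct names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the string the attacker wants to read.
 * In the report it lives in .data; here it is a file-scope array. */
static char secret_in_data[] = "secret string in .data";

/* Model of the vulnerable frame: buf is overflowed, progname is the
 * pointer the handler later dereferences (argv[0] in the real report). */
struct frame {
    char buf[16];
    const char *progname;
};

/* A handler in the style the report describes: it trusts progname.
 * Returns the number of characters snprintf produced. */
static int format_fail_message(char *out, size_t outlen,
                               const char *what, const char *progname) {
    return snprintf(out, outlen, "*** %s ***: %s terminated", what, progname);
}

/* Hardened variant: the message carries only a constant string, so a
 * corrupted pointer cannot turn the diagnostic into a memory read. */
static int format_fail_message_safe(char *out, size_t outlen, const char *what) {
    return snprintf(out, outlen, "*** %s ***: terminated", what);
}

/* Stands in for the strcpy() overflow: copies attacker bytes over the
 * start of the frame, past buf and onto progname. Bounded by the struct
 * size so the example stays within the object and is reproducible. */
static int smash_frame(struct frame *f, const unsigned char *payload, size_t len) {
    if (len > sizeof *f)
        return -1;
    memcpy(f, payload, len);
    return 0;
}

/* Runs the whole scenario: fills buf with filler, lands the address of
 * secret_in_data on progname, then formats the failure message the way
 * the trusting handler would. Returns the pointer the handler saw. */
static const char *simulate_disclosure(char *out, size_t outlen) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.progname = "./strcpy"; /* what argv[0] would normally hold */

    /* Constructed payload: filler up to the pointer, then the target address
     * in native byte order, exactly like the \xa0\x85... bytes in the report. */
    unsigned char payload[sizeof f];
    memset(payload, 'A', sizeof payload);
    const char *target = secret_in_data;
    memcpy(payload + offsetof(struct frame, progname), &target, sizeof target);

    smash_frame(&f, payload, offsetof(struct frame, progname) + sizeof target);
    format_fail_message(out, outlen, "stack smashing detected", f.progname);
    return f.progname;
}

int main(void) {
    char msg[128], safe[128];
    simulate_disclosure(msg, sizeof msg);
    format_fail_message_safe(safe, sizeof safe, "stack smashing detected");
    printf("trusting handler: %s\n", msg);
    printf("hardened handler: %s\n", safe);
    return 0;
}
```

The point to check on a real target is simply whether the crash message echoes anything the attacker controls; for a setuid binary that message is the only output an unprivileged caller gets, which is why an otherwise mitigated overflow still leaks.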
CVE References
Changed in glibc (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
importance: Wishlist → Low
Public now: http://seclists.org/fulldisclosure/2010/Apr/399