libpkgconf: personality: fix out of boundary access #193

Closed
stoeckmann wants to merge 1 commits from personality into master
stoeckmann commented 2020-05-24 21:17:41 +00:00 (Migrated from github.com)

It is possible to set the instruction pointer to undefined values by
using an operator larger than ':' in ASCII.

Since the personality function array does not have 256 entries, an
invalid operator can overflow the array.

Proof of concept:

$ echo "a _ b" > poc
$ ln -s $(which pkgconf) poc-pkgconf
$ ./poc-pkgconf
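
A minimal model of the bug class described in this pull request, as an added example rather than code from pkgconf or from the PR: a handler table indexed by the operator character, with a checked lookup in front of the indirect call. The names `op_table`, `lookup_op` and `dispatch_line`, the key character set and the return codes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>

/* Hypothetical handler type; not pkgconf's own declaration. */
typedef int (*op_handler_t)(const char *key, const char *value);

static int handle_set(const char *key, const char *value)
{
    (void)key; (void)value;
    return 0;
}

/* The designated initializer sizes the array to ':' + 1 entries, not 256. */
static const op_handler_t op_table[] = { [':'] = handle_set };
#define OP_TABLE_LEN (sizeof(op_table) / sizeof(op_table[0]))

/* Checked lookup: an index past the table ('_' is 95) or an empty slot
 * yields NULL instead of a pointer read from adjacent memory. */
static op_handler_t lookup_op(unsigned char op)
{
    if (op >= OP_TABLE_LEN)
        return NULL;
    return op_table[op];
}

/* Parse "key <op> value" and dispatch.
 * Returns 0 on success, -1 on a malformed line, -2 on an unknown operator. */
static int dispatch_line(const char *line)
{
    size_t n = 0;
    char key[64];

    while ((isalnum((unsigned char)line[n]) || line[n] == '_' || line[n] == '.')
           && n < sizeof(key) - 1) {
        key[n] = line[n];
        n++;
    }
    key[n] = '\0';
    while (isspace((unsigned char)line[n]))
        n++;
    if (key[0] == '\0' || line[n] == '\0')
        return -1;
    op_handler_t fn = lookup_op((unsigned char)line[n]);
    return fn ? fn(key, line + n + 1) : -2;
}

int main(void)
{   /* Constructed inputs: one valid line and the line from the report. */
    return (dispatch_line("Name: foo") == 0 && dispatch_line("a _ b") == -2) ? 0 : 1;
}
```
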

you seem to be having fun today :)

well I will put this in 1.7.1 and any other silliness you find :)

stoeckmann commented 2020-05-24 23:56:27 +00:00 (Migrated from github.com)

Heh, seems I am lucky to find these issues while inspecting the internals of pkgconf. Fortunately these issues are easy to fix, so I am fine with that approach.

This one has been merged.

Pull request closed

Reference: ariadne/pkgconf#193