SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   GNU Compiler Collection (GCC) Vendors:   GNU [multiple authors]
GNU C++ Compiler (GCC) Flaw in calloc() and Similar Functions May Result in Buffer Overflows in Applications That Use the Compiler
SecurityTracker Alert ID:  1004981
SecurityTracker URL:  http://securitytracker.com/id/1004981
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 7 2002
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network

Version(s): GCC 2.95, 3.0, 3.1.1
Description:   A vulnerability was reported in the GNU C++ Compiler (gcc), as well as several C, C++, and Ada compilers and runtime libraries. The calloc() function and other similar functions contain an integer overflow that may possibly result in a buffer overflow in a compiled application.

RUS-CERT reported that several products are affected. The extent to which an application compiled with or using these products is actually vulnerable depends on the application's use of the flawed function.

It is reported that the calloc() function and other memory allocation interfaces may experience an integer overflow if the storage size of the element type multiplied by the number of elements is greater than can be represented in a machine word.

In this case, the allocation routine may return a pointer to an allocated area that is too small instead of triggering an error condition. As a result, the application could overflow this buffer.

This is the same type of flaw that was recently reported in the xdr_array() function.

The RUS-CERT advisory (contained in the Source Message and also available at http://CERT.Uni-Stuttgart.DE/advisories/calloc.php) describes methods that can be used to determine if an application is affected.

Impact:   An application compiled with or using an affected product may contain a buffer overflow.
Solution:   No solution was available at the time of this entry.
Vendor URL:  gcc.gnu.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  RUS-CERT Advisory 2002-08:02: Flaw in calloc and similar routines


Flaw in calloc and similar routines

   Integer overflow can occur during the computation of the
   memory region size by calloc and similar functions. As a
   result, the function returns a buffer which is too small,
   possibly resulting in a subsequent buffer overflow. 

Who Should Read This Document

   This advisory is targeted at C, C++ and Ada compiler
   implementors and programmers.

Systems Affected

   RUS-CERT has verified that the following products are affected
   by this defect:

     * C run-time libraries:
          + GNU libc 2.2.5
          + dietlibc CVS as of 2002-08-01
          + Microsoft Visual C++ 4.0
          + Microsoft Visual C++ 6.0

     * language-specific allocators:
          + GNU C++ Compiler (GCC 2.95, 3.0, 3.1.1)
          + GNU Ada Compiler (GNAT 3.14p, GCC 3.1.1)
          + Microsoft Visual C++ 6.0 (C++ new allocator)

   Probably many more products are affected. (If a product is not
   listed above, it has not been examined.)

Attack Requirements And Impact

   Attack requirements and impact depend on the application using
   these interfaces.

Description

   Many memory allocation interfaces exhibit the same erratic
   behavior as the xdr_array Sun RPC function which has recently
   been published by ISS (CAN-2002-0391). All these interfaces
   take a (somtimes implicit) argument, the storage size of the
   element type, and the number of elements. To compute the size
   of the memory area which is needed, both numbers are
   multipliedA. If the result cannot be represented in a machine
   word, it can happen that the allocation routine returns a
   pointer to an allocated area which is too small (instead of
   signalling an error condition using the appropriate mechanism
   defined by the programming language). As a result, the
   application might overflow this buffer. The defect discovered
   in the xdr_array function mentioned above shows that errors in
   this class do have security implications.

   Typical code fragments which might lead to vulnerable
   applications are listed below.

     * C: pointer = calloc(sizeof(element_t), count);
     * C++: pointer = new ElementType[count];
     * Ada: Array_Access := new Element_Type (1 .. Count);

How To Detect The Defect

   In the calloc case, the source code should be examined.
   Constructs like "size = count * element_size;" without any
   overflow checks are problematic (and, similarly, expressions
   like "size *= nelems").

   In the C++ and Ada cases, the compiler can emit machine code
   instructions to calculate the total size in place. A small
   test program like the following can be compiled:

typedef struct {
  char data[0x10];
} DATA10;

void allocate(unsigned size)
{
  DATA10 *x = new DATA10[size];
}

   After that, the generated machine code has to be examined for
   overflow checking. In the Ada case, the following procedure
   can be used:

procedure Test (Size : Positive) is

   subtype Data10 is String (1 .. 16#0000_0010#);
   type Data10_Array is array (Positive range <>) of Data10;

   type Pointer is access Data10_Array;

   V : Pointer;

begin
   V := new Data10_Array (1 .. Size);
end;

   For both languages, the size might be computed using a library
   routine. In this case, the source code of the library routine
   has to be examined.

Countermeasures

   The GNU libc CVS repository contains a patch to add overflow
   detection to calloc.

   Although in most cases, the present overflows can be detected
   after they occured because only unsigned types are involved,
   programmers should be aware that overflow checking in C is not
   straightforward (see RUS-CERT Advisory 2002-08:01,
   http://cert.uni-stuttgart.de/advisories/c-integer-overflow.php).

About RUS-CERT

   RUS-CERT (http://CERT.Uni-Stuttgart.DE/) is the Computer
   Emergency Response Team located at the Computing Center (RUS)
   of the University of Stuttgart, Germany.

Revision History

   This document was published on 2002-08-05.

URL For This Document

   http://CERT.Uni-Stuttgart.DE/advisories/calloc.php

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC