Thursday, February 18, 2016

Buffer Overflow Vulnerability Discovered in glibc

There's a report out today from Google that their security team discovered a buffer overflow vulnerability in the GNU implementation of getaddrinfo.  Readers of Chapter 11 of CS:APP3e know this function as a very general tool for converting string representations of network parameters into the data structures used by other networking functions.  Engineers at Google and Red Hat were able to demonstrate that the program error could be exploited with a buffer overflow attack.

It's instructive to read the bug tracking reports at the Google post on their discovery:

https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

as well as the bug tracking log covering the actual error:

https://sourceware.org/bugzilla/show_bug.cgi?id=18665

There are several important insights to be gained from this report:


  • Buffer overflows are still a key source of software vulnerabilities.  Although they can be mitigated by address space randomization and other techniques, they still show up.
  • This bug was introduced with glibc 2.9 in May 2008.  It was first reported in July 2015 and fixed in February 2016.  That's a long time for a security vulnerability to lie undetected.
  • It only happens when a string is given that exceeds the 2048-byte limit of the regular buffer size.  The code then allocates more memory, but it does not correctly update some of the size information.  Apparently, this part of the code was not tested very carefully.  It's an unfortunate reality of program testing that it's hard to reach all of the corner cases in a program.  It seems like using code coverage tools could have been beneficial here.
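To make the third point concrete, here is an added example (written for this post, not code from glibc or from the Google report) of the general "fixed stack buffer with a heap fallback" pattern and the kind of bookkeeping slip the report describes.  The specific slip modeled here, a later write going back to the stack buffer while the size variable still holds the enlarged heap size, is an assumed simplification for illustration, not a claim about the exact glibc code path.  The `buggy` flag, the `answer_buf` type and the 3000/2500-byte sequence are all constructed for this demo.  Instead of letting the bad write corrupt memory, `store_answer` compares the requested length against the true capacity of whatever block it is about to write into and reports the overflow; that check stands in for what an AddressSanitizer build or a bounds assertion in a unit test would flag.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF_SIZE 2048   /* the "regular" buffer size */

/* Simplified model of a response buffer: answers go into a stack array
   unless they are too large, in which case a heap block is used.
   (Illustrative type, not glibc's.) */
typedef struct {
    char   stack_buf[STACK_BUF_SIZE];
    char  *buf;       /* where the next answer will be written */
    size_t cap;       /* capacity the bookkeeping variable claims for buf */
    char  *heap;      /* heap block, NULL until needed */
    size_t heap_cap;  /* true size of the heap block (harness bookkeeping) */
} answer_buf;

static void ab_init(answer_buf *a) {
    a->buf = a->stack_buf;
    a->cap = STACK_BUF_SIZE;
    a->heap = NULL;
    a->heap_cap = 0;
}

static void ab_free(answer_buf *a) { free(a->heap); a->heap = NULL; }

/* True capacity of the block buf currently points at, independent of
   what cap says.  This is the invariant the buggy path violates. */
static size_t ab_true_cap(const answer_buf *a) {
    return a->buf == a->stack_buf ? STACK_BUF_SIZE : a->heap_cap;
}

/* Store one answer of len bytes.
   Returns 0 on success, 1 if the write would run past the buffer it
   targets (caught here instead of corrupting memory), -1 on allocation
   failure. */
static int store_answer(answer_buf *a, const char *data, size_t len, int buggy) {
    if (len > a->cap) {                       /* grow to the heap */
        char *p = realloc(a->heap, len);
        if (p == NULL) return -1;
        a->heap = p;
        a->heap_cap = len;
        a->buf = p;
        a->cap = len;                         /* size variable now reflects the heap block */
    }
    if (len > ab_true_cap(a)) return 1;       /* would overflow: reject and report */
    memcpy(a->buf, data, len);
    if (buggy) {
        /* Modeled bug: the next answer is directed back at the stack
           buffer, but cap keeps the enlarged heap size, so the bounds
           check above is no longer protecting the stack array. */
        a->buf = a->stack_buf;
    }
    return 0;
}

/* Store two answers of the given sizes in order and return the result of
   the second store.  Sizes are capped at 4096 by the constructed payload. */
int two_answer_sequence(size_t first, size_t second, int buggy) {
    static char payload[4096];
    if (first > sizeof payload || second > sizeof payload) return -1;
    memset(payload, 'A', sizeof payload);     /* constructed filler, no meaning */
    answer_buf a;
    ab_init(&a);
    int rc = store_answer(&a, payload, first, buggy);
    if (rc == 0) rc = store_answer(&a, payload, second, buggy);
    ab_free(&a);
    return rc;
}

int main(void) {
    /* Ordinary inputs never leave the stack buffer, so the bug is invisible. */
    printf("small answers, buggy code: rc=%d\n", two_answer_sequence(1000, 1500, 1));
    /* A >2048-byte answer followed by another large one exposes the slip. */
    printf("large answers, fixed code: rc=%d\n", two_answer_sequence(3000, 2500, 0));
    printf("large answers, buggy code: rc=%d\n", two_answer_sequence(3000, 2500, 1));
    return 0;
}
```

The first call is the case a typical test suite exercises: both answers fit in 2048 bytes, the heap path is never taken, and the buggy and fixed versions behave identically.  Only the third call, which needs a first answer above the 2048-byte threshold and then a second large answer, reaches the line where `cap` and the real target disagree.  A coverage report would show the `len > a->cap` branch as never executed by such a suite, which is the signal the post's last bullet is pointing at.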

