It's instructive to read the bug tracking reports at the Google post on their discovery:
https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
as well as the bug tracking log covering the actual error:
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
There are several important insights to be gained from this report:
- Buffer overflows are still a key source of software vulnerabilities. Although they can be mitigated by address space randomization and other techniques, they still show up.
- This bug was introduced in with glib 2.9 in May, 2008. It was first reported in July, 2015 and fixed in February, 2016. That's a long time for a security vulnerability to lie undetected.
- It only happens when a string is given that exceeds the 2048-byte limit of the regular buffer size. The code is then allocates more memory, but it does not correctly update some of the size information properly. Apparently, this part of the code was not tested very carefully. It's an unfortunate reality of program testing that it's hard to reach all of the corner cases in a program. It seems like using code coverage tools could have been beneficial here.
No comments:
Post a Comment