[bug #52331] use-after-free in the privateSetLocale function


[bug #52331] use-after-free in the privateSetLocale function

URL:
  <http://savannah.gnu.org/bugs/?52331>

                 Summary: use-after-free in the privateSetLocale function
                 Project: GNUstep
            Submitted by: yavor
            Submitted on: Thu 02 Nov 2017 05:21:30 PM EET
                Category: Base/Foundation
                Severity: 3 - Normal
              Item Group: Bug
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

Jakub Wilk <[hidden email]> reports via Debian (#880575):

GNUstep Base 1.25.0
Architecture: i386 (x86)

The privateSetLocale() function can use memory that has been already freed:

$ valgrind -q -- ./test-locale
  ==9722== Invalid read of size 1
  ==9722==    at 0x48313D8: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==9722==    by 0x4A5FD89: _i_NSString__initWithCString_encoding_ (NSString.m:1246)
  ==9722==    by 0x4A5CAB3: _c_NSString__stringWithCString_encoding_ (NSString.m:954)
  ==9722==    by 0x48E2897: privateSetLocale (GSLocale.m:75)
  ==9722==    by 0x48E37CB: GSDefaultLanguageLocale (GSLocale.m:330)
  ==9722==    by 0x4A9BFCC: systemLanguages (NSUserDefaults.m:375)
  ==9722==    by 0x4A9BFCC: newLanguages (NSUserDefaults.m:397)
  ==9722==    by 0x4A9DF6D: _c_NSUserDefaults__standardUserDefaults (NSUserDefaults.m:928)
  ==9722==    by 0x10878E: main (test-locale.m:10)
  ==9722==  Address 0x7a78688 is 0 bytes inside a block of size 181 free'd
  ==9722==    at 0x482F478: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==9722==    by 0x4E9CE77: setname (setlocale.c:201)
  ==9722==    by 0x4E9CE77: setlocale (setlocale.c:456)
  ==9722==    by 0x4B0D13D: GSPrivateNativeCStringEncoding (Unicode.m:2862)
  ==9722==    by 0x48E2891: privateSetLocale (GSLocale.m:75)
  ==9722==    by 0x48E37CB: GSDefaultLanguageLocale (GSLocale.m:330)
  ==9722==    by 0x4A9BFCC: systemLanguages (NSUserDefaults.m:375)
  ==9722==    by 0x4A9BFCC: newLanguages (NSUserDefaults.m:397)
  ==9722==    by 0x4A9DF6D: _c_NSUserDefaults__standardUserDefaults (NSUserDefaults.m:928)
  ==9722==    by 0x10878E: main (test-locale.m:10)
  ==9722==  Block was alloc'd at
  ==9722==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==9722==    by 0x4E9C998: new_composite_name (setlocale.c:172)
  ==9722==    by 0x4E9CF49: setlocale (setlocale.c:378)
  ==9722==    by 0x108742: main (test-locale.m:8)

This happens because it calls setlocale twice; once directly:

 clocale = setlocale(category, clocale);

and then again indirectly: ToString -> GSPrivateNativeCStringEncoding ->
setlocale.

The other call invalidates the clocale pointer, as allowed by POSIX:
"The returned string pointer might be invalidated or the string content
might be overwritten by a subsequent call to setlocale()."

Attaching the test program.  (FWIW, I can't reproduce on x86 and x86_64.)



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Thu 02 Nov 2017 05:21:30 PM EET  Name: test-locale.m  Size: 281B   By: yavor
Test program supposed to demonstrate the bug
<http://savannah.gnu.org/bugs/download.php?file_id=42321>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?52331>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/


_______________________________________________
Bug-gnustep mailing list
[hidden email]
https://lists.gnu.org/mailman/listinfo/bug-gnustep
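The report's diagnosis, that a second setlocale() call invalidates the pointer the first one returned, has a standard mitigation: copy the returned name into memory you own before any other code can call setlocale() again. The C program below is an added example written for this page; it is not code from the report, from the attached test-locale.m, or from GNUstep. helper_that_calls_setlocale is a hypothetical stand-in for the library routine that makes the second call (GSPrivateNativeCStringEncoding in the trace), and set_locale_copy / copy_survives_second_call are assumed names for the safe shape of the report's `clocale = setlocale(category, clocale);` line.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a helper that, like GSPrivateNativeCStringEncoding
 * in the report's trace, calls setlocale() while the caller still holds the
 * pointer returned by an earlier setlocale() call. */
static void helper_that_calls_setlocale(void)
{
    setlocale(LC_ALL, "C");
}

/* Plain malloc+memcpy copy so the example does not depend on strdup() being
 * declared under the compiler's default feature macros. */
static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL) {
        memcpy(copy, s, len);
    }
    return copy;
}

/* Mirrors the report's `clocale = setlocale(category, clocale);` but hands
 * back an owned copy of the locale name, so a later setlocale() call (which
 * POSIX allows to free or overwrite the returned buffer) cannot invalidate it.
 * Returns NULL if the requested locale is unavailable; the caller frees. */
char *set_locale_copy(int category, const char *requested)
{
    const char *result = setlocale(category, requested);
    if (result == NULL) {
        return NULL;
    }
    return dup_string(result);
}

/* Exercises the safe shape: set the locale, let another routine call
 * setlocale() again, then use the saved name. Returns 1 when the copy is
 * still intact, 0 otherwise. The buggy shape from the report is the same
 * sequence with `const char *name = setlocale(LC_ALL, "C");` and no copy;
 * it is deliberately not executed here because reading `name` after the
 * second call is undefined behaviour (valgrind's "Invalid read" above). */
int copy_survives_second_call(void)
{
    char *name = set_locale_copy(LC_ALL, "C"); /* "C" is always available */
    if (name == NULL) {
        return 0;
    }
    helper_that_calls_setlocale();   /* would invalidate a raw setlocale() pointer */
    int intact = (strcmp(name, "C") == 0);
    free(name);
    return intact;
}

int main(void)
{
    printf("saved locale name intact after second setlocale(): %s\n",
           copy_survives_second_call() ? "yes" : "no");
    return 0;
}
```

Running the program under valgrind, as the reporter did, is the check that matters: with the copy in place there is no read of freed memory to report, whereas the raw-pointer version reproduces the "Invalid read" in the trace whenever the C library frees its composite locale name on the second call.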

[bug #52331] use-after-free in the privateSetLocale function

Update of bug #52331 (project gnustep):

                  Status:                    None => Ready For Test        
             Assigned to:                    None => FredKiefer            
             Open/Closed:                    Open => In Test                

    _______________________________________________________

Follow-up Comment #1:

Thank you very much for reporting this bug.
I just submitted a patch to the git repository. I was able to reproduce the
issue with valgrind and with this patch the memory corruption is gone. Please
test on your side as well.

Fred


[bug #52331] use-after-free in the privateSetLocale function

Follow-up Comment #2, bug #52331 (project gnustep):

Thanks, but could you please tell me where the canonical repository is?  Gna!
is gone and it looks like there wasn't a migration to Savannah.


[bug #52331] use-after-free in the privateSetLocale function

Follow-up Comment #3, bug #52331 (project gnustep):

The GNUstep repositories are now located at GitHub: https://github.com/gnustep

This is mentioned on the GNUstep web site but maybe not prominent enough.
Hopefully there will be a release of the core GNUstep components within the
next few weeks.


[bug #52331] use-after-free in the privateSetLocale function

Follow-up Comment #4, bug #52331 (project gnustep):

> The GNUstep repositories are now located at GitHub:

That is very unfortunate.

> This is mentioned on the GNUstep web site but maybe not
> prominent enough.

Yes, found it.  The last link under "Get it!" on the main page at gnustep.org
is confusing: it points to a wiki.gnustep.org page with instructions for the
old SVN repositories at gna.org.

Thanks for fixing the bug, you can close this item.


[bug #52331] use-after-free in the privateSetLocale function

Update of bug #52331 (project gnustep):

                  Status:          Ready For Test => Fixed                  
             Open/Closed:                 In Test => Closed                

