Posted to bugs@httpd.apache.org by bu...@apache.org on 2017/01/24 15:23:14 UTC

[Bug 60634] New: Stack address is returned from function mkrecord

https://bz.apache.org/bugzilla/show_bug.cgi?id=60634

            Bug ID: 60634
           Summary: Stack address is returned from function mkrecord
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: support
          Assignee: bugs@httpd.apache.org
          Reporter: shq-king@163.com
  Target Milestone: ---

The vulnerable function is in "support/htpasswd.c".
The code snippet is as follows.

static int mkrecord(struct passwd_ctx *ctx, char *user)
{
    char hash_str[MAX_STRING_LEN];
    ...
    ctx->out = hash_str;
    ...

    ret = mkhash(ctx);
    if (ret)
        return ret;

    ...
}

As "ctx->out" is not updated in function "mkhash", a stack address, i.e.
"hash_str", is returned as a side effect.

This issue is similar to Bug 59844.

Note that this issue is reported by shqking and Zhenwei Zou.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
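As an added illustration (not httpd's code, and not the change made in r1781509): a stand-alone C version of the pattern reported above, next to a hardened variant that clears ctx->out on every return path so the alias never outlives hash_str. The passwd_ctx fields, the mkhash body and the record format are assumed stand-ins, not the real htpasswd definitions.

```c
#include <stdio.h>
#include <string.h>
#define MAX_STRING_LEN 256

/* Stand-in for httpd's passwd_ctx (assumed shape; only the fields used here). */
struct passwd_ctx {
    const char *passwd;   /* input password */
    char *out;            /* where mkhash() writes the hash */
    size_t out_len;       /* capacity of out */
};

/* Stand-in for mkhash(): rejects an empty password, else writes a fake hash. */
static int mkhash(struct passwd_ctx *ctx)
{
    if (ctx->passwd == NULL || ctx->passwd[0] == '\0')
        return 1;
    snprintf(ctx->out, ctx->out_len, "$fake$%s", ctx->passwd);
    return 0;
}

/* Shape reported in the bug: ctx->out aliases a local buffer and stays set on
 * the error path, so the caller is left holding a pointer into a dead frame. */
static int mkrecord_reported(struct passwd_ctx *ctx, const char *user, char *rec, size_t n)
{
    char hash_str[MAX_STRING_LEN];
    int ret;
    ctx->out = hash_str;
    ctx->out_len = sizeof(hash_str);
    ret = mkhash(ctx);
    if (ret)
        return ret;               /* ctx->out still points at hash_str */
    snprintf(rec, n, "%s:%s", user, hash_str);
    return 0;
}

/* Hardened shape: every return path drops the alias before hash_str dies, so
 * a later use of ctx->out fails on NULL instead of reading stale stack memory. */
static int mkrecord_hardened(struct passwd_ctx *ctx, const char *user, char *rec, size_t n)
{
    char hash_str[MAX_STRING_LEN];
    int ret;
    ctx->out = hash_str;
    ctx->out_len = sizeof(hash_str);
    ret = mkhash(ctx);
    if (ret == 0)
        snprintf(rec, n, "%s:%s", user, hash_str);
    ctx->out = NULL;              /* the alias dies with this frame */
    ctx->out_len = 0;
    return ret;
}
```

Static analysers flag the first shape precisely because the stored address outlives the frame; the second shape is also what makes any later accidental use of ctx->out crash deterministically rather than read whatever now occupies that stack slot.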


[Bug 60634] Stack address is returned from function mkrecord


Yann Ylavic <yl...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Yann Ylavic <yl...@gmail.com> ---
Anyway, addressed in r1781509 to avoid further warnings (false positive) from
code analysis.

Thanks for the report.



[Bug 60634] Stack address is returned from function mkrecord


--- Comment #3 from shqking <sh...@163.com> ---
(In reply to Yann Ylavic from comment #1)
> Since the main (caller of mkrecord) exits when a non-zero value is returned,
> it does not access ctx->out so this is not really an issue, right?

Thanks for your reply.

According to the C Standard, 6.2.4 [ISO/IEC 9899:2011]
(https://www.securecoding.cert.org/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations),
the address of local variables escaping through output parameters is one kind
of undefined behavior, and can lead to an exploitable vulnerability.

Yes. We agree with you that this issue cannot cause any severe impact so
far.
But in our opinion, this issue seems like a "time bomb" and we'd better solve
it earlier.

Also your revision r1781509 makes it safe.
Thanks.



[Bug 60634] Stack address is returned from function mkrecord


--- Comment #1 from Yann Ylavic <yl...@gmail.com> ---
Since the main (caller of mkrecord) exits when a non-zero value is returned, it
does not access ctx->out so this is not really an issue, right?
