[Bug 2015216] [NEW] Invalid read of size 8 in strncmp() from is_dst()
Daniel van Vugt
2015216 at bugs.launchpad.net
Tue Apr 4 10:04:00 UTC 2023
*** This bug is a security vulnerability ***
Public security bug reported:
Valgrind reports this in gnome-shell on almost every run:
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x40067D6: _dl_dst_count (dl-load.c:253)
==34822== by 0x40067D6: expand_dynamic_string_token (dl-load.c:395)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
==34822==
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x4006645: _dl_dst_substitute (dl-load.c:295)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: libc6 2.37-0ubuntu2
ProcVersionSignature: Ubuntu 6.2.0-18.18-generic 6.2.6
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
Date: Tue Apr 4 18:01:17 2023
InstallationDate: Installed on 2022-11-28 (127 days ago)
InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Alpha amd64 (20221126)
SourcePackage: glibc
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: glibc (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug lunar
** Information type changed from Public to Private Security
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/2015216