URL:
<https://savannah.gnu.org/bugs/?59881>
Summary: Segmentation Fault through manipulated Makefile
Project: make
Submitted by: None
Submitted on: Fri 15 Jan 2021 01:18:53 PM UTC
Severity: 3 - Normal
Item Group: Bug
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Component Version: SCM
Operating System: None
Fixed Release: None
Triage Status: None
_______________________________________________________
Details:
I found another bug which causes a segfault when reading with "make -f min".
The issue is this line:
https://github.com/mirror/make/blob/master/src/file.c#L528
There, the value of "o" is smaller than "buffer", which causes an integer
underflow and a very large "len" value. When now calling "strcache_add_len"
the memcpy has such a large length that it actually tries to write to a value
below the stack:
https://github.com/mirror/make/blob/master/src/strcache.c#L248
I didn't have the time to check if there is a previous root cause which could be
detected sooner, but one fix (at least for that example) would be to just
check if "o" is smaller than "buffer".
On this example I am not sure if it is possible to exploit. This could be
potentially upgraded to an arbitrary write primitive to execute code. I know
there are easier ways to execute code (since it is a makefile), but it could
be a way to hide malware within the Makefile of open source projects.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 15 Jan 2021 01:18:53 PM UTC Name: min Size: 206B By: None
<http://savannah.gnu.org/bugs/download.php?file_id=50723>
_______________________________________________________
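The check proposed in the report, sketched as an added C example that is not part of the original report and is not GNU make's code. The names "o" and "buffer" follow the report; unchecked_len, checked_len, copy_span and the sample string are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* What an unchecked "o - buffer" becomes when used as a size_t length:
   a negative ptrdiff_t wraps to a value near SIZE_MAX. */
static size_t unchecked_len(const char *buffer, const char *o)
{
    return (size_t)(o - buffer);
}

/* Checked variant: refuse an end pointer that precedes the start.
   Returns 0 and stores the length on success, -1 otherwise. */
static int checked_len(const char *buffer, const char *o, size_t *len)
{
    if (buffer == NULL || o == NULL || o < buffer)
        return -1;
    *len = (size_t)(o - buffer);
    return 0;
}

/* Hypothetical stand-in for a length-taking copy routine: copies
   [buffer, o) into dst and NUL-terminates it, or fails without touching
   dst when the span is inverted or does not fit. */
static int copy_span(char *dst, size_t dstsz, const char *buffer, const char *o)
{
    size_t len;
    if (checked_len(buffer, o, &len) != 0 || len >= dstsz)
        return -1;
    memcpy(dst, buffer, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed input: both pointers stay inside one array, so the
   comparison and the subtraction are well defined. */
static char sample[16] = "target: prereq";

int main(void)
{
    char out[16];
    const char *buffer = sample + 8;   /* start of the span */
    const char *o_bad  = sample + 6;   /* "end" that lies before the start */
    const char *o_good = sample + 14;  /* proper end of the span */

    if (copy_span(out, sizeof out, buffer, o_bad) == 0) return 1;
    if (copy_span(out, sizeof out, buffer, o_good) != 0) return 1;
    return strcmp(out, "prereq") != 0;
}
```

With the inverted pair, unchecked_len returns SIZE_MAX - 1, which is the kind of length the report describes reaching memcpy; copy_span rejects the same pair before any copy happens.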