g_newa() doesn’t check for multiplication overflow
Original reporter: Jason MSVR
Area: Platform component
Message
[Note from Emmanuele Bassi: I'm re-sending this because it ended up in the middle of a spam/DoS swarm]
Hello Gnome Security,
This is Jason from MSVR and we would like to report a security vulnerability. Please see below details. Microsoft Vulnerability Research's current disclosure policy is 120 days from reporting date. If you have any questions please email us with the case # 64221 ( MSVR@Microsoft.com ).
Vulnerability Summary: We inspected GNOME's GLib, which is a general purpose libc/system library. GLib implements several memory allocation functions; one of them is 'g_newa', used to allocate a buffer for n items of different (struct) types.
https://developer.gnome.org/glib/2.66/glib-Memory-Allocation.html#g-newa
g_newa is implemented in an unsafe manner which might lead to integer multiplication overflow and unexpected successful allocation of very memory area.
https://gitlab.gnome.org/GNOME/glib/-/blob/master/glib/galloca.h#L101
This in turn leads to heap-overflow and potential RCE in client application code.
Test Environment (Includes the version of the software/hardware, version of the platform, special configuration): Vulnerable versions: All(19+ years old) up to latest.
Security Impact (MSVR uses the STRIDE threat model: Spoofing, Tampering, Repudiation, Info disclosure, Denial of service, Elevation of privilege): Remote Code Execution
Steps to reproduce the vulnerability: For example: allocating 1073741824 items of 4 on a 32-bit machine will lead to unexpected successful allocation of only 1 byte.
Proof of Concept and/or Exploit Code: g_newa(int, 1073741824)
Thanks, Jason MSVR
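The arithmetic behind the report, and the check a hardened allocator macro needs, as an added example that is neither GLib's code nor part of the original report. It assumes a hypothetical 32-bit size type (simulated with uint32_t so the result is the same on any host) and a hypothetical checked helper, checked_alloc_size, that refuses any n * item_size product exceeding a caller-supplied limit; the report's figures (1073741824 items of a 4-byte int) are used as the input. In pure 32-bit arithmetic the product wraps to 0; what a given alloca implementation then returns for a zero-length request is platform-specific, so no claim about the "1 byte" figure is made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked size computation in a simulated 32-bit size type
   (hypothetical reconstruction of the pattern the report describes,
   not GLib's own code): the product silently wraps modulo 2^32. */
static uint32_t unchecked_alloc_size_32(uint32_t n_items, uint32_t item_size)
{
    return n_items * item_size;   /* 1073741824 * 4 == 2^32 -> wraps to 0 */
}

/* Hypothetical checked variant. 'limit' is the largest byte count the
   target size type can hold (UINT32_MAX to model a 32-bit platform,
   SIZE_MAX for the host). Returns false and writes 0 to *out when the
   product would overflow; the division form avoids relying on compiler
   builtins and never itself overflows. */
static bool checked_alloc_size(size_t n_items, size_t item_size,
                               size_t limit, size_t *out)
{
    if (item_size != 0 && n_items > limit / item_size) {
        *out = 0;
        return false;             /* reject: caller must not allocate */
    }
    *out = n_items * item_size;   /* safe: fits in 'limit' */
    return true;
}

/* Convenience predicates so the checked result can be queried directly. */
static bool would_overflow(size_t n_items, size_t item_size, size_t limit)
{
    size_t out;
    return !checked_alloc_size(n_items, item_size, limit, &out);
}

static size_t checked_size_or_zero(size_t n_items, size_t item_size, size_t limit)
{
    size_t out;
    return checked_alloc_size(n_items, item_size, limit, &out) ? out : 0;
}

int main(void)
{
    /* Constructed input taken from the report: 1073741824 items of sizeof(int) == 4. */
    const uint32_t n = 1073741824u, sz = 4u;

    printf("unchecked 32-bit product: %u bytes\n", unchecked_alloc_size_32(n, sz));
    printf("checked (32-bit limit):   %s\n",
           would_overflow(n, sz, UINT32_MAX) ? "rejected (overflow)" : "accepted");
    printf("checked, 1000 items:      %zu bytes\n",
           checked_size_or_zero(1000, sz, UINT32_MAX));
    return 0;
}
```

The division test (n_items > limit / item_size) is the portable form; on GCC and Clang the same decision can be made with __builtin_mul_overflow, which also covers the 64-bit case where the wrapped value is no longer a neat zero.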