GNU C Library
cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*
- >= 2.7, <= 2.43
A heap buffer overflow vulnerability has been identified in the GNU C Library (glibc) versions 2.7 through 2.43. This issue arises when the scanf family of functions is used with the %mc (malloc'd character match) format specifier, particularly with a width greater than 1024. The vulnerability allows for a controlled one-byte overwrite of the heap buffer, which could potentially be exploited.
Exploitation of this vulnerability leads to a one-byte heap buffer overflow, which can be manipulated to overwrite adjacent memory and possibly execute arbitrary code.
The vulnerability can be reproduced by calling a scanf-family function with a format string that includes the %mc specifier and a width greater than 1024. This can be done by allocating a buffer of 1033 bytes, which is the maximum width that can be used without causing an overflow. Once the buffer is filled with data and scanf is called on the crafted input, the off-by-one overflow is triggered because the function reallocates one byte less than needed. This overwrites the metadata of the next memory chunk, creating a potential for exploitation.
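As an added example (not part of this advisory or of glibc), a small Python check that flags scanf-family format strings using a %mc conversion with a width above 1024, the condition described above. The sample C source is constructed, and the regex assumes the %[*][width]m c layout documented for scanf(3).

```python
import re

# Matches a call to one of scanf, fscanf, sscanf, vscanf, vfscanf, vsscanf.
SCANF_CALL = re.compile(r"\b(?:v?(?:f|s)?scanf)\s*\(")
# A C string literal (handles escaped quotes).
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
# One conversion spec: %[*][width][m]conv  (assumption: other length
# modifiers are not combined with 'm', which is true for %c).
CONV = re.compile(r"%(?P<star>\*?)(?P<width>\d*)(?P<m>m?)(?P<conv>[%a-zA-Z\[])")


def risky_mc_conversions(fmt, limit=1024):
    """Return (width, spec) for every %...mc conversion whose width exceeds limit."""
    hits = []
    for spec in CONV.finditer(fmt):
        if spec.group("conv") != "c" or not spec.group("m"):
            continue
        width = int(spec.group("width") or 1)  # %c without a width reads one char
        if width > limit:
            hits.append((width, spec.group(0)))
    return hits


def audit_source(text, limit=1024):
    """Scan C source text; return (line_no, spec, width) for risky scanf-family calls."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not SCANF_CALL.search(line):
            continue
        for literal in STRING_LIT.findall(line):
            for width, spec in risky_mc_conversions(literal, limit):
                findings.append((line_no, spec, width))
    return findings


# Constructed sample source, not taken from any real project.
SAMPLE_C = r'''char *tok = NULL;
if (sscanf(buf, "%1025mc", &tok) == 1) use(tok);   /* width > 1024: flagged */
sscanf(buf, "%1024mc", &tok);                        /* at the limit: not flagged */
fscanf(fp, "%*d %64mc %d", &tok, &n);                /* small width: fine */
printf("%1025mc");                                   /* not a scanf call: ignored */
'''

if __name__ == "__main__":
    for line_no, spec, width in audit_source(SAMPLE_C):
        print(f"line {line_no}: {spec} (width {width} > 1024)")
```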
A patch for this vulnerability has been proposed and is available for review.