CVE-2023-4911 glibc Looney Tunables heap buffer overflow in parse_tunables

The GNU C Library (glibc) version 2.37 contains a heap buffer overflow vulnerability in the __tunables_init function when processing the GLIBC_TUNABLES environment variable in secure mode (SUID/SGID binaries). The parse_tunables function (elf/dl-tunables.c:170) rewrites the GLIBC_TUNABLES string to drop security-restricted tunables, but uses full tunable names (e.g., 'glibc.malloc.arena_test') which are significantly longer than the original format. The buffer was allocated based on the original string length, but the rewritten output exceeds the allocated size with no bounds checking, allowing unbounded heap overflow and code execution.", Found the vulnerability by examining the call chain: __tunables_init calls tunables_strdup to allocate a buffer based on the environment variable length, then passes a pointer into that buffer to parse_tunables. In parse_tunables, when __libc_enable_secure is true, the function rewrites the buffer using full tunable names from tunable_list. Identified that full tunable names like 'glibc.malloc.arena_test' (23+ chars) are much longer than original format names, causing overflow when rewritten without bounds checking. Confirmed by examining dl-tunables.list which shows all tunable names that could be written.", The vulnerability can be exploited by crafting a GLIBC_TUNABLES environment variable that, when processed by a SUID/SGID binary, triggers the rewriting logic in parse_tunables. Since the buffer is allocated exactly to the original string size, writing longer full tunable names causes a heap buffer overflow past the allocated boundary. This allows writing arbitrary data on the heap, enabling ROP chains and code execution. The fix requires adding bounds checking before writes to tunestr[off++] at lines 231, 236, 238, 241, or allocating a larger buffer that can accommodate the rewritten string with full tunable names.", buffer-overflow