From: Corinna Vinschen
To: cygwin@cygwin.com
Cc: Ken Harris
Date: Wed, 30 May 2018 01:04:00 -0000
Subject: Re: winsup\cygwin\path.cc issues
Message-ID: <20180529163141.GI3501@calimero.vinschen.de>

Hi Ken,

On May  4 01:23, Ken Harris wrote:
> Hi Marco: Sorry for not replying to the original exchange we had. I
> wasn't subscribed to the list but now I am so it won't happen again
> (so I'm quoting our exchange below).
>
> I installed and built cygwin1.dll with an added assert
> in path.cc to identify when the buffer underrun
> condition I originally described occurs:
>
> $ diff -b
> ./cygwin-2.10.0-1.src/newlib-cygwin/winsup/cygwin/path.cc.ORIG
> ./cygwin-2.10.0-1.src/newlib-cygwin/winsup/cygwin/path.cc 2803c2803 <
> ; ---
> > assert(p >= path);
>
> Thus, a simple:
>
> cat '\A../../../B'
>
> will result in the assert firing:
>
> kharris@ah-kharris /usr/src $ cat '\A../../../B' assertion "p >= path"
> failed: file "../../.././winsup/cygwin/path.cc", line 2803, function:
> int symlink_info::check(char*, const suffix_info*, fs_info&,
> path_conv_handle&) Aborted (core dumped)
>
> Attached is a patch (in addition to the added assert) with what I
> *think* might really fix the problem. This was where the expected
> backslash got squashed which allowed symlink_info::check() to go
> "negative" with its 'p' pointer and look for a backslash in someone
> else's memory.

Thanks for your preliminary work, but as far as I can see this isn't the
entire solution.

The same problem occurs if your CWD is the root of a drive, e.g., C:\,
and you call cat A../../../B. Even simpler, try
`cat 'C:\A../../../B''

The reason is that the code in normalize_win32_path never actually
ignores drive prefixes. There's an implicit (and oh so wrong)
assumption that any path starts with a slash or backslash one way or
the other. It's pretty weird that it took so long to find this blatant
problem.

I applied a patch which hopefully fixes this problem in all code paths:

https://sourceware.org/git/?p=newlib-cygwin.git;a=commitdiff;h=35998fc2fa6c

I also left your assertion in the code for now as an additional patch

https://sourceware.org/git/?p=newlib-cygwin.git;a=commitdiff;h=7d00a5e320db

just to be sure, but I will take this out again before a release.

I uploaded new developer snapshots to https://cygwin.com/snapshots/
containing the above patches. Please give them a try.

Thanks,
Corinna

-- 
Corinna Vinschen
Please, send mails regarding Cygwin to cygwin AT cygwin DOT com
Cygwin Maintainer
Red Hat
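
Review bot: the `assert(p >= path);` added at path.cc line 2803 detects the underrun but does not prevent it, and as the quoted run shows, it turns a malformed path argument into "Aborted (core dumped)" for the calling program. An assert also compiles to nothing when NDEBUG is defined, so a build with assertions disabled is back to the unchecked pointer. Suggest keeping the assert only as a temporary diagnostic and making the lower bound on `p` a real test that returns an error to the caller.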