From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <glibc-bugs-return-19180-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Received: (qmail 25043 invoked by alias); 20 Jul 2013 10:55:37 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Received: (qmail 22796 invoked by uid 48); 20 Jul 2013 10:53:34 -0000
From: "corbellini.andrea at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/15763] New: shm_open/unlink let you write outside SHMDIR
Date: Sat, 20 Jul 2013 10:55:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.18
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: corbellini.andrea at gmail dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc
Message-ID: <bug-15763-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2013-07/txt/msg00121.txt.bz2

http://sourceware.org/bugzilla/show_bug.cgi?id=15763

            Bug ID: 15763
           Summary: shm_open/unlink let you write outside SHMDIR
           Product: glibc
           Version: 2.18
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: corbellini.andrea at gmail dot com
                CC: drepper.fsp at gmail dot com

shm_open() and shm_unlink() accept relative paths. As the test case below
demonstrates, if you give a relative path to shm_open, you will be able to open
files anywhere in the system (assuming that you have the right permissions).

Test case:
#include <fcntl.h>
int main (void)
{
  shm_open ("../../tmp/abc", O_CREAT | O_RDWR, 0666);
  perror ("shm_open");
}

Expected output:
shm_open: Invalid argument

Actual output:
shm_open: Success

-- 
You are receiving this mail because:
You are on the CC list for the bug.