* [Bug libc/26592] New: pointer arithmetic overflows in realpath
From: bugdal at aerifal dot cx @ 2020-09-09 17:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26592

            Bug ID: 26592
           Summary: pointer arithmetic overflows in realpath
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: bugdal at aerifal dot cx
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

realpath uses an end-of-array pointer rpath_limit, and makes invalid
(overflowing) comparisons against it to catch overflow. In particular:

    if (dest + (end-start) >= rpath_limit)

This is not just a theoretical issue of pedantic UB-correctness; if dest is
within end-start of the end of address space (easily possible in some
environments, like i386 on 64-bit kernel with dest on stack, where stack
typically starts within 1MB of end of address space) then dest+(end-start) will
overflow and the comparison will evaluate false. Note that end-start can be
unboundedly large; no NAME_MAX limit is imposed here.

I first considered reporting this via security channels, but being that it's
probably rare for an attacker to have a vector to pass a long pathname to
realpath that's not also on the stack, I estimate the real-world exposure to be
low. Moreover, when the check is skipped, the impact seems to be a linear
overflow past the end of a stack buffer all the way to the end of address
space, which should be expected to crash before the memcpy completes. The only
situations in which it looks like this might be exploitable for anything beyond
DoS are multithreaded environments where there might be a brief window before
the crash (possibly with means to delay the crash) or in programs that
intercept SIGSEGV to do introspective diagnostics (in which case the
interceptor runs with potentially clobbered state).

This specific comparison can easily be rewritten to be correct as:

    if (end-start >= rpath_limit-dest)

but I have not checked the file in detail and there may be other points at
which undefined pointer arithmetic occurs.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
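As an added illustration (not code from the report or from glibc), the following C model contrasts the quoted comparison with the corrected one and applies the corrected bound in a small copy routine. The names `unsafe_fits`, `safe_fits`, `append_component` and `demo_append` are assumptions; addresses are modelled as `uintptr_t` so the wraparound is well defined in the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the check quoted in the report: dest + (end-start) is formed as an
   address before comparing against rpath_limit.  Modelled with uintptr_t so the
   wrap is defined here; in real C forming that pointer is undefined behaviour. */
static int unsafe_fits(uintptr_t dest, uintptr_t limit, size_t len)
{
    return !(dest + len >= limit);   /* wraps when dest is near the top of memory */
}

/* Corrected check from the report: end-start >= rpath_limit-dest, i.e.
   compare the needed length against the room left, which cannot overflow. */
static int safe_fits(uintptr_t dest, uintptr_t limit, size_t len)
{
    return len < limit - dest;
}

/* Copy one component [start, end) into rpath at dest using the corrected
   bound (one byte is reserved for the NUL).  Returns the new dest, or NULL
   if the component does not fit.  Hypothetical helper, not glibc's code. */
static char *append_component(char *rpath, size_t rpath_size, char *dest,
                              const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    char *rpath_limit = rpath + rpath_size;
    if (len >= (size_t)(rpath_limit - dest))
        return NULL;
    memcpy(dest, start, len);
    dest[len] = '\0';
    return dest + len;
}

/* Self-check on a constructed 16-byte buffer: "usr" fits; then a 13-byte
   component must be rejected (13 bytes remain, one of them for the NUL),
   while a 12-byte one fills the buffer exactly.  Returns 1 on success. */
static int demo_append(void)
{
    char buf[16];
    const char *c13 = "abcdefghijklm", *c12 = "abcdefghijkl";
    char *d = append_component(buf, sizeof buf, buf, "usr", "usr" + 3);
    if (d != buf + 3 || strcmp(buf, "usr") != 0)
        return 0;
    if (append_component(buf, sizeof buf, d, c13, c13 + 13) != NULL)
        return 0;
    d = append_component(buf, sizeof buf, d, c12, c12 + 12);
    return d == buf + 15 && strcmp(buf, "usrabcdefghijkl") == 0;
}

int main(void) { return demo_append() ? 0 : 1; }
```

With dest 100 bytes below the top of the address space and a 1000-byte component, the modelled original check reports that the component fits while the corrected check rejects it.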


* [Bug libc/26592] pointer arithmetic overflows in realpath
From: fweimer at redhat dot com @ 2020-09-10  8:52 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26592

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Thanks, I posted a note to the bug-gnulib list, as this code is shared with
gnulib:

<https://lists.gnu.org/archive/html/bug-gnulib/2020-09/msg00025.html>


* [Bug libc/26592] pointer arithmetic overflows in realpath
From: adhemerval.zanella at linaro dot org @ 2021-01-05 16:34 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26592

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adhemerval.zanella at linaro dot org
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #2 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Fixed on 2.33.


* [Bug libc/26592] pointer arithmetic overflows in realpath
From: adhemerval.zanella at linaro dot org @ 2021-01-05 16:34 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26592

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.33
           Assignee|unassigned at sourceware dot org   |adhemerval.zanella at linaro dot org
