public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999) Date: Mon, 24 Jan 2022 06:46:46 +0000 [thread overview] Message-ID: <bug-28769-131-4lFwHDJRz4@http.sourceware.org/bugzilla/> (raw) In-Reply-To: <bug-28769-131@http.sourceware.org/bugzilla/> https://sourceware.org/bugzilla/show_bug.cgi?id=28769 --- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> --- The release/2.34/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=472e799a5f2102bc0c3206dbd5a801765fceb39c commit 472e799a5f2102bc0c3206dbd5a801765fceb39c Author: Siddhesh Poyarekar <siddhesh@sourceware.org> Date: Fri Jan 21 23:32:56 2022 +0530 getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999) No valid path returned by getcwd would fit into 1 byte, so reject the size early and return NULL with errno set to ERANGE. This change is prompted by CVE-2021-3999, which describes a single byte buffer underflow and overflow when all of the following conditions are met: - The buffer size (i.e. the second argument of getcwd) is 1 byte - The current working directory is too long - '/' is also mounted on the current working directory Sequence of events: - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG because the linux kernel checks for name length before it checks buffer size - The code falls back to the generic getcwd in sysdeps/posix - In the generic func, the buf[0] is set to '\0' on line 250 - this while loop on line 262 is bypassed: while (!(thisdev == rootdev && thisino == rootino)) since the rootfs (/) is bind mounted onto the directory and the flow goes on to line 449, where it puts a '/' in the byte before the buffer. - Finally on line 458, it moves 2 bytes (the underflowed byte and the '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow. - buf is returned on line 469 and errno is not set. This resolves BZ #28769. Reviewed-by: Andreas Schwab <schwab@linux-m68k.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Signed-off-by: Qualys Security Advisory <qsa@qualys.com> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> (cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e) -- You are receiving this mail because: You are on the CC list for the bug.
next prev parent reply other threads:[~2022-01-24 6:46 UTC|newest] Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-01-12 13:44 [Bug libc/28769] New: " siddhesh at sourceware dot org 2022-01-12 13:45 ` [Bug libc/28769] " siddhesh at sourceware dot org 2022-01-12 13:48 ` fweimer at redhat dot com 2022-01-12 13:48 ` fweimer at redhat dot com 2022-01-15 15:41 ` aurelien at aurel32 dot net 2022-01-17 9:07 ` pgowda.cve at gmail dot com 2022-01-24 6:01 ` cvs-commit at gcc dot gnu.org 2022-01-24 6:46 ` cvs-commit at gcc dot gnu.org [this message] 2022-01-24 6:47 ` siddhesh at sourceware dot org 2022-01-24 22:46 ` cvs-commit at gcc dot gnu.org 2022-01-24 22:49 ` cvs-commit at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-28769-131-4lFwHDJRz4@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).