[Bug libc/28769] New: Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[Bug libc/28769] New: Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

            Bug ID: 28769
           Summary: Off-by-one buffer overflow/underflow in getcwd()
                    (CVE-2021-3999)
           Product: glibc
           Version: 2.35
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: siddhesh at sourceware dot org
          Reporter: siddhesh at sourceware dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security+

For very long file names, the getcwd syscall returns ENAMETOOLONG, resulting in
a call to __getcwd_generic.  That function in turn assumes a size that's
suficient for at least a '/', so a size of 1 results in access that's one byte
beyond bounds of buf.

We always need a minimum size of 2 bytes, so the glibc function should set
ERANGE and return NULL for size of 1 byte.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.redhat.com
                   |                            |/show_bug.cgi?id=2024637

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[aurelien at aurel32 dot net]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

Aurelien Jarno <aurelien at aurel32 dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aurelien at aurel32 dot net

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[pgowda.cve at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

pgowda <pgowda.cve at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pgowda.cve at gmail dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e

commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 21 23:32:56 2022 +0530

    getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)

    No valid path returned by getcwd would fit into 1 byte, so reject the
    size early and return NULL with errno set to ERANGE.  This change is
    prompted by CVE-2021-3999, which describes a single byte buffer
    underflow and overflow when all of the following conditions are met:

    - The buffer size (i.e. the second argument of getcwd) is 1 byte
    - The current working directory is too long
    - '/' is also mounted on the current working directory

    Sequence of events:

    - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
      because the linux kernel checks for name length before it checks
      buffer size

    - The code falls back to the generic getcwd in sysdeps/posix

    - In the generic func, the buf[0] is set to '\0' on line 250

    - this while loop on line 262 is bypassed:

        while (!(thisdev == rootdev && thisino == rootino))

      since the rootfs (/) is bind mounted onto the directory and the flow
      goes on to line 449, where it puts a '/' in the byte before the
      buffer.

    - Finally on line 458, it moves 2 bytes (the underflowed byte and the
      '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.

    - buf is returned on line 469 and errno is not set.

    This resolves BZ #28769.

    Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.34/master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=472e799a5f2102bc0c3206dbd5a801765fceb39c

commit 472e799a5f2102bc0c3206dbd5a801765fceb39c
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 21 23:32:56 2022 +0530

    getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)

    No valid path returned by getcwd would fit into 1 byte, so reject the
    size early and return NULL with errno set to ERANGE.  This change is
    prompted by CVE-2021-3999, which describes a single byte buffer
    underflow and overflow when all of the following conditions are met:

    - The buffer size (i.e. the second argument of getcwd) is 1 byte
    - The current working directory is too long
    - '/' is also mounted on the current working directory

    Sequence of events:

    - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
      because the linux kernel checks for name length before it checks
      buffer size

    - The code falls back to the generic getcwd in sysdeps/posix

    - In the generic func, the buf[0] is set to '\0' on line 250

    - this while loop on line 262 is bypassed:

        while (!(thisdev == rootdev && thisino == rootino))

      since the rootfs (/) is bind mounted onto the directory and the flow
      goes on to line 449, where it puts a '/' in the byte before the
      buffer.

    - Finally on line 458, it moves 2 bytes (the underflowed byte and the
      '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.

    - buf is returned on line 469 and errno is not set.

    This resolves BZ #28769.

    Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.35
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Fixed on trunk and 2.34.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.34/master branch has been updated by Aurelien Jarno
<aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1b9cd6a7214db1812a20eb3591cf42f9190a5d1a

commit 1b9cd6a7214db1812a20eb3591cf42f9190a5d1a
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Mon Jan 24 23:45:03 2022 +0100

    NEWS: add bug entry for BZ #28769 and BZ #28770

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/28769] Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=28769

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.33/master branch has been updated by Aurelien Jarno
<aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bcdde07537d733eafe1f28cea3084003e140f5ff

commit bcdde07537d733eafe1f28cea3084003e140f5ff
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 21 23:32:56 2022 +0530

    getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)

    No valid path returned by getcwd would fit into 1 byte, so reject the
    size early and return NULL with errno set to ERANGE.  This change is
    prompted by CVE-2021-3999, which describes a single byte buffer
    underflow and overflow when all of the following conditions are met:

    - The buffer size (i.e. the second argument of getcwd) is 1 byte
    - The current working directory is too long
    - '/' is also mounted on the current working directory

    Sequence of events:

    - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
      because the linux kernel checks for name length before it checks
      buffer size

    - The code falls back to the generic getcwd in sysdeps/posix

    - In the generic func, the buf[0] is set to '\0' on line 250

    - this while loop on line 262 is bypassed:

        while (!(thisdev == rootdev && thisino == rootino))

      since the rootfs (/) is bind mounted onto the directory and the flow
      goes on to line 449, where it puts a '/' in the byte before the
      buffer.

    - Finally on line 458, it moves 2 bytes (the underflowed byte and the
      '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.

    - buf is returned on line 469 and errno is not set.

    This resolves BZ #28769.

    Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e)

-- 
You are receiving this mail because:
You are on the CC list for the bug.