From: "flibitijibibo at flibitijibibo dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/31198] New: realpath allocates a buffer that may not fit a full path
Date: Sat, 30 Dec 2023 00:36:38 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31198

            Bug ID: 31198
           Summary: realpath allocates a buffer that may not fit a full path
           Product: glibc
           Version: 2.36
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: flibitijibibo at flibitijibibo dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 15273 -->
https://sourceware.org/bugzilla/attachment.cgi?id=15273&action=edit
Patch to replace strdup with malloc(PATH_MAX)

Consider the following example:

    extern char *somepath;
    char *path = realpath(somepath, NULL);
    strcat(path, "/");

It is common to append directory separators to paths, but when realpath
allocates the buffer the size cannot be determined from the outside. While the
application can provide its own buffer, it is reasonable for an application to
assume that a path buffer will be able to fit a full path string even if it
gets modified after the call is made. As a result, modifications to the
strdup'd return value may result in a buffer overwrite.

A good replacement for the strdup allocation in realpath would be to always
allocate a buffer of PATH_MAX size, regardless of the realpath size, so that
modifications to the return value will always fit. I've attached a patch that
does this.

This would fix a crash in the Steamworks SDK, which prior to 2017 always
assumed that the buffer returned by realpath had room to append a directory
separator to the end.
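
A caller-side way to append the separator without relying on the size of the buffer realpath returns, as an added example that is not part of the original report, the attached patch, or glibc. The helper name realpath_with_sep is hypothetical; it treats the returned buffer as exact-fit and grows it before writing.

```c
/* Added example: not glibc or Steamworks code. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* declares realpath() under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper: resolve `path` and return it with exactly one
 * trailing '/'. The result is malloc'd and owned by the caller.
 * Returns NULL with errno set on failure.
 */
char *realpath_with_sep(const char *path)
{
    /* With a NULL second argument, only the resolved string and its
     * terminator are guaranteed to fit; assume no spare bytes. */
    char *resolved = realpath(path, NULL);
    if (resolved == NULL)
        return NULL;

    size_t len = strlen(resolved);
    if (len > 0 && resolved[len - 1] == '/')
        return resolved;            /* root directory is already "/" */

    /* len bytes of path + 1 separator + 1 terminator. */
    char *grown = realloc(resolved, len + 2);
    if (grown == NULL) {
        free(resolved);             /* realloc leaves the old block valid */
        errno = ENOMEM;
        return NULL;
    }
    grown[len] = '/';
    grown[len + 1] = '\0';
    return grown;
}

int main(int argc, char **argv)
{
    const char *in = argc > 1 ? argv[1] : ".";
    char *out = realpath_with_sep(in);
    if (out == NULL) { perror(in); return 1; }
    puts(out);
    free(out);
    return 0;
}
```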