From mboxrd@z Thu Jan 1 00:00:00 1970
Received: by sourceware.org (Postfix, from userid 2154)
	id D0C1C39B1C43; Fri, 23 Jul 2021 17:06:55 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D0C1C39B1C43
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Stan Shebs
To: glibc-cvs@sourceware.org
Subject: [glibc/google/grte/v5-2.27/master] Fix use-after-free in glob when expanding ~user (bug 25414)
X-Act-Checkin: glibc
X-Git-Author: Andreas Schwab
X-Git-Refname: refs/heads/google/grte/v5-2.27/master
X-Git-Oldrev: 4bb48f1b3aec652651b2fe45d5dac90cd7812453
X-Git-Newrev: 1ebb784472433f069e4c735efbbd738860e55bd0
Message-Id: <20210723170655.D0C1C39B1C43@sourceware.org>
Date: Fri, 23 Jul 2021 17:06:55 +0000 (GMT)
X-BeenThere: glibc-cvs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-cvs mailing list
X-List-Received-Date: Fri, 23 Jul 2021 17:06:55 -0000

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1ebb784472433f069e4c735efbbd738860e55bd0

commit 1ebb784472433f069e4c735efbbd738860e55bd0
Author: Andreas Schwab
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

Diff:
---
 posix/glob.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/posix/glob.c b/posix/glob.c
index 8444b2f79e..1b389d2da1 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), { size_t home_len = strlen (p->pw_dir); size_t rest_len = end_name == NULL ? 0 : strlen (end_name); - char *d; + char *d, *newp; + bool use_alloca = glob_use_alloca (alloca_used, + home_len + rest_len + 1); - if (__glibc_unlikely (malloc_dirname)) - free (dirname); - malloc_dirname = 0; - - if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) - dirname = alloca_account (home_len + rest_len + 1, - alloca_used); + if (use_alloca) + newp = alloca_account (home_len + rest_len + 1, alloca_used); else { - dirname = malloc (home_len + rest_len + 1); - if (dirname == NULL) + newp = malloc (home_len + rest_len + 1); + if (newp == NULL) { scratch_buffer_free (&pwtmpbuf); retval = GLOB_NOSPACE; goto out; } - malloc_dirname = 1; } - d = mempcpy (dirname, p->pw_dir, home_len); + d = mempcpy (newp, p->pw_dir, home_len); if (end_name != NULL) d = mempcpy (d, end_name, rest_len); *d = '\0'; + if (__glibc_unlikely (malloc_dirname)) + free (dirname); + dirname = newp; + malloc_dirname = !use_alloca; + dirlen = home_len + rest_len; dirname_modified = 1; }
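Review bot: the malloc-failure branch (`newp == NULL` ... `goto out`) now leaves the previous `dirname` allocated with `malloc_dirname` still set, whereas before this hunk that buffer had already been freed and `malloc_dirname` cleared by the time `malloc` was attempted; that is only correct if the code at `out:` frees `dirname` when `malloc_dirname` is set, which lies outside this hunk and should be confirmed for this branch. Separately, `+ dirlen = home_len + rest_len;` is an added assignment that the commit message does not mention; it keeps `dirlen` consistent with the string just built in `newp`, but since it goes beyond the reordering that fixes the use-after-free, please state it in the message (or split it into its own commit) so a later reader of this backport does not take it for part of the bug fix.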
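The ordering bug described in the commit message, reduced to a stand-alone C program. This is an added example, not glibc's code and not part of the commit or the mail: the `struct dirbuf`, the function names `expand_user_buggy`, `expand_user_fixed`, `expand_tilde_user` and `check_expansion`, and the constructed home directory that stands in for the `getpwnam` lookup are all assumptions of this example. The buggy variant mirrors the `-` lines of the hunk (free `dirname`, then copy from `end_name`, which points into it); the fixed variant mirrors the `+` lines (build `newp` first, free the old buffer last).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The (dirname, malloc_dirname) pair glob keeps while expanding a
   pattern.  This struct and every function below are this example's
   own names, not glibc's.  */
struct dirbuf {
  char *dirname;        /* "~user" or "~user/rest" */
  bool malloc_dirname;  /* true when dirname must be free()d */
};

/* Buggy ordering (the '-' lines of the hunk): end_name points into
   db->dirname, but dirname is freed before end_name is copied out, so
   the second memcpy reads freed memory.  Shown only for the pattern;
   nothing in this example calls it.  */
static int expand_user_buggy (struct dirbuf *db, const char *end_name,
                              const char *pw_dir)
{
  size_t home_len = strlen (pw_dir);
  size_t rest_len = end_name == NULL ? 0 : strlen (end_name);

  if (db->malloc_dirname)
    free (db->dirname);        /* end_name now dangles */
  db->malloc_dirname = false;

  db->dirname = malloc (home_len + rest_len + 1);
  if (db->dirname == NULL)
    return -1;
  db->malloc_dirname = true;

  memcpy (db->dirname, pw_dir, home_len);
  if (end_name != NULL)
    memcpy (db->dirname + home_len, end_name, rest_len); /* use-after-free */
  db->dirname[home_len + rest_len] = '\0';
  return 0;
}

/* Fixed ordering (the '+' lines): fill a fresh buffer first, then
   release the old one and hand ownership over.  */
static int expand_user_fixed (struct dirbuf *db, const char *end_name,
                              const char *pw_dir)
{
  size_t home_len = strlen (pw_dir);
  size_t rest_len = end_name == NULL ? 0 : strlen (end_name);

  char *newp = malloc (home_len + rest_len + 1);
  if (newp == NULL)
    return -1;                 /* caller still owns the old dirname */

  memcpy (newp, pw_dir, home_len);
  if (end_name != NULL)
    memcpy (newp + home_len, end_name, rest_len);
  newp[home_len + rest_len] = '\0';

  /* The last use of end_name is above, so the old buffer may go now.  */
  if (db->malloc_dirname)
    free (db->dirname);
  db->dirname = newp;
  db->malloc_dirname = true;
  return 0;
}

/* Expand a "~user[/rest]" directory part; pw_dir is a constructed home
   directory standing in for getpwnam().  Returns a malloc'd string the
   caller frees, or NULL on allocation failure.  */
static char *expand_tilde_user (const char *dir, const char *pw_dir)
{
  struct dirbuf db;
  size_t n = strlen (dir) + 1;

  db.dirname = malloc (n);     /* heap copy, as when glob had to modify it */
  if (db.dirname == NULL)
    return NULL;
  memcpy (db.dirname, dir, n);
  db.malloc_dirname = true;

  /* end_name is the "/rest" suffix inside dirname, or NULL for "~user".  */
  const char *end_name = strchr (db.dirname, '/');
  if (expand_user_fixed (&db, end_name, pw_dir) != 0)
    {
      free (db.dirname);
      return NULL;
    }
  return db.dirname;
}

/* 1 when dir expands to expected under pw_dir, else 0.  */
static int check_expansion (const char *dir, const char *pw_dir,
                            const char *expected)
{
  char *got = expand_tilde_user (dir, pw_dir);
  int ok = got != NULL && strcmp (got, expected) == 0;
  free (got);
  return ok;
}

int main (void)
{
  (void) &expand_user_buggy;   /* referenced only so the pattern stays visible */
  char *s = expand_tilde_user ("~alice/docs", "/home/alice");
  printf ("%s\n", s != NULL ? s : "(failed)");
  free (s);
  return 0;
}
```

Building with `-fsanitize=address` and swapping `expand_user_fixed` for `expand_user_buggy` inside `expand_tilde_user` makes the difference concrete: AddressSanitizer reports a heap-use-after-free on the `memcpy` from `end_name`, because the freed `dirname` block is still what `end_name` points at. The fixed ordering never touches freed memory, and its failure path leaves the caller holding a valid `dirname` to release.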