From: Siddhesh Poyarekar
To: Andreas Schwab, Siddhesh Poyarekar via Libc-alpha
Cc: fweimer@redhat.com, Qualys Security Advisory
Subject: Re: [PATCH 3/3] getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
Date: Tue, 18 Jan 2022 18:40:52 +0530
Message-ID: <149b2d34-a393-06e3-5dff-59a3885d208b@sourceware.org>
In-Reply-To: <87a6ft8dmy.fsf@igel.home>
References: <20220118090728.1825487-1-siddhesh@sourceware.org> <20220118090728.1825487-4-siddhesh@sourceware.org> <87a6ft8dmy.fsf@igel.home>

On 18/01/2022 17:22, Andreas Schwab wrote:
> On Jan 18 2022, Siddhesh Poyarekar via Libc-alpha wrote:
>
>> diff --git a/sysdeps/unix/sysv/linux/getcwd.c b/sysdeps/unix/sysv/linux/getcwd.c
>> index a6b5a7e8b0..5ff678d674 100644
>> --- a/sysdeps/unix/sysv/linux/getcwd.c
>> +++ b/sysdeps/unix/sysv/linux/getcwd.c
>> @@ -50,6 +50,13 @@ __getcwd (char *buf, size_t size)
>>    char *path;
>>    char *result;
>>
>> +  /* A size of 1 byte is never useful. */
>> +  if (size == 1)
>> +    {
>> +      __set_errno (ERANGE);
>> +      return NULL;
>> +    }
>> +
>
> This is not needed, since the getcwd syscall does the check already and
> returns the correct error.
>

Not quite; this is a very specific bug that goes beyond just a simple range issue. If the buffer is insufficient the syscall does return ERANGE. However, if the returned name is too long, it does that check first and returns ENAMETOOLONG instead. We then process it to try and get the cwd anyway by using the posix variant. Now if the path also has an unprivileged mount (see reproducer) of '/' on it, it ends up writing outside of the single-byte buffer bound.

That said, we could get away with fixing only sysdeps/posix/getcwd.c. Is that what you suggest I do?

Thanks,
Siddhesh
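Review bot: the comment on the new check, "A size of 1 byte is never useful", gives no reason why a check the kernel already performs has to be repeated in __getcwd, and the first reply in this thread reads it as redundant for exactly that reason. The reason given further down the thread is what belongs in the comment: when the kernel rejects the path with ENAMETOOLONG rather than ERANGE, this function falls through to the generic POSIX implementation, which with a one-byte buffer can write past its bound, so size == 1 has to be rejected before that fallback is reached. Either state that in the comment, or, as the reply itself floats, move the check into sysdeps/posix/getcwd.c so the fallback is safe on its own instead of depending on every caller filtering size first.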