Message-ID: <4f6c58a4-7176-538f-63c5-827ee1f8f9a7@sourceware.org>
Date: Tue, 18 Jan 2022 18:46:36 +0530
Subject: Re: [PATCH 3/3] getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
To: Andreas Schwab
Cc: Siddhesh Poyarekar via Libc-alpha, fweimer@redhat.com, Qualys Security Advisory
From: Siddhesh Poyarekar
In-Reply-To: <871r1589v5.fsf@igel.home>

On 18/01/2022 18:43, Andreas Schwab wrote:
> On Jan 18 2022, Siddhesh Poyarekar wrote:
>
>> We then process it to try and get the cwd anyway by using the posix
>> variant.
>
> Which returns the appropriate error.
>

In the specific case of an unprivileged mount on the same directory, it ends up underflowing the buffer before returning. Whether it returns the right error or not becomes irrelevant then. Please see the reproducer.

Siddhesh
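A regression check for the contract named in the patch subject, added here as an example; it is not part of the patch or of the reproducer mentioned in the message. It calls getcwd() with size == 1 on a buffer surrounded by canary bytes and reports whether the call failed with ERANGE without writing outside the buffer. The function name, result codes and canary layout are assumptions of this example, and it exercises only an ordinary working directory, not the unprivileged-mount case discussed above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define GUARD  16      /* canary bytes on each side of the 1-byte buffer */
#define CANARY 0xA5    /* fill value; any byte pattern works */

/* Result codes (hypothetical names for this example). */
enum { CWD_OK, CWD_UNDERFLOW, CWD_OVERFLOW, CWD_BAD_RETURN, CWD_BAD_ERRNO };

/* Call getcwd(buf, 1) and verify that it fails with ERANGE and leaves the
   bytes before and after the buffer untouched.  Memory checks come first:
   as the message says, once the buffer has been underflowed the error
   returned no longer matters.  */
int check_getcwd_size1(void)
{
    unsigned char region[GUARD + 1 + GUARD];
    char *buf = (char *)region + GUARD;   /* the 1-byte buffer under test */
    size_t i;

    memset(region, CANARY, sizeof region);

    errno = 0;
    char *ret = getcwd(buf, 1);
    int saved_errno = errno;

    for (i = 0; i < GUARD; i++)
        if (region[i] != CANARY)
            return CWD_UNDERFLOW;         /* write below buf[0] */
    for (i = GUARD + 1; i < sizeof region; i++)
        if (region[i] != CANARY)
            return CWD_OVERFLOW;          /* write past buf[0] */

    if (ret != NULL)
        return CWD_BAD_RETURN;            /* no valid path fits in 1 byte */
    if (saved_errno != ERANGE)
        return CWD_BAD_ERRNO;
    return CWD_OK;
}

int main(void)
{
    int rc = check_getcwd_size1();
    printf("getcwd(buf, 1) check: %s (code %d)\n", rc == CWD_OK ? "ok" : "FAILED", rc);
    return rc;
}
```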