From: Raphael Moreira Zinsly <rzinsly@linux.vnet.ibm.com>
To: libc-stable@sourceware.org
Subject: [PATCH 2.22 11/14] linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
Date: Mon, 01 Jan 2018 00:00:00 -0000 [thread overview]
Message-ID: <1522269821-15007-11-git-send-email-rzinsly@linux.vnet.ibm.com> (raw)
In-Reply-To: <1522269821-15007-1-git-send-email-rzinsly@linux.vnet.ibm.com>
From: "Dmitry V. Levin" <ldv@altlinux.org>
Currently getcwd(3) can succeed without returning an absolute path
because the underlying getcwd syscall, starting with linux commit
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
This is a conformance issue because "The getcwd() function shall
place an absolute pathname of the current working directory
in the array pointed to by buf, and return buf".
This is also a security issue because a non-absolute path returned
by getcwd(3) causes a buffer underflow in realpath(3).
Fix this by checking the path returned by getcwd syscall and falling
back to generic_getcwd if the path is not absolute, effectively making
getcwd(3) fail with ENOENT. The error code is chosen for consistency
with the case when the current directory is unlinked.
[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.
(cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)
---
ChangeLog | 9 ++++++
NEWS | 4 +++
io/Makefile | 2 +-
io/tst-getcwd-abspath.c | 66 ++++++++++++++++++++++++++++++++++++++++
sysdeps/unix/sysv/linux/getcwd.c | 8 ++---
5 files changed, 84 insertions(+), 5 deletions(-)
create mode 100644 io/tst-getcwd-abspath.c
diff --git a/ChangeLog b/ChangeLog
index 92af495..91a9fb9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-01-12 Dmitry V. Levin <ldv@altlinux.org>
+
+ [BZ #22679]
+ CVE-2018-1000001
+ * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
+ generic_getcwd if the path returned by getcwd syscall is not absolute.
+ * io/tst-getcwd-abspath.c: New test.
+ * io/Makefile (tests): Add tst-getcwd-abspath.
+
2018-01-18 Arjun Shankar <arjun@redhat.com>
[BZ #22343]
diff --git a/NEWS b/NEWS
index 7c090fe..e061583 100644
--- a/NEWS
+++ b/NEWS
@@ -90,6 +90,10 @@ Version 2.22.1
it is mentioned here only because of the CVE assignment.) Reported by
Qualys.
+* CVE-2018-1000001: Buffer underflow in realpath function when getcwd function
+ succeeds without returning an absolute path due to unexpected behaviour
+ of the Linux kernel getcwd syscall. Reported by halfdog.
+
\f
Version 2.22
diff --git a/io/Makefile b/io/Makefile
index 613dce0..c50be28 100644
--- a/io/Makefile
+++ b/io/Makefile
@@ -71,7 +71,7 @@ tests := test-utime test-stat test-stat2 test-lfs tst-getcwd \
tst-renameat tst-fchownat tst-fchmodat tst-faccessat \
tst-symlinkat tst-linkat tst-readlinkat tst-mkdirat \
tst-mknodat tst-mkfifoat tst-ttyname_r bug-ftw5 \
- tst-posix_fallocate
+ tst-posix_fallocate tst-getcwd-abspath
ifeq ($(run-built-tests),yes)
tests-special += $(objpfx)ftwtest.out
diff --git a/io/tst-getcwd-abspath.c b/io/tst-getcwd-abspath.c
new file mode 100644
index 0000000..3a3636f
--- /dev/null
+++ b/io/tst-getcwd-abspath.c
@@ -0,0 +1,66 @@
+/* BZ #22679 getcwd(3) should not succeed without returning an absolute path.
+
+ Copyright (C) 2018 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <support/check.h>
+#include <support/namespace.h>
+#include <support/support.h>
+#include <support/temp_file.h>
+#include <support/test-driver.h>
+#include <support/xunistd.h>
+#include <unistd.h>
+
+static char *chroot_dir;
+
+/* The actual test. Run it in a subprocess, so that the test harness
+ can remove the temporary directory in --direct mode. */
+static void
+getcwd_callback (void *closure)
+{
+ xchroot (chroot_dir);
+
+ errno = 0;
+ char *cwd = getcwd (NULL, 0);
+ TEST_COMPARE (errno, ENOENT);
+ TEST_VERIFY (cwd == NULL);
+
+ errno = 0;
+ cwd = realpath (".", NULL);
+ TEST_COMPARE (errno, ENOENT);
+ TEST_VERIFY (cwd == NULL);
+
+ _exit (0);
+}
+
+static int
+do_test (void)
+{
+ support_become_root ();
+ if (!support_can_chroot ())
+ return EXIT_UNSUPPORTED;
+
+ chroot_dir = support_create_temp_directory ("tst-getcwd-abspath-");
+ support_isolate_in_subprocess (getcwd_callback, NULL);
+
+ return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/sysdeps/unix/sysv/linux/getcwd.c b/sysdeps/unix/sysv/linux/getcwd.c
index 5caee92..4a4c8f0 100644
--- a/sysdeps/unix/sysv/linux/getcwd.c
+++ b/sysdeps/unix/sysv/linux/getcwd.c
@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size)
int retval;
retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size);
- if (retval >= 0)
+ if (retval > 0 && path[0] == '/')
{
#ifndef NO_ALLOCATION
if (buf == NULL && size == 0)
@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size)
return buf;
}
- /* The system call cannot handle paths longer than a page.
- Neither can the magic symlink in /proc/self. Just use the
+ /* The system call either cannot handle paths longer than a page
+ or can succeed without returning an absolute path. Just use the
generic implementation right away. */
- if (errno == ENAMETOOLONG)
+ if (retval >= 0 || errno == ENAMETOOLONG)
{
#ifndef NO_ALLOCATION
if (buf == NULL && size == 0)
--
1.8.3.1
next prev parent reply other threads:[~2018-03-28 20:44 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-01 0:00 [PATCH 2.22 01/14] ldd: never run file directly Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 06/14] elf: Check for empty tokens before dynamic string token expansion [BZ #22625] Raphael Moreira Zinsly
2018-01-01 0:00 ` Raphael Moreira Zinsly [this message]
2018-01-01 0:00 ` [PATCH 2.22 01/14] ldd: never run file directly Carlos O'Donell
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22 14/14] Record CVE-2018-6551 in NEWS and ChangeLog [BZ #22774] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 09/14] elf: Compute correct array size in _dl_init_paths [BZ #22606] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 10/14] Fix integer overflows in internal memalign and malloc functions [BZ #22343] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 v2] " Raphael Moreira Zinsly
2018-01-01 0:00 ` Carlos O'Donell
[not found] ` <20180405194944.GA44061@aloka.lostca.se>
2018-01-01 0:00 ` Carlos O'Donell
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22 03/14] glob: Add new test tst-glob-tilde Raphael Moreira Zinsly
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22] Synchronize support/ infrastructure with master Raphael Moreira Zinsly
2018-01-01 0:00 ` Carlos O'Donell
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22] posix: Sync glob with gnulib [BZ #1062] Raphael Moreira Zinsly
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22 05/14] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 08/14] <array_length.h>: New array_length and array_end macros Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 13/14] Record CVE-2018-6485 in ChangeLog and NEWS [BZ #22343] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 04/14] sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 12/14] Add ChangeLog reference to bug 16750/CVE-2009-5064 Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 02/14] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 07/14] elf: Count components of the expanded path in _dl_init_path [BZ #22607] Raphael Moreira Zinsly
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1522269821-15007-11-git-send-email-rzinsly@linux.vnet.ibm.com \
--to=rzinsly@linux.vnet.ibm.com \
--cc=libc-stable@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).