[2.26 COMMITTED] Fix path length overflow in realpath [BZ #22786]

public inbox for libc-stable@sourceware.org
 help / color / mirror / Atom feed

* [2.26 COMMITTED] Fix path length overflow in realpath [BZ #22786]
@ 2018-01-01  0:00 Florian Weimer
  0 siblings, 0 replies; only message in thread
From: Florian Weimer @ 2018-01-01  0:00 UTC (permalink / raw)
  To: libc-stable

From: Paul Pluzhnikov <ppluzhnikov@google.com>

Integer addition overflow may cause stack buffer overflow
when realpath() input length is close to SSIZE_MAX.

2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>

	[BZ #22786]
	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
	computation.
	* stdlib/Makefile (test-bz22786): New test.
	* stdlib/test-bz22786.c: New test.

(cherry picked from commit 5460617d1567657621107d895ee2dd83bc1f88f2)

2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>

	[BZ #22786]
	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
	computation.
	* stdlib/Makefile (test-bz22786): New test.
	* stdlib/test-bz22786.c: New test.

diff --git a/NEWS b/NEWS
index 7f5b68a006..d5daa3adc5 100644
--- a/NEWS
+++ b/NEWS
@@ -121,6 +121,7 @@ The following bugs are resolved with this release:
   [22679] getcwd(3) can succeed without returning an absolute path
     (CVE-2018-1000001)
   [22685] powerpc: Fix syscalls during early process initialization
+  [22786] Fix path length overflow in realpath
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
   [22774] malloc: Integer overflow in malloc (CVE-2018-6551)
   [23005] resolv: Fix crash in resolver on memory allocation failure
diff --git a/stdlib/Makefile b/stdlib/Makefile
index 0314d5926b..5cdc91050c 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -80,7 +80,7 @@ tests		:= tst-strtol tst-strtod testmb testrand testsort testdiv   \
 		   tst-strtol-locale tst-strtod-nan-locale tst-strfmon_l    \
 		   tst-quick_exit tst-thread-quick_exit tst-width	    \
 		   tst-width-stdint tst-strfrom tst-strfrom-locale	    \
-		   tst-getrandom
+		   tst-getrandom test-bz22786
 tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
 		   tst-tls-atexit tst-tls-atexit-nodelete
 tests-static	:= tst-secure-getenv
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index c3d892c862..a497d06454 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
 		extra_buf = __alloca (path_max);
 
 	      len = strlen (end);
-	      if ((long int) (n + len) >= path_max)
+	      if (path_max - n <= len)
 		{
 		  __set_errno (ENAMETOOLONG);
 		  goto error;
diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
new file mode 100644
index 0000000000..e7837f98c1
--- /dev/null
+++ b/stdlib/test-bz22786.c
@@ -0,0 +1,90 @@
+/* Bug 22786: test for buffer overflow in realpath.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* This file must be run from within a directory called "stdlib".  */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <support/test-driver.h>
+#include <libc-diag.h>
+
+static int
+do_test (void)
+{
+  const char dir[] = "bz22786";
+  const char lnk[] = "bz22786/symlink";
+
+  rmdir (dir);
+  if (mkdir (dir, 0755) != 0 && errno != EEXIST)
+    {
+      printf ("mkdir %s: %m\n", dir);
+      return EXIT_FAILURE;
+    }
+  if (symlink (".", lnk) != 0 && errno != EEXIST)
+    {
+      printf ("symlink (%s, %s): %m\n", dir, lnk);
+      return EXIT_FAILURE;
+    }
+
+  const size_t path_len = (size_t) INT_MAX + 1;
+
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+  /* GCC 7 warns about too-large allocations; here we need such
+     allocation to succeed for the test to work.  */
+  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
+  char *path = malloc (path_len);
+  DIAG_POP_NEEDS_COMMENT;
+
+  if (path == NULL)
+    {
+      printf ("malloc (%zu): %m\n", path_len);
+      return EXIT_UNSUPPORTED;
+    }
+
+  /* Construct very long path = "bz22786/symlink/aaaa....."  */
+  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
+  *(p++) = '/';
+  memset (p, 'a', path_len - (path - p) - 2);
+  p[path_len - (path - p) - 1] = '\0';
+
+  /* This call crashes before the fix for bz22786 on 32-bit platforms.  */
+  p = realpath (path, NULL);
+
+  if (p != NULL || errno != ENAMETOOLONG)
+    {
+      printf ("realpath: %s (%m)", p);
+      return EXIT_FAILURE;
+    }
+
+  /* Cleanup.  */
+  unlink (lnk);
+  rmdir (dir);
+
+  return 0;
+}
+
+#define TEST_FUNCTION do_test
+#include <support/test-driver.c>

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2018-05-17 12:43 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-01  0:00 [2.26 COMMITTED] Fix path length overflow in realpath [BZ #22786] Florian Weimer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).