From: fweimer@redhat.com (Florian Weimer)
To: libc-stable@sourceware.org
Subject: [2.26 COMMITTED] Fix nscd readlink argument aliasing (bug 22446).
Date: Mon, 01 Jan 2018 00:00:00 -0000 [thread overview]
Message-ID: <20181022130213.A85744399457D@oldenburg.str.redhat.com> (raw)
From: Joseph Myers <joseph@codesourcery.com>
Current GCC mainline detects that nscd calls readlink with the same
buffer for both input and output, which is not valid (those arguments
are both restrict-qualified in POSIX). This patch makes it use a
separate buffer for readlink's input (with a size that is sufficient
to avoid truncation, so there should be no problems with warnings
about possible truncation, though not strictly minimal, but much
smaller than the buffer for output) to avoid this problem.
Tested compilation for aarch64-linux-gnu with build-many-glibcs.py.
[BZ #22446]
* nscd/connections.c (handle_request) [SO_PEERCRED]: Use separate
buffers for readlink input and output.
(cherry picked from commit 49b036bce9f021ae994a85aee8b410d20b29c8b7)
2017-12-18 Joseph Myers <joseph@codesourcery.com>
[BZ #22446]
* nscd/connections.c (handle_request) [SO_PEERCRED]: Use separate
buffers for readlink input and output.
diff --git a/NEWS b/NEWS
index fecdbdf103..f6c9a1412c 100644
--- a/NEWS
+++ b/NEWS
@@ -127,6 +127,7 @@ The following bugs are resolved with this release:
[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
[22377] Provide a C++ version of iseqsig
[22442] if_nametoindex: Check length of ifname before copying it
+ [22446] Fix nscd readlink argument aliasing
[22447] Avoid use of strlen in getlogin_r
[22463] Fix p_secstodate overflow handling
[22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice
diff --git a/nscd/connections.c b/nscd/connections.c
index cc1ed72077..dab722dcb2 100644
--- a/nscd/connections.c
+++ b/nscd/connections.c
@@ -1077,14 +1077,15 @@ cannot handle old request version %d; current version is %d"),
if (debug_level > 0)
{
#ifdef SO_PEERCRED
+ char pbuf[sizeof ("/proc//exe") + 3 * sizeof (long int)];
# ifdef PATH_MAX
char buf[PATH_MAX];
# else
char buf[4096];
# endif
- snprintf (buf, sizeof (buf), "/proc/%ld/exe", (long int) pid);
- ssize_t n = readlink (buf, buf, sizeof (buf) - 1);
+ snprintf (pbuf, sizeof (pbuf), "/proc/%ld/exe", (long int) pid);
+ ssize_t n = readlink (pbuf, buf, sizeof (buf) - 1);
if (n <= 0)
dbg_log (_("\
reply other threads:[~2018-10-22 13:02 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181022130213.A85744399457D@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=libc-stable@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).