Date: Mon, 01 Jan 2018 00:00:00 -0000
To: libc-stable@sourceware.org
Subject: [2.26 COMMITTED] Fix nscd readlink argument aliasing (bug 22446).
Message-Id: <20181022130213.A85744399457D@oldenburg.str.redhat.com>
From: fweimer@redhat.com (Florian Weimer)

From: Joseph Myers

Current GCC mainline detects that nscd calls readlink with the same buffer for both input and output, which is not valid (those arguments are both restrict-qualified in POSIX). This patch makes it use a separate buffer for readlink's input (with a size that is sufficient to avoid truncation, so there should be no problems with warnings about possible truncation, though not strictly minimal, but much smaller than the buffer for output) to avoid this problem.

Tested compilation for aarch64-linux-gnu with build-many-glibcs.py.

[BZ #22446]
* nscd/connections.c (handle_request) [SO_PEERCRED]: Use separate buffers for readlink input and output.

(cherry picked from commit 49b036bce9f021ae994a85aee8b410d20b29c8b7)

2017-12-18 Joseph Myers

[BZ #22446]
* nscd/connections.c (handle_request) [SO_PEERCRED]: Use separate buffers for readlink input and output.

diff --git a/NEWS b/NEWS index fecdbdf103..f6c9a1412c 100644 --- a/NEWS +++ b/NEWS @@ -127,6 +127,7 @@ The following bugs are resolved with this release: [22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426) [22377] Provide a C++ version of iseqsig [22442] if_nametoindex: Check length of ifname before copying it + [22446] Fix nscd readlink argument aliasing [22447] Avoid use of strlen in getlogin_r [22463] Fix p_secstodate overflow handling [22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice diff --git a/nscd/connections.c b/nscd/connections.c index cc1ed72077..dab722dcb2 100644 
--- a/nscd/connections.c +++ b/nscd/connections.c @@ -1077,14 +1077,15 @@ cannot handle old request version %d; current version is %d"), if (debug_level > 0) { #ifdef SO_PEERCRED + char pbuf[sizeof ("/proc//exe") + 3 * sizeof (long int)]; # ifdef PATH_MAX char buf[PATH_MAX]; # else char buf[4096]; # endif - snprintf (buf, sizeof (buf), "/proc/%ld/exe", (long int) pid); - ssize_t n = readlink (buf, buf, sizeof (buf) - 1); + snprintf (pbuf, sizeof (pbuf), "/proc/%ld/exe", (long int) pid); + ssize_t n = readlink (pbuf, buf, sizeof (buf) - 1); if (n <= 0) dbg_log (_("\
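
Review bot: the new `pbuf` declaration in the nscd/connections.c hunk sizes the buffer as `sizeof ("/proc//exe") + 3 * sizeof (long int)` without a comment saying why that bound is enough, so the next reader has to rederive it. A one-line comment above the declaration would help: `sizeof` of the literal already counts the terminating NUL, and three decimal characters per byte of `long int` over-estimates the digits plus sign of `%ld` on the usual 4- and 8-byte `long int`, so the `snprintf` into `pbuf` cannot truncate. Separately, the `readlink` call still passes `sizeof (buf) - 1` and the visible context ends at the `n <= 0` check; since `readlink` does not NUL-terminate its output, it is worth confirming that the code after this hunk writes the terminator at `buf[n]` before `buf` is logged.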