From: Florian Weimer
Date: Mon, 01 Jan 2018 00:00:00 -0000
To: libc-stable@sourceware.org
Subject: [2.28 COMMITTED] compat getdents64: Use correct offset for retry [BZ #23972]
Message-Id: <20181210162004.744A282DDA78@oldenburg2.str.redhat.com>

d_off is the offset of the *next* entry, not the offset of the current entry.

(cherry picked from commit 8d20a2f414fa52aceef8a0e3675415df54a840db)

2018-12-10  Florian Weimer

	[BZ #23972]
	* sysdeps/unix/sysv/linux/getdents64.c (handle_overflow): Check
	offset instead of count for clarity.  Fix typo in comment.
	(__old_getdents64): Keep track of previous offset.  Use it to call
	handle_overflow.
	* sysdeps/unix/sysv/linux/tst-readdir64-compat.c (do_test): Check
	that d_off is never zero.

diff --git a/NEWS b/NEWS index 5290e21da9..4d4a5a1911 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,7 @@ The following bugs are resolved with this release: [23821] si_band in siginfo_t has wrong type long int on sparc64 [23822] ia64 static libm.a is missing exp2f, log2f and powf symbols [23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591) + [23972] __old_getdents64 uses wrong d_off value on overflow Security related changes: diff --git a/sysdeps/unix/sysv/linux/getdents64.c b/sysdeps/unix/sysv/linux/getdents64.c index bc140b5a7f..46eb5f4419 100644 --- a/sysdeps/unix/sysv/linux/getdents64.c +++ b/sysdeps/unix/sysv/linux/getdents64.c @@ -41,14 +41,14 @@ handle_overflow (int fd, __off64_t offset, ssize_t count) { /* If this is the first entry in the buffer, we can report the error. */ - if (count == 0) + if (offset == 0) { __set_errno (EOVERFLOW); return -1; } /* Otherwise, seek to the overflowing entry, so that the next call - will report the error, and return the data read so far.. */ + will report the error, and return the data read so far. */ if (__lseek64 (fd, offset, SEEK_SET) != 0) return -1; return count; 
@@ -70,6 +70,15 @@ __old_getdents64 (int fd, char *buf, size_t nbytes) ssize_t retval = INLINE_SYSCALL_CALL (getdents64, fd, buf, nbytes); if (retval > 0) { + /* This is the marker for the first entry. Offset 0 is reserved + for the first entry (see rewinddir). Here, we use it as a + marker for the first entry in the buffer. We never actually + seek to offset 0 because handle_overflow reports the error + directly, so it does not matter that the offset is incorrect + if entries have been read from the descriptor before (so that + the descriptor is not actually at offset 0). */ + __off64_t previous_offset = 0; + char *p = buf; char *end = buf + retval; while (p < end) @@ -84,7 +93,7 @@ __old_getdents64 (int fd, char *buf, size_t nbytes) /* Check for ino_t overflow. */ if (__glibc_unlikely (ino != source->d_ino)) - return handle_overflow (fd, offset, p - buf); + return handle_overflow (fd, previous_offset, p - buf); /* Convert to the target layout. Use a separate struct and memcpy to side-step aliasing issues. */ @@ -107,6 +116,7 @@ __old_getdents64 (int fd, char *buf, size_t nbytes) reclen - offsetof (struct dirent64, d_name)); p += reclen; + previous_offset = offset; } } return retval; diff --git a/sysdeps/unix/sysv/linux/tst-readdir64-compat.c b/sysdeps/unix/sysv/linux/tst-readdir64-compat.c index 43c4a8477c..cb78bc9be4 100644 --- a/sysdeps/unix/sysv/linux/tst-readdir64-compat.c +++ b/sysdeps/unix/sysv/linux/tst-readdir64-compat.c @@ -88,6 +88,10 @@ do_test (void) else TEST_VERIFY_EXIT (entry_test != NULL); + /* d_off is never zero because it is the offset of the next + entry (not the current entry). */ + TEST_VERIFY (entry_reference->d_off > 0); + /* Check that the entries are the same. */ TEST_COMPARE_BLOB (entry_reference->d_name, strlen (entry_reference->d_name),
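Review bot: in the handle_overflow hunk of sysdeps/unix/sysv/linux/getdents64.c, the unchanged context right below the edited comment still reads `if (__lseek64 (fd, offset, SEEK_SET) != 0) return -1;`. `__lseek64` returns the resulting file offset on success and -1 on failure, so now that a nonzero `offset` is the normal argument this condition is true on every successful seek and the function returns -1 without setting errno; the caller then reports a failure to the application with whatever errno was left over. The intended check is `if (__lseek64 (fd, offset, SEEK_SET) == -1) return -1;`. Separately, `offset == 0` now depends on a convention established only in the caller (0 means "first entry in this buffer"); a one-line note on the `offset` parameter saying so would keep the two functions from drifting apart.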
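Review bot: in the `@@ -70,6 +70,15 @@` hunk, the new comment explains at length why 0 is a safe sentinel but never says what `previous_offset` holds once the loop is running: the d_off of the last converted entry, which is the position at which the entry currently being examined begins and therefore exactly the seek target handle_overflow needs. One sentence to that effect ("after each converted entry, previous_offset is the offset at which the next entry starts") would make the later `handle_overflow (fd, previous_offset, p - buf)` call self-explanatory, and the sentinel discussion could be shortened accordingly.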
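Review bot: in the `@@ -107,6 +116,7 @@` hunk, `previous_offset = offset;` is placed after `p += reclen`, i.e. only once the entry has passed the ino_t overflow check in the `@@ -84,7 +93,7 @@` hunk and been converted. That ordering is what the fix relies on: if the assignment were ever hoisted above the `ino != source->d_ino` check, the overflow path would seek past the overflowing entry and the next call would silently skip it instead of returning EOVERFLOW. A short comment at the assignment noting that it must stay at the loop tail would protect the invariant against a future reshuffle.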
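Review bot: in the tst-readdir64-compat.c hunk, `TEST_VERIFY (entry_reference->d_off > 0);` checks the invariant the commit message states (d_off is the offset of the next entry, so it is never 0) but does not exercise the changed code: the overflow branch in __old_getdents64 is reached only when an entry's inode number does not fit the compat `d_ino`, which the directory this test walks cannot produce. A comment saying that the regression itself is not covered here would stop the next reader from assuming otherwise. Minor: the property being asserted is "never zero", so `!= 0` expresses it exactly, whereas `> 0` additionally asserts a sign the message does not claim.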