[2.28 COMMITTED] Fix array overflow in backtrace on PowerPC (bug 25423)

[2.28 COMMITTED] Fix array overflow in backtrace on PowerPC (bug 25423)

[Tulio Magno Quites Machado Filho]

From: Andreas Schwab <schwab@suse.de>

When unwinding through a signal frame the backtrace function on PowerPC
didn't check array bounds when storing the frame address.  Fixes commit
d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").

(cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
---
 NEWS                                  |  1 +
 debug/tst-backtrace5.c                | 12 ++++++++++++
 sysdeps/powerpc/powerpc32/backtrace.c |  2 ++
 sysdeps/powerpc/powerpc64/backtrace.c |  2 ++
 4 files changed, 17 insertions(+)

diff --git a/NEWS b/NEWS
index ace1b86fdb..038541c83b 100644
--- a/NEWS
+++ b/NEWS
@@ -73,6 +73,7 @@ The following bugs are resolved with this release:
   [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
   [25225] ld.so fails to link on x86 if GCC defaults to -fcf-protection
   [25232] No const correctness for strchr et al. for Clang++
+  [25423] Array overflow in backtrace on powerpc
 
 Security related changes:
 
diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
index 0e6fb1a024..a117f1544f 100644
--- a/debug/tst-backtrace5.c
+++ b/debug/tst-backtrace5.c
@@ -88,6 +88,18 @@ handle_signal (int signum)
       }
   /* Symbol names are not available for static functions, so we do not
      check do_test.  */
+
+  /* Check that backtrace does not return more than what fits in the array
+     (bug 25423).  */
+  for (int j = 0; j < NUM_FUNCTIONS; j++)
+    {
+      n = backtrace (addresses, j);
+      if (n > j)
+	{
+	  FAIL ();
+	  return;
+	}
+    }
 }
 
 NO_INLINE int
diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
index 5422fdd50d..c7b64f9e9b 100644
--- a/sysdeps/powerpc/powerpc32/backtrace.c
+++ b/sysdeps/powerpc/powerpc32/backtrace.c
@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
         }
       if (gregset)
 	{
+	  if (count + 1 == size)
+	    break;
 	  array[++count] = (void*)((*gregset)[PT_NIP]);
 	  current = (void*)((*gregset)[PT_R1]);
 	}
diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
index c0c4b48262..0acf17b37e 100644
--- a/sysdeps/powerpc/powerpc64/backtrace.c
+++ b/sysdeps/powerpc/powerpc64/backtrace.c
@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
       if (is_sigtramp_address (current->return_address))
         {
 	  struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
+	  if (count + 1 == size)
+	    break;
           array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
 	  current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
 	}
-- 
2.24.1

[2.28 COMMITTED] Fix use-after-free in glob when expanding ~user (bug 25414)

[Tulio Magno Quites Machado Filho]

From: Andreas Schwab <schwab@suse.de>

The value of `end_name' points into the value of `dirname', thus don't
deallocate the latter before the last use of the former.

(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
---
 NEWS         |  4 ++++
 posix/glob.c | 25 +++++++++++++------------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/NEWS b/NEWS
index 038541c83b..1d00542a5d 100644
--- a/NEWS
+++ b/NEWS
@@ -73,6 +73,7 @@ The following bugs are resolved with this release:
   [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
   [25225] ld.so fails to link on x86 if GCC defaults to -fcf-protection
   [25232] No const correctness for strchr et al. for Clang++
+  [25414] 'glob' use-after-free bug (CVE-2020-1752)
   [25423] Array overflow in backtrace on powerpc
 
 Security related changes:
@@ -109,6 +110,9 @@ Security related changes:
   addresses for loaded libraries and thus bypass ASLR for a setuid
   program.  Reported by Marcin Kościelnicki.
 
+  CVE-2020-1752: A use-after-free vulnerability in the glob function when
+  expanding ~user has been fixed.
+
 \f
 Version 2.28
 
diff --git a/posix/glob.c b/posix/glob.c
index 8444b2f79e..1b389d2da1 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 	      {
 		size_t home_len = strlen (p->pw_dir);
 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
-		char *d;
+		char *d, *newp;
+		bool use_alloca = glob_use_alloca (alloca_used,
+						   home_len + rest_len + 1);
 
-		if (__glibc_unlikely (malloc_dirname))
-		  free (dirname);
-		malloc_dirname = 0;
-
-		if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
-		  dirname = alloca_account (home_len + rest_len + 1,
-					    alloca_used);
+		if (use_alloca)
+		  newp = alloca_account (home_len + rest_len + 1, alloca_used);
 		else
 		  {
-		    dirname = malloc (home_len + rest_len + 1);
-		    if (dirname == NULL)
+		    newp = malloc (home_len + rest_len + 1);
+		    if (newp == NULL)
 		      {
 			scratch_buffer_free (&pwtmpbuf);
 			retval = GLOB_NOSPACE;
 			goto out;
 		      }
-		    malloc_dirname = 1;
 		  }
-		d = mempcpy (dirname, p->pw_dir, home_len);
+		d = mempcpy (newp, p->pw_dir, home_len);
 		if (end_name != NULL)
 		  d = mempcpy (d, end_name, rest_len);
 		*d = '\0';
 
+		if (__glibc_unlikely (malloc_dirname))
+		  free (dirname);
+		dirname = newp;
+		malloc_dirname = !use_alloca;
+
 		dirlen = home_len + rest_len;
 		dirname_modified = 1;
 	      }
-- 
2.24.1