* [2.28 COMMITTED] Fix array overflow in backtrace on PowerPC (bug 25423)
@ 2020-03-20 21:03 Tulio Magno Quites Machado Filho
2020-03-20 21:03 ` [2.28 COMMITTED] Fix use-after-free in glob when expanding ~user (bug 25414) Tulio Magno Quites Machado Filho
0 siblings, 1 reply; 2+ messages in thread
From: Tulio Magno Quites Machado Filho @ 2020-03-20 21:03 UTC (permalink / raw)
To: libc-stable; +Cc: Andreas Schwab
From: Andreas Schwab <schwab@suse.de>
When unwinding through a signal frame the backtrace function on PowerPC
didn't check array bounds when storing the frame address. Fixes commit
d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
(cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
---
NEWS | 1 +
debug/tst-backtrace5.c | 12 ++++++++++++
sysdeps/powerpc/powerpc32/backtrace.c | 2 ++
sysdeps/powerpc/powerpc64/backtrace.c | 2 ++
4 files changed, 17 insertions(+)
diff --git a/NEWS b/NEWS
index ace1b86fdb..038541c83b 100644
--- a/NEWS
+++ b/NEWS
@@ -73,6 +73,7 @@ The following bugs are resolved with this release:
[25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
[25225] ld.so fails to link on x86 if GCC defaults to -fcf-protection
[25232] No const correctness for strchr et al. for Clang++
+ [25423] Array overflow in backtrace on powerpc
Security related changes:
diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
index 0e6fb1a024..a117f1544f 100644
--- a/debug/tst-backtrace5.c
+++ b/debug/tst-backtrace5.c
@@ -88,6 +88,18 @@ handle_signal (int signum)
}
/* Symbol names are not available for static functions, so we do not
check do_test. */
+
+ /* Check that backtrace does not return more than what fits in the array
+ (bug 25423). */
+ for (int j = 0; j < NUM_FUNCTIONS; j++)
+ {
+ n = backtrace (addresses, j);
+ if (n > j)
+ {
+ FAIL ();
+ return;
+ }
+ }
}
NO_INLINE int
diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
index 5422fdd50d..c7b64f9e9b 100644
--- a/sysdeps/powerpc/powerpc32/backtrace.c
+++ b/sysdeps/powerpc/powerpc32/backtrace.c
@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
}
if (gregset)
{
+ if (count + 1 == size)
+ break;
array[++count] = (void*)((*gregset)[PT_NIP]);
current = (void*)((*gregset)[PT_R1]);
}
diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
index c0c4b48262..0acf17b37e 100644
--- a/sysdeps/powerpc/powerpc64/backtrace.c
+++ b/sysdeps/powerpc/powerpc64/backtrace.c
@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
if (is_sigtramp_address (current->return_address))
{
struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
+ if (count + 1 == size)
+ break;
array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
}
--
2.24.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* [2.28 COMMITTED] Fix use-after-free in glob when expanding ~user (bug 25414)
2020-03-20 21:03 [2.28 COMMITTED] Fix array overflow in backtrace on PowerPC (bug 25423) Tulio Magno Quites Machado Filho
@ 2020-03-20 21:03 ` Tulio Magno Quites Machado Filho
0 siblings, 0 replies; 2+ messages in thread
From: Tulio Magno Quites Machado Filho @ 2020-03-20 21:03 UTC (permalink / raw)
To: libc-stable; +Cc: Andreas Schwab
From: Andreas Schwab <schwab@suse.de>
The value of `end_name' points into the value of `dirname', thus don't
deallocate the latter before the last use of the former.
(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
---
NEWS | 4 ++++
posix/glob.c | 25 +++++++++++++------------
2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/NEWS b/NEWS
index 038541c83b..1d00542a5d 100644
--- a/NEWS
+++ b/NEWS
@@ -73,6 +73,7 @@ The following bugs are resolved with this release:
[25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
[25225] ld.so fails to link on x86 if GCC defaults to -fcf-protection
[25232] No const correctness for strchr et al. for Clang++
+ [25414] 'glob' use-after-free bug (CVE-2020-1752)
[25423] Array overflow in backtrace on powerpc
Security related changes:
@@ -109,6 +110,9 @@ Security related changes:
addresses for loaded libraries and thus bypass ASLR for a setuid
program. Reported by Marcin Kościelnicki.
+ CVE-2020-1752: A use-after-free vulnerability in the glob function when
+ expanding ~user has been fixed.
+
\f
Version 2.28
diff --git a/posix/glob.c b/posix/glob.c
index 8444b2f79e..1b389d2da1 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
{
size_t home_len = strlen (p->pw_dir);
size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
- char *d;
+ char *d, *newp;
+ bool use_alloca = glob_use_alloca (alloca_used,
+ home_len + rest_len + 1);
- if (__glibc_unlikely (malloc_dirname))
- free (dirname);
- malloc_dirname = 0;
-
- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
- dirname = alloca_account (home_len + rest_len + 1,
- alloca_used);
+ if (use_alloca)
+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
else
{
- dirname = malloc (home_len + rest_len + 1);
- if (dirname == NULL)
+ newp = malloc (home_len + rest_len + 1);
+ if (newp == NULL)
{
scratch_buffer_free (&pwtmpbuf);
retval = GLOB_NOSPACE;
goto out;
}
- malloc_dirname = 1;
}
- d = mempcpy (dirname, p->pw_dir, home_len);
+ d = mempcpy (newp, p->pw_dir, home_len);
if (end_name != NULL)
d = mempcpy (d, end_name, rest_len);
*d = '\0';
+ if (__glibc_unlikely (malloc_dirname))
+ free (dirname);
+ dirname = newp;
+ malloc_dirname = !use_alloca;
+
dirlen = home_len + rest_len;
dirname_modified = 1;
}
--
2.24.1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-03-20 21:04 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-20 21:03 [2.28 COMMITTED] Fix array overflow in backtrace on PowerPC (bug 25423) Tulio Magno Quites Machado Filho
2020-03-20 21:03 ` [2.28 COMMITTED] Fix use-after-free in glob when expanding ~user (bug 25414) Tulio Magno Quites Machado Filho
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).