From: Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com>
To: libc-stable@sourceware.org
Cc: Andreas Schwab <schwab@suse.de>
Subject: [2.26 COMMITTED] Fix use-after-free in glob when expanding ~user (bug 25414)
Date: Fri, 20 Mar 2020 18:23:20 -0300 [thread overview]
Message-ID: <20200320212320.203179-2-tuliom@linux.ibm.com> (raw)
From: Andreas Schwab <schwab@suse.de>
The value of `end_name' points into the value of `dirname', thus don't
deallocate the latter before the last use of the former.
(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c with
changes from commit d711a00f93fa964f41a53839228598fbf1a6b482)
---
NEWS | 4 ++++
posix/glob.c | 28 +++++++++++++++++-----------
2 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/NEWS b/NEWS
index cb62587dbb..b18a0f3d29 100644
--- a/NEWS
+++ b/NEWS
@@ -394,6 +394,9 @@ Security related changes:
* A use-after-free vulnerability in clntudp_call in the Sun RPC system has been
fixed (CVE-2017-12133).
+* A use-after-free vulnerability in the glob function when expanding ~user has
+ been fixed (CVE-2020-1752).
+
The following bugs are resolved with this release:
[984] network: Respond to changed resolv.conf in gethostbyname
@@ -621,6 +624,7 @@ The following bugs are resolved with this release:
[21839] localedata: Fix LC_MONETARY for ta_LK
[21844] localedata: Fix Latin characters and Months Sequence.
[21848] localedata: Fix mai_NP Title Name
+ [25414] 'glob' use-after-free bug (CVE-2020-1752)
\f
Version 2.25
diff --git a/posix/glob.c b/posix/glob.c
index b2273ea7bc..0c6eeb3637 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -947,26 +947,32 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
size_t home_len = strlen (p->pw_dir);
size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
- if (__glibc_unlikely (malloc_dirname))
- free (dirname);
- malloc_dirname = 0;
+ char *d, *newp;
+ bool use_alloca = glob_use_alloca (alloca_used,
+ home_len + rest_len + 1);
- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
- dirname = alloca_account (home_len + rest_len + 1,
- alloca_used);
+ if (use_alloca)
+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
else
{
- dirname = malloc (home_len + rest_len + 1);
- if (dirname == NULL)
+ newp = malloc (home_len + rest_len + 1);
+ if (newp == NULL)
{
free (malloc_pwtmpbuf);
retval = GLOB_NOSPACE;
goto out;
}
- malloc_dirname = 1;
}
- *((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
- end_name, rest_len)) = '\0';
+
+ d = mempcpy (newp, p->pw_dir, home_len);
+ if (end_name != NULL)
+ d = mempcpy (d, end_name, rest_len);
+ *d = '\0';
+
+ if (__glibc_unlikely (malloc_dirname))
+ free (dirname);
+ dirname = newp;
+ malloc_dirname = !use_alloca;
dirlen = home_len + rest_len;
dirname_modified = 1;
--
2.24.1
reply other threads:[~2020-03-20 21:24 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200320212320.203179-2-tuliom@linux.ibm.com \
--to=tuliom@linux.ibm.com \
--cc=libc-stable@sourceware.org \
--cc=schwab@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).