* [2.26 COMMITTED] Fix use-after-free in glob when expanding ~user (bug 25414)
@ 2020-03-20 21:23 Tulio Magno Quites Machado Filho
0 siblings, 0 replies; only message in thread
From: Tulio Magno Quites Machado Filho @ 2020-03-20 21:23 UTC (permalink / raw)
To: libc-stable; +Cc: Andreas Schwab
From: Andreas Schwab <schwab@suse.de>
The value of `end_name' points into the value of `dirname', thus don't
deallocate the latter before the last use of the former.
(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c with
changes from commit d711a00f93fa964f41a53839228598fbf1a6b482)
---
NEWS | 4 ++++
posix/glob.c | 28 +++++++++++++++++-----------
2 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/NEWS b/NEWS
index cb62587dbb..b18a0f3d29 100644
--- a/NEWS
+++ b/NEWS
@@ -394,6 +394,9 @@ Security related changes:
* A use-after-free vulnerability in clntudp_call in the Sun RPC system has been
fixed (CVE-2017-12133).
+* A use-after-free vulnerability in the glob function when expanding ~user has
+ been fixed (CVE-2020-1752).
+
The following bugs are resolved with this release:
[984] network: Respond to changed resolv.conf in gethostbyname
@@ -621,6 +624,7 @@ The following bugs are resolved with this release:
[21839] localedata: Fix LC_MONETARY for ta_LK
[21844] localedata: Fix Latin characters and Months Sequence.
[21848] localedata: Fix mai_NP Title Name
+ [25414] 'glob' use-after-free bug (CVE-2020-1752)
\f
Version 2.25
diff --git a/posix/glob.c b/posix/glob.c
index b2273ea7bc..0c6eeb3637 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -947,26 +947,32 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
size_t home_len = strlen (p->pw_dir);
size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
- if (__glibc_unlikely (malloc_dirname))
- free (dirname);
- malloc_dirname = 0;
+ char *d, *newp;
+ bool use_alloca = glob_use_alloca (alloca_used,
+ home_len + rest_len + 1);
- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
- dirname = alloca_account (home_len + rest_len + 1,
- alloca_used);
+ if (use_alloca)
+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
else
{
- dirname = malloc (home_len + rest_len + 1);
- if (dirname == NULL)
+ newp = malloc (home_len + rest_len + 1);
+ if (newp == NULL)
{
free (malloc_pwtmpbuf);
retval = GLOB_NOSPACE;
goto out;
}
- malloc_dirname = 1;
}
- *((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
- end_name, rest_len)) = '\0';
+
+ d = mempcpy (newp, p->pw_dir, home_len);
+ if (end_name != NULL)
+ d = mempcpy (d, end_name, rest_len);
+ *d = '\0';
+
+ if (__glibc_unlikely (malloc_dirname))
+ free (dirname);
+ dirname = newp;
+ malloc_dirname = !use_alloca;
dirlen = home_len + rest_len;
dirname_modified = 1;
--
2.24.1
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2020-03-20 21:24 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-20 21:23 [2.26 COMMITTED] Fix use-after-free in glob when expanding ~user (bug 25414) Tulio Magno Quites Machado Filho
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).