From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from hall.aurel32.net (hall.aurel32.net [IPv6:2001:bc8:30d7:100::1]) by sourceware.org (Postfix) with ESMTPS id F103F3858031; Mon, 24 Jan 2022 22:49:00 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org F103F3858031 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=aurel32.net Authentication-Results: sourceware.org; spf=none smtp.mailfrom=aurel32.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=aurel32.net ; s=202004.hall; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Content-Type:From:Reply-To: Subject:Content-ID:Content-Description:X-Debbugs-Cc; bh=NEZnuhfEpHQ4ij9hc+tU6+gBO2pSX8N5boQsXI2vSWE=; b=AX5Ppb1Fsi0uS2fLwAGqiSOuHI DaAVLeHN0SI6mMpT6OTGvZv/jKyLB3+EXq3fj5HvmUKpJCh7drU+XpZ92DZTVqSJrRMATdvlsnf5u PVwCx+lkneOYVOBxw0oE2qJmV8hsvWJtMm/DSzr3XEktcbertgLgkUi+DnN3ZkEAkymdUPPBVGC7p oADqQYHmGdDsvu5tS1TnArORxQAeUZeVAK1Ojt/XkYGACUSkp+7zgK/m3NQi8VqJOjbQrZ2Khvzfw gNdz/Kba0/dTHAGoXduoldVLi4zp78PtNQVxKva6NiYSjUWQmNOE5cmlt3gLmSVjjQ1jnaf48RX5K GCDs04ew==; Received: from [2a01:e34:ec5d:a741:8a4c:7c4e:dc4c:1787] (helo=ohm.rr44.fr) by hall.aurel32.net with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nC88x-00FSYI-Ny; Mon, 24 Jan 2022 23:48:59 +0100 Received: from aurel32 by ohm.rr44.fr with local (Exim 4.95) (envelope-from ) id 1nC88x-00Fwj6-3E; Mon, 24 Jan 2022 23:48:59 +0100 From: Aurelien Jarno To: libc-stable@sourceware.org Cc: Siddhesh Poyarekar , Adhemerval Zanella Subject: [COMMITTED 2.33 2/7] realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770] Date: Mon, 24 Jan 2022 23:48:52 +0100 Message-Id: <20220124224857.3799610-2-aurelien@aurel32.net> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220124224857.3799610-1-aurelien@aurel32.net> References: <20220124224857.3799610-1-aurelien@aurel32.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-13.2 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, SPF_HELO_PASS, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-stable@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-stable mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jan 2022 22:49:04 -0000 From: Siddhesh Poyarekar realpath returns an allocated string when the result exceeds PATH_MAX, which is unexpected when its second argument is not NULL. This results in the second argument (resolved) being uninitialized and also results in a memory leak since the caller expects resolved to be the same as the returned value. Return NULL and set errno to ENAMETOOLONG if the result exceeds PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. Reviewed-by: Adhemerval Zanella Signed-off-by: Siddhesh Poyarekar (cherry picked from commit ee8d5e33adb284601c00c94687bc907e10aec9bb) --- NEWS | 5 ++++ stdlib/Makefile | 3 ++- stdlib/canonicalize.c | 12 +++++++-- stdlib/tst-realpath-toolong.c | 49 +++++++++++++++++++++++++++++++++++ 4 files changed, 66 insertions(+), 3 deletions(-) create mode 100644 stdlib/tst-realpath-toolong.c diff --git a/NEWS b/NEWS index eba875d1f6..5352599d7f 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,10 @@ Security related changes: CVE-2022-23218: Passing an overlong file name to the svcunix_create legacy function could result in a stack-based buffer overflow. + CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath + function could result in a memory leak and potential access of + uninitialized memory. Reported by Qualys. + The following bugs are resolved with this release: [15271] dlfcn function failure after dlmopen terminates process @@ -46,6 +50,7 @@ The following bugs are resolved with this release: [28524] Conversion from ISO-2022-JP-3 with iconv may emit spurious NULs [28532] powerpc64[le]: CFI for assembly templated syscalls is incorrect [28768] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create + [28770] CVE-2021-3998: Unexpected return value from realpath() for too long results Version 2.33 diff --git a/stdlib/Makefile b/stdlib/Makefile index b3b30ab73e..b1eebd568f 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -86,7 +86,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ tst-setcontext6 tst-setcontext7 tst-setcontext8 \ - tst-setcontext9 tst-bz20544 tst-canon-bz26341 + tst-setcontext9 tst-bz20544 tst-canon-bz26341 \ + tst-realpath-toolong tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ tst-tls-atexit tst-tls-atexit-nodelete diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c index 698f9ede25..7a23a51b3a 100644 --- a/stdlib/canonicalize.c +++ b/stdlib/canonicalize.c @@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved, error: *dest++ = '\0'; - if (resolved != NULL && dest - rname <= get_path_max ()) - rname = strcpy (resolved, rname); + if (resolved != NULL) + { + if (dest - rname <= get_path_max ()) + rname = strcpy (resolved, rname); + else + { + failed = true; + __set_errno (ENAMETOOLONG); + } + } error_nomem: scratch_buffer_free (&extra_buffer); diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c new file mode 100644 index 0000000000..8bed772460 --- /dev/null +++ b/stdlib/tst-realpath-toolong.c @@ -0,0 +1,49 @@ +/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds + NAME_MAX. + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define BASENAME "tst-realpath-toolong." + +int +do_test (void) +{ + char *base = support_create_and_chdir_toolong_temp_directory (BASENAME); + + char buf[PATH_MAX + 1]; + const char *res = realpath (".", buf); + + /* canonicalize.c states that if the real path is >= PATH_MAX, then + realpath returns NULL and sets ENAMETOOLONG. */ + TEST_VERIFY (res == NULL); + TEST_VERIFY (errno == ENAMETOOLONG); + + free (base); + return 0; +} + +#include -- 2.34.1