From: Patsy Griffin
Date: Tue, 17 Mar 2020 20:30:18 -0400
Subject: [2.31 COMMITTED] Fix use-after-free in glob when expanding ~user (bug 25414)
To: libc-stable@sourceware.org

From: Andreas Schwab

The value of `end_name' points into the value of `dirname', thus don't
deallocate the latter before the last use of the former.

(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
---
 posix/glob.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/posix/glob.c b/posix/glob.c
index cba9cd1819..4580cefb9f 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), { size_t home_len =3D strlen (p->pw_dir); size_t rest_len =3D end_name =3D=3D NULL ? 0 : strlen (end_= name); - char *d; + char *d, *newp; + bool use_alloca =3D glob_use_alloca (alloca_used, + home_len + rest_len + 1)= ; - if (__glibc_unlikely (malloc_dirname)) - free (dirname); - malloc_dirname =3D 0; - - if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) - dirname =3D alloca_account (home_len + rest_len + 1, - alloca_used); + if (use_alloca) + newp =3D alloca_account (home_len + rest_len + 1, alloca_used); else { - dirname =3D malloc (home_len + rest_len + 1); - if (dirname =3D=3D NULL) + newp =3D malloc (home_len + rest_len + 1); + if (newp =3D=3D NULL) { scratch_buffer_free (&pwtmpbuf); retval =3D GLOB_NOSPACE; goto out; } - malloc_dirname =3D 1; } - d =3D mempcpy (dirname, p->pw_dir, home_len); + d =3D mempcpy (newp, p->pw_dir, home_len); if (end_name !=3D NULL) d =3D mempcpy (d, end_name, rest_len); *d =3D '\0'; + if (__glibc_unlikely (malloc_dirname) + free (dirname); + dirname =3D newp; + malloc_dirname =3D !use_alloca; + dirlen =3D home_len + rest_len; dirname_modified =3D 1; } -- 2.21.1
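Review bot: the added line `if (__glibc_unlikely (malloc_dirname)` near the end of the hunk is missing its closing parenthesis as shown here and would not compile; it should read `if (__glibc_unlikely (malloc_dirname))`. The mail is quoted-printable (`=3D` stands for `=` throughout the hunk), so this is likely a transport artefact, but compare the line against commit ddc650e9b3dc916eab417ce9f79e67337b05035c before applying the backport. The ordering itself is right: `newp` is filled from `p->pw_dir` and `end_name` and terminated with `*d = '\0'` before the old `dirname` is freed, so `end_name` is never read after the buffer it points into is gone, and on the `malloc` failure path the old `dirname` and `malloc_dirname` are left exactly as they were, so ownership of that buffer is unchanged for the `goto out` path.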
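To make the ownership rule in the commit message concrete, here is an added example (not glibc's code, and not from the patch author) that models the `~user` expansion in `__glob` with the same locals (`dirname`, `end_name`, `malloc_dirname`, `dirlen`). `lookup_home` is a hypothetical stand-in for the `getpwnam_r` lookup with one constructed user; `expand_tilde_buggy` reproduces the pre-patch order (free `dirname`, then copy from `end_name`, which points into the freed buffer) and `expand_tilde_fixed` the patched order (build the new buffer, then free the old one, then swap). All patterns are constructed inputs.

```c
/* Added example (not glibc code): __glob's ~user expansion modelled with the
   same locals.  end_name aliases dirname, so the replacement must be built
   before the old buffer is freed. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct glob_dir {           /* the __glob locals involved (names from glob.c) */
    char *dirname;          /* directory part of the pattern, e.g. "~alice/docs" */
    bool malloc_dirname;    /* true when dirname is a malloc'ed buffer we own */
    size_t dirlen;
};

/* Hypothetical stand-in for the getpwnam_r lookup: one constructed user. */
static const char *lookup_home(const char *user, size_t user_len)
{
    return (user_len == 5 && memcmp(user, "alice", 5) == 0) ? "/home/alice" : NULL;
}

/* Split "~user[/rest]": returns the home directory and sets *end_name to the
   "/rest" suffix, which points INTO dirname (NULL if absent).  Returns NULL
   for a non-tilde pattern or an unknown user. */
static const char *split_tilde(const char *dirname, const char **end_name)
{
    *end_name = NULL;
    if (dirname[0] != '~')
        return NULL;
    *end_name = strchr(dirname, '/');
    size_t user_len = *end_name ? (size_t)(*end_name - dirname) - 1 : strlen(dirname) - 1;
    return lookup_home(dirname + 1, user_len);
}

/* Concatenate home + end_name into a fresh malloc'ed buffer (NULL on ENOMEM). */
static char *join_home(const char *home, const char *end_name, size_t *out_len)
{
    size_t home_len = strlen(home), rest_len = end_name ? strlen(end_name) : 0;
    char *newp = malloc(home_len + rest_len + 1);
    if (newp == NULL)
        return NULL;
    memcpy(newp, home, home_len);
    if (end_name != NULL)
        memcpy(newp + home_len, end_name, rest_len);
    newp[home_len + rest_len] = '\0';
    *out_len = home_len + rest_len;
    return newp;
}

/* Pre-patch order (bug 25414): dirname is freed BEFORE end_name, which points
   into it, is copied.  The "before" shape; only run it under ASan. */
int expand_tilde_buggy(struct glob_dir *g)
{
    const char *end_name, *home = split_tilde(g->dirname, &end_name);
    size_t len;
    if (home == NULL)
        return 0;
    if (g->malloc_dirname)
        free(g->dirname);                          /* end_name now dangles */
    g->malloc_dirname = false;
    char *newp = join_home(home, end_name, &len);  /* reads freed memory */
    if (newp == NULL)
        return -1;
    g->dirname = newp;
    g->malloc_dirname = true;
    g->dirlen = len;
    return 1;
}

/* Patched order: build newp first, release the old buffer only afterwards. */
int expand_tilde_fixed(struct glob_dir *g)
{
    const char *end_name, *home = split_tilde(g->dirname, &end_name);
    size_t len;
    if (home == NULL)
        return 0;                                  /* state left untouched */
    char *newp = join_home(home, end_name, &len);  /* end_name still valid */
    if (newp == NULL)
        return -1;                                 /* old dirname still owned by g */
    if (g->malloc_dirname)
        free(g->dirname);                          /* last use of end_name is past */
    g->dirname = newp;
    g->malloc_dirname = true;
    g->dirlen = len;
    return 1;
}

/* Run the fixed path on a malloc'ed copy of pattern: 1 if the return code,
   the resulting dirname, its length and the ownership flag all match. */
int check_fixed(const char *pattern, int want_rc, const char *want_dir, size_t want_len)
{
    size_t n = strlen(pattern) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return 0;
    struct glob_dir g = { memcpy(copy, pattern, n), true, 0 };
    int rc = expand_tilde_fixed(&g);
    int ok = rc == want_rc && g.malloc_dirname && g.dirlen == want_len
          && strcmp(g.dirname, want_dir) == 0;
    free(g.dirname);
    return ok;
}

int main(void)
{
    return check_fixed("~alice/docs", 1, "/home/alice/docs", 16) ? 0 : 1;
}
```

To see the original defect, build with `cc -g -fsanitize=address` and call `expand_tilde_buggy` on a `struct glob_dir` whose `dirname` is a malloc'ed copy of `"~alice/docs"` with `malloc_dirname` set: AddressSanitizer reports a heap-use-after-free inside `join_home`, at the `strlen(end_name)` or the `memcpy` from it, which is exactly the read the patch moves ahead of the `free`. The fixed path also keeps the old buffer and its ownership flag intact when `malloc` fails, so the caller's cleanup still frees the right thing.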