From: Patsy Griffin
Date: Tue, 17 Mar 2020 22:38:14 -0400
Subject: [2.29 COMMITTED] Fix use-after-free in glob when expanding ~user (bug 25414)
To: libc-stable@sourceware.org

From: Andreas Schwab

The value of `end_name' points into the value of `dirname', thus don't deallocate the latter before the last use of the former.

(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
---
 posix/glob.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/posix/glob.c b/posix/glob.c
index e73e35c510..c6cbd0eb43 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), { size_t home_len =3D strlen (p->pw_dir); size_t rest_len =3D end_name =3D=3D NULL ? 0 : strlen (end_name); - char *d; + char *d, *newp; + bool use_alloca =3D glob_use_alloca (alloca_used, + home_len + rest_len + 1); - if (__glibc_unlikely (malloc_dirname)) - free (dirname); - malloc_dirname =3D 0; - - if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) - dirname =3D alloca_account (home_len + rest_len + 1, - alloca_used); + if (use_alloca) + newp =3D alloca_account (home_len + rest_len + 1, alloca_used); else { - dirname =3D malloc (home_len + rest_len + 1); - if (dirname =3D=3D NULL) + newp =3D malloc (home_len + rest_len + 1); + if (newp =3D=3D NULL) { scratch_buffer_free (&pwtmpbuf); retval =3D GLOB_NOSPACE; goto out; } - malloc_dirname =3D 1; } - d =3D mempcpy (dirname, p->pw_dir, home_len); + d =3D mempcpy (newp, p->pw_dir, home_len); if (end_name !=3D NULL) d =3D mempcpy (d, end_name, rest_len); *d =3D '\0'; + if (__glibc_unlikely (malloc_dirname)) + free (dirname); + dirname =3D newp; + malloc_dirname =3D !use_alloca; + dirlen =3D home_len + rest_len; dirname_modified =3D 1; } --=20 2.21.1
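Review bot: after `free (dirname)` the `end_name` pointer still refers to the released buffer, so the fix holds only as long as the `mempcpy (d, end_name, rest_len)` above it really is the last read through it; consider adding `end_name = NULL;` right after `dirname = newp;` so any later use fails loudly instead of silently reading freed memory. The error path also changes shape: when `newp == NULL` the old `dirname` is no longer freed here and `malloc_dirname` keeps its previous value before `goto out`, so correctness now depends on the cleanup at `out` (not in this hunk) freeing `dirname` when `malloc_dirname` is set; worth confirming, otherwise the old buffer leaks on GLOB_NOSPACE. Updating `malloc_dirname = !use_alloca` next to `dirname = newp` is the right shape, since the flag and the pointer it describes now change together.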
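The ordering bug the commit message describes, reduced to a self-contained example. This is added illustration, not glibc code: `expand_tilde_bad` has the pre-fix shape (release `dirname`, allocate the replacement into the same variable, then copy from `end_name`, which aims into the released buffer), and `expand_tilde_good` has the post-fix shape (build the replacement, finish reading through `end_name`, then free). Assumptions: a tiny poison-on-free bump allocator (`arena_alloc`/`arena_free`) stands in for malloc/free so the bad ordering fails deterministically rather than being undefined behaviour; the home directory is passed in directly instead of being looked up with getpwnam; the pattern is assumed to be `~user` or `~user/rest`; `copy_to` is a portable stand-in for mempcpy. All of these names are invented for the example.

```c
/* Added example (not glibc code): the end_name/dirname aliasing behind
   glibc bug 25414 in miniature.  A poisoning bump allocator replaces
   malloc/free so the use-after-free is observable and deterministic.  */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096
#define POISON 0xAA

static unsigned char arena[ARENA_SIZE];
static size_t arena_top;

/* Bump allocation: memory is never reused, so a read after arena_free()
   stays addressable and observably returns POISON bytes.  */
static char *arena_alloc (size_t n)
{
  if (n > ARENA_SIZE - arena_top)
    return NULL;
  char *p = (char *) &arena[arena_top];
  arena_top += n;
  return p;
}

/* Poison on free, as a debug allocator would.  */
static void arena_free (char *p, size_t n)
{
  memset (p, POISON, n);
}

/* Portable stand-in for mempcpy: copy and return one past the last byte.  */
static char *copy_to (char *d, const char *s, size_t n)
{
  memcpy (d, s, n);
  return d + n;
}

/* Copy PATTERN ("~user" or "~user/rest") into an owned buffer and locate
   END_NAME, the '/' ending the user name.  As in glob, END_NAME points INTO
   the returned buffer; that aliasing is the whole story.  */
static char *dup_pattern (const char *pattern, size_t *len, const char **end_name)
{
  *len = strlen (pattern);
  char *dirname = arena_alloc (*len + 1);
  if (dirname == NULL)
    return NULL;
  memcpy (dirname, pattern, *len + 1);
  *end_name = strchr (dirname, '/');   /* NULL when there is no "/rest" */
  return dirname;
}

/* Pre-fix shape: free the old buffer, allocate the replacement into the same
   variable, then copy from end_name, which now dangles.  */
char *expand_tilde_bad (const char *pattern, const char *home)
{
  size_t dirlen;
  const char *end_name;
  char *dirname = dup_pattern (pattern, &dirlen, &end_name);
  if (dirname == NULL)
    return NULL;
  size_t home_len = strlen (home);
  size_t rest_len = end_name == NULL ? 0 : strlen (end_name);

  arena_free (dirname, dirlen + 1);          /* end_name now dangles */
  dirname = arena_alloc (home_len + rest_len + 1);
  if (dirname == NULL)
    return NULL;
  char *d = copy_to (dirname, home, home_len);
  if (end_name != NULL)
    d = copy_to (d, end_name, rest_len);     /* use after free: copies POISON */
  *d = '\0';
  return dirname;
}

/* Post-fix shape: build the replacement in newp, finish every read through
   end_name, and only then release the old buffer.  */
char *expand_tilde_good (const char *pattern, const char *home)
{
  size_t dirlen;
  const char *end_name;
  char *dirname = dup_pattern (pattern, &dirlen, &end_name);
  if (dirname == NULL)
    return NULL;
  size_t home_len = strlen (home);
  size_t rest_len = end_name == NULL ? 0 : strlen (end_name);

  char *newp = arena_alloc (home_len + rest_len + 1);
  if (newp == NULL)
    {
      arena_free (dirname, dirlen + 1);      /* error path still owns dirname */
      return NULL;
    }
  char *d = copy_to (newp, home, home_len);
  if (end_name != NULL)
    d = copy_to (d, end_name, rest_len);     /* last use of end_name */
  *d = '\0';

  arena_free (dirname, dirlen + 1);          /* safe: nothing reads it again */
  end_name = NULL;                           /* defensive: later use fails loudly */
  dirname = newp;
  return dirname;
}

int main (void)
{
  const char *pattern = "~alice/src/*.c", *home = "/home/alice";
  char *good = expand_tilde_good (pattern, home);
  char *bad = expand_tilde_bad (pattern, home);
  printf ("good: %s\n", good);
  printf ("bad:  %s followed by byte 0x%02x where \"/src/*.c\" should start\n",
          home, (unsigned char) bad[strlen (home)]);
  return 0;
}
```

With a real allocator the bad ordering is undefined behaviour: the freed chunk may be handed straight back as the new `dirname`, in which case the copy reads whatever was written there so far, or it may hold allocator metadata. The poisoning arena makes the failure reproducible, which is also why a debug malloc or AddressSanitizer would have caught this: the read through `end_name` lands in memory that was freed one statement earlier.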