From: Patsy Griffin
Date: Tue, 17 Mar 2020 21:48:44 -0400
Subject: [2.30 COMMITTED] Fix use-after-free in glob when expanding ~user
To: libc-stable@sourceware.org

The value of `end_name' points into the value of `dirname', thus don't
deallocate the latter before the last use of the former.

(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
---
 posix/glob.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/posix/glob.c b/posix/glob.c
index e73e35c510..c6cbd0eb43 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), { size_t home_len =3D strlen (p->pw_dir); size_t rest_len =3D end_name =3D=3D NULL ? 0 : strlen (end_name); - char *d; + char *d, *newp; + bool use_alloca =3D glob_use_alloca (alloca_used, + home_len + rest_len + 1); - if (__glibc_unlikely (malloc_dirname)) - free (dirname); - malloc_dirname =3D 0; - - if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) - dirname =3D alloca_account (home_len + rest_len + 1, - alloca_used); + if (use_alloca) + newp =3D alloca_account (home_len + rest_len + 1, alloca_used); else { - dirname =3D malloc (home_len + rest_len + 1); - if (dirname =3D=3D NULL) + newp =3D malloc (home_len + rest_len + 1); + if (newp =3D=3D NULL) { scratch_buffer_free (&pwtmpbuf); retval =3D GLOB_NOSPACE; goto out; } - malloc_dirname =3D 1; } - d =3D mempcpy (dirname, p->pw_dir, home_len); + d =3D mempcpy (newp, p->pw_dir, home_len); if (end_name !=3D NULL) d =3D mempcpy (d, end_name, rest_len); *d =3D '\0'; + if (__glibc_unlikely (malloc_dirname)) + free (dirname); + dirname =3D newp; + malloc_dirname =3D !use_alloca; + dirlen =3D home_len + rest_len; dirname_modified =3D 1; } -- 2.21.1
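Review bot: the added `dirlen = home_len + rest_len;` has no counterpart among the removed lines and is not covered by the commit message, which only describes keeping `dirname` alive until the last read of `end_name`; if a stale `dirlen` after `~user` expansion is a second defect being fixed here, one sentence in the message should say so, otherwise it belongs in a separate change. Also worth checking on the `newp == NULL` path: before this change `dirname` had already been freed and `malloc_dirname` cleared before `goto out`, whereas now the original `dirname` is still live and `malloc_dirname` still set when `out` is reached, so the cleanup at `out:` must free it, since the release moved across that error exit. The ordering of the fix itself reads correctly: both `mempcpy` calls into `newp` complete before `free (dirname)`, and `malloc_dirname = !use_alloca` keeps ownership of the replacement buffer consistent with how it was allocated.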