This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

GNU C Library master sources branch release/2.26/master updated. glibc-2.26-131-gfabef2e


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  fabef2edbc29424a8048bdd60eba1a201f95682b (commit)
      from  7d2672a47b24c6991ddbcc7b65a5086caed4596a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=fabef2edbc29424a8048bdd60eba1a201f95682b

commit fabef2edbc29424a8048bdd60eba1a201f95682b
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Sun Jan 7 02:03:41 2018 +0000

    linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
    
    Currently getcwd(3) can succeed without returning an absolute path
    because the underlying getcwd syscall, starting with linux commit
    v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
    
    This is a conformance issue because "The getcwd() function shall
    place an absolute pathname of the current working directory
    in the array pointed to by buf, and return buf".
    
    This is also a security issue because a non-absolute path returned
    by getcwd(3) causes a buffer underflow in realpath(3).
    
    Fix this by checking the path returned by getcwd syscall and falling
    back to generic_getcwd if the path is not absolute, effectively making
    getcwd(3) fail with ENOENT.  The error code is chosen for consistency
    with the case when the current directory is unlinked.
    
    [BZ #22679]
    CVE-2018-1000001
    * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
    generic_getcwd if the path returned by getcwd syscall is not absolute.
    * io/tst-getcwd-abspath.c: New test.
    * io/Makefile (tests): Add tst-getcwd-abspath.
    
    (cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)

diff --git a/ChangeLog b/ChangeLog
index 406307d..98ef90f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-01-12  Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22679]
+	CVE-2018-1000001
+	* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
+	generic_getcwd if the path returned by getcwd syscall is not absolute.
+	* io/tst-getcwd-abspath.c: New test.
+	* io/Makefile (tests): Add tst-getcwd-abspath.
+
 2017-12-19  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 	    James Clarke <jrtc27@jrtc27.com>
 
diff --git a/NEWS b/NEWS
index 003bf67..7f88e9e 100644
--- a/NEWS
+++ b/NEWS
@@ -59,6 +59,10 @@ Security related changes:
   for AT_SECURE or SUID binaries could be used to load libraries from the
   current directory.
 
+  CVE-2018-1000001: Buffer underflow in realpath function when getcwd function
+  succeeds without returning an absolute path due to unexpected behaviour
+  of the Linux kernel getcwd syscall.  Reported by halfdog.
+
 The following bugs are resolved with this release:
 
   [16750] ldd: Never run file directly.
@@ -97,6 +101,8 @@ The following bugs are resolved with this release:
   [22325] glibc: Memory leak in glob with GLOB_TILDE (CVE-2017-15671)
   [22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
   [22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice
+  [22679] getcwd(3) can succeed without returning an absolute path
+    (CVE-2018-1000001)
 
 Version 2.26
 
diff --git a/io/Makefile b/io/Makefile
index 2f26bf5..f0bdc83 100644
--- a/io/Makefile
+++ b/io/Makefile
@@ -70,7 +70,7 @@ tests		:= test-utime test-stat test-stat2 test-lfs tst-getcwd \
 		   tst-symlinkat tst-linkat tst-readlinkat tst-mkdirat \
 		   tst-mknodat tst-mkfifoat tst-ttyname_r bug-ftw5 \
 		   tst-posix_fallocate tst-posix_fallocate64 \
-		   tst-fts tst-fts-lfs tst-open-tmpfile
+		   tst-fts tst-fts-lfs tst-open-tmpfile tst-getcwd-abspath
 
 ifeq ($(run-built-tests),yes)
 tests-special += $(objpfx)ftwtest.out
diff --git a/io/tst-getcwd-abspath.c b/io/tst-getcwd-abspath.c
new file mode 100644
index 0000000..3a3636f
--- /dev/null
+++ b/io/tst-getcwd-abspath.c
@@ -0,0 +1,66 @@
+/* BZ #22679 getcwd(3) should not succeed without returning an absolute path.
+
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <support/check.h>
+#include <support/namespace.h>
+#include <support/support.h>
+#include <support/temp_file.h>
+#include <support/test-driver.h>
+#include <support/xunistd.h>
+#include <unistd.h>
+
+static char *chroot_dir;
+
+/* The actual test.  Run it in a subprocess, so that the test harness
+   can remove the temporary directory in --direct mode.  */
+static void
+getcwd_callback (void *closure)
+{
+  xchroot (chroot_dir);
+
+  errno = 0;
+  char *cwd = getcwd (NULL, 0);
+  TEST_COMPARE (errno, ENOENT);
+  TEST_VERIFY (cwd == NULL);
+
+  errno = 0;
+  cwd = realpath (".", NULL);
+  TEST_COMPARE (errno, ENOENT);
+  TEST_VERIFY (cwd == NULL);
+
+  _exit (0);
+}
+
+static int
+do_test (void)
+{
+  support_become_root ();
+  if (!support_can_chroot ())
+    return EXIT_UNSUPPORTED;
+
+  chroot_dir = support_create_temp_directory ("tst-getcwd-abspath-");
+  support_isolate_in_subprocess (getcwd_callback, NULL);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/sysdeps/unix/sysv/linux/getcwd.c b/sysdeps/unix/sysv/linux/getcwd.c
index 3b556fd..f485de8 100644
--- a/sysdeps/unix/sysv/linux/getcwd.c
+++ b/sysdeps/unix/sysv/linux/getcwd.c
@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size)
   int retval;
 
   retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size);
-  if (retval >= 0)
+  if (retval > 0 && path[0] == '/')
     {
 #ifndef NO_ALLOCATION
       if (buf == NULL && size == 0)
@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size)
       return buf;
     }
 
-  /* The system call cannot handle paths longer than a page.
-     Neither can the magic symlink in /proc/self.  Just use the
+  /* The system call either cannot handle paths longer than a page
+     or can succeed without returning an absolute path.  Just use the
      generic implementation right away.  */
-  if (errno == ENAMETOOLONG)
+  if (retval >= 0 || errno == ENAMETOOLONG)
     {
 #ifndef NO_ALLOCATION
       if (buf == NULL && size == 0)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                        |    9 +++++
 NEWS                             |    6 +++
 io/Makefile                      |    2 +-
 io/tst-getcwd-abspath.c          |   66 ++++++++++++++++++++++++++++++++++++++
 sysdeps/unix/sysv/linux/getcwd.c |    8 ++--
 5 files changed, 86 insertions(+), 5 deletions(-)
 create mode 100644 io/tst-getcwd-abspath.c


hooks/post-receive
-- 
GNU C Library master sources


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]