Bug 22679 (CVE-2018-1000001)

Summary: getcwd(3) can succeed without returning an absolute path (CVE-2018-1000001)
Product: glibc
Component: libc
Reporter: Dmitry V. Levin <ldv>
Assignee: Dmitry V. Levin <ldv>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
CC: drepper.fsp, fweimer, jeremip11
Flags: ldv: security+
Version: unspecified
Target Milestone: 2.27
Bug Blocks: 18203

Description Dmitry V. Levin 2018-01-05 22:34:11 UTC
As noted in https://sourceware.org/bugzilla/show_bug.cgi?id=18203,
getcwd(3) on linux can succeed without returning an absolute path
because the underlying getcwd syscall, starting with linux commit
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

This is a conformance issue because "The getcwd() function shall place
an absolute pathname of the current working directory in the array
pointed to by buf, and return buf".
Comment 1 Dmitry V. Levin 2018-01-11 21:55:46 UTC
This is also a security issue because a non-absolute path returned by getcwd(3) causes a buffer underflow in realpath(3).
Comment 2 Sourceware Commits 2018-01-12 14:56:43 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94 (commit)
      from  249a5895f120b13290a372a49bb4b499e749806f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94

commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Sun Jan 7 02:03:41 2018 +0000

    linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
    
    Currently getcwd(3) can succeed without returning an absolute path
    because the underlying getcwd syscall, starting with linux commit
    v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
    
    This is a conformance issue because "The getcwd() function shall
    place an absolute pathname of the current working directory
    in the array pointed to by buf, and return buf".
    
    This is also a security issue because a non-absolute path returned
    by getcwd(3) causes a buffer underflow in realpath(3).
    
    Fix this by checking the path returned by getcwd syscall and falling
    back to generic_getcwd if the path is not absolute, effectively making
    getcwd(3) fail with ENOENT.  The error code is chosen for consistency
    with the case when the current directory is unlinked.
    
    [BZ #22679]
    CVE-2018-1000001
    * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
    generic_getcwd if the path returned by getcwd syscall is not absolute.
    * io/tst-getcwd-abspath.c: New test.
    * io/Makefile (tests): Add tst-getcwd-abspath.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |    9 +++
 NEWS                                               |    4 ++
 io/Makefile                                        |    2 +-
 .../tst-getcwd-abspath.c                           |   54 +++++++++++--------
 sysdeps/unix/sysv/linux/getcwd.c                   |    8 ++--
 5 files changed, 49 insertions(+), 28 deletions(-)
 copy iconv/tst-gconv-init-failure.c => io/tst-getcwd-abspath.c (50%)
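
The check described in the commit message above, as an added example that is not part of the bug report or of glibc: a caller-side wrapper that treats a successful but non-absolute getcwd(3) result as a failure with ENOENT. The names require_absolute and checked_getcwd are hypothetical, and the "(unreachable)" sample string is constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Accept a getcwd result only if it is an absolute path.  A relative
   result becomes a failure with ENOENT, the error the fix chose.  */
char *require_absolute(char *path) {
    if (path == NULL)
        return NULL;            /* errno was set by the failed call */
    if (path[0] != '/') {
        errno = ENOENT;
        return NULL;
    }
    return path;
}

/* Hypothetical wrapper: returns a malloc'ed absolute cwd or NULL with
   errno set.  Grows the buffer while getcwd reports ERANGE.  */
char *checked_getcwd(void) {
    for (size_t size = 256;; size *= 2) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        if (getcwd(buf, size) != NULL) {
            if (require_absolute(buf) != NULL)
                return buf;
            free(buf);
            errno = ENOENT;     /* free() may have changed errno */
            return NULL;
        }
        int saved = errno;
        free(buf);
        errno = saved;
        if (saved != ERANGE)
            return NULL;
    }
}

int main(void) {
    char sample[] = "(unreachable)/home/user";  /* constructed input */
    printf("sample accepted: %s\n", require_absolute(sample) ? "yes" : "no");
    char *cwd = checked_getcwd();
    if (cwd != NULL)
        puts(cwd);
    free(cwd);
    return 0;
}
```

Code that passes the working directory on to path resolution can call such a wrapper on a libc without the fix, so that a relative result is never used as a path prefix.
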
Comment 3 Dmitry V. Levin 2018-01-12 14:59:03 UTC
Fixed in 2.27.
Comment 4 Sourceware Commits 2018-01-12 22:24:48 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  fabef2edbc29424a8048bdd60eba1a201f95682b (commit)
      from  7d2672a47b24c6991ddbcc7b65a5086caed4596a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fabef2edbc29424a8048bdd60eba1a201f95682b

commit fabef2edbc29424a8048bdd60eba1a201f95682b
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Sun Jan 7 02:03:41 2018 +0000

    linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
    
    Currently getcwd(3) can succeed without returning an absolute path
    because the underlying getcwd syscall, starting with linux commit
    v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
    
    This is a conformance issue because "The getcwd() function shall
    place an absolute pathname of the current working directory
    in the array pointed to by buf, and return buf".
    
    This is also a security issue because a non-absolute path returned
    by getcwd(3) causes a buffer underflow in realpath(3).
    
    Fix this by checking the path returned by getcwd syscall and falling
    back to generic_getcwd if the path is not absolute, effectively making
    getcwd(3) fail with ENOENT.  The error code is chosen for consistency
    with the case when the current directory is unlinked.
    
    [BZ #22679]
    CVE-2018-1000001
    * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
    generic_getcwd if the path returned by getcwd syscall is not absolute.
    * io/tst-getcwd-abspath.c: New test.
    * io/Makefile (tests): Add tst-getcwd-abspath.
    
    (cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                        |    9 +++++
 NEWS                             |    6 +++
 io/Makefile                      |    2 +-
 io/tst-getcwd-abspath.c          |   66 ++++++++++++++++++++++++++++++++++++++
 sysdeps/unix/sysv/linux/getcwd.c |    8 ++--
 5 files changed, 86 insertions(+), 5 deletions(-)
 create mode 100644 io/tst-getcwd-abspath.c
Comment 5 Sourceware Commits 2018-01-16 08:17:55 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.25/master has been updated
       via  771c846a71d9ee14aa3b91fd184026482da585d9 (commit)
      from  2ee370613ce1c72fbaad08dcda323a3b122c82df (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=771c846a71d9ee14aa3b91fd184026482da585d9

commit 771c846a71d9ee14aa3b91fd184026482da585d9
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Sun Jan 7 02:03:41 2018 +0000

    linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
    
    Currently getcwd(3) can succeed without returning an absolute path
    because the underlying getcwd syscall, starting with linux commit
    v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
    
    This is a conformance issue because "The getcwd() function shall
    place an absolute pathname of the current working directory
    in the array pointed to by buf, and return buf".
    
    This is also a security issue because a non-absolute path returned
    by getcwd(3) causes a buffer underflow in realpath(3).
    
    Fix this by checking the path returned by getcwd syscall and falling
    back to generic_getcwd if the path is not absolute, effectively making
    getcwd(3) fail with ENOENT.  The error code is chosen for consistency
    with the case when the current directory is unlinked.
    
    [BZ #22679]
    CVE-2018-1000001
    * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
    generic_getcwd if the path returned by getcwd syscall is not absolute.
    * io/tst-getcwd-abspath.c: New test.
    * io/Makefile (tests): Add tst-getcwd-abspath.
    
    (cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                        |    9 +++++
 NEWS                             |    6 +++
 io/Makefile                      |    2 +-
 io/tst-getcwd-abspath.c          |   66 ++++++++++++++++++++++++++++++++++++++
 sysdeps/unix/sysv/linux/getcwd.c |    8 ++--
 5 files changed, 86 insertions(+), 5 deletions(-)
 create mode 100644 io/tst-getcwd-abspath.c
Comment 6 Florian Weimer 2018-02-05 12:28:50 UTC
There is a report of a regression which has apparently been caused by this change:

https://lists.gluster.org/pipermail/gluster-users/2018-January/033293.html