Created attachment 10549 [details]
glob heap-buffer-overflow reproducer

There seems to be another issue:

==32482==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000000c2 at pc 0x000000518166 bp 0x7fff35827050 sp 0x7fff35827048
WRITE of size 1 at 0x60d0000000c2 thread T0
    #0 0x518165 in rpl_glob /home/tim/src/wget2/lib/glob.c:762:28
    #1 0x50ef16 in main /home/tim/src/wget2/fuzz/ooo/glob_crash.c:58:6
    #2 0x7f10b4c342e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #3 0x4193e9 in _start (/home/tim/src/wget2/fuzz/ooo/glob_crash+0x4193e9)

0x60d0000000c2 is located 0 bytes to the right of 130-byte region [0x60d000000040,0x60d0000000c2)
allocated by thread T0 here:
    #0 0x4d73b0 in __interceptor_malloc (/home/tim/src/wget2/fuzz/ooo/glob_crash+0x4d73b0)
    #1 0x514d8f in rpl_glob /home/tim/src/wget2/lib/glob.c:734:26
    #2 0x50ef16 in main /home/tim/src/wget2/fuzz/ooo/glob_crash.c:58:6
    #3 0x7f10b4c342e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

Reproducer C file attached.
dup

*** This bug has been marked as a duplicate of bug 22320 ***
No, the crash happens on line 868 here:

848             if (unescape != NULL)
849               {
850                 char *p = mempcpy (newp, dirname + 1,
851                                    unescape - dirname - 1);
852                 char *q = unescape;
853                 while (*q != '\0')
854                   {
855                     if (*q == '\\')
856                       {
857                         if (q[1] == '\0')
858                           {
859                             /* "~fo\\o\\" unescape to user_name "foo\\",
860                                but "~fo\\o\\/" unescape to user_name
861                                "foo".  */
862                             if (filename == NULL)
863                               *p++ = '\\';
864                             break;
865                           }
866                         ++q;
867                       }
868                     *p++ = *q++;
869                   }
870                 *p = '\0';
871               }

The crash is obscured in glibc because it uses alloca, so you need to add more data to the name before the overflow can be observed with valgrind.
I fixed this bug in Gnulib with this patch:

http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=6803dda53781f7da920f568a31610d41e5c3a351

and something like this patch should be merged into glibc.
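The following is an added example, not code from this bug report, from gnulib or from glibc. It restates the GLOB_TILDE unescape copy quoted in comment 3 in two forms: a dry run that counts how many bytes the loop terminated by the pattern's NUL would emit for a "~user/rest" pattern (it never stops at the '/', so the whole of "rest" is counted against a buffer sized only for the user name), and a copy bounded by the end of the user name and by the destination size. The helper names (tilde_alloc_size, unbounded_write_count, tilde_user_name_bounded) and the sample patterns are this example's own; bounding the loop on end_name is the hardening applied here, not a description of the upstream patch linked above.

```c
/* Added example: the "~user/..." unescape copy from comment 3 as a
   dry-run write counter, next to a bounded copy.  Names are this
   example's own, not glibc's or gnulib's.  */
#include <stddef.h>
#include <string.h>

/* End of the user name: the first '/' after '~', or the string's NUL.  */
static const char *tilde_end_name(const char *dirname)
{
    const char *end_name = strchr(dirname, '/');
    return end_name != NULL ? end_name : dirname + strlen(dirname);
}

/* glob.c sizes the user-name buffer as end_name - dirname: the bytes
   between '~' and end_name, plus one for the trailing NUL.  */
size_t tilde_alloc_size(const char *dirname)
{
    return (size_t)(tilde_end_name(dirname) - dirname);
}

/* Dry run of the loop exactly as quoted (bounded by *q != '\0').  Nothing
   is written; the return value is how many bytes the loop would emit,
   including the final NUL.  Compare it with tilde_alloc_size().  */
size_t unbounded_write_count(const char *dirname)
{
    const char *end_name = tilde_end_name(dirname);
    const char *unescape = memchr(dirname, '\\', (size_t)(end_name - dirname));
    if (unescape == NULL)
        return (size_t)(end_name - dirname);     /* plain copy path: fits */

    size_t n = (size_t)(unescape - dirname - 1);  /* the mempcpy prefix */
    const char *q = unescape;
    while (*q != '\0') {                          /* the defective bound */
        if (*q == '\\') {
            if (q[1] == '\0') {
                if (*end_name == '\0')            /* the filename == NULL case */
                    n++;                          /* keeps the trailing '\' */
                break;
            }
            ++q;
        }
        n++;                                      /* *p++ = *q++ */
        q++;
    }
    return n + 1;                                 /* *p = '\0' */
}

/* Bounded copy: stop at end_name and never write past out[outsize - 1].
   Returns the user-name length, or -1 when it would not fit.  */
int tilde_user_name_bounded(const char *dirname, char *out, size_t outsize)
{
    if (outsize == 0)
        return -1;
    const char *end_name = tilde_end_name(dirname);
    const char *q = dirname + 1;                  /* skip the '~' */
    size_t n = 0;
    while (q != end_name) {
        if (*q == '\\') {
            if (q + 1 == end_name) {
                /* "~fo\\o\\" keeps the trailing backslash, "~fo\\o\\/" drops it,
                   matching the comment in the quoted glob.c.  */
                if (*end_name == '\0') {
                    if (n + 1 >= outsize)
                        return -1;
                    out[n++] = '\\';
                }
                break;
            }
            ++q;
        }
        if (n + 1 >= outsize)                     /* room for this byte and the NUL */
            return -1;
        out[n++] = *q++;
    }
    out[n] = '\0';
    return (int)n;
}
```

For the constructed pattern "~fo\\o/some/long/path" the allocation is 5 bytes, the NUL-bounded loop would emit 19, and the bounded copy yields "foo" in 3 bytes; the longer the path after the user name, the larger the overrun, which is why comment 3 notes that more data is needed to see it past an alloca buffer.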
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  a159b53fa059947cc2548e3b0d5bdcf7b9630ba8 (commit)
      from  914c9994d27b80bc3b71c483e801a4f04e269ba6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a159b53fa059947cc2548e3b0d5bdcf7b9630ba8

commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Oct 22 10:00:57 2017 +0200

    glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog    | 6 ++++++
 NEWS         | 4 ++++
 posix/glob.c | 4 ++--
 3 files changed, 12 insertions(+), 2 deletions(-)
Fixed in 2.27.
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  2fac6a6cd50c22ac28c97d0864306594807ade3e (commit)
      from  260fbd0a394fec9aabe5cfa24272f33723cb355c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2fac6a6cd50c22ac28c97d0864306594807ade3e

commit 2fac6a6cd50c22ac28c97d0864306594807ade3e
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 11:06:45 2017 +0100

    posix/tst-glob-tilde.c: Add test for bug 22332

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |  7 ++++++
 posix/tst-glob-tilde.c | 53 +++++++++++++++++++++++++++--------------------
 2 files changed, 37 insertions(+), 23 deletions(-)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  0890d5379cac9b7e2a5f09c3647ebad235c1442d (commit)
       via  a9f35ac127e2244185d0a80ed91fa629f9d19dcf (commit)
       via  f1cf98b583787cfb6278baea46e286a0ee7567fd (commit)
       via  6f9f307b5db6b2eeb7b92f2a75e5ab3e749c3d56 (commit)
      from  f312f235d535fac5c3ff2b0aa7cacb1958aa4529 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0890d5379cac9b7e2a5f09c3647ebad235c1442d

commit 0890d5379cac9b7e2a5f09c3647ebad235c1442d
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Fri Dec 1 21:53:51 2017 +0100

    Update NEWS to add CVE-2017-15804 entry

    (cherry picked from commit 15e84c63c05e0652047ba5e738c54d79d62ba74b)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a9f35ac127e2244185d0a80ed91fa629f9d19dcf

commit a9f35ac127e2244185d0a80ed91fa629f9d19dcf
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 11:06:45 2017 +0100

    posix/tst-glob-tilde.c: Add test for bug 22332

    (cherry picked from commit 2fac6a6cd50c22ac28c97d0864306594807ade3e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f1cf98b583787cfb6278baea46e286a0ee7567fd

commit f1cf98b583787cfb6278baea46e286a0ee7567fd
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Oct 22 10:00:57 2017 +0200

    glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]

    (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6f9f307b5db6b2eeb7b92f2a75e5ab3e749c3d56

commit 6f9f307b5db6b2eeb7b92f2a75e5ab3e749c3d56
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sun Oct 22 09:29:52 2017 +0200

    Update NEWS and ChangeLog for CVE-2017-15671

    (cherry picked from commit 914c9994d27b80bc3b71c483e801a4f04e269ba6)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              | 13 +++++++++++
 NEWS                   |  9 ++++++++
 posix/glob.c           |  4 +-
 posix/tst-glob-tilde.c | 53 +++++++++++++++++++++++++++--------------------
 4 files changed, 54 insertions(+), 25 deletions(-)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.25/master has been updated
       via  4444f6a92b83f7e044705b43b11dcdb0dbe97fe1 (commit)
       via  b2b39e667143a921eeec01517c9c99ea25eaafae (commit)
       via  ee68a4419a7c4473e48b16a55c50689a11f9b725 (commit)
       via  3b587362bd54a81528b36ff8e13ba9f7c233e995 (commit)
       via  a06cc8caa7f4c0fcfdc7580cbc5c21be63637353 (commit)
       via  717743bb07471f95bef6ea63d9b12848ad91aaf6 (commit)
       via  ea54198514e1a4f4abd8727acac0890bc95b4bdc (commit)
       via  2b54f16a8a237a1f3e6f8b974cafda09ed75d292 (commit)
      from  7bd7ddfab138f67a1d8c10d4d70f16240a1c6796 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4444f6a92b83f7e044705b43b11dcdb0dbe97fe1

commit 4444f6a92b83f7e044705b43b11dcdb0dbe97fe1
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Fri Dec 1 21:53:51 2017 +0100

    Update NEWS to add CVE-2017-15804 entry

    (cherry picked from commit 15e84c63c05e0652047ba5e738c54d79d62ba74b)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b2b39e667143a921eeec01517c9c99ea25eaafae

commit b2b39e667143a921eeec01517c9c99ea25eaafae
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 11:06:45 2017 +0100

    posix/tst-glob-tilde.c: Add test for bug 22332

    (cherry picked from commit 2fac6a6cd50c22ac28c97d0864306594807ade3e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee68a4419a7c4473e48b16a55c50689a11f9b725

commit ee68a4419a7c4473e48b16a55c50689a11f9b725
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Oct 22 10:00:57 2017 +0200

    glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]

    (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3b587362bd54a81528b36ff8e13ba9f7c233e995

commit 3b587362bd54a81528b36ff8e13ba9f7c233e995
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sun Oct 22 09:29:52 2017 +0200

    Update NEWS and ChangeLog for CVE-2017-15671

    (cherry picked from commit 914c9994d27b80bc3b71c483e801a4f04e269ba6)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a06cc8caa7f4c0fcfdc7580cbc5c21be63637353

commit a06cc8caa7f4c0fcfdc7580cbc5c21be63637353
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Oct 21 18:03:30 2017 +0200

    glob: Add new test tst-glob-tilde

    The new test checks for memory leaks (see bug 22325) and attempts to
    trigger the buffer overflow in bug 22320.

    (cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=717743bb07471f95bef6ea63d9b12848ad91aaf6

commit 717743bb07471f95bef6ea63d9b12848ad91aaf6
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Fri Oct 20 18:41:14 2017 +0200

    CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

    (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ea54198514e1a4f4abd8727acac0890bc95b4bdc

commit ea54198514e1a4f4abd8727acac0890bc95b4bdc
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Mon Sep 4 14:53:38 2017 -0300

    posix: Sync glob with gnulib [BZ #1062]

    This patch syncs posix/glob.c implementation with gnulib version b5ec983
    (glob: simplify symlink detection).  The only difference to gnulib code is

      * DT_UNKNOWN, DT_DIR, and DT_LNK definition in the case there were not
        already defined.  Gnulib code which uses HAVE_STRUCT_DIRENT_D_TYPE
        will redefine them wrongly because GLIBC does not define
        HAVE_STRUCT_DIRENT_D_TYPE.  Instead the patch check for each
        definition instead.

    Also, the patch requires additional globfree and globfree64 files for
    compatibility version on some architectures.

    Also the code simplification leads to not macro simplification (not need
    for NO_GLOB_PATTERN_P anymore).

    Checked on x86_64-linux-gnu and on a build using build-many-glibcs.py
    for all major architectures.

        [BZ #1062]
        * posix/Makefile (routines): Add globfree, globfree64, and
        glob_pattern_p.
        * posix/flexmember.h: New file.
        * posix/glob_internal.h: Likewise.
        * posix/glob_pattern_p.c: Likewise.
        * posix/globfree.c: Likewise.
        * posix/globfree64.c: Likewise.
        * sysdeps/gnu/globfree64.c: Likewise.
        * sysdeps/unix/sysv/linux/alpha/globfree.c: Likewise.
        * sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c: Likewise.
        * sysdeps/unix/sysv/linux/oldglob.c: Likewise.
        * sysdeps/unix/sysv/linux/wordsize-64/globfree64.c: Likewise.
        * sysdeps/unix/sysv/linux/x86_64/x32/globfree.c: Likewise.
        * sysdeps/wordsize-64/globfree.c: Likewise.
        * sysdeps/wordsize-64/globfree64.c: Likewise.
        * posix/glob.c (HAVE_CONFIG_H): Use !_LIBC instead.
        [NDEBUG): Remove comments.
        (GLOB_ONLY_P, _AMIGA, VMS): Remove define.
        (dirent_type): New type.  Use uint_fast8_t not
        uint8_t, as C99 does not require uint8_t.
        (DT_UNKNOWN, DT_DIR, DT_LNK): New macros.
        (struct readdir_result): Use dirent_type.  Do not define skip_entry
        unless it is needed; this saves a byte on platforms lacking d_ino.
        (readdir_result_type, readdir_result_skip_entry):
        New functions, replacing ...
        (readdir_result_might_be_symlink, readdir_result_might_be_dir):
        these functions, which were removed.  This makes the callers
        easier to read.  All callers changed.
        (D_INO_TO_RESULT): Now empty if there is no d_ino.
        (size_add_wrapv, glob_use_alloca): New static functions.
        (glob, glob_in_dir): Check for size_t overflow in several places,
        and fix some size_t checks that were not quite right.
        Remove old code using SHELL since Bash no longer uses this.
        (glob, prefix_array): Separate MS code better.
        (glob_in_dir): Remove old Amiga and VMS code.
        (globfree, __glob_pattern_type, __glob_pattern_p): Move to
        separate files.
        (glob_in_dir): Do not rely on undefined behavior in accessing
        struct members beyond their bounds.  Use a flexible array member
        instead
        (link_stat): Rename from link_exists2_p and return -1/0 instead of
        0/1.  Caller changed.
        (glob): Fix memory leaks.
        * posix/glob64 (globfree64): Move to separate file.
        * sysdeps/gnu/glob64.c (NO_GLOB_PATTERN_P): Remove define.
        (globfree64): Remove hidden alias.
        * sysdeps/unix/sysv/linux/Makefile (sysdeps_routines): Add
        oldglob.
        * sysdeps/unix/sysv/linux/alpha/glob.c (__new_globfree): Move to
        separate file.
        * sysdeps/unix/sysv/linux/i386/glob64.c (NO_GLOB_PATTERN_P):
        Remove define.  Move compat code to separate file.
        * sysdeps/wordsize-64/glob.c (globfree): Move definitions to
        separate file.

    (cherry picked from commit c66c908230169c1bab1f83b071eb585baa214b9f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2b54f16a8a237a1f3e6f8b974cafda09ed75d292

commit 2b54f16a8a237a1f3e6f8b974cafda09ed75d292
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Sun Aug 20 10:46:47 2017 -0700

    i386: Hide __old_glob64 [BZ #18822]

    Hide internal __old_glob64 function to allow direct access within
    libc.so and libc.a without using GOT nor PLT.

        [BZ #18822]
        * sysdeps/unix/sysv/linux/i386/glob64.c (__old_glob64): Add
        libc_hidden_proto and libc_hidden_def.

    (cherry picked from commit 2585d7b839559e665d5723734862fbe62264b25d)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |  94 +++
 NEWS                                               |  16 +
 posix/Makefile                                     |  14 +-
 posix/flexmember.h                                 |  45 ++
 posix/glob.c                                       | 780 ++++++++++----------
 posix/glob64.c                                     |   6 -
 posix/glob_internal.h                              |  57 ++
 posix/glob_pattern_p.c                             |  33 +
 posix/globfree.c                                   |  41 +
 posix/globfree64.c                                 |  31 +
 posix/tst-glob-tilde.c                             | 143 ++++
 sysdeps/gnu/glob64.c                               |   3 -
 sysdeps/gnu/globfree64.c                           |  10 +
 sysdeps/unix/sysv/linux/Makefile                   |   2 +-
 sysdeps/unix/sysv/linux/alpha/glob.c               |   4 -
 sysdeps/unix/sysv/linux/alpha/globfree.c           |  37 +
 sysdeps/unix/sysv/linux/i386/glob64.c              |  36 +-
 .../unix/sysv/linux/mips/mips64/n64/globfree64.c   |   1 +
 sysdeps/unix/sysv/linux/oldglob.c                  |  42 ++
 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c   |   2 +
 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c      |   1 +
 sysdeps/wordsize-64/glob.c                         |   2 -
 sysdeps/wordsize-64/globfree.c                     |   5 +
 sysdeps/wordsize-64/globfree64.c                   |   1 +
 24 files changed, 945 insertions(+), 461 deletions(-)
 create mode 100644 posix/flexmember.h
 create mode 100644 posix/glob_internal.h
 create mode 100644 posix/glob_pattern_p.c
 create mode 100644 posix/globfree.c
 create mode 100644 posix/globfree64.c
 create mode 100644 posix/tst-glob-tilde.c
 create mode 100644 sysdeps/gnu/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/alpha/globfree.c
 create mode 100644 sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/oldglob.c
 create mode 100644 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree64.c
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.24/master has been updated
       via  d81254d2efcb839fd11df2960df5bba579193808 (commit)
       via  bddc5728810859952a2acaec6302308361e828cc (commit)
       via  94825c8924b80518214ad9e3ca1f6589f209592c (commit)
       via  1e53b88296dc95d325d6073910a33dca851b6bc4 (commit)
       via  5ff2eb52b236ca3d77f92272e8711b3c2b98140b (commit)
       via  1f523e3c6efd673bdd05cbec85ff6ba178ba6e08 (commit)
       via  832e2ec56701f85b892b782b8b749bc5a33899fb (commit)
       via  89bf8ef2dba93e19385bf922fdcee87a97db768f (commit)
      from  bea3f92405f705684275bffee954cafe84ffb09d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d81254d2efcb839fd11df2960df5bba579193808

commit d81254d2efcb839fd11df2960df5bba579193808
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Fri Dec 1 21:53:51 2017 +0100

    Update NEWS to add CVE-2017-15804 entry

    (cherry picked from commit 15e84c63c05e0652047ba5e738c54d79d62ba74b)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bddc5728810859952a2acaec6302308361e828cc

commit bddc5728810859952a2acaec6302308361e828cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 11:06:45 2017 +0100

    posix/tst-glob-tilde.c: Add test for bug 22332

    (cherry picked from commit 2fac6a6cd50c22ac28c97d0864306594807ade3e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=94825c8924b80518214ad9e3ca1f6589f209592c

commit 94825c8924b80518214ad9e3ca1f6589f209592c
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Oct 22 10:00:57 2017 +0200

    glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]

    (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1e53b88296dc95d325d6073910a33dca851b6bc4

commit 1e53b88296dc95d325d6073910a33dca851b6bc4
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sun Oct 22 09:29:52 2017 +0200

    Update NEWS and ChangeLog for CVE-2017-15671

    (cherry picked from commit 914c9994d27b80bc3b71c483e801a4f04e269ba6)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ff2eb52b236ca3d77f92272e8711b3c2b98140b

commit 5ff2eb52b236ca3d77f92272e8711b3c2b98140b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Oct 21 18:03:30 2017 +0200

    glob: Add new test tst-glob-tilde

    The new test checks for memory leaks (see bug 22325) and attempts to
    trigger the buffer overflow in bug 22320.

    (cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1f523e3c6efd673bdd05cbec85ff6ba178ba6e08

commit 1f523e3c6efd673bdd05cbec85ff6ba178ba6e08
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Fri Oct 20 18:41:14 2017 +0200

    CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

    (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=832e2ec56701f85b892b782b8b749bc5a33899fb

commit 832e2ec56701f85b892b782b8b749bc5a33899fb
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Mon Sep 4 14:53:38 2017 -0300

    posix: Sync glob with gnulib [BZ #1062]

    This patch syncs posix/glob.c implementation with gnulib version b5ec983
    (glob: simplify symlink detection).  The only difference to gnulib code is

      * DT_UNKNOWN, DT_DIR, and DT_LNK definition in the case there were not
        already defined.  Gnulib code which uses HAVE_STRUCT_DIRENT_D_TYPE
        will redefine them wrongly because GLIBC does not define
        HAVE_STRUCT_DIRENT_D_TYPE.  Instead the patch check for each
        definition instead.

    Also, the patch requires additional globfree and globfree64 files for
    compatibility version on some architectures.

    Also the code simplification leads to not macro simplification (not need
    for NO_GLOB_PATTERN_P anymore).

    Checked on x86_64-linux-gnu and on a build using build-many-glibcs.py
    for all major architectures.

        [BZ #1062]
        * posix/Makefile (routines): Add globfree, globfree64, and
        glob_pattern_p.
        * posix/flexmember.h: New file.
        * posix/glob_internal.h: Likewise.
        * posix/glob_pattern_p.c: Likewise.
        * posix/globfree.c: Likewise.
        * posix/globfree64.c: Likewise.
        * sysdeps/gnu/globfree64.c: Likewise.
        * sysdeps/unix/sysv/linux/alpha/globfree.c: Likewise.
        * sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c: Likewise.
        * sysdeps/unix/sysv/linux/oldglob.c: Likewise.
        * sysdeps/unix/sysv/linux/wordsize-64/globfree64.c: Likewise.
        * sysdeps/unix/sysv/linux/x86_64/x32/globfree.c: Likewise.
        * sysdeps/wordsize-64/globfree.c: Likewise.
        * sysdeps/wordsize-64/globfree64.c: Likewise.
        * posix/glob.c (HAVE_CONFIG_H): Use !_LIBC instead.
        [NDEBUG): Remove comments.
        (GLOB_ONLY_P, _AMIGA, VMS): Remove define.
        (dirent_type): New type.  Use uint_fast8_t not
        uint8_t, as C99 does not require uint8_t.
        (DT_UNKNOWN, DT_DIR, DT_LNK): New macros.
        (struct readdir_result): Use dirent_type.  Do not define skip_entry
        unless it is needed; this saves a byte on platforms lacking d_ino.
        (readdir_result_type, readdir_result_skip_entry):
        New functions, replacing ...
        (readdir_result_might_be_symlink, readdir_result_might_be_dir):
        these functions, which were removed.  This makes the callers
        easier to read.  All callers changed.
        (D_INO_TO_RESULT): Now empty if there is no d_ino.
        (size_add_wrapv, glob_use_alloca): New static functions.
        (glob, glob_in_dir): Check for size_t overflow in several places,
        and fix some size_t checks that were not quite right.
        Remove old code using SHELL since Bash no longer uses this.
        (glob, prefix_array): Separate MS code better.
        (glob_in_dir): Remove old Amiga and VMS code.
        (globfree, __glob_pattern_type, __glob_pattern_p): Move to
        separate files.
        (glob_in_dir): Do not rely on undefined behavior in accessing
        struct members beyond their bounds.  Use a flexible array member
        instead
        (link_stat): Rename from link_exists2_p and return -1/0 instead of
        0/1.  Caller changed.
        (glob): Fix memory leaks.
        * posix/glob64 (globfree64): Move to separate file.
        * sysdeps/gnu/glob64.c (NO_GLOB_PATTERN_P): Remove define.
        (globfree64): Remove hidden alias.
        * sysdeps/unix/sysv/linux/Makefile (sysdeps_routines): Add
        oldglob.
        * sysdeps/unix/sysv/linux/alpha/glob.c (__new_globfree): Move to
        separate file.
        * sysdeps/unix/sysv/linux/i386/glob64.c (NO_GLOB_PATTERN_P):
        Remove define.  Move compat code to separate file.
        * sysdeps/wordsize-64/glob.c (globfree): Move definitions to
        separate file.

    (cherry picked from commit c66c908230169c1bab1f83b071eb585baa214b9f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89bf8ef2dba93e19385bf922fdcee87a97db768f

commit 89bf8ef2dba93e19385bf922fdcee87a97db768f
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Sun Aug 20 10:46:47 2017 -0700

    i386: Hide __old_glob64 [BZ #18822]

    Hide internal __old_glob64 function to allow direct access within
    libc.so and libc.a without using GOT nor PLT.

        [BZ #18822]
        * sysdeps/unix/sysv/linux/i386/glob64.c (__old_glob64): Add
        libc_hidden_proto and libc_hidden_def.

    (cherry picked from commit 2585d7b839559e665d5723734862fbe62264b25d)
    (cherry picked from commit 2b54f16a8a237a1f3e6f8b974cafda09ed75d292)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |  94 +++
 NEWS                                               |  13 +
 posix/Makefile                                     |  13 +-
 posix/flexmember.h                                 |  45 ++
 posix/glob.c                                       | 780 ++++++++++----------
 posix/glob64.c                                     |   6 -
 posix/glob_internal.h                              |  57 ++
 posix/glob_pattern_p.c                             |  33 +
 posix/globfree.c                                   |  41 +
 posix/globfree64.c                                 |  31 +
 posix/tst-glob-tilde.c                             | 143 ++++
 sysdeps/gnu/glob64.c                               |   3 -
 sysdeps/gnu/globfree64.c                           |  10 +
 sysdeps/unix/sysv/linux/Makefile                   |   2 +-
 sysdeps/unix/sysv/linux/alpha/glob.c               |   4 -
 sysdeps/unix/sysv/linux/alpha/globfree.c           |  37 +
 sysdeps/unix/sysv/linux/i386/glob64.c              |  36 +-
 .../unix/sysv/linux/mips/mips64/n64/globfree64.c   |   1 +
 sysdeps/unix/sysv/linux/oldglob.c                  |  42 ++
 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c   |   2 +
 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c      |   1 +
 sysdeps/wordsize-64/glob.c                         |   2 -
 sysdeps/wordsize-64/globfree.c                     |   5 +
 sysdeps/wordsize-64/globfree64.c                   |   1 +
 24 files changed, 941 insertions(+), 461 deletions(-)
 create mode 100644 posix/flexmember.h
 create mode 100644 posix/glob_internal.h
 create mode 100644 posix/glob_pattern_p.c
 create mode 100644 posix/globfree.c
 create mode 100644 posix/globfree64.c
 create mode 100644 posix/tst-glob-tilde.c
 create mode 100644 sysdeps/gnu/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/alpha/globfree.c
 create mode 100644 sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/oldglob.c
 create mode 100644 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree64.c
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.22/master has been updated
       via  49a0c33ead1b1eea5b414e9e2574a4fd96291203 (commit)
       via  d8b6b33f1d08642961aff14825c1fa6a0276ad49 (commit)
       via  42a2c81226c4fd4037aa90cbebf26bafc07b7072 (commit)
       via  3790ec0ca5b8cf5d317cd8d43f132ef88c52e824 (commit)
      from  017d97cd2ec0f626f8afb8c73ea3d612d8e844c3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=49a0c33ead1b1eea5b414e9e2574a4fd96291203

commit 49a0c33ead1b1eea5b414e9e2574a4fd96291203
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Sun Oct 22 10:00:57 2017 +0200

    glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]

    (cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d8b6b33f1d08642961aff14825c1fa6a0276ad49

commit d8b6b33f1d08642961aff14825c1fa6a0276ad49
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Oct 21 18:03:30 2017 +0200

    glob: Add new test tst-glob-tilde

    The new test checks for memory leaks (see bug 22325) and attempts to
    trigger the buffer overflow in bug 22320.

    (cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42a2c81226c4fd4037aa90cbebf26bafc07b7072

commit 42a2c81226c4fd4037aa90cbebf26bafc07b7072
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Fri Oct 20 18:41:14 2017 +0200

    CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320]

    (cherry picked from commit c369d66e5426a30e4725b100d5cd28e372754f90)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3790ec0ca5b8cf5d317cd8d43f132ef88c52e824

commit 3790ec0ca5b8cf5d317cd8d43f132ef88c52e824
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Mon Sep 4 14:53:38 2017 -0300

    posix: Sync glob with gnulib [BZ #1062]

    This patch syncs posix/glob.c implementation with gnulib version b5ec983
    (glob: simplify symlink detection).  The only difference to gnulib code is

      * DT_UNKNOWN, DT_DIR, and DT_LNK definition in the case there were not
        already defined.  Gnulib code which uses HAVE_STRUCT_DIRENT_D_TYPE
        will redefine them wrongly because GLIBC does not define
        HAVE_STRUCT_DIRENT_D_TYPE.  Instead the patch check for each
        definition instead.

    Also, the patch requires additional globfree and globfree64 files for
    compatibility version on some architectures.

    Also the code simplification leads to not macro simplification (not need
    for NO_GLOB_PATTERN_P anymore).

    Checked on x86_64-linux-gnu and on a build using build-many-glibcs.py
    for all major architectures.

        [BZ #1062]
        * posix/Makefile (routines): Add globfree, globfree64, and
        glob_pattern_p.
        * posix/flexmember.h: New file.
        * posix/glob_internal.h: Likewise.
        * posix/glob_pattern_p.c: Likewise.
        * posix/globfree.c: Likewise.
        * posix/globfree64.c: Likewise.
        * sysdeps/gnu/globfree64.c: Likewise.
        * sysdeps/unix/sysv/linux/alpha/globfree.c: Likewise.
        * sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c: Likewise.
        * sysdeps/unix/sysv/linux/oldglob.c: Likewise.
        * sysdeps/unix/sysv/linux/wordsize-64/globfree64.c: Likewise.
        * sysdeps/unix/sysv/linux/x86_64/x32/globfree.c: Likewise.
        * sysdeps/wordsize-64/globfree.c: Likewise.
        * sysdeps/wordsize-64/globfree64.c: Likewise.
        * posix/glob.c (HAVE_CONFIG_H): Use !_LIBC instead.
        [NDEBUG): Remove comments.
        (GLOB_ONLY_P, _AMIGA, VMS): Remove define.
        (dirent_type): New type.  Use uint_fast8_t not
        uint8_t, as C99 does not require uint8_t.
        (DT_UNKNOWN, DT_DIR, DT_LNK): New macros.
        (struct readdir_result): Use dirent_type.  Do not define skip_entry
        unless it is needed; this saves a byte on platforms lacking d_ino.
        (readdir_result_type, readdir_result_skip_entry):
        New functions, replacing ...
        (readdir_result_might_be_symlink, readdir_result_might_be_dir):
        these functions, which were removed.  This makes the callers
        easier to read.  All callers changed.
        (D_INO_TO_RESULT): Now empty if there is no d_ino.
        (size_add_wrapv, glob_use_alloca): New static functions.
        (glob, glob_in_dir): Check for size_t overflow in several places,
        and fix some size_t checks that were not quite right.
        Remove old code using SHELL since Bash no longer uses this.
        (glob, prefix_array): Separate MS code better.
        (glob_in_dir): Remove old Amiga and VMS code.
        (globfree, __glob_pattern_type, __glob_pattern_p): Move to
        separate files.
        (glob_in_dir): Do not rely on undefined behavior in accessing
        struct members beyond their bounds.  Use a flexible array member
        instead
        (link_stat): Rename from link_exists2_p and return -1/0 instead of
        0/1.  Caller changed.
        (glob): Fix memory leaks.
        * posix/glob64 (globfree64): Move to separate file.
        * sysdeps/gnu/glob64.c (NO_GLOB_PATTERN_P): Remove define.
        (globfree64): Remove hidden alias.
        * sysdeps/unix/sysv/linux/Makefile (sysdeps_routines): Add
        oldglob.
        * sysdeps/unix/sysv/linux/alpha/glob.c (__new_globfree): Move to
        separate file.
        * sysdeps/unix/sysv/linux/i386/glob64.c (NO_GLOB_PATTERN_P):
        Remove define.  Move compat code to separate file.
        * sysdeps/wordsize-64/glob.c (globfree): Move definitions to
        separate file.

    (cherry picked from commit c66c908230169c1bab1f83b071eb585baa214b9f)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |  80 ++
 NEWS                                               |   9 +
 posix/Makefile                                     |  14 +-
 posix/flexmember.h                                 |  45 ++
 posix/glob.c                                       | 785 ++++++++++----------
 posix/glob64.c                                     |   6 -
 posix/glob_internal.h                              |  57 ++
 posix/glob_pattern_p.c                             |  33 +
 posix/globfree.c                                   |  41 +
 posix/globfree64.c                                 |  31 +
 posix/tst-glob-tilde.c                             | 136 ++++
 sysdeps/gnu/glob64.c                               |   3 -
 sysdeps/gnu/globfree64.c                           |  10 +
 sysdeps/unix/sysv/linux/Makefile                   |   2 +-
 sysdeps/unix/sysv/linux/alpha/glob.c               |   4 -
 sysdeps/unix/sysv/linux/alpha/globfree.c           |  37 +
 sysdeps/unix/sysv/linux/i386/glob64.c              |  36 +-
 .../unix/sysv/linux/mips/mips64/n64/globfree64.c   |   1 +
 sysdeps/unix/sysv/linux/oldglob.c                  |  42 +
 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c   |   2 +
 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c      |   1 +
 sysdeps/wordsize-64/glob.c                         |   2 -
 sysdeps/wordsize-64/globfree.c                     |   5 +
 sysdeps/wordsize-64/globfree64.c                   |   1 +
 24 files changed, 917 insertions(+), 466 deletions(-)
 create mode 100644 posix/flexmember.h
 create mode 100644 posix/glob_internal.h
 create mode 100644 posix/glob_pattern_p.c
 create mode 100644 posix/globfree.c
 create mode 100644 posix/globfree64.c
 create mode 100644 posix/tst-glob-tilde.c
 create mode 100644 sysdeps/gnu/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/alpha/globfree.c
 create mode 100644 sysdeps/unix/sysv/linux/mips/mips64/n64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/oldglob.c
 create mode 100644 sysdeps/unix/sysv/linux/wordsize-64/globfree64.c
 create mode 100644 sysdeps/unix/sysv/linux/x86_64/x32/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree.c
 create mode 100644 sysdeps/wordsize-64/globfree64.c