Bug 25414 (CVE-2020-1752) - 'glob' use-after-free bug (CVE-2020-1752)
Summary: 'glob' use-after-free bug (CVE-2020-1752)
Status: RESOLVED FIXED
Alias: CVE-2020-1752
Product: glibc
Classification: Unclassified
Component: glob
Version: 2.30
Importance: P2 normal
Target Milestone: 2.32
Assignee: Not yet assigned to anyone
Reported: 2020-01-17 19:44 UTC by eggert
Modified: 2020-03-20 21:23 UTC
CC List: 6 users

carlos: security+


Attachments
patch for use-after-free bug in 'glob' (971 bytes, patch)
2020-01-17 19:44 UTC, eggert
simpler patch for use-after-free bug in glob (920 bytes, patch)
2020-01-17 21:08 UTC, Bruno Haible

Description eggert 2020-01-17 19:44:50 UTC
Created attachment 12218
patch for use-after-free bug in 'glob'

There's a use-after-free bug in 'glob', reported against Gnulib here:

https://lists.gnu.org/r/bug-gnulib/2020-01/msg00102.html

Proposed (but untested) glibc patch attached.
Comment 1 Bruno Haible 2020-01-17 21:08:05 UTC
Created attachment 12219
simpler patch for use-after-free bug in glob

The attached patch fixes the same bug, and is a little simpler.
Comment 2 Bruno Haible 2020-01-17 21:10:09 UTC
Explanation of the bug:
  - end_name is part of dirname,
  - dirname is freed,
  - after dirname is freed, the code still accesses end_name.

The fix is to store the dirname to be freed in a different variable, and free it a bit later, after the code has finished looking at end_name.
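To make the explanation above concrete, here is an added example; it is not glibc's glob code and not either of the attached patches. It models the `~user` expansion step with a constructed passwd table (`lookup_home`), shows the vulnerable ordering (`expand_tilde_user_buggy`) that frees `dirname` while `end_name` still points into it, and the corrected ordering (`expand_tilde_user_fixed`) that parks the block in a separate `to_free` variable and releases it only after the last read through `end_name`. All function names, the table contents and the sample patterns are assumptions for illustration; the buggy function is compiled only for contrast and is never called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the passwd lookup glob performs for "~user":
   maps a user name (length given, not NUL-terminated) to a home directory.
   Returns NULL for unknown users. */
const char *lookup_home(const char *user, size_t user_len)
{
    static const struct { const char *name; const char *home; } table[] = {
        { "alice", "/home/alice" },
        { "bob",   "/srv/bob" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strlen(table[i].name) == user_len
            && memcmp(table[i].name, user, user_len) == 0)
            return table[i].home;
    return NULL;
}

/* Heap copy of a string (strdup is not ISO C, so it is spelled out here). */
char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* VULNERABLE ordering, mirroring the defect described in Comment 2.
   `dirname' is a heap block this function owns (the malloc_dirname case).
   `end_name' points INTO that block, so freeing dirname before the last
   use of end_name is a use-after-free.  Never call this; it exists only
   to contrast with the fixed version below. */
char *expand_tilde_user_buggy(char *dirname)
{
    const char *end_name = strchr(dirname + 1, '/');   /* rest after "~user" */
    if (end_name == NULL)
        end_name = dirname + strlen(dirname);            /* pattern is just "~user" */
    const char *home = lookup_home(dirname + 1, (size_t)(end_name - (dirname + 1)));
    if (home == NULL) {
        free(dirname);
        return NULL;
    }
    free(dirname);                        /* BUG: end_name still points in here */
    size_t home_len = strlen(home);
    size_t rest_len = strlen(end_name) + 1;          /* reads freed memory */
    char *newp = malloc(home_len + rest_len);
    if (newp == NULL)
        return NULL;
    memcpy(newp, home, home_len);
    memcpy(newp + home_len, end_name, rest_len);     /* reads freed memory */
    return newp;
}

/* FIXED ordering: keep the block in a separate variable and free it only
   after the last read through end_name, which is what the glibc fix does. */
char *expand_tilde_user_fixed(char *dirname)
{
    char *to_free = dirname;              /* released at the very end, not earlier */
    const char *end_name = strchr(dirname + 1, '/');
    if (end_name == NULL)
        end_name = dirname + strlen(dirname);
    const char *home = lookup_home(dirname + 1, (size_t)(end_name - (dirname + 1)));
    char *newp = NULL;
    if (home != NULL) {
        size_t home_len = strlen(home);
        size_t rest_len = strlen(end_name) + 1;      /* dirname still live */
        newp = malloc(home_len + rest_len);
        if (newp != NULL) {
            memcpy(newp, home, home_len);
            memcpy(newp + home_len, end_name, rest_len);  /* dirname still live */
        }
    }
    free(to_free);                        /* last use of end_name is behind us */
    return newp;
}

int main(void)
{
    /* Constructed sample patterns: a known user with a suffix, a bare ~user,
       and an unknown user. */
    const char *patterns[] = { "~alice/src/*.c", "~bob", "~carol/x" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        char *d = dup_string(patterns[i]);
        if (d == NULL)
            return 1;
        char *expanded = expand_tilde_user_fixed(d);
        printf("%-16s -> %s\n", patterns[i], expanded ? expanded : "(unknown user)");
        free(expanded);
    }
    return 0;
}
```

The two functions differ only in where `free` sits; that is the whole fix. Building with AddressSanitizer (`-fsanitize=address`) and calling the buggy variant reports a heap-use-after-free at the `strlen`/`memcpy` lines, which is the cheapest regression check for this class of defect.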
Comment 3 cvs-commit@gcc.gnu.org 2020-02-20 09:50:25 UTC
The master branch has been updated by Andreas Schwab <schwab@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c

commit ddc650e9b3dc916eab417ce9f79e67337b05035c
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)
    
    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.
Comment 4 Andreas Schwab 2020-02-20 10:07:15 UTC
Fixed in 2.31.
Comment 5 Andreas Schwab 2020-02-20 10:22:19 UTC
Fixed in 2.32.
Comment 6 Carlos O'Donell 2020-03-04 20:14:41 UTC
It is a security issue that the glob function has a use-after-free. Marking security+.
Comment 7 Florian Weimer 2020-03-13 06:46:46 UTC
How exploitable is this bug in glibc, given its tendency to use alloca for these allocations? Even with a huge user home directory (which needs malloc), the previous string seems to be allocated on the stack.

I've confirmed that the bug goes back at least as far as glibc 2.19.
Comment 8 Florian Weimer 2020-03-13 07:32:45 UTC
I bisected this bug down to:

commit f2962a71959fd254a7a223437ca4b63b9e81130c
Author: Ulrich Drepper <drepper@gmail.com>
Date:   Sun May 22 23:04:16 2011 -0400

    Add a few more alloca size checks

It went into glibc 2.14.
Comment 9 cvs-commit@gcc.gnu.org 2020-03-18 00:23:54 UTC
The release/2.31/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ab029a2801d4ddfeade8f64a6e46ee7e47fde710

commit ab029a2801d4ddfeade8f64a6e46ee7e47fde710
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)
    
    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.
    
    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
Comment 10 cvs-commit@gcc.gnu.org 2020-03-18 01:40:54 UTC
The release/2.30/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=da97c6b88eb03fb834e92964b0895c2ac8d61f63

commit da97c6b88eb03fb834e92964b0895c2ac8d61f63
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)
    
    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.
    
    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
Comment 11 cvs-commit@gcc.gnu.org 2020-03-18 02:33:27 UTC
The release/2.29/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9aaebaf805f24ae10e0bfad332d6d5eabd58c451

commit 9aaebaf805f24ae10e0bfad332d6d5eabd58c451
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)
    
    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.
    
    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
Comment 12 cvs-commit@gcc.gnu.org 2020-03-19 21:53:07 UTC
The master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=39a05214fe14ff722d4d92e697fb71ff15e84e70

commit 39a05214fe14ff722d4d92e697fb71ff15e84e70
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)
Comment 13 cvs-commit@gcc.gnu.org 2020-03-19 22:07:59 UTC
The release/2.31/master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3937f6806d9de4bbd25ff6e6dc4df8f47ad47573

commit 3937f6806d9de4bbd25ff6e6dc4df8f47ad47573
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)
    
    (cherry picked from commit 39a05214fe14ff722d4d92e697fb71ff15e84e70)
Comment 14 cvs-commit@gcc.gnu.org 2020-03-19 22:13:31 UTC
The release/2.30/master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6b11f60c700c9b50aba1a7f123411add5ade733c

commit 6b11f60c700c9b50aba1a7f123411add5ade733c
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)
    
    (cherry picked from commit 39a05214fe14ff722d4d92e697fb71ff15e84e70)
Comment 15 cvs-commit@gcc.gnu.org 2020-03-20 21:02:27 UTC
The release/2.28/master branch has been updated by Tulio Magno Quites Machado Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=21344a3d62a29406fddeec069ee4eb3c341369f9

commit 21344a3d62a29406fddeec069ee4eb3c341369f9
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)
    
    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.
    
    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
Comment 16 cvs-commit@gcc.gnu.org 2020-03-20 21:23:14 UTC
The release/2.26/master branch has been updated by Tulio Magno Quites Machado Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a

commit 263e6175999bc7f5adb8b32fd12fcfae3f0bb05a
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)
    
    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.
    
    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c with
     changes from commit d711a00f93fa964f41a53839228598fbf1a6b482)