Created attachment 12218
patch for use-after-free bug in 'glob'

There's a use-after-free bug in 'glob', reported against Gnulib here:
https://lists.gnu.org/r/bug-gnulib/2020-01/msg00102.html

Proposed (but untested) glibc patch attached.
Created attachment 12219
simpler patch for use-after-free bug in glob

The attached patch fixes the same bug, and is a little simpler.
Explanation of the bug:
- end_name is part of dirname,
- dirname is freed,
- after dirname is freed, the code still accesses end_name.

The fix is to store the dirname to be freed in a different variable, and free it a bit later, after the code has finished looking at end_name.
The master branch has been updated by Andreas Schwab <schwab@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c

commit ddc650e9b3dc916eab417ce9f79e67337b05035c
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.
Fixed in 2.31.
Fixed in 2.32.
It is a security issue that the glob function has a use-after-free. Marking security+.
How exploitable is this bug in glibc, given its tendency to use alloca for these allocations? Even with a huge user home directory (which needs malloc), the previous string seems to be allocated on the stack.

I've confirmed that the bug goes back at least as far as glibc 2.19.
I bisected this bug down to:

commit f2962a71959fd254a7a223437ca4b63b9e81130c
Author: Ulrich Drepper <drepper@gmail.com>
Date:   Sun May 22 23:04:16 2011 -0400

    Add a few more alloca size checks

It went into glibc 2.14.
The release/2.31/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ab029a2801d4ddfeade8f64a6e46ee7e47fde710

commit ab029a2801d4ddfeade8f64a6e46ee7e47fde710
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
The release/2.30/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=da97c6b88eb03fb834e92964b0895c2ac8d61f63

commit da97c6b88eb03fb834e92964b0895c2ac8d61f63
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
The release/2.29/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9aaebaf805f24ae10e0bfad332d6d5eabd58c451

commit 9aaebaf805f24ae10e0bfad332d6d5eabd58c451
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
The master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=39a05214fe14ff722d4d92e697fb71ff15e84e70

commit 39a05214fe14ff722d4d92e697fb71ff15e84e70
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)
The release/2.31/master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3937f6806d9de4bbd25ff6e6dc4df8f47ad47573

commit 3937f6806d9de4bbd25ff6e6dc4df8f47ad47573
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)

    (cherry picked from commit 39a05214fe14ff722d4d92e697fb71ff15e84e70)
The release/2.30/master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6b11f60c700c9b50aba1a7f123411add5ade733c

commit 6b11f60c700c9b50aba1a7f123411add5ade733c
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Thu Mar 19 22:53:00 2020 +0100

    Add NEWS entry for CVE-2020-1752 (bug 25414)

    (cherry picked from commit 39a05214fe14ff722d4d92e697fb71ff15e84e70)
The release/2.28/master branch has been updated by Tulio Magno Quites Machado Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=21344a3d62a29406fddeec069ee4eb3c341369f9

commit 21344a3d62a29406fddeec069ee4eb3c341369f9
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
The release/2.26/master branch has been updated by Tulio Magno Quites Machado Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a

commit 263e6175999bc7f5adb8b32fd12fcfae3f0bb05a
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Feb 19 17:21:46 2020 +0100

    Fix use-after-free in glob when expanding ~user (bug 25414)

    The value of `end_name' points into the value of `dirname', thus don't
    deallocate the latter before the last use of the former.

    (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c
    with changes from commit d711a00f93fa964f41a53839228598fbf1a6b482)