Bug 31198 - realpath allocates a buffer that may not fit a full path
Status: RESOLVED INVALID
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.36
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2023-12-30 00:36 UTC by Ethan Lee
Modified: 2023-12-30 00:46 UTC

Attachments
Patch to replace strdup with malloc(PATH_MAX) (939 bytes, text/plain)
2023-12-30 00:36 UTC, Ethan Lee

Description Ethan Lee 2023-12-30 00:36:38 UTC
Created attachment 15273
Patch to replace strdup with malloc(PATH_MAX)

Consider the following example:

  extern char *somepath;
  char *path = realpath(somepath, NULL);
  strcat(path, "/");

It is common to append directory separators to paths, but when realpath allocates the buffer the size cannot be determined from the outside. While the application can provide its own buffer, it is reasonable for an application to assume that a path buffer will be able to fit a full path string even if it gets modified after the call is made. As a result, modifications to the strdup'd return value may result in a buffer overwrite.

A good replacement for the strdup allocation in realpath would be to always allocate a buffer of PATH_MAX size, regardless of the realpath size, so that modifications to the return value will always fit. I've attached a patch that does this.

This would fix a crash in the Steamworks SDK, which prior to 2017 always assumed that the buffer returned by realpath had room to append a directory separator to the end.
Comment 1 Andreas Schwab 2023-12-30 00:46:52 UTC
Just use realloc.
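
The approach Comment 1 names, written out as an added example that is not part of the bug thread, the attached patch, or glibc: the caller grows the buffer returned by `realpath(path, NULL)` with `realloc` before appending the separator. `realpath_with_slash` is a hypothetical helper name chosen for this illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* declares realpath() under strict -std= modes */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a glibc API): resolve `path` and return it with
 * a trailing '/'. The caller frees the result. Returns NULL on failure,
 * with errno set by realpath() or realloc(). */
char *realpath_with_slash(const char *path)
{
    /* The buffer realpath() allocates is only guaranteed to hold the
     * resolved string and its NUL; no spare room may be assumed. */
    char *resolved = realpath(path, NULL);
    if (resolved == NULL)
        return NULL;

    size_t len = strlen(resolved);

    /* After resolution only the root "/" already ends in a separator. */
    if (len > 0 && resolved[len - 1] == '/')
        return resolved;

    /* Grow to hold the string, one '/' and the terminating NUL. */
    char *grown = realloc(resolved, len + 2);
    if (grown == NULL) {
        free(resolved);   /* on failure realloc leaves the old block valid */
        return NULL;
    }
    grown[len] = '/';
    grown[len + 1] = '\0';
    return grown;
}

int main(void)
{
    char *p = realpath_with_slash(".");
    if (p == NULL) {
        perror("realpath_with_slash");
        return 1;
    }
    puts(p);
    free(p);
    return 0;
}
```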