[newlib-cygwin/cygwin-3_5-branch] Cygwin: check_dir_not_empty: Avoid leaving the allocated buffer.

Corinna Vinschen corinna@sourceware.org
Tue Nov 19 10:29:06 GMT 2024


https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=22474a6e5d134407db3951e65c5b89a4bd700580

commit 22474a6e5d134407db3951e65c5b89a4bd700580
Author:     Bernhard Übelacker <bernhardu@mailbox.org>
AuthorDate: Sat Nov 16 18:09:50 2024 +0100
Commit:     Corinna Vinschen <corinna@vinschen.de>
CommitDate: Tue Nov 19 11:28:27 2024 +0100

    Cygwin: check_dir_not_empty: Avoid leaving the allocated buffer.
    
    The pointer pfni gets the allocated buffer at the beginning,
    and is used in the NtQueryDirectoryFile call before the loops.
    In the loop the pointer pfni is also used as an iterator.
    Therefore it no longer holds the initial buffer at the call
    to NtQueryDirectoryFile in the while condition at the bottom.
    
    Fixes: 28fa2a72f8106 ("* syscalls.cc (check_dir_not_empty): Check surplus directory entries")
    Co-authored-by: Corinna Vinschen <corinna@vinschen.de>
    Signed-off-by: Bernhard Übelacker <bernhardu@mailbox.org>
    (cherry picked from commit dbb8069df56cb68ea1167b3bc0ceb66fa6c35d3f)

Diff:
---
 winsup/cygwin/release/3.5.5 |  3 +++
 winsup/cygwin/syscalls.cc   | 10 ++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/winsup/cygwin/release/3.5.5 b/winsup/cygwin/release/3.5.5
index 2ca4572db7ed..3088f8682b6b 100644
--- a/winsup/cygwin/release/3.5.5
+++ b/winsup/cygwin/release/3.5.5
@@ -33,3 +33,6 @@ Fixes:
 
 - Fix type of pthread_sigqueue() first parameter to match Linux.
   Addresses: https://cygwin.com/pipermail/cygwin/2024-September/256439.html
+
+- Fix potential stack corruption in rmdir() in a border case.
+  Addresses: https://cygwin.com/pipermail/cygwin/2024-November/256774.html
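Review bot: "in a border case" could be spelled out in one clause so that users searching the release notes for symptoms can match it: the corruption needs check_dir_not_empty() to reach its second NtQueryDirectoryFile call (the one in the do/while condition), because only that call receives the pointer that the entry walk has already advanced. Something like "- Fix potential stack corruption in rmdir() when the directory listing needs a second NtQueryDirectoryFile call." keeps the entry short and still tells the reader what was affected.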
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
index 9d88b60b0f92..1d9308ef46cb 100644
--- a/winsup/cygwin/syscalls.cc
+++ b/winsup/cygwin/syscalls.cc
@@ -617,9 +617,10 @@ check_dir_not_empty (HANDLE dir, path_conv &pc)
   IO_STATUS_BLOCK io;
   const ULONG bufsiz = 3 * sizeof (FILE_NAMES_INFORMATION)
 		       + 3 * NAME_MAX * sizeof (WCHAR);
-  PFILE_NAMES_INFORMATION pfni = (PFILE_NAMES_INFORMATION)
-				 alloca (bufsiz);
-  NTSTATUS status = NtQueryDirectoryFile (dir, NULL, NULL, 0, &io, pfni,
+  PFILE_NAMES_INFORMATION pfni_buf = (PFILE_NAMES_INFORMATION)
+				     alloca (bufsiz);
+  PFILE_NAMES_INFORMATION pfni;
+  NTSTATUS status = NtQueryDirectoryFile (dir, NULL, NULL, 0, &io, pfni_buf,
 					  bufsiz, FileNamesInformation,
 					  FALSE, NULL, TRUE);
   if (!NT_SUCCESS (status))
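Review bot: the new `PFILE_NAMES_INFORMATION pfni;` is left uninitialized here and is only assigned at the top of the do-loop body further down; that is correct as the code stands, but initializing it at the point of allocation (`PFILE_NAMES_INFORMATION pfni = pfni_buf;`) or declaring it inside the loop would make the base/iterator split visible where the buffer is created and keep a later reordering from reading it before assignment. The substantive part of the hunk is right: the first NtQueryDirectoryFile now receives the alloca'd base `pfni_buf`, which is the region `bufsiz` actually describes.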
@@ -631,6 +632,7 @@ check_dir_not_empty (HANDLE dir, path_conv &pc)
   int cnt = 1;
   do
     {
+      pfni = pfni_buf;
       while (pfni->NextEntryOffset)
 	{
 	  if (++cnt > 2)
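Review bot: `pfni = pfni_buf;` at the top of the do-body is the right spot, since the refill in the while condition writes from the start of the buffer and every walk must restart there too, and it also covers the very first pass. A one-line comment on it ("pfni walks the entries; pfni_buf stays the buffer base for the refill below") would help, because the query that depends on this reset is some forty lines further down and the two names differ only by a suffix.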
@@ -677,7 +679,7 @@ check_dir_not_empty (HANDLE dir, path_conv &pc)
 	  pfni = (PFILE_NAMES_INFORMATION) ((caddr_t) pfni + pfni->NextEntryOffset);
 	}
     }
-  while (NT_SUCCESS (NtQueryDirectoryFile (dir, NULL, NULL, 0, &io, pfni,
+  while (NT_SUCCESS (NtQueryDirectoryFile (dir, NULL, NULL, 0, &io, pfni_buf,
 					   bufsiz, FileNamesInformation,
 					   FALSE, NULL, FALSE)));
   return STATUS_SUCCESS;
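Review bot: this is the write that produced the stack corruption named in the release note: before the change the refill received `pfni`, which after the inner walk rests on the last entry of the previous fill, together with the full `bufsiz`, so the callee was permitted to write that entry's offset worth of bytes past the end of the alloca'd buffer; handing it `pfni_buf` closes that. One pre-existing point worth a follow-up rather than a change here: any non-success status from this refill, not only STATUS_NO_MORE_FILES, terminates the loop, after which the function returns STATUS_SUCCESS, so an unexpected error from the second query is reported as "directory empty". If that is intended it deserves a comment; if not, the status should be checked the same way the first call's is.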


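As an added illustration of the bug class this commit fixes, the following C program models the two-pointer pattern in miniature. It is written for this page and is not Cygwin's code: the `rec_t` record, the `fake_query` stand-in for NtQueryDirectoryFile, the record alignment and the sample listing are all assumptions. `count_entries_fixed` walks the records the way the patched `check_dir_not_empty` does (base pointer for every query, iterator reset before each walk); `stale_pointer_overrun` reproduces the pre-fix arithmetic and reports how far past the buffer a refill handed the advanced iterator could write, without performing that write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for FILE_NAMES_INFORMATION: variable-length records
 * chained by NextEntryOffset; the last record of a fill has offset 0. */
typedef struct {
    uint32_t NextEntryOffset;
    uint32_t FileNameLength;    /* in bytes */
    char     FileName[];        /* not NUL-terminated */
} rec_t;

#define REC_ALIGN 8u
#define ALIGN_UP(n) (((n) + REC_ALIGN - 1) & ~(size_t)(REC_ALIGN - 1))
#define BUF_MAX 256u

/* Constructed listing; a real directory always yields "." and ".." first. */
static const char *const kNames[] = { ".", "..", "file1", "file2", "file3", "file4" };
#define kNameCount ((unsigned)(sizeof kNames / sizeof kNames[0]))

/* Hypothetical replacement for NtQueryDirectoryFile: copies as many records
 * as fit into [buf, buf + bufsiz), starting at listing index *pos, and
 * advances *pos.  Returns the number of records written, 0 when the listing
 * is exhausted.  Like the real call it trusts that buf really spans bufsiz
 * bytes, which is the contract the pre-fix Cygwin code broke. */
static unsigned fake_query(unsigned *pos, void *buf, size_t bufsiz)
{
    size_t used = 0;
    unsigned written = 0;
    rec_t *prev = NULL;

    while (*pos < kNameCount) {
        size_t len  = strlen(kNames[*pos]);
        size_t need = ALIGN_UP(offsetof(rec_t, FileName) + len);
        if (used + need > bufsiz)
            break;
        rec_t *r = (rec_t *)((char *)buf + used);
        r->NextEntryOffset = 0;
        r->FileNameLength  = (uint32_t)len;
        memcpy(r->FileName, kNames[*pos], len);
        if (prev)
            prev->NextEntryOffset = (uint32_t)((char *)r - (char *)prev);
        prev = r;
        used += need;
        ++written;
        ++*pos;
    }
    return written;
}

/* The corrected two-pointer walk: `base` (Cygwin's pfni_buf) is what every
 * query receives, `it` (Cygwin's pfni) is reset to base before each walk.
 * Returns the total number of records seen across all fills. */
static unsigned count_entries_fixed(size_t bufsiz)
{
    _Alignas(8) char buf[BUF_MAX];      /* stands in for the alloca'd buffer */
    unsigned pos = 0, cnt = 0;
    rec_t *base = (rec_t *)buf, *it;

    if (bufsiz > sizeof buf)
        return 0;
    while (fake_query(&pos, base, bufsiz)) {
        it = base;
        for (;;) {
            ++cnt;
            if (!it->NextEntryOffset)
                break;
            it = (rec_t *)((char *)it + it->NextEntryOffset);
        }
    }
    return cnt;
}

/* Models the pre-fix defect without performing the bad write: after the
 * first walk the iterator rests on the last record of the fill, and the
 * refill was handed that stale pointer together with the full bufsiz.
 * Returns how many bytes past the end of the real buffer such a refill may
 * legitimately write; 0 means the first fill held a single record, so the
 * stale pointer still equals the base. */
static size_t stale_pointer_overrun(size_t bufsiz)
{
    _Alignas(8) char buf[BUF_MAX];
    unsigned pos = 0;
    rec_t *base = (rec_t *)buf, *it = base;

    if (bufsiz > sizeof buf || !fake_query(&pos, base, bufsiz))
        return 0;
    while (it->NextEntryOffset)
        it = (rec_t *)((char *)it + it->NextEntryOffset);
    /* A refill writing bufsiz bytes from `it` ends at it + bufsiz, which is
     * (it - base) bytes beyond base + bufsiz. */
    return (size_t)((char *)it - (char *)base);
}

int main(void)
{
    printf("48-byte buffer: %u entries, stale-pointer overrun %zu bytes\n",
           count_entries_fixed(48), stale_pointer_overrun(48));
    printf("16-byte buffer: %u entries, stale-pointer overrun %zu bytes\n",
           count_entries_fixed(16), stale_pointer_overrun(16));
    return 0;
}
```

With the assumed 16-byte records, a 48-byte buffer holds three entries per fill, so the stale iterator sits 32 bytes into the buffer and a refill through it may write 32 bytes past the end; with a 16-byte buffer each fill holds one record, the iterator never moves, and the bug is invisible. That is why the defect only showed up as a border case: the overrun grows with the number of entries that fit into one fill, and it is zero whenever a fill holds a single record.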