[newlib-cygwin] Cygwin: cygwin_conv_path: don't write to `to` before size is validated.

Takashi Yano tyan0@sourceware.org
Fri May 2 12:35:53 GMT 2025 

https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=5dd3d58c02924b4b98b200c81c6c6d9fd5d9312a

commit 5dd3d58c02924b4b98b200c81c6c6d9fd5d9312a
Author: Jeremy Drake via Cygwin-patches <cygwin-patches@cygwin.com>
Date:   Tue Apr 29 10:42:58 2025 -0700

    Cygwin: cygwin_conv_path: don't write to `to` before size is validated.
    
    In the CCP_POSIX_TO_WIN_W path, when `from` is a device,
    cygwin_conv_path would attempt to write to the `to` buffer before the
    validation of the `size`.  This resulted in an EFAULT error in the
    common use-case of passing `to` as NULL and `size` as 0 to get the
    required size of `to` for the conversion (as used in
    cygwin_create_path).  Instead, set a boolean and write to `to`
    after validation.
    
    Fixes: 43f65cdd7dae ("* Makefile.in (DLL_OFILES): Add fhandler_procsys.o.")
    Addresses: https://cygwin.com/pipermail/cygwin/2025-April/258068.html
    Signed-off-by: Jeremy Drake <cygwin@jdrake.com>

Diff:
---
 winsup/cygwin/path.cc       | 5 ++++-
 winsup/cygwin/release/3.6.2 | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/winsup/cygwin/path.cc b/winsup/cygwin/path.cc
index 7a08e978a..d26f99ee7 100644
--- a/winsup/cygwin/path.cc
+++ b/winsup/cygwin/path.cc
@@ -3911,6 +3911,7 @@ cygwin_conv_path (cygwin_conv_path_t what, const void *from, void *to,
   int how = what & CCP_CONVFLAGS_MASK;
   what &= CCP_CONVTYPE_MASK;
   int ret = -1;
+  bool prependglobalroot = false;
 
   __try
     {
@@ -4019,7 +4020,7 @@ cygwin_conv_path (cygwin_conv_path_t what, const void *from, void *to,
 	    {
 	      /* Device name points to somewhere else in the NT namespace.
 		 Use GLOBALROOT prefix to convert to Win32 path. */
-	      to = (void *) wcpcpy ((wchar_t *) to, ro_u_globalroot.Buffer);
+	      prependglobalroot = true;
 	      lsiz += ro_u_globalroot.Length / sizeof (WCHAR);
 	    }
 	  /* TODO: Same ".\\" band-aid as in CCP_POSIX_TO_WIN_A case. */
@@ -4075,6 +4076,8 @@ cygwin_conv_path (cygwin_conv_path_t what, const void *from, void *to,
 	  stpcpy ((char *) to, buf);
 	  break;
 	case CCP_POSIX_TO_WIN_W:
+	  if (prependglobalroot)
+	    to = (void *) wcpcpy ((PWCHAR) to, ro_u_globalroot.Buffer);
 	  wcpcpy ((PWCHAR) to, path);
 	  break;
 	}
diff --git a/winsup/cygwin/release/3.6.2 b/winsup/cygwin/release/3.6.2
index bceabcab3..de6eae13f 100644
--- a/winsup/cygwin/release/3.6.2
+++ b/winsup/cygwin/release/3.6.2
@@ -13,3 +13,6 @@ Fixes:
 
 - Fix setting DOS attributes on devices.
   Addresse: https://cygwin.com/pipermail/cygwin/2025-April/257940.html
+
+- Fix cygwin_conv_path writing to 'to' pointer before size is checked.
+  Addresses: https://cygwin.com/pipermail/cygwin/2025-April/258068.html

More information about the Cygwin-cvs mailing list