wok-4.x view glibc/stuff/patches/glibc-2.22-CVE-2018-11236.patch @ rev 12476

Up glibc (2.22) with CVE patchs
author Stanislas Leduc <shann@slitaz.org>
date Wed Mar 15 11:41:38 2023 +0000 (16 months ago)
1 Based on:
2 https://sourceware.org/bugzilla/show_bug.cgi?id=22786
3 https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=af7519f7b35024224c163e32a89fb247b0c446fc
5 From af7519f7b35024224c163e32a89fb247b0c446fc Mon Sep 17 00:00:00 2001
6 From: Paul Pluzhnikov <ppluzhnikov@google.com>
7 Date: Tue, 8 May 2018 18:12:41 -0700
8 Subject: [PATCH] Fix path length overflow in realpath [BZ #22786]
10 Integer addition overflow may cause stack buffer overflow
11 when realpath() input length is close to SSIZE_MAX.
12 ---
13 stdlib/Makefile | 2 +-
14 stdlib/canonicalize.c | 2 +-
15 stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++
16 3 files changed, 92 insertions(+), 2 deletions(-)
17 create mode 100644 stdlib/test-bz22786.c
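--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -75,7 +75,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \
 tst-makecontext3 bug-getcontext bug-fmtmsg1 \
 tst-secure-getenv tst-strtod-overflow tst-strtod-round \
 tst-tininess tst-strtod-underflow tst-tls-atexit \
- tst-setcontext3 tst-tls-atexit-nodelete
+ tst-setcontext3 tst-tls-atexit-nodelete test-bz22786
 tests-static := tst-secure-getenv
 modules-names = tst-tls-atexit-lib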
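--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
 extra_buf = __alloca (path_max);
 len = strlen (end);
- if ((long int) (n + len) >= path_max)
+ if (path_max - n <= len)
 {
 __set_errno (ENAMETOOLONG);
 goto error;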
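Review bot: The rewritten bound check `if (path_max - n <= len)` has no comment saying why it is a subtraction, so a later cleanup could restore the `n + len` form that the commit message says overflows for inputs near SSIZE_MAX. A one-line comment above the test would record that, for example `/* Subtract rather than add: n + len can overflow for very long names (BZ #22786).  */`. The comparison also mixes a signed difference with what appears to be an unsigned `len`, so it presumably relies on `n` being smaller than `path_max`. That guarantee is not visible here, because `__realpath` starts and ends outside the hunk; it is worth confirming, since the check guards the `__alloca (path_max)` stack buffer on the line above.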
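--- /dev/null
+++ b/stdlib/test-bz22786.c
@@ -0,0 +1,90 @@
+/* Bug 22786: test for buffer overflow in realpath.
+ Copyright (C) 2018 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+/* This file must be run from within a directory called "stdlib". */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <support/test-driver.h>
+#include <libc-diag.h>
+
+static int
+do_test (void)
+{
+ const char dir[] = "bz22786";
+ const char lnk[] = "bz22786/symlink";
+
+ rmdir (dir);
+ if (mkdir (dir, 0755) != 0 && errno != EEXIST)
+ {
+ printf ("mkdir %s: %m\n", dir);
+ return EXIT_FAILURE;
+ }
+ if (symlink (".", lnk) != 0 && errno != EEXIST)
+ {
+ printf ("symlink (%s, %s): %m\n", dir, lnk);
+ return EXIT_FAILURE;
+ }
+
+ const size_t path_len = (size_t) INT_MAX + 1;
+
+ DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+ /* GCC 7 warns about too-large allocations; here we need such
+ allocation to succeed for the test to work. */
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
+ char *path = malloc (path_len);
+ DIAG_POP_NEEDS_COMMENT;
+
+ if (path == NULL)
+ {
+ printf ("malloc (%zu): %m\n", path_len);
+ return EXIT_UNSUPPORTED;
+ }
+
+ /* Construct very long path = "bz22786/symlink/aaaa....." */
+ char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
+ *(p++) = '/';
+ memset (p, 'a', path_len - (path - p) - 2);
+ p[path_len - (path - p) - 1] = '\0';
+
+ /* This call crashes before the fix for bz22786 on 32-bit platforms. */
+ p = realpath (path, NULL);
+
+ if (p != NULL || errno != ENAMETOOLONG)
+ {
+ printf ("realpath: %s (%m)", p);
+ return EXIT_FAILURE;
+ }
+
+ /* Cleanup. */
+ unlink (lnk);
+ rmdir (dir);
+
+ return 0;
+}
+
+#define TEST_FUNCTION do_test
+#include <support/test-driver.c>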
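Review bot: The pointer subtraction in the two path-construction lines of `do_test` is reversed, so the test itself writes past its heap buffer. Once `p` has advanced past the "bz22786/symlink/" prefix, `path - p` is negative, which makes `path_len - (path - p) - 2` larger than `path_len`; both the `memset` and the terminator store then land beyond the end of the `malloc (path_len)` allocation. Writing the offsets as `memset (p, 'a', path_len - (p - path) - 2);` and `p[path_len - (p - path) - 1] = '\0';` keeps the fill and the NUL inside the buffer. Separately, the failure branch passes a possibly NULL `p` to `%s`, and the early returns neither free `path` nor remove the symlink and directory.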
141 --
142 2.17.1