Showing
8 changed files
with
915 additions
and
2 deletions.
@@ -0,0 +1,44 @@ | ||
From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00 2001 | ||
From: DJ Delorie <dj@redhat.com> | ||
Date: Thu, 25 Feb 2021 16:08:21 -0500 | ||
Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ #27462] | ||
|
||
In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free | ||
was fixed, but this led to an occasional double-free. This patch | ||
tracks the "live" allocation better. | ||
|
||
Tested manually by a third party. | ||
|
||
Related: RHBZ 1927877 | ||
|
||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> | ||
Reviewed-by: Carlos O'Donell <carlos@redhat.com> | ||
--- | ||
nscd/netgroupcache.c | 4 ++-- | ||
1 file changed, 2 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c | ||
index dba6ceec1b..ad2daddafd 100644 | ||
--- a/nscd/netgroupcache.c | ||
+++ b/nscd/netgroupcache.c | ||
@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, | ||
: NULL); | ||
ndomain = (ndomain ? newbuf + ndomaindiff | ||
: NULL); | ||
- buffer = newbuf; | ||
+ *tofreep = buffer = newbuf; | ||
} | ||
|
||
nhost = memcpy (buffer + bufused, | ||
@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, | ||
else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE) | ||
{ | ||
buflen *= 2; | ||
- buffer = xrealloc (buffer, buflen); | ||
+ *tofreep = buffer = xrealloc (buffer, buflen); | ||
} | ||
else if (status == NSS_STATUS_RETURN | ||
|| status == NSS_STATUS_NOTFOUND | ||
-- | ||
2.27.0 | ||
|
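Review bot: The two changed lines `*tofreep = buffer = newbuf;` and `*tofreep = buffer = xrealloc (buffer, buflen);` carry the whole fix but say nothing about the invariant they restore, and addgetnetgrentX starts before the first hunk and continues after the second, so a reader of either hunk cannot see who owns `*tofreep`. I would put a one-line comment above each assignment, e.g. `/* Keep *tofreep pointing at the live allocation: the caller frees only *tofreep, so a stale pointer here is a double free (BZ #27462).  */`, since the previous use-after-free fix went wrong exactly on this point. The patch header names BZ #27462 and RHBZ 1927877 but no CVE identifier; if one was assigned to this double free, adding it to the Subject or as a trailer lets vulnerability scanners match this backport file. Note also that xrealloc aborts rather than returns NULL, so no leak-on-failure handling is needed on the second line.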
@@ -0,0 +1,70 @@ | ||
From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001 | ||
From: Andreas Schwab <schwab@linux-m68k.org> | ||
Date: Thu, 27 May 2021 12:49:47 +0200 | ||
Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896) | ||
|
||
Make a deep copy of the pthread attribute object to remove a potential | ||
use-after-free issue. | ||
--- | ||
NEWS | 4 ++++ | ||
sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++----- | ||
2 files changed, 14 insertions(+), 5 deletions(-) | ||
|
||
diff --git a/NEWS b/NEWS | ||
index 6f4d325d55..1bf3daa502 100644 | ||
--- a/NEWS | ||
+++ b/NEWS | ||
@@ -62,6 +62,10 @@ Security related changes: | ||
potentially resulting in degraded service or Denial of Service on the | ||
local system. Reported by Chris Schanzle. | ||
|
||
+ CVE-2021-33574: The mq_notify function has a potential use-after-free | ||
+ issue when using a notification type of SIGEV_THREAD and a thread | ||
+ attribute with a non-default affinity mask. | ||
+ | ||
The following bugs are resolved with this release: | ||
|
||
[The release manager will add the list generated by | ||
diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c | ||
index cc575a0cdd..f7ddfe5a6c 100644 | ||
--- a/sysdeps/unix/sysv/linux/mq_notify.c | ||
+++ b/sysdeps/unix/sysv/linux/mq_notify.c | ||
@@ -133,8 +133,11 @@ helper_thread (void *arg) | ||
(void) __pthread_barrier_wait (¬ify_barrier); | ||
} | ||
else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) | ||
- /* The only state we keep is the copy of the thread attributes. */ | ||
- free (data.attr); | ||
+ { | ||
+ /* The only state we keep is the copy of the thread attributes. */ | ||
+ pthread_attr_destroy (data.attr); | ||
+ free (data.attr); | ||
+ } | ||
} | ||
return NULL; | ||
} | ||
@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) | ||
if (data.attr == NULL) | ||
return -1; | ||
|
||
- memcpy (data.attr, notification->sigev_notify_attributes, | ||
- sizeof (pthread_attr_t)); | ||
+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); | ||
} | ||
|
||
/* Construct the new request. */ | ||
@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) | ||
|
||
/* If it failed, free the allocated memory. */ | ||
if (__glibc_unlikely (retval != 0)) | ||
- free (data.attr); | ||
+ { | ||
+ pthread_attr_destroy (data.attr); | ||
+ free (data.attr); | ||
+ } | ||
|
||
return retval; | ||
} | ||
-- | ||
2.27.0 | ||
|
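Review bot: The NOTIFY_REMOVED branch of helper_thread now calls `pthread_attr_destroy (data.attr)` unconditionally, but data.attr is only allocated when the caller passed thread attributes (the `if (data.attr == NULL) return -1;` sits inside a conditional block whose opening is outside the second hunk, and the follow-up patch in this set explicitly states the attribute may never have been copied). The old `free (data.attr)` was harmless on NULL; pthread_attr_destroy is not, so a SIGEV_THREAD notification registered with a NULL sigev_notify_attributes will, if the same data reaches the helper as its use of data.attr suggests, dereference NULL when the kernel removes the notification. Guard the branch: `else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)`. The follow-up patch in this commit adds such a guard only to mq_notify's own failure path, not here; helper_thread's body begins before the hunk.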
@@ -0,0 +1,52 @@ | ||
From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001 | ||
From: Florian Weimer <fweimer@redhat.com> | ||
Date: Tue, 1 Jun 2021 17:51:41 +0200 | ||
Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896) | ||
|
||
__pthread_attr_copy can fail and does not initialize the attribute | ||
structure in that case. | ||
|
||
If __pthread_attr_copy is never called and there is no allocated | ||
attribute, pthread_attr_destroy should not be called, otherwise | ||
there is a null pointer dereference in rt/tst-mqueue6. | ||
|
||
Fixes commit 42d359350510506b87101cf77202fefcbfc790cb | ||
("Use __pthread_attr_copy in mq_notify (bug 27896)"). | ||
|
||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> | ||
--- | ||
sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++-- | ||
1 file changed, 9 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c | ||
index f7ddfe5a6c..6f46d29d1d 100644 | ||
--- a/sysdeps/unix/sysv/linux/mq_notify.c | ||
+++ b/sysdeps/unix/sysv/linux/mq_notify.c | ||
@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) | ||
if (data.attr == NULL) | ||
return -1; | ||
|
||
- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); | ||
+ int ret = __pthread_attr_copy (data.attr, | ||
+ notification->sigev_notify_attributes); | ||
+ if (ret != 0) | ||
+ { | ||
+ free (data.attr); | ||
+ __set_errno (ret); | ||
+ return -1; | ||
+ } | ||
} | ||
|
||
/* Construct the new request. */ | ||
@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) | ||
int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se); | ||
|
||
/* If it failed, free the allocated memory. */ | ||
- if (__glibc_unlikely (retval != 0)) | ||
+ if (retval != 0 && data.attr != NULL) | ||
{ | ||
pthread_attr_destroy (data.attr); | ||
free (data.attr); | ||
-- | ||
2.27.0 | ||
|
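Review bot: The rule the description states — do not call pthread_attr_destroy when no attribute was ever copied — is applied only at the `if (retval != 0 && data.attr != NULL)` line in mq_notify's syscall-failure path; the NOTIFY_REMOVED cleanup in helper_thread, which the preceding patch in this set changed to call pthread_attr_destroy on the same data.attr, lies outside this hunk and gets no equivalent guard, so that call site still takes a NULL attribute when sigev_notify_attributes was not supplied. The same one-line condition, `&& data.attr != NULL`, belongs on that branch as well. The new guard is also silent about why attr can be NULL here; a comment such as `/* data.attr is NULL when no thread attributes were supplied.  */` above the condition would save the next reader the trip to the allocation site, which starts before the first hunk. The new early-return path correctly frees the uninitialized attribute without destroying it, matching the first sentence of the description.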
@@ -0,0 +1,40 @@ | ||
From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001 | ||
From: Andreas Schwab <schwab@linux-m68k.org> | ||
Date: Fri, 25 Jun 2021 15:02:47 +0200 | ||
Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug | ||
28011) | ||
|
||
Use strtoul instead of atoi so that overflow can be detected. | ||
--- | ||
posix/wordexp-test.c | 1 + | ||
posix/wordexp.c | 2 +- | ||
2 files changed, 2 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c | ||
index f93a546d7e..9df02dbbb3 100644 | ||
--- a/posix/wordexp-test.c | ||
+++ b/posix/wordexp-test.c | ||
@@ -183,6 +183,7 @@ struct test_case_struct | ||
{ 0, NULL, "$var", 0, 0, { NULL, }, IFS }, | ||
{ 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS }, | ||
{ 0, NULL, "", 0, 0, { NULL, }, IFS }, | ||
+ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS }, | ||
|
||
/* Flags not already covered (testit() has special handling for these) */ | ||
{ 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS }, | ||
diff --git a/posix/wordexp.c b/posix/wordexp.c | ||
index bcbe96e48d..1f3b09f721 100644 | ||
--- a/posix/wordexp.c | ||
+++ b/posix/wordexp.c | ||
@@ -1399,7 +1399,7 @@ envsubst: | ||
/* Is it a numeric parameter? */ | ||
else if (isdigit (env[0])) | ||
{ | ||
- int n = atoi (env); | ||
+ unsigned long n = strtoul (env, NULL, 10); | ||
|
||
if (n >= __libc_argc) | ||
/* Substitute NULL. */ | ||
-- | ||
2.27.0 | ||
|
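Review bot: The overflow handling at `unsigned long n = strtoul (env, NULL, 10);` works only because strtoul saturates to ULONG_MAX, which then satisfies `n >= __libc_argc` and substitutes NULL; nothing in the hunk says so, and without a comment a later change to the comparison could silently undo the fix. I would add `/* On overflow strtoul returns ULONG_MAX, which is always >= __libc_argc, so an out-of-range parameter is treated as unset.  */` above the declaration. Two side notes for the same line: `__libc_argc` is an int and is promoted to unsigned long in the comparison, which is fine only while it is non-negative, and strtoul leaves errno set to ERANGE on overflow, so callers that inspect errno after a successful wordexp may see a stale value — worth stating in the comment or saving and restoring errno, since POSIX does not specify errno for wordexp. The enclosing function continues outside the hunk.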
@@ -0,0 +1,133 @@ | ||
From ee8d5e33adb284601c00c94687bc907e10aec9bb Mon Sep 17 00:00:00 2001 | ||
From: Siddhesh Poyarekar <siddhesh@sourceware.org> | ||
Date: Thu, 13 Jan 2022 11:28:36 +0530 | ||
Subject: [PATCH 1/1] realpath: Set errno to ENAMETOOLONG for result larger | ||
than PATH_MAX [BZ #28770] | ||
|
||
realpath returns an allocated string when the result exceeds PATH_MAX, | ||
which is unexpected when its second argument is not NULL. This results | ||
in the second argument (resolved) being uninitialized and also results | ||
in a memory leak since the caller expects resolved to be the same as the | ||
returned value. | ||
|
||
Return NULL and set errno to ENAMETOOLONG if the result exceeds | ||
PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. | ||
|
||
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> | ||
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> | ||
--- | ||
NEWS | 4 +++ | ||
stdlib/Makefile | 1 + | ||
stdlib/canonicalize.c | 12 +++++++-- | ||
stdlib/tst-realpath-toolong.c | 49 +++++++++++++++++++++++++++++++++++ | ||
4 files changed, 64 insertions(+), 2 deletions(-) | ||
create mode 100644 stdlib/tst-realpath-toolong.c | ||
|
||
diff --git a/NEWS b/NEWS | ||
index 6ed9fa9787..4c392a445e 100644 | ||
--- a/NEWS | ||
+++ b/NEWS | ||
@@ -166,6 +166,10 @@ Security related changes: | ||
CVE-2022-23218: Passing an overlong file name to the svcunix_create | ||
legacy function could result in a stack-based buffer overflow. | ||
|
||
+ CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath | ||
+ function could result in a memory leak and potential access of | ||
+ uninitialized memory. Reported by Qualys. | ||
+ | ||
The following bugs are resolved with this release: | ||
|
||
[The release manager will add the list generated by | ||
diff --git a/stdlib/Makefile b/stdlib/Makefile | ||
index 1e81f98fac..8236741984 100644 | ||
--- a/stdlib/Makefile | ||
+++ b/stdlib/Makefile | ||
@@ -68,6 +68,7 @@ test-srcs := tst-fmtmsg | ||
tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ | ||
test-canon test-canon2 tst-strtoll tst-environ \ | ||
tst-xpg-basename tst-random tst-random2 tst-bsearch \ | ||
+ tst-realpath-toolong \ | ||
tst-limits tst-rand48 bug-strtod tst-setcontext \ | ||
tst-setcontext2 test-a64l tst-qsort testmb2 \ | ||
bug-strtod2 tst-atof1 tst-atof2 tst-strtod2 \ | ||
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c | ||
index f36bdf4c76..732dc7ea46 100644 | ||
--- a/stdlib/canonicalize.c | ||
+++ b/stdlib/canonicalize.c | ||
@@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved, | ||
|
||
error: | ||
*dest++ = '\0'; | ||
- if (resolved != NULL && dest - rname <= get_path_max ()) | ||
- rname = strcpy (resolved, rname); | ||
+ if (resolved != NULL) | ||
+ { | ||
+ if (dest - rname <= get_path_max ()) | ||
+ rname = strcpy (resolved, rname); | ||
+ else | ||
+ { | ||
+ failed = true; | ||
+ __set_errno (ENAMETOOLONG); | ||
+ } | ||
+ } | ||
|
||
error_nomem: | ||
scratch_buffer_free (&extra_buffer); | ||
diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c | ||
new file mode 100644 | ||
index 0000000000..8bed772460 | ||
--- /dev/null | ||
+++ b/stdlib/tst-realpath-toolong.c | ||
@@ -0,0 +1,49 @@ | ||
+/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds | ||
+ NAME_MAX. | ||
+ Copyright The GNU Toolchain Authors. | ||
+ This file is part of the GNU C Library. | ||
+ | ||
+ The GNU C Library is free software; you can redistribute it and/or | ||
+ modify it under the terms of the GNU Lesser General Public | ||
+ License as published by the Free Software Foundation; either | ||
+ version 2.1 of the License, or (at your option) any later version. | ||
+ | ||
+ The GNU C Library is distributed in the hope that it will be useful, | ||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
+ Lesser General Public License for more details. | ||
+ | ||
+ You should have received a copy of the GNU Lesser General Public | ||
+ License along with the GNU C Library; if not, see | ||
+ <https://www.gnu.org/licenses/>. */ | ||
+ | ||
+#include <errno.h> | ||
+#include <limits.h> | ||
+#include <stdlib.h> | ||
+#include <string.h> | ||
+#include <unistd.h> | ||
+#include <support/check.h> | ||
+#include <support/temp_file.h> | ||
+#include <sys/types.h> | ||
+#include <sys/stat.h> | ||
+ | ||
+#define BASENAME "tst-realpath-toolong." | ||
+ | ||
+int | ||
+do_test (void) | ||
+{ | ||
+ char *base = support_create_and_chdir_toolong_temp_directory (BASENAME); | ||
+ | ||
+ char buf[PATH_MAX + 1]; | ||
+ const char *res = realpath (".", buf); | ||
+ | ||
+ /* canonicalize.c states that if the real path is >= PATH_MAX, then | ||
+ realpath returns NULL and sets ENAMETOOLONG. */ | ||
+ TEST_VERIFY (res == NULL); | ||
+ TEST_VERIFY (errno == ENAMETOOLONG); | ||
+ | ||
+ free (base); | ||
+ return 0; | ||
+} | ||
+ | ||
+#include <support/test-driver.c> | ||
-- | ||
2.27.0 | ||
|
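Review bot: The header comment of tst-realpath-toolong.c says the result "exceeds NAME_MAX", but the test, the canonicalize.c change (`dest - rname <= get_path_max ()`) and the patch subject are all about PATH_MAX; change the first line to `/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds PATH_MAX.` so the test's stated purpose matches what it checks. The inline comment ">= PATH_MAX" is consistent with the code, since `dest - rname` counts the terminating NUL, so only the header needs fixing. In do_test, errno is read after `TEST_VERIFY (res == NULL)`; capturing it first, `int saved_errno = errno;` immediately after the realpath call, keeps the second check meaningful even when the first one fails and prints. What the `error:` label does with rname after `failed = true` is outside the canonicalize.c hunk, so the leak half of the fix cannot be confirmed from here.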