glibc: Fix CVE-2020-1752

Backported the original patch to 2.26 version. https://sourceware.org/git/?p=glibc.git;a=patch;h=ddc650e9b3dc916eab417ce9f79e67337b05035c;hp=f2323817dde1e87d44e058af5954c25d72fbdb11 Change-Id: I05b625bc21e55f5cb0feb286ce54684301d31e75 Signed-off-by: Keerthana K <keerthanak@vmware.com> Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/10120 Tested-by: gerrit-photon <photon-checkins@vmware.com> Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
vmware · Jun 1, 2020 · 285fba4 · 285fba4
1 parent 727188a
commit 285fba4
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 1 deletion.
diff --git a/SPECS/glibc/glibc-fix-CVE-2020-1752.patch b/SPECS/glibc/glibc-fix-CVE-2020-1752.patch
@@ -0,0 +1,61 @@
+From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Wed, 19 Feb 2020 17:21:46 +0100
+Subject: [PATCH 1/1] Fix use-after-free in glob when expanding ~user (bug
+ 25414)
+
+The value of `end_name' points into the value of `dirname', thus don't
+deallocate the latter before the last use of the former.
+
+Signed-off-by: Keerthana K <keerthanak@vmware.com>
+---
+ posix/glob.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+
+diff --git a/posix/glob.c b/posix/glob.c
+index 6db26c8..f23ac6e 100644
+--- a/posix/glob.c
++++ b/posix/glob.c
+@@ -946,28 +946,30 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ 	      {
+ 		size_t home_len = strlen (p->pw_dir);
+ 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
++		char *newp;
++		bool use_alloca = glob_use_alloca (alloca_used,
++						   home_len + rest_len + 1);
+
+-		if (__glibc_unlikely (malloc_dirname))
+-		  free (dirname);
+-		malloc_dirname = 0;
+-
+-		if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
+-		  dirname = alloca_account (home_len + rest_len + 1,
+-					    alloca_used);
++		if (use_alloca)
++		  newp = alloca_account (home_len + rest_len + 1, alloca_used);
+ 		else
+ 		  {
+-		    dirname = malloc (home_len + rest_len + 1);
+-		    if (dirname == NULL)
++		      newp = malloc (home_len + rest_len + 1);
++		      if (newp == NULL)
+ 		      {
+ 			free (malloc_pwtmpbuf);
+ 			retval = GLOB_NOSPACE;
+ 			goto out;
+ 		      }
+-		    malloc_dirname = 1;
+ 		  }
+-		*((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
++		*((char *) mempcpy (mempcpy (newp, p->pw_dir, home_len),
+ 				    end_name, rest_len)) = '\0';
+
++		if (__glibc_unlikely (malloc_dirname))
++		  free (dirname);
++		dirname = newp;
++		malloc_dirname = !use_alloca;
++
+ 		dirlen = home_len + rest_len;
+ 		dirname_modified = 1;
+
diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec
@@ -4,7 +4,7 @@
 Summary:        Main C library
 Name:           glibc
 Version:        2.26
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        LGPLv2+
 URL:            http://www.gnu.org/software/libc
 Group:          Applications/System
@@ -34,6 +34,7 @@ Patch16:        CVE-2019-9169.patch
 Patch17:        glibc-fix-CVE-2009-5155.patch
 Patch18:        glibc-fix-CVE-2019-10739.patch
 Patch19:        glibc-fix-CVE-2020-10029.patch
+Patch20:        glibc-fix-CVE-2020-1752.patch
 Provides:       rtld(GNU_HASH)
 Requires:       filesystem
 %description
@@ -107,6 +108,7 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
 
 install -vdm 755 %{_builddir}/%{name}-build
 # do not try to explicitly provide GLIBC_PRIVATE versioned libraries
@@ -311,6 +313,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
 
 
 %changelog
+*   Wed May 20 2020 Keerthana K <keerthanak@vmware.com> 2.26-18
+-   Fix CVE-2020-1752
 *   Thu May 07 2020 Keerthana K <keerthanak@vmware.com> 2.26-17
 -   Fix CVE-2019-10793, CVE-2020-10029
 *   Fri May 10 2019 Him Kalyan Bordoloi <bordoloih@vmware.com> 2.26-16