diff options
author | Siddhesh Poyarekar <siddhesh@sourceware.org> | 2022-01-21 23:32:56 +0530 |
---|---|---|
committer | Pranav Kant <prka@google.com> | 2024-01-12 23:20:06 +0000 |
commit | 5643a977d0e2cca3877775f27a41df08e98d833a (patch) | |
tree | 083038122adbdcb61f65185e7e0bb512ad60a950 | |
parent | ac5b88042331d3a6ba0e44f8ebcc41a35ec1dab2 (diff) | |
download | glibc-5643a977d0e2cca3877775f27a41df08e98d833a.tar glibc-5643a977d0e2cca3877775f27a41df08e98d833a.tar.gz glibc-5643a977d0e2cca3877775f27a41df08e98d833a.tar.bz2 glibc-5643a977d0e2cca3877775f27a41df08e98d833a.zip |
getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
Cherry-picked from 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e in main branch.
Test included with this commit is not cherry-picked because it requires more
changes.
No valid path returned by getcwd would fit into 1 byte, so reject the
size early and return NULL with errno set to ERANGE. This change is
prompted by CVE-2021-3999, which describes a single byte buffer
underflow and overflow when all of the following conditions are met:
- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory
Sequence of events:
- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
because the linux kernel checks for name length before it checks
buffer size
- The code falls back to the generic getcwd in sysdeps/posix
- In the generic func, the buf[0] is set to '\0' on line 250
- this while loop on line 262 is bypassed:
while (!(thisdev == rootdev && thisino == rootino))
since the rootfs (/) is bind mounted onto the directory and the flow
goes on to line 449, where it puts a '/' in the byte before the
buffer.
- Finally on line 458, it moves 2 bytes (the underflowed byte and the
'\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.
- buf is returned on line 469 and errno is not set.
This resolves BZ #28769.
Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | sysdeps/posix/getcwd.c | 8 |
2 files changed, 14 insertions, 0 deletions
@@ -28,6 +28,12 @@ Deprecated and removed features, and other changes affecting compatibility: Security related changes: + CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd + function may result in an off-by-one buffer underflow and overflow + when the current working directory is longer than PATH_MAX and also + corresponds to the / directory through an unprivileged mount + namespace. Reported by Qualys. + CVE-2016-10739: The getaddrinfo function could successfully parse IPv4 addresses with arbitrary trailing characters, potentially leading to data or command injection issues in applications. diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c index b53433a2dc..154b9846a5 100644 --- a/sysdeps/posix/getcwd.c +++ b/sysdeps/posix/getcwd.c @@ -241,6 +241,14 @@ __getcwd (char *buf, size_t size) char *path; #ifndef NO_ALLOCATION size_t allocated = size; + + /* A size of 1 byte is never useful. */ + if (allocated == 1) + { + __set_errno (ERANGE); + return NULL; + } + if (size == 0) { if (buf != NULL) |