diff options
| author | Carlos O'Donell <carlos@redhat.com> | 2014-11-19 11:44:12 -0500 |
|---|---|---|
| committer | Carlos O'Donell <carlos@redhat.com> | 2014-11-19 14:35:03 -0500 |
| commit | a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c (patch) | |
| tree | 699430f828076d3ae74ecf4b5be5025953cc34f5 /posix/wordexp.c | |
| parent | 130ac68ca25c9aa65e027e3e37337bc048205c69 (diff) | |
| download | glibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.tar glibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.tar.gz glibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.tar.bz2 glibc-a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c.zip | |
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
Diffstat (limited to 'posix/wordexp.c')
| -rw-r--r-- | posix/wordexp.c | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/posix/wordexp.c b/posix/wordexp.c index b6b65dd993..26f3a2653f 100644 --- a/posix/wordexp.c +++ b/posix/wordexp.c @@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, size_t *max_length, pid_t pid; int noexec = 0; + /* Do nothing if command substitution should not succeed. */ + if (flags & WRDE_NOCMD) + return WRDE_CMDSUB; + /* Don't fork() unless necessary */ if (!comm || !*comm) return 0; @@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t *max_length, } } - if (flags & WRDE_NOCMD) - return WRDE_CMDSUB; - (*offset) += 2; return parse_comm (word, word_length, max_length, words, offset, flags, quoted? NULL : pwordexp, ifs, ifs_white); @@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t *max_length, break; case '`': - if (flags & WRDE_NOCMD) - return WRDE_CMDSUB; - ++(*offset); error = parse_backtick (word, word_length, max_length, words, offset, flags, NULL, NULL, NULL); @@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags) break; case '`': - if (flags & WRDE_NOCMD) - { - error = WRDE_CMDSUB; - goto do_error; - } - ++words_offset; error = parse_backtick (&word, &word_length, &max_length, words, &words_offset, flags, pwordexp, ifs, |