From patchwork Tue Apr 17 23:50:56 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Pluzhnikov X-Patchwork-Id: 26771 Received: (qmail 101026 invoked by alias); 17 Apr 2018 23:51:27 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 100501 invoked by uid 89); 17 Apr 2018 23:51:26 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-33.2 required=5.0 tests=AWL, BAYES_00, ENV_AND_HDR_SPF_MATCH, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, KAM_SHORT, RCVD_IN_DNSWL_NONE, SPF_PASS, URIBL_RED, USER_IN_DEF_SPF_WL autolearn=ham version=3.3.2 spammy=H*RU:209.85.128.196, Hx-spam-relays-external:209.85.128.196, 0755 X-HELO: mail-wr0-f196.google.com X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lqg500ZrYSqHLO9YmNE7C4tJO9l5Pt/UVimnLZsLrO0=; b=V+JwTc1cwB3YvTHsqiBNmB2bMZEL7sClH4xXRd4kLsbNkudM9pbOuOuKseCU/pylF6 1TYVvzNRuecb0u+qzLYbEF7Wqk7hwHkuBIbGs9Thtfe24fEjxrZQ4DkstIWCZXtQ72dm IvUnmhIHv0ytmPAe2hvuy3AfCJdJxiKDrZruM8ViMd2xulxTwTddSQT1HX+Mcc+yyAHe 474w5lbkyd447EvPMs6HnXcMY0/wBf3sJaWLZCTSR1VmFxFvZ9k/bxVQFRHY3Ya6IY+j nt1KFzjgWUhq7+wEmGym3zJN6UZrdw+pBkPwPPVKvrTkNLIewtEJFk9pC0lmU81xl0x5 Wgfw== X-Gm-Message-State: ALQs6tDgwgKBl+85JZAqQQkdUgPpk7rw228M3GC0YFO705O1HKbvHL7P fcy5ioPR7cyOgNWxr5+ewJ94Y1S1e5lyWyI4HWfJ1fYyF0M= X-Google-Smtp-Source: AIpwx4/KXx0SSFsFL2abi9F2FZ2xQcQrzE0vpCDF3rCcpACokWX3LZKYgS9Kv+u5YDzwpRGj1xvfDOootCo4JIrU+2s= X-Received: by 10.28.24.76 with SMTP id 73mr149178wmy.24.1524009082096; Tue, 17 Apr 2018 16:51:22 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Paul Pluzhnikov Date: Tue, 17 Apr 2018 23:50:56 +0000 Message-ID: Subject: Re: [patch] Fix path length overflow in realpath (BZ#22786) To: "Joseph S. Myers" Cc: GLIBC Devel On Tue, Apr 17, 2018 at 2:01 PM Joseph Myers wrote: > On Mon, 9 Apr 2018, Paul Pluzhnikov wrote: > > +# suppress warnings about allocation size. > > +CFLAGS-test-bz22786.c += $(+gcc-nowarn) > Warnings should be disabled as locally as possible in the sources Revised patch attached. Thanks, 2018-04-17 Paul Pluzhnikov [BZ #22786] * stdlib/canonicalize.c (__realpath): Fix overflow in path length computation. * stdlib/Makefile (test-bz22786): New test. * stdlib/test-bz22786.c: New test. diff --git a/stdlib/Makefile b/stdlib/Makefile index af1643c0c4..1ddb1f9d18 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-cxa_atexit tst-on_exit test-atexit-race \ test-at_quick_exit-race test-cxa_atexit-race \ test-on_exit-race test-dlclose-exit-race \ - tst-makecontext-align + tst-makecontext-align test-bz22786 tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ tst-tls-atexit tst-tls-atexit-nodelete diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c index 4135f3f33c..390fb437a8 100644 --- a/stdlib/canonicalize.c +++ b/stdlib/canonicalize.c @@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved) extra_buf = __alloca (path_max); len = strlen (end); - if ((long int) (n + len) >= path_max) + if (path_max - n <= len) { __set_errno (ENAMETOOLONG); goto error; diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c new file mode 100644 index 0000000000..1b6331ac5c --- /dev/null +++ b/stdlib/test-bz22786.c @@ -0,0 +1,90 @@ +/* Bug 22786: test for stack overflow in realpath. + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This file must be run from within a directory called "stdlib". */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static int +do_test (void) +{ + const char dir[] = "bz22786"; + const char lnk[] = "bz22786/symlink"; + + rmdir (dir); + if (mkdir (dir, 0755) != 0 && errno != EEXIST) + { + printf ("mkdir %s: %m\n", dir); + return EXIT_FAILURE; + } + if (symlink (".", lnk) != 0 && errno != EEXIST) + { + printf ("symlink (%s, %s): %m\n", dir, lnk); + return EXIT_FAILURE; + } + + const size_t path_len = (size_t) INT_MAX + 1; + + DIAG_PUSH_NEEDS_COMMENT; +#if __GNUC_PREREQ (7, 0) + /* GCC 7 warns about too-large allocations; here we need such + allocation to succeed for the test to work. */ + DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); +#endif + char *path = malloc (path_len); + DIAG_POP_NEEDS_COMMENT; + + if (path == NULL) + { + printf ("malloc (%zu): %m\n", path_len); + return EXIT_UNSUPPORTED; + } + + /* Construct very long path = "bz22786/symlink/aaaa....." */ + char *p = mempcpy (path, lnk, sizeof (lnk) - 1); + *(p++) = '/'; + memset (p, 'a', path_len - (path - p) - 2); + p[path_len - (path - p) - 1] = '\0'; + + /* This call crashes before the fix for bz22786 on 32-bit platforms. */ + p = realpath (path, NULL); + + if (p != NULL || errno != ENAMETOOLONG) + { + printf ("realpath: %s (%m)", p); + return EXIT_FAILURE; + } + + /* Cleanup. */ + unlink (lnk); + rmdir (dir); + + return 0; +} + +#define TEST_FUNCTION do_test +#include