ptsname_r: don't leak uninitialized memory

Message ID 1399294807-19817-1-git-send-email-aurelien@aurel32.net
State Committed

Commit Message

Aurelien Jarno May 5, 2014, 1 p.m. UTC
If the fd refers to a terminal device, but not a pty master, the
TIOCGPTN ioctl returns with ENOTTY. This error is not caught, and the
possibly undefined buffer passed to ptsname_r is sent directly to the
stat64 syscall.

Fix this by using a fallback to the old method only if the TIOCGPTN
ioctl fails with EINVAL. This also fixes the return value in that specific
case (it returns ENOENT without this patch).

Note: this is Debian bug#741482, reported by Jakub Wilk <jwilk@debian.org>
---
 ChangeLog                         | 6 ++++++
 sysdeps/unix/sysv/linux/ptsname.c | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
  

Comments

Roland McGrath May 5, 2014, 7:37 p.m. UTC | #1
Seems like something for which you could write a test case.
  
Aurelien Jarno May 5, 2014, 9:45 p.m. UTC | #2
On Mon, May 05, 2014 at 12:37:21PM -0700, Roland McGrath wrote:
> Seems like something for which you could write a test case.

Indeed, we can at least test that the error value is the correct one.
Catching the use of uninitialized data in xstat64 looks more difficult.

I'll work on that and provide a new version of this patch including a
test.
  

Patch

diff --git a/ChangeLog b/ChangeLog
index ac0d69e..cda0e7c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@ 
+2014-05-05  Aurelien Jarno  <aurelien@aurel32.net>
+
+	* sysdeps/unix/sysv/linux/ptsname.c (__ptsname_internal): return
+	errno if the TIOCGPTN ioctl fails with an error different than
+	EINVAL.
+
 2014-05-04  Adam Conrad  <adconrad@0c3.net>
 
 	* locale/iso-4217.def: Reintroduce XDR currency.
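Review bot: the new ChangeLog entry starts its description with a lowercase "return", while the neighbouring entry ("Reintroduce XDR currency.") starts with a capital; please write "Return errno if ..." to match. "an error different than EINVAL" would also read better as "an error other than EINVAL". The entry could mention that the fallback path is now taken only for EINVAL, since that is the behavioural change the commit message describes.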
diff --git a/sysdeps/unix/sysv/linux/ptsname.c b/sysdeps/unix/sysv/linux/ptsname.c
index ed39f8f..3fc14a7 100644
--- a/sysdeps/unix/sysv/linux/ptsname.c
+++ b/sysdeps/unix/sysv/linux/ptsname.c
@@ -105,7 +105,9 @@  __ptsname_internal (int fd, char *buf, size_t buflen, struct stat64 *stp)
 
       memcpy (__stpcpy (buf, devpts), p, &numbuf[sizeof (numbuf)] - p);
     }
-  else if (errno == EINVAL)
+  else if (errno != EINVAL)
+    return errno;
+  else
 #endif
     {
       char *p;
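Review bot: the new `else if (errno != EINVAL)` / `return errno;` branch carries no comment saying why EINVAL alone falls through to the old method, and the bare `else` left directly above `#endif` is easy to misread. A one-line comment above the branch would help, for example that any error other than EINVAL (such as the ENOTTY from the commit message, returned for a terminal that is not a pty master) is reported to the caller instead of continuing with a buffer that was never filled in. The patch also adds no test; a case that calls ptsname_r on a terminal fd that is not a pty master and checks for ENOTTY rather than ENOENT would pin down the return value this change fixes.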