From patchwork Thu Sep 10 15:19:14 2020
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 40392
To: libc-alpha@sourceware.org
Subject: [PATCH 3/4] stdlib: Fix arithmetic overflows in realpath [BZ #26592]
Date: Thu, 10 Sep 2020 12:19:14 -0300
Message-Id: <20200910151915.1982465-3-adhemerval.zanella@linaro.org>
In-Reply-To: <20200910151915.1982465-1-adhemerval.zanella@linaro.org>
References: <20200910151915.1982465-1-adhemerval.zanella@linaro.org>
From: Adhemerval Zanella

realpath uses an end-of-array pointer 'rpath_limit', and makes invalid
(overflowing) comparisons against it to catch overflow:

  117   /* Find end of path component.  */
  118   if (dest + (end-start) >= rpath_limit)

I could not see an easy way to stress this issue since it relies on how
the input argument is laid out in memory along with a large file name
that triggers the overflow comparison.  However, the fix is simple
enough: it simply reorganizes the arithmetic in the comparison.

Checked on x86_64-linux-gnu and i686-linux-gnu.
---
 stdlib/canonicalize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 6798ed8963..44a25a9a59 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -136,7 +136,7 @@ __realpath (const char *name, char *resolved) if (dest[-1] != '/') *dest++ = '/'; - if (dest + (end - start) >= rpath_limit) + if (end - start >= rpath_limit - dest) { ptrdiff_t dest_offset = dest - rpath; char *new_rpath;
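Review bot: the new condition `if (end - start >= rpath_limit - dest)` in the `__realpath` hunk is only sound because `dest` never moves past `rpath_limit` (so `rpath_limit - dest` is a non-negative ptrdiff_t computed within one allocation) and because `end >= start`; neither invariant is stated at the check, and the old form `dest + (end - start) >= rpath_limit` looks equivalent enough that someone will "simplify" it back, so please add a one-line comment above the `if` saying that the pointer must not be formed before the comparison (it may point past the end of `rpath`, which is undefined and wraps on 32-bit targets). Also, the commit message quotes the check at lines 117/118 while the hunk header is `@@ -136,7 +136,7 @@`; the quoted snippet should be dropped or updated so the message matches the file being patched.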
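To make the bug class in the commit message concrete, the following is an added example (it is not glibc code and not part of the patch). It models the pre-patch check with plain integers so the wrap can be observed without executing undefined pointer arithmetic, and then uses the patched comparison in a small realpath-style append loop (`struct pathbuf`, `pathbuf_append`, `demo_ok` and the sample components are all constructed here for illustration) that grows its buffer the way the hunk's `dest_offset` / `new_rpath` code does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Integer model of the pre-patch test `dest + (end - start) >= rpath_limit`.
   With dest near the top of the address space, dest + n wraps to a small
   value and the test wrongly reports "fits".  Returns 1 if it demands
   a larger buffer.  (Constructed example, not glibc code.) */
int old_check_wants_grow(uintptr_t dest, size_t n, uintptr_t limit)
{
    return dest + n >= limit;
}

/* Patched form: subtract first, compare lengths.  limit >= dest is the
   loop invariant, so limit - dest cannot wrap. */
int new_check_wants_grow(uintptr_t dest, size_t n, uintptr_t limit)
{
    return (ptrdiff_t) n >= (ptrdiff_t) (limit - dest);
}

/* Realpath-like buffer: [rpath, limit) is the allocation, dest the cursor. */
struct pathbuf {
    char *rpath;
    char *dest;
    char *limit;
};

int pathbuf_init(struct pathbuf *pb, size_t cap)
{
    pb->rpath = malloc(cap);
    if (pb->rpath == NULL || cap < 2)
        return -1;
    pb->rpath[0] = '/';
    pb->dest = pb->rpath + 1;
    pb->limit = pb->rpath + cap;
    return 0;
}

/* Append one component [start, end), growing the buffer when the patched
   comparison says the component plus its NUL would not fit. */
int pathbuf_append(struct pathbuf *pb, const char *start, const char *end)
{
    if (pb->dest[-1] != '/')
        *pb->dest++ = '/';

    if (end - start >= pb->limit - pb->dest) {
        ptrdiff_t dest_offset = pb->dest - pb->rpath;   /* survive realloc */
        size_t new_size = (size_t) (pb->limit - pb->rpath);
        size_t len = (size_t) (end - start);
        while (new_size - (size_t) dest_offset <= len)   /* need len + NUL */
            new_size *= 2;
        char *new_rpath = realloc(pb->rpath, new_size);
        if (new_rpath == NULL)
            return -1;
        pb->rpath = new_rpath;
        pb->limit = new_rpath + new_size;
        pb->dest = new_rpath + dest_offset;
    }
    memcpy(pb->dest, start, (size_t) (end - start));
    pb->dest += end - start;
    *pb->dest = '\0';
    return 0;
}

/* Constructed input: joins four components into a 4-byte buffer that must
   grow to 64 bytes.  Returns 1 when the result and final size are right. */
int demo_ok(void)
{
    static const char *const comps[] = { "usr", "lib", "x86_64-linux-gnu", "libc.so.6" };
    struct pathbuf pb;
    if (pathbuf_init(&pb, 4) < 0)
        return 0;
    int ok = 1;
    for (size_t i = 0; i < 4 && ok; i++)
        ok = pathbuf_append(&pb, comps[i], comps[i] + strlen(comps[i])) == 0;
    ok = ok && strcmp(pb.rpath, "/usr/lib/x86_64-linux-gnu/libc.so.6") == 0
            && pb.limit - pb.rpath == 64;
    free(pb.rpath);
    return ok;
}

int main(void)
{
    /* dest 3 bytes below the top of the address space, 2 bytes of room left,
       16-byte component: the old test wraps and says "fits". */
    uintptr_t dest = UINTPTR_MAX - 3, limit = UINTPTR_MAX - 1;
    printf("old check wants grow: %d\n", old_check_wants_grow(dest, 16, limit));
    printf("new check wants grow: %d\n", new_check_wants_grow(dest, 16, limit));
    printf("append loop ok: %d\n", demo_ok());
    return 0;
}
```

The integer model is the honest way to show the failure: forming `dest + n` on a real pointer past the end of the object is undefined behaviour, so a compiler is entitled to drop the comparison entirely, which is the second reason the subtraction form is preferable on 64-bit hosts where wrap-around itself is unlikely.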