From patchwork Tue Oct 27 14:35:30 2020
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 40888
To: libc-alpha@sourceware.org
Subject: [PATCH v2 3/4] stdlib: Fix arithmetic overflows in realpath [BZ #26592]
Date: Tue, 27 Oct 2020 11:35:30 -0300
Message-Id: <20201027143531.2448132-3-adhemerval.zanella@linaro.org>
In-Reply-To: <20201027143531.2448132-1-adhemerval.zanella@linaro.org>
References: <20201027143531.2448132-1-adhemerval.zanella@linaro.org>
From: Adhemerval Zanella Netto
Reply-To: Adhemerval Zanella
Cc: Andreas Schwab

realpath uses an end-of-array pointer 'rpath_limit', and makes invalid
(overflowing) comparisons against it to catch overflow:

  117   /* Find end of path component.  */
  118   if (dest + (end-start) >= rpath_limit)

I could not see an easy way to stress this issue since it relies on how the
input argument is laid out in memory along with a large filename that
triggers the overflowing comparison.  However, the fix is simple enough, where
it simply reorganizes the arithmetic in the comparison.

Checked on x86_64-linux-gnu and i686-linux-gnu.
---
 stdlib/canonicalize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 50244d0f67..9aa69676e4 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -136,7 +136,7 @@ __realpath (const char *name, char *resolved)
 	  if (dest[-1] != '/')
 	    *dest++ = '/';
 
-	  if (dest + (end - start) >= rpath_limit)
+	  if (end - start >= rpath_limit - dest)
 	    {
 	      ptrdiff_t dest_offset = dest - rpath;
 	      char *new_rpath;
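Review bot: the rewritten condition `if (end - start >= rpath_limit - dest)` should carry a one-line comment explaining why it is a comparison of lengths and not of pointers, otherwise a later cleanup can fold it straight back into the removed form. The removed line `if (dest + (end - start) >= rpath_limit)` first materialises `dest + (end - start)`, a pointer that, for a long enough component, lies outside the rpath allocation; that is the overflow the commit message describes, and it is undefined behaviour in C regardless of whether the compare happens to work. `rpath_limit - dest` is always a valid difference because dest never passes rpath_limit (the grow path that starts here re-derives dest from `dest_offset = dest - rpath`, so the invariant survives the realloc). Something like `/* Compare lengths, not pointers: dest + (end - start) may not be a valid pointer.  */` above the new line would do.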
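The shape of the check in the hunk, remaining capacity computed as a difference of two in-range pointers and then compared against a length, generalises to any append-into-a-growable-buffer loop. The following is an added example, not glibc's realpath (the struct `pathbuf`, and the functions `pathbuf_init`, `pathbuf_has_room`, `pathbuf_append` and `pathbuf_demo` are hypothetical names chosen here): it appends path components into a buffer that grows by realloc, keeps the three pointers the hunk works with (start of storage, write position, one-past-the-end limit), and shows that a pathologically large request is rejected without ever forming a pointer outside the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable path buffer for this example only; glibc's
   realpath keeps the equivalent three pointers as locals (rpath, dest,
   rpath_limit).  'limit' is one past the end of the allocation and the
   invariant base <= dest <= limit holds at all times. */
struct pathbuf {
    char *base;
    char *dest;   /* next byte to write */
    char *limit;
};

int pathbuf_init(struct pathbuf *pb, size_t capacity)
{
    if (capacity < 2)
        return -1;
    pb->base = malloc(capacity);
    if (pb->base == NULL)
        return -1;
    pb->base[0] = '/';          /* absolute paths start with '/' */
    pb->base[1] = '\0';
    pb->dest = pb->base + 1;
    pb->limit = pb->base + capacity;
    return 0;
}

/* Capacity check in the shape the patch uses: subtract first, compare
   second.  'limit - dest' is always a valid difference because dest never
   passes limit, so no out-of-range pointer is formed however large
   'needed' is.  The pre-patch shape, dest + needed >= limit, would first
   compute a pointer that may lie far outside the allocation.  Strict '<'
   leaves at least one byte for the terminating NUL. */
bool pathbuf_has_room(const struct pathbuf *pb, ptrdiff_t needed)
{
    return needed < pb->limit - pb->dest;
}

/* Append one component [start, end), inserting '/' when the buffer does not
   already end with one and growing the buffer when the check fails (the
   same dest_offset / realloc pattern that follows the hunk). */
int pathbuf_append(struct pathbuf *pb, const char *start, const char *end)
{
    ptrdiff_t len = end - start;
    if (len <= 0 || len > PTRDIFF_MAX - 1)
        return -1;
    ptrdiff_t needed = len + 1;             /* possible '/' plus component */
    if (!pathbuf_has_room(pb, needed)) {
        ptrdiff_t dest_offset = pb->dest - pb->base;
        size_t new_size = (size_t)(pb->limit - pb->base);
        do {
            new_size *= 2;
        } while ((ptrdiff_t)new_size - dest_offset <= needed);
        char *new_base = realloc(pb->base, new_size);
        if (new_base == NULL)
            return -1;
        pb->base = new_base;
        pb->dest = new_base + dest_offset;  /* re-derive dest, as the hunk's path does */
        pb->limit = new_base + new_size;
    }
    if (pb->dest[-1] != '/')
        *pb->dest++ = '/';
    memcpy(pb->dest, start, (size_t)len);
    pb->dest += len;
    *pb->dest = '\0';
    return 0;
}

/* Constructed walkthrough: start with a 4-byte buffer, append three
   components (forcing two grows), then ask for PTRDIFF_MAX bytes.
   Returns the final path length (10 for "/usr/lib/x") or -1 on failure. */
long pathbuf_demo(void)
{
    struct pathbuf pb;
    static const char *const parts[] = { "usr", "lib", "x" };
    if (pathbuf_init(&pb, 4) != 0)
        return -1;
    for (size_t i = 0; i < 3; i++) {
        const char *s = parts[i];
        if (pathbuf_append(&pb, s, s + strlen(s)) != 0) {
            free(pb.base);
            return -1;
        }
    }
    long result = -1;
    if (strcmp(pb.base, "/usr/lib/x") == 0 && pb.limit - pb.base == 16)
        result = (long)strlen(pb.base);
    /* A huge request must be refused without any pointer leaving the buffer. */
    if (pathbuf_has_room(&pb, PTRDIFF_MAX))
        result = -1;
    free(pb.base);
    return result;
}

int main(void)
{
    long n = pathbuf_demo();
    printf("final path length: %ld\n", n);
    return n == 10 ? 0 : 1;
}
```

The growth loop deliberately tests `(ptrdiff_t)new_size - dest_offset <= needed`, the negation of `pathbuf_has_room`, so the two agree on exactly when a component fits; keeping the same subtraction form in both places is what keeps the write position and the limit pointer inside the allocation across every realloc.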