From patchwork Thu Jan 13 05:59:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siddhesh Poyarekar X-Patchwork-Id: 49948 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 24FB13892472 for ; Thu, 13 Jan 2022 05:59:52 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 24FB13892472 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1642053592; bh=Kc/GVYqkLTESiBELl8zZun018W6/x2pBvx1a9RqpIvI=; h=To:Subject:Date:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=I5suCdDUMWLb5WcmkMas34mhavEhH3b+VSymAtG3ZTl9kftUeYvOYZmZXZg2t8fhT Qphyc9OEJoJs6SfiP/hJmiMuEkzBHDr7GnNYObxJFGZ9DAGXzVonT6+NYYnzsznRQD 5xARDc8HVA8V7d/8RHxbeaTmdkkMLGbOR6E2hgOY= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from quail.birch.relay.mailchannels.net (quail.birch.relay.mailchannels.net [23.83.209.151]) by sourceware.org (Postfix) with ESMTPS id 7C2D43891C07 for ; Thu, 13 Jan 2022 05:59:30 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 7C2D43891C07 X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 44B5B120BFE; Thu, 13 Jan 2022 05:59:29 +0000 (UTC) Received: from pdx1-sub0-mail-a306.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id B9858121139; Thu, 13 Jan 2022 05:59:28 +0000 (UTC) X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from pdx1-sub0-mail-a306.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.124.238.86 (trex/6.4.3); Thu, 13 Jan 2022 05:59:29 +0000 X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Dime-Imminent: 741e4958341c0896_1642053569167_2162477880 X-MC-Loop-Signature: 1642053569167:2721255324 X-MC-Ingress-Time: 1642053569167 Received: from rhbox.redhat.com (unknown [1.186.121.232]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a306.dreamhost.com (Postfix) with ESMTPSA id 4JZDKC13Kwz1Z; Wed, 12 Jan 2022 21:59:26 -0800 (PST) To: libc-alpha@sourceware.org Subject: [PATCH v2] realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770] Date: Thu, 13 Jan 2022 11:29:20 +0530 Message-Id: <20220113055920.3155918-1-siddhesh@sourceware.org> X-Mailer: git-send-email 2.33.1 In-Reply-To: <20220113054203.3126818-1-siddhesh@sourceware.org> References: <20220113054203.3126818-1-siddhesh@sourceware.org> MIME-Version: 1.0 X-Spam-Status: No, score=-3494.5 required=5.0 tests=BAYES_00, GIT_PATCH_0, JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, KAM_SHORT, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, RCVD_IN_SBL, SPF_HELO_NONE, SPF_NEUTRAL, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Siddhesh Poyarekar via Libc-alpha From: Siddhesh Poyarekar Reply-To: Siddhesh Poyarekar Cc: fweimer@redhat.com Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" realpath returns an allocated string when the result exceeds PATH_MAX, which is unexpected when its second argument is not NULL. This results in the second argument (resolved) being uninitialized and also results in a memory leak since the caller expects resolved to be the same as the returned value. Return NULL and set errno to ENAMETOOLONG if the result exceeds PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. Signed-off-by: Siddhesh Poyarekar --- stdlib/Makefile | 1 + stdlib/canonicalize.c | 12 ++++- stdlib/tst-realpath-toolong.c | 84 +++++++++++++++++++++++++++++++++++ 3 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 stdlib/tst-realpath-toolong.c diff --git a/stdlib/Makefile b/stdlib/Makefile index 52e4d8cf19..897d4ea79d 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -108,6 +108,7 @@ tests := bug-fmtmsg1 \ tst-random \ tst-random2 \ tst-realpath \ + tst-realpath-toolong \ tst-secure-getenv \ tst-setcontext \ tst-setcontext2 \ diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c index f36bdf4c76..732dc7ea46 100644 --- a/stdlib/canonicalize.c +++ b/stdlib/canonicalize.c @@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved, error: *dest++ = '\0'; - if (resolved != NULL && dest - rname <= get_path_max ()) - rname = strcpy (resolved, rname); + if (resolved != NULL) + { + if (dest - rname <= get_path_max ()) + rname = strcpy (resolved, rname); + else + { + failed = true; + __set_errno (ENAMETOOLONG); + } + } error_nomem: scratch_buffer_free (&extra_buffer); diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c new file mode 100644 index 0000000000..71c0829a80 --- /dev/null +++ b/stdlib/tst-realpath-toolong.c @@ -0,0 +1,84 @@ +/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds + NAME_MAX. + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define BASENAME "tst-realpath-toolong." +size_t nest_count; +char dir[NAME_MAX + 1]; +char *base; + +static void +delete_subdirectories (const char *name) +{ + TEST_VERIFY (chdir (name) == 0); + if (--nest_count > 0) + delete_subdirectories (dir); + TEST_VERIFY (chdir ("..") == 0); + TEST_VERIFY (rmdir (name) == 0); +} + +static void +do_cleanup (void) +{ + TEST_VERIFY (chdir (base) == 0); + if (nest_count > 0) + delete_subdirectories (dir); +} + +int +do_test (void) +{ + base = support_create_temp_directory (BASENAME); + + TEST_VERIFY_EXIT (chdir (base) == 0); + + memset (dir, 'X', sizeof (dir) - 1); + dir[NAME_MAX] = '\0'; + + /* Create directories and descend into them so that the final path is larger + than PATH_MAX. */ + for (nest_count = 0; nest_count <= PATH_MAX / sizeof (dir); nest_count++) + { + TEST_VERIFY_EXIT (mkdir (dir, S_IRWXU) == 0); + TEST_VERIFY_EXIT (chdir (dir) == 0); + } + + char buf[PATH_MAX + 1]; + const char * const res = realpath (".", buf); + + /* canonicalize.c states that if the real path is >= PATH_MAX, then + realpath returns NULL and sets ENAMETOOLONG. */ + TEST_VERIFY_EXIT (res == NULL && errno == ENAMETOOLONG); + + do_cleanup (); + free (base); + return 0; +} + +#define CLEANUP_HANDLER do_cleanup +#include