|
 |
147e83 |
commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
|
|
|
147e83 |
Author: Dmitry V. Levin <ldv@altlinux.org>
|
|
|
147e83 |
Date: Sun Jan 7 02:03:41 2018 +0000
|
|
|
147e83 |
|
|
|
147e83 |
linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
|
|
|
147e83 |
|
|
|
147e83 |
Currently getcwd(3) can succeed without returning an absolute path
|
|
|
147e83 |
because the underlying getcwd syscall, starting with linux commit
|
|
|
147e83 |
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.
|
|
|
147e83 |
|
|
|
147e83 |
This is a conformance issue because "The getcwd() function shall
|
|
|
147e83 |
place an absolute pathname of the current working directory
|
|
|
147e83 |
in the array pointed to by buf, and return buf".
|
|
|
147e83 |
|
|
|
147e83 |
This is also a security issue because a non-absolute path returned
|
|
|
147e83 |
by getcwd(3) causes a buffer underflow in realpath(3).
|
|
|
147e83 |
|
|
|
147e83 |
Fix this by checking the path returned by getcwd syscall and falling
|
|
|
147e83 |
back to generic_getcwd if the path is not absolute, effectively making
|
|
|
147e83 |
getcwd(3) fail with ENOENT. The error code is chosen for consistency
|
|
|
147e83 |
with the case when the current directory is unlinked.
|
|
|
147e83 |
|
|
|
147e83 |
[BZ #22679]
|
|
|
147e83 |
CVE-2018-1000001
|
|
|
147e83 |
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
|
|
|
147e83 |
generic_getcwd if the path returned by getcwd syscall is not absolute.
|
|
|
147e83 |
* io/tst-getcwd-abspath.c: New test.
|
|
|
147e83 |
* io/Makefile (tests): Add tst-getcwd-abspath.
|
|
|
147e83 |
|
|
|
147e83 |
Index: glibc-2.17-c758a686/io/Makefile
|
|
|
147e83 |
===================================================================
|
|
|
147e83 |
--- glibc-2.17-c758a686.orig/io/Makefile
|
|
|
147e83 |
+++ glibc-2.17-c758a686/io/Makefile
|
|
|
147e83 |
@@ -70,7 +70,8 @@ tests := test-utime test-stat test-stat
|
|
|
147e83 |
tst-symlinkat tst-linkat tst-readlinkat tst-mkdirat \
|
|
|
147e83 |
tst-mknodat tst-mkfifoat tst-ttyname_r bug-ftw5 \
|
|
|
147e83 |
tst-posix_fallocate \
|
|
|
147e83 |
- tst-open-tmpfile
|
|
|
147e83 |
+ tst-open-tmpfile \
|
|
|
147e83 |
+ tst-getcwd-abspath
|
|
|
147e83 |
|
|
|
147e83 |
include ../Rules
|
|
|
147e83 |
|
|
|
147e83 |
Index: glibc-2.17-c758a686/io/tst-getcwd-abspath.c
|
|
|
147e83 |
===================================================================
|
|
|
147e83 |
--- /dev/null
|
|
|
147e83 |
+++ glibc-2.17-c758a686/io/tst-getcwd-abspath.c
|
|
|
147e83 |
@@ -0,0 +1,66 @@
|
|
|
147e83 |
+/* BZ #22679 getcwd(3) should not succeed without returning an absolute path.
|
|
|
147e83 |
+
|
|
|
147e83 |
+ Copyright (C) 2018 Free Software Foundation, Inc.
|
|
|
147e83 |
+ This file is part of the GNU C Library.
|
|
|
147e83 |
+
|
|
|
147e83 |
+ The GNU C Library is free software; you can redistribute it and/or
|
|
|
147e83 |
+ modify it under the terms of the GNU Lesser General Public
|
|
|
147e83 |
+ License as published by the Free Software Foundation; either
|
|
|
147e83 |
+ version 2.1 of the License, or (at your option) any later version.
|
|
|
147e83 |
+
|
|
|
147e83 |
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
|
147e83 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
147e83 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
147e83 |
+ Lesser General Public License for more details.
|
|
|
147e83 |
+
|
|
|
147e83 |
+ You should have received a copy of the GNU Lesser General Public
|
|
|
147e83 |
+ License along with the GNU C Library; if not, see
|
|
|
147e83 |
+ <https://www.gnu.org/licenses/>. */
|
|
|
147e83 |
+
|
|
|
147e83 |
+#include <errno.h>
|
|
|
147e83 |
+#include <stdio.h>
|
|
|
147e83 |
+#include <stdlib.h>
|
|
|
147e83 |
+#include <support/check.h>
|
|
|
147e83 |
+#include <support/namespace.h>
|
|
|
147e83 |
+#include <support/support.h>
|
|
|
147e83 |
+#include <support/temp_file.h>
|
|
|
147e83 |
+#include <support/test-driver.h>
|
|
|
147e83 |
+#include <support/xunistd.h>
|
|
|
147e83 |
+#include <unistd.h>
|
|
|
147e83 |
+
|
|
|
147e83 |
+static char *chroot_dir;
|
|
|
147e83 |
+
|
|
|
147e83 |
+/* The actual test. Run it in a subprocess, so that the test harness
|
|
|
147e83 |
+ can remove the temporary directory in --direct mode. */
|
|
|
147e83 |
+static void
|
|
|
147e83 |
+getcwd_callback (void *closure)
|
|
|
147e83 |
+{
|
|
|
147e83 |
+ xchroot (chroot_dir);
|
|
|
147e83 |
+
|
|
|
147e83 |
+ errno = 0;
|
|
|
147e83 |
+ char *cwd = getcwd (NULL, 0);
|
|
|
147e83 |
+ TEST_COMPARE (errno, ENOENT);
|
|
|
147e83 |
+ TEST_VERIFY (cwd == NULL);
|
|
|
147e83 |
+
|
|
|
147e83 |
+ errno = 0;
|
|
|
147e83 |
+ cwd = realpath (".", NULL);
|
|
|
147e83 |
+ TEST_COMPARE (errno, ENOENT);
|
|
|
147e83 |
+ TEST_VERIFY (cwd == NULL);
|
|
|
147e83 |
+
|
|
|
147e83 |
+ _exit (0);
|
|
|
147e83 |
+}
|
|
|
147e83 |
+
|
|
|
147e83 |
+static int
|
|
|
147e83 |
+do_test (void)
|
|
|
147e83 |
+{
|
|
|
147e83 |
+ support_become_root ();
|
|
|
147e83 |
+ if (!support_can_chroot ())
|
|
|
147e83 |
+ return EXIT_UNSUPPORTED;
|
|
|
147e83 |
+
|
|
|
147e83 |
+ chroot_dir = support_create_temp_directory ("tst-getcwd-abspath-");
|
|
|
147e83 |
+ support_isolate_in_subprocess (getcwd_callback, NULL);
|
|
|
147e83 |
+
|
|
|
147e83 |
+ return 0;
|
|
|
147e83 |
+}
|
|
|
147e83 |
+
|
|
|
147e83 |
+#include <support/test-driver.c>
|
|
|
147e83 |
Index: glibc-2.17-c758a686/sysdeps/unix/sysv/linux/getcwd.c
|
|
|
147e83 |
===================================================================
|
|
|
147e83 |
--- glibc-2.17-c758a686.orig/sysdeps/unix/sysv/linux/getcwd.c
|
|
|
147e83 |
+++ glibc-2.17-c758a686/sysdeps/unix/sysv/linux/getcwd.c
|
|
|
147e83 |
@@ -79,7 +79,7 @@ __getcwd (char *buf, size_t size)
|
|
|
147e83 |
int retval;
|
|
|
147e83 |
|
|
|
147e83 |
retval = INLINE_SYSCALL (getcwd, 2, CHECK_STRING (path), alloc_size);
|
|
|
147e83 |
- if (retval >= 0)
|
|
|
147e83 |
+ if (retval >= 0 && path[0] == '/')
|
|
|
147e83 |
{
|
|
|
147e83 |
#ifndef NO_ALLOCATION
|
|
|
147e83 |
if (buf == NULL && size == 0)
|
|
|
147e83 |
@@ -95,10 +95,10 @@ __getcwd (char *buf, size_t size)
|
|
|
147e83 |
return buf;
|
|
|
147e83 |
}
|
|
|
147e83 |
|
|
|
147e83 |
- /* The system call cannot handle paths longer than a page.
|
|
|
147e83 |
- Neither can the magic symlink in /proc/self. Just use the
|
|
|
147e83 |
+ /* The system call either cannot handle paths longer than a page
|
|
|
147e83 |
+ or can succeed without returning an absolute path. Just use the
|
|
|
147e83 |
generic implementation right away. */
|
|
|
147e83 |
- if (errno == ENAMETOOLONG)
|
|
|
147e83 |
+ if (retval >= 0 || errno == ENAMETOOLONG)
|
|
|
147e83 |
{
|
|
|
147e83 |
#ifndef NO_ALLOCATION
|
|
|
147e83 |
if (buf == NULL && size == 0)
|