Submitted by: William Harrington (kb0iic at clfs dot ort) Date: 2018-01-05 Initial Package Version: 2.26 Origin: https://sourceware.org/bugzilla/show_bug.cgi?id=22320 https://sourceware.org/bugzilla/show_bug.cgi?id=22325 https://sourceware.org/bugzilla/show_bug.cgi?id=22332 Description: Fixes Memory leak in glob with GLOB_TILDE Fixes Buffer overflow in glob with GLOB_TILDE in unescaping diff -Naur glibc-2.26.orig/ChangeLog glibc-2.26/ChangeLog --- glibc-2.26.orig/ChangeLog 2017-08-02 12:57:16.000000000 +0000 +++ glibc-2.26/ChangeLog 2018-01-05 14:44:14.213870591 +0000 @@ -1,3 +1,23 @@ +2017-10-22 Paul Eggert + + [BZ #22332] + * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE + unescaping. + +2017-10-21 Florian Weimer + + * posix/Makefile (tests): Add tst-glob-tilde. + (tests-special): Add tst-glob-tilde-mem.out + (tst-glob-tilde-ENV): Set MALLOC_TRACE. + (tst-glob-tilde-mem.out): Add mtrace check. + * posix/tst-glob-tilde.c: New file. + +2017-10-20 Paul Eggert + + [BZ #22320] + CVE-2017-15670 + * posix/glob.c (__glob): Fix one-byte overflow. + 2017-08-02 Siddhesh Poyarekar * version.h (RELEASE): Set to "stable" diff -Naur glibc-2.26.orig/NEWS glibc-2.26/NEWS --- glibc-2.26.orig/NEWS 2017-08-02 12:57:16.000000000 +0000 +++ glibc-2.26/NEWS 2018-01-05 14:42:17.514827919 +0000 @@ -206,6 +206,11 @@ * A use-after-free vulnerability in clntudp_call in the Sun RPC system has been fixed (CVE-2017-12133). + CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, + suffered from a one-byte overflow during ~ operator processing (either + on the stack or the heap, depending on the length of the user name). + Reported by Tim Rühsen. + The following bugs are resolved with this release: [984] network: Respond to changed resolv.conf in gethostbyname diff -Naur glibc-2.26.orig/posix/Makefile glibc-2.26/posix/Makefile --- glibc-2.26.orig/posix/Makefile 2017-08-02 12:57:16.000000000 +0000 +++ glibc-2.26/posix/Makefile 2018-01-05 14:43:21.001043109 +0000 @@ -93,7 +93,7 @@ tst-fnmatch3 bug-regex36 tst-getaddrinfo5 \ tst-posix_spawn-fd tst-posix_spawn-setsid \ tst-posix_fadvise tst-posix_fadvise64 \ - tst-sysconf-empty-chroot + tst-sysconf-empty-chroot tst-glob-tilde tests-internal := bug-regex5 bug-regex20 bug-regex33 \ tst-rfc3484 tst-rfc3484-2 tst-rfc3484-3 xtests := bug-ga2 @@ -141,7 +141,8 @@ $(objpfx)tst-rxspencer-no-utf8-mem.out $(objpfx)tst-pcre-mem.out \ $(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \ $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \ - $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out + $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \ + $(objpfx)tst-glob-tilde-mem.out xtests-special += $(objpfx)bug-ga2-mem.out endif @@ -350,6 +351,12 @@ $(common-objpfx)malloc/mtrace $(objpfx)bug-glob2.mtrace > $@; \ $(evaluate-test) +tst-glob-tilde-ENV = MALLOC_TRACE=$(objpfx)tst-glob-tilde.mtrace + +$(objpfx)tst-glob-tilde-mem.out: $(objpfx)tst-glob-tilde.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-glob-tilde.mtrace > $@; \ + $(evaluate-test) + $(inst_libexecdir)/getconf: $(inst_bindir)/getconf \ $(objpfx)getconf.speclist FORCE $(addprefix $(..)./scripts/mkinstalldirs ,\ diff -Naur glibc-2.26.orig/posix/glob.c glibc-2.26/posix/glob.c --- glibc-2.26.orig/posix/glob.c 2017-08-02 12:57:16.000000000 +0000 +++ glibc-2.26/posix/glob.c 2018-01-05 14:42:17.516827800 +0000 @@ -843,7 +843,7 @@ *p = '\0'; } else - *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) + *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) = '\0'; user_name = newp; } diff -Naur glibc-2.26.orig/posix/tst-glob-tilde.c glibc-2.26/posix/tst-glob-tilde.c --- glibc-2.26.orig/posix/tst-glob-tilde.c 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.26/posix/tst-glob-tilde.c 2018-01-05 14:44:14.194871723 +0000 @@ -0,0 +1,143 @@ +/* Check for GLOB_TIDLE heap allocation issues (bugs 22320, 22325, 22332). + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include + +/* Flag which indicates whether to pass the GLOB_ONLYDIR flag. */ +static int do_onlydir; + +/* Flag which indicates whether to pass the GLOB_NOCHECK flag. */ +static int do_nocheck; + +/* Flag which indicates whether to pass the GLOB_MARK flag. */ +static int do_mark; + +/* Flag which indicates whether to pass the GLOB_NOESCAPE flag. */ +static int do_noescape; + +static void +one_test (const char *prefix, const char *middle, const char *suffix) +{ + char *pattern = xasprintf ("%s%s%s", prefix, middle, suffix); + int flags = GLOB_TILDE; + if (do_onlydir) + flags |= GLOB_ONLYDIR; + if (do_nocheck) + flags |= GLOB_NOCHECK; + if (do_mark) + flags |= GLOB_MARK; + if (do_noescape) + flags |= GLOB_NOESCAPE; + glob_t gl; + /* This glob call might result in crashes or memory leaks. */ + if (glob (pattern, flags, NULL, &gl) == 0) + globfree (&gl); + free (pattern); +} + +enum + { + /* The largest base being tested. */ + largest_base_size = 500000, + + /* The actual size is the base size plus a variable whose absolute + value is not greater than this. This helps malloc to trigger + overflows. */ + max_size_skew = 16, + + /* The maximum string length supported by repeating_string + below. */ + repeat_size = largest_base_size + max_size_skew, + }; + +/* Used to construct strings which repeat a single character 'x'. */ +static char *repeat; + +/* Return a string of SIZE characters. */ +const char * +repeating_string (int size) +{ + TEST_VERIFY (size >= 0); + TEST_VERIFY (size <= repeat_size); + const char *repeated_shifted = repeat + repeat_size - size; + TEST_VERIFY (strlen (repeated_shifted) == size); + return repeated_shifted; +} + +static int +do_test (void) +{ + /* Avoid network-based NSS modules and initialize nss_files with a + dummy lookup. This has to come before mtrace because NSS does + not free all memory. */ + __nss_configure_lookup ("passwd", "files"); + (void) getpwnam ("root"); + + mtrace (); + + repeat = xmalloc (repeat_size + 1); + memset (repeat, 'x', repeat_size); + repeat[repeat_size] = '\0'; + + /* These numbers control the size of the user name. The values + cover the minimum (0), a typical size (8), a large + stack-allocated size (100000), and a somewhat large + heap-allocated size (largest_base_size). */ + static const int base_sizes[] = { 0, 8, 100, 100000, largest_base_size, -1 }; + + for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir) + for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck) + for (do_mark = 0; do_mark < 2; ++do_mark) + for (do_noescape = 0; do_noescape < 2; ++do_noescape) + for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx) + { + for (int size_skew = -max_size_skew; size_skew <= max_size_skew; + ++size_skew) + { + int size = base_sizes[base_idx] + size_skew; + if (size < 0) + continue; + + const char *user_name = repeating_string (size); + one_test ("~", user_name, "/a/b"); + one_test ("~", user_name, "x\\x\\x////x\\a"); + } + + const char *user_name = repeating_string (base_sizes[base_idx]); + one_test ("~", user_name, ""); + one_test ("~", user_name, "/"); + one_test ("~", user_name, "/a"); + one_test ("~", user_name, "/*/*"); + one_test ("~", user_name, "\\/"); + one_test ("/~", user_name, ""); + one_test ("*/~", user_name, "/a/b"); + } + + free (repeat); + + return 0; +} + +#include