diff options
Diffstat (limited to 'source/l/glibc/patches/glibc.CVE-2021-3999.patch')
| -rw-r--r-- | source/l/glibc/patches/glibc.CVE-2021-3999.patch | 356 |
1 files changed, 0 insertions, 356 deletions
diff --git a/source/l/glibc/patches/glibc.CVE-2021-3999.patch b/source/l/glibc/patches/glibc.CVE-2021-3999.patch deleted file mode 100644 index 0644f798a..000000000 --- a/source/l/glibc/patches/glibc.CVE-2021-3999.patch +++ /dev/null @@ -1,356 +0,0 @@ -From 472e799a5f2102bc0c3206dbd5a801765fceb39c Mon Sep 17 00:00:00 2001 -From: Siddhesh Poyarekar <siddhesh@sourceware.org> -Date: Fri, 21 Jan 2022 23:32:56 +0530 -Subject: [PATCH] getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999) - -No valid path returned by getcwd would fit into 1 byte, so reject the -size early and return NULL with errno set to ERANGE. This change is -prompted by CVE-2021-3999, which describes a single byte buffer -underflow and overflow when all of the following conditions are met: - -- The buffer size (i.e. the second argument of getcwd) is 1 byte -- The current working directory is too long -- '/' is also mounted on the current working directory - -Sequence of events: - -- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG - because the linux kernel checks for name length before it checks - buffer size - -- The code falls back to the generic getcwd in sysdeps/posix - -- In the generic func, the buf[0] is set to '\0' on line 250 - -- this while loop on line 262 is bypassed: - - while (!(thisdev == rootdev && thisino == rootino)) - - since the rootfs (/) is bind mounted onto the directory and the flow - goes on to line 449, where it puts a '/' in the byte before the - buffer. - -- Finally on line 458, it moves 2 bytes (the underflowed byte and the - '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow. - -- buf is returned on line 469 and errno is not set. - -This resolves BZ #28769. - -Reviewed-by: Andreas Schwab <schwab@linux-m68k.org> -Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> -Signed-off-by: Qualys Security Advisory <qsa@qualys.com> -Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> -(cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e) ---- - NEWS | 6 + - sysdeps/posix/getcwd.c | 7 + - sysdeps/unix/sysv/linux/Makefile | 7 +- - .../unix/sysv/linux/tst-getcwd-smallbuff.c | 241 ++++++++++++++++++ - 4 files changed, 260 insertions(+), 1 deletion(-) - create mode 100644 sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c - -diff --git a/NEWS b/NEWS -index b4f81c2668..8d7467d2c1 100644 ---- a/NEWS -+++ b/NEWS -@@ -20,6 +20,12 @@ Security related changes: - function could result in a memory leak and potential access of - uninitialized memory. Reported by Qualys. - -+ CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd -+ function may result in an off-by-one buffer underflow and overflow -+ when the current working directory is longer than PATH_MAX and also -+ corresponds to the / directory through an unprivileged mount -+ namespace. Reported by Qualys. -+ - The following bugs are resolved with this release: - - [12889] nptl: Fix race between pthread_kill and thread exit -diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c -index 13680026ff..b6984a382c 100644 ---- a/sysdeps/posix/getcwd.c -+++ b/sysdeps/posix/getcwd.c -@@ -187,6 +187,13 @@ __getcwd_generic (char *buf, size_t size) - size_t allocated = size; - size_t used; - -+ /* A size of 1 byte is never useful. */ -+ if (allocated == 1) -+ { -+ __set_errno (ERANGE); -+ return NULL; -+ } -+ - #if HAVE_MINIMALLY_WORKING_GETCWD - /* If AT_FDCWD is not defined, the algorithm below is O(N**2) and - this is much slower than the system getcwd (at least on -diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile -index 76ad06361c..9380d3848d 100644 ---- a/sysdeps/unix/sysv/linux/Makefile -+++ b/sysdeps/unix/sysv/linux/Makefile -@@ -331,7 +331,12 @@ sysdep_routines += xstatconv internal_statvfs \ - - sysdep_headers += bits/fcntl-linux.h - --tests += tst-fallocate tst-fallocate64 tst-o_path-locks -+tests += \ -+ tst-fallocate \ -+ tst-fallocate64 \ -+ tst-getcwd-smallbuff \ -+ tst-o_path-locks \ -+# tests - endif - - ifeq ($(subdir),elf) -diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c -new file mode 100644 -index 0000000000..d460d6e766 ---- /dev/null -+++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c -@@ -0,0 +1,241 @@ -+/* Verify that getcwd returns ERANGE for size 1 byte and does not underflow -+ buffer when the CWD is too long and is also a mount target of /. See bug -+ #28769 or CVE-2021-3999 for more context. -+ Copyright The GNU Toolchain Authors. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ <https://www.gnu.org/licenses/>. */ -+ -+#include <errno.h> -+#include <fcntl.h> -+#include <intprops.h> -+#include <limits.h> -+#include <stdio.h> -+#include <stdlib.h> -+#include <string.h> -+#include <sys/mount.h> -+#include <sys/stat.h> -+#include <sys/types.h> -+#include <sys/wait.h> -+ -+#include <sys/socket.h> -+#include <sys/un.h> -+#include <support/check.h> -+#include <support/temp_file.h> -+#include <support/xsched.h> -+#include <support/xunistd.h> -+ -+static char *base; -+#define BASENAME "tst-getcwd-smallbuff" -+#define MOUNT_NAME "mpoint" -+static int sockfd[2]; -+ -+static void -+do_cleanup (void) -+{ -+ support_chdir_toolong_temp_directory (base); -+ TEST_VERIFY_EXIT (rmdir (MOUNT_NAME) == 0); -+ free (base); -+} -+ -+static void -+send_fd (const int sock, const int fd) -+{ -+ struct msghdr msg = {0}; -+ union -+ { -+ struct cmsghdr hdr; -+ char buf[CMSG_SPACE (sizeof (int))]; -+ } cmsgbuf = {0}; -+ struct cmsghdr *cmsg; -+ struct iovec vec; -+ char ch = 'A'; -+ ssize_t n; -+ -+ msg.msg_control = &cmsgbuf.buf; -+ msg.msg_controllen = sizeof (cmsgbuf.buf); -+ -+ cmsg = CMSG_FIRSTHDR (&msg); -+ cmsg->cmsg_len = CMSG_LEN (sizeof (int)); -+ cmsg->cmsg_level = SOL_SOCKET; -+ cmsg->cmsg_type = SCM_RIGHTS; -+ memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd)); -+ -+ vec.iov_base = &ch; -+ vec.iov_len = 1; -+ msg.msg_iov = &vec; -+ msg.msg_iovlen = 1; -+ -+ while ((n = sendmsg (sock, &msg, 0)) == -1 && errno == EINTR); -+ -+ TEST_VERIFY_EXIT (n == 1); -+} -+ -+static int -+recv_fd (const int sock) -+{ -+ struct msghdr msg = {0}; -+ union -+ { -+ struct cmsghdr hdr; -+ char buf[CMSG_SPACE(sizeof(int))]; -+ } cmsgbuf = {0}; -+ struct cmsghdr *cmsg; -+ struct iovec vec; -+ ssize_t n; -+ char ch = '\0'; -+ int fd = -1; -+ -+ vec.iov_base = &ch; -+ vec.iov_len = 1; -+ msg.msg_iov = &vec; -+ msg.msg_iovlen = 1; -+ -+ msg.msg_control = &cmsgbuf.buf; -+ msg.msg_controllen = sizeof (cmsgbuf.buf); -+ -+ while ((n = recvmsg (sock, &msg, 0)) == -1 && errno == EINTR); -+ if (n != 1 || ch != 'A') -+ return -1; -+ -+ cmsg = CMSG_FIRSTHDR (&msg); -+ if (cmsg == NULL) -+ return -1; -+ if (cmsg->cmsg_type != SCM_RIGHTS) -+ return -1; -+ memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd)); -+ if (fd < 0) -+ return -1; -+ return fd; -+} -+ -+static int -+child_func (void * const arg) -+{ -+ xclose (sockfd[0]); -+ const int sock = sockfd[1]; -+ char ch; -+ -+ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1); -+ TEST_VERIFY_EXIT (ch == '1'); -+ -+ if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL)) -+ FAIL_EXIT1 ("mount failed: %m\n"); -+ const int fd = xopen ("mpoint", -+ O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0); -+ -+ send_fd (sock, fd); -+ xclose (fd); -+ -+ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1); -+ TEST_VERIFY_EXIT (ch == 'a'); -+ -+ xclose (sock); -+ return 0; -+} -+ -+static void -+update_map (char * const mapping, const char * const map_file) -+{ -+ const size_t map_len = strlen (mapping); -+ -+ const int fd = xopen (map_file, O_WRONLY, 0); -+ xwrite (fd, mapping, map_len); -+ xclose (fd); -+} -+ -+static void -+proc_setgroups_write (const long child_pid, const char * const str) -+{ -+ const size_t str_len = strlen(str); -+ -+ char setgroups_path[sizeof ("/proc//setgroups") + INT_STRLEN_BOUND (long)]; -+ -+ snprintf (setgroups_path, sizeof (setgroups_path), -+ "/proc/%ld/setgroups", child_pid); -+ -+ const int fd = open (setgroups_path, O_WRONLY); -+ -+ if (fd < 0) -+ { -+ TEST_VERIFY_EXIT (errno == ENOENT); -+ FAIL_UNSUPPORTED ("/proc/%ld/setgroups not found\n", child_pid); -+ } -+ -+ xwrite (fd, str, str_len); -+ xclose(fd); -+} -+ -+static char child_stack[1024 * 1024]; -+ -+int -+do_test (void) -+{ -+ base = support_create_and_chdir_toolong_temp_directory (BASENAME); -+ -+ xmkdir (MOUNT_NAME, S_IRWXU); -+ atexit (do_cleanup); -+ -+ TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0); -+ pid_t child_pid = xclone (child_func, NULL, child_stack, -+ sizeof (child_stack), -+ CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD); -+ -+ xclose (sockfd[1]); -+ const int sock = sockfd[0]; -+ -+ char map_path[sizeof ("/proc//uid_map") + INT_STRLEN_BOUND (long)]; -+ char map_buf[sizeof ("0 1") + INT_STRLEN_BOUND (long)]; -+ -+ snprintf (map_path, sizeof (map_path), "/proc/%ld/uid_map", -+ (long) child_pid); -+ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getuid()); -+ update_map (map_buf, map_path); -+ -+ proc_setgroups_write ((long) child_pid, "deny"); -+ snprintf (map_path, sizeof (map_path), "/proc/%ld/gid_map", -+ (long) child_pid); -+ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getgid()); -+ update_map (map_buf, map_path); -+ -+ TEST_VERIFY_EXIT (send (sock, "1", 1, MSG_NOSIGNAL) == 1); -+ const int fd = recv_fd (sock); -+ TEST_VERIFY_EXIT (fd >= 0); -+ TEST_VERIFY_EXIT (fchdir (fd) == 0); -+ -+ static char buf[2 * 10 + 1]; -+ memset (buf, 'A', sizeof (buf)); -+ -+ /* Finally, call getcwd and check if it resulted in a buffer underflow. */ -+ char * cwd = getcwd (buf + sizeof (buf) / 2, 1); -+ TEST_VERIFY (cwd == NULL); -+ TEST_VERIFY (errno == ERANGE); -+ -+ for (int i = 0; i < sizeof (buf); i++) -+ if (buf[i] != 'A') -+ { -+ printf ("buf[%d] = %02x\n", i, (unsigned int) buf[i]); -+ support_record_failure (); -+ } -+ -+ TEST_VERIFY_EXIT (send (sock, "a", 1, MSG_NOSIGNAL) == 1); -+ xclose (sock); -+ TEST_VERIFY_EXIT (xwaitpid (child_pid, NULL, 0) == child_pid); -+ -+ return 0; -+} -+ -+#define CLEANUP_HANDLER do_cleanup -+#include <support/test-driver.c> --- -2.27.0 - - |