From 9ec14ba8436e795b5573fee6685240721d7ca727 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@zoho.com>
Date: Fri, 13 Jun 2014
Subject: CVE-2014-4043
POSIX requires that we make a copy, so we allocate a new string
and free it in posix_spawn_file_actions_destroy.
Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug
may have security implications.
This backported fix for use on glibc 2.17 is based on the following
upstream commits:
https://sourceware.org/git/?p=glibc.git;h=89e435f3559c
https://sourceware.org/git/?p=glibc.git;h=35a5e3e338ae
---
posix/spawn_faction_addopen.c | 14 +++++++++++---
posix/spawn_faction_destroy.c | 22 ++++++++++++++++++++--
posix/spawn_int.h | 2 +-
posix/tst-spawn.c | 10 +++++++++-
4 files changed, 41 insertions(+), 7 deletions(-)
--- a/posix/spawn_faction_addopen.c
+++ b/posix/spawn_faction_addopen.c
@@ -18,6 +18,7 @@
#include <errno.h>
#include <spawn.h>
#include <unistd.h>
+#include <string.h>
#include "spawn_int.h"
@@ -35,17 +35,24 @@ posix_spawn_file_actions_addopen (posix_spawn_file_actions_t *file_actions,
if (fd < 0 || fd >= maxfd)
return EBADF;
+ char *path_copy = strdup (path);
+ if (path_copy == NULL)
+ return ENOMEM;
+
/* Allocate more memory if needed. */
if (file_actions->__used == file_actions->__allocated
&& __posix_spawn_file_actions_realloc (file_actions) != 0)
- /* This can only mean we ran out of memory. */
- return ENOMEM;
+ {
+ /* This can only mean we ran out of memory. */
+ free (path_copy);
+ return ENOMEM;
+ }
/* Add the new value. */
rec = &file_actions->__actions[file_actions->__used];
rec->tag = spawn_do_open;
rec->action.open_action.fd = fd;
- rec->action.open_action.path = path;
+ rec->action.open_action.path = path_copy;
rec->action.open_action.oflag = oflag;
rec->action.open_action.mode = mode;
--- a/posix/spawn_faction_destroy.c
+++ b/posix/spawn_faction_destroy.c
@@ -18,11 +18,29 @@
#include <spawn.h>
#include <stdlib.h>
-/* Initialize data structure for file attribute for `spawn' call. */
+#include "spawn_int.h"
+
+/* Deallocate the file actions. */
int
posix_spawn_file_actions_destroy (posix_spawn_file_actions_t *file_actions)
{
- /* Free the memory allocated. */
+ /* Free the paths in the open actions. */
+ for (int i = 0; i < file_actions->__used; ++i)
+ {
+ struct __spawn_action *sa = &file_actions->__actions[i];
+ switch (sa->tag)
+ {
+ case spawn_do_open:
+ free (sa->action.open_action.path);
+ break;
+ case spawn_do_close:
+ case spawn_do_dup2:
+ /* No cleanup required. */
+ break;
+ }
+ }
+
+ /* Free the array of actions. */
free (file_actions->__actions);
return 0;
}
--- a/posix/spawn_int.h
+++ b/posix/spawn_int.h
@@ -22,7 +22,7 @@ struct __spawn_action
struct
{
int fd;
- const char *path;
+ char *path;
int oflag;
mode_t mode;
} open_action;
--- a/posix/tst-spawn.c
+++ b/posix/tst-spawn.c
@@ -168,6 +168,7 @@ do_test (int argc, char *argv[])
char fd2name[18];
char fd3name[18];
char fd4name[18];
+ char *name3_copy;
char *spargv[12];
/* We must have
@@ -221,9 +222,15 @@ do_test (int argc, char *argv[])
if (posix_spawn_file_actions_addclose (&actions, fd1) != 0)
error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose");
/* We want to open the third file. */
- if (posix_spawn_file_actions_addopen (&actions, fd3, name3,
+ name3_copy = strdup (name3);
+ if (name3_copy == NULL)
+ error (EXIT_FAILURE, errno, "strdup");
+ if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy,
O_RDONLY, 0666) != 0)
error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen");
+ /* Overwrite the name to check that a copy has been made. */
+ memset (name3_copy, 'X', strlen (name3_copy));
+
/* We dup the second descriptor. */
fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1;
if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0)
@@ -254,6 +261,7 @@ do_test (int argc, char *argv[])
/* Cleanup. */
if (posix_spawn_file_actions_destroy (&actions) != 0)
error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy");
+ free (name3_copy);
/* Wait for the child. */
if (waitpid (pid, &status, 0) != pid)