packages/glibc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix use after free in glob when expanding user bug.

Browse Source
This commit is contained in:
liqingqing_1229 2020-03-10 14:54:34 +08:00
parent dd1801bb6b
commit bd7176f084
2 changed files with 70 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
Fix-use-after-free-in-glob-when-expanding-user-bug-2.patch Normal file
View File

@ -0,0 +1,63 @@
From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Wed, 19 Feb 2020 17:21:46 +0100
Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
The value of `end_name' points into the value of `dirname', thus don't
deallocate the latter before the last use of the former.
---
posix/glob.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/posix/glob.c b/posix/glob.c
index cba9cd18198..4580cefb9fa 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
{
size_t home_len = strlen (p->pw_dir);
size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
- char *d;
+ char *d, *newp;
+ bool use_alloca = glob_use_alloca (alloca_used,
+ home_len + rest_len + 1);
- if (__glibc_unlikely (malloc_dirname))
- free (dirname);
- malloc_dirname = 0;
-
- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
- dirname = alloca_account (home_len + rest_len + 1,
- alloca_used);
+ if (use_alloca)
+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
else
{
- dirname = malloc (home_len + rest_len + 1);
- if (dirname == NULL)
+ newp = malloc (home_len + rest_len + 1);
+ if (newp == NULL)
{
scratch_buffer_free (&pwtmpbuf);
retval = GLOB_NOSPACE;
goto out;
}
- malloc_dirname = 1;
}
- d = mempcpy (dirname, p->pw_dir, home_len);
+ d = mempcpy (newp, p->pw_dir, home_len);
if (end_name != NULL)
d = mempcpy (d, end_name, rest_len);
*d = '\0';
+ if (__glibc_unlikely (malloc_dirname))
+ free (dirname);
+ dirname = newp;
+ malloc_dirname = !use_alloca;
+
dirlen = home_len + rest_len;
dirname_modified = 1;
}
--
2.19.1

12
glibc.spec
View File

@ -59,7 +59,7 @@
############################################################################## ##############################################################################
Name: glibc Name: glibc
Version: 2.28 Version: 2.28
Release: 32 Release: 33
Summary: The GNU libc libraries Summary: The GNU libc libraries
License: %{all_license} License: %{all_license}
URL: http://www.gnu.org/software/glibc/ URL: http://www.gnu.org/software/glibc/
@ -73,6 +73,8 @@ Source5: glibc-bench-compare
Source6: LicenseList Source6: LicenseList
Source7: LanguageList Source7: LanguageList
Patch0: Fix-use-after-free-in-glob-when-expanding-user-bug-2.patch
Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
BuildRequires: audit-libs-devel >= 1.1.3, sed >= 3.95, libcap-devel, gettext BuildRequires: audit-libs-devel >= 1.1.3, sed >= 3.95, libcap-devel, gettext
@ -912,11 +914,11 @@ fi
%changelog %changelog
* Tue Mar 10 2020 liqingqing<liqingqing3@huawei.com> - 2.28-33
- fix use after free in glob when expanding user bug
* Wed Feb 26 2020 Wang Shuo<wangshuo47@huawei.com> - 2.28-32 * Wed Feb 26 2020 Wang Shuo<wangshuo47@huawei.com> - 2.28-32
- Type:bugfix - remove aditional require for debugutils package
- ID:NA
- SUG:NA
- DESC: remove aditional require for debugutils package
* Tue Jan 7 2020 Wang Shuo <wangshuo47@huawei.com> - 2.28-31 * Tue Jan 7 2020 Wang Shuo <wangshuo47@huawei.com> - 2.28-31
- Fix compile macro - Fix compile macro