diff options
author | Ondřej Bílka <neleai@seznam.cz> | 2013-10-31 13:58:01 +0100 |
---|---|---|
committer | Ondřej Bílka <neleai@seznam.cz> | 2013-10-31 13:59:01 +0100 |
commit | 5d30d853295a5fe04cad22fdf649c5e0da6ded8c (patch) | |
tree | 9428bf5c8d81db0efbc55c3e51cc0fe94244fb51 | |
parent | 8a43e768d9404c64e0d98d7a54871abad427fd69 (diff) | |
download | glibc-5d30d853295a5fe04cad22fdf649c5e0da6ded8c.tar.gz glibc-5d30d853295a5fe04cad22fdf649c5e0da6ded8c.tar.xz glibc-5d30d853295a5fe04cad22fdf649c5e0da6ded8c.zip |
Restrict shm_open and shm_unlink to SHMDIR. Fixes bugs 14752 and 15763.
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | NEWS | 16 | ||||
-rw-r--r-- | rt/tst-shm.c | 8 | ||||
-rw-r--r-- | sysdeps/unix/sysv/linux/shm_open.c | 14 |
4 files changed, 31 insertions, 14 deletions
diff --git a/ChangeLog b/ChangeLog index ceaccba43c..23d5f8cb44 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2013-10-31 Ondřej Bílka <neleai@seznam.cz> + + [BZ #14752], [BZ #15763] + * sysdeps/unix/sysv/linux/shm_open.c (shm_open, shm_unlink): + Validate name. + * rt/tst_shm.c: Add test for escaping directory. + 2013-10-31 Andreas Schwab <schwab@suse.de> [BZ #15917] diff --git a/NEWS b/NEWS index 23a3c9e767..3ceed0c326 100644 --- a/NEWS +++ b/NEWS @@ -10,14 +10,14 @@ Version 2.19 * The following bugs are resolved with this release: 156, 431, 832, 2801, 9954, 10278, 11087, 13028, 13982, 13985, 14029, - 14155, 14547, 14699, 14876, 14910, 15048, 15218, 15277, 15308, 15362, - 15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632, 15640, - 15670, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749, - 15754, 15760, 15764, 15797, 15799, 15825, 15844, 15847, 15849, 15855, - 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, - 15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939, 15948, 15963, - 15966, 15988, 16032, 16034, 16036, 16037, 16041, 16071, 16072, 16074, - 16078. + 14155, 14547, 14699, 14752, 14876, 14910, 15048, 15218, 15277, 15308, + 15362, 15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632, + 15640, 15670, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748, + 15749, 15754, 15760, 15763, 15764, 15797, 15799, 15825, 15844, 15847, + 15849, 15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, + 15893, 15895, 15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939, + 15948, 15963, 15966, 15988, 16032, 16034, 16036, 16037, 16041, 16071, + 16072, 16074, 16078. * CVE-2012-4412 The strcoll implementation caches indices and rules for large collation sequences to optimize multiple passes. This cache diff --git a/rt/tst-shm.c b/rt/tst-shm.c index f9d5ab0098..cb4b1ee764 100644 --- a/rt/tst-shm.c +++ b/rt/tst-shm.c @@ -134,6 +134,14 @@ do_test (void) int status2; struct stat64 st; + fd = shm_open ("/../escaped", O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0600); + if (fd != -1) + { + perror ("read file outside of SHMDIR directory"); + return 1; + } + + /* Create the shared memory object. */ fd = shm_open ("/shm-test", O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0600); if (fd == -1) diff --git a/sysdeps/unix/sysv/linux/shm_open.c b/sysdeps/unix/sysv/linux/shm_open.c index 41d93155a7..482b49cfe6 100644 --- a/sysdeps/unix/sysv/linux/shm_open.c +++ b/sysdeps/unix/sysv/linux/shm_open.c @@ -148,14 +148,15 @@ shm_open (const char *name, int oflag, mode_t mode) while (name[0] == '/') ++name; - if (name[0] == '\0') + namelen = strlen (name); + + /* Validate the filename. */ + if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL) { - /* The name "/" is not supported. */ __set_errno (EINVAL); return -1; } - namelen = strlen (name); fname = (char *) alloca (mountpoint.dirlen + namelen + 1); __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen), name, namelen + 1); @@ -237,14 +238,15 @@ shm_unlink (const char *name) while (name[0] == '/') ++name; - if (name[0] == '\0') + namelen = strlen (name); + + /* Validate the filename. */ + if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL) { - /* The name "/" is not supported. */ __set_errno (ENOENT); return -1; } - namelen = strlen (name); fname = (char *) alloca (mountpoint.dirlen + namelen + 1); __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen), name, namelen + 1); |