authorTulio Magno Quites Machado Filho <tuliom@linux.ibm.com>2020-03-20 18:24:51 -0300
committerTulio Magno Quites Machado Filho <tuliom@linux.ibm.com>2020-03-20 18:24:51 -0300
commit6869471f35da6446d5d83faf154256a2fccce9b3 (patch)
tree3d9b26cfa8b4386cd55e9436ea5b7058e190defc
parentfe5012e47407914ec1a66f8337f6adfba6c42680 (diff)
parent263e6175999bc7f5adb8b32fd12fcfae3f0bb05a (diff)
Merge branch release/2.26/master into ibm/2.26/master ibm/2.26/master
-rw-r--r--NEWS5
-rw-r--r--debug/tst-backtrace5.c12
-rw-r--r--posix/glob.c28
-rw-r--r--sysdeps/powerpc/powerpc32/backtrace.c2
-rw-r--r--sysdeps/powerpc/powerpc64/backtrace.c2
5 files changed, 38 insertions, 11 deletions
diff --git a/NEWS b/NEWS
index 3ccaae3968..b18a0f3d29 100644
--- a/NEWS
+++ b/NEWS
@@ -190,6 +190,7 @@ The following bugs are resolved with this release:
   [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)
   [25203] libio: Disable vtable validation for pre-2.1 interposed handles
   [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
+  [25423] Array overflow in backtrace on powerpc
 
 
 Version 2.26
@@ -393,6 +394,9 @@ Security related changes:
 * A use-after-free vulnerability in clntudp_call in the Sun RPC system has been
   fixed (CVE-2017-12133).
 
+* A use-after-free vulnerability in the glob function when expanding ~user has
+  been fixed (CVE-2020-1752).
+
 The following bugs are resolved with this release:
 
   [984] network: Respond to changed resolv.conf in gethostbyname
@@ -620,6 +624,7 @@ The following bugs are resolved with this release:
   [21839] localedata: Fix LC_MONETARY for ta_LK
   [21844] localedata: Fix Latin characters and Months Sequence.
   [21848] localedata: Fix mai_NP Title Name
+  [25414] 'glob' use-after-free bug (CVE-2020-1752)
 
 
 Version 2.25
diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
index 0b85e4482e..57b7dee0f6 100644
--- a/debug/tst-backtrace5.c
+++ b/debug/tst-backtrace5.c
@@ -88,6 +88,18 @@ handle_signal (int signum)
       }
   /* Symbol names are not available for static functions, so we do not
      check do_test.  */
+
+  /* Check that backtrace does not return more than what fits in the array
+     (bug 25423).  */
+  for (int j = 0; j < NUM_FUNCTIONS; j++)
+    {
+      n = backtrace (addresses, j);
+      if (n > j)
+	{
+	  FAIL ();
+	  return;
+	}
+    }
 }
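Review bot: The new loop stops at `j < NUM_FUNCTIONS`, so the exact-fit case, where the array is passed with its full size, is never covered by this check even though the powerpc fix it exercises (`count + 1 == size`) applies at every size. If `addresses` has `NUM_FUNCTIONS` entries (its declaration is outside the hunk), `for (int j = 0; j <= NUM_FUNCTIONS; j++)` would cover that boundary too. It would also be worth failing on `n < 0`, since a negative return would otherwise pass the `n > j` test silently. `handle_signal` starts before this hunk.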
 
 NO_INLINE int
diff --git a/posix/glob.c b/posix/glob.c
index b2273ea7bc..0c6eeb3637 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -947,26 +947,32 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		size_t home_len = strlen (p->pw_dir);
 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
 
-		if (__glibc_unlikely (malloc_dirname))
-		  free (dirname);
-		malloc_dirname = 0;
+		char *d, *newp;
+		bool use_alloca = glob_use_alloca (alloca_used,
+						   home_len + rest_len + 1);
 
-		if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
-		  dirname = alloca_account (home_len + rest_len + 1,
-					    alloca_used);
+		if (use_alloca)
+		  newp = alloca_account (home_len + rest_len + 1, alloca_used);
 		else
 		  {
-		    dirname = malloc (home_len + rest_len + 1);
-		    if (dirname == NULL)
+		    newp = malloc (home_len + rest_len + 1);
+		    if (newp == NULL)
 		      {
 			free (malloc_pwtmpbuf);
 			retval = GLOB_NOSPACE;
 			goto out;
 		      }
-		    malloc_dirname = 1;
 		  }
-		*((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
-				    end_name, rest_len)) = '\0';
+
+		d = mempcpy (newp, p->pw_dir, home_len);
+		if (end_name != NULL)
+		  d = mempcpy (d, end_name, rest_len);
+		*d = '\0';
+
+		if (__glibc_unlikely (malloc_dirname))
+		  free (dirname);
+		dirname = newp;
+		malloc_dirname = !use_alloca;
 
 		dirlen = home_len + rest_len;
 		dirname_modified = 1;
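Review bot: The reason the `free (dirname)` has moved below the copy is not recorded in the code, and a future cleanup could easily move it back. Presumably `end_name` can point into the old `dirname` (the NEWS entry describes this as a use-after-free when expanding ~user), so the old buffer must outlive the `mempcpy` calls; a comment before the free such as `/* Free the old dirname only now: end_name may point into it (bug 25414).  */` would pin that down. The surrounding `glob` body starts and ends outside the hunk.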
diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
index 187c3b3349..f0a67008d9 100644
--- a/sysdeps/powerpc/powerpc32/backtrace.c
+++ b/sysdeps/powerpc/powerpc32/backtrace.c
@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
         }
       if (gregset)
 	{
+	  if (count + 1 == size)
+	    break;
 	  array[++count] = (void*)((*gregset)[PT_NIP]);
 	  current = (void*)((*gregset)[PT_R1]);
 	}
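Review bot: The guard `if (count + 1 == size) break;` relies on the enclosing loop keeping `count` strictly below `size` on entry; if that invariant is ever loosened, the equality check is skipped and `array[++count]` writes past the end again. `if (count + 1 >= size) break;` costs nothing and fails closed, and the same applies to the identical guard in the powerpc64 backtrace.c hunk. The loop and `__backtrace` body continue outside both hunks, so the invariant cannot be confirmed from here.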
diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
index 919bf1cfd7..dd25b90bfc 100644
--- a/sysdeps/powerpc/powerpc64/backtrace.c
+++ b/sysdeps/powerpc/powerpc64/backtrace.c
@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
       if (is_sigtramp_address (current->return_address))
         {
 	  struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
+	  if (count + 1 == size)
+	    break;
           array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
 	  current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
 	}