From 5d30d853295a5fe04cad22fdf649c5e0da6ded8c Mon Sep 17 00:00:00 2001
From: Ondřej Bílka
Date: Thu, 31 Oct 2013 13:58:01 +0100
Subject: Restrict shm_open and shm_unlink to SHMDIR. Fixes bugs 14752 and 15763.
---
 ChangeLog | 7 +++++++
 NEWS | 16 ++++++++--------
 rt/tst-shm.c | 8 ++++++++
 sysdeps/unix/sysv/linux/shm_open.c | 14 ++++++++------
 4 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ceaccba43c..23d5f8cb44 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-10-31 Ondřej Bílka
+
+ [BZ #14752], [BZ #15763]
+ * sysdeps/unix/sysv/linux/shm_open.c (shm_open, shm_unlink):
+ Validate name.
+ * rt/tst_shm.c: Add test for escaping directory.
+
 2013-10-31 Andreas Schwab
 
 [BZ #15917]
diff --git a/NEWS b/NEWS
index 23a3c9e767..3ceed0c326 100644
--- a/NEWS
+++ b/NEWS
@@ -10,14 +10,14 @@ Version 2.19
 * The following bugs are resolved with this release:
 
 156, 431, 832, 2801, 9954, 10278, 11087, 13028, 13982, 13985, 14029,
- 14155, 14547, 14699, 14876, 14910, 15048, 15218, 15277, 15308, 15362,
- 15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632, 15640,
- 15670, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749,
- 15754, 15760, 15764, 15797, 15799, 15825, 15844, 15847, 15849, 15855,
- 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895,
- 15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939, 15948, 15963,
- 15966, 15988, 16032, 16034, 16036, 16037, 16041, 16071, 16072, 16074,
- 16078.
+ 14155, 14547, 14699, 14752, 14876, 14910, 15048, 15218, 15277, 15308,
+ 15362, 15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632,
+ 15640, 15670, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748,
+ 15749, 15754, 15760, 15763, 15764, 15797, 15799, 15825, 15844, 15847,
+ 15849, 15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892,
+ 15893, 15895, 15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939,
+ 15948, 15963, 15966, 15988, 16032, 16034, 16036, 16037, 16041, 16071,
+ 16072, 16074, 16078.
 * CVE-2012-4412 The strcoll implementation caches indices and rules for large collation sequences to optimize multiple passes. This cache
diff --git a/rt/tst-shm.c b/rt/tst-shm.c
index f9d5ab0098..cb4b1ee764 100644
--- a/rt/tst-shm.c
+++ b/rt/tst-shm.c
@@ -134,6 +134,14 @@ do_test (void)
 int status2;
 struct stat64 st;
 
+ fd = shm_open ("/../escaped", O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0600);
+ if (fd != -1)
+ {
+ perror ("read file outside of SHMDIR directory");
+ return 1;
+ }
+
+
 /* Create the shared memory object. */
 fd = shm_open ("/shm-test", O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0600);
 if (fd == -1)
diff --git a/sysdeps/unix/sysv/linux/shm_open.c b/sysdeps/unix/sysv/linux/shm_open.c
index 41d93155a7..482b49cfe6 100644
--- a/sysdeps/unix/sysv/linux/shm_open.c
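Review bot: The added negative check in do_test treats any failure of `shm_open ("/../escaped", ...)` as a pass, so it would also pass when the call fails for an unrelated reason (for example a permission error on the directory above SHMDIR) rather than because the name was rejected. Checking the error as well, `if (fd != -1 || errno != EINVAL)`, would tie the test to the validation; this assumes `<errno.h>` is included, which the hunk does not show. On the failing branch `perror` runs after a successful call, where errno is not meaningful, so a plain `puts ("shm_open accepted a name outside SHMDIR");` is clearer, and the descriptor should be closed and the object unlinked so a failing run leaves nothing behind. do_test's body continues outside the hunk.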
+++ b/sysdeps/unix/sysv/linux/shm_open.c
@@ -148,14 +148,15 @@ shm_open (const char *name, int oflag, mode_t mode)
 while (name[0] == '/')
 ++name;
 
- if (name[0] == '\0')
+ namelen = strlen (name);
+
+ /* Validate the filename. */
+ if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
 {
- /* The name "/" is not supported. */
 __set_errno (EINVAL);
 return -1;
 }
 
- namelen = strlen (name);
 fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
 __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
 name, namelen + 1);
@@ -237,14 +238,15 @@ shm_unlink (const char *name)
 while (name[0] == '/')
 ++name;
 
- if (name[0] == '\0')
+ namelen = strlen (name);
+
+ /* Validate the filename. */
+ if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
 {
- /* The name "/" is not supported. */
 __set_errno (ENOENT);
 return -1;
 }
 
- namelen = strlen (name);
 fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
 __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
 name, namelen + 1);
-- cgit 1.4.1
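Review bot: The slash test added to the validation in shm_open is inverted: `strchr (name, '/') == NULL` is true for a name that contains no further slash, so ordinary names such as the `shm-test` used in rt/tst-shm.c are rejected with EINVAL, while `../escaped` (what remains of `/../escaped` once the leading slashes are skipped) contains a slash and gets through to the path construction. The condition should read `if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') != NULL)`. The shm_unlink hunk has the same condition and needs the same change. Both function bodies start and end outside their hunks, so the declaration of `namelen` is not visible here.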