From 771c846a71d9ee14aa3b91fd184026482da585d9 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 7 Jan 2018 02:03:41 +0000 Subject: linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679] Currently getcwd(3) can succeed without returning an absolute path because the underlying getcwd syscall, starting with linux commit v2.6.36-rc1~96^2~2, may succeed without returning an absolute path. This is a conformance issue because "The getcwd() function shall place an absolute pathname of the current working directory in the array pointed to by buf, and return buf". This is also a security issue because a non-absolute path returned by getcwd(3) causes a buffer underflow in realpath(3). Fix this by checking the path returned by getcwd syscall and falling back to generic_getcwd if the path is not absolute, effectively making getcwd(3) fail with ENOENT. The error code is chosen for consistency with the case when the current directory is unlinked. [BZ #22679] CVE-2018-1000001 * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to generic_getcwd if the path returned by getcwd syscall is not absolute. * io/tst-getcwd-abspath.c: New test. * io/Makefile (tests): Add tst-getcwd-abspath. (cherry picked from commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94) --- ChangeLog | 9 ++++++ NEWS | 6 ++++ io/Makefile | 2 +- io/tst-getcwd-abspath.c | 66 ++++++++++++++++++++++++++++++++++++++++ sysdeps/unix/sysv/linux/getcwd.c | 8 ++--- 5 files changed, 86 insertions(+), 5 deletions(-) create mode 100644 io/tst-getcwd-abspath.c diff --git a/ChangeLog b/ChangeLog index 135ff6b518..7f83c9337d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2018-01-12 Dmitry V. Levin + + [BZ #22679] + CVE-2018-1000001 + * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to + generic_getcwd if the path returned by getcwd syscall is not absolute. + * io/tst-getcwd-abspath.c: New test. + * io/Makefile (tests): Add tst-getcwd-abspath. + 2017-08-22 Joseph Myers * assert/Makefile [$(have-cxx-thread_local)]: Move conditional diff --git a/NEWS b/NEWS index d84e1fa50b..1cad04eb0e 100644 --- a/NEWS +++ b/NEWS @@ -40,6 +40,10 @@ Security related changes: for AT_SECURE or SUID binaries could be used to load libraries from the current directory. + CVE-2018-1000001: Buffer underflow in realpath function when getcwd function + succeeds without returning an absolute path due to unexpected behaviour + of the Linux kernel getcwd syscall. Reported by halfdog. + The following bugs are resolved with this release: [20257] sunrpc: clntudp_call does not enforce timeout when receiving data @@ -63,6 +67,8 @@ The following bugs are resolved with this release: [22078] nss_files performance issue in hosts multi mode [22322] libc: [mips64] wrong bits/long-double.h installed [22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice + [22679] getcwd(3) can succeed without returning an absolute path + (CVE-2018-1000001) Version 2.25 diff --git a/io/Makefile b/io/Makefile index 333a049d2b..9c39bd08a7 100644 --- a/io/Makefile +++ b/io/Makefile @@ -72,7 +72,7 @@ tests := test-utime test-stat test-stat2 test-lfs tst-getcwd \ tst-symlinkat tst-linkat tst-readlinkat tst-mkdirat \ tst-mknodat tst-mkfifoat tst-ttyname_r bug-ftw5 \ tst-posix_fallocate tst-posix_fallocate64 \ - tst-fts tst-fts-lfs tst-open-tmpfile + tst-fts tst-fts-lfs tst-open-tmpfile tst-getcwd-abspath ifeq ($(run-built-tests),yes) tests-special += $(objpfx)ftwtest.out diff --git a/io/tst-getcwd-abspath.c b/io/tst-getcwd-abspath.c new file mode 100644 index 0000000000..3a3636f2ed --- /dev/null +++ b/io/tst-getcwd-abspath.c @@ -0,0 +1,66 @@ +/* BZ #22679 getcwd(3) should not succeed without returning an absolute path. + + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static char *chroot_dir; + +/* The actual test. Run it in a subprocess, so that the test harness + can remove the temporary directory in --direct mode. */ +static void +getcwd_callback (void *closure) +{ + xchroot (chroot_dir); + + errno = 0; + char *cwd = getcwd (NULL, 0); + TEST_COMPARE (errno, ENOENT); + TEST_VERIFY (cwd == NULL); + + errno = 0; + cwd = realpath (".", NULL); + TEST_COMPARE (errno, ENOENT); + TEST_VERIFY (cwd == NULL); + + _exit (0); +} + +static int +do_test (void) +{ + support_become_root (); + if (!support_can_chroot ()) + return EXIT_UNSUPPORTED; + + chroot_dir = support_create_temp_directory ("tst-getcwd-abspath-"); + support_isolate_in_subprocess (getcwd_callback, NULL); + + return 0; +} + +#include diff --git a/sysdeps/unix/sysv/linux/getcwd.c b/sysdeps/unix/sysv/linux/getcwd.c index 3b556fd450..f485de88a5 100644 --- a/sysdeps/unix/sysv/linux/getcwd.c +++ b/sysdeps/unix/sysv/linux/getcwd.c @@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size) int retval; retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size); - if (retval >= 0) + if (retval > 0 && path[0] == '/') { #ifndef NO_ALLOCATION if (buf == NULL && size == 0) @@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size) return buf; } - /* The system call cannot handle paths longer than a page. - Neither can the magic symlink in /proc/self. Just use the + /* The system call either cannot handle paths longer than a page + or can succeed without returning an absolute path. Just use the generic implementation right away. */ - if (errno == ENAMETOOLONG) + if (retval >= 0 || errno == ENAMETOOLONG) { #ifndef NO_ALLOCATION if (buf == NULL && size == 0) -- cgit 1.4.1