+2018-12-10 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #23972]
+ * sysdeps/unix/sysv/linux/getdents64.c (handle_overflow): Check
+ offset instead of count for clarity. Fix typo in comment.
+ (__old_getdents64): Keep track of previous offset. Use it to call
+ handle_overflow.
+ * sysdeps/unix/sysv/linux/tst-readdir64-compat.c (do_test): Check
+ that d_off is never zero.
+
2018-11-30 Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com>
[BZ #23690]
[23821] si_band in siginfo_t has wrong type long int on sparc64
[23822] ia64 static libm.a is missing exp2f, log2f and powf symbols
[23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591)
+ [23972] __old_getdents64 uses wrong d_off value on overflow
Security related changes:
{
/* If this is the first entry in the buffer, we can report the
error. */
- if (count == 0)
+ if (offset == 0)
{
__set_errno (EOVERFLOW);
return -1;
}
/* Otherwise, seek to the overflowing entry, so that the next call
- will report the error, and return the data read so far.. */
+ will report the error, and return the data read so far. */
if (__lseek64 (fd, offset, SEEK_SET) != 0)
return -1;
return count;
ssize_t retval = INLINE_SYSCALL_CALL (getdents64, fd, buf, nbytes);
if (retval > 0)
{
+ /* This is the marker for the first entry. Offset 0 is reserved
+ for the first entry (see rewinddir). Here, we use it as a
+ marker for the first entry in the buffer. We never actually
+ seek to offset 0 because handle_overflow reports the error
+ directly, so it does not matter that the offset is incorrect
+ if entries have been read from the descriptor before (so that
+ the descriptor is not actually at offset 0). */
+ __off64_t previous_offset = 0;
+
char *p = buf;
char *end = buf + retval;
while (p < end)
/* Check for ino_t overflow. */
if (__glibc_unlikely (ino != source->d_ino))
- return handle_overflow (fd, offset, p - buf);
+ return handle_overflow (fd, previous_offset, p - buf);
/* Convert to the target layout. Use a separate struct and
memcpy to side-step aliasing issues. */
reclen - offsetof (struct dirent64, d_name));
p += reclen;
+ previous_offset = offset;
}
}
return retval;
else
TEST_VERIFY_EXIT (entry_test != NULL);
+ /* d_off is never zero because it is the offset of the next
+ entry (not the current entry). */
+ TEST_VERIFY (entry_reference->d_off > 0);
+
/* Check that the entries are the same. */
TEST_COMPARE_BLOB (entry_reference->d_name,
strlen (entry_reference->d_name),
projects / thirdparty / glibc.git / commitdiff
