Fix use-after-free in glob when expanding ~user (bug 25414)

The value of `end_name' points into the value of `dirname', thus don't
deallocate the latter before the last use of the former.

(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)

diff --git a/NEWS b/NEWS
index 038541c83b07c7e2cdcd05224576b684555b2958..1d00542a5db791c14ea8e19b1afc57e7b14eecbd 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -73,6 +73,7 @@ The following bugs are resolved with this release:
   [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
   [25225] ld.so fails to link on x86 if GCC defaults to -fcf-protection
   [25232] No const correctness for strchr et al. for Clang++
+  [25414] 'glob' use-after-free bug (CVE-2020-1752)
   [25423] Array overflow in backtrace on powerpc
 
 Security related changes:
@@ -109,6 +110,9 @@ Security related changes:
   addresses for loaded libraries and thus bypass ASLR for a setuid
   program.  Reported by Marcin Kościelnicki.
 
+  CVE-2020-1752: A use-after-free vulnerability in the glob function when
+  expanding ~user has been fixed.
+
 \f
 Version 2.28
 

diff --git a/posix/glob.c b/posix/glob.c
index 8444b2f79e3b2edb09a47cfa03fc4ae469e8a188..1b389d2da1a0ecbb9273377e52f3345d4b3e8ca0 100644 (file)
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
              {
                size_t home_len = strlen (p->pw_dir);
                size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
-               char *d;
+               char *d, *newp;
+               bool use_alloca = glob_use_alloca (alloca_used,
+                                                  home_len + rest_len + 1);
 
-               if (__glibc_unlikely (malloc_dirname))
-                 free (dirname);
-               malloc_dirname = 0;
-
-               if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
-                 dirname = alloca_account (home_len + rest_len + 1,
-                                           alloca_used);
+               if (use_alloca)
+                 newp = alloca_account (home_len + rest_len + 1, alloca_used);
                else
                  {
-                   dirname = malloc (home_len + rest_len + 1);
-                   if (dirname == NULL)
+                   newp = malloc (home_len + rest_len + 1);
+                   if (newp == NULL)
                      {
                        scratch_buffer_free (&pwtmpbuf);
                        retval = GLOB_NOSPACE;
                        goto out;
                      }
-                   malloc_dirname = 1;
                  }
-               d = mempcpy (dirname, p->pw_dir, home_len);
+               d = mempcpy (newp, p->pw_dir, home_len);
                if (end_name != NULL)
                  d = mempcpy (d, end_name, rest_len);
                *d = '\0';
 
+               if (__glibc_unlikely (malloc_dirname))
+                 free (dirname);
+               dirname = newp;
+               malloc_dirname = !use_alloca;
+
                dirlen = home_len + rest_len;
                dirname_modified = 1;
              }