From: Dirk Mueller Date: Sat, 22 Nov 2008 12:03:19 +0000 (+0000) Subject: ignore .valgrindrc files that are world writeable X-Git-Tag: svn/VALGRIND_3_4_0~98 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=706dd9fa67e94ee9ccedcd075a135bbc0a5bbc0b;p=thirdparty%2Fvalgrind.git ignore .valgrindrc files that are world writeable or not owned by the current user (CVE-2008-4865) git-svn-id: svn://svn.valgrind.org/valgrind/trunk@8798
---
diff --git a/coregrind/m_commandline.c b/coregrind/m_commandline.c
index 7a22c0869f..e979a7f460 100644
--- a/coregrind/m_commandline.c
+++ b/coregrind/m_commandline.c
@@ -57,7 +57,7 @@ static HChar* read_dot_valgrindrc ( HChar* dir )
 {
 Int n;
 SysRes fd;
- Long size;
+ struct vg_stat stat_buf;
 HChar* f_clo = NULL;
 HChar filename[VKI_PATH_MAX];
@@ -65,15 +65,24 @@ static HChar* read_dot_valgrindrc ( HChar* dir )
 ( NULL == dir ? "" : dir ) );
 fd = VG_(open)(filename, 0, VKI_S_IRUSR);
 if ( !fd.isError ) {
- size = VG_(fsize)(fd.res);
- if (size > 0) {
- f_clo = VG_(malloc)("commandline.rdv.1", size+1);
- vg_assert(f_clo);
- n = VG_(read)(fd.res, f_clo, size);
- if (n == -1) n = 0;
- vg_assert(n >= 0 && n <= size+1);
- f_clo[n] = '\0';
+ Int res = VG_(fstat)( fd.res, &stat_buf );
+ // Ignore if not owned by current user or world writeable (CVE-2008-4865)
+ if (!res && stat_buf.st_uid == VG_(geteuid)()
+ && (!(stat_buf.st_mode & VKI_S_IWOTH))) {
+ if ( stat_buf.st_size > 0 ) {
+ f_clo = VG_(malloc)("commandline.rdv.1", stat_buf.st_size+1);
+ vg_assert(f_clo);
+ n = VG_(read)(fd.res, f_clo, stat_buf.st_size);
+ if (n == -1) n = 0;
+ vg_assert(n >= 0 && n <= stat_buf.st_size+1);
+ f_clo[n] = '\0';
+ }
 }
+ else
+ VG_(message)(Vg_UserMsg,
+ "%s was not read as it is world writeable or not owned by the "
+ "current user", filename);
+
 VG_(close)(fd.res);
 }
 return f_clo;
diff --git a/docs/xml/manual-core.xml b/docs/xml/manual-core.xml
index d090559470..eac04f6e12 100644
--- a/docs/xml/manual-core.xml
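Review bot: The new ownership/permission test on the `if (!res && stat_buf.st_uid == VG_(geteuid)()` line rejects only world-writable files, so a group-writable `.valgrindrc` is still read and any member of the file's group could still supply options, which sits inside the threat this commit addresses; consider widening the mask to `&& (!(stat_buf.st_mode & (VKI_S_IWGRP | VKI_S_IWOTH)))) {` and adjusting the user message and the manual text to match. The `else` branch also prints "world writeable or not owned by the current user" when `VG_(fstat)` itself failed (`res != 0`), which misreports the cause; a distinct message for that case, or at least a comment such as `// a failed fstat is treated as untrusted as well`, would keep the diagnostic honest. The manual hunk below speaks only of `./.valgrindrc`, whereas this check runs for whichever `dir` the caller passes in, presumably the home-directory file as well, so the documented scope looks narrower than the code. The start of read_dot_valgrindrc, including the snprintf that builds `filename`, lies above the hunk.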
+++ b/docs/xml/manual-core.xml
@@ -1346,7 +1346,15 @@ processed earlier; for example, options in precedence over those in ~/.valgrindrc. The first two are particularly useful for setting the default tool to
-use.
+use.
+
+
+Please note that the ./.valgrindrc
+file is ignored if it is marked as world writeable or not owned
+by the current user. This is because the .valgrindrc can contain options
+that are potentially harmful or can be used by a local attacker to
+execute code under your user account.
+
 Any tool-specific options put in $VALGRIND_OPTS or the