From 263e6175999bc7f5adb8b32fd12fcfae3f0bb05a Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Wed, 19 Feb 2020 17:21:46 +0100 Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414) The value of `end_name' points into the value of `dirname', thus don't deallocate the latter before the last use of the former. (cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c with changes from commit d711a00f93fa964f41a53839228598fbf1a6b482) --- NEWS | 4 ++++ posix/glob.c | 28 +++++++++++++++++----------- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/NEWS b/NEWS index cb62587dbb6..b18a0f3d290 100644 --- a/NEWS +++ b/NEWS @@ -394,6 +394,9 @@ Security related changes: * A use-after-free vulnerability in clntudp_call in the Sun RPC system has been fixed (CVE-2017-12133). +* A use-after-free vulnerability in the glob function when expanding ~user has + been fixed (CVE-2020-1752). + The following bugs are resolved with this release: [984] network: Respond to changed resolv.conf in gethostbyname @@ -621,6 +624,7 @@ The following bugs are resolved with this release: [21839] localedata: Fix LC_MONETARY for ta_LK [21844] localedata: Fix Latin characters and Months Sequence. [21848] localedata: Fix mai_NP Title Name + [25414] 'glob' use-after-free bug (CVE-2020-1752) Version 2.25 diff --git a/posix/glob.c b/posix/glob.c index b2273ea7bce..0c6eeb36378 100644 --- a/posix/glob.c +++ b/posix/glob.c @@ -947,26 +947,32 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int), size_t home_len = strlen (p->pw_dir); size_t rest_len = end_name == NULL ? 0 : strlen (end_name); - if (__glibc_unlikely (malloc_dirname)) - free (dirname); - malloc_dirname = 0; + char *d, *newp; + bool use_alloca = glob_use_alloca (alloca_used, + home_len + rest_len + 1); - if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) - dirname = alloca_account (home_len + rest_len + 1, - alloca_used); + if (use_alloca) + newp = alloca_account (home_len + rest_len + 1, alloca_used); else { - dirname = malloc (home_len + rest_len + 1); - if (dirname == NULL) + newp = malloc (home_len + rest_len + 1); + if (newp == NULL) { free (malloc_pwtmpbuf); retval = GLOB_NOSPACE; goto out; } - malloc_dirname = 1; } - *((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len), - end_name, rest_len)) = '\0'; + + d = mempcpy (newp, p->pw_dir, home_len); + if (end_name != NULL) + d = mempcpy (d, end_name, rest_len); + *d = '\0'; + + if (__glibc_unlikely (malloc_dirname)) + free (dirname); + dirname = newp; + malloc_dirname = !use_alloca; dirlen = home_len + rest_len; dirname_modified = 1; -- 2.47.2