https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ee8d5e33adb284601c00c94687bc907e10aec9bb From: Siddhesh Poyarekar Date: Thu, 13 Jan 2022 05:58:36 +0000 (+0530) Subject: realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770] X-Git-Tag: glibc-2.35~52 X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ee8d5e33adb284601c00c94687bc907e10aec9bb realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770] realpath returns an allocated string when the result exceeds PATH_MAX, which is unexpected when its second argument is not NULL. This results in the second argument (resolved) being uninitialized and also results in a memory leak since the caller expects resolved to be the same as the returned value. Return NULL and set errno to ENAMETOOLONG if the result exceeds PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. Reviewed-by: Adhemerval Zanella Signed-off-by: Siddhesh Poyarekar --- diff -Naur glibc-2.33/stdlib/canonicalize.c glibc-2.33_patched/stdlib/canonicalize.c --- glibc-2.33/stdlib/canonicalize.c 2021-02-01 20:15:33.000000000 +0300 +++ glibc-2.33_patched/stdlib/canonicalize.c 2022-12-02 14:06:12.728325086 +0300 @@ -400,8 +400,16 @@ error: *dest++ = '\0'; - if (resolved != NULL && dest - rname <= get_path_max ()) - rname = strcpy (resolved, rname); + if (resolved != NULL) + { + if (dest - rname <= get_path_max ()) + rname = strcpy (resolved, rname); + else + { + failed = true; + __set_errno (ENAMETOOLONG); + } + } error_nomem: scratch_buffer_free (&extra_buffer); diff -Naur glibc-2.33/stdlib/Makefile glibc-2.33_patched/stdlib/Makefile --- glibc-2.33/stdlib/Makefile 2021-02-01 20:15:33.000000000 +0300 +++ glibc-2.33_patched/stdlib/Makefile 2022-12-02 14:05:28.762444242 +0300 @@ -68,6 +68,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ test-canon test-canon2 tst-strtoll tst-environ \ tst-xpg-basename tst-random tst-random2 tst-bsearch \ + tst-realpath-toolong \ tst-limits tst-rand48 bug-strtod tst-setcontext \ tst-setcontext2 test-a64l tst-qsort testmb2 \ bug-strtod2 tst-atof1 tst-atof2 tst-strtod2 \ diff -Naur glibc-2.33/stdlib/tst-realpath-toolong.c glibc-2.33_patched/stdlib/tst-realpath-toolong.c --- glibc-2.33/stdlib/tst-realpath-toolong.c 1970-01-01 03:00:00.000000000 +0300 +++ glibc-2.33_patched/stdlib/tst-realpath-toolong.c 2022-12-02 14:01:40.401257000 +0300 @@ -0,0 +1,49 @@ +/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds + NAME_MAX. + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define BASENAME "tst-realpath-toolong." + +int +do_test (void) +{ + char *base = support_create_and_chdir_toolong_temp_directory (BASENAME); + + char buf[PATH_MAX + 1]; + const char *res = realpath (".", buf); + + /* canonicalize.c states that if the real path is >= PATH_MAX, then + realpath returns NULL and sets ENAMETOOLONG. */ + TEST_VERIFY (res == NULL); + TEST_VERIFY (errno == ENAMETOOLONG); + + free (base); + return 0; +} + +#include