glibc40/glibc-2.24-CVE-2018-11236.patch

From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Tue, 8 May 2018 18:12:41 -0700
Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
 buffer overflow when realpath() input length is close to SSIZE_MAX.

2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>

	[BZ #22786]
	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
	computation.
	* stdlib/Makefile (test-bz22786): New test.
	* stdlib/test-bz22786.c: New test.
---
 ChangeLog             |  8 +++++
 stdlib/Makefile       |  2 +-
 stdlib/canonicalize.c |  2 +-
 stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 100 insertions(+), 2 deletions(-)
 create mode 100644 stdlib/test-bz22786.c

diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 4135f3f..390fb43 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
 		extra_buf = __alloca (path_max);
 
 	      len = strlen (end);
-	      if ((long int) (n + len) >= path_max)
+	      if (path_max - n <= len)
 		{
 		  __set_errno (ENAMETOOLONG);
 		  goto error;
-- 
2.9.3
Backport upstream patches to fix CVE-2017-16997, CVE-2017-18269, CVE-2018-6485, CVE-2018-11236 and CVE-2018-1000001 2018-11-09 23:25:11 +10:00			`From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001`
			`From: Paul Pluzhnikov <ppluzhnikov@google.com>`
			`Date: Tue, 8 May 2018 18:12:41 -0700`
			`Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack`
			`buffer overflow when realpath() input length is close to SSIZE_MAX.`

			`2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>`

			`[BZ #22786]`
			`* stdlib/canonicalize.c (__realpath): Fix overflow in path length`
			`computation.`
			`* stdlib/Makefile (test-bz22786): New test.`
			`* stdlib/test-bz22786.c: New test.`
			`---`
			`ChangeLog \| 8 +++++`
			`stdlib/Makefile \| 2 +-`
			`stdlib/canonicalize.c \| 2 +-`
			`stdlib/test-bz22786.c \| 90 +++++++++++++++++++++++++++++++++++++++++++++++++++`
			`4 files changed, 100 insertions(+), 2 deletions(-)`
			`create mode 100644 stdlib/test-bz22786.c`

			`diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c`
			`index 4135f3f..390fb43 100644`
			`--- a/stdlib/canonicalize.c`
			`+++ b/stdlib/canonicalize.c`
			`@@ -181,7 +181,7 @@ __realpath (const char name, char resolved)`
			`extra_buf = __alloca (path_max);`

			`len = strlen (end);`
			`- if ((long int) (n + len) >= path_max)`
			`+ if (path_max - n <= len)`
			`{`
			`__set_errno (ENAMETOOLONG);`
			`goto error;`
			`--`
			`2.9.3`