This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch master updated. glibc-2.18-351-g5d30d85


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  5d30d853295a5fe04cad22fdf649c5e0da6ded8c (commit)
      from  8a43e768d9404c64e0d98d7a54871abad427fd69 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5d30d853295a5fe04cad22fdf649c5e0da6ded8c

commit 5d30d853295a5fe04cad22fdf649c5e0da6ded8c
Author: OndÅ?ej Bílka <neleai@seznam.cz>
Date:   Thu Oct 31 13:58:01 2013 +0100

    Restrict shm_open and shm_unlink to SHMDIR. Fixes bugs 14752 and 15763.

diff --git a/ChangeLog b/ChangeLog
index ceaccba..23d5f8c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-10-31  OndÅ?ej Bílka  <neleai@seznam.cz>
+
+	[BZ #14752], [BZ #15763]
+	* sysdeps/unix/sysv/linux/shm_open.c (shm_open, shm_unlink):
+	Validate name.
+	* rt/tst_shm.c: Add test for escaping directory.
+
 2013-10-31  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #15917]
diff --git a/NEWS b/NEWS
index 23a3c9e..3ceed0c 100644
--- a/NEWS
+++ b/NEWS
@@ -10,14 +10,14 @@ Version 2.19
 * The following bugs are resolved with this release:
 
   156, 431, 832, 2801, 9954, 10278, 11087, 13028, 13982, 13985, 14029,
-  14155, 14547, 14699, 14876, 14910, 15048, 15218, 15277, 15308, 15362,
-  15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632, 15640,
-  15670, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749,
-  15754, 15760, 15764, 15797, 15799, 15825, 15844, 15847, 15849, 15855,
-  15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895,
-  15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939, 15948, 15963,
-  15966, 15988, 16032, 16034, 16036, 16037, 16041, 16071, 16072, 16074,
-  16078.
+  14155, 14547, 14699, 14752, 14876, 14910, 15048, 15218, 15277, 15308,
+  15362, 15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632,
+  15640, 15670, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748,
+  15749, 15754, 15760, 15763, 15764, 15797, 15799, 15825, 15844, 15847,
+  15849, 15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892,
+  15893, 15895, 15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939,
+  15948, 15963, 15966, 15988, 16032, 16034, 16036, 16037, 16041, 16071,
+  16072, 16074, 16078.
 
 * CVE-2012-4412 The strcoll implementation caches indices and rules for
   large collation sequences to optimize multiple passes.  This cache
diff --git a/rt/tst-shm.c b/rt/tst-shm.c
index f9d5ab0..cb4b1ee 100644
--- a/rt/tst-shm.c
+++ b/rt/tst-shm.c
@@ -134,6 +134,14 @@ do_test (void)
   int status2;
   struct stat64 st;
 
+  fd = shm_open ("/../escaped", O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0600);
+  if (fd != -1)
+    {
+      perror ("read file outside of SHMDIR directory");
+      return 1;
+    }
+
+
   /* Create the shared memory object.  */
   fd = shm_open ("/shm-test", O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0600);
   if (fd == -1)
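Review bot: The added `"/../escaped"` check calls `perror` on the branch where shm_open succeeded, so errno was not set by that call and the appended error text is meaningless. The message also says "read" although the call creates an object. A plain `puts ("shm_open created an object outside SHMDIR");` would be accurate. The check also accepts any failure as a pass, so it does not show that the name validation itself rejected the path; assuming errno is usable in this file, `if (fd != -1 || errno != EINVAL)` would pin the intended behaviour. On the failing branch the descriptor is left open and the created object is not removed. do_test's body starts and ends outside the hunk.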
diff --git a/sysdeps/unix/sysv/linux/shm_open.c b/sysdeps/unix/sysv/linux/shm_open.c
index 41d9315..482b49c 100644
--- a/sysdeps/unix/sysv/linux/shm_open.c
+++ b/sysdeps/unix/sysv/linux/shm_open.c
@@ -148,14 +148,15 @@ shm_open (const char *name, int oflag, mode_t mode)
   while (name[0] == '/')
     ++name;
 
-  if (name[0] == '\0')
+  namelen = strlen (name);
+
+  /* Validate the filename.  */
+  if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
     {
-      /* The name "/" is not supported.  */
       __set_errno (EINVAL);
       return -1;
     }
 
-  namelen = strlen (name);
   fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
   __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
 	     name, namelen + 1);
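Review bot: The third clause of the new validation is inverted. `strchr (name, '/') == NULL` is true for a name with no slash after the leading ones are stripped, so ordinary names such as the `"/shm-test"` used in rt/tst-shm.c are rejected with EINVAL. A name that still contains `/`, like the `"/../escaped"` case the test adds, passes the check and reaches the concatenation with mountpoint.dir. The clause should be `strchr (name, '/') != NULL`, which is what restricts the object to SHMDIR. The shm_unlink hunk below has the same inverted test and needs the same one-token change. Both function bodies start and end outside their hunks.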
@@ -237,14 +238,15 @@ shm_unlink (const char *name)
   while (name[0] == '/')
     ++name;
 
-  if (name[0] == '\0')
+  namelen = strlen (name);
+
+  /* Validate the filename.  */
+  if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
     {
-      /* The name "/" is not supported.  */
       __set_errno (ENOENT);
       return -1;
     }
 
-  namelen = strlen (name);
   fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
   __mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
 	     name, namelen + 1);

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                          |    7 +++++++
 NEWS                               |   16 ++++++++--------
 rt/tst-shm.c                       |    8 ++++++++
 sysdeps/unix/sysv/linux/shm_open.c |   14 ++++++++------
 4 files changed, 31 insertions(+), 14 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

