This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch master updated. glibc-2.18-351-g5d30d85
- From: neleai at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 31 Oct 2013 13:01:38 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.18-351-g5d30d85
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 5d30d853295a5fe04cad22fdf649c5e0da6ded8c (commit)
from 8a43e768d9404c64e0d98d7a54871abad427fd69 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5d30d853295a5fe04cad22fdf649c5e0da6ded8c
commit 5d30d853295a5fe04cad22fdf649c5e0da6ded8c
Author: OndÅ?ej BÃlka <neleai@seznam.cz>
Date: Thu Oct 31 13:58:01 2013 +0100
Restrict shm_open and shm_unlink to SHMDIR. Fixes bugs 14752 and 15763.
diff --git a/ChangeLog b/ChangeLog
index ceaccba..23d5f8c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-10-31 OndÅ?ej BÃlka <neleai@seznam.cz>
+
+ [BZ #14752], [BZ #15763]
+ * sysdeps/unix/sysv/linux/shm_open.c (shm_open, shm_unlink):
+ Validate name.
+ * rt/tst_shm.c: Add test for escaping directory.
+
2013-10-31 Andreas Schwab <schwab@suse.de>
[BZ #15917]
diff --git a/NEWS b/NEWS
index 23a3c9e..3ceed0c 100644
--- a/NEWS
+++ b/NEWS
@@ -10,14 +10,14 @@ Version 2.19
* The following bugs are resolved with this release:
156, 431, 832, 2801, 9954, 10278, 11087, 13028, 13982, 13985, 14029,
- 14155, 14547, 14699, 14876, 14910, 15048, 15218, 15277, 15308, 15362,
- 15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632, 15640,
- 15670, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749,
- 15754, 15760, 15764, 15797, 15799, 15825, 15844, 15847, 15849, 15855,
- 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895,
- 15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939, 15948, 15963,
- 15966, 15988, 16032, 16034, 16036, 16037, 16041, 16071, 16072, 16074,
- 16078.
+ 14155, 14547, 14699, 14752, 14876, 14910, 15048, 15218, 15277, 15308,
+ 15362, 15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632,
+ 15640, 15670, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748,
+ 15749, 15754, 15760, 15763, 15764, 15797, 15799, 15825, 15844, 15847,
+ 15849, 15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892,
+ 15893, 15895, 15897, 15905, 15909, 15917, 15919, 15921, 15923, 15939,
+ 15948, 15963, 15966, 15988, 16032, 16034, 16036, 16037, 16041, 16071,
+ 16072, 16074, 16078.
* CVE-2012-4412 The strcoll implementation caches indices and rules for
large collation sequences to optimize multiple passes. This cache
diff --git a/rt/tst-shm.c b/rt/tst-shm.c
index f9d5ab0..cb4b1ee 100644
--- a/rt/tst-shm.c
+++ b/rt/tst-shm.c
@@ -134,6 +134,14 @@ do_test (void)
int status2;
struct stat64 st;
+ fd = shm_open ("/../escaped", O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0600);
+ if (fd != -1)
+ {
+ perror ("read file outside of SHMDIR directory");
+ return 1;
+ }
+
+
/* Create the shared memory object. */
fd = shm_open ("/shm-test", O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0600);
if (fd == -1)
diff --git a/sysdeps/unix/sysv/linux/shm_open.c b/sysdeps/unix/sysv/linux/shm_open.c
index 41d9315..482b49c 100644
--- a/sysdeps/unix/sysv/linux/shm_open.c
+++ b/sysdeps/unix/sysv/linux/shm_open.c
@@ -148,14 +148,15 @@ shm_open (const char *name, int oflag, mode_t mode)
while (name[0] == '/')
++name;
- if (name[0] == '\0')
+ namelen = strlen (name);
+
+ /* Validate the filename. */
+ if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
{
- /* The name "/" is not supported. */
__set_errno (EINVAL);
return -1;
}
- namelen = strlen (name);
fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
__mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
name, namelen + 1);
@@ -237,14 +238,15 @@ shm_unlink (const char *name)
while (name[0] == '/')
++name;
- if (name[0] == '\0')
+ namelen = strlen (name);
+
+ /* Validate the filename. */
+ if (name[0] == '\0' || namelen > NAME_MAX || strchr (name, '/') == NULL)
{
- /* The name "/" is not supported. */
__set_errno (ENOENT);
return -1;
}
- namelen = strlen (name);
fname = (char *) alloca (mountpoint.dirlen + namelen + 1);
__mempcpy (__mempcpy (fname, mountpoint.dir, mountpoint.dirlen),
name, namelen + 1);
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 7 +++++++
NEWS | 16 ++++++++--------
rt/tst-shm.c | 8 ++++++++
sysdeps/unix/sysv/linux/shm_open.c | 14 ++++++++------
4 files changed, 31 insertions(+), 14 deletions(-)
hooks/post-receive
--
GNU C Library master sources