From 29565817f88a630643f174796bc9f66b4643ca1f Mon Sep 17 00:00:00 2001
From: liqingqing_1229
Date: Mon, 24 Jan 2022 17:12:43 +0800
Subject: [PATCH] fix CVE-2021-3999

---
 ...o-to-ERANGE-for-size-1-CVE-2021-3999.patch | 70 +++++++++++++++++++
 glibc.spec | 10 ++-
 2 files changed, 77 insertions(+), 3 deletions(-)
 create mode 100644 getcwd-Set-errno-to-ERANGE-for-size-1-CVE-2021-3999.patch

diff --git a/getcwd-Set-errno-to-ERANGE-for-size-1-CVE-2021-3999.patch b/getcwd-Set-errno-to-ERANGE-for-size-1-CVE-2021-3999.patch
new file mode 100644
index 0000000..49b7e50
--- /dev/null
+++ b/getcwd-Set-errno-to-ERANGE-for-size-1-CVE-2021-3999.patch
@@ -0,0 +1,70 @@
+From 472e799a5f2102bc0c3206dbd5a801765fceb39c Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar
+Date: Fri, 21 Jan 2022 23:32:56 +0530
+Subject: [PATCH] getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
+
+No valid path returned by getcwd would fit into 1 byte, so reject the
+size early and return NULL with errno set to ERANGE. This change is
+prompted by CVE-2021-3999, which describes a single byte buffer
+underflow and overflow when all of the following conditions are met:
+
+- The buffer size (i.e. the second argument of getcwd) is 1 byte
+- The current working directory is too long
+- '/' is also mounted on the current working directory
+
+Sequence of events:
+
+- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
+ because the linux kernel checks for name length before it checks
+ buffer size
+
+- The code falls back to the generic getcwd in sysdeps/posix
+
+- In the generic func, the buf[0] is set to '\0' on line 269
+
+- this while loop on line 282 is bypassed:
+
+ while (!(thisdev == rootdev && thisino == rootino))
+
+ since the rootfs (/) is bind mounted onto the directory and the flow
+ goes on to line 492, where it puts a '/' in the byte before the
+ buffer.
+
+- Finally on line 500, it moves 2 bytes (the underflowed byte and the
+ '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.
+
+- buf is returned on line 514 and errno is not set.
+
+This resolves BZ #28769.
+
+Reviewed-by: Andreas Schwab
+Reviewed-by: Adhemerval Zanella
+Signed-off-by: Qualys Security Advisory
+Signed-off-by: Siddhesh Poyarekar
+(cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e)
+---
+ sysdeps/posix/getcwd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c
+index b53433a2..e3c1d77c 100644
+--- a/sysdeps/posix/getcwd.c
++++ b/sysdeps/posix/getcwd.c
+@@ -239,6 +239,14 @@ __getcwd (char *buf, size_t size)
+ int fd = AT_FDCWD;
+
+ char *path;
++
++ /* A size of 1 byte is never useful. */
++ if (size == 1)
++ {
++ __set_errno (ERANGE);
++ return NULL;
++ }
++
+ #ifndef NO_ALLOCATION
+ size_t allocated = size;
+ if (size == 0)
+--
+2.27.0
+
diff --git a/glibc.spec b/glibc.spec
index 62d1cc0..1b36f7b 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -59,7 +59,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.28
-Release: 86
+Release: 87
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -148,6 +148,7 @@ Patch64: socket-Add-the-__sockaddr_un_set-function.patch
 Patch65: CVE-2022-23219-Buffer-overflow-in-sunrpc-clnt_create.patch
 Patch66: sunrpc-Test-case-for-clnt_create-unix-buffer-overflo.patch
 Patch67: CVE-2022-23218-Buffer-overflow-in-sunrpc-svcunix_cre.patch
+Patch68: getcwd-Set-errno-to-ERANGE-for-size-1-CVE-2021-3999.patch
 
 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
 
@@ -1172,10 +1173,13 @@ fi
 %doc hesiod/README.hesiod
 
 %changelog
-* Thu Jan 20 2021 Qingqing Li - 2.28-86
+* Tue Jan 25 2022 Qingqing Li - 2.28-87
+- fix CVE-2021-3999
+
+* Thu Jan 20 2022 Qingqing Li - 2.28-86
 - sunrpc: fix compile error
 
-* Wed Jan 19 2021 Qingqing Li - 2.28-85
+* Wed Jan 19 2022 Qingqing Li - 2.28-85
 - sunrpc: fix CVE-2022-23218 and fix CVE-2022-23219
 
 * Fri Dec 24 2021 Yang yanchao - 2.28-84
-- 
Gitee
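Review bot: The backported patch touches only sysdeps/posix/getcwd.c (its own diffstat reads `1 file changed, 8 insertions(+)`), so nothing in this backport pins the new early return; a small regression test that calls getcwd with a 1-byte buffer and asserts a NULL result with errno == ERANGE would catch a future rebase that drops the check, without needing the bind-mount setup the message describes. The comment on the added check states that the size is `never useful` but not why it must be rejected here; I would make it carry the rationale, e.g. `/* A 1-byte buffer cannot hold any path, so reject it before the fallback below can write outside buf (CVE-2021-3999).  */`. The check only covers size == 1, which matches the message; the size == 0 path that starts at `#ifndef NO_ALLOCATION` is inferred to handle the allocating case and is not visible here. The __getcwd function whose body receives the check starts and ends outside the nested hunk.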
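Review bot: Patch68 is declared in the second glibc.spec hunk, but the %prep section that applies the patch list is outside this diff, so it cannot be confirmed from the page that the new patch is actually applied at build time. If the spec applies patches with explicit `%patchN` lines rather than `%autosetup -p1`, a matching `%patch68 -p1` is needed alongside the declaration; please verify against the full spec.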