mirror of
https://sourceware.org/git/glibc.git
synced 2024-12-24 03:31:07 +00:00
io: nftw/ftw: Fix stack overflow with large nopenfd [BZ #26353]
The nopenfd value is used as argument for the internal buffer on ftw_statup, which is allocated with alloca and might trigger a stack overflow for large values. This patch replaces the memory allocation to use malloc instead. Checked on x86_64-linux-gnu. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
This commit is contained in:
parent
db07fae825
commit
106ff08526
@ -68,7 +68,8 @@ tests := test-utime test-stat test-stat2 test-lfs tst-getcwd \
|
||||
tst-posix_fallocate tst-posix_fallocate64 \
|
||||
tst-fts tst-fts-lfs tst-open-tmpfile \
|
||||
tst-copy_file_range tst-getcwd-abspath tst-lockf \
|
||||
tst-ftw-lnk tst-file_change_detection tst-lchmod
|
||||
tst-ftw-lnk tst-file_change_detection tst-lchmod \
|
||||
tst-ftw-bz26353
|
||||
|
||||
# Likewise for statx, but we do not need static linking here.
|
||||
tests-internal += tst-statx
|
||||
|
16
io/ftw.c
16
io/ftw.c
@ -646,15 +646,17 @@ ftw_startup (const char *dir, int is_nftw, void *func, int descriptors,
|
||||
|
||||
data.maxdir = descriptors < 1 ? 1 : descriptors;
|
||||
data.actdir = 0;
|
||||
data.dirstreams = (struct dir_data **) alloca (data.maxdir
|
||||
* sizeof (struct dir_data *));
|
||||
memset (data.dirstreams, '\0', data.maxdir * sizeof (struct dir_data *));
|
||||
|
||||
/* PATH_MAX is always defined when we get here. */
|
||||
data.dirbufsize = MAX (2 * strlen (dir), PATH_MAX);
|
||||
data.dirbuf = (char *) malloc (data.dirbufsize);
|
||||
if (data.dirbuf == NULL)
|
||||
data.dirstreams = malloc (data.maxdir * sizeof (struct dir_data *)
|
||||
+ data.dirbufsize);
|
||||
if (data.dirstreams == NULL)
|
||||
return -1;
|
||||
|
||||
memset (data.dirstreams, '\0', data.maxdir * sizeof (struct dir_data *));
|
||||
|
||||
data.dirbuf = (char *) data.dirstreams
|
||||
+ data.maxdir * sizeof (struct dir_data *);
|
||||
cp = __stpcpy (data.dirbuf, dir);
|
||||
/* Strip trailing slashes. */
|
||||
while (cp > data.dirbuf + 1 && cp[-1] == '/')
|
||||
@ -803,7 +805,7 @@ ftw_startup (const char *dir, int is_nftw, void *func, int descriptors,
|
||||
out_fail:
|
||||
save_err = errno;
|
||||
__tdestroy (data.known_objects, free);
|
||||
free (data.dirbuf);
|
||||
free (data.dirstreams);
|
||||
__set_errno (save_err);
|
||||
|
||||
return result;
|
||||
|
70
io/tst-ftw-bz26353.c
Normal file
70
io/tst-ftw-bz26353.c
Normal file
@ -0,0 +1,70 @@
|
||||
/* test ftw bz26353: Check whether stack overflow occurs when the value
|
||||
of the nopenfd parameter is too large.
|
||||
|
||||
Copyright (C) 2020 Free Software Foundation, Inc.
|
||||
This file is part of the GNU C Library.
|
||||
|
||||
The GNU C Library is free software; you can redistribute it and/or
|
||||
modify it under the terms of the GNU Lesser General Public
|
||||
License as published by the Free Software Foundation; either
|
||||
version 2.1 of the License, or (at your option) any later version.
|
||||
|
||||
The GNU C Library is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public
|
||||
License along with the GNU C Library; if not, see
|
||||
<https://www.gnu.org/licenses/>. */
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <ftw.h>
|
||||
#include <errno.h>
|
||||
#include <sys/resource.h>
|
||||
|
||||
#include <support/temp_file.h>
|
||||
#include <support/capture_subprocess.h>
|
||||
#include <support/check.h>
|
||||
|
||||
static int
|
||||
my_func (const char *file, const struct stat *sb, int flag)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
get_large_nopenfd (void)
|
||||
{
|
||||
struct rlimit r;
|
||||
TEST_COMPARE (getrlimit (RLIMIT_STACK, &r), 0);
|
||||
if (r.rlim_cur == RLIM_INFINITY)
|
||||
{
|
||||
r.rlim_cur = 8 * 1024 * 1024;
|
||||
TEST_COMPARE (setrlimit (RLIMIT_STACK, &r), 0);
|
||||
}
|
||||
return (int) r.rlim_cur;
|
||||
}
|
||||
|
||||
static void
|
||||
do_ftw (void *unused)
|
||||
{
|
||||
char *tempdir = support_create_temp_directory ("tst-bz26353");
|
||||
int large_nopenfd = get_large_nopenfd ();
|
||||
TEST_COMPARE (ftw (tempdir, my_func, large_nopenfd), 0);
|
||||
free (tempdir);
|
||||
}
|
||||
|
||||
/* Check whether stack overflow occurs. */
|
||||
static int
|
||||
do_test (void)
|
||||
{
|
||||
struct support_capture_subprocess result;
|
||||
result = support_capture_subprocess (do_ftw, NULL);
|
||||
support_capture_subprocess_check (&result, "bz26353", 0, sc_allow_none);
|
||||
support_capture_subprocess_free (&result);
|
||||
return 0;
|
||||
}
|
||||
|
||||
#include <support/test-driver.c>
|
Loading…
Reference in New Issue
Block a user