AuroraMiddleware/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2024-11-21 12:30:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

time: Avoid memcmp overread in tzset (bug 31931)

Browse Source 
The test does not necessarily trigger the crash, depending on memcmp
behavior.  A crash was observed in __memcmp_ia32 on i686 builds.

Reviewed-by: Paul Eggert <eggert@cs.ucla.edu>
This commit is contained in:
Florian Weimer 2024-06-26 19:36:58 +02:00
parent b79238db4a
commit 21738846a1
3 changed files with 51 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
time/Makefile
View File

@ -50,7 +50,8 @@ tests := test_time clocktest tst-posixtz tst-strptime tst_wcsftime \
tst-clock tst-clock2 tst-clock_nanosleep tst-cpuclock1 \ tst-clock tst-clock2 tst-clock_nanosleep tst-cpuclock1 \
tst-adjtime tst-ctime tst-difftime tst-mktime4 tst-clock_settime \ tst-adjtime tst-ctime tst-difftime tst-mktime4 tst-clock_settime \
tst-settimeofday tst-itimer tst-gmtime tst-timegm \ tst-settimeofday tst-itimer tst-gmtime tst-timegm \
tst-timespec_get tst-timespec_getres tst-strftime4 tst-timespec_get tst-timespec_getres tst-strftime4 \
tst-tzfile-fault
tests-time64 := \ tests-time64 := \
tst-adjtime-time64 \ tst-adjtime-time64 \
@ -110,3 +111,5 @@ tst-tzname-ENV = TZDIR=${common-objpfx}timezone/testdata
CPPFLAGS-tst-tzname.c += -DTZDEFRULES='"$(posixrules-file)"' CPPFLAGS-tst-tzname.c += -DTZDEFRULES='"$(posixrules-file)"'
bug-getdate1-ARGS = ${objpfx}bug-getdate1-fmt bug-getdate1-ARGS = ${objpfx}bug-getdate1-fmt
tst-tzfile-fault-ENV = GLIBC_TUNABLES=glibc.rtld.enable_secure=1

44
time/tst-tzfile-fault.c Normal file
View File

@ -0,0 +1,44 @@
/* Attempt to trigger fault with very short TZ variable (bug 31931).
Copyright (C) 2024 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<https://www.gnu.org/licenses/>. */
#include <support/next_to_fault.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
static char tz[] = "TZ=/";
static int
do_test (void)
{
struct support_next_to_fault ntf
= support_next_to_fault_allocate (sizeof (tz));
memcpy (ntf.buffer, tz, sizeof (tz));
putenv (ntf.buffer);
tzset ();
/* Avoid dangling pointer in environ. */
putenv (tz);
support_next_to_fault_free (&ntf);
return 0;
}
#include <support/test-driver.c>

5
time/tzfile.c
View File

@ -134,8 +134,9 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
and which is not the system wide default TZDEFAULT. */ and which is not the system wide default TZDEFAULT. */
if (__libc_enable_secure if (__libc_enable_secure
&& ((*file == '/' && ((*file == '/'
&& memcmp (file, TZDEFAULT, sizeof TZDEFAULT) && strcmp (file, TZDEFAULT) != 0
&& memcmp (file, default_tzdir, sizeof (default_tzdir) - 1)) && (strncmp (file, default_tzdir, sizeof (default_tzdir) - 1)
!= 0))
|| strstr (file, "../") != NULL)) || strstr (file, "../") != NULL))
/* This test is certainly a bit too restrictive but it should /* This test is certainly a bit too restrictive but it should
catch all critical cases. */ catch all critical cases. */