realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770]

realpath returns an allocated string when the result exceeds PATH_MAX,
which is unexpected when its second argument is not NULL.  This results
in the second argument (resolved) being uninitialized and also results
in a memory leak since the caller expects resolved to be the same as the
returned value.

Return NULL and set errno to ENAMETOOLONG if the result exceeds
PATH_MAX.  This fixes [BZ #28770], which is CVE-2021-3998.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
This commit is contained in:
Siddhesh Poyarekar 2022-01-13 11:28:36 +05:30
parent fb7bff12e8
commit ee8d5e33ad
4 changed files with 64 additions and 2 deletions

4
NEWS
View File

@ -166,6 +166,10 @@ Security related changes:
CVE-2022-23218: Passing an overlong file name to the svcunix_create
legacy function could result in a stack-based buffer overflow.
CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath
function could result in a memory leak and potential access of
uninitialized memory. Reported by Qualys.
The following bugs are resolved with this release:
[The release manager will add the list generated by

View File

@ -109,6 +109,7 @@ tests := \
tst-random \
tst-random2 \
tst-realpath \
tst-realpath-toolong \
tst-secure-getenv \
tst-setcontext \
tst-setcontext2 \

View File

@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved,
error:
*dest++ = '\0';
if (resolved != NULL && dest - rname <= get_path_max ())
rname = strcpy (resolved, rname);
if (resolved != NULL)
{
if (dest - rname <= get_path_max ())
rname = strcpy (resolved, rname);
else
{
failed = true;
__set_errno (ENAMETOOLONG);
}
}
error_nomem:
scratch_buffer_free (&extra_buffer);

View File

@ -0,0 +1,49 @@
/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds
NAME_MAX.
Copyright The GNU Toolchain Authors.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<https://www.gnu.org/licenses/>. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <support/check.h>
#include <support/temp_file.h>
#include <sys/types.h>
#include <sys/stat.h>
#define BASENAME "tst-realpath-toolong."
int
do_test (void)
{
char *base = support_create_and_chdir_toolong_temp_directory (BASENAME);
char buf[PATH_MAX + 1];
const char *res = realpath (".", buf);
/* canonicalize.c states that if the real path is >= PATH_MAX, then
realpath returns NULL and sets ENAMETOOLONG. */
TEST_VERIFY (res == NULL);
TEST_VERIFY (errno == ENAMETOOLONG);
free (base);
return 0;
}
#include <support/test-driver.c>