On failure, the contents of the resolved buffer passed in by the caller
to realpath are undefined. Do not copy any partial resolution to the
buffer and also do not test resolved contents in test-canon.c.
Resolves: BZ #28815
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Set errno and failure for paths that are too long only if no other error
occurred earlier.
Related: BZ #28770
Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
realpath returns an allocated string when the result exceeds PATH_MAX,
which is unexpected when its second argument is not NULL. This results
in the second argument (resolved) being uninitialized and also results
in a memory leak since the caller expects resolved to be the same as the
returned value.
Return NULL and set errno to ENAMETOOLONG if the result exceeds
PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
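Added example, not part of the glibc commits or source: a caller-side wrapper that follows from the two realpath messages above by never reading a resolved buffer after a failure and never assuming the result fits in a fixed-size buffer. The name resolve_path and the sample paths are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700   /* declares realpath() in <stdlib.h> */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* resolve_path() is a hypothetical helper for this example, not a glibc API.
   It resolves PATH into OUT (OUT_SIZE bytes) and returns 0, or returns -1
   with errno set and OUT left exactly as the caller passed it. */
int resolve_path(const char *path, char *out, size_t out_size)
{
    if (path == NULL || out == NULL || out_size == 0) {
        errno = EINVAL;
        return -1;
    }

    /* A NULL second argument makes realpath() allocate the result, so its
       length is not tied to PATH_MAX and no caller buffer is written to
       while resolution can still fail. */
    char *heap = realpath(path, NULL);
    if (heap == NULL)
        return -1;              /* errno set by realpath() */

    size_t len = strlen(heap);
    if (len >= out_size) {
        free(heap);
        errno = ENAMETOOLONG;   /* set after free(), which may change errno */
        return -1;
    }

    memcpy(out, heap, len + 1); /* copy only a complete, NUL-terminated result */
    free(heap);
    return 0;
}

int main(void)
{
    char buf[64] = "unchanged";

    if (resolve_path("/../.", buf, sizeof buf) == 0)
        printf("resolved: %s\n", buf);

    /* Constructed sample path that is assumed not to exist. */
    if (resolve_path("/added-example-missing/file", buf, sizeof buf) != 0)
        printf("failed: %s; buf now holds \"%s\"\n", strerror(errno), buf);
    return 0;
}
```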
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted of lines saying "FOO: warning:
copyright statement not found" for each of 7061 files FOO.
I then removed trailing white space from math/tgmath.h,
support/tst-support-open-dev-null-range.c, and
sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following
obscure pre-commit check failure diagnostics from Savannah. I don't
know why I run into these diagnostics whereas others evidently do not.
remote: *** 912-#endif
remote: *** 913:
remote: *** 914-
remote: *** error: lines with trailing whitespace found
...
remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
It syncs with gnulib version ae9fb3d66. The testcase for BZ#23741
(stdlib/test-bz22786.c) is adjusted to check also for ENOMEM.
The patch fixes multiple realpath issues:
- Portability fixes for errno clobbering on free (BZ#10635). The
function does not call free directly anymore, although it might be
done through scratch_buffer_free. The free errno clobbering is
being tracked by BZ#17924.
- Pointer arithmetic overflows in realpath (BZ#26592).
- Realpath cyclically calls __alloca(path_max) to consume too much
stack space (BZ#26341).
- Realpath mishandles EOVERFLOW; stat not needed anyway (BZ#24970).
The check is done through faccessat now.
Checked on x86_64-linux-gnu and i686-linux-gnu.
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted of lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
It replaces the internal usage of __{f,l}xstat{at}{64} with the
__{f,l}stat{at}{64}. It should not change the generated code since
sys/stat.h explicitly defines redirections to internal calls back to
xstat* symbols.
Checked with a build for all affected ABIs. I also checked on
x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Lukasz Majewski <lukma@denx.de>
when realpath() input length is close to SSIZE_MAX.
2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #22786]
* stdlib/canonicalize.c (__realpath): Fix overflow in path length
computation.
* stdlib/Makefile (test-bz22786): New test.
* stdlib/test-bz22786.c: New test.
2008-06-25 Ulrich Drepper <drepper@redhat.com>
[BZ #6654]
* stdlib/canonicalize.c (__realpath): readlink can write too much
into the buffer on platforms without PATH_MAX.
was allocated here. [Coverity CID 219]
* posix/getconf.c (print_all): Free confstr data after printing.
[Coverity CID 218]
* sysdeps/posix/getaddrinfo.c (gaih_inet): Free canon string if
list allocation fails. [Coverity CID 215]
* nss/nsswitch.c (__nss_configure_lookup): Fix loop end condition.
[Coverity CID 213]
* argp/argp-help.c (hol_entry_cmp): Don't call canon_doc_option if
string is NULL. [Coverity CID 212]
* argp/Makefile: Add rules to build and run bug-argp1.
* argp/bug-argp1.c: New file.
* io/ftw.c (ftw_dir): Use __rawmemchr instead of strchr to find
end of string.
* stdlib/canonicalize.c (__realpath): Likewise.
* locale/programs/ld-time.c (time_finish): Don't dereference NULL
pointer. [Coverity CID 206]
* elf/dl-dst.h (DL_DST_REQUIRED): Be prepared for missing link map
in statically linked code.
* elf/dl-load.c (_dl_dst_substitute): When replacing ORIGIN in
statically built code, be prepared to have no link map.
[Coverity CID 205]
* argp/argp-help.c (fill_in_uparams): Handle STATE==NULL in
dgettext calls. [Coverity CID 204]
* argp/argp-help.c (struct uparams): Remove valid member. Change
the one user.
(uparam_names): Reduce size. Avoid relative relocations.
Moved to read-only segment.
(fill_in_uparams): Update for new layout.
* sysdeps/unix/sysv/linux/ifaddrs.c (getifaddrs): Parameter can be
assumed to always be != NULL. [Coverity CID 202]
* argp/argp-help.c (hol_entry_help): Remove some dead code
[Coverity CID 200].
* nis/nss_nis/nis-service.c (_nss_nis_getservbyport_r): Optimize
away a few more unconditional yperr2nss calls.
(_nss_nis_getservbyname_r): Likewise.
for the new error case.
2004-06-02 Dmitry V. Levin <ldv@altlinux.org>
Ranjani Murthy <ranmur@gmail.com>
* stdlib/canonicalize.c (__realpath): Change realpath(3) to
return NULL and set errno to ENOTDIR for such pathnames like
"/path/to/existing-non-directory/".
* sysdeps/arm/dl-machine.h (elf_machine_rela): Handle R_ARM_COPY.
2002-11-15 Roland McGrath <roland@redhat.com>
* math/Makefile (libm-calls): Change s_ldexp to m_ldexp.
* Makerules ($(+sysdir_pfx)sysd-rules): Emit pattern rules for m_%.[Sc]
from sysdeps/.../s_%.[Sc] with commands $(+make-include-of-dep).
(+make-include-of-dep): New canned sequence.
* stdlib/canonicalize.c (__realpath): Check for malloc failure.
From Dmitry V. Levin <ldv@altlinux.org>.
2002-07-11 Ulrich Drepper <drepper@redhat.com>
* Versions.def (libc): Add GLIBC_2.3.
* stdlib/Versions [libc] (GLIBC_2.3): Add realpath.
* stdlib/canonicalize.c: Add compatibility version for realpath
and make new code available in GLIBC_2.3.
* stdlib/canonicalize.c (canonicalize): Rename to __realpath and
don't define static. Remove old __realpath function. TC1 of
POSIX 2001 will allow the second parameter to be NULL.
* stdlib/test-canon.c: Comment out test for NULL as second
parameter of realpath.
* time/offtime.c (__offtime): Set errno if overflow is detected.
2001-07-06 Paul Eggert <eggert@twinsun.com>
* manual/argp.texi: Remove ignored LGPL copyright notice; it's
not appropriate for documentation anyway.
* manual/libc-texinfo.sh: "Library General Public License" ->
"Lesser General Public License".
2001-07-06 Andreas Jaeger <aj@suse.de>
* All files under GPL/LGPL version 2: Place under LGPL version
2.1.
2000-02-11 Ulrich Drepper <drepper@redhat.com>
* stdio-common/printf-parse.h (parse_one_spec): Set wide elements.
* stdio-common/printf_fp.c: Truly support wide character output.
Finally handle decimal points and thousands separator characters
correctly for multibyte output.
* stdio-common/printf_size.c: Likewise.
* sysdeps/generic/printf_fphex.c: Likewise.
* sysdeps/ieee754/ldbl-96/printf_fphex.c: Likewise.
* stdio-common/vfscanf.c: Implement I modifier for numbers to read
locale dependent digits.
* locale/C-monetary.c (_nl_C_LC_MONETARY): Change wide character
decimal point and thousands separator values to wide characters from
wide character strings.
* locale/C-numeric.c (_nl_C_LC_NUMERIC): Likewise.
* locale/indigitswc.h: Dereference wcdigits array elements.
2000-02-03 Jakub Jelinek <jakub@redhat.com>
* stdlib/canonicalize.c (canonicalize): Zero terminate
path to copy on error.
2000-02-01 Cristian Gafton <gafton@redhat.com>
* misc/syslog.c (closelog): Reset LogType to SOCK_DGRAM.
2000-01-31 Philip Blundell <philb@gnu.org>
* sysdeps/arm/fpu/fpu_control.h (_FPU_DEFAULT): Set the AC bit.
2000-01-31 Andreas Jaeger <aj@suse.de>
* intl/Makefile (generated): msgs.h is generated.
* localedata/Makefile (generated-dirs): Add de_DE.437.
2000-01-31 Jakub Jelinek <jakub@redhat.com>
* config.make.in: Allow default localedir to come from configure.
* configure.in: Export libc_cv_localedir.
* sysdeps/unix/sysv/linux/configure.in: For sparc64, put locale
stuff into $exec_prefix/lib/locale because it can be shared between
32bit and 64bit libraries.
* configure: Rebuilt.
* sysdeps/unix/sysv/linux/configure: Rebuilt.
2000-01-31 Andreas Jaeger <aj@suse.de>
* inet/tst-network.c: New file.
* inet/Makefile (tests): Add tst-network.
* inet/inet_net.c (inet_network): Don't overwrite memory or allow
too great last digits.
1998-04-14 16:34 Ulrich Drepper <drepper@cygnus.com>
* test-skeleton.c: Provide hook for initializing code before the fork.
* rt/tst-aio.c: Use PREPARE hook to make sure temp files are always
removed.
* libio/fcloseall.c (__fcloseall): Return return value of _IO_cleanup.
* libio/genops.c (_IO_cleanup): Return return value of _IO_flush_all.
* libio/libioP.h: Adopt _IO_cleanup prototype.
* stdlib/Makefile (tests): Add test-canon2.
* stdlib/test-canon2.c: New file.
* stdlib/canonicalize.c (canonicalize): Allow RESOLVED parameter to
be NULL. Use __lxstat, not __lstat. Correctly recognize long
symlink sequences.
(__realpath): Make real function which checks RESOLVED parameter for
not being NULL.
1998-04-14 Ulrich Drepper <drepper@cygnus.com>
* catgets/open_catalog.c (__open_catalog): Fix problems with
reading non-files. Always close file.
Reported by Cristian Gafton <gafton@redhat.com>.
* elf/dl-minimal.c (__strtol_internal): Prevent overflow warnings.
1998-04-14 13:28 Ulrich Drepper <drepper@cygnus.com>
* libc.map: Add various low-level I/O functions.
1998-04-14 10:35 Ulrich Drepper <drepper@cygnus.com>
* string/Makefile (routines): Remove strerror_r.
* string/strerror_r.c: Removed.
* string/strerror.c: Call __strerror_r for doing the real work.
* sysdeps/generic/_strerror.c: Rename function to __strerror_r and
add weak alias strerror_r.
* sysdeps/mach/_strerror.c: Likewise.
* assert/assert-perr.c: Use __strerror_r instead of _strerror_internal.
* elf/dl-error.c (_dl_signal_error): Likewise.
* elf/dl-profile.c (_dl_start_profile): Likewise.
* gmon/gmon.c (write_gmon): Likewise.
* stdio-common/perror.c: Likewise.
* stdio-common/vfprintf.c: Likewise.
1998-04-10 Mark Kettenis <kettenis@phys.uva.nl>
* sysdeps/unix/sysv/linux/Makefile [$(subdir)=inet]
(sysdep_headers): Add netatalk/at.h.
1998-04-12 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* manual/socket.texi, manual/creature.texi, manual/time.texi:
Formatting fixes.
1998-04-13 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* posix/regex.c: Rename __re_syntax_options back to
re_syntax_options, aliases do not work with global variables due
to copy relocations.
(regex_compile): Use syntax parameter instead of
re_syntax_options.
1998-04-14 Andreas Jaeger <aj@arthur.rhein-neckar.de>
* configure.in: Document that enable-force-install is default.
1998-04-08 20:06 Ulrich Drepper <drepper@cygnus.com>
* iconv/gconv_conf.c (__gconv_read_conf): Use __realpath not realpath.
* iconv/gconv_db.c: Use __ protected regex functions.
* iconv/gconv_simple.c: Use __mbsinit not mbsinit.
* posix/getopt_init.c: Use __getpid not getpid.
* posix/regex.c: Rename all global functions to start with __ and
make old names weak aliases.
* posix/regex.h: Adopt prototypes for this.
* stdlib/canonicalize.c: Define __realpath, make canonicalize_file_name
a weak alias and use __getcwd instead of getcwd.
* stdlib/stdlib.h: Declare __realpath and __canonicalize_file_name.
* stdlib/strtod.c: Use __btowc instead of btowc.
* stdlib/strtol.c: Likewise.
* sysdeps/libm-ieee754/s_matherr.c: Weaken definition of matherr.
* sysdeps/unix/sysv/linux/errlist.c: Make sure definitions of sys_nerr
and sys_errlist are weak.
* wcsmbs/btowc.c: Define function as __btowc and make btowc weak alias.
* wcsmbs/mbrtowc.c: Use __mbsinit not mbsinit.
* wcsmbs/mbsnrtowcs.c: Likewise.
* wcsmbs/mbsrtowcs.c: Likewise.
* wcsmbs/wcsnrtombs.c: Likewise.
* wcsmbs/wcsrtombs.c: Likewise.
* wcsmbs/mbsinit.c: Define function as __mbsinit and make mbsinit
weak alias.
* wcsmbs/wchar.h: Declare __btowc and __mbsinit.
* wctype/wctype.c: Define function as __wctype and make wctype
weak alias.
* wctype/wctype.h: Declare __wctype.
Sat Dec 7 03:24:36 1996 Ulrich Drepper <drepper@cygnus.com>
* configure.in: Discard error message from test in test for
bash-2.0.
* io/getpw.c: Don't apply getcwd on user supplied buffer.
Instead always use temporary buffer and only copy the result.
Patch by HJ Lu.
* stdlib/canonicalize.c: Likewise.
* libio/fileops.c: Change comments according to libg++2.8b5.
* libio/iosetvbuf.c: Follow change in libg++-2.8b5 to clear
unbuffered flag.
Reported by HJ Lu.
* manual/nss.texi: Correct prototypes.
* misc/syslog.c: Make reentrant. Catch SIGPIPE signal to prevent
crash if syslog daemon is restarted.
* stdlib/rand_r.c: New file. Implementation of POSIX.2 function
rand_r.
* stdlib/Makefile (routines): Add rand_r.
* sysdeps/stub/libc-lock.h: Define __libc_lock_trylock and
__libc_mutex_lock.
* configure.in: Add --disable-sanity-check option.
* sysdeps/unix/sysv/linux/configure.in: If linuxthreads or
des-crypt are not available and --disable-sanity-check is not
given abort with a message.
Thu Dec 5 19:19:53 1996 Richard Henderson <rth@tamu.edu>
* posix/glob.c: Tests against STDC_HEADERS should also test
__GNU_LIBRARY__.
Thu Dec 5 16:20:55 1996 Ulrich Drepper <drepper@cygnus.com>
* misc/err.c (vwarn): Set errno again before using %m format.
Thu Dec 5 10:14:05 1996 Andreas Jaeger <aj@arthur.pfalz.de>
* grp/grp.h: Add declaration of __getgrent_r.
* io/fts.c (fts_build): Remove "register" from variables dirbuf
and dp since their address is needed.
* sysdeps/posix/getcwd.c (__getcwd): Remove "register" from
variable d since d's address is needed.
* misc/tst-dirname.c (main): Provide prototype.
* misc/ioctltst.c (main): Ditto.
* Makefile: Add gnu/lib-names.h to install-others before including
Makerules.
Wed Dec 4 16:00:09 1996 Ulrich Drepper <drepper@cygnus.com>
* sysdeps/unix/sysv/linux/sys/socketvar.h: New file. Simply use
<sys/socket.h>.
* sysdeps/unix/sysv/linux/Dist: Add sys/socketvar.h.
* sysdeps/unix/sysv/linux/Makefile [$(subdir)=inet)]: Add
sys/socketvar.h to sysdep_headers.
since the value might be outside the range of the `long int'.
Wed Aug 14 21:36:16 1996 Ulrich Drepper <drepper@cygnus.com>
* stdlib/strtod.c (STRTOD): Correct assertion about size of
wint_t and wchar_t. Reported by David Mosberger-Tang.
Mon Aug 12 22:40:16 1996 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* elf/dl-lookup.c (_dl_lookup_symbol): Remove fifth parameter
RELOC_ADDR and make NOPLT a set of flags. All callers
changed. Delete condition that checks for resolving to the
location being filled in. Add condition to skip the
executable's symbols if requested.
* elf/link.h: Change declaration of _dl_lookup_symbol
accordingly.
(DL_LOOKUP_NOEXEC, DL_LOOKUP_NOPLT): New definitions.
* elf/dl-reloc.c (RESOLVE): Remove second parameter and rename
NOPLT to FLAGS.
* elf/dl-runtime.c (RESOLVE): Likewise.
* elf/rtld.c (RESOLVE): Likewise.
* sysdeps/m68k/dl-machine.h (elf_machine_rela): Pass
DL_LOOKUP_NOEXEC as second argument to the RESOLVE macro if
processing a copy reloc, DL_LOOKUP_NOPLT for a jump slot
reloc, zero otherwise.
* sysdeps/alpha/dl-machine.h (elf_machine_rela): Likewise.
* sysdeps/i386/dl-machine.h (elf_machine_rel): Likewise.
* sysdeps/mips/dl-machine.h (elf_machine_rel): Likewise.
Wed Aug 14 17:57:08 1996 Ulrich Drepper <drepper@cygnus.com>
* MakeTAGS: Clean up use of --omit-header and -n for xgettext.
* po/header.pot: Add empty line at end.
Sun Aug 11 13:45:33 1996 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* MakeTAGS (all-pot): Remove $P/errlist.pot, all error messages
are now in $P/stdio-common.pot.
(XGETTEXTFLAGS-errlist.pot): Variable removed.
Mon Aug 12 19:25:03 1996 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* Makerules (do-ar, o-iterator-doit): Compute path to autolock
script at run time, not configure time.
* config.make.in, configure.in: Undo previous change.
Wed Aug 14 13:20:02 1996 Ulrich Drepper <drepper@cygnus.com>
* sysdeps/unix/sysv/linux/i386/close.S: Push return value of thread
on stack as argument for `_exit'. Reported by Andreas Schwab.
Mon Aug 12 19:36:25 1996 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* sysdeps/unix/sysv/linux/m68k/clone.S: New file.
Wed Aug 14 04:22:35 1996 Richard Henderson <rth@tamu.edu>
* elf/dl-load.c (_dl_map_object): Save name in malloced memory.
(_dl_map_object_from_fd): Free name on error.
Wed Aug 14 13:00:09 1996 Ulrich Drepper <drepper@cygnus.com>
* string/strdup.c: Use result of memcpy to avoid reloading.
Tue Aug 13 00:55:03 1996 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* shadow/sgetspent_r.c (__sgetspent_r): Copy string to buffer, not
the other way round.
* resolv/Makefile (libresolv-routines): Add base64, inet_net_ntop,
inet_net_pton, inet_net.
* resolv/arpa/nameser.h (__BIND): Update version number.
Mon Aug 12 19:03:22 1996 Thomas Bushnell n/BSG <thomas@psilocin.gnu.ai.mit.edu>
* sysdeps/generic/gnu/types.h: Declare __fd_mask as `unsigned long'.
* mach/Makefile (mach/mach_host.uh): Depend on
$(objpfx)/mach-syscalls.mk.
($(objpfx)mach-shortcuts.h): Depend on $(objpfx)mach/mach_host.h.
(This fixes a make loop; thanks to Marcus Daniels
<marcus@sysc.pdx.edu> for the patch.)
* stdlib/test-canon.c: New test program contributed by David Mosberger.
* stdlib/Makefile (tests): Add test-canon.
* stdlib/canonicalize.c: Rewritten by David Mosberger.
Thu Jun 6 07:32:14 1996 Miles Bader <miles@gnu.ai.mit.edu>
* resolv/gethnamaddr.c (struct hstorage): Make NAME field a pointer.
(_gethtbyname2): Remove ALIAS variable.
Initialize NAME field of SELF and TARGET to 0.
Add SELF_NAME_SIZE static variable.
Add loop to call gethostname until the space we allocated is enough.
Use malloced strings instead of fixed size buffers.
<stdlib.h>, <unistd.h>: New includes.
* sysdeps/generic/sys/socket.h (PF_INET6, AF_INET6): New macros.
* sysdeps/mach/hurd/errlist.c (_sys_errlist): Add EILSEQ.
(_sys_nerr): Initialize to 107.
Update _HURD_ERRNOS consistency check.
* stdlib/canonicalize.c (canonicalize): Use pathconf for PATH_MAX,
not sysconf.
* login/login.c [!PATH_MAX] (PATH_MAX): Define to be 1024 if not
already defined.
* sysdeps/mach/hurd/setitimer.c (timer_thread): Supply SIGCODE
argument to __msg_sig_post_request.
* hurd/hurdmalloc.c: Changes to bring in line with the hurd
libthreads/malloc.c:
(more_memory): Use assert_perror instead of MACH_CALL.
"cthread_internals.h": Include removed.
(realloc): Use LOG2_MIN_SIZE.
(LOG2_MIN_SIZE): New macro.
(realloc): Don't bother allocating a new block if the
new size request fits in the old one and doesn't waste any space.
Only free the old block if we successfully got a new one.
[MCHECK] (struct header): New type.
(union header): Only define if !MCHECK.
(HEADER_SIZE, HEADER_NEXT, HEADER_FREE, HEADER_CHECK): New macros.
[MCHECK] (MIN_SIZE): Add correct definition for this case.
(more_memory, malloc, free, realloc): Use above macros, and add
appropriate checks & frobs in MCHECK case.