glibc/sysdeps/posix
Siddhesh Poyarekar 23e0e8f5f1 getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
No valid path returned by getcwd would fit into 1 byte, so reject the
size early and return NULL with errno set to ERANGE.  This change is
prompted by CVE-2021-3999, which describes a single byte buffer
underflow and overflow when all of the following conditions are met:

- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory

Sequence of events:

- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
  because the linux kernel checks for name length before it checks
  buffer size

- The code falls back to the generic getcwd in sysdeps/posix

- In the generic func, the buf[0] is set to '\0' on line 250

- this while loop on line 262 is bypassed:

    while (!(thisdev == rootdev && thisino == rootino))

  since the rootfs (/) is bind mounted onto the directory and the flow
  goes on to line 449, where it puts a '/' in the byte before the
  buffer.

- Finally on line 458, it moves 2 bytes (the underflowed byte and the
  '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.

- buf is returned on line 469 and errno is not set.

This resolves BZ #28769.

Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2022-01-24 11:00:17 +05:30
..
alarm.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
clock_getres.c hurd: Fix timer/clock_getres crash on NULL res parameter 2022-01-15 15:37:03 +01:00
clock.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
ctermid.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
cuserid.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
dl-fileid.h Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
dup2.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
dup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
euidaccess.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
flock.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
fpathconf.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
gai_strerror-strs.h
gai_strerror.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
getaddrinfo.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
getcwd.c getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999) 2022-01-24 11:00:17 +05:30
getdtsz.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
gethostname.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
getpagesize.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
isatty.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
isfdtype.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
killpg.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
libc_fatal.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
Makefile linux: Require /dev/shm as the shared memory file system 2021-02-08 14:10:42 -03:00
mkfifo.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
mkfifoat.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nice.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
open64.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pathconf.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pause.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
posix_fallocate64.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
posix_fallocate.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pread64.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pread.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
preadv2.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
preadv64.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
preadv64v2.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
preadv_common.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
preadv.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
profil.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pwrite64.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pwrite.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pwritev2.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pwritev64.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pwritev64v2.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pwritev_common.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pwritev.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
raise.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
readv.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
remove.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
rename.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sigblock.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sigignore.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sigintr.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
signal.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sigpause.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sigset.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sigsetmask.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sigsuspend.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sigwait.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sleep.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sprofil.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
Subdirs Make sysdeps/posix bring in login subdir. 2015-07-23 17:04:22 -07:00
sysconf-pthread_stack_min.h Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sysconf.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
system.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sysv_signal.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tempname.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
truncate.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
ttyname_r.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
ttyname.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
ulimit.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
usleep.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
utime.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
utimes.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
writev_nocancel.c hurd: Fix __writev_nocancel_nostatus 2020-06-14 17:45:04 +00:00
writev.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00