glibc/sysdeps/posix
Siddhesh Poyarekar 472e799a5f getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
No valid path returned by getcwd would fit into 1 byte, so reject the
size early and return NULL with errno set to ERANGE.  This change is
prompted by CVE-2021-3999, which describes a single byte buffer
underflow and overflow when all of the following conditions are met:

- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory

Sequence of events:

- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
  because the linux kernel checks for name length before it checks
  buffer size

- The code falls back to the generic getcwd in sysdeps/posix

- In the generic function, buf[0] is set to '\0' on line 250

- This while loop on line 262 is bypassed:

    while (!(thisdev == rootdev && thisino == rootino))

  since the rootfs (/) is bind mounted onto the directory and the flow
  goes on to line 449, where it puts a '/' in the byte before the
  buffer.

- Finally on line 458, it moves 2 bytes (the underflowed byte and the
  '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.

- buf is returned on line 469 and errno is not set.

This resolves BZ #28769.

Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 23e0e8f5f1)
2022-01-24 11:37:06 +05:30
alarm.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
clock_getres.c Add C2X timespec_getres 2021-05-17 20:55:21 +00:00
clock.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
ctermid.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
cuserid.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
dl-fileid.h Use 64 bit time_t stat internally 2021-06-22 12:09:52 -03:00
dup2.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
dup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
euidaccess.c Use 64 bit time_t stat internally 2021-06-22 12:09:52 -03:00
flock.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
fpathconf.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
gai_strerror-strs.h * sysdeps/posix/gai_strerror.c: Complete rewrite. Avoid relocations. 2005-12-20 17:53:00 +00:00
gai_strerror.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
getaddrinfo.c gaiconf_init: Avoid double-free in label and precedence lists 2021-08-04 15:53:46 +05:30
getcwd.c getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999) 2022-01-24 11:37:06 +05:30
getdtsz.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
gethostname.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
getpagesize.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
isatty.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
isfdtype.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
killpg.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
libc_fatal.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
Makefile linux: Require /dev/shm as the shared memory file system 2021-02-08 14:10:42 -03:00
mkfifo.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
mkfifoat.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nice.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
open64.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pathconf.c Use 64 bit time_t stat internally 2021-06-22 12:09:52 -03:00
pause.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
posix_fallocate64.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
posix_fallocate.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pread64.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pread.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
preadv2.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
preadv64.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
preadv64v2.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
preadv_common.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
preadv.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
profil.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pwrite64.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pwrite.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pwritev2.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pwritev64.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pwritev64v2.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pwritev_common.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pwritev.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
raise.c nptl: Implement raise in terms of pthread_kill 2021-06-09 15:16:45 -03:00
readv.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
remove.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
rename.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sigblock.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sigignore.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sigintr.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
signal.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sigpause.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sigset.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sigsetmask.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sigsuspend.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sigwait.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sleep.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
spawni.c posix: Add posix_spawn_file_actions_addclosefrom_np 2021-07-08 14:08:15 -03:00
sprofil.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
Subdirs Make sysdeps/posix bring in login subdir. 2015-07-23 17:04:22 -07:00
sysconf-pthread_stack_min.h Define PTHREAD_STACK_MIN to sysconf(_SC_THREAD_STACK_MIN) 2021-07-09 15:10:35 -07:00
sysconf.c posix: Add sysconf(_SC_{MIN,}SIGSTKSZ) support 2021-07-22 01:24:52 +02:00
system.c nptl: Move pthread_setcancelstate into libc 2021-04-21 19:49:50 +02:00
sysv_signal.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tempname.c Use 64 bit time_t stat internally 2021-06-22 12:09:52 -03:00
truncate.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
ttyname_r.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
ttyname.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
ulimit.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
usleep.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
utime.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
utimes.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
writev_nocancel.c hurd: Fix __writev_nocancel_nostatus 2020-06-14 17:45:04 +00:00
writev.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00