commit 91ce40854d0b7f865cf5024ef95a8026b76096f3 Author: Florian Weimer <fweimer@redhat.com> Date: Fri Aug 16 09:38:52 2013 +0200 CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r * sysdeps/unix/dirstream.h (struct __dirstream): Add errcode member. * sysdeps/unix/opendir.c (__alloc_dir): Initialize errcode member. * sysdeps/unix/rewinddir.c (rewinddir): Reset errcode member. * sysdeps/unix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit. Return delayed error code. Remove GETDENTS_64BIT_ALIGNED conditional. * sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define GETDENTS_64BIT_ALIGNED. * sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise. * manual/filesys.texi (Reading/Closing Directory): Document ENAMETOOLONG return value of readdir_r. Recommend readdir more strongly. * manual/conf.texi (Limits for Files): Add portability note to NAME_MAX, PATH_MAX. (Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX. diff -Nurp glibc-2.14.1/manual/conf.texi glibc-2.14.1-cve/manual/conf.texi --- glibc-2.14.1/manual/conf.texi 2011-10-07 12:48:55.000000000 +0300 +++ glibc-2.14.1-cve/manual/conf.texi 2013-10-06 17:14:31.525134972 +0300 @@ -1153,6 +1153,9 @@ typed ahead as input. @xref{I/O Queues} @comment POSIX.1 @deftypevr Macro int NAME_MAX The uniform system limit (if any) for the length of a file name component. + +@strong{Portability Note:} On some systems, The GNU C library defines +@code{NAME_MAX}, but does not actually enforce this limit. @end deftypevr @comment limits.h @@ -1160,6 +1163,9 @@ The uniform system limit (if any) for th @deftypevr Macro int PATH_MAX The uniform system limit (if any) for the length of an entire file name (that is, the argument given to system calls such as @code{open}). + +@strong{Portability Note:} The GNU C library does not enforce this limit +even if @code{PATH_MAX} is defined. @end deftypevr @cindex limits, pipe buffer size @@ -1480,6 +1486,9 @@ Inquire about the value of @code{POSIX_R Inquire about the value of @code{POSIX_REC_XFER_ALIGN}. @end table +@strong{Portability Note:} On some systems, The GNU C library does not +enforce @code{_PC_NAME_MAX} or @code{_PC_PATH_MAX} limits. + @node Utility Limits @section Utility Program Capacity Limits diff -Nurp glibc-2.14.1/manual/filesys.texi glibc-2.14.1-cve/manual/filesys.texi --- glibc-2.14.1/manual/filesys.texi 2011-10-07 12:48:55.000000000 +0300 +++ glibc-2.14.1-cve/manual/filesys.texi 2013-10-06 17:14:55.295652485 +0300 @@ -438,9 +438,9 @@ symbols are declared in the header file @comment POSIX.1 @deftypefun {struct dirent *} readdir (DIR *@var{dirstream}) This function reads the next entry from the directory. It normally -returns a pointer to a structure containing information about the file. -This structure is statically allocated and can be rewritten by a -subsequent call. +returns a pointer to a structure containing information about the +file. This structure is associated with the @var{dirstream} handle +and can be rewritten by a subsequent call. @strong{Portability Note:} On some systems @code{readdir} may not return entries for @file{.} and @file{..}, even though these are always @@ -455,19 +455,61 @@ conditions are defined for this function The @var{dirstream} argument is not valid. @end table -@code{readdir} is not thread safe. Multiple threads using -@code{readdir} on the same @var{dirstream} may overwrite the return -value. Use @code{readdir_r} when this is critical. +To distinguish between an end-of-directory condition or an error, you +must set @code{errno} to zero before calling @code{readdir}. To avoid +entering an infinite loop, you should stop reading from the directory +after the first error. + +In POSIX.1-2008, @code{readdir} is not thread-safe. In The GNU C library +implementation, it is safe to call @code{readdir} concurrently on +different @var{dirstream}s, but multiple threads accessing the same +@var{dirstream} result in undefined behavior. @code{readdir_r} is a +fully thread-safe alternative, but suffers from poor portability (see +below). It is recommended that you use @code{readdir}, with external +locking if multiple threads access the same @var{dirstream}. @end deftypefun @comment dirent.h @comment GNU @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result}) -This function is the reentrant version of @code{readdir}. Like -@code{readdir} it returns the next entry from the directory. But to -prevent conflicts between simultaneously running threads the result is -not stored in statically allocated memory. Instead the argument -@var{entry} points to a place to store the result. +This function is a version of @code{readdir} which performs internal +locking. Like @code{readdir} it returns the next entry from the +directory. To prevent conflicts between simultaneously running +threads the result is stored inside the @var{entry} object. + +@strong{Portability Note:} It is recommended to use @code{readdir} +instead of @code{readdir_r} for the following reasons: + +@itemize @bullet +@item +On systems which do not define @code{NAME_MAX}, it may not be possible +to use @code{readdir_r} safely because the caller does not specify the +length of the buffer for the directory entry. + +@item +On some systems, @code{readdir_r} cannot read directory entries with +very long names. If such a name is encountered, The GNU C library +implementation of @code{readdir_r} returns with an error code of +@code{ENAMETOOLONG} after the final directory entry has been read. On +other systems, @code{readdir_r} may return successfully, but the +@code{d_name} member may not be NUL-terminated or may be truncated. + +@item +POSIX-1.2008 does not guarantee that @code{readdir} is thread-safe, +even when access to the same @var{dirstream} is serialized. But in +current implementations (including The GNU C library), it is safe to call +@code{readdir} concurrently on different @var{dirstream}s, so there is +no need to use @code{readdir_r} in most multi-threaded programs. In +the rare case that multiple threads need to read from the same +@var{dirstream}, it is still better to use @code{readdir} and external +synchronization. + +@item +It is expected that future versions of POSIX will obsolete +@code{readdir_r} and mandate the level of thread safety for +@code{readdir} which is provided by The GNU C library and other +implementations today. +@end itemize Normally @code{readdir_r} returns zero and sets @code{*@var{result}} to @var{entry}. If there are no more entries in the directory or an @@ -475,15 +517,6 @@ error is detected, @code{readdir_r} sets null pointer and returns a nonzero error code, also stored in @code{errno}, as described for @code{readdir}. -@strong{Portability Note:} On some systems @code{readdir_r} may not -return a NUL terminated string for the file name, even when there is no -@code{d_reclen} field in @code{struct dirent} and the file -name is the maximum allowed size. Modern systems all have the -@code{d_reclen} field, and on old systems multi-threading is not -critical. In any case there is no such problem with the @code{readdir} -function, so that even on systems without the @code{d_reclen} member one -could use multiple threads by using external locking. - It is also important to look at the definition of the @code{struct dirent} type. Simply passing a pointer to an object of this type for the second parameter of @code{readdir_r} might not be enough. Some diff -Nurp glibc-2.14.1/sysdeps/unix/dirstream.h glibc-2.14.1-cve/sysdeps/unix/dirstream.h --- glibc-2.14.1/sysdeps/unix/dirstream.h 2011-10-07 12:48:55.000000000 +0300 +++ glibc-2.14.1-cve/sysdeps/unix/dirstream.h 2013-10-06 16:51:59.525896282 +0300 @@ -40,6 +40,8 @@ struct __dirstream off_t filepos; /* Position of next entry to read. */ + int errcode; /* Delayed error code. */ + /* Directory block. */ char data[0] __attribute__ ((aligned (__alignof__ (void*)))); }; diff -Nurp glibc-2.14.1/sysdeps/unix/opendir.c glibc-2.14.1-cve/sysdeps/unix/opendir.c --- glibc-2.14.1/sysdeps/unix/opendir.c 2011-10-07 12:48:55.000000000 +0300 +++ glibc-2.14.1-cve/sysdeps/unix/opendir.c 2013-10-06 16:51:59.525896282 +0300 @@ -209,6 +209,7 @@ __alloc_dir (int fd, bool close_fd, int dirp->size = 0; dirp->offset = 0; dirp->filepos = 0; + dirp->errcode = 0; return dirp; } diff -Nurp glibc-2.14.1/sysdeps/unix/readdir_r.c glibc-2.14.1-cve/sysdeps/unix/readdir_r.c --- glibc-2.14.1/sysdeps/unix/readdir_r.c 2011-10-07 12:48:55.000000000 +0300 +++ glibc-2.14.1-cve/sysdeps/unix/readdir_r.c 2013-10-06 16:51:59.525896282 +0300 @@ -42,6 +42,7 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *ent DIRENT_TYPE *dp; size_t reclen; const int saved_errno = errno; + int ret; __libc_lock_lock (dirp->lock); @@ -72,10 +73,10 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *ent bytes = 0; __set_errno (saved_errno); } + if (bytes < 0) + dirp->errcode = errno; dp = NULL; - /* Reclen != 0 signals that an error occurred. */ - reclen = bytes != 0; break; } dirp->size = (size_t) bytes; @@ -108,29 +109,46 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *ent dirp->filepos += reclen; #endif - /* Skip deleted files. */ +#ifdef NAME_MAX + if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1) + { + /* The record is very long. It could still fit into the + caller-supplied buffer if we can skip padding at the + end. */ + size_t namelen = _D_EXACT_NAMLEN (dp); + if (namelen <= NAME_MAX) + reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1; + else + { + /* The name is too long. Ignore this file. */ + dirp->errcode = ENAMETOOLONG; + dp->d_ino = 0; + continue; + } + } +#endif + + /* Skip deleted and ignored files. */ } while (dp->d_ino == 0); if (dp != NULL) { -#ifdef GETDENTS_64BIT_ALIGNED - /* The d_reclen value might include padding which is not part of - the DIRENT_TYPE data structure. */ - reclen = MIN (reclen, - offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name)); -#endif *result = memcpy (entry, dp, reclen); -#ifdef GETDENTS_64BIT_ALIGNED +#ifdef _DIRENT_HAVE_D_RECLEN entry->d_reclen = reclen; #endif + ret = 0; } else - *result = NULL; + { + *result = NULL; + ret = dirp->errcode; + } __libc_lock_unlock (dirp->lock); - return dp != NULL ? 0 : reclen ? errno : 0; + return ret; } #ifdef __READDIR_R_ALIAS diff -Nurp glibc-2.14.1/sysdeps/unix/rewinddir.c glibc-2.14.1-cve/sysdeps/unix/rewinddir.c --- glibc-2.14.1/sysdeps/unix/rewinddir.c 2011-10-07 12:48:55.000000000 +0300 +++ glibc-2.14.1-cve/sysdeps/unix/rewinddir.c 2013-10-06 16:51:59.525896282 +0300 @@ -34,6 +34,7 @@ rewinddir (dirp) dirp->filepos = 0; dirp->offset = 0; dirp->size = 0; + dirp->errcode = 0; #ifndef NOT_IN_libc __libc_lock_unlock (dirp->lock); #endif diff -Nurp glibc-2.14.1/sysdeps/unix/sysv/linux/i386/readdir64_r.c glibc-2.14.1-cve/sysdeps/unix/sysv/linux/i386/readdir64_r.c --- glibc-2.14.1/sysdeps/unix/sysv/linux/i386/readdir64_r.c 2011-10-07 12:48:55.000000000 +0300 +++ glibc-2.14.1-cve/sysdeps/unix/sysv/linux/i386/readdir64_r.c 2013-10-06 16:51:59.525896282 +0300 @@ -19,7 +19,6 @@ #define __READDIR_R __readdir64_r #define __GETDENTS __getdents64 #define DIRENT_TYPE struct dirent64 -#define GETDENTS_64BIT_ALIGNED 1 #include <sysdeps/unix/readdir_r.c> diff -Nurp glibc-2.14.1/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c glibc-2.14.1-cve/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c --- glibc-2.14.1/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c 2011-10-07 12:48:55.000000000 +0300 +++ glibc-2.14.1-cve/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c 2013-10-06 16:51:59.525896282 +0300 @@ -1,5 +1,4 @@ #define readdir64_r __no_readdir64_r_decl -#define GETDENTS_64BIT_ALIGNED 1 #include <sysdeps/unix/readdir_r.c> #undef readdir64_r weak_alias (__readdir_r, readdir64_r)