commit 91ce40854d0b7f865cf5024ef95a8026b76096f3
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Aug 16 09:38:52 2013 +0200
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
* sysdeps/unix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/unix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/unix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/unix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
diff -Nurp glibc-2.14.1/manual/conf.texi glibc-2.14.1-cve/manual/conf.texi
--- glibc-2.14.1/manual/conf.texi 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1-cve/manual/conf.texi 2013-10-06 17:14:31.525134972 +0300
@@ -1153,6 +1153,9 @@ typed ahead as input. @xref{I/O Queues}
@comment POSIX.1
@deftypevr Macro int NAME_MAX
The uniform system limit (if any) for the length of a file name component.
+
+@strong{Portability Note:} On some systems, The GNU C library defines
+@code{NAME_MAX}, but does not actually enforce this limit.
@end deftypevr
@comment limits.h
@@ -1160,6 +1163,9 @@ The uniform system limit (if any) for th
@deftypevr Macro int PATH_MAX
The uniform system limit (if any) for the length of an entire file name (that
is, the argument given to system calls such as @code{open}).
+
+@strong{Portability Note:} The GNU C library does not enforce this limit
+even if @code{PATH_MAX} is defined.
@end deftypevr
@cindex limits, pipe buffer size
@@ -1480,6 +1486,9 @@ Inquire about the value of @code{POSIX_R
Inquire about the value of @code{POSIX_REC_XFER_ALIGN}.
@end table
+@strong{Portability Note:} On some systems, The GNU C library does not
+enforce @code{_PC_NAME_MAX} or @code{_PC_PATH_MAX} limits.
+
@node Utility Limits
@section Utility Program Capacity Limits
diff -Nurp glibc-2.14.1/manual/filesys.texi glibc-2.14.1-cve/manual/filesys.texi
--- glibc-2.14.1/manual/filesys.texi 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1-cve/manual/filesys.texi 2013-10-06 17:14:55.295652485 +0300
@@ -438,9 +438,9 @@ symbols are declared in the header file
@comment POSIX.1
@deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
This function reads the next entry from the directory. It normally
-returns a pointer to a structure containing information about the file.
-This structure is statically allocated and can be rewritten by a
-subsequent call.
+returns a pointer to a structure containing information about the
+file. This structure is associated with the @var{dirstream} handle
+and can be rewritten by a subsequent call.
@strong{Portability Note:} On some systems @code{readdir} may not
return entries for @file{.} and @file{..}, even though these are always
@@ -455,19 +455,61 @@ conditions are defined for this function
The @var{dirstream} argument is not valid.
@end table
-@code{readdir} is not thread safe. Multiple threads using
-@code{readdir} on the same @var{dirstream} may overwrite the return
-value. Use @code{readdir_r} when this is critical.
+To distinguish between an end-of-directory condition or an error, you
+must set @code{errno} to zero before calling @code{readdir}. To avoid
+entering an infinite loop, you should stop reading from the directory
+after the first error.
+
+In POSIX.1-2008, @code{readdir} is not thread-safe. In The GNU C library
+implementation, it is safe to call @code{readdir} concurrently on
+different @var{dirstream}s, but multiple threads accessing the same
+@var{dirstream} result in undefined behavior. @code{readdir_r} is a
+fully thread-safe alternative, but suffers from poor portability (see
+below). It is recommended that you use @code{readdir}, with external
+locking if multiple threads access the same @var{dirstream}.
@end deftypefun
@comment dirent.h
@comment GNU
@deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
-This function is the reentrant version of @code{readdir}. Like
-@code{readdir} it returns the next entry from the directory. But to
-prevent conflicts between simultaneously running threads the result is
-not stored in statically allocated memory. Instead the argument
-@var{entry} points to a place to store the result.
+This function is a version of @code{readdir} which performs internal
+locking. Like @code{readdir} it returns the next entry from the
+directory. To prevent conflicts between simultaneously running
+threads the result is stored inside the @var{entry} object.
+
+@strong{Portability Note:} It is recommended to use @code{readdir}
+instead of @code{readdir_r} for the following reasons:
+
+@itemize @bullet
+@item
+On systems which do not define @code{NAME_MAX}, it may not be possible
+to use @code{readdir_r} safely because the caller does not specify the
+length of the buffer for the directory entry.
+
+@item
+On some systems, @code{readdir_r} cannot read directory entries with
+very long names. If such a name is encountered, The GNU C library
+implementation of @code{readdir_r} returns with an error code of
+@code{ENAMETOOLONG} after the final directory entry has been read. On
+other systems, @code{readdir_r} may return successfully, but the
+@code{d_name} member may not be NUL-terminated or may be truncated.
+
+@item
+POSIX-1.2008 does not guarantee that @code{readdir} is thread-safe,
+even when access to the same @var{dirstream} is serialized. But in
+current implementations (including The GNU C library), it is safe to call
+@code{readdir} concurrently on different @var{dirstream}s, so there is
+no need to use @code{readdir_r} in most multi-threaded programs. In
+the rare case that multiple threads need to read from the same
+@var{dirstream}, it is still better to use @code{readdir} and external
+synchronization.
+
+@item
+It is expected that future versions of POSIX will obsolete
+@code{readdir_r} and mandate the level of thread safety for
+@code{readdir} which is provided by The GNU C library and other
+implementations today.
+@end itemize
Normally @code{readdir_r} returns zero and sets @code{*@var{result}}
to @var{entry}. If there are no more entries in the directory or an
@@ -475,15 +517,6 @@ error is detected, @code{readdir_r} sets
null pointer and returns a nonzero error code, also stored in
@code{errno}, as described for @code{readdir}.
-@strong{Portability Note:} On some systems @code{readdir_r} may not
-return a NUL terminated string for the file name, even when there is no
-@code{d_reclen} field in @code{struct dirent} and the file
-name is the maximum allowed size. Modern systems all have the
-@code{d_reclen} field, and on old systems multi-threading is not
-critical. In any case there is no such problem with the @code{readdir}
-function, so that even on systems without the @code{d_reclen} member one
-could use multiple threads by using external locking.
-
It is also important to look at the definition of the @code{struct
dirent} type. Simply passing a pointer to an object of this type for
the second parameter of @code{readdir_r} might not be enough. Some
diff -Nurp glibc-2.14.1/sysdeps/unix/dirstream.h glibc-2.14.1-cve/sysdeps/unix/dirstream.h
--- glibc-2.14.1/sysdeps/unix/dirstream.h 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1-cve/sysdeps/unix/dirstream.h 2013-10-06 16:51:59.525896282 +0300
@@ -40,6 +40,8 @@ struct __dirstream
off_t filepos; /* Position of next entry to read. */
+ int errcode; /* Delayed error code. */
+
/* Directory block. */
char data[0] __attribute__ ((aligned (__alignof__ (void*))));
};
diff -Nurp glibc-2.14.1/sysdeps/unix/opendir.c glibc-2.14.1-cve/sysdeps/unix/opendir.c
--- glibc-2.14.1/sysdeps/unix/opendir.c 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1-cve/sysdeps/unix/opendir.c 2013-10-06 16:51:59.525896282 +0300
@@ -209,6 +209,7 @@ __alloc_dir (int fd, bool close_fd, int
dirp->size = 0;
dirp->offset = 0;
dirp->filepos = 0;
+ dirp->errcode = 0;
return dirp;
}
diff -Nurp glibc-2.14.1/sysdeps/unix/readdir_r.c glibc-2.14.1-cve/sysdeps/unix/readdir_r.c
--- glibc-2.14.1/sysdeps/unix/readdir_r.c 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1-cve/sysdeps/unix/readdir_r.c 2013-10-06 16:51:59.525896282 +0300
@@ -42,6 +42,7 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *ent
DIRENT_TYPE *dp;
size_t reclen;
const int saved_errno = errno;
+ int ret;
__libc_lock_lock (dirp->lock);
@@ -72,10 +73,10 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *ent
bytes = 0;
__set_errno (saved_errno);
}
+ if (bytes < 0)
+ dirp->errcode = errno;
dp = NULL;
- /* Reclen != 0 signals that an error occurred. */
- reclen = bytes != 0;
break;
}
dirp->size = (size_t) bytes;
@@ -108,29 +109,46 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *ent
dirp->filepos += reclen;
#endif
- /* Skip deleted files. */
+#ifdef NAME_MAX
+ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
+ {
+ /* The record is very long. It could still fit into the
+ caller-supplied buffer if we can skip padding at the
+ end. */
+ size_t namelen = _D_EXACT_NAMLEN (dp);
+ if (namelen <= NAME_MAX)
+ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
+ else
+ {
+ /* The name is too long. Ignore this file. */
+ dirp->errcode = ENAMETOOLONG;
+ dp->d_ino = 0;
+ continue;
+ }
+ }
+#endif
+
+ /* Skip deleted and ignored files. */
}
while (dp->d_ino == 0);
if (dp != NULL)
{
-#ifdef GETDENTS_64BIT_ALIGNED
- /* The d_reclen value might include padding which is not part of
- the DIRENT_TYPE data structure. */
- reclen = MIN (reclen,
- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
-#endif
*result = memcpy (entry, dp, reclen);
-#ifdef GETDENTS_64BIT_ALIGNED
+#ifdef _DIRENT_HAVE_D_RECLEN
entry->d_reclen = reclen;
#endif
+ ret = 0;
}
else
- *result = NULL;
+ {
+ *result = NULL;
+ ret = dirp->errcode;
+ }
__libc_lock_unlock (dirp->lock);
- return dp != NULL ? 0 : reclen ? errno : 0;
+ return ret;
}
#ifdef __READDIR_R_ALIAS
diff -Nurp glibc-2.14.1/sysdeps/unix/rewinddir.c glibc-2.14.1-cve/sysdeps/unix/rewinddir.c
--- glibc-2.14.1/sysdeps/unix/rewinddir.c 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1-cve/sysdeps/unix/rewinddir.c 2013-10-06 16:51:59.525896282 +0300
@@ -34,6 +34,7 @@ rewinddir (dirp)
dirp->filepos = 0;
dirp->offset = 0;
dirp->size = 0;
+ dirp->errcode = 0;
#ifndef NOT_IN_libc
__libc_lock_unlock (dirp->lock);
#endif
diff -Nurp glibc-2.14.1/sysdeps/unix/sysv/linux/i386/readdir64_r.c glibc-2.14.1-cve/sysdeps/unix/sysv/linux/i386/readdir64_r.c
--- glibc-2.14.1/sysdeps/unix/sysv/linux/i386/readdir64_r.c 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1-cve/sysdeps/unix/sysv/linux/i386/readdir64_r.c 2013-10-06 16:51:59.525896282 +0300
@@ -19,7 +19,6 @@
#define __READDIR_R __readdir64_r
#define __GETDENTS __getdents64
#define DIRENT_TYPE struct dirent64
-#define GETDENTS_64BIT_ALIGNED 1
#include <sysdeps/unix/readdir_r.c>
diff -Nurp glibc-2.14.1/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c glibc-2.14.1-cve/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
--- glibc-2.14.1/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1-cve/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c 2013-10-06 16:51:59.525896282 +0300
@@ -1,5 +1,4 @@
#define readdir64_r __no_readdir64_r_decl
-#define GETDENTS_64BIT_ALIGNED 1
#include <sysdeps/unix/readdir_r.c>
#undef readdir64_r
weak_alias (__readdir_r, readdir64_r)
