From 9ec14ba8436e795b5573fee6685240721d7ca727 Mon Sep 17 00:00:00 2001 From: mancha Date: Fri, 13 Jun 2014 Subject: CVE-2014-4043 POSIX requires that we make a copy, so we allocate a new string and free it in posix_spawn_file_actions_destroy. Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug may have security implications. This backported fix for use on glibc 2.17 is based on the following upstream commits: https://sourceware.org/git/?p=glibc.git;h=89e435f3559c https://sourceware.org/git/?p=glibc.git;h=35a5e3e338ae --- posix/spawn_faction_addopen.c | 14 +++++++++++--- posix/spawn_faction_destroy.c | 22 ++++++++++++++++++++-- posix/spawn_int.h | 2 +- posix/tst-spawn.c | 10 +++++++++- 4 files changed, 41 insertions(+), 7 deletions(-) --- a/posix/spawn_faction_addopen.c +++ b/posix/spawn_faction_addopen.c @@ -18,6 +18,7 @@ #include #include #include +#include #include "spawn_int.h" @@ -35,17 +35,24 @@ posix_spawn_file_actions_addopen (posix_spawn_file_actions_t *file_actions, if (fd < 0 || fd >= maxfd) return EBADF; + char *path_copy = strdup (path); + if (path_copy == NULL) + return ENOMEM; + /* Allocate more memory if needed. */ if (file_actions->__used == file_actions->__allocated && __posix_spawn_file_actions_realloc (file_actions) != 0) - /* This can only mean we ran out of memory. */ - return ENOMEM; + { + /* This can only mean we ran out of memory. */ + free (path_copy); + return ENOMEM; + } /* Add the new value. */ rec = &file_actions->__actions[file_actions->__used]; rec->tag = spawn_do_open; rec->action.open_action.fd = fd; - rec->action.open_action.path = path; + rec->action.open_action.path = path_copy; rec->action.open_action.oflag = oflag; rec->action.open_action.mode = mode; --- a/posix/spawn_faction_destroy.c +++ b/posix/spawn_faction_destroy.c @@ -18,11 +18,29 @@ #include #include -/* Initialize data structure for file attribute for `spawn' call. */ +#include "spawn_int.h" + +/* Deallocate the file actions. */ int posix_spawn_file_actions_destroy (posix_spawn_file_actions_t *file_actions) { - /* Free the memory allocated. */ + /* Free the paths in the open actions. */ + for (int i = 0; i < file_actions->__used; ++i) + { + struct __spawn_action *sa = &file_actions->__actions[i]; + switch (sa->tag) + { + case spawn_do_open: + free (sa->action.open_action.path); + break; + case spawn_do_close: + case spawn_do_dup2: + /* No cleanup required. */ + break; + } + } + + /* Free the array of actions. */ free (file_actions->__actions); return 0; } --- a/posix/spawn_int.h +++ b/posix/spawn_int.h @@ -22,7 +22,7 @@ struct __spawn_action struct { int fd; - const char *path; + char *path; int oflag; mode_t mode; } open_action; --- a/posix/tst-spawn.c +++ b/posix/tst-spawn.c @@ -168,6 +168,7 @@ do_test (int argc, char *argv[]) char fd2name[18]; char fd3name[18]; char fd4name[18]; + char *name3_copy; char *spargv[12]; /* We must have @@ -221,9 +222,15 @@ do_test (int argc, char *argv[]) if (posix_spawn_file_actions_addclose (&actions, fd1) != 0) error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose"); /* We want to open the third file. */ - if (posix_spawn_file_actions_addopen (&actions, fd3, name3, + name3_copy = strdup (name3); + if (name3_copy == NULL) + error (EXIT_FAILURE, errno, "strdup"); + if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy, O_RDONLY, 0666) != 0) error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen"); + /* Overwrite the name to check that a copy has been made. */ + memset (name3_copy, 'X', strlen (name3_copy)); + /* We dup the second descriptor. */ fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1; if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0) @@ -254,6 +261,7 @@ do_test (int argc, char *argv[]) /* Cleanup. */ if (posix_spawn_file_actions_destroy (&actions) != 0) error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy"); + free (name3_copy); /* Wait for the child. */ if (waitpid (pid, &status, 0) != pid)