[v4] linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]

Message ID 20180111220320.GA20747@altlinux.org
State New
Headers show
Series
  • [v4] linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]
Related show

Commit Message

Dmitry V. Levin Jan. 11, 2018, 10:03 p.m.
Currently getcwd(3) can succeed without returning an absolute path
because the underlying getcwd syscall, starting with linux commit
v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

This is a conformance issue because "The getcwd() function shall
place an absolute pathname of the current working directory
in the array pointed to by buf, and return buf".

This is also a security issue because a non-absolute path returned
by getcwd(3) causes a buffer underflow in realpath(3).

Fix this by checking the path returned by getcwd syscall and falling
back to generic_getcwd if the path is not absolute, effectively making
getcwd(3) fail with ENOENT.  The error code is chosen for consistency
with the case when the current directory is unlinked.

[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
generic_getcwd if the path returned by getcwd syscall is not absolute.
* sysdeps/unix/sysv/linux/tst-getcwd-abspath.c: New test.
* sysdeps/unix/sysv/linux/Makefile (tests): Add tst-getcwd-abspath.
---

This is the same patch as v3; I've just added information about
security implications.

 ChangeLog                                    |  9 +++++
 NEWS                                         |  4 ++
 sysdeps/unix/sysv/linux/Makefile             |  2 +-
 sysdeps/unix/sysv/linux/getcwd.c             |  8 ++--
 sysdeps/unix/sysv/linux/tst-getcwd-abspath.c | 59 ++++++++++++++++++++++++++++
 5 files changed, 77 insertions(+), 5 deletions(-)
 create mode 100644 sysdeps/unix/sysv/linux/tst-getcwd-abspath.c

Comments

Florian Weimer Jan. 11, 2018, 11:44 p.m. | #1
On 01/11/2018 11:03 PM, Dmitry V. Levin wrote:
> +  char *cwd = getcwd (NULL, 0);
> +  TEST_COMPARE (errno, ENOENT);
> +  TEST_VERIFY (cwd == NULL);

Maybe also add this?

   cwd = realpath (".", NULL);
   TEST_VERIFY (cwd == NULL);
   TEST_COMPARE (errno, ENOENT);

I assume that we expect to fail realpath with ENOENT as well.

Thanks,
Florian
Dmitry V. Levin Jan. 12, 2018, 12:11 a.m. | #2
On Fri, Jan 12, 2018 at 12:44:17AM +0100, Florian Weimer wrote:
> On 01/11/2018 11:03 PM, Dmitry V. Levin wrote:
> > +  char *cwd = getcwd (NULL, 0);
> > +  TEST_COMPARE (errno, ENOENT);
> > +  TEST_VERIFY (cwd == NULL);
> 
> Maybe also add this?
> 
>    cwd = realpath (".", NULL);

I don't mind adding this, but where do we stop?
This is a test of getcwd, after all.

>    TEST_VERIFY (cwd == NULL);
>    TEST_COMPARE (errno, ENOENT);

The check for errno should go first because TEST_VERIFY potentially
clobbers errno (it invokes printf).

> I assume that we expect to fail realpath with ENOENT as well.

Sure.  Would you be happy with the following amendment to the test?

@@ -36,10 +36,19 @@ static void
 getcwd_callback (void *closure)
 {
   xchroot (chroot_dir);
+
   errno = 0;
   char *cwd = getcwd (NULL, 0);
   TEST_COMPARE (errno, ENOENT);
   TEST_VERIFY (cwd == NULL);
+  free (cwd);
+
+  errno = 0;
+  cwd = realpath (".", NULL);
+  TEST_COMPARE (errno, ENOENT);
+  TEST_VERIFY (cwd == NULL);
+  free (cwd);
+
   _exit (0);
 }
Florian Weimer Jan. 12, 2018, 12:56 p.m. | #3
On 01/11/2018 11:03 PM, Dmitry V. Levin wrote:
> [BZ #22679]
> CVE-2018-1000001
> * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
> generic_getcwd if the path returned by getcwd syscall is not absolute.
> * sysdeps/unix/sysv/linux/tst-getcwd-abspath.c: New test.
> * sysdeps/unix/sysv/linux/Makefile (tests): Add tst-getcwd-abspath.

The patch as such looks good to me.  The test case should go into the 
top-level io directory, where getcwd resides.  I don't think it is 
Linux-specific.  Can you move it and commit it?

I still think we should have a realpath test as well, but that should 
delaying committing this fix.

Thanks,
Florian

Patch

diff --git a/NEWS b/NEWS
index 75bf467..79736db 100644
--- a/NEWS
+++ b/NEWS
@@ -199,6 +199,10 @@  Security related changes:
   for AT_SECURE or SUID binaries could be used to load libraries from the
   current directory.
 
+  CVE-2018-1000001: Buffer underflow in realpath function when getcwd function
+  succeeds without returning an absolute path due to unexpected behaviour
+  of the Linux kernel getcwd syscall.  Reported by halfdog.
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index 8f19e0e..34c5c39 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
@@ -45,7 +45,7 @@  sysdep_headers += sys/mount.h sys/acct.h sys/sysctl.h \
 tests += tst-clone tst-clone2 tst-clone3 tst-fanotify tst-personality \
 	 tst-quota tst-sync_file_range tst-sysconf-iov_max tst-ttyname \
 	 test-errno-linux tst-memfd_create tst-mlock2 tst-pkey \
-	 tst-rlimit-infinity
+	 tst-rlimit-infinity tst-getcwd-abspath
 
 # Generate the list of SYS_* macros for the system calls (__NR_*
 # macros).  The file syscall-names.list contains all possible system
diff --git a/sysdeps/unix/sysv/linux/getcwd.c b/sysdeps/unix/sysv/linux/getcwd.c
index f545106..866b9d2 100644
--- a/sysdeps/unix/sysv/linux/getcwd.c
+++ b/sysdeps/unix/sysv/linux/getcwd.c
@@ -76,7 +76,7 @@  __getcwd (char *buf, size_t size)
   int retval;
 
   retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size);
-  if (retval >= 0)
+  if (retval > 0 && path[0] == '/')
     {
 #ifndef NO_ALLOCATION
       if (buf == NULL && size == 0)
@@ -92,10 +92,10 @@  __getcwd (char *buf, size_t size)
       return buf;
     }
 
-  /* The system call cannot handle paths longer than a page.
-     Neither can the magic symlink in /proc/self.  Just use the
+  /* The system call either cannot handle paths longer than a page
+     or can succeed without returning an absolute path.  Just use the
      generic implementation right away.  */
-  if (errno == ENAMETOOLONG)
+  if (retval >= 0 || errno == ENAMETOOLONG)
     {
 #ifndef NO_ALLOCATION
       if (buf == NULL && size == 0)
diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-abspath.c b/sysdeps/unix/sysv/linux/tst-getcwd-abspath.c
new file mode 100644
index 0000000..ea3562c
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-getcwd-abspath.c
@@ -0,0 +1,59 @@ 
+/* BZ #22679 getcwd(3) does not succeed without returning an absolute path.
+
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <support/check.h>
+#include <support/namespace.h>
+#include <support/support.h>
+#include <support/temp_file.h>
+#include <support/test-driver.h>
+#include <support/xunistd.h>
+#include <unistd.h>
+
+static char *chroot_dir;
+
+/* The actual test.  Run it in a subprocess, so that the test harness
+   can remove the temporary directory in --direct mode.  */
+static void
+getcwd_callback (void *closure)
+{
+  xchroot (chroot_dir);
+  errno = 0;
+  char *cwd = getcwd (NULL, 0);
+  TEST_COMPARE (errno, ENOENT);
+  TEST_VERIFY (cwd == NULL);
+  _exit (0);
+}
+
+static int
+do_test (void)
+{
+  support_become_root ();
+  if (!support_can_chroot ())
+    return EXIT_UNSUPPORTED;
+
+  chroot_dir = support_create_temp_directory ("tst-getcwd-abspath-");
+  support_isolate_in_subprocess (getcwd_callback, NULL);
+
+  return 0;
+}
+
+#include <support/test-driver.c>