sys-libs/glibc/files/local/glibc-2.35-getcwd-Set-errno-to-ERANGE-for-size-1-CVE-2021-3999.patch - third_party/overlays/chromiumos-overlay - Git at Google

 From 66c2480d02672c761953a8f9834b4f25c2ed7064 Mon Sep 17 00:00:00 2001
 From: Siddhesh Poyarekar <siddhesh@sourceware.org>
 Date: Fri, 21 Jan 2022 23:32:56 +0530
 Subject: [PATCH] getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)

 No valid path returned by getcwd would fit into 1 byte, so reject the
 size early and return NULL with errno set to ERANGE.  This change is
 prompted by CVE-2021-3999, which describes a single byte buffer
 underflow and overflow when all of the following conditions are met:

 - The buffer size (i.e. the second argument of getcwd) is 1 byte
 - The current working directory is too long
 - '/' is also mounted on the current working directory

 Sequence of events:

 - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
   because the linux kernel checks for name length before it checks
   buffer size

 - The code falls back to the generic getcwd in sysdeps/posix

 - In the generic func, the buf[0] is set to '\0' on line 250

 - this while loop on line 262 is bypassed:

     while (!(thisdev == rootdev && thisino == rootino))

   since the rootfs (/) is bind mounted onto the directory and the flow
   goes on to line 449, where it puts a '/' in the byte before the
   buffer.

 - Finally on line 458, it moves 2 bytes (the underflowed byte and the
   '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.

 - buf is returned on line 469 and errno is not set.

 This resolves BZ #28769.

 Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
 Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 ---
  sysdeps/posix/getcwd.c                        |   8 +

 diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c
 index b53433a2dc..154b9846a5 100644
 --- a/sysdeps/posix/getcwd.c
 +++ b/sysdeps/posix/getcwd.c
 @@ -241,6 +241,14 @@ __getcwd (char *buf, size_t size)
    char *path;
  #ifndef NO_ALLOCATION
    size_t allocated = size;
 +
 +  /* A size of 1 byte is never useful.  */
 +  if (allocated == 1)
 +    {
 +      __set_errno (ERANGE);
 +      return NULL;
 +    }
 +
    if (size == 0)
      {
        if (buf != NULL)
 --
 2.37.2.789.g6183377224-goog
	From 66c2480d02672c761953a8f9834b4f25c2ed7064 Mon Sep 17 00:00:00 2001
	From: Siddhesh Poyarekar <siddhesh@sourceware.org>
	Date: Fri, 21 Jan 2022 23:32:56 +0530
	Subject: [PATCH] getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)

	No valid path returned by getcwd would fit into 1 byte, so reject the
	size early and return NULL with errno set to ERANGE. This change is
	prompted by CVE-2021-3999, which describes a single byte buffer
	underflow and overflow when all of the following conditions are met:

	- The buffer size (i.e. the second argument of getcwd) is 1 byte
	- The current working directory is too long
	- '/' is also mounted on the current working directory

	Sequence of events:

	- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
	because the linux kernel checks for name length before it checks
	buffer size

	- The code falls back to the generic getcwd in sysdeps/posix

	- In the generic func, the buf[0] is set to '\0' on line 250

	- this while loop on line 262 is bypassed:

	while (!(thisdev == rootdev && thisino == rootino))

	since the rootfs (/) is bind mounted onto the directory and the flow
	goes on to line 449, where it puts a '/' in the byte before the
	buffer.

	- Finally on line 458, it moves 2 bytes (the underflowed byte and the
	'\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.

	- buf is returned on line 469 and errno is not set.

	This resolves BZ #28769.

	Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
	Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
	Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
	Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
	---
	sysdeps/posix/getcwd.c \| 8 +

	diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c
	index b53433a2dc..154b9846a5 100644
	--- a/sysdeps/posix/getcwd.c
	+++ b/sysdeps/posix/getcwd.c
	@@ -241,6 +241,14 @@ __getcwd (char *buf, size_t size)
	char *path;
	#ifndef NO_ALLOCATION
	size_t allocated = size;
	+
	+ /* A size of 1 byte is never useful. */
	+ if (allocated == 1)
	+ {
	+ __set_errno (ERANGE);
	+ return NULL;
	+ }
	+
	if (size == 0)
	{
	if (buf != NULL)
	--
	2.37.2.789.g6183377224-goog