glibc: CVE-2020-1752

Backport the CVE patch from upstream: git://sourceware.org/git/glibc.git commit ddc650e9b3dc916eab417ce9f79e67337b05035c (From OE-Core rev: 50b04216e47b1bf0da8170c7fd62d18a07d10152) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-06-01 13:09:50 +00:00 · 2020-05-12 01:37:24 -07:00
parent 45c9f45b85
commit 786a0678db
2 changed files with 67 additions and 0 deletions
@@ -0,0 +1,66 @@
+From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Wed, 19 Feb 2020 17:21:46 +0100
+Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
+
+The value of `end_name' points into the value of `dirname', thus don't
+deallocate the latter before the last use of the former.
+
+CVE: CVE-2020-1752
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ posix/glob.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/posix/glob.c b/posix/glob.c
+index cba9cd1819..4580cefb9f 100644
+--- a/posix/glob.c
+++ b/posix/glob.c
+@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ 	      {
+ 		size_t home_len = strlen (p->pw_dir);
+ 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+-		char *d;
+		char *d, *newp;
+		bool use_alloca = glob_use_alloca (alloca_used,
+						   home_len + rest_len + 1);
+ 
+-		if (__glibc_unlikely (malloc_dirname))
+-		  free (dirname);
+-		malloc_dirname = 0;
+-
+-		if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
+-		  dirname = alloca_account (home_len + rest_len + 1,
+-					    alloca_used);
+		if (use_alloca)
+		  newp = alloca_account (home_len + rest_len + 1, alloca_used);
+ 		else
+ 		  {
+-		    dirname = malloc (home_len + rest_len + 1);
+-		    if (dirname == NULL)
+		    newp = malloc (home_len + rest_len + 1);
+		    if (newp == NULL)
+ 		      {
+ 			scratch_buffer_free (&pwtmpbuf);
+ 			retval = GLOB_NOSPACE;
+ 			goto out;
+ 		      }
+-		    malloc_dirname = 1;
+ 		  }
+-		d = mempcpy (dirname, p->pw_dir, home_len);
+		d = mempcpy (newp, p->pw_dir, home_len);
+ 		if (end_name != NULL)
+ 		  d = mempcpy (d, end_name, rest_len);
+ 		*d = '\0';
+ 
+		if (__glibc_unlikely (malloc_dirname))
+		  free (dirname);
+		dirname = newp;
+		malloc_dirname = !use_alloca;
+
+ 		dirlen = home_len + rest_len;
+ 		dirname_modified = 1;
+ 	      }
+-- 
+2.18.2
@@ -44,6 +44,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://CVE-2019-19126.patch \
           file://CVE-2020-10029.patch \
           file://CVE-2020-1751.patch \
+           file://CVE-2020-1752.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"