commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94

Author: Dmitry V. Levin <ldv@altlinux.org>

Date:   Sun Jan 7 02:03:41 2018 +0000

    linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]

    Currently getcwd(3) can succeed without returning an absolute path

    because the underlying getcwd syscall, starting with linux commit

    v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

    This is a conformance issue because "The getcwd() function shall

    place an absolute pathname of the current working directory

    in the array pointed to by buf, and return buf".

    This is also a security issue because a non-absolute path returned

    by getcwd(3) causes a buffer underflow in realpath(3).

    Fix this by checking the path returned by getcwd syscall and falling

    back to generic_getcwd if the path is not absolute, effectively making

    getcwd(3) fail with ENOENT.  The error code is chosen for consistency

    with the case when the current directory is unlinked.

    [BZ #22679]

    CVE-2018-1000001

    * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to

    generic_getcwd if the path returned by getcwd syscall is not absolute.

    * io/tst-getcwd-abspath.c: New test.

    * io/Makefile (tests): Add tst-getcwd-abspath.

Index: glibc-2.17-c758a686/io/Makefile

===================================================================

--- glibc-2.17-c758a686.orig/io/Makefile

+++ glibc-2.17-c758a686/io/Makefile

@@ -70,7 +70,8 @@ tests		:= test-utime test-stat test-stat

 		   tst-symlinkat tst-linkat tst-readlinkat tst-mkdirat \

 		   tst-mknodat tst-mkfifoat tst-ttyname_r bug-ftw5 \

 		   tst-posix_fallocate \

-		   tst-open-tmpfile

+		   tst-open-tmpfile \

+		   tst-getcwd-abspath

 include ../Rules

Index: glibc-2.17-c758a686/io/tst-getcwd-abspath.c

===================================================================

--- /dev/null

+++ glibc-2.17-c758a686/io/tst-getcwd-abspath.c

@@ -0,0 +1,66 @@

+/* BZ #22679 getcwd(3) should not succeed without returning an absolute path.

+

+   Copyright (C) 2018 Free Software Foundation, Inc.

+   This file is part of the GNU C Library.

+

+   The GNU C Library is free software; you can redistribute it and/or

+   modify it under the terms of the GNU Lesser General Public

+   License as published by the Free Software Foundation; either

+   version 2.1 of the License, or (at your option) any later version.

+

+   The GNU C Library is distributed in the hope that it will be useful,

+   but WITHOUT ANY WARRANTY; without even the implied warranty of

+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

+   Lesser General Public License for more details.

+

+   You should have received a copy of the GNU Lesser General Public

+   License along with the GNU C Library; if not, see

+   <https://www.gnu.org/licenses/>.  */

+

+#include <errno.h>

+#include <stdio.h>

+#include <stdlib.h>

+#include <support/check.h>

+#include <support/namespace.h>

+#include <support/support.h>

+#include <support/temp_file.h>

+#include <support/test-driver.h>

+#include <support/xunistd.h>

+#include <unistd.h>

+

+static char *chroot_dir;

+

+/* The actual test.  Run it in a subprocess, so that the test harness

+   can remove the temporary directory in --direct mode.  */

+static void

+getcwd_callback (void *closure)

+{

+  xchroot (chroot_dir);

+

+  errno = 0;

+  char *cwd = getcwd (NULL, 0);

+  TEST_COMPARE (errno, ENOENT);

+  TEST_VERIFY (cwd == NULL);

+

+  errno = 0;

+  cwd = realpath (".", NULL);

+  TEST_COMPARE (errno, ENOENT);

+  TEST_VERIFY (cwd == NULL);

+

+  _exit (0);

+}

+

+static int

+do_test (void)

+{

+  support_become_root ();

+  if (!support_can_chroot ())

+    return EXIT_UNSUPPORTED;

+

+  chroot_dir = support_create_temp_directory ("tst-getcwd-abspath-");

+  support_isolate_in_subprocess (getcwd_callback, NULL);

+

+  return 0;

+}

+

+#include <support/test-driver.c>

Index: glibc-2.17-c758a686/sysdeps/unix/sysv/linux/getcwd.c

===================================================================

--- glibc-2.17-c758a686.orig/sysdeps/unix/sysv/linux/getcwd.c

+++ glibc-2.17-c758a686/sysdeps/unix/sysv/linux/getcwd.c

@@ -79,7 +79,7 @@ __getcwd (char *buf, size_t size)

   int retval;

   retval = INLINE_SYSCALL (getcwd, 2, CHECK_STRING (path), alloc_size);

-  if (retval >= 0)

+  if (retval >= 0 && path[0] == '/')

     {

 #ifndef NO_ALLOCATION

       if (buf == NULL && size == 0)

@@ -95,10 +95,10 @@ __getcwd (char *buf, size_t size)

       return buf;

     }

-  /* The system call cannot handle paths longer than a page.

-     Neither can the magic symlink in /proc/self.  Just use the

+  /* The system call either cannot handle paths longer than a page

+     or can succeed without returning an absolute path.  Just use the

      generic implementation right away.  */

-  if (errno == ENAMETOOLONG)

+  if (retval >= 0 || errno == ENAMETOOLONG)

     {

 #ifndef NO_ALLOCATION

       if (buf == NULL && size == 0)