From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/13026
Path: news.gmane.org!.POSTED!not-for-mail
From: Dhiraj <mortalfw@gmail.com>
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: overflow() at stdlib.h
Date: Thu, 12 Jul 2018 21:21:38 +0530
Message-ID: <CAOs05YYMcc_1GNeheZM0BVSVx5q_7gGvnT=S3Xy7NbB5NuXmAg@mail.gmail.com>
References: <CAOs05YaDsSSctj=3che2OQ7Gqjd919NVsd_H=y1cbt0vDkH4aw@mail.gmail.com>
 <20180712154209.GJ4418@port70.net>
Reply-To: musl@lists.openwall.com
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="000000000000b051a00570cf56c8"
X-Trace: blaine.gmane.org 1531410587 31924 195.159.176.226 (12 Jul 2018 15:49:47 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Thu, 12 Jul 2018 15:49:47 +0000 (UTC)
To: musl@lists.openwall.com, "m0rtal f!w" <mortalfw@gmail.com>
Original-X-From: musl-return-13042-gllmg-musl=m.gmane.org@lists.openwall.com Thu Jul 12 17:49:43 2018
Return-path: <musl-return-13042-gllmg-musl=m.gmane.org@lists.openwall.com>
Envelope-to: gllmg-musl@m.gmane.org
Original-Received: from mother.openwall.net ([195.42.179.200])
	by blaine.gmane.org with smtp (Exim 4.84_2)
	(envelope-from <musl-return-13042-gllmg-musl=m.gmane.org@lists.openwall.com>)
	id 1fddqg-0008Ds-J4
	for gllmg-musl@m.gmane.org; Thu, 12 Jul 2018 17:49:42 +0200
Original-Received: (qmail 16029 invoked by uid 550); 12 Jul 2018 15:51:50 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Original-Received: (qmail 16011 invoked from network); 12 Jul 2018 15:51:50 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
        bh=qNQhuoMRvbACgWVMvSAEBpXVFsxZQLK7teL3DVQOULU=;
        b=Ezu1kW1+ejbtWQlxPnAQtHR1sjRmkv0mk2pYV+jHRs5IOoxHMGPDuxT33gLAAcg442
         Glz+NM0Vk9YOiukS2AdaAMXm2r39tXmdIiBM/o/k81hO3sVjElubqzSxocF/Mdp+uIEA
         TgTl5Xsg44X9brhnSZgBVFtv5fTT7fUYSG7LwzXIfUoZpSYISRnpZwj0I2ScUehzRx96
         HUTzY74MlhZUrxKdn6ZDCBUIi5PR26PTmLv/pG/fcjF8ZQxbD8EFTBUnVZvLv8TEt6nz
         hBLgqlwdgrS5Tl/ng4HqQgwPfvx/kbLrewReiqeTNWTLQmhQHIndC1hFs4rwaX5NJCv/
         xFhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to;
        bh=qNQhuoMRvbACgWVMvSAEBpXVFsxZQLK7teL3DVQOULU=;
        b=LYBJcaGb//6/EiIzk1DbTcj0un7YREZCghPXj//cNQ5fBuatoM8haqciph9gPbjHPW
         +/Wt50bKF0ZbM0maShKudJNLoL9nlB3wYNHyEPMmj9Y5AsdgwiwnUEklagJM1WGyLfKk
         cx9RqtmHvmTuJ/aCYSYEZvYx0l6eEGfle4d1zz0V4+VXoz7ZbnqLvq6R2cGWQxvCZrvS
         EgDNd+ftXd4YH3H8EOfqBUelGjtqHUjgKq2N98reuaClQWEG4cf0CrYL48z2bTSZ09ey
         KH2Z3WTkrQ7ElJzB7GF0oNLMoZ4vNdfWXbR1owhynri0mhUVSMgmx/7grKAlGV+wl8Bp
         1vlw==
X-Gm-Message-State: AOUpUlEkGN01UYPTWrTOIJmVNL+Mc0jjCdaWBMfECs0JSOb5zNsnKJn9
	w7OoDQa3CpX2+f/C34sOuD58HAnDhgQKI37QUvuGttqBeVU=
X-Google-Smtp-Source: AAOMgpc1snR9+B2k2UPi/0iqJ3LaRNThRGD2j2mxOAtnn/IrlHml/fkpircFF1xwfpDVNKx1ds1qCaKeGj4u7XVCwTY=
X-Received: by 2002:a1c:928c:: with SMTP id u134-v6mr1667268wmd.106.1531410698487;
 Thu, 12 Jul 2018 08:51:38 -0700 (PDT)
In-Reply-To: <20180712154209.GJ4418@port70.net>
Xref: news.gmane.org gmane.linux.lib.musl.general:13026
Archived-At: <http://permalink.gmane.org/gmane.linux.lib.musl.general/13026>

--000000000000b051a00570cf56c8
Content-Type: text/plain; charset="UTF-8"

Thanks Szabolcs for taking look into this,

> But over here uv__fs_pathmax_size() nor pathconf(path, _PC_PATH_MAX) is
> used.
>

> where?

In stdlib.h file.

However, we can allocate a "PATH_MAX + 1" or POSIX.1-2008 would allow us to
pass in a NULL poiter and have realpath allocating enough memory.



Regards
Dhiraj

On Thu, Jul 12, 2018 at 9:12 PM, Szabolcs Nagy <nsz@port70.net> wrote:

> * m0rtal f!w <mortalfw@gmail.com> [2018-07-12 19:55:56 +0530]:
> > Team,
> >
> > File: stdlib.h#L:113
> >
> > i.e
> > char *realpath (const char *__restrict, char *__restrict);
> >
> > According to the documentation of realpath() the output buffer needs to
> be
> > at least of size PATH_MAX specifying output buffers large enough to
> handle
> > the maximum-size possible result from path manipulation functions. (In
> that
> > instance, buf's size comes from uv__fs_pathmax_size(). That function
> > attempts to use pathconf(path, _PC_PATH_MAX) as noted in the realpath(3)
> > docs)
> >
>
> sounds like a portability bug in uv__fs_pathmax_size()
>
> http://pubs.opengroup.org/onlinepubs/9699919799/functions/realpath.html
>
> it should use PATH_MAX if defined or null pointer if not
> to be portable to posix conforming targets.
>
> > But over here uv__fs_pathmax_size() nor pathconf(path, _PC_PATH_MAX) is
> > used.
> >
>
> where?
>
> > Passing an inadequately-sized output buffer to a path manipulation
> function
> > can result in a buffer overflow. Such functions include realpath()
> > readlink() PathAppend() and others.
> >
> > Request team to have a look and validate.
> >
> >
> > Thank you
>

--000000000000b051a00570cf56c8
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Thanks Szabolcs for taking look into this,</div><div>=
<br></div><div>
<span class=3D"gmail-im">&gt; But over here uv__fs_pathmax_size() nor pathc=
onf(path, _PC_PATH_MAX) is<br>
&gt; used.<br>
&gt; <br>
<br>
</span>&gt; where?=C2=A0</div><div><br></div><div>In=20
stdlib.h file.</div><div><br></div><div>However, we can allocate a &quot;PA=
TH_MAX + 1&quot;

 or=20
POSIX.1-2008 would allow us to pass in a NULL poiter and have realpath allo=
cating enough memory.<br>


</div><div><br></div><div><br></div><div><br></div><div>Regards</div><div>D=
hiraj<br></div></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
te">On Thu, Jul 12, 2018 at 9:12 PM, Szabolcs Nagy <span dir=3D"ltr">&lt;<a=
 href=3D"mailto:nsz@port70.net" target=3D"_blank">nsz@port70.net</a>&gt;</s=
pan> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex=
;border-left:1px #ccc solid;padding-left:1ex">* m0rtal f!w &lt;<a href=3D"m=
ailto:mortalfw@gmail.com">mortalfw@gmail.com</a>&gt; [2018-07-12 19:55:56 +=
0530]:<br>
<span class=3D"">&gt; Team,<br>
&gt; <br>
&gt; File: stdlib.h#L:113<br>
&gt; <br>
&gt; i.e<br>
&gt; char *realpath (const char *__restrict, char *__restrict);<br>
&gt; <br>
&gt; According to the documentation of realpath() the output buffer needs t=
o be<br>
&gt; at least of size PATH_MAX specifying output buffers large enough to ha=
ndle<br>
&gt; the maximum-size possible result from path manipulation functions. (In=
 that<br>
&gt; instance, buf&#39;s size comes from uv__fs_pathmax_size(). That functi=
on<br>
&gt; attempts to use pathconf(path, _PC_PATH_MAX) as noted in the realpath(=
3)<br>
&gt; docs)<br>
&gt; <br>
<br>
</span>sounds like a portability bug in uv__fs_pathmax_size()<br>
<br>
<a href=3D"http://pubs.opengroup.org/onlinepubs/9699919799/functions/realpa=
th.html" rel=3D"noreferrer" target=3D"_blank">http://pubs.opengroup.org/<wb=
r>onlinepubs/9699919799/<wbr>functions/realpath.html</a><br>
<br>
it should use PATH_MAX if defined or null pointer if not<br>
to be portable to posix conforming targets.<br>
<span class=3D""><br>
&gt; But over here uv__fs_pathmax_size() nor pathconf(path, _PC_PATH_MAX) i=
s<br>
&gt; used.<br>
&gt; <br>
<br>
</span>where?<br>
<div class=3D"HOEnZb"><div class=3D"h5"><br>
&gt; Passing an inadequately-sized output buffer to a path manipulation fun=
ction<br>
&gt; can result in a buffer overflow. Such functions include realpath()<br>
&gt; readlink() PathAppend() and others.<br>
&gt; <br>
&gt; Request team to have a look and validate.<br>
&gt; <br>
&gt; <br>
&gt; Thank you<br>
</div></div></blockquote></div><br></div>

--000000000000b051a00570cf56c8--