aboutsummaryrefslogtreecommitdiff
path: root/io
diff options
context:
space:
mode:
authorXiaoming Ni <nixiaoming@huawei.com>2020-11-26 13:35:10 -0300
committerAdhemerval Zanella <adhemerval.zanella@linaro.org>2020-11-26 17:35:58 -0300
commit106ff08526d3ca574ba86d891450ea55aa929712 (patch)
treebdf0f8a9fee37a63ce497ccdce712711023f7a61 /io
parentdb07fae8250401adb2b97ab3e53d41da2a6bd767 (diff)
downloadglibc-106ff08526d3ca574ba86d891450ea55aa929712.zip
glibc-106ff08526d3ca574ba86d891450ea55aa929712.tar.gz
glibc-106ff08526d3ca574ba86d891450ea55aa929712.tar.bz2
io: nftw/ftw: Fix stack overflow with large nopenfd [BZ #26353]
The nopenfd value is used as argument for the internal buffer on ftw_statup, which is allocated with alloca and might trigger a stack overflow for large values. This patch replaces the memory allocation to use malloc instead. Checked on x86_64-linux-gnu. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Diffstat (limited to 'io')
-rw-r--r--io/Makefile3
-rw-r--r--io/ftw.c16
-rw-r--r--io/tst-ftw-bz26353.c70
3 files changed, 81 insertions, 8 deletions
diff --git a/io/Makefile b/io/Makefile
index 6dd2c33..33f5b0b 100644
--- a/io/Makefile
+++ b/io/Makefile
@@ -68,7 +68,8 @@ tests := test-utime test-stat test-stat2 test-lfs tst-getcwd \
tst-posix_fallocate tst-posix_fallocate64 \
tst-fts tst-fts-lfs tst-open-tmpfile \
tst-copy_file_range tst-getcwd-abspath tst-lockf \
- tst-ftw-lnk tst-file_change_detection tst-lchmod
+ tst-ftw-lnk tst-file_change_detection tst-lchmod \
+ tst-ftw-bz26353
# Likewise for statx, but we do not need static linking here.
tests-internal += tst-statx
diff --git a/io/ftw.c b/io/ftw.c
index 7104816..92e08c5 100644
--- a/io/ftw.c
+++ b/io/ftw.c
@@ -646,15 +646,17 @@ ftw_startup (const char *dir, int is_nftw, void *func, int descriptors,
data.maxdir = descriptors < 1 ? 1 : descriptors;
data.actdir = 0;
- data.dirstreams = (struct dir_data **) alloca (data.maxdir
- * sizeof (struct dir_data *));
- memset (data.dirstreams, '\0', data.maxdir * sizeof (struct dir_data *));
-
/* PATH_MAX is always defined when we get here. */
data.dirbufsize = MAX (2 * strlen (dir), PATH_MAX);
- data.dirbuf = (char *) malloc (data.dirbufsize);
- if (data.dirbuf == NULL)
+ data.dirstreams = malloc (data.maxdir * sizeof (struct dir_data *)
+ + data.dirbufsize);
+ if (data.dirstreams == NULL)
return -1;
+
+ memset (data.dirstreams, '\0', data.maxdir * sizeof (struct dir_data *));
+
+ data.dirbuf = (char *) data.dirstreams
+ + data.maxdir * sizeof (struct dir_data *);
cp = __stpcpy (data.dirbuf, dir);
/* Strip trailing slashes. */
while (cp > data.dirbuf + 1 && cp[-1] == '/')
@@ -803,7 +805,7 @@ ftw_startup (const char *dir, int is_nftw, void *func, int descriptors,
out_fail:
save_err = errno;
__tdestroy (data.known_objects, free);
- free (data.dirbuf);
+ free (data.dirstreams);
__set_errno (save_err);
return result;
diff --git a/io/tst-ftw-bz26353.c b/io/tst-ftw-bz26353.c
new file mode 100644
index 0000000..a0725dc
--- /dev/null
+++ b/io/tst-ftw-bz26353.c
@@ -0,0 +1,70 @@
+/* test ftw bz26353: Check whether stack overflow occurs when the value
+ of the nopenfd parameter is too large.
+
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <ftw.h>
+#include <errno.h>
+#include <sys/resource.h>
+
+#include <support/temp_file.h>
+#include <support/capture_subprocess.h>
+#include <support/check.h>
+
+static int
+my_func (const char *file, const struct stat *sb, int flag)
+{
+ return 0;
+}
+
+static int
+get_large_nopenfd (void)
+{
+ struct rlimit r;
+ TEST_COMPARE (getrlimit (RLIMIT_STACK, &r), 0);
+ if (r.rlim_cur == RLIM_INFINITY)
+ {
+ r.rlim_cur = 8 * 1024 * 1024;
+ TEST_COMPARE (setrlimit (RLIMIT_STACK, &r), 0);
+ }
+ return (int) r.rlim_cur;
+}
+
+static void
+do_ftw (void *unused)
+{
+ char *tempdir = support_create_temp_directory ("tst-bz26353");
+ int large_nopenfd = get_large_nopenfd ();
+ TEST_COMPARE (ftw (tempdir, my_func, large_nopenfd), 0);
+ free (tempdir);
+}
+
+/* Check whether stack overflow occurs. */
+static int
+do_test (void)
+{
+ struct support_capture_subprocess result;
+ result = support_capture_subprocess (do_ftw, NULL);
+ support_capture_subprocess_check (&result, "bz26353", 0, sc_allow_none);
+ support_capture_subprocess_free (&result);
+ return 0;
+}
+
+#include <support/test-driver.c>