[gentoo-commits] gentoo commit in src/patchsets/glibc/2.19: 00_all_0012-posix_spawn_file_actions_addopen-needs-to-copy-the-p.patch 00_all_0013-posix_spawn_faction_addopen-Add-missing-string.h-inc.patch

[Mike Frysinger (vapier)]

vapier      14/06/14 23:33:02

  Added:               
                        
00_all_0012-posix_spawn_file_actions_addopen-needs-to-copy-the-p.patch
                        
00_all_0013-posix_spawn_faction_addopen-Add-missing-string.h-inc.patch
  Log:
  fix from upstream for bug in posix_spawn_file_actions_addopen #513090

Revision  Changes    Path
1.1                  
src/patchsets/glibc/2.19/00_all_0012-posix_spawn_file_actions_addopen-needs-to-copy-the-p.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.19/00_all_0012-posix_spawn_file_actions_addopen-needs-to-copy-the-p.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.19/00_all_0012-posix_spawn_file_actions_addopen-needs-to-copy-the-p.patch?rev=1.1&content-type=text/plain

Index: 00_all_0012-posix_spawn_file_actions_addopen-needs-to-copy-the-p.patch
===================================================================
>From 49ca74fb26ce91b00de6df7bcae7ee2923f5f047 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fwei...@redhat.com>
Date: Wed, 11 Jun 2014 23:12:52 +0200
Subject: [PATCH 12/14] posix_spawn_file_actions_addopen needs to copy the path
 argument (BZ 17048)

POSIX requires that we make a copy, so we allocate a new string
and free it in posix_spawn_file_actions_destroy.

Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
may have security implications.

(cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

https://bugs.gentoo.org/513090
https://sourceware.org/bugzilla/show_bug.cgi?id=17048
---
 posix/spawn_faction_addopen.c | 13 ++++++++++---
 posix/spawn_faction_destroy.c | 22 ++++++++++++++++++++--
 posix/spawn_int.h             |  2 +-
 posix/tst-spawn.c             | 10 +++++++++-
 4 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/posix/spawn_faction_addopen.c b/posix/spawn_faction_addopen.c
index 47f6242..40800b8 100644
--- a/posix/spawn_faction_addopen.c
+++ b/posix/spawn_faction_addopen.c
@@ -35,17 +35,24 @@ posix_spawn_file_actions_addopen 
(posix_spawn_file_actions_t *file_actions,
   if (fd < 0 || fd >= maxfd)
     return EBADF;
 
+  char *path_copy = strdup (path);
+  if (path_copy == NULL)
+    return ENOMEM;
+
   /* Allocate more memory if needed.  */
   if (file_actions->__used == file_actions->__allocated
       && __posix_spawn_file_actions_realloc (file_actions) != 0)
-    /* This can only mean we ran out of memory.  */
-    return ENOMEM;
+    {
+      /* This can only mean we ran out of memory.  */
+      free (path_copy);
+      return ENOMEM;
+    }
 
   /* Add the new value.  */
   rec = &file_actions->__actions[file_actions->__used];
   rec->tag = spawn_do_open;
   rec->action.open_action.fd = fd;
-  rec->action.open_action.path = path;
+  rec->action.open_action.path = path_copy;
   rec->action.open_action.oflag = oflag;
   rec->action.open_action.mode = mode;
 
diff --git a/posix/spawn_faction_destroy.c b/posix/spawn_faction_destroy.c
index 4d165aa..1b87010 100644
--- a/posix/spawn_faction_destroy.c
+++ b/posix/spawn_faction_destroy.c
@@ -18,11 +18,29 @@
 #include <spawn.h>
 #include <stdlib.h>
 
-/* Initialize data structure for file attribute for `spawn' call.  */
+#include "spawn_int.h"
+
+/* Deallocate the file actions.  */
 int
 posix_spawn_file_actions_destroy (posix_spawn_file_actions_t *file_actions)
 {
-  /* Free the memory allocated.  */
+  /* Free the paths in the open actions.  */
+  for (int i = 0; i < file_actions->__used; ++i)
+    {
+      struct __spawn_action *sa = &file_actions->__actions[i];
+      switch (sa->tag)
+       {
+       case spawn_do_open:
+         free (sa->action.open_action.path);
+         break;
+       case spawn_do_close:
+       case spawn_do_dup2:
+         /* No cleanup required.  */
+         break;
+       }
+    }
+
+  /* Free the array of actions.  */
   free (file_actions->__actions);
   return 0;
 }
diff --git a/posix/spawn_int.h b/posix/spawn_int.h
index 5609e58..861e3b4 100644
--- a/posix/spawn_int.h
+++ b/posix/spawn_int.h
@@ -22,7 +22,7 @@ struct __spawn_action
     struct
     {
       int fd;
-      const char *path;
+      char *path;
       int oflag;
       mode_t mode;
     } open_action;
diff --git a/posix/tst-spawn.c b/posix/tst-spawn.c
index 84cecf2..6cd874a 100644
--- a/posix/tst-spawn.c
+++ b/posix/tst-spawn.c
@@ -168,6 +168,7 @@ do_test (int argc, char *argv[])
   char fd2name[18];
   char fd3name[18];
   char fd4name[18];
+  char *name3_copy;
   char *spargv[12];
   int i;
 
@@ -222,9 +223,15 @@ do_test (int argc, char *argv[])
    if (posix_spawn_file_actions_addclose (&actions, fd1) != 0)
      error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose");
    /* We want to open the third file.  */
-   if (posix_spawn_file_actions_addopen (&actions, fd3, name3,
+   name3_copy = strdup (name3);
+   if (name3_copy == NULL)
+     error (EXIT_FAILURE, errno, "strdup");
+   if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy,
                                         O_RDONLY, 0666) != 0)
      error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen");
+   /* Overwrite the name to check that a copy has been made.  */
+   memset (name3_copy, 'X', strlen (name3_copy));
+
    /* We dup the second descriptor.  */
    fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1;
    if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0)
@@ -253,6 +260,7 @@ do_test (int argc, char *argv[])
    /* Cleanup.  */
    if (posix_spawn_file_actions_destroy (&actions) != 0)
      error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy");
+   free (name3_copy);
 
   /* Wait for the child.  */
   if (waitpid (pid, &status, 0) != pid)
-- 
2.0.0




1.1                  
src/patchsets/glibc/2.19/00_all_0013-posix_spawn_faction_addopen-Add-missing-string.h-inc.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.19/00_all_0013-posix_spawn_faction_addopen-Add-missing-string.h-inc.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.19/00_all_0013-posix_spawn_faction_addopen-Add-missing-string.h-inc.patch?rev=1.1&content-type=text/plain

Index: 00_all_0013-posix_spawn_faction_addopen-Add-missing-string.h-inc.patch
===================================================================
>From e1449bcd91f738ea4b0b6d75bb3e1f21827cf047 Mon Sep 17 00:00:00 2001
From: Stefan Liebler <s...@linux.vnet.ibm.com>
Date: Thu, 12 Jun 2014 14:15:25 +0200
Subject: [PATCH 13/14] posix_spawn_faction_addopen: Add missing string.h
 include directive

This is needed to avoid a PLT call on s390.

(cherry picked from commit 35a5e3e338ae17f3d42c60a708763c5d498fb840)

https://bugs.gentoo.org/513090
https://sourceware.org/bugzilla/show_bug.cgi?id=17048
---
 posix/spawn_faction_addopen.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/posix/spawn_faction_addopen.c b/posix/spawn_faction_addopen.c
index 40800b8..eba158c 100644
--- a/posix/spawn_faction_addopen.c
+++ b/posix/spawn_faction_addopen.c
@@ -18,6 +18,7 @@
 #include <errno.h>
 #include <spawn.h>
 #include <unistd.h>
+#include <string.h>
 
 #include "spawn_int.h"
 
-- 
2.0.0