ptsname_r: don't leak uninitialized memory (BZ #16917)

If the fd refers to a terminal device, but not a pty master, the TIOCGPTN ioctl returns with ENOTTY. This error is not caught, and the possibly undefined buffer passed to ptsname_r is sent directly to the stat64 syscall. Fix this by using a fallback to the old method only if the TIOCGPTN ioctl fails with EINVAL. This also fix the return value in that specific case (it return ENOENT without this patch). Also add tests to the ptsname_r function (and ptsname at the same time). Note: this is Debian bug#741482, reported by Jakub Wilk <jwilk@debian.org>
2014-05-16 00:03:37 +02:00 · 2014-05-16 00:03:37 +02:00 · d0583c4039
parent c0c08d02c8
commit d0583c4039
5 changed files with 122 additions and 3 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+2014-05-16  Aurelien Jarno  <aurelien@aurel32.net>
+
+	[BZ #16917]
+	* sysdeps/unix/sysv/linux/ptsname.c (__ptsname_internal): Return
+	errno if the TIOCGPTN ioctl fails with an error different than
+	EINVAL.
+	* login/tst-ptsname.c: New file.
+	* login/Makefile (tests): Add tst-ptsname.
+
 2014-05-15  Siddhesh Poyarekar  <siddhesh@redhat.com>

 	[BZ #16849]
--- a/2
+++ b/2
@ -17,7 +17,7 @@ Version 2.20
  16712, 16713, 16714, 16731, 16739, 16740, 16743, 16754, 16758, 16759,
  16760, 16770, 16786, 16789, 16791, 16799, 16800, 16815, 16823, 16824,
  16831, 16838, 16849, 16854, 16876, 16877, 16885, 16888, 16890, 16912,
-  16916, 16922, 16927, 16928, 16932.
+  16916, 16917, 16922, 16927, 16928, 16932.

 * The minimum Linux kernel version that this version of the GNU C Library
  can be used with is 2.6.32.
--- a/login/Makefile
+++ b/login/Makefile
@ -43,7 +43,7 @@ endif
 subdir-dirs = programs
 vpath %.c programs

-tests := tst-utmp tst-utmpx tst-grantpt
+tests := tst-utmp tst-utmpx tst-grantpt tst-ptsname

 # Build the -lutil library with these extra functions.
 extra-libs      := libutil
--- a/login/tst-ptsname.c
+++ b/login/tst-ptsname.c
@ -0,0 +1,108 @@
+/* Test for ptsname/ptsname_r.
+   Copyright (C) 2014 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+   Contributed by Aurelien Jarno <aurelien@aurel32.net>, 2014.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define DEV_TTY		"/dev/tty"
+#define PTSNAME_EINVAL	"./ptsname-einval"
+
+static int
+do_single_test (int fd, char *buf, size_t buflen, int expected_err)
+{
+
+  int ret = ptsname_r (fd, buf, buflen);
+  int err = errno;
+
+  if (expected_err == 0)
+    {
+      if (ret != 0)
+	{
+	  printf ("ptsname_r: expected: return = 0\n");
+	  printf ("           got: return = %d, errno = %d (%s)\n",
+	          ret, err, strerror (err));
+	  return 1;
+	}
+    }
+  else
+    {
+      if (ret == 0 || errno != expected_err)
+	{
+	  printf ("ptsname_r: expected: return = %d, errno = %d (%s)\n",
+	          -1, expected_err, strerror (expected_err));
+	  printf ("           got: return = %d, errno = %d (%s)\n",
+	          ret, err, strerror (err));
+	  return 1;
+	}
+    }
+
+  return 0;
+}
+
+static int
+do_test (void)
+{
+  char buf[512];
+  int result = 0;
+
+  /* Tests with a real PTS master.  */
+  int fd = posix_openpt (O_RDWR);
+  if (fd != -1)
+    {
+      result |= do_single_test (fd, buf, sizeof (buf), 0);
+      result |= do_single_test (fd, NULL, sizeof (buf), EINVAL);
+      result |= do_single_test (fd, buf, 1, ERANGE);
+      close (fd);
+    }
+  else
+    printf ("posix_openpt (O_RDWR) failed\nerrno %d (%s)\n",
+	    errno, strerror (errno));
+
+  /* Test with a terminal device which is not a PTS master.  */
+  fd = open (DEV_TTY, O_RDONLY);
+  if (fd != -1)
+    {
+      result |= do_single_test (fd, buf, sizeof (buf), ENOTTY);
+      close (fd);
+    }
+  else
+    printf ("open (\"%s\", O_RDWR) failed\nerrno %d (%s)\n",
+	    DEV_TTY, errno, strerror (errno));
+
+  /* Test with a file.  */
+  fd = open (PTSNAME_EINVAL, O_RDWR | O_CREAT, 0600);
+  if (fd != -1)
+    {
+      result |= do_single_test (fd, buf, sizeof (buf), ENOTTY);
+      close (fd);
+      unlink (PTSNAME_EINVAL);
+    }
+  else
+    printf ("open (\"%s\", O_RDWR | OCREAT) failed\nerrno %d (%s)\n",
+	    PTSNAME_EINVAL, errno, strerror (errno));
+
+  return result;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
--- a/sysdeps/unix/sysv/linux/ptsname.c
+++ b/sysdeps/unix/sysv/linux/ptsname.c
@ -105,7 +105,9 @@ __ptsname_internal (int fd, char *buf, size_t buflen, struct stat64 *stp)

      memcpy (__stpcpy (buf, devpts), p, &numbuf[sizeof (numbuf)] - p);
    }
-  else if (errno == EINVAL)
+  else if (errno != EINVAL)
+    return errno;
+  else
 #endif
    {
      char *p;