From patchwork Tue Jun 6 17:20:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arjun Shankar X-Patchwork-Id: 1791337 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.a=rsa-sha256 header.s=default header.b=UTo1u3Ok; dkim-atps=neutral Received: from sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4QbHLf23Bdz20QH for ; Wed, 7 Jun 2023 03:20:58 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 42E63385662B for ; Tue, 6 Jun 2023 17:20:56 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 42E63385662B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1686072056; bh=Ly07q42gt2PyQG/zPXGISuPoN/tNvjFFx685SLekB1s=; h=To:Cc:Subject:Date:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From:Reply-To:From; b=UTo1u3OkyOhdgLzq++qTY77YGp7KDDEvXQ2yLTmA7LUUfCUZ48Wct6AkZsMsR1Ajp w8+Nhud1qcC9g0ExYR+Hdx/TtunXartR5++nuaVo/jKVNUaRVH/NJEFTJATnQBCbsD 0onKQupVN/DpMVAq0ruIZr8P449FnyCBjNImcxyg= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 34CC83858288 for ; Tue, 6 Jun 2023 17:20:38 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 34CC83858288 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-184-9a8oGxddMiSoXwUMmy1Zkw-1; Tue, 06 Jun 2023 13:20:36 -0400 X-MC-Unique: 9a8oGxddMiSoXwUMmy1Zkw-1 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5150F85A5BB for ; Tue, 6 Jun 2023 17:20:36 +0000 (UTC) Received: from x1carbon.redhat.com (unknown [10.45.225.134]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5C25A492B00; Tue, 6 Jun 2023 17:20:35 +0000 (UTC) To: libc-alpha@sourceware.org Cc: Arjun Shankar , Martin Coufal Subject: [PATCH] time: Fix use-after-free in getdate Date: Tue, 6 Jun 2023 19:20:31 +0200 Message-Id: <20230606172031.2176656-1-arjun@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-11.9 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Arjun Shankar via Libc-alpha From: Arjun Shankar Reply-To: Arjun Shankar Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org Sender: "Libc-alpha" getdate would free the buffer pointed to by the result of its call to strptime, then reference the same buffer later on -- leading to a use-after-free. This commit fixes that. Reported-by: Martin Coufal Reviewed-by: Adhemerval Zanella --- time/getdate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/time/getdate.c b/time/getdate.c index 1dcbd77188..ca058394a3 100644 --- a/time/getdate.c +++ b/time/getdate.c @@ -114,6 +114,7 @@ __getdate_r (const char *string, struct tm *tp) struct tm tm; struct __stat64_t64 st; bool mday_ok = false; + bool found = false; datemsk = getenv ("DATEMSK"); if (datemsk == NULL || *datemsk == '\0') @@ -181,7 +182,7 @@ __getdate_r (const char *string, struct tm *tp) tp->tm_gmtoff = 0; tp->tm_zone = NULL; result = strptime (string, line, tp); - if (result && *result == '\0') + if ((found = (result && *result == '\0'))) break; } while (!__feof_unlocked (fp)); @@ -201,7 +202,7 @@ __getdate_r (const char *string, struct tm *tp) /* Close template file. */ fclose (fp); - if (result == NULL || *result != '\0') + if (!found) return 7; /* Get current time. */