Merge qa-regression-testing:glibc-cve-2021-35942 into qa-regression-testing:master

Proposed by Mark Esler
Status: Merged
Merged at revision: d87a9ae579e3ad186824dab8dc2e76c9590dd178
Proposed branch: qa-regression-testing:glibc-cve-2021-35942
Merge into: qa-regression-testing:master
Diff against target: 62 lines (+29/-2)
4 files modified
scripts/glibc/Makefile (+2/-2)
scripts/glibc/wordexp/Makefile (+6/-0)
scripts/glibc/wordexp/cve-2021-35942.c (+10/-0)
scripts/test-glibc.py (+11/-0)
Reviewers (review type / date requested / status):
  Steve Beattie: Approve
  Marc Deslauriers: Pending
Review via email: mp+424805@code.launchpad.net

Commit message

test-glibc.py: add testcase for CVE-2021-35942

Description of the change

Alphabetized directories with files to build.

Added PoC and testcase for CVE-2021-35942.

I tested PoC on two patched systems (Jammy and Bionic) and each gave exit code 5. An unpatched system (Xenial) gave exit code -11.

Also, all glibc tests pass on Bionic, but Jammy needs to be fixed. It errors on test_d_tag_underflow and test_crypt for DES.

Steve Beattie (sbeattie) wrote :

Hey Mark, this looks pretty good. I'm assuming this testcase is based on a PoC from somewhere else? Can you include a reference or origin either as a comment in the source code or else as a README, just so that we have an attribution reference where possible?

review: Needs Fixing
Mark Esler (eslerm) wrote :

Thanks Steve.

An attribution was added.

Steve Beattie (sbeattie) wrote :

Sorry for the delayed review, I've gone ahead and merged this (noting in the commit that the CVE is unfixed in a couple of releases still).

Thanks!

review: Approve
Steve Beattie (sbeattie) wrote :

(Also, I fixed up the failing tests for newer releases.)

Preview Diff

1diff --git a/scripts/glibc/Makefile b/scripts/glibc/Makefile
2index 47be630..76de490 100644
3--- a/scripts/glibc/Makefile
4+++ b/scripts/glibc/Makefile
5@@ -1,5 +1,5 @@
6-SUBDIRS=crypt fnmatch getaddrinfo getcwd getdents strstr strspn strtod \
7- sscanf vfprintf strcoll regex malloc
8+SUBDIRS=crypt fnmatch getaddrinfo getcwd getdents malloc regex sscanf \
9+ strcoll strspn strstr strtod vfprintf wordexp
10
11 all:
12 set -e && for dir in $(SUBDIRS) ; do \
13diff --git a/scripts/glibc/wordexp/Makefile b/scripts/glibc/wordexp/Makefile
14new file mode 100644
15index 0000000..927dfef
16--- /dev/null
17+++ b/scripts/glibc/wordexp/Makefile
18@@ -0,0 +1,6 @@
19+CFLAGS=-O2 -g -Wall
20+
21+all: cve-2021-35942
22+
23+clean:
24+ rm -f cve-2021-35942
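Review bot: the new Makefile declares no `.PHONY: all clean`, so `all` and `clean` are treated as real file targets; a stray file named `clean` in `scripts/glibc/wordexp/` would silently turn `make clean` into a no-op, and `make all` would also be skipped if a file named `all` ever appeared. Add `.PHONY: all clean` above the targets. `all: cve-2021-35942` otherwise correctly relies on make's built-in `.c` to executable rule picking up `CFLAGS`, which matches how the parent Makefile iterates `SUBDIRS`.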
25diff --git a/scripts/glibc/wordexp/cve-2021-35942.c b/scripts/glibc/wordexp/cve-2021-35942.c
26new file mode 100644
27index 0000000..750d874
28--- /dev/null
29+++ b/scripts/glibc/wordexp/cve-2021-35942.c
30@@ -0,0 +1,10 @@
31+#include <wordexp.h>
32+
33+/* PoC for CVE-2021-35942 created by Philippe Antoine
34+ * https://sourceware.org/bugzilla/show_bug.cgi?id=28011
35+ */
36+int main() {
37+wordexp_t p;
38+int ret = wordexp("\"data:888888888888888888888888888888e},},${8888888888888##sioiondata:ap gi37 },},{8888888888SSSSSSSSSSSSSS88883********888888888888888888888888888888e},},{8888888888888 ##sioiondata:ap gi37 TTTT05T98TTTT047798T\xff\xff\xff\xd1\xff\xff\xff\ xb1TTTTT9TT//////// /Y/ 80371588u40)2961kata:888##sioiondata>ap )", &p, 0);
39+return ret;
40+}
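Review bot: the string literal at the `wordexp(...)` call contains `\xff\xff\xff\ xb1` with a space after the backslash; `\ ` is not a valid C escape sequence, so `-Wall` will emit an "unknown escape sequence" warning and the literal will hold a space followed by the text `xb1` rather than the byte 0xb1. Please confirm against the upstream reproducer at https://sourceware.org/bugzilla/show_bug.cgi?id=28011 whether `\xb1` was intended, or whether the space is faithful to the original; either way a comment saying so would avoid future "fixes" that change the input. Two smaller points: `int main()` should be `int main(void)` for a strict prototype, and since `ret` becomes the process exit status that `test-glibc.py` asserts on, a short comment noting that the expected patched result is `WRDE_SYNTAX` (5) would tie the two files together.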
41diff --git a/scripts/test-glibc.py b/scripts/test-glibc.py
42index e84c511..0c8e428 100755
43--- a/scripts/test-glibc.py
44+++ b/scripts/test-glibc.py
45@@ -300,6 +300,17 @@ class GlibcTest(testlib.TestlibCase):
46 os.chdir('getcwd')
47 self.assertShellExitEquals(expected, ["./cve-2018-1000001"])
48
49+ def test_wordexp_cve_2021_35942(self):
50+ '''wordexp atoi overflow (CVE-2021-35942)'''
51+
52+ os.chdir('wordexp')
53+
54+ # This test segfaults when vulnerable
55+ # and denies access when patched
56+ expected = 5
57+
58+ self.assertShellExitEquals(expected, ["./cve-2021-35942"])
59+
60
61 if __name__ == '__main__':
62 # CVE-2010-3856 test fails if we're running as root
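Review bot: the comment "denies access when patched" above `expected = 5` misdescribes the result; exit status 5 is the value of `WRDE_SYNTAX` returned by `wordexp(3)` and propagated through `main` in the PoC, i.e. a shell syntax error in the input, not an access denial. Suggest wording it as "# returns WRDE_SYNTAX (5) when patched, segfaults (-11) when vulnerable" so the number is self-explanatory. Also, `expected` is hard-coded with no per-release condition, so on releases where the fix is not present (the description reports Xenial exiting with -11) the test will simply fail rather than be flagged as a known-vulnerable release; if the suite has a convention for release-dependent expectations, apply it here.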
