Merge qa-regression-testing:glibc-cve-2021-35942 into qa-regression-testing:master

Proposed by Mark Esler
Status: Merged
Merged at revision: d87a9ae579e3ad186824dab8dc2e76c9590dd178
Proposed branch: qa-regression-testing:glibc-cve-2021-35942
Merge into: qa-regression-testing:master
Diff against target: 62 lines (+29/-2)
4 files modified
scripts/glibc/Makefile (+2/-2)
scripts/glibc/wordexp/Makefile (+6/-0)
scripts/glibc/wordexp/cve-2021-35942.c (+10/-0)
scripts/test-glibc.py (+11/-0)
Reviewer            Status
Steve Beattie       Approve
Marc Deslauriers    Pending
Review via email: mp+424805@code.launchpad.net

Commit message

test-glibc.py: add testcase for CVE-2021-35942

Description of the change

Alphabetized directories with files to build.

Added PoC and testcase for CVE-2021-35942.

I tested PoC on two patched systems (Jammy and Bionic) and each gave exit code 5. An unpatched system (Xenial) gave exit code -11.

Also, all glibc tests pass on Bionic, but Jammy needs to be fixed. It errors on test_d_tag_underflow and test_crypt for DES.

Steve Beattie (sbeattie) wrote :

Hey Mark, this looks pretty good. I'm assuming this testcase is based on a PoC from somewhere else? Can you include a reference or origin either as a comment in the source code or else as a README, just so that we have an attribution reference where possible?

review: Needs Fixing
Mark Esler (eslerm) wrote :

Thanks Steve.

An attribution was added.

Steve Beattie (sbeattie) wrote :

Sorry for the delayed review, I've gone ahead and merged this (noting in the commit that the CVE is unfixed in a couple of releases still).

Thanks!

review: Approve
Steve Beattie (sbeattie) wrote :

(Also, I fixed up the failing tests for newer releases.)

Preview Diff

diff --git a/scripts/glibc/Makefile b/scripts/glibc/Makefile
index 47be630..76de490 100644
--- a/scripts/glibc/Makefile
+++ b/scripts/glibc/Makefile
@@ -1,5 +1,5 @@
1SUBDIRS=crypt fnmatch getaddrinfo getcwd getdents strstr strspn strtod \1SUBDIRS=crypt fnmatch getaddrinfo getcwd getdents malloc regex sscanf \
2 sscanf vfprintf strcoll regex malloc2 strcoll strspn strstr strtod vfprintf wordexp
33
4all:4all:
5 set -e && for dir in $(SUBDIRS) ; do \5 set -e && for dir in $(SUBDIRS) ; do \
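Review bot: In SUBDIRS, the alphabetical re-sort and the new wordexp entry land in the same two lines, so the one functional change (wordexp appended to the list) is hard to pick out from the reordering. Consider putting the sort in its own commit, or stating in the commit message that wordexp is the only directory added.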
diff --git a/scripts/glibc/wordexp/Makefile b/scripts/glibc/wordexp/Makefile
6new file mode 1006446new file mode 100644
index 0000000..927dfef
--- /dev/null
+++ b/scripts/glibc/wordexp/Makefile
@@ -0,0 +1,6 @@
1CFLAGS=-O2 -g -Wall
2
3all: cve-2021-35942
4
5clean:
6 rm -f cve-2021-35942
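Review bot: The all and clean targets in this new Makefile are not declared phony, so a stray file named all or clean in scripts/glibc/wordexp would keep them from running. Adding a ".PHONY: all clean" line makes that robust. No explicit rule builds cve-2021-35942, so the binary depends on make's implicit rule for the .c file picking up the CFLAGS set here; a one-line comment saying so would help the next reader.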
diff --git a/scripts/glibc/wordexp/cve-2021-35942.c b/scripts/glibc/wordexp/cve-2021-35942.c
0new file mode 1006447new file mode 100644
index 0000000..750d874
--- /dev/null
+++ b/scripts/glibc/wordexp/cve-2021-35942.c
@@ -0,0 +1,10 @@
1#include <wordexp.h>
2
3/* PoC for CVE-2021-35942 created by Philippe Antoine
4 * https://sourceware.org/bugzilla/show_bug.cgi?id=28011
5 */
6int main() {
7wordexp_t p;
8int ret = wordexp("\"data:888888888888888888888888888888e},},${8888888888888##sioiondata:ap gi37 },},{8888888888SSSSSSSSSSSSSS88883********888888888888888888888888888888e},},{8888888888888 ##sioiondata:ap gi37 TTTT05T98TTTT047798T\xff\xff\xff\xd1\xff\xff\xff\ xb1TTTTT9TT//////// /Y/ 80371588u40)2961kata:888##sioiondata>ap )", &p, 0);
9return ret;
10}
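Review bot: main() hands the wordexp() result straight back as the process exit status, but nothing in this file says which value is expected, so the C source cannot be read on its own. A short comment next to "return ret;" stating that the test in scripts/test-glibc.py expects 5 on a patched glibc and a crash on a vulnerable one would close that gap. Declaring the function as "int main(void)" would also be tidier.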
diff --git a/scripts/test-glibc.py b/scripts/test-glibc.py
index e84c511..0c8e428 100755
--- a/scripts/test-glibc.py
+++ b/scripts/test-glibc.py
@@ -300,6 +300,17 @@ class GlibcTest(testlib.TestlibCase):
300 os.chdir('getcwd')300 os.chdir('getcwd')
301 self.assertShellExitEquals(expected, ["./cve-2018-1000001"])301 self.assertShellExitEquals(expected, ["./cve-2018-1000001"])
302302
303 def test_wordexp_cve_2021_35942(self):
304 '''wordexp atoi overflow (CVE-2021-35942)'''
305
306 os.chdir('wordexp')
307
308 # This test segfaults when vulnerable
309 # and denies access when patched
310 expected = 5
311
312 self.assertShellExitEquals(expected, ["./cve-2021-35942"])
313
303314
304if __name__ == '__main__':315if __name__ == '__main__':
305 # CVE-2010-3856 test fails if we're running as root316 # CVE-2010-3856 test fails if we're running as root
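Review bot: "expected = 5" in test_wordexp_cve_2021_35942 is unconditional, while the description reports exit code -11 on an unpatched Xenial, so the test fails on every release where the fix has not landed. If that failure is meant as the regression signal, say so in the docstring; otherwise gate the expectation on the release. The comment "denies access when patched" is also misleading, since 5 is just the value cve-2021-35942.c returns from wordexp(); naming the wordexp error it corresponds to would be clearer.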
