Bug 698025 - fopen doesn't honor last byte of valid modes
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: glibc
Version: 14
Assignee: Andreas Schwab
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-04-20 00:55 UTC by Eric Blake
Modified: 2016-11-24 16:05 UTC (History)

Fixed In Version: glibc-2.14-2
Doc Type: Bug Fix
Last Closed: 2011-06-07 04:25:39 UTC

Description Eric Blake 2011-04-20 00:55:03 UTC
Description of problem:
An off-by-one bug in glibc means that valid file modes to fopen() are not always honored.  In particular, this could be considered a security hole if someone used fopen(file,"rb+cmxe") to prevent leaking an fd into child processes, or fopen(file,"rb+cmex") to avoid overwriting existing files.

Version-Release number of selected component (if applicable):
glibc-2.12-1.25.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. $ cat foo.c
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>

int main (void)
{
  FILE *f = fopen ("/dev/null", "rb+cmxe");
  if (!f) exit (1);
  int fd = fileno (f);
  if (fd < 0) exit (2);
  int mode = fcntl (fd, F_GETFD);
  if (mode < 0) exit (3);
  return !(mode & FD_CLOEXEC);
}
$ ./foo; echo $?
  
Actual results:
1

Expected results:
0

Additional info:
http://sourceware.org/bugzilla/show_bug.cgi?id=12685

Comment 1 Eric Blake 2011-04-20 01:04:06 UTC
Correction - 'r' and 'x' don't generally make sense together; a better example (slightly) more likely to appear in a mode argument would be "wb+cmxe" or "wb+cmex".  And since 'c', 'm', and 'e' are glibc extensions, and 'x' is not valid until C1x, and 'b' is documented as a no-op on glibc, one could argue that anyone wanting to use all of 'c', 'm', 'e', '+', and 'x' has no business also using 'b', thus avoiding the off-by-one problem.
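
Added example, not part of the bug report and not glibc code: one way to get exclusive creation and close-on-exec without depending on how fopen() parses a long mode string is to pass O_EXCL and O_CLOEXEC to open(2) and wrap the descriptor with fdopen(), then confirm the flag with the same fcntl() check the reproducer uses. The helper names and the /tmp path are assumptions made for this sketch.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                /* for O_CLOEXEC on older toolchains */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if the stream's fd has FD_CLOEXEC, 0 if not, -1 on error. */
int stream_is_cloexec(FILE *f)
{
    int fd = fileno(f);
    if (fd < 0)
        return -1;
    int fdflags = fcntl(fd, F_GETFD);
    return fdflags < 0 ? -1 : (fdflags & FD_CLOEXEC) != 0;
}

/* Hypothetical helper, not a glibc API: create `path` exclusively for
 * read/write with close-on-exec. O_EXCL and O_CLOEXEC go to open(2)
 * directly, so neither depends on fopen() parsing a long mode string. */
FILE *fopen_excl_cloexec(const char *path, mode_t perms)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, perms);
    if (fd < 0)
        return NULL;               /* errno == EEXIST if the file exists */
    FILE *f = fdopen(fd, "w+");    /* short mode: stdio direction only */
    if (!f) {
        int saved = errno;
        close(fd);
        errno = saved;
        return NULL;
    }
    return f;
}

int main(void)
{
    char path[64];                 /* constructed sample path */
    snprintf(path, sizeof path, "/tmp/fopen_excl_demo_%ld", (long)getpid());
    unlink(path);
    FILE *f = fopen_excl_cloexec(path, 0600);
    if (!f || stream_is_cloexec(f) != 1)
        return 1;
    int second_refused = fopen_excl_cloexec(path, 0600) == NULL && errno == EEXIST;
    fclose(f);
    unlink(path);
    return !second_refused;        /* 0 when both properties held */
}
```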

Comment 2 Fedora Update System 2011-05-04 12:14:22 UTC
glibc-2.13.90-10 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/glibc-2.13.90-10

Comment 3 Fedora Update System 2011-05-05 04:41:37 UTC
Package glibc-2.13.90-10:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing glibc-2.13.90-10'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/glibc-2.13.90-10
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2011-05-07 15:05:32 UTC
Package glibc-2.13.90-11:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing glibc-2.13.90-11'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/glibc-2.13.90-11
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-05-17 05:36:22 UTC
Package glibc-2.13.90-12:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing glibc-2.13.90-12'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/glibc-2.13.90-12
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-05-18 18:42:37 UTC
Package glibc-2.13.90-13:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing glibc-2.13.90-13'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/glibc-2.13.90-13
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2011-05-27 20:24:34 UTC
Package glibc-2.13.90-14:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing glibc-2.13.90-14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/glibc-2.13.90-14
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2011-06-02 19:08:36 UTC
Package glibc-2.14-1:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing glibc-2.14-1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/glibc-2.14-1
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2011-06-04 02:55:30 UTC
Package glibc-2.14-2:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing glibc-2.14-2'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/glibc-2.14-2
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2011-06-07 04:24:50 UTC
glibc-2.14-2 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
