
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2021-3999) was discovered in the GNU C Library (glibc) affecting versions prior to 2.31. The flaw involves an off-by-one buffer overflow and underflow in the getcwd() function that occurs when the size of the buffer is exactly 1 byte. This vulnerability was discovered in January 2022 and was assigned a CVSS v3.1 base score of 7.8 (HIGH) (NVD, Red Hat).
The vulnerability occurs under specific conditions where the buffer size passed to getcwd() is exactly 1 byte, the current working directory is too long, and '/' is mounted on the current working directory. When these conditions are met, the syscall returns ENAMETOOLONG, causing a fallback to the generic getcwd implementation. This leads to a sequence where a null byte is written, followed by a '/' character written one byte before the buffer (underflow), and finally a buffer overflow when moving two bytes into a one-byte buffer (Openwall).
A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could potentially exploit this vulnerability to execute arbitrary code and escalate their privileges on the system. The vulnerability could lead to memory corruption, disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).
The vulnerability was patched in glibc with a fix that rejects buffer sizes of 1 byte early and returns NULL with errno set to ERANGE. The fix was implemented in multiple versions through patches and backports. Organizations are advised to update to patched versions of glibc. For systems that cannot be immediately updated, configuring applications to use buffer sizes larger than 1 byte for getcwd() calls can prevent exploitation (Sourceware).
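The caller-side mitigation described above, as an added example (not glibc's patch and not code from any cited advisory): a wrapper that refuses a 1-byte buffer before getcwd() is reached, plus an allocating helper that never starts below two bytes. The names getcwd_guarded, cwd_alloc, CWD_MIN_SIZE and CWD_MAX_SIZE are hypothetical, and the 1 MiB cap is an assumption of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>

#define CWD_MIN_SIZE 2          /* smallest buffer that can hold "/" plus NUL */
#define CWD_MAX_SIZE (1u << 20) /* assumed upper bound for this example */

/* Refuse a 1-byte buffer before glibc sees it, mirroring the behaviour the
 * fix is described as having: NULL with errno set to ERANGE. Unlike glibc,
 * this wrapper also rejects a NULL buffer instead of allocating one. */
char *getcwd_guarded(char *buf, size_t size)
{
    if (buf == NULL || size == 0) {
        errno = EINVAL;          /* POSIX error for a zero size */
        return NULL;
    }
    if (size < CWD_MIN_SIZE) {
        errno = ERANGE;          /* size == 1: never reaches getcwd() */
        return NULL;
    }
    return getcwd(buf, size);
}

/* Return a malloc'd copy of the working directory, doubling the buffer on
 * ERANGE. The starting size is clamped so a caller asking for 1 byte is
 * silently raised to CWD_MIN_SIZE. The caller frees the result. */
char *cwd_alloc(size_t initial)
{
    size_t size = initial < CWD_MIN_SIZE ? CWD_MIN_SIZE : initial;

    while (size <= CWD_MAX_SIZE) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        if (getcwd_guarded(buf, size) != NULL)
            return buf;
        int saved = errno;       /* free() may clobber errno */
        free(buf);
        if (saved != ERANGE) {
            errno = saved;
            return NULL;
        }
        size *= 2;
    }
    errno = ENAMETOOLONG;
    return NULL;
}
```

Routing existing getcwd() call sites through a wrapper like this keeps the 1-byte case away from an unpatched library until the glibc update is deployed.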
Source: This report was generated using AI