From patchwork Mon Aug  6 15:12:08 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paul Pluzhnikov <ppluzhnikov@google.com>
X-Patchwork-Id: 28762
Received: (qmail 53385 invoked by alias); 6 Aug 2018 15:12:39 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 53368 invoked by uid 89); 6 Aug 2018 15:12:38 -0000
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-33.0 required=5.0 tests=AWL, BAYES_00,
	ENV_AND_HDR_SPF_MATCH, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2,
	GIT_PATCH_3, RCVD_IN_DNSWL_NONE, SPF_PASS,
	USER_IN_DEF_SPF_WL autolearn=ham version=3.3.2 spammy=Adhemerval,
	Zanella, zanella, adhemerval
X-HELO: mail-yb0-f173.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=mime-version:references:in-reply-to:from:date:message-id:subject:to
	:cc; bh=cofaMFW452Qb03Q/5L/c5ypeTrdPm23Zn4VkImdlJrY=;
	b=C/vlpmNExFlljXfK82D+iYSQ7ihPuvv0TxvzpXYN1lSi6FGdaC7Efb8U8ElZ8dIAfD
	iEwel8GebOWaNfQVc4aLvxIRQ092Jc5F8V7CT7RNVtSK7wL2YMNorjRhwMg32iKE2gcI
	JHPeZqEH//W612LiSU2K69Oep0AINTsyEc4jx+8bfW86umIj4CaS90MNEznfRbX/kTSG
	K2vx3RcM4csq318LyTaQXbH/xzBVMrHMPUjhWpD14LCVZXIL1YNIavXIjPkcOyBNL6q6
	P7j+8chA4U0GFPt2nnQ+1fibLfKTOV2DmmMzwDBtRkNLb1ZpYy3Hs7uZzBePIY0vWNzn
	BjfQ==
MIME-Version: 1.0
References: 
 <CALoOobOOo0z5FtsAE4s2rdM_0DwtJ50XoPEDrL=qUgasKzNp8Q@mail.gmail.com>
	<910a25b4-8df2-8ac0-6859-1431d60b5265@linaro.org>
In-Reply-To: <910a25b4-8df2-8ac0-6859-1431d60b5265@linaro.org>
From: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Mon, 6 Aug 2018 08:12:08 -0700
Message-ID: 
 <CALoOobMWw+Byy_yzToc5usky8X=SdbQSx93vxn7Chr_zmJWhKg@mail.gmail.com>
Subject: Re: [patch] Fix BZ 23400 -- stdlib/test-bz22786.c creates temporary
	files in glibc source tree
To: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Cc: GLIBC Devel <libc-alpha@sourceware.org>

Thanks for review!

On Mon, Jul 30, 2018 at 1:13 PM Adhemerval Zanella
<adhemerval.zanella@linaro.org> wrote:

> > +  strcpy (lnk, dir);
> > +  strcat (lnk, "/symlink");
>
> Maybe just 'char *lnk = xasprintf ("%s/symlink", dir);' instead?

Done.

> > +  if (symlink (".", lnk) != 0)
> >      {
> >        printf ("symlink (%s, %s): %m\n", dir, lnk);
> >        return EXIT_FAILURE;
>
> Use FAIL_EXIT1 or just TEST_VERIFY_EXIT.

Done.

> >    memset (p, 'a', path_len - (path - p) - 2);
> >    p[path_len - (path - p) - 1] = '\0';
>
> Shouldn't it 'p - path' instead? The subtraction is clearly issuing a
> overflow and I think it is not what the test meant here.

Good catch. Turns out that this was a buffer overflow in the original
test. Fixed.

Thanks,

2018-08-06  Paul Pluzhnikov  <ppluzhnikov@google.com>

        [BZ #23400]
        * stdlib/test-bz22786.c (do_test): Fix undefined behavior.

diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
index e7837f98c1..879d61dafa 100644
--- a/stdlib/test-bz22786.c
+++ b/stdlib/test-bz22786.c
@@ -26,28 +26,20 @@
 #include <unistd.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <support/check.h>
+#include <support/support.h>
+#include <support/temp_file.h>
 #include <support/test-driver.h>
 #include <libc-diag.h>
 
 static int
 do_test (void)
 {
-  const char dir[] = "bz22786";
-  const char lnk[] = "bz22786/symlink";
+  const char *dir = support_create_temp_directory ("bz22786.");
+  const char *lnk = xasprintf ("%s/symlink", dir);
+  const size_t path_len = (size_t) INT_MAX + strlen (lnk) + 1;
 
-  rmdir (dir);
-  if (mkdir (dir, 0755) != 0 && errno != EEXIST)
-    {
-      printf ("mkdir %s: %m\n", dir);
-      return EXIT_FAILURE;
-    }
-  if (symlink (".", lnk) != 0 && errno != EEXIST)
-    {
-      printf ("symlink (%s, %s): %m\n", dir, lnk);
-      return EXIT_FAILURE;
-    }
-
-  const size_t path_len = (size_t) INT_MAX + 1;
+  TEST_VERIFY_EXIT (symlink (".", lnk) == 0);
 
   DIAG_PUSH_NEEDS_COMMENT;
 #if __GNUC_PREREQ (7, 0)
@@ -55,20 +47,14 @@ do_test (void)
      allocation to succeed for the test to work.  */
   DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
 #endif
-  char *path = malloc (path_len);
+  char *path = xmalloc (path_len);
   DIAG_POP_NEEDS_COMMENT;
 
-  if (path == NULL)
-    {
-      printf ("malloc (%zu): %m\n", path_len);
-      return EXIT_UNSUPPORTED;
-    }
-
-  /* Construct very long path = "bz22786/symlink/aaaa....."  */
-  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
+  /* Construct very long path = "/tmp/bz22786.XXXX/symlink/aaaa....."  */
+  char *p = mempcpy (path, lnk, strlen (lnk));
   *(p++) = '/';
-  memset (p, 'a', path_len - (path - p) - 2);
-  p[path_len - (path - p) - 1] = '\0';
+  memset (p, 'a', path_len - (p - path) - 2);
+  p[path_len - (p - path) - 1] = '\0';
 
   /* This call crashes before the fix for bz22786 on 32-bit platforms.  */
   p = realpath (path, NULL);
@@ -81,7 +67,6 @@ do_test (void)
 
   /* Cleanup.  */
   unlink (lnk);
-  rmdir (dir);
 
   return 0;
 }