From patchwork Wed May 14 10:59:54 2014
X-Patchwork-Submitter: Aurelien Jarno
X-Patchwork-Id: 905
From: Aurelien Jarno
To: libc-alpha@sourceware.org
Cc: Aurelien Jarno
Subject: [PATCH v4] ptsname_r: don't leak uninitialized memory (BZ #16917)
Date: Wed, 14 May 2014 12:59:54 +0200
Message-Id: <1400065194-31515-1-git-send-email-aurelien@aurel32.net>

If the fd refers to a terminal device, but not a pty master, the
TIOCGPTN ioctl returns with ENOTTY. This error is not caught, and the
possibly undefined buffer passed to ptsname_r is sent directly to the
stat64 syscall.

Fix this by using a fallback to the old method only if the TIOCGPTN
ioctl fails with EINVAL. This also fixes the return value in that
specific case (it returns ENOENT without this patch).

Also add tests to the ptsname_r function (and ptsname at the same
time).

Note: this is Debian bug#741482, reported by Jakub Wilk
---
 ChangeLog                         |   9 ++++
 NEWS                              |   4 +-
 login/Makefile                    |   2 +-
 login/tst-ptsname.c               | 108 ++++++++++++++++++++++++++++++++++++++
 sysdeps/unix/sysv/linux/ptsname.c |   4 +-
 5 files changed, 123 insertions(+), 4 deletions(-)
 create mode 100644 login/tst-ptsname.c

v1 -> v2: add tests.
v2 -> v3: Fix changelog. Rewrite the tests using test-skeleton.c and
          the comments from Roland McGrath.
v3 -> v4: Don't ignore test results of /dev/tty test.

diff --git a/ChangeLog b/ChangeLog index c2bed53..04fdbe1 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,14 @@ 2014-05-14 Aurelien Jarno + [BZ #16917] + * sysdeps/unix/sysv/linux/ptsname.c (__ptsname_internal): Return + errno if the TIOCGPTN ioctl fails with an error different than + EINVAL. + * login/tst-ptsname.c: New file. + * login/Makefile (tests): Add tst-ptsname. + +2014-05-14 Aurelien Jarno + [BZ #16915] * locale/nl_langinfo_l.c: Make direct reference to every _nl_current_CATEGORY symbol. diff --git a/NEWS b/NEWS index d35e1bb..f081e8e 100644 --- a/NEWS +++ b/NEWS @@ -16,8 +16,8 @@ Version 2.20 16677, 16680, 16683, 16689, 16695, 16701, 16706, 16707, 16712, 16713, 16714, 16731, 16739, 16740, 16743, 16754, 16758, 16759, 16760, 16770, 16786, 16789, 16791, 16799, 16800, 16815, 16823, 16824, 16831, 16838, - 16854, 16876, 16877, 16885, 16888, 16890, 16912, 16915, 16916, 16922, - 16932. + 16854, 16876, 16877, 16885, 16888, 16890, 16912, 16915, 16916, 16917, + 16922, 16932. * The minimum Linux kernel version that this version of the GNU C Library can be used with is 2.6.32. diff --git a/login/Makefile b/login/Makefile index ca55808..d758ac5 100644 --- a/login/Makefile +++ b/login/Makefile @@ -43,7 +43,7 @@ endif subdir-dirs = programs vpath %.c programs -tests := tst-utmp tst-utmpx tst-grantpt +tests := tst-utmp tst-utmpx tst-grantpt tst-ptsname # Build the -lutil library with these extra functions. extra-libs := libutil diff --git a/login/tst-ptsname.c b/login/tst-ptsname.c new file mode 100644 index 0000000..edcdbc5 --- /dev/null +++ b/login/tst-ptsname.c 
@@ -0,0 +1,108 @@ +/* Test for ptsname/ptsname_r. + Copyright (C) 2014 Free Software Foundation, Inc. + This file is part of the GNU C Library. + Contributed by Aurelien Jarno , 2014. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include + +#define DEV_TTY "/dev/tty" +#define PTSNAME_EINVAL "./ptsname-einval" + +static int +do_single_test (int fd, char *buf, size_t buflen, int expected_err) +{ + + int ret = ptsname_r (fd, buf, buflen); + int err = errno; + + if (expected_err == 0) + { + if (ret != 0) + { + printf ("ptsname_r: expected: return = 0\n"); + printf (" got: return = %d, errno = %d (%s)\n", + ret, err, strerror (err)); + return 1; + } + } + else + { + if (ret == 0 || errno != expected_err) + { + printf ("ptsname_r: expected: return = %d, errno = %d (%s)\n", + -1, expected_err, strerror (expected_err)); + printf (" got: return = %d, errno = %d (%s)\n", + ret, err, strerror (err)); + return 1; + } + } + + return 0; +} + +static int +do_test (void) +{ + char buf[512]; + int result = 0; + + /* Tests with a real PTS master. 
*/ + int fd = posix_openpt (O_RDWR); + if (fd != -1) + { + result |= do_single_test (fd, buf, sizeof (buf), 0); + result |= do_single_test (fd, NULL, sizeof (buf), EINVAL); + result |= do_single_test (fd, buf, 1, ERANGE); + close (fd); + } + else + printf ("posix_openpt (O_RDWR) failed\nerrno %d (%s)\n", + errno, strerror (errno)); + + /* Test with a terminal device which is not a PTS master. */ + fd = open (DEV_TTY, O_RDONLY); + if (fd != -1) + { + result |= do_single_test (fd, buf, sizeof (buf), ENOTTY); + close (fd); + } + else + printf ("open (\"%s\", O_RDWR) failed\nerrno %d (%s)\n", + DEV_TTY, errno, strerror (errno)); + + /* Test with a file. */ + fd = open (PTSNAME_EINVAL, O_RDWR | O_CREAT, 0600); + if (fd != -1) + { + result |= do_single_test (fd, buf, sizeof (buf), ENOTTY); + close (fd); + unlink (PTSNAME_EINVAL); + } + else + printf ("open (\"%s\", O_RDWR | OCREAT) failed\nerrno %d (%s)\n", + PTSNAME_EINVAL, errno, strerror (errno)); + + return result; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" diff --git a/sysdeps/unix/sysv/linux/ptsname.c b/sysdeps/unix/sysv/linux/ptsname.c index ed39f8f..3fc14a7 100644 --- a/sysdeps/unix/sysv/linux/ptsname.c +++ b/sysdeps/unix/sysv/linux/ptsname.c @@ -105,7 +105,9 @@ __ptsname_internal (int fd, char *buf, size_t buflen, struct stat64 *stp) memcpy (__stpcpy (buf, devpts), p, &numbuf[sizeof (numbuf)] - p); } - else if (errno == EINVAL) + else if (errno != EINVAL) + return errno; + else #endif { char *p;
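
Review bot: In login/tst-ptsname.c, the failure branch of do_single_test only checks "ret == 0 || errno != expected_err", so any non-zero return value is accepted, and the "expected" message prints return = -1 even though the ptsname.c hunk in this patch returns errno itself. Compare ret against expected_err as well, use the saved err instead of re-reading errno, and print expected_err as the expected return value. Separately, when open (DEV_TTY, O_RDONLY) fails, do_test only prints a message and leaves result at 0, so on a machine without a controlling terminal the terminal-but-not-pty-master case from the commit message is never run and the test still passes; report that case as unsupported rather than as a pass. The two diagnostics also misname the flags: the /dev/tty message says O_RDWR although the call uses O_RDONLY, and the file message says OCREAT instead of O_CREAT.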
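
Review bot: In sysdeps/unix/sysv/linux/ptsname.c, the new "else if (errno != EINVAL) return errno;" branch has no comment saying why EINVAL alone selects the fallback block after #endif while every other ioctl error is returned to the caller. The commit message gives the reason (ENOTTY from a terminal that is not a pty master must not reach the stat64 path with an unwritten buf), and that reasoning should sit next to the check, since the bare "else" immediately before #endif is easy to misread and a later cleanup could restore the old fall-through. A one-line comment on each branch would be enough.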