From patchwork Wed Jul 8 18:01:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joseph Myers X-Patchwork-Id: 39985 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 5104A3858D35; Wed, 8 Jul 2020 18:01:42 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from esa2.mentor.iphmx.com (esa2.mentor.iphmx.com [68.232.141.98]) by sourceware.org (Postfix) with ESMTPS id 9CC843858D34 for ; Wed, 8 Jul 2020 18:01:39 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 9CC843858D34 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=codesourcery.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=joseph_myers@mentor.com IronPort-SDR: 5KichcglQTpk9sZoAWlXoI7RDlZuY06NFZKT30/xLFWZ/L3rVLRbFJyBuZ1JoFTOWatmT84p4h Aywx1D/ylgpWiH+2L2oGm7ai6i+4Xu2eBu8+I/nsZn93Ry1TO+PKkDLeJkqRCrhw4K1D39Nj8z Giiolh24COFO/gH+p5DMG6la2b7PcqXIPKtDWVTzttDQaDGitqdlI0aSbSbfUjUXKuO60VafXc 33HyPXARaSeKogpePhZrGlsyHTIAxRvOLTgzRjFuBSQmwCOyUgqS5qVka8oN/PQwrpUhSxzrbo c5I= X-IronPort-AV: E=Sophos;i="5.75,328,1589270400"; d="scan'208";a="50725914" Received: from orw-gwy-02-in.mentorg.com ([192.94.38.167]) by esa2.mentor.iphmx.com with ESMTP; 08 Jul 2020 10:01:38 -0800 IronPort-SDR: 5eFB6irw9hVJa/lX4AR1JqX8TsVOJ4WtY/AEb2YxP6RfprGlnuP6Ofe/fg3XNvYX4SfNfZjmKD C+J7/+YoKMdrhdUW2kSKtU2pk9xTihBd+oAlU+C+z7tpvZgh2gMPZ1owobJaNYn4QybH7wXh8n BJuEaAFkpxxpd6M9Tkve3Du6VOn5n+p7ARAbye7rFVhvn3z1sFoLQ5pblvrf6jlBJ29NjPcnMG fhmO6EDwmJoeFWic5KDZT8xKOAVFc1CEDv0ddTWlufzFLm9zB71IyPH/EF0wzPWTqlaEJCB1Ge 11A= Date: Wed, 8 Jul 2020 18:01:33 +0000 From: Joseph Myers X-X-Sender: jsm28@digraph.polyomino.org.uk To: Subject: Fix double free in __printf_fp_l (bug 26214) Message-ID: User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 X-Originating-IP: [137.202.0.90] X-ClientProxiedBy: SVR-IES-MBX-03.mgc.mentorg.com (139.181.222.3) To SVR-IES-MBX-03.mgc.mentorg.com (139.181.222.3) X-Spam-Status: No, score=-3134.5 required=5.0 tests=BAYES_00, GIT_PATCH_0, HEADER_FROM_DIFFERENT_DOMAINS, KAM_DMARC_STATUS, KAM_SHORT, SPF_HELO_PASS, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" __printf_fp_l has a double free bug in the case where it allocates memory with malloc internally, then has an I/O error while outputting trailing padding and tries to free that already-freed memory when the error occurs. This patch fixes this by setting the relevant pointer to NULL after the first free (the only free of this pointer that isn't immediately followed by returning from the function). Tested for x86_64 and x86. Reviewed-by: Adhemerval Zanella diff --git a/stdio-common/Makefile b/stdio-common/Makefile index 73bf0da296..dc3fd38a19 100644 --- a/stdio-common/Makefile +++ b/stdio-common/Makefile @@ -67,7 +67,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ tst-renameat2 tst-bz11319 tst-bz11319-fortify2 \ scanf14a scanf16a \ tst-printf-bz25691 \ - tst-vfprintf-width-prec-alloc + tst-vfprintf-width-prec-alloc \ + tst-printf-fp-free test-srcs = tst-unbputc tst-printf tst-printfsz-islongdouble @@ -78,11 +79,13 @@ tests-special += $(objpfx)tst-unbputc.out $(objpfx)tst-printf.out \ $(objpfx)tst-setvbuf1-cmp.out \ $(objpfx)tst-vfprintf-width-prec-mem.out \ $(objpfx)tst-printfsz-islongdouble.out \ - $(objpfx)tst-printf-bz25691-mem.out + $(objpfx)tst-printf-bz25691-mem.out \ + $(objpfx)tst-printf-fp-free-mem.out generated += tst-printf-bz18872.c tst-printf-bz18872.mtrace \ tst-printf-bz18872-mem.out \ tst-vfprintf-width-prec.mtrace tst-vfprintf-width-prec-mem.out \ - tst-printf-bz25691.mtrace tst-printf-bz25691-mem.out + tst-printf-bz25691.mtrace tst-printf-bz25691-mem.out \ + tst-printf-fp-free.mtrace tst-printf-fp-free-mem.out endif tests-special += $(objpfx)tst-errno-manual.out @@ -108,6 +111,8 @@ tst-vfprintf-width-prec-ENV = \ MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace tst-printf-bz25691-ENV = \ MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace +tst-printf-fp-free-ENV = \ + MALLOC_TRACE=$(objpfx)tst-printf-fp-free.mtrace $(objpfx)tst-unbputc.out: tst-unbputc.sh $(objpfx)tst-unbputc $(SHELL) $< $(common-objpfx) '$(test-program-prefix)' > $@; \ diff --git a/stdio-common/printf_fp.c b/stdio-common/printf_fp.c index 9e0ce962f2..49c693575e 100644 --- a/stdio-common/printf_fp.c +++ b/stdio-common/printf_fp.c @@ -1250,6 +1250,9 @@ __printf_fp_l (FILE *fp, locale_t loc, { free (buffer); free (wbuffer); + /* Avoid a double free if the subsequent PADN encounters an + I/O error. */ + wbuffer = NULL; } } diff --git a/stdio-common/tst-printf-fp-free.c b/stdio-common/tst-printf-fp-free.c new file mode 100644 index 0000000000..fea52248e0 --- /dev/null +++ b/stdio-common/tst-printf-fp-free.c @@ -0,0 +1,37 @@ +/* Test double free bug in __printf_fp_l (bug 26214). + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include + +static int +do_test (void) +{ + mtrace (); + FILE *fp = fopen ("/dev/full", "w"); + TEST_VERIFY_EXIT (fp != NULL); + char buf[131072]; + TEST_VERIFY_EXIT (setvbuf (fp, buf, _IOFBF, sizeof buf) == 0); + TEST_COMPARE (fprintf (fp, "%-1000000.65536f", 1.0), -1); + fclose (fp); + return 0; +} + +#include