From patchwork Fri Jan 1 22:34:05 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Sebor X-Patchwork-Id: 41611 X-Patchwork-Delegate: siddhesh@gotplt.org Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 4D05D3844035; Fri, 1 Jan 2021 22:34:10 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4D05D3844035 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1609540450; bh=MaZHFJA1M8N2j7zfEEJCV+n4fkjSgyJh6bB3VOjcHtw=; h=Subject:To:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=XwJfUSryjdo7yvYyM+uUSrHe8ltN05qaavTcsfoVKVuuVO331EgDzwVW07FayjrM7 uTnAzHhzrTTluq8cMCztXODOdaGAFJY2NpDPAuRfagc8CzVdnAQn6Xs1UzfRIA2c/Q YEHxzXQk+YZEJi+6naJe7WlE/W3FK/GvUnv38M9s= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) by sourceware.org (Postfix) with ESMTPS id 5A4A83846012 for ; Fri, 1 Jan 2021 22:34:08 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 5A4A83846012 Received: by mail-ot1-x32b.google.com with SMTP id r9so20844599otk.11 for ; Fri, 01 Jan 2021 14:34:08 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:message-id:date:user-agent :mime-version:content-language:content-transfer-encoding; bh=MaZHFJA1M8N2j7zfEEJCV+n4fkjSgyJh6bB3VOjcHtw=; b=CpMhjRBpuH6HicXWpK5WP7QpPoBQYQK8bMrZqHwSLKbzqhTEtLh+Gl++kOHf3l2IuR lDoUSHgCJgXPgeEkY5NkiTWp4k9EFSUgZmNN/PkKLepci3oQvN7YpIw237s7F6fK2afp 1QDvdRdf2UxOo4xLQKWsNnNT8qKziuQfAM/K3HM4ens2We/vFDJRYr6UpURGW7sp1bQT +mDjJ2i3TxQ7qeVPWd8RzSJoyy17HqJ4zSKD/k7PGJ7fi0UBONcAYjOiv/+mofrwnV1V 6cYiaZSAyUMWeQjXRy6eKfYbnK3/AZVwaQoSJy4NraOSm0w44sci4jTa5LuwPU/M/SgV maaQ== X-Gm-Message-State: AOAM533yan1gnTr8MWl5aJG7BlViWD/SVbGWji2T6GziK0jCbRia5EKE npTGRTxJKF9h3u1seoC6R0GXz1QevMw= X-Google-Smtp-Source: ABdhPJyTGVplkokqS2pf5oi0kGJTx5Bf4slyvNi2deTClHXTKXVZOcO6XK05AwBFIBGWy+cXMP8Qtg== X-Received: by 2002:a9d:3e2:: with SMTP id f89mr45797356otf.278.1609540447652; Fri, 01 Jan 2021 14:34:07 -0800 (PST) Received: from [192.168.0.41] (75-166-96-128.hlrn.qwest.net. [75.166.96.128]) by smtp.gmail.com with ESMTPSA id p28sm12044917ota.14.2021.01.01.14.34.06 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Jan 2021 14:34:07 -0800 (PST) Subject: [PATCH] correct buffer end pointer in IO_wdefault_doallocate (BZ #26874) To: GNU C Library Message-ID: <92cfb8c8-4fe9-8793-f378-a2c593de7493@gmail.com> Date: Fri, 1 Jan 2021 15:34:05 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 MIME-Version: 1.0 Content-Language: en-US X-Spam-Status: No, score=-10.7 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Martin Sebor via Libc-alpha From: Martin Sebor Reply-To: Martin Sebor Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" An experimental build of GCC 11 with an enhanced -Warray-bounds reports a bug in IO_wdefault_doallocate where the function forms an invalid past-the-end pointer to an allocated wchar_t buffer by failingf to consider the scaling by sizeof (wchar_t). The fix path below corrects this problem. It keeps the buffer size the same as opposed to increasing it according to what other code like it does. Since the bug looks like it might be exploitable I tried to create a test case to trigger a call to _IO_wdefault_doallocate but couldn't. No test in the test suite seems to either, so I post this patch without one. Martin diff --git a/libio/wgenops.c b/libio/wgenops.c index 0a242d93ca..153b1da8dc 100644 --- a/libio/wgenops.c +++ b/libio/wgenops.c @@ -379,12 +379,11 @@ libc_hidden_def (_IO_wdoallocbuf) int _IO_wdefault_doallocate (FILE *fp) { - wchar_t *buf; - - buf = malloc (BUFSIZ); + wchar_t *buf = (wchar_t *)malloc (BUFSIZ); if (__glibc_unlikely (buf == NULL)) return EOF; - _IO_wsetb (fp, buf, buf + BUFSIZ, 1); + + _IO_wsetb (fp, buf, buf + BUFSIZ / sizeof *buf, 1); return 1; } libc_hidden_def (_IO_wdefault_doallocate)