From patchwork Thu Oct 27 15:32:06 2022
X-Patchwork-Submitter: Szabolcs Nagy
X-Patchwork-Id: 59528
Subject: [PATCH 01/20] Fix OOB read in stdlib thousand grouping parsing [BZ #29727]
Date: Thu, 27 Oct 2022 16:32:06 +0100
Message-ID: <2650014080d5ad13f0a3968c0c9fd371127b29ca.1666877952.git.szabolcs.nagy@arm.com>
From: Szabolcs Nagy

__correctly_grouped_prefixmb only worked with thousands_len == 1,
otherwise it read past the end of cp or thousands.

This affects scanf formats like %'d, %'f and the internal but
exposed __strto{l,ul,f,d,..}_internal with grouping flag set
and an LC_NUMERIC locale where thousands_len > 1.

Avoid OOB access by considering thousands_len when initializing cp.
This fixes bug 29727.

Found by the morello port with strict bounds checking where

FAIL: stdlib/tst-strtod4
FAIL: stdlib/tst-strtod5i

crashed using a locale with thousands_len==3.
---
 stdlib/grouping.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/stdlib/grouping.c b/stdlib/grouping.c index be7922f5fd..4622897488 100644 --- a/stdlib/grouping.c +++ b/stdlib/grouping.c @@ -64,9 +64,17 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end, thousands_len = strlen (thousands); #endif +#ifdef USE_WIDE_CHAR while (end > begin) +#else + while (end - begin >= thousands_len) +#endif { +#ifdef USE_WIDE_CHAR const STRING_TYPE *cp = end - 1; +#else + const STRING_TYPE *cp = end - thousands_len; +#endif const char *gp = grouping; /* Check first group. */
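
Review bot: The new narrow-character loop condition "while (end - begin >= thousands_len)" is not equivalent to the old "end > begin" guard at the edges. thousands_len is set from strlen (thousands) just above, so with an empty separator the condition holds when end == begin and cp is initialised to end itself, where the old code would not have entered the loop. If thousands_len has strlen's unsigned type, the pointer difference is also converted to unsigned for the comparison, so end < begin would compare as a very large value instead of failing the test. Either state in a comment that callers never pass an empty thousands string and that end >= begin always holds here, or make the guard explicit, for example "while (end > begin && (size_t) (end - begin) >= thousands_len)". As a style point, the two added #ifdef USE_WIDE_CHAR pairs could be avoided by giving the wide build a thousands_len of 1 so that a single loop header and a single cp initialiser serve both builds.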