From patchwork Tue Jan 24 11:31:55 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 63616
Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id 776893858C50
	for <patchwork@sourceware.org>; Tue, 24 Jan 2023 11:32:21 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 776893858C50
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1674559941;
	bh=PJPgxUgYr8rHNm/qv3ncL90lrz/h5m46pt5SaoLyXik=;
	h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:From;
	b=SwlO3CEq3mi4AQ5ZHstwnfbNJink7DO0ozn35ds0TDlviArNVrMjFCbkbVwdhdCS4
	 KVNhwUe5v3Jf/3tlsT7J0wzVO8MwJ8lwIbmDO7f4Nt2H7PXO49XUiRPRxVgiRe4EQx
	 G8tggzWgfmUas1EWJe27oA4GA3Ljx2IZPMH5OHe4=
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
 by sourceware.org (Postfix) with ESMTPS id F1F903858D28
 for <libc-alpha@sourceware.org>; Tue, 24 Jan 2023 11:31:59 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org F1F903858D28
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-481-rlKGUI46NmSG01q94HxHIg-1; Tue, 24 Jan 2023 06:31:58 -0500
X-MC-Unique: rlKGUI46NmSG01q94HxHIg-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com
 [10.11.54.5])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 296C81871D94
 for <libc-alpha@sourceware.org>; Tue, 24 Jan 2023 11:31:58 +0000 (UTC)
Received: from oldenburg.str.redhat.com (unknown [10.39.194.74])
 by smtp.corp.redhat.com (Postfix) with ESMTPS id 4F7B453A0
 for <libc-alpha@sourceware.org>; Tue, 24 Jan 2023 11:31:57 +0000 (UTC)
To: libc-alpha@sourceware.org
Subject: [PATCH] stdio-common: Handle -1 buffer size in __sprintf_chk & co
 (bug 30039)
Date: Tue, 24 Jan 2023 12:31:55 +0100
Message-ID: <874jsggod0.fsf@oldenburg.str.redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
X-Spam-Status: No, score=-10.6 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0,
 KAM_SHORT,
 RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NONE,
 TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-Patchwork-Original-From: Florian Weimer via Libc-alpha
 <libc-alpha@sourceware.org>
From: Florian Weimer <fweimer@redhat.com>
Reply-To: Florian Weimer <fweimer@redhat.com>
Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org
Sender: "Libc-alpha"
 <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org>

This shows up as an assertion failure when sprintf is called with
a specifier like "%.8g" and libquadmath is linked in:

Fatal glibc error: printf_buffer_as_file.c:31
  (__printf_buffer_as_file_commit): assertion failed:
  file->stream._IO_write_ptr <= file->next->write_end

Fix this by detecting pointer wraparound in __vsprintf_internal
and saturate the addition to the end of the address space instead.

Tested on i686-linux-gnu, x86_64-linux-gnu.  Proposed as a release
blocker.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
---
 debug/Makefile                        |   5 ++
 debug/tst-sprintf-fortify-unchecked.c | 126 ++++++++++++++++++++++++++++++++++
 include/printf_buffer.h               |  19 +++--
 libio/iovsprintf.c                    |  15 ++--
 4 files changed, 155 insertions(+), 10 deletions(-)


base-commit: 103a469dc7755fd9e8ccf362f3dd4c55dc761908

diff --git a/debug/Makefile b/debug/Makefile
index 13f15d15d3..52f9a7852c 100644
--- a/debug/Makefile
+++ b/debug/Makefile
@@ -200,6 +200,10 @@ LDFLAGS-tst-backtrace6 = -rdynamic
 
 CFLAGS-tst-ssp-1.c += -fstack-protector-all
 
+# Disable compiler optimizations around vsprintf (the function under test).
+CFLAGS-tst-sprintf-fortify-unchecked.c = \
+  -fno-builtin-vsprintf -fno-builtin-__vsprintf_chk
+
 tests = backtrace-tst \
 	tst-longjmp_chk \
 	test-strcpy_chk \
@@ -211,6 +215,7 @@ tests = backtrace-tst \
 	tst-backtrace5 \
 	tst-backtrace6 \
 	tst-realpath-chk \
+	tst-sprintf-fortify-unchecked \
 	$(tests-all-chk)
 
 tests-time64 += \
diff --git a/debug/tst-sprintf-fortify-unchecked.c b/debug/tst-sprintf-fortify-unchecked.c
new file mode 100644
index 0000000000..7c7bd1b5e4
--- /dev/null
+++ b/debug/tst-sprintf-fortify-unchecked.c
@@ -0,0 +1,126 @@
+/* Tests for fortified sprintf with unknown buffer bounds (bug 30039).
+   Copyright (C) 2023 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <printf.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <support/check.h>
+
+/* This test is not built with _FORTIFY_SOURCE.  Instead it calls the
+   appropriate implementation directly.  The fortify mode is specified
+   in this variable.  */
+static int fortify_mode;
+
+/* This does not handle long-double redirects etc., but we test only
+   format strings that stay within the confines of the base
+   implementation.  */
+int __vsprintf_chk (char *s, int flag, size_t slen, const char *format,
+                    va_list ap);
+
+/* Invoke vsprintf or __vsprintf_chk according to fortify_mode.  */
+static int
+my_vsprintf (char *buf, const char *format, va_list ap)
+{
+  int result;
+  if (fortify_mode == 0)
+    result = vsprintf (buf, format, ap);
+  else
+    /* Call the fortified version with an unspecified length.  */
+    result = __vsprintf_chk (buf, fortify_mode - 1, -1, format, ap);
+  return result;
+}
+
+/* Run one test, with the specified expected output.  */
+static void __attribute ((format (printf, 2, 3)))
+do_check (const char *expected, const char *format, ...)
+{
+  va_list ap;
+  va_start (ap, format);
+
+  char buf_expected[24];
+  memset (buf_expected, '@', sizeof (buf_expected));
+  TEST_VERIFY (strlen (expected) < sizeof (buf_expected));
+  strcpy (buf_expected, expected);
+
+  char buf[sizeof (buf_expected)];
+  memset (buf, '@', sizeof (buf));
+
+  int ret = my_vsprintf (buf, format, ap);
+  TEST_COMPARE_BLOB (buf_expected, sizeof (buf_expected), buf, sizeof (buf));
+  TEST_COMPARE (ret, strlen (expected));
+
+  va_end (ap);
+}
+
+/* Run the tests in all fortify modes.  */
+static void
+do_tests (void)
+{
+  for (fortify_mode = 0; fortify_mode <= 3; ++fortify_mode)
+    {
+      do_check ("0", "%d", 0);
+      do_check ("-2147483648", "%d", -2147483647 - 1);
+      do_check ("-9223372036854775808", "%lld", -9223372036854775807LL - 1);
+      do_check ("", "%s", "");
+      do_check ("                      ", "%22s", "");
+      do_check ("XXXXXXXXXXXXXXXXXXXXXX", "%s", "XXXXXXXXXXXXXXXXXXXXXX");
+      do_check ("1.125000", "%f", 1.125);
+      do_check ("1.125", "%g", 1.125);
+      do_check ("1.125", "%.8g", 1.125);
+    }
+}
+
+/* printf callback that falls back to the glibc-supplied
+   implementation.  */
+static int
+dummy_printf_function (FILE *__stream,
+                       const struct printf_info *__info,
+                       const void *const *__args)
+{
+  return -2;                    /* Request fallback.  */
+}
+
+/* Likewise for the type information.  */
+static int
+dummy_arginfo_function (const struct printf_info *info,
+                        size_t n, int *argtypes, int *size)
+{
+  return -1;                    /* Request fallback.  */
+}
+
+static int
+do_test (void)
+{
+  do_tests ();
+
+  /* Activate __printf_function_invoke mode.  */
+  register_printf_specifier ('d', dummy_printf_function,
+                             dummy_arginfo_function);
+  register_printf_specifier ('g', dummy_printf_function,
+                             dummy_arginfo_function);
+  register_printf_specifier ('s', dummy_printf_function,
+                             dummy_arginfo_function);
+
+  /* Rerun the tests with callback functions.  */
+  do_tests ();
+
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/include/printf_buffer.h b/include/printf_buffer.h
index 55feebf279..4d787e4b2c 100644
--- a/include/printf_buffer.h
+++ b/include/printf_buffer.h
@@ -115,17 +115,26 @@ __printf_buffer_has_failed (struct __printf_buffer *buf)
   return buf->mode == __printf_buffer_mode_failed;
 }
 
+/* Initialization of a buffer, using the memory region from [BASE,
+   END) as the initial buffer contents.  */
+static inline void
+__printf_buffer_init_end (struct __printf_buffer *buf, char *base, char *end,
+                          enum __printf_buffer_mode mode)
+{
+  buf->write_base = base;
+  buf->write_ptr = base;
+  buf->write_end = end;
+  buf->written = 0;
+  buf->mode = mode;
+}
+
 /* Initialization of a buffer, using the memory region from [BASE, BASE +LEN)
    as the initial buffer contents.  LEN can be zero.  */
 static inline void
 __printf_buffer_init (struct __printf_buffer *buf, char *base, size_t len,
                       enum __printf_buffer_mode mode)
 {
-  buf->write_base = base;
-  buf->write_ptr = base;
-  buf->write_end = base + len;
-  buf->written = 0;
-  buf->mode = mode;
+  __printf_buffer_init_end (buf, base, base + len, mode);
 }
 
 /* Called by printf_buffer_putc for a full buffer.  */
diff --git a/libio/iovsprintf.c b/libio/iovsprintf.c
index 8d53e401cc..9a4f59a06e 100644
--- a/libio/iovsprintf.c
+++ b/libio/iovsprintf.c
@@ -45,14 +45,19 @@ __vsprintf_internal (char *string, size_t maxlen,
   if ((mode_flags & PRINTF_CHK) != 0)
     {
       string[0] = '\0';
-      __printf_buffer_init (&buf, string, maxlen,
+      /* In some cases, __sprintf_chk is called with an unknown buffer
+	 size (the special value -1).  Prevent pointer wraparound in
+	 this case and saturate to the end of the address space.  */
+      uintptr_t end;
+      if (__builtin_add_overflow ((uintptr_t) string, maxlen, &end))
+	end = -1;
+      __printf_buffer_init_end (&buf, string, (char *) end,
 			    __printf_buffer_mode_sprintf_chk);
     }
   else
-    {
-      __printf_buffer_init (&buf, string, 0, __printf_buffer_mode_sprintf);
-      buf.write_end = (char *) ~(uintptr_t) 0; /* End of address space.  */
-    }
+    /* Use end of address space.  */
+    __printf_buffer_init_end (&buf, string, (char *) ~(uintptr_t) 0,
+			      __printf_buffer_mode_sprintf);
 
   __printf_buffer (&buf, format, args, mode_flags);