Message ID | 92cfb8c8-4fe9-8793-f378-a2c593de7493@gmail.com |
---|---|
State | Committed |
Delegated to: | Siddhesh Poyarekar |
Headers |
Return-Path: <libc-alpha-bounces@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 4D05D3844035; Fri, 1 Jan 2021 22:34:10 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4D05D3844035 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1609540450; bh=MaZHFJA1M8N2j7zfEEJCV+n4fkjSgyJh6bB3VOjcHtw=; h=Subject:To:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=XwJfUSryjdo7yvYyM+uUSrHe8ltN05qaavTcsfoVKVuuVO331EgDzwVW07FayjrM7 uTnAzHhzrTTluq8cMCztXODOdaGAFJY2NpDPAuRfagc8CzVdnAQn6Xs1UzfRIA2c/Q YEHxzXQk+YZEJi+6naJe7WlE/W3FK/GvUnv38M9s= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) by sourceware.org (Postfix) with ESMTPS id 5A4A83846012 for <libc-alpha@sourceware.org>; Fri, 1 Jan 2021 22:34:08 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 5A4A83846012 Received: by mail-ot1-x32b.google.com with SMTP id r9so20844599otk.11 for <libc-alpha@sourceware.org>; Fri, 01 Jan 2021 14:34:08 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:message-id:date:user-agent :mime-version:content-language:content-transfer-encoding; bh=MaZHFJA1M8N2j7zfEEJCV+n4fkjSgyJh6bB3VOjcHtw=; b=CpMhjRBpuH6HicXWpK5WP7QpPoBQYQK8bMrZqHwSLKbzqhTEtLh+Gl++kOHf3l2IuR lDoUSHgCJgXPgeEkY5NkiTWp4k9EFSUgZmNN/PkKLepci3oQvN7YpIw237s7F6fK2afp 1QDvdRdf2UxOo4xLQKWsNnNT8qKziuQfAM/K3HM4ens2We/vFDJRYr6UpURGW7sp1bQT +mDjJ2i3TxQ7qeVPWd8RzSJoyy17HqJ4zSKD/k7PGJ7fi0UBONcAYjOiv/+mofrwnV1V 6cYiaZSAyUMWeQjXRy6eKfYbnK3/AZVwaQoSJy4NraOSm0w44sci4jTa5LuwPU/M/SgV maaQ== X-Gm-Message-State: AOAM533yan1gnTr8MWl5aJG7BlViWD/SVbGWji2T6GziK0jCbRia5EKE npTGRTxJKF9h3u1seoC6R0GXz1QevMw= X-Google-Smtp-Source: ABdhPJyTGVplkokqS2pf5oi0kGJTx5Bf4slyvNi2deTClHXTKXVZOcO6XK05AwBFIBGWy+cXMP8Qtg== X-Received: by 2002:a9d:3e2:: with SMTP id f89mr45797356otf.278.1609540447652; Fri, 01 Jan 2021 14:34:07 -0800 (PST) Received: from [192.168.0.41] (75-166-96-128.hlrn.qwest.net. [75.166.96.128]) by smtp.gmail.com with ESMTPSA id p28sm12044917ota.14.2021.01.01.14.34.06 for <libc-alpha@sourceware.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Jan 2021 14:34:07 -0800 (PST) Subject: [PATCH] correct buffer end pointer in IO_wdefault_doallocate (BZ #26874) To: GNU C Library <libc-alpha@sourceware.org> Message-ID: <92cfb8c8-4fe9-8793-f378-a2c593de7493@gmail.com> Date: Fri, 1 Jan 2021 15:34:05 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-10.7 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=subscribe> From: Martin Sebor via Libc-alpha <libc-alpha@sourceware.org> Reply-To: Martin Sebor <msebor@gmail.com> Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" <libc-alpha-bounces@sourceware.org> |
Series |
correct buffer end pointer in IO_wdefault_doallocate (BZ #26874)
|
|
Commit Message
Martin Sebor
Jan. 1, 2021, 10:34 p.m. UTC
An experimental build of GCC 11 with an enhanced -Warray-bounds reports a bug in IO_wdefault_doallocate where the function forms an invalid past-the-end pointer to an allocated wchar_t buffer by failingf to consider the scaling by sizeof (wchar_t). The fix path below corrects this problem. It keeps the buffer size the same as opposed to increasing it according to what other code like it does. Since the bug looks like it might be exploitable I tried to create a test case to trigger a call to _IO_wdefault_doallocate but couldn't. No test in the test suite seems to either, so I post this patch without one. Martin
Comments
On 1/2/21 4:04 AM, Martin Sebor via Libc-alpha wrote: > An experimental build of GCC 11 with an enhanced -Warray-bounds > reports a bug in IO_wdefault_doallocate where the function forms > an invalid past-the-end pointer to an allocated wchar_t buffer > by failingf to consider the scaling by sizeof (wchar_t). > > The fix path below corrects this problem. It keeps the buffer > size the same as opposed to increasing it according to what other > code like it does. > > Since the bug looks like it might be exploitable I tried to create > a test case to trigger a call to _IO_wdefault_doallocate but couldn't. > No test in the test suite seems to either, so I post this patch without > one. I spent some time following those vtable setups and I don't think _IO_wdefault_doallocate gets called at all. The only instances it is set as the doallocate callback are in strops, wmemstream and in vswprintf. In all those cases, the backing buffer is either user supplied or is sized without using doallocate (as in the case of strops overflow). The only time libio needs to allocate buffers in the wide context is in wfileops when it's actually using the underlying buffer. In that case however, the doallocate callback is different. Nevertheless, this is a good cleanup, so LGTM. Thanks, Siddhesh > Martin > > diff --git a/libio/wgenops.c b/libio/wgenops.c > index 0a242d93ca..153b1da8dc 100644 > --- a/libio/wgenops.c > +++ b/libio/wgenops.c > @@ -379,12 +379,11 @@ libc_hidden_def (_IO_wdoallocbuf) > int > _IO_wdefault_doallocate (FILE *fp) > { > - wchar_t *buf; > - > - buf = malloc (BUFSIZ); > + wchar_t *buf = (wchar_t *)malloc (BUFSIZ); > if (__glibc_unlikely (buf == NULL)) > return EOF; > - _IO_wsetb (fp, buf, buf + BUFSIZ, 1); > + > + _IO_wsetb (fp, buf, buf + BUFSIZ / sizeof *buf, 1); > return 1; > } > libc_hidden_def (_IO_wdefault_doallocate) >
On 2/4/21 3:17 PM, Siddhesh Poyarekar wrote: > On 1/2/21 4:04 AM, Martin Sebor via Libc-alpha wrote: >> An experimental build of GCC 11 with an enhanced -Warray-bounds >> reports a bug in IO_wdefault_doallocate where the function forms >> an invalid past-the-end pointer to an allocated wchar_t buffer >> by failingf to consider the scaling by sizeof (wchar_t). >> >> The fix path below corrects this problem. It keeps the buffer >> size the same as opposed to increasing it according to what other >> code like it does. >> >> Since the bug looks like it might be exploitable I tried to create >> a test case to trigger a call to _IO_wdefault_doallocate but couldn't. >> No test in the test suite seems to either, so I post this patch without >> one. > > I spent some time following those vtable setups and I don't think > _IO_wdefault_doallocate gets called at all. The only instances it is > set as the doallocate callback are in strops, wmemstream and in > vswprintf. In all those cases, the backing buffer is either user > supplied or is sized without using doallocate (as in the case of strops > overflow). > > The only time libio needs to allocate buffers in the wide context is in > wfileops when it's actually using the underlying buffer. In that case > however, the doallocate callback is different. > > Nevertheless, this is a good cleanup, so LGTM. Martin, I've pushed this patch for you. Siddhesh
On 3/1/21 7:06 AM, Siddhesh Poyarekar wrote: > On 2/4/21 3:17 PM, Siddhesh Poyarekar wrote: >> On 1/2/21 4:04 AM, Martin Sebor via Libc-alpha wrote: >>> An experimental build of GCC 11 with an enhanced -Warray-bounds >>> reports a bug in IO_wdefault_doallocate where the function forms >>> an invalid past-the-end pointer to an allocated wchar_t buffer >>> by failingf to consider the scaling by sizeof (wchar_t). >>> >>> The fix path below corrects this problem. It keeps the buffer >>> size the same as opposed to increasing it according to what other >>> code like it does. >>> >>> Since the bug looks like it might be exploitable I tried to create >>> a test case to trigger a call to _IO_wdefault_doallocate but couldn't. >>> No test in the test suite seems to either, so I post this patch without >>> one. >> >> I spent some time following those vtable setups and I don't think >> _IO_wdefault_doallocate gets called at all. The only instances it is >> set as the doallocate callback are in strops, wmemstream and in >> vswprintf. In all those cases, the backing buffer is either user >> supplied or is sized without using doallocate (as in the case of >> strops overflow). >> >> The only time libio needs to allocate buffers in the wide context is >> in wfileops when it's actually using the underlying buffer. In that >> case however, the doallocate callback is different. >> >> Nevertheless, this is a good cleanup, so LGTM. > > Martin, I've pushed this patch for you. Thanks! (And sorry for not getting to it myself. I'm behind on a number of fronts.) Martin > > Siddhesh
diff --git a/libio/wgenops.c b/libio/wgenops.c index 0a242d93ca..153b1da8dc 100644 --- a/libio/wgenops.c +++ b/libio/wgenops.c @@ -379,12 +379,11 @@ libc_hidden_def (_IO_wdoallocbuf) int _IO_wdefault_doallocate (FILE *fp) { - wchar_t *buf; - - buf = malloc (BUFSIZ); + wchar_t *buf = (wchar_t *)malloc (BUFSIZ); if (__glibc_unlikely (buf == NULL)) return EOF; - _IO_wsetb (fp, buf, buf + BUFSIZ, 1); + + _IO_wsetb (fp, buf, buf + BUFSIZ / sizeof *buf, 1); return 1; } libc_hidden_def (_IO_wdefault_doallocate)