From patchwork Fri Oct 28 16:39:57 2022
X-Patchwork-Submitter: Szabolcs Nagy
X-Patchwork-Id: 59586
List-Id: Libc-alpha mailing list
Subject: [PATCH v2 1/4] Fix OOB read in stdlib thousand grouping parsing [BZ #29727]
Date: Fri, 28 Oct 2022 17:39:57 +0100
From: Szabolcs Nagy

__correctly_grouped_prefixmb only worked with thousands_len == 1,
otherwise it read past the end of cp or thousands.

This affects scanf formats like %'d, %'f and the internal but
exposed __strto{l,ul,f,d,..}_internal with grouping flag set
and an LC_NUMERIC locale where thousands_len > 1.

Avoid OOB access by considering thousands_len when initializing cp.
This fixes bug 29727.

Found by the morello port with strict bounds checking where

FAIL: stdlib/tst-strtod4
FAIL: stdlib/tst-strtod5i

crashed using a locale with thousands_len==3.
---
v2:
- use const thousands_len for !USE_WIDE_CHAR.
---
 stdlib/grouping.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/stdlib/grouping.c b/stdlib/grouping.c index be7922f5fd..06cbe7b9c7 100644 --- a/stdlib/grouping.c +++ b/stdlib/grouping.c @@ -52,21 +52,19 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end, #endif const char *grouping) { -#ifndef USE_WIDE_CHAR - size_t thousands_len; - int cnt; -#endif - if (grouping == NULL) return end; -#ifndef USE_WIDE_CHAR - thousands_len = strlen (thousands); +#ifdef USE_WIDE_CHAR + size_t thousands_len = 1; +#else + size_t thousands_len = strlen (thousands); + int cnt; #endif - while (end > begin) + while (end - begin >= thousands_len) { - const STRING_TYPE *cp = end - 1; + const STRING_TYPE *cp = end - thousands_len; const char *gp = grouping; /* Check first group. */
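
Review bot: The new loop condition, while (end - begin >= thousands_len), compares a signed pointer difference with a size_t, so the difference is converted to unsigned, and it also changes behaviour when thousands_len is 0. In the !USE_WIDE_CHAR branch thousands_len comes from strlen (thousands); if thousands can be an empty string, the condition is still true at end == begin, where the old while (end > begin) stopped, and cp = end - thousands_len then starts at end. The hunk does not show whether callers rule that out, so either state the precondition in a comment next to the declaration or keep the lower bound explicit, for example while (end > begin && (size_t) (end - begin) >= thousands_len), which also avoids a sign-compare warning.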