loadarchive: guard against locale-archive corruption

Message ID	xn1rv9hhqq.fsf@greed.delorie.com
State	Committed
Commit	ef21bd2d8c6805c0c186a01f7c5039189f51b8c4
Headers	Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk Sender: libc-alpha-owner@sourceware.org Date: Fri, 18 Oct 2019 17:21:49 -0400 Message-Id: <xn1rv9hhqq.fsf@greed.delorie.com> From: DJ Delorie <dj@redhat.com> To: libc-alpha@sourceware.org Subject: [patch] loadarchive: guard against locale-archive corruption

Message ID

xn1rv9hhqq.fsf@greed.delorie.com

State

Committed

Commit

ef21bd2d8c6805c0c186a01f7c5039189f51b8c4

Headers

Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: libc-alpha-owner@sourceware.org
Date: Fri, 18 Oct 2019 17:21:49 -0400
Message-Id: <xn1rv9hhqq.fsf@greed.delorie.com>
From: DJ Delorie <dj@redhat.com>
To: libc-alpha@sourceware.org
Subject: [patch] loadarchive: guard against locale-archive corruption

Commit Message

DJ Delorie Oct. 18, 2019, 9:21 p.m. UTC

  From 1c9ebf0296d4dfe32dd856fc6d1932212a0b0175 Mon Sep 17 00:00:00 2001
From: DJ Delorie <dj@redhat.com>
Date: Fri, 18 Oct 2019 17:15:52 -0400
Subject: loadarchive: guard against locale-archive corruption

_nl_load_locale_from_archive() checks for a zero size, but
divides by both (size) and (size-2).  Extend the check to
guard against a size of two or less.

Tested by manually corrupting locale-archive and running a program
that calls setlocale() with LOCPATH unset (size is typically very
large).

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1470124

Comments

Carlos O'Donell Oct. 18, 2019, 9:29 p.m. UTC | #1

On 10/18/19 5:21 PM, DJ Delorie wrote:
> From 1c9ebf0296d4dfe32dd856fc6d1932212a0b0175 Mon Sep 17 00:00:00 2001
> From: DJ Delorie <dj@redhat.com>
> Date: Fri, 18 Oct 2019 17:15:52 -0400
> Subject: loadarchive: guard against locale-archive corruption
> 

This is a user visible bug and so needs a sourceware bug.

The sourceware bug should be part of the first git commit message line e.g.

loadarchive: guard against locale-archive corruption (Bug XXXX)

OK for master with bug created and bug # on commit line.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

> _nl_load_locale_from_archive() checks for a zero size, but
> divides by both (size) and (size-2).  Extend the check to
> guard against a size of two or less.

OK.

> 
> Tested by manually corrupting locale-archive and running a program
> that calls setlocale() with LOCPATH unset (size is typically very
> large).

OK.

> 
> Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1470124
> 
> diff --git a/locale/loadarchive.c b/locale/loadarchive.c
> index 981f68d410..b4a73d5c94 100644
> --- a/locale/loadarchive.c
> +++ b/locale/loadarchive.c
> @@ -274,7 +274,7 @@ _nl_load_locale_from_archive (int category, const char **namep)
>  					+ head->namehash_offset);
>  
>    /* Avoid division by 0 if the file is corrupted.  */
> -  if (__glibc_unlikely (head->namehash_size == 0))
> +  if (__glibc_unlikely (head->namehash_size <= 2))

OK. Reviewed the surrounding code which does the two divisions, and this looks correct.

>      goto close_and_out;
>  
>    idx = hval % head->namehash_size;
>

diff --git a/locale/loadarchive.c b/locale/loadarchive.c
index 981f68d410..b4a73d5c94 100644
--- a/locale/loadarchive.c
+++ b/locale/loadarchive.c
@@ -274,7 +274,7 @@  _nl_load_locale_from_archive (int category, const char **namep)
 					+ head->namehash_offset);
 
   /* Avoid division by 0 if the file is corrupted.  */
-  if (__glibc_unlikely (head->namehash_size == 0))
+  if (__glibc_unlikely (head->namehash_size <= 2))
     goto close_and_out;
 
   idx = hval % head->namehash_size;

loadarchive: guard against locale-archive corruption

Commit Message

Comments

Patch