From patchwork Mon Apr 25 12:04:22 2022
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: Joan Bruguera
Subject: [committed] misc: Fix rare fortify crash on wchar funcs. [BZ 29030]
Date: Mon, 25 Apr 2022 17:34:22 +0530
Message-Id: <20220425120422.954129-1-siddhesh@sourceware.org>
In-Reply-To: <20220411174956.2657622-1-joanbrugueram@gmail.com>
References: <20220411174956.2657622-1-joanbrugueram@gmail.com>
X-Patchwork-Id: 53174
From: Joan Bruguera

Hi,

I've pushed this now, which is your fix + changes I suggested during review.

Thanks,
Siddhesh

--->8---

If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size),
fortify checks should pass, and `__whatever_alias` should be called.

Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked,
but on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`.

A comment says the -1 case should work as: "The -1 check is redundant
because since it implies that __glibc_safe_len_cond is true.".

But this fails when:
  * `__s > 1`
  * `__osz == -1` (i.e. unknown size at compile time)
  * `__l` is big enough
  * `__l * __s <= __osz` can be folded to a constant
    (I only found this to be true for `mbsrtowcs` and other functions in wchar2.h)

In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be
called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program.

This commit adds the explicit `__osz == -1` check again.

moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041

Minimal test case (test.c):

    #include <wchar.h>

    int main (void)
    {
        const char *hw = "HelloWorld";
        mbsrtowcs (NULL, &hw, (size_t)-1, NULL);
        return 0;
    }

Build with:

    gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test

Output:

    *** buffer overflow detected ***: terminated

Fixes: BZ #29030

Signed-off-by: Joan Bruguera
Signed-off-by: Siddhesh Poyarekar
---
 debug/tst-fortify.c | 5 +++++
 misc/sys/cdefs.h    | 12 ++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/debug/tst-fortify.c b/debug/tst-fortify.c index d65a2fe6e1..03c9867714 100644 --- a/debug/tst-fortify.c +++ b/debug/tst-fortify.c @@ -1504,6 +1504,11 @@ do_test (void) CHK_FAIL_END #endif + /* Bug 29030 regresion check */ + cp = "HelloWorld"; + if (mbsrtowcs (NULL, &cp, (size_t)-1, &s) != 10) + FAIL (); + cp = "A"; if (mbstowcs (wenough, cp, 10) != 1 || wcscmp (wenough, L"A") != 0) 
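Review bot: the comment on the first added line of the tst-fortify.c hunk has a typo, "regresion" for "regression"; suggest "/* Bug 29030 regression check */". It would also be worth a second comment line stating why the call is shaped the way it is: the NULL destination gives an unknown object size and the (size_t)-1 length is a compile-time constant, which is exactly the combination the commit message says folds __l * __s <= __osz to a false constant, so a later "cleanup" that passes a real buffer or a variable length would silently stop exercising the bug. The expected return value of 10 is the character count of "HelloWorld", which the NULL-destination form of mbsrtowcs computes without writing anything, so the check fails only if the fortified wrapper takes the __chk_warn path.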
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index 44d3826bca..f1faf8292c 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h @@ -162,13 +162,13 @@ || (__builtin_constant_p (__l) && (__l) > 0)) /* Length is known to be safe at compile time if the __L * __S <= __OBJSZ - condition can be folded to a constant and if it is true. The -1 check is - redundant because since it implies that __glibc_safe_len_cond is true. */ + condition can be folded to a constant and if it is true, or unknown (-1) */ #define __glibc_safe_or_unknown_len(__l, __s, __osz) \ - (__glibc_unsigned_or_positive (__l) \ - && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \ - __s, __osz)) \ - && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), __s, __osz)) + ((__osz) == (__SIZE_TYPE__) -1 \ + || (__glibc_unsigned_or_positive (__l) \ + && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \ + (__s), (__osz))) \ + && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), (__s), (__osz)))) /* Conversely, we know at compile time that the length is unsafe if the __L * __S <= __OBJSZ condition can be folded to a constant and if it is
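Review bot: the rewritten comment in the cdefs.h hunk, "condition can be folded to a constant and if it is true, or unknown (-1) */", now ends in a fragment with no period; suggest "... and if it is true, or if the object size is unknown (-1)." so the three outcomes read cleanly. Putting (__osz) == (__SIZE_TYPE__) -1 as the first disjunct is the right shape: when __glibc_objsize cannot determine the size none of the later terms can establish anything, so the alias is selected without evaluating __glibc_unsigned_or_positive (__l) or the __builtin_constant_p test, and since the value returned by __glibc_objsize is itself a compile-time constant the whole expression still folds. The added parentheses around (__s) and (__osz) in the three uses are an independent but correct fix, since both arguments arrive as expressions (sizeof (wchar_t), __glibc_objsize (__dst)) and the unparenthesized form relied on precedence working out.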
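To make the dispatch the commit message describes concrete, here is an added illustration in C of the three length predicates from misc/sys/cdefs.h before and after the fix. This is not glibc's code and not part of the patch: the real macros ask __builtin_constant_p whether the comparison folds at compile time, and here that test is replaced by the assumption, true for the mbsrtowcs case above, that it does fold, so only the arithmetic and the resulting choice of alias / chk / chk_warn is modelled. The function and enum names (safe_len_cond, dispatch_old, dispatch_new, CALL_CHK_WARN, and so on) are this example's own.

```c
/* Added illustration of the fortify length predicates from misc/sys/cdefs.h,
   before and after the BZ #29030 fix.  NOT glibc's code: the real macros use
   __builtin_constant_p to find out whether the comparison folds at compile
   time; here that is replaced by the assumption (true for the mbsrtowcs case
   in the commit message) that it does fold, so only the arithmetic and the
   resulting dispatch are modelled.  Function and enum names are our own.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* __glibc_objsize yields (size_t) -1 when the object size is unknown.  */
#define UNKNOWN_OBJSIZE ((size_t) -1)

/* __glibc_safe_len_cond: "__L * __S <= __OBJSZ", written as a division so
   the product cannot overflow.  s must be nonzero.  */
static bool
safe_len_cond (size_t l, size_t s, size_t osz)
{
  return l <= osz / s;
}

/* Pre-fix __glibc_safe_or_unknown_len: leaned on the claim that an unknown
   size (-1) makes safe_len_cond true, which stops holding once s > 1 and l
   is large enough that l > (size_t) -1 / s.  */
static bool
safe_or_unknown_len_old (size_t l, size_t s, size_t osz)
{
  return safe_len_cond (l, s, osz);
}

/* Post-fix version: the unknown size is accepted explicitly, and first.  */
static bool
safe_or_unknown_len_new (size_t l, size_t s, size_t osz)
{
  return osz == UNKNOWN_OBJSIZE || safe_len_cond (l, s, osz);
}

/* __glibc_unsafe_len: the (folded) comparison is false.  */
static bool
unsafe_len (size_t l, size_t s, size_t osz)
{
  return !safe_len_cond (l, s, osz);
}

/* The three targets __glibc_fortify can expand to.  */
enum dispatch
{
  CALL_ALIAS,     /* __f_alias: the plain function, no check at all */
  CALL_CHK_WARN,  /* __f_chk_warn: compile-time warning, aborts at run time */
  CALL_CHK        /* __f_chk: run-time checked variant */
};

static enum dispatch
fortify_dispatch (bool safe_or_unknown, bool unsafe)
{
  if (safe_or_unknown)
    return CALL_ALIAS;
  return unsafe ? CALL_CHK_WARN : CALL_CHK;
}

enum dispatch
dispatch_old (size_t l, size_t s, size_t osz)
{
  return fortify_dispatch (safe_or_unknown_len_old (l, s, osz),
                           unsafe_len (l, s, osz));
}

enum dispatch
dispatch_new (size_t l, size_t s, size_t osz)
{
  return fortify_dispatch (safe_or_unknown_len_new (l, s, osz),
                           unsafe_len (l, s, osz));
}

static const char *
name (enum dispatch d)
{
  return d == CALL_ALIAS ? "alias"
         : d == CALL_CHK_WARN ? "chk_warn (abort)" : "chk";
}

int
main (void)
{
  /* The commit message's case: mbsrtowcs (NULL, &hw, (size_t) -1, NULL),
     i.e. __l = (size_t) -1, __s = sizeof (wchar_t), __osz unknown.  */
  size_t l = (size_t) -1, s = sizeof (wchar_t);
  printf ("unknown size, len -1: old -> %s, new -> %s\n",
          name (dispatch_old (l, s, UNKNOWN_OBJSIZE)),
          name (dispatch_new (l, s, UNKNOWN_OBJSIZE)));

  /* A known 40-byte destination of 4-byte elements: the fix must keep
     catching a real overflow (11 > 10 elements) while passing a safe one.  */
  printf ("40-byte buffer, 10 elements: new -> %s\n", name (dispatch_new (10, 4, 40)));
  printf ("40-byte buffer, 11 elements: new -> %s\n", name (dispatch_new (11, 4, 40)));
  return 0;
}
```

Two things the model makes visible that the prose only states: with s == 1 the old reasoning was actually sound, since (size_t) -1 <= (size_t) -1 / 1 holds for any l, which is why only the wchar wrappers (element size sizeof (wchar_t)) were affected; and the explicit -1 disjunct does not weaken detection for known-size objects, because dispatch_old and dispatch_new agree on every case where osz is a real size.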