d8307d
commit 2f498f3d140ab5152bd784df2be7af7d9c5e63ed
d8307d
Author: Florian Weimer <fweimer@redhat.com>
d8307d
Date:   Tue Aug 14 10:57:48 2018 +0200
d8307d
d8307d
    nss_files: Fix file stream leak in aliases lookup [BZ #23521]
d8307d
    
d8307d
    In order to get a clean test case, it was necessary to fix partially
d8307d
    fixed bug 23522 as well.
d8307d
    
d8307d
    (cherry picked from commit e95c6f61920a0f9237cfb292fa44ad500e1df09b)
d8307d
d8307d
diff --git a/nss/Makefile b/nss/Makefile
d8307d
index 66fac7f5b8a4c0d8..5209fc0456dd6786 100644
d8307d
--- a/nss/Makefile
d8307d
+++ b/nss/Makefile
d8307d
@@ -65,6 +65,7 @@ ifeq (yes,$(build-shared))
d8307d
 tests += tst-nss-files-hosts-erange
d8307d
 tests += tst-nss-files-hosts-multi
d8307d
 tests += tst-nss-files-hosts-getent
d8307d
+tests += tst-nss-files-alias-leak
d8307d
 endif
d8307d
 
d8307d
 # If we have a thread library then we can test cancellation against
d8307d
@@ -171,3 +172,5 @@ endif
d8307d
 $(objpfx)tst-nss-files-hosts-erange: $(libdl)
d8307d
 $(objpfx)tst-nss-files-hosts-multi: $(libdl)
d8307d
 $(objpfx)tst-nss-files-hosts-getent: $(libdl)
d8307d
+$(objpfx)tst-nss-files-alias-leak: $(libdl)
d8307d
+$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
d8307d
diff --git a/nss/nss_files/files-alias.c b/nss/nss_files/files-alias.c
d8307d
index cfd34b66b921bbff..35b0bfc5d2479ab6 100644
d8307d
--- a/nss/nss_files/files-alias.c
d8307d
+++ b/nss/nss_files/files-alias.c
d8307d
@@ -221,6 +221,13 @@ get_next_alias (FILE *stream, const char *match, struct aliasent *result,
d8307d
 			{
d8307d
 			  while (! feof_unlocked (listfile))
d8307d
 			    {
d8307d
+			      if (room_left < 2)
d8307d
+				{
d8307d
+				  free (old_line);
d8307d
+				  fclose (listfile);
d8307d
+				  goto no_more_room;
d8307d
+				}
d8307d
+
d8307d
 			      first_unused[room_left - 1] = '\xff';
d8307d
 			      line = fgets_unlocked (first_unused, room_left,
d8307d
 						     listfile);
d8307d
@@ -229,6 +236,7 @@ get_next_alias (FILE *stream, const char *match, struct aliasent *result,
d8307d
 			      if (first_unused[room_left - 1] != '\xff')
d8307d
 				{
d8307d
 				  free (old_line);
d8307d
+				  fclose (listfile);
d8307d
 				  goto no_more_room;
d8307d
 				}
d8307d
 
d8307d
@@ -256,6 +264,7 @@ get_next_alias (FILE *stream, const char *match, struct aliasent *result,
d8307d
 						       + __alignof__ (char *)))
d8307d
 					{
d8307d
 					  free (old_line);
d8307d
+					  fclose (listfile);
d8307d
 					  goto no_more_room;
d8307d
 					}
d8307d
 				      room_left -= ((first_unused - cp)
d8307d
diff --git a/nss/tst-nss-files-alias-leak.c b/nss/tst-nss-files-alias-leak.c
d8307d
new file mode 100644
d8307d
index 0000000000000000..26d38e2dba1ddaf3
d8307d
--- /dev/null
d8307d
+++ b/nss/tst-nss-files-alias-leak.c
d8307d
@@ -0,0 +1,237 @@
d8307d
+/* Check for file descriptor leak in alias :include: processing (bug 23521).
d8307d
+   Copyright (C) 2018 Free Software Foundation, Inc.
d8307d
+   This file is part of the GNU C Library.
d8307d
+
d8307d
+   The GNU C Library is free software; you can redistribute it and/or
d8307d
+   modify it under the terms of the GNU Lesser General Public
d8307d
+   License as published by the Free Software Foundation; either
d8307d
+   version 2.1 of the License, or (at your option) any later version.
d8307d
+
d8307d
+   The GNU C Library is distributed in the hope that it will be useful,
d8307d
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
d8307d
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
d8307d
+   Lesser General Public License for more details.
d8307d
+
d8307d
+   You should have received a copy of the GNU Lesser General Public
d8307d
+   License along with the GNU C Library; if not, see
d8307d
+   <http://www.gnu.org/licenses/>.  */
d8307d
+
d8307d
+#include <aliases.h>
d8307d
+#include <array_length.h>
d8307d
+#include <dlfcn.h>
d8307d
+#include <errno.h>
d8307d
+#include <gnu/lib-names.h>
d8307d
+#include <nss.h>
d8307d
+#include <stdlib.h>
d8307d
+#include <string.h>
d8307d
+#include <support/check.h>
d8307d
+#include <support/namespace.h>
d8307d
+#include <support/support.h>
d8307d
+#include <support/temp_file.h>
d8307d
+#include <support/test-driver.h>
d8307d
+#include <support/xstdio.h>
d8307d
+#include <support/xunistd.h>
d8307d
+
d8307d
+static struct support_chroot *chroot_env;
d8307d
+
d8307d
+/* Number of the aliases for the "many" user.  This must be large
d8307d
+   enough to trigger reallocation for the pointer array, but result in
d8307d
+   answers below the maximum size tried in do_test.  */
d8307d
+enum { many_aliases = 30 };
d8307d
+
d8307d
+static void
d8307d
+prepare (int argc, char **argv)
d8307d
+{
d8307d
+  chroot_env = support_chroot_create
d8307d
+    ((struct support_chroot_configuration) { } );
d8307d
+
d8307d
+  char *path = xasprintf ("%s/etc/aliases", chroot_env->path_chroot);
d8307d
+  add_temp_file (path);
d8307d
+  support_write_file_string
d8307d
+    (path,
d8307d
+     "user1: :include:/etc/aliases.user1\n"
d8307d
+     "user2: :include:/etc/aliases.user2\n"
d8307d
+     "comment: comment1, :include:/etc/aliases.comment\n"
d8307d
+     "many: :include:/etc/aliases.many\n");
d8307d
+  free (path);
d8307d
+
d8307d
+  path = xasprintf ("%s/etc/aliases.user1", chroot_env->path_chroot);
d8307d
+  add_temp_file (path);
d8307d
+  support_write_file_string (path, "alias1\n");
d8307d
+  free (path);
d8307d
+
d8307d
+  path = xasprintf ("%s/etc/aliases.user2", chroot_env->path_chroot);
d8307d
+  add_temp_file (path);
d8307d
+  support_write_file_string (path, "alias1a, alias2\n");
d8307d
+  free (path);
d8307d
+
d8307d
+  path = xasprintf ("%s/etc/aliases.comment", chroot_env->path_chroot);
d8307d
+  add_temp_file (path);
d8307d
+  support_write_file_string
d8307d
+    (path,
d8307d
+     /* The line must be longer than the line with the :include:
d8307d
+        directive in /etc/aliases.  */
d8307d
+     "# Long line.  ##############################################\n"
d8307d
+     "comment2\n");
d8307d
+  free (path);
d8307d
+
d8307d
+  path = xasprintf ("%s/etc/aliases.many", chroot_env->path_chroot);
d8307d
+  add_temp_file (path);
d8307d
+  FILE *fp = xfopen (path, "w");
d8307d
+  for (int i = 0; i < many_aliases; ++i)
d8307d
+    fprintf (fp, "a%d\n", i);
d8307d
+  TEST_VERIFY_EXIT (! ferror (fp));
d8307d
+  xfclose (fp);
d8307d
+  free (path);
d8307d
+}
d8307d
+
d8307d
+/* The names of the users to test.  */
d8307d
+static const char *users[] = { "user1", "user2", "comment", "many" };
d8307d
+
d8307d
+static void
d8307d
+check_aliases (int id, const struct aliasent *e)
d8307d
+{
d8307d
+  TEST_VERIFY_EXIT (id >= 0 || id < array_length (users));
d8307d
+  const char *name = users[id];
d8307d
+  TEST_COMPARE_BLOB (e->alias_name, strlen (e->alias_name),
d8307d
+                     name, strlen (name));
d8307d
+
d8307d
+  switch (id)
d8307d
+    {
d8307d
+    case 0:
d8307d
+      TEST_COMPARE (e->alias_members_len, 1);
d8307d
+      TEST_COMPARE_BLOB (e->alias_members[0], strlen (e->alias_members[0]),
d8307d
+                         "alias1", strlen ("alias1"));
d8307d
+      break;
d8307d
+
d8307d
+    case 1:
d8307d
+      TEST_COMPARE (e->alias_members_len, 2);
d8307d
+      TEST_COMPARE_BLOB (e->alias_members[0], strlen (e->alias_members[0]),
d8307d
+                         "alias1a", strlen ("alias1a"));
d8307d
+      TEST_COMPARE_BLOB (e->alias_members[1], strlen (e->alias_members[1]),
d8307d
+                         "alias2", strlen ("alias2"));
d8307d
+      break;
d8307d
+
d8307d
+    case 2:
d8307d
+      TEST_COMPARE (e->alias_members_len, 2);
d8307d
+      TEST_COMPARE_BLOB (e->alias_members[0], strlen (e->alias_members[0]),
d8307d
+                         "comment1", strlen ("comment1"));
d8307d
+      TEST_COMPARE_BLOB (e->alias_members[1], strlen (e->alias_members[1]),
d8307d
+                         "comment2", strlen ("comment2"));
d8307d
+      break;
d8307d
+
d8307d
+    case 3:
d8307d
+      TEST_COMPARE (e->alias_members_len, many_aliases);
d8307d
+      for (int i = 0; i < e->alias_members_len; ++i)
d8307d
+        {
d8307d
+          char alias[30];
d8307d
+          int len = snprintf (alias, sizeof (alias), "a%d", i);
d8307d
+          TEST_VERIFY_EXIT (len > 0);
d8307d
+          TEST_COMPARE_BLOB (e->alias_members[i], strlen (e->alias_members[i]),
d8307d
+                             alias, len);
d8307d
+        }
d8307d
+      break;
d8307d
+    }
d8307d
+}
d8307d
+
d8307d
+static int
d8307d
+do_test (void)
d8307d
+{
d8307d
+  /* Make sure we don't try to load the module in the chroot.  */
d8307d
+  if (dlopen (LIBNSS_FILES_SO, RTLD_NOW) == NULL)
d8307d
+    FAIL_EXIT1 ("could not load " LIBNSS_FILES_SO ": %s", dlerror ());
d8307d
+
d8307d
+  /* Some of these descriptors will become unavailable if there is a
d8307d
+     file descriptor leak.  10 is chosen somewhat arbitrarily.  The
d8307d
+     array must be longer than the number of files opened by nss_files
d8307d
+     at the same time (currently that number is 2).  */
d8307d
+  int next_descriptors[10];
d8307d
+  for (size_t i = 0; i < array_length (next_descriptors); ++i)
d8307d
+    {
d8307d
+      next_descriptors[i] = dup (0);
d8307d
+      TEST_VERIFY_EXIT (next_descriptors[i] > 0);
d8307d
+    }
d8307d
+  for (size_t i = 0; i < array_length (next_descriptors); ++i)
d8307d
+    xclose (next_descriptors[i]);
d8307d
+
d8307d
+  support_become_root ();
d8307d
+  if (!support_can_chroot ())
d8307d
+    return EXIT_UNSUPPORTED;
d8307d
+
d8307d
+  __nss_configure_lookup ("aliases", "files");
d8307d
+
d8307d
+  xchroot (chroot_env->path_chroot);
d8307d
+
d8307d
+  /* Attempt various buffer sizes.  If the operation succeeds, we
d8307d
+     expect correct data.  */
d8307d
+  for (int id = 0; id < array_length (users); ++id)
d8307d
+    {
d8307d
+      bool found = false;
d8307d
+      for (size_t size = 1; size <= 1000; ++size)
d8307d
+        {
d8307d
+          void *buffer = malloc (size);
d8307d
+          struct aliasent result;
d8307d
+          struct aliasent *res;
d8307d
+          errno = EINVAL;
d8307d
+          int ret = getaliasbyname_r (users[id], &result, buffer, size, &res;;
d8307d
+          if (ret == 0)
d8307d
+            {
d8307d
+              if (res != NULL)
d8307d
+                {
d8307d
+                  found = true;
d8307d
+                  check_aliases (id, res);
d8307d
+                }
d8307d
+              else
d8307d
+                {
d8307d
+                  support_record_failure ();
d8307d
+                  printf ("error: failed lookup for user \"%s\", size %zu\n",
d8307d
+                          users[id], size);
d8307d
+                }
d8307d
+            }
d8307d
+          else if (ret != ERANGE)
d8307d
+            {
d8307d
+              support_record_failure ();
d8307d
+              printf ("error: invalid return code %d (user \%s\", size %zu)\n",
d8307d
+                      ret, users[id], size);
d8307d
+            }
d8307d
+          free (buffer);
d8307d
+
d8307d
+          /* Make sure that we did not have a file descriptor leak.  */
d8307d
+          for (size_t i = 0; i < array_length (next_descriptors); ++i)
d8307d
+            {
d8307d
+              int new_fd = dup (0);
d8307d
+              if (new_fd != next_descriptors[i])
d8307d
+                {
d8307d
+                  support_record_failure ();
d8307d
+                  printf ("error: descriptor %d at index %zu leaked"
d8307d
+                          " (user \"%s\", size %zu)\n",
d8307d
+                          next_descriptors[i], i, users[id], size);
d8307d
+
d8307d
+                  /* Close unexpected descriptor, the leak probing
d8307d
+                     descriptors, and the leaked descriptor
d8307d
+                     next_descriptors[i].  */
d8307d
+                  xclose (new_fd);
d8307d
+                  for (size_t j = 0; j <= i; ++j)
d8307d
+                    xclose (next_descriptors[j]);
d8307d
+                  goto next_size;
d8307d
+                }
d8307d
+            }
d8307d
+          for (size_t i = 0; i < array_length (next_descriptors); ++i)
d8307d
+            xclose (next_descriptors[i]);
d8307d
+
d8307d
+        next_size:
d8307d
+          ;
d8307d
+        }
d8307d
+      if (!found)
d8307d
+        {
d8307d
+          support_record_failure ();
d8307d
+          printf ("error: user %s not found\n", users[id]);
d8307d
+        }
d8307d
+    }
d8307d
+
d8307d
+  support_chroot_free (chroot_env);
d8307d
+  return 0;
d8307d
+}
d8307d
+
d8307d
+#define PREPARE prepare
d8307d
+#include <support/test-driver.c>