87c1f6
commit 33e03f9cd2be4f2cd62f93fda539cc07d9c8130e
87c1f6
Author: Joan Bruguera <joanbrugueram@gmail.com>
87c1f6
Date:   Mon Apr 11 19:49:56 2022 +0200
87c1f6
87c1f6
    misc: Fix rare fortify crash on wchar funcs. [BZ 29030]
87c1f6
    
87c1f6
    If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify
87c1f6
    checks should pass, and `__whatever_alias` should be called.
87c1f6
    
87c1f6
    Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but
87c1f6
    on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`.
87c1f6
    
87c1f6
    A comment says the -1 case should work as: "The -1 check is redundant because
87c1f6
    since it implies that __glibc_safe_len_cond is true.". But this fails when:
87c1f6
    * `__s > 1`
87c1f6
    * `__osz == -1` (i.e. unknown size at compile time)
87c1f6
    * `__l` is big enough
87c1f6
    * `__l * __s <= __osz` can be folded to a constant
87c1f6
    (I only found this to be true for `mbsrtowcs` and other functions in wchar2.h)
87c1f6
    
87c1f6
    In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be
87c1f6
    called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program.
87c1f6
    
87c1f6
    This commit adds the explicit `__osz == -1` check again.
87c1f6
    moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041
87c1f6
    
87c1f6
    Minimal test case (test.c):
87c1f6
        #include <wchar.h>
87c1f6
    
87c1f6
        int main (void)
87c1f6
        {
87c1f6
            const char *hw = "HelloWorld";
87c1f6
            mbsrtowcs (NULL, &hw, (size_t)-1, NULL);
87c1f6
            return 0;
87c1f6
        }
87c1f6
    
87c1f6
    Build with:
87c1f6
        gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test
87c1f6
    
87c1f6
    Output:
87c1f6
        *** buffer overflow detected ***: terminated
87c1f6
    
87c1f6
    Fixes: BZ #29030
87c1f6
    Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
87c1f6
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
87c1f6
87c1f6
diff --git a/debug/tst-fortify.c b/debug/tst-fortify.c
87c1f6
index 1668294e48b5c63c..701bffd1d664f289 100644
87c1f6
--- a/debug/tst-fortify.c
87c1f6
+++ b/debug/tst-fortify.c
87c1f6
@@ -1505,6 +1505,11 @@ do_test (void)
87c1f6
       CHK_FAIL_END
87c1f6
 #endif
87c1f6
 
87c1f6
+      /* Bug 29030 regresion check */
87c1f6
+      cp = "HelloWorld";
87c1f6
+      if (mbsrtowcs (NULL, &cp, (size_t)-1, &s) != 10)
87c1f6
+        FAIL ();
87c1f6
+
87c1f6
       cp = "A";
87c1f6
       if (mbstowcs (wenough, cp, 10) != 1
87c1f6
 	  || wcscmp (wenough, L"A") != 0)
87c1f6
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
87c1f6
index a17ae0ed87e6163f..404496c7d6da4fb3 100644
87c1f6
--- a/misc/sys/cdefs.h
87c1f6
+++ b/misc/sys/cdefs.h
87c1f6
@@ -143,13 +143,13 @@
87c1f6
    || (__builtin_constant_p (__l) && (__l) > 0))
87c1f6
 
87c1f6
 /* Length is known to be safe at compile time if the __L * __S <= __OBJSZ
87c1f6
-   condition can be folded to a constant and if it is true.  The -1 check is
87c1f6
-   redundant because since it implies that __glibc_safe_len_cond is true.  */
87c1f6
+   condition can be folded to a constant and if it is true, or unknown (-1) */
87c1f6
 #define __glibc_safe_or_unknown_len(__l, __s, __osz) \
87c1f6
-  (__glibc_unsigned_or_positive (__l)					      \
87c1f6
-   && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l),     \
87c1f6
-						   __s, __osz))		      \
87c1f6
-   && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), __s, __osz))
87c1f6
+  ((__osz) == (__SIZE_TYPE__) -1					      \
87c1f6
+   || (__glibc_unsigned_or_positive (__l)				      \
87c1f6
+       && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \
87c1f6
+						       (__s), (__osz)))	      \
87c1f6
+       && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), (__s), (__osz))))
87c1f6
 
87c1f6
 /* Conversely, we know at compile time that the length is unsafe if the
87c1f6
    __L * __S <= __OBJSZ condition can be folded to a constant and if it is