|
 |
c5d972 |
commit 33e03f9cd2be4f2cd62f93fda539cc07d9c8130e
|
|
|
c5d972 |
Author: Joan Bruguera <joanbrugueram@gmail.com>
|
|
|
c5d972 |
Date: Mon Apr 11 19:49:56 2022 +0200
|
|
|
c5d972 |
|
|
|
c5d972 |
misc: Fix rare fortify crash on wchar funcs. [BZ 29030]
|
|
|
c5d972 |
|
|
|
c5d972 |
If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify
|
|
|
c5d972 |
checks should pass, and `__whatever_alias` should be called.
|
|
|
c5d972 |
|
|
|
c5d972 |
Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but
|
|
|
c5d972 |
on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`.
|
|
|
c5d972 |
|
|
|
c5d972 |
A comment says the -1 case should work as: "The -1 check is redundant because
|
|
|
c5d972 |
since it implies that __glibc_safe_len_cond is true.". But this fails when:
|
|
|
c5d972 |
* `__s > 1`
|
|
|
c5d972 |
* `__osz == -1` (i.e. unknown size at compile time)
|
|
|
c5d972 |
* `__l` is big enough
|
|
|
c5d972 |
* `__l * __s <= __osz` can be folded to a constant
|
|
|
c5d972 |
(I only found this to be true for `mbsrtowcs` and other functions in wchar2.h)
|
|
|
c5d972 |
|
|
|
c5d972 |
In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be
|
|
|
c5d972 |
called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program.
|
|
|
c5d972 |
|
|
|
c5d972 |
This commit adds the explicit `__osz == -1` check again.
|
|
|
c5d972 |
moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041
|
|
|
c5d972 |
|
|
|
c5d972 |
Minimal test case (test.c):
|
|
|
c5d972 |
#include <wchar.h>
|
|
|
c5d972 |
|
|
|
c5d972 |
int main (void)
|
|
|
c5d972 |
{
|
|
|
c5d972 |
const char *hw = "HelloWorld";
|
|
|
c5d972 |
mbsrtowcs (NULL, &hw, (size_t)-1, NULL);
|
|
|
c5d972 |
return 0;
|
|
|
c5d972 |
}
|
|
|
c5d972 |
|
|
|
c5d972 |
Build with:
|
|
|
c5d972 |
gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test
|
|
|
c5d972 |
|
|
|
c5d972 |
Output:
|
|
|
c5d972 |
*** buffer overflow detected ***: terminated
|
|
|
c5d972 |
|
|
|
c5d972 |
Fixes: BZ #29030
|
|
|
c5d972 |
Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
|
|
|
c5d972 |
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
|
|
c5d972 |
|
|
|
c5d972 |
diff --git a/debug/tst-fortify.c b/debug/tst-fortify.c
|
|
|
c5d972 |
index 1668294e48b5c63c..701bffd1d664f289 100644
|
|
|
c5d972 |
--- a/debug/tst-fortify.c
|
|
|
c5d972 |
+++ b/debug/tst-fortify.c
|
|
|
c5d972 |
@@ -1505,6 +1505,11 @@ do_test (void)
|
|
|
c5d972 |
CHK_FAIL_END
|
|
|
c5d972 |
#endif
|
|
|
c5d972 |
|
|
|
c5d972 |
+ /* Bug 29030 regresion check */
|
|
|
c5d972 |
+ cp = "HelloWorld";
|
|
|
c5d972 |
+ if (mbsrtowcs (NULL, &cp, (size_t)-1, &s) != 10)
|
|
|
c5d972 |
+ FAIL ();
|
|
|
c5d972 |
+
|
|
|
c5d972 |
cp = "A";
|
|
|
c5d972 |
if (mbstowcs (wenough, cp, 10) != 1
|
|
|
c5d972 |
|| wcscmp (wenough, L"A") != 0)
|
|
|
c5d972 |
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
|
|
|
c5d972 |
index a17ae0ed87e6163f..404496c7d6da4fb3 100644
|
|
|
c5d972 |
--- a/misc/sys/cdefs.h
|
|
|
c5d972 |
+++ b/misc/sys/cdefs.h
|
|
|
c5d972 |
@@ -143,13 +143,13 @@
|
|
|
c5d972 |
|| (__builtin_constant_p (__l) && (__l) > 0))
|
|
|
c5d972 |
|
|
|
c5d972 |
/* Length is known to be safe at compile time if the __L * __S <= __OBJSZ
|
|
|
c5d972 |
- condition can be folded to a constant and if it is true. The -1 check is
|
|
|
c5d972 |
- redundant because since it implies that __glibc_safe_len_cond is true. */
|
|
|
c5d972 |
+ condition can be folded to a constant and if it is true, or unknown (-1) */
|
|
|
c5d972 |
#define __glibc_safe_or_unknown_len(__l, __s, __osz) \
|
|
|
c5d972 |
- (__glibc_unsigned_or_positive (__l) \
|
|
|
c5d972 |
- && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \
|
|
|
c5d972 |
- __s, __osz)) \
|
|
|
c5d972 |
- && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), __s, __osz))
|
|
|
c5d972 |
+ ((__osz) == (__SIZE_TYPE__) -1 \
|
|
|
c5d972 |
+ || (__glibc_unsigned_or_positive (__l) \
|
|
|
c5d972 |
+ && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \
|
|
|
c5d972 |
+ (__s), (__osz))) \
|
|
|
c5d972 |
+ && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), (__s), (__osz))))
|
|
|
c5d972 |
|
|
|
c5d972 |
/* Conversely, we know at compile time that the length is unsafe if the
|
|
|
c5d972 |
__L * __S <= __OBJSZ condition can be folded to a constant and if it is
|