To: Adhemerval Zanella
References: <20201229193454.34558-1-adhemerval.zanella@linaro.org> <20201229193454.34558-5-adhemerval.zanella@linaro.org>
From: Paul Eggert
Organization: UCLA Computer Science Department
Subject: Re: [PATCH v3 4/6] stdlib: Sync canonicalize with gnulib [BZ #10635] [BZ #26592] [BZ #26341] [BZ #24970]
Date: Tue, 29 Dec 2020 17:21:15 -0800
In-Reply-To: <20201229193454.34558-5-adhemerval.zanella@linaro.org>
Cc: libc-alpha@sourceware.org, bug-gnulib@gnu.org
List-Id: Gnulib discussion list

On 12/29/20 11:34 AM, Adhemerval Zanella wrote:
>           idx_t len = strlen (end);
> +         if (INT_ADD_OVERFLOW (len, n))
> +           {
> +             __set_errno (ENAMETOOLONG);
> +             goto error_nomem;
> +           }

The other patches in this glibc patch series look good to me. However,
this patch has some problems. First, the overflow check does not handle
the case where strlen (end) does not fit into len. Second, ENAMETOOLONG
is not the right errno; it should be ENOMEM because not enough memory
can be allocated (this is what scratch_buffer, malloc, etc. do in
similar situations).
Third (and less important), the overflow check is
not needed on practical 64-bit platforms either now or in the foreseeable
future.

I installed the attached patch into Gnulib to fix the bug in a way I
hope is better. The idea is that you should be able to sync this into
glibc without needing a patch like the above.

Attachment: 0001-canonicalize-fix-ptrdiff_t-overflow-bug.patch (text/x-patch)

From b4e94717557545d613bca58a27d4ef698d551ed2 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Tue, 29 Dec 2020 17:08:11 -0800
Subject: [PATCH] canonicalize: fix ptrdiff_t overflow bug

Problem reported by Adhemerval Zanella in:
https://sourceware.org/pipermail/libc-alpha/2020-December/121182.html
* lib/canonicalize-lgpl.c, lib/canonicalize.c: Include intprops.h.
(NARROW_ADDRESSES): New constant.
* lib/canonicalize-lgpl.c (realpath_stk):m
* lib/canonicalize.c (canonicalize_filename_mode_stk):
Work even if strlen (END) does not fit in idx_t, or if adding N to it
overflows.
* modules/canonicalize, modules/canonicalize-lgpl (Depends-on):
Add intprops.
---
 ChangeLog                 | 15 +++++++++++++++
 lib/canonicalize-lgpl.c   | 12 +++++++++++-
 lib/canonicalize.c        | 12 +++++++++++-
 modules/canonicalize      |  1 +
 modules/canonicalize-lgpl |  1 +
 5 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d03007b3e..0ef300f0b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2020-12-29  Paul Eggert
+
+	canonicalize: fix ptrdiff_t overflow bug
+	Problem reported by Adhemerval Zanella in:
+	https://sourceware.org/pipermail/libc-alpha/2020-December/121182.html
+	* lib/canonicalize-lgpl.c, lib/canonicalize.c:
+	Include intprops.h.
+	(NARROW_ADDRESSES): New constant.
+	* lib/canonicalize-lgpl.c (realpath_stk):m
+	* lib/canonicalize.c (canonicalize_filename_mode_stk):
+	Work even if strlen (END) does not fit in idx_t, or if adding
+	N to it overflows.
+	* modules/canonicalize, modules/canonicalize-lgpl (Depends-on):
+	Add intprops.
+
 2020-12-28  Bruno Haible
 
 	havelib: Fix for Solaris 11 OpenIndiana and Solaris 11 OmniOS.
diff --git a/lib/canonicalize-lgpl.c b/lib/canonicalize-lgpl.c
index 04fe95253..e8b10f0e7 100644
--- a/lib/canonicalize-lgpl.c
+++ b/lib/canonicalize-lgpl.c
@@ -40,6 +40,7 @@
 #include
 #include
 #include
+#include
 #include
 
 #ifdef _LIBC
@@ -85,6 +86,10 @@
 # define IF_LINT(Code) /* empty */
 #endif
 
+/* True if adding two valid object sizes might overflow idx_t.
+   As a practical matter, this cannot happen on 64-bit machines.  */
+enum { NARROW_ADDRESSES = IDX_MAX >> 31 >> 31 == 0 };
+
 #ifndef DOUBLE_SLASH_IS_DISTINCT_ROOT
 # define DOUBLE_SLASH_IS_DISTINCT_ROOT false
 #endif
@@ -338,7 +343,12 @@ realpath_stk (const char *name, char *resolved,
               idx_t end_idx IF_LINT (= 0);
               if (end_in_extra_buffer)
                 end_idx = end - extra_buf;
-              idx_t len = strlen (end);
+              size_t len = strlen (end);
+              if (NARROW_ADDRESSES && INT_ADD_OVERFLOW (len, n))
+                {
+                  __set_errno (ENOMEM);
+                  goto error;
+                }
               while (extra_buffer.length <= len + n)
                 {
                   if (!scratch_buffer_grow_preserve (&extra_buffer))
diff --git a/lib/canonicalize.c b/lib/canonicalize.c
index a4d3aab96..eee3dbee6 100644
--- a/lib/canonicalize.c
+++ b/lib/canonicalize.c
@@ -29,6 +29,7 @@
 
 #include
 #include
+#include
 #include
 
 #include "attribute.h"
@@ -43,6 +44,10 @@
 # define IF_LINT(Code) /* empty */
 #endif
 
+/* True if adding two valid object sizes might overflow idx_t.
+   As a practical matter, this cannot happen on 64-bit machines.  */
+enum { NARROW_ADDRESSES = IDX_MAX >> 31 >> 31 == 0 };
+
 #ifndef DOUBLE_SLASH_IS_DISTINCT_ROOT
 # define DOUBLE_SLASH_IS_DISTINCT_ROOT false
 #endif
@@ -389,7 +394,12 @@ canonicalize_filename_mode_stk (const char *name, canonicalize_mode_t can_mode,
               idx_t end_idx IF_LINT (= 0);
               if (end_in_extra_buffer)
                 end_idx = end - extra_buf;
-              idx_t len = strlen (end);
+              size_t len = strlen (end);
+              if (NARROW_ADDRESSES && INT_ADD_OVERFLOW (len, n))
+                {
+                  errno = ENOMEM;
+                  goto error;
+                }
               while (extra_buffer.length <= len + n)
                 {
                   if (!scratch_buffer_grow_preserve (&extra_buffer))
diff --git a/modules/canonicalize b/modules/canonicalize
index 5003f2682..a6cf76f17 100644
--- a/modules/canonicalize
+++ b/modules/canonicalize
@@ -19,6 +19,7 @@ free-posix
 getcwd
 hash-triple-simple
 idx
+intprops
 memmove
 mempcpy
 nocrash
diff --git a/modules/canonicalize-lgpl b/modules/canonicalize-lgpl
index a96f9011e..b8e87a607 100644
--- a/modules/canonicalize-lgpl
+++ b/modules/canonicalize-lgpl
@@ -18,6 +18,7 @@ fcntl-h         [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONI
 filename        [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
 free-posix      [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
 idx             [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
+intprops        [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
 libc-config     [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
 malloc-posix    [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
 memmove         [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
-- 
2.27.0
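Review bot: the ChangeLog entry line `+	* lib/canonicalize-lgpl.c (realpath_stk):m` in the first hunk (@@ -1,3 +1,18 @@) has a stray "m" after the colon, and the same stray character is in the commit message; drop it so the line reads `* lib/canonicalize-lgpl.c (realpath_stk):` and the entry continues with the canonicalize.c function on the next line as intended.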
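Review bot: in the lib/canonicalize-lgpl.c hunk @@ -85,6 +86,10 @@, `enum { NARROW_ADDRESSES = IDX_MAX >> 31 >> 31 == 0 };` relies on `>>` binding tighter than `==`; it does, so the value is `(IDX_MAX >> 31 >> 31) == 0`, but a reader has to stop and check the precedence, and parenthesizing the shifts costs nothing. The comment could also say in one line why the shift is split in two (a single `>> 62` is undefined when IDX_MAX is 32 bits wide), since that is the reason for the unusual form.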
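Review bot: in the realpath_stk hunk (@@ -338,7 +343,12 @@), with `size_t len` and `idx_t n` the `len + n` that `INT_ADD_OVERFLOW (len, n)` examines is a size_t expression, so the new test detects unsigned wraparound only, not a sum that exceeds IDX_MAX; the latter case is left to the `scratch_buffer_grow_preserve` failure in the `while (extra_buffer.length <= len + n)` loop just below. That matches the cover note, but it is subtle enough that a one-line comment above the `if` is warranted, and the same comment is then wanted in the identical hunk in canonicalize_filename_mode_stk.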
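Review bot: the NARROW_ADDRESSES enum and its two-line comment added in the lib/canonicalize.c hunk @@ -43,6 +44,10 @@ are a verbatim copy of the definition added to lib/canonicalize-lgpl.c in the same patch; since both files now include intprops.h and both depend on the idx module, defining the constant once in one of those headers (or a small shared internal header) would keep the two copies from drifting apart.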
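The difference between the two overflow checks discussed above, as an added example that is not Gnulib's or glibc's code. It simulates a 32-bit host with int32_t and uint32_t standing in for idx_t and size_t (the only width on which NARROW_ADDRESSES is true), and puts the v3 glibc check (strlen result stored in idx_t, then INT_ADD_OVERFLOW on two idx_t values) beside the installed fix (strlen result kept in size_t, so INT_ADD_OVERFLOW tests size_t wraparound). INT_ADD_OVERFLOW is replaced by two hand-written overflow tests because intprops.h is not included here; check_v3, check_fixed, grow_result and the outcome names are assumptions of this example, not names from either patch. The inputs are constructed values, not real strlen results.

```c
/* Added example, not gnulib or glibc code.  A 32-bit host is simulated
   with int32_t / uint32_t standing in for idx_t / size_t.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef int32_t  idx32_t;    /* plays idx_t (ptrdiff_t) on a 32-bit host */
typedef uint32_t size32_t;   /* plays size_t on the same host */
#define IDX32_MAX  INT32_MAX
#define SIZE32_MAX UINT32_MAX

/* The patch's NARROW_ADDRESSES expression, evaluated for the simulated
   32-bit idx_t: 1.  */
enum { NARROW_ADDRESSES_32 = (IDX32_MAX >> 31 >> 31) == 0 };

/* The same expression for the real host's ptrdiff_t: 0 on 64-bit hosts.  */
static int
narrow_addresses_host (void)
{
  return (PTRDIFF_MAX >> 31 >> 31) == 0;
}

/* Does the signed sum A + B overflow idx32_t?  (Same rule intprops.h
   uses for signed types, written out without undefined behaviour.)  */
static bool
sadd32_overflows (idx32_t a, idx32_t b)
{
  return b < 0 ? a < INT32_MIN - b : a > INT32_MAX - b;
}

/* Does the unsigned sum A + B wrap around size32_t?  */
static bool
uadd32_wraps (size32_t a, size32_t b)
{
  return b > SIZE32_MAX - a;
}

enum outcome
{
  GROW_OK,             /* go on to grow the scratch buffer to NEEDED bytes */
  FAIL_ENOMEM,         /* the overflow check fired */
  BOGUS_NEGATIVE_LEN   /* the check passed, but len is negative garbage */
};

struct grow_result
{
  enum outcome status;
  size32_t needed;     /* len + n as the caller would go on to use it */
};

/* glibc v3 patch:  idx_t len = strlen (end); if (INT_ADD_OVERFLOW (len, n)) fail.
   STRLEN_RESULT is the size_t that strlen returned; N is the byte count
   already in the buffer (nonnegative in the real callers).  */
static struct grow_result
check_v3 (size32_t strlen_result, idx32_t n)
{
  struct grow_result r = { GROW_OK, 0 };
  idx32_t len = (idx32_t) strlen_result;   /* wraps negative above IDX32_MAX */
  if (sadd32_overflows (len, n))
    r.status = FAIL_ENOMEM;                /* v3 reported ENAMETOOLONG here */
  else if (len < 0)
    r.status = BOGUS_NEGATIVE_LEN;         /* the signed check cannot see this */
  else
    r.needed = (size32_t) len + (size32_t) n;
  return r;
}

/* Gnulib fix:  size_t len = strlen (end);
   if (NARROW_ADDRESSES && INT_ADD_OVERFLOW (len, n)) fail with ENOMEM.
   len + n is a size_t expression, so the test is for unsigned wraparound,
   and a strlen result above IDX_MAX is handled like any other value.  */
static struct grow_result
check_fixed (size32_t strlen_result, idx32_t n)
{
  struct grow_result r = { GROW_OK, 0 };
  size32_t len = strlen_result;
  if (NARROW_ADDRESSES_32 && uadd32_wraps (len, (size32_t) n))
    r.status = FAIL_ENOMEM;
  else
    r.needed = len + (size32_t) n;  /* may exceed IDX32_MAX; then
                                       scratch_buffer_grow_preserve fails
                                       and the caller reports ENOMEM */
  return r;
}
```

Three constructed inputs separate the two checks: a strlen result of exactly 2^31 passes the v3 check but leaves a negative len behind, a result near SIZE_MAX with a small n makes the fixed check fail with ENOMEM while the v3 check sees no overflow at all, and a sum that fits size_t but not idx_t is refused early by v3 but deferred by the fix to scratch_buffer_grow_preserve, which is where the ENOMEM the reply mentions comes from.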