Annotation of /trunk/glibc/patches/glibc-2.15-vfprintf-nargs.patch
Parent Directory | Revision Log
Revision 1806 -
(hide annotations)
(download)
Tue Jun 12 12:33:27 2012 UTC (12 years, 3 months ago) by niro
File size: 6196 byte(s)
Tue Jun 12 12:33:27 2012 UTC (12 years, 3 months ago) by niro
File size: 6196 byte(s)
-added patches for 2.15-r1
1 | niro | 1806 | diff --git a/stdio-common/Makefile b/stdio-common/Makefile |
2 | index a847b28..080badc 100644 | ||
3 | --- a/stdio-common/Makefile | ||
4 | +++ b/stdio-common/Makefile | ||
5 | @@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ | ||
6 | tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \ | ||
7 | tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \ | ||
8 | bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \ | ||
9 | - scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 | ||
10 | + scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \ | ||
11 | + bug-vfprintf-nargs | ||
12 | |||
13 | test-srcs = tst-unbputc tst-printf | ||
14 | |||
15 | diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c | ||
16 | new file mode 100644 | ||
17 | index 0000000..13c66c0 | ||
18 | --- /dev/null | ||
19 | +++ b/stdio-common/bug-vfprintf-nargs.c | ||
20 | @@ -0,0 +1,78 @@ | ||
21 | +/* Test for vfprintf nargs allocation overflow (BZ #13656). | ||
22 | + Copyright (C) 2012 Free Software Foundation, Inc. | ||
23 | + This file is part of the GNU C Library. | ||
24 | + Contributed by Kees Cook <keescook@chromium.org>, 2012. | ||
25 | + | ||
26 | + The GNU C Library is free software; you can redistribute it and/or | ||
27 | + modify it under the terms of the GNU Lesser General Public | ||
28 | + License as published by the Free Software Foundation; either | ||
29 | + version 2.1 of the License, or (at your option) any later version. | ||
30 | + | ||
31 | + The GNU C Library is distributed in the hope that it will be useful, | ||
32 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
33 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
34 | + Lesser General Public License for more details. | ||
35 | + | ||
36 | + You should have received a copy of the GNU Lesser General Public | ||
37 | + License along with the GNU C Library; if not, write to the Free | ||
38 | + Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA | ||
39 | + 02111-1307 USA. */ | ||
40 | + | ||
41 | +#include <stdio.h> | ||
42 | +#include <stdlib.h> | ||
43 | +#include <stdint.h> | ||
44 | +#include <unistd.h> | ||
45 | +#include <inttypes.h> | ||
46 | +#include <string.h> | ||
47 | +#include <signal.h> | ||
48 | + | ||
49 | +static int | ||
50 | +format_failed (const char *fmt, const char *expected) | ||
51 | +{ | ||
52 | + char output[80]; | ||
53 | + | ||
54 | + printf ("%s : ", fmt); | ||
55 | + | ||
56 | + memset (output, 0, sizeof output); | ||
57 | + /* Having sprintf itself detect a failure is good. */ | ||
58 | + if (sprintf (output, fmt, 1, 2, 3, "test") > 0 | ||
59 | + && strcmp (output, expected) != 0) | ||
60 | + { | ||
61 | + printf ("FAIL (output '%s' != expected '%s')\n", output, expected); | ||
62 | + return 1; | ||
63 | + } | ||
64 | + puts ("ok"); | ||
65 | + return 0; | ||
66 | +} | ||
67 | + | ||
68 | +static int | ||
69 | +do_test (void) | ||
70 | +{ | ||
71 | + int rc = 0; | ||
72 | + char buf[64]; | ||
73 | + | ||
74 | + /* Regular positionals work. */ | ||
75 | + if (format_failed ("%1$d", "1") != 0) | ||
76 | + rc = 1; | ||
77 | + | ||
78 | + /* Regular width positionals work. */ | ||
79 | + if (format_failed ("%1$*2$d", " 1") != 0) | ||
80 | + rc = 1; | ||
81 | + | ||
82 | + /* Positional arguments are constructed via read_int, so nargs can only | ||
83 | + overflow on 32-bit systems. On 64-bit systems, it will attempt to | ||
84 | + allocate a giant amount of memory and possibly crash, which is the | ||
85 | + expected situation. Since the 64-bit behavior is arch-specific, only | ||
86 | + test this on 32-bit systems. */ | ||
87 | + if (sizeof (long int) == 4) | ||
88 | + { | ||
89 | + sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int)); | ||
90 | + if (format_failed (buf, "1 %$d") != 0) | ||
91 | + rc = 1; | ||
92 | + } | ||
93 | + | ||
94 | + return rc; | ||
95 | +} | ||
96 | + | ||
97 | +#define TEST_FUNCTION do_test () | ||
98 | +#include "../test-skeleton.c" | ||
99 | diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c | ||
100 | index 863cd5d..c802e46 100644 | ||
101 | --- a/stdio-common/vfprintf.c | ||
102 | +++ b/stdio-common/vfprintf.c | ||
103 | @@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) | ||
104 | 0 if unknown. */ | ||
105 | int readonly_format = 0; | ||
106 | |||
107 | + /* For the argument descriptions, which may be allocated on the heap. */ | ||
108 | + void *args_malloced = NULL; | ||
109 | + | ||
110 | /* This table maps a character into a number representing a | ||
111 | class. In each step there is a destination label for each | ||
112 | class. */ | ||
113 | @@ -1647,9 +1650,10 @@ do_positional: | ||
114 | determine the size of the array needed to store the argument | ||
115 | attributes. */ | ||
116 | size_t nargs = 0; | ||
117 | - int *args_type; | ||
118 | - union printf_arg *args_value = NULL; | ||
119 | + size_t bytes_per_arg; | ||
120 | + union printf_arg *args_value; | ||
121 | int *args_size; | ||
122 | + int *args_type; | ||
123 | |||
124 | /* Positional parameters refer to arguments directly. This could | ||
125 | also determine the maximum number of arguments. Track the | ||
126 | @@ -1698,13 +1702,38 @@ do_positional: | ||
127 | |||
128 | /* Determine the number of arguments the format string consumes. */ | ||
129 | nargs = MAX (nargs, max_ref_arg); | ||
130 | + /* Calculate total size needed to represent a single argument across | ||
131 | + all three argument-related arrays. */ | ||
132 | + bytes_per_arg = sizeof (*args_value) + sizeof (*args_size) | ||
133 | + + sizeof (*args_type); | ||
134 | + | ||
135 | + /* Check for potential integer overflow. */ | ||
136 | + if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0)) | ||
137 | + { | ||
138 | + __set_errno (ERANGE); | ||
139 | + done = -1; | ||
140 | + goto all_done; | ||
141 | + } | ||
142 | |||
143 | - /* Allocate memory for the argument descriptions. */ | ||
144 | - args_type = alloca (nargs * sizeof (int)); | ||
145 | + /* Allocate memory for all three argument arrays. */ | ||
146 | + if (__libc_use_alloca (nargs * bytes_per_arg)) | ||
147 | + args_value = alloca (nargs * bytes_per_arg); | ||
148 | + else | ||
149 | + { | ||
150 | + args_value = args_malloced = malloc (nargs * bytes_per_arg); | ||
151 | + if (args_value == NULL) | ||
152 | + { | ||
153 | + done = -1; | ||
154 | + goto all_done; | ||
155 | + } | ||
156 | + } | ||
157 | + | ||
158 | + /* Set up the remaining two arrays to each point past the end of the | ||
159 | + prior array, since space for all three has been allocated now. */ | ||
160 | + args_size = &args_value[nargs].pa_int; | ||
161 | + args_type = &args_size[nargs]; | ||
162 | memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0', | ||
163 | - nargs * sizeof (int)); | ||
164 | - args_value = alloca (nargs * sizeof (union printf_arg)); | ||
165 | - args_size = alloca (nargs * sizeof (int)); | ||
166 | + nargs * sizeof (*args_type)); | ||
167 | |||
168 | /* XXX Could do sanity check here: If any element in ARGS_TYPE is | ||
169 | still zero after this loop, format is invalid. For now we | ||
170 | @@ -1973,8 +2002,8 @@ do_positional: | ||
171 | } | ||
172 | |||
173 | all_done: | ||
174 | - if (__builtin_expect (workstart != NULL, 0)) | ||
175 | - free (workstart); | ||
176 | + free (args_malloced); | ||
177 | + free (workstart); | ||
178 | /* Unlock the stream. */ | ||
179 | _IO_funlockfile (s); | ||
180 | _IO_cleanup_region_end (0); |