Contents of /trunk/glibc/patches/glibc-2.15-vfprintf-nargs.patch
Parent Directory | Revision Log
Revision 1806 -
(show annotations)
(download)
Tue Jun 12 12:33:27 2012 UTC (12 years, 3 months ago) by niro
File size: 6196 byte(s)
Tue Jun 12 12:33:27 2012 UTC (12 years, 3 months ago) by niro
File size: 6196 byte(s)
-added patches for 2.15-r1
1 | diff --git a/stdio-common/Makefile b/stdio-common/Makefile |
2 | index a847b28..080badc 100644 |
3 | --- a/stdio-common/Makefile |
4 | +++ b/stdio-common/Makefile |
5 | @@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ |
6 | tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \ |
7 | tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \ |
8 | bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \ |
9 | - scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 |
10 | + scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \ |
11 | + bug-vfprintf-nargs |
12 | |
13 | test-srcs = tst-unbputc tst-printf |
14 | |
15 | diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c |
16 | new file mode 100644 |
17 | index 0000000..13c66c0 |
18 | --- /dev/null |
19 | +++ b/stdio-common/bug-vfprintf-nargs.c |
20 | @@ -0,0 +1,78 @@ |
21 | +/* Test for vfprintf nargs allocation overflow (BZ #13656). |
22 | + Copyright (C) 2012 Free Software Foundation, Inc. |
23 | + This file is part of the GNU C Library. |
24 | + Contributed by Kees Cook <keescook@chromium.org>, 2012. |
25 | + |
26 | + The GNU C Library is free software; you can redistribute it and/or |
27 | + modify it under the terms of the GNU Lesser General Public |
28 | + License as published by the Free Software Foundation; either |
29 | + version 2.1 of the License, or (at your option) any later version. |
30 | + |
31 | + The GNU C Library is distributed in the hope that it will be useful, |
32 | + but WITHOUT ANY WARRANTY; without even the implied warranty of |
33 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
34 | + Lesser General Public License for more details. |
35 | + |
36 | + You should have received a copy of the GNU Lesser General Public |
37 | + License along with the GNU C Library; if not, write to the Free |
38 | + Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA |
39 | + 02111-1307 USA. */ |
40 | + |
41 | +#include <stdio.h> |
42 | +#include <stdlib.h> |
43 | +#include <stdint.h> |
44 | +#include <unistd.h> |
45 | +#include <inttypes.h> |
46 | +#include <string.h> |
47 | +#include <signal.h> |
48 | + |
49 | +static int |
50 | +format_failed (const char *fmt, const char *expected) |
51 | +{ |
52 | + char output[80]; |
53 | + |
54 | + printf ("%s : ", fmt); |
55 | + |
56 | + memset (output, 0, sizeof output); |
57 | + /* Having sprintf itself detect a failure is good. */ |
58 | + if (sprintf (output, fmt, 1, 2, 3, "test") > 0 |
59 | + && strcmp (output, expected) != 0) |
60 | + { |
61 | + printf ("FAIL (output '%s' != expected '%s')\n", output, expected); |
62 | + return 1; |
63 | + } |
64 | + puts ("ok"); |
65 | + return 0; |
66 | +} |
67 | + |
68 | +static int |
69 | +do_test (void) |
70 | +{ |
71 | + int rc = 0; |
72 | + char buf[64]; |
73 | + |
74 | + /* Regular positionals work. */ |
75 | + if (format_failed ("%1$d", "1") != 0) |
76 | + rc = 1; |
77 | + |
78 | + /* Regular width positionals work. */ |
79 | + if (format_failed ("%1$*2$d", " 1") != 0) |
80 | + rc = 1; |
81 | + |
82 | + /* Positional arguments are constructed via read_int, so nargs can only |
83 | + overflow on 32-bit systems. On 64-bit systems, it will attempt to |
84 | + allocate a giant amount of memory and possibly crash, which is the |
85 | + expected situation. Since the 64-bit behavior is arch-specific, only |
86 | + test this on 32-bit systems. */ |
87 | + if (sizeof (long int) == 4) |
88 | + { |
89 | + sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int)); |
90 | + if (format_failed (buf, "1 %$d") != 0) |
91 | + rc = 1; |
92 | + } |
93 | + |
94 | + return rc; |
95 | +} |
96 | + |
97 | +#define TEST_FUNCTION do_test () |
98 | +#include "../test-skeleton.c" |
99 | diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c |
100 | index 863cd5d..c802e46 100644 |
101 | --- a/stdio-common/vfprintf.c |
102 | +++ b/stdio-common/vfprintf.c |
103 | @@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) |
104 | 0 if unknown. */ |
105 | int readonly_format = 0; |
106 | |
107 | + /* For the argument descriptions, which may be allocated on the heap. */ |
108 | + void *args_malloced = NULL; |
109 | + |
110 | /* This table maps a character into a number representing a |
111 | class. In each step there is a destination label for each |
112 | class. */ |
113 | @@ -1647,9 +1650,10 @@ do_positional: |
114 | determine the size of the array needed to store the argument |
115 | attributes. */ |
116 | size_t nargs = 0; |
117 | - int *args_type; |
118 | - union printf_arg *args_value = NULL; |
119 | + size_t bytes_per_arg; |
120 | + union printf_arg *args_value; |
121 | int *args_size; |
122 | + int *args_type; |
123 | |
124 | /* Positional parameters refer to arguments directly. This could |
125 | also determine the maximum number of arguments. Track the |
126 | @@ -1698,13 +1702,38 @@ do_positional: |
127 | |
128 | /* Determine the number of arguments the format string consumes. */ |
129 | nargs = MAX (nargs, max_ref_arg); |
130 | + /* Calculate total size needed to represent a single argument across |
131 | + all three argument-related arrays. */ |
132 | + bytes_per_arg = sizeof (*args_value) + sizeof (*args_size) |
133 | + + sizeof (*args_type); |
134 | + |
135 | + /* Check for potential integer overflow. */ |
136 | + if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0)) |
137 | + { |
138 | + __set_errno (ERANGE); |
139 | + done = -1; |
140 | + goto all_done; |
141 | + } |
142 | |
143 | - /* Allocate memory for the argument descriptions. */ |
144 | - args_type = alloca (nargs * sizeof (int)); |
145 | + /* Allocate memory for all three argument arrays. */ |
146 | + if (__libc_use_alloca (nargs * bytes_per_arg)) |
147 | + args_value = alloca (nargs * bytes_per_arg); |
148 | + else |
149 | + { |
150 | + args_value = args_malloced = malloc (nargs * bytes_per_arg); |
151 | + if (args_value == NULL) |
152 | + { |
153 | + done = -1; |
154 | + goto all_done; |
155 | + } |
156 | + } |
157 | + |
158 | + /* Set up the remaining two arrays to each point past the end of the |
159 | + prior array, since space for all three has been allocated now. */ |
160 | + args_size = &args_value[nargs].pa_int; |
161 | + args_type = &args_size[nargs]; |
162 | memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0', |
163 | - nargs * sizeof (int)); |
164 | - args_value = alloca (nargs * sizeof (union printf_arg)); |
165 | - args_size = alloca (nargs * sizeof (int)); |
166 | + nargs * sizeof (*args_type)); |
167 | |
168 | /* XXX Could do sanity check here: If any element in ARGS_TYPE is |
169 | still zero after this loop, format is invalid. For now we |
170 | @@ -1973,8 +2002,8 @@ do_positional: |
171 | } |
172 | |
173 | all_done: |
174 | - if (__builtin_expect (workstart != NULL, 0)) |
175 | - free (workstart); |
176 | + free (args_malloced); |
177 | + free (workstart); |
178 | /* Unlock the stream. */ |
179 | _IO_funlockfile (s); |
180 | _IO_cleanup_region_end (0); |