Contents of /trunk/glibc/patches/glibc-2.15-vfprintf-nargs.patch
Parent Directory
| 
Revision Log
Revision 1806 -
(show annotations)
(download)
Tue Jun 12 12:33:27 2012 UTC (11 years, 10 months ago) by niro
File size: 6196 byte(s)
Tue Jun 12 12:33:27 2012 UTC (11 years, 10 months ago) by niro
File size: 6196 byte(s)
-added patches for 2.15-r1
| 1 | diff --git a/stdio-common/Makefile b/stdio-common/Makefile |
| 2 | index a847b28..080badc 100644 |
| 3 | --- a/stdio-common/Makefile |
| 4 | +++ b/stdio-common/Makefile |
| 5 | @@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ |
| 6 | tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \ |
| 7 | tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \ |
| 8 | bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \ |
| 9 | - scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 |
| 10 | + scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \ |
| 11 | + bug-vfprintf-nargs |
| 12 | |
| 13 | test-srcs = tst-unbputc tst-printf |
| 14 | |
| 15 | diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c |
| 16 | new file mode 100644 |
| 17 | index 0000000..13c66c0 |
| 18 | --- /dev/null |
| 19 | +++ b/stdio-common/bug-vfprintf-nargs.c |
| 20 | @@ -0,0 +1,78 @@ |
| 21 | +/* Test for vfprintf nargs allocation overflow (BZ #13656). |
| 22 | + Copyright (C) 2012 Free Software Foundation, Inc. |
| 23 | + This file is part of the GNU C Library. |
| 24 | + Contributed by Kees Cook <keescook@chromium.org>, 2012. |
| 25 | + |
| 26 | + The GNU C Library is free software; you can redistribute it and/or |
| 27 | + modify it under the terms of the GNU Lesser General Public |
| 28 | + License as published by the Free Software Foundation; either |
| 29 | + version 2.1 of the License, or (at your option) any later version. |
| 30 | + |
| 31 | + The GNU C Library is distributed in the hope that it will be useful, |
| 32 | + but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 33 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 34 | + Lesser General Public License for more details. |
| 35 | + |
| 36 | + You should have received a copy of the GNU Lesser General Public |
| 37 | + License along with the GNU C Library; if not, write to the Free |
| 38 | + Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA |
| 39 | + 02111-1307 USA. */ |
| 40 | + |
| 41 | +#include <stdio.h> |
| 42 | +#include <stdlib.h> |
| 43 | +#include <stdint.h> |
| 44 | +#include <unistd.h> |
| 45 | +#include <inttypes.h> |
| 46 | +#include <string.h> |
| 47 | +#include <signal.h> |
| 48 | + |
| 49 | +static int |
| 50 | +format_failed (const char *fmt, const char *expected) |
| 51 | +{ |
| 52 | + char output[80]; |
| 53 | + |
| 54 | + printf ("%s : ", fmt); |
| 55 | + |
| 56 | + memset (output, 0, sizeof output); |
| 57 | + /* Having sprintf itself detect a failure is good. */ |
| 58 | + if (sprintf (output, fmt, 1, 2, 3, "test") > 0 |
| 59 | + && strcmp (output, expected) != 0) |
| 60 | + { |
| 61 | + printf ("FAIL (output '%s' != expected '%s')\n", output, expected); |
| 62 | + return 1; |
| 63 | + } |
| 64 | + puts ("ok"); |
| 65 | + return 0; |
| 66 | +} |
| 67 | + |
| 68 | +static int |
| 69 | +do_test (void) |
| 70 | +{ |
| 71 | + int rc = 0; |
| 72 | + char buf[64]; |
| 73 | + |
| 74 | + /* Regular positionals work. */ |
| 75 | + if (format_failed ("%1$d", "1") != 0) |
| 76 | + rc = 1; |
| 77 | + |
| 78 | + /* Regular width positionals work. */ |
| 79 | + if (format_failed ("%1$*2$d", " 1") != 0) |
| 80 | + rc = 1; |
| 81 | + |
| 82 | + /* Positional arguments are constructed via read_int, so nargs can only |
| 83 | + overflow on 32-bit systems. On 64-bit systems, it will attempt to |
| 84 | + allocate a giant amount of memory and possibly crash, which is the |
| 85 | + expected situation. Since the 64-bit behavior is arch-specific, only |
| 86 | + test this on 32-bit systems. */ |
| 87 | + if (sizeof (long int) == 4) |
| 88 | + { |
| 89 | + sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int)); |
| 90 | + if (format_failed (buf, "1 %$d") != 0) |
| 91 | + rc = 1; |
| 92 | + } |
| 93 | + |
| 94 | + return rc; |
| 95 | +} |
| 96 | + |
| 97 | +#define TEST_FUNCTION do_test () |
| 98 | +#include "../test-skeleton.c" |
| 99 | diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c |
| 100 | index 863cd5d..c802e46 100644 |
| 101 | --- a/stdio-common/vfprintf.c |
| 102 | +++ b/stdio-common/vfprintf.c |
| 103 | @@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) |
| 104 | 0 if unknown. */ |
| 105 | int readonly_format = 0; |
| 106 | |
| 107 | + /* For the argument descriptions, which may be allocated on the heap. */ |
| 108 | + void *args_malloced = NULL; |
| 109 | + |
| 110 | /* This table maps a character into a number representing a |
| 111 | class. In each step there is a destination label for each |
| 112 | class. */ |
| 113 | @@ -1647,9 +1650,10 @@ do_positional: |
| 114 | determine the size of the array needed to store the argument |
| 115 | attributes. */ |
| 116 | size_t nargs = 0; |
| 117 | - int *args_type; |
| 118 | - union printf_arg *args_value = NULL; |
| 119 | + size_t bytes_per_arg; |
| 120 | + union printf_arg *args_value; |
| 121 | int *args_size; |
| 122 | + int *args_type; |
| 123 | |
| 124 | /* Positional parameters refer to arguments directly. This could |
| 125 | also determine the maximum number of arguments. Track the |
| 126 | @@ -1698,13 +1702,38 @@ do_positional: |
| 127 | |
| 128 | /* Determine the number of arguments the format string consumes. */ |
| 129 | nargs = MAX (nargs, max_ref_arg); |
| 130 | + /* Calculate total size needed to represent a single argument across |
| 131 | + all three argument-related arrays. */ |
| 132 | + bytes_per_arg = sizeof (*args_value) + sizeof (*args_size) |
| 133 | + + sizeof (*args_type); |
| 134 | + |
| 135 | + /* Check for potential integer overflow. */ |
| 136 | + if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0)) |
| 137 | + { |
| 138 | + __set_errno (ERANGE); |
| 139 | + done = -1; |
| 140 | + goto all_done; |
| 141 | + } |
| 142 | |
| 143 | - /* Allocate memory for the argument descriptions. */ |
| 144 | - args_type = alloca (nargs * sizeof (int)); |
| 145 | + /* Allocate memory for all three argument arrays. */ |
| 146 | + if (__libc_use_alloca (nargs * bytes_per_arg)) |
| 147 | + args_value = alloca (nargs * bytes_per_arg); |
| 148 | + else |
| 149 | + { |
| 150 | + args_value = args_malloced = malloc (nargs * bytes_per_arg); |
| 151 | + if (args_value == NULL) |
| 152 | + { |
| 153 | + done = -1; |
| 154 | + goto all_done; |
| 155 | + } |
| 156 | + } |
| 157 | + |
| 158 | + /* Set up the remaining two arrays to each point past the end of the |
| 159 | + prior array, since space for all three has been allocated now. */ |
| 160 | + args_size = &args_value[nargs].pa_int; |
| 161 | + args_type = &args_size[nargs]; |
| 162 | memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0', |
| 163 | - nargs * sizeof (int)); |
| 164 | - args_value = alloca (nargs * sizeof (union printf_arg)); |
| 165 | - args_size = alloca (nargs * sizeof (int)); |
| 166 | + nargs * sizeof (*args_type)); |
| 167 | |
| 168 | /* XXX Could do sanity check here: If any element in ARGS_TYPE is |
| 169 | still zero after this loop, format is invalid. For now we |
| 170 | @@ -1973,8 +2002,8 @@ do_positional: |
| 171 | } |
| 172 | |
| 173 | all_done: |
| 174 | - if (__builtin_expect (workstart != NULL, 0)) |
| 175 | - free (workstart); |
| 176 | + free (args_malloced); |
| 177 | + free (workstart); |
| 178 | /* Unlock the stream. */ |
| 179 | _IO_funlockfile (s); |
| 180 | _IO_cleanup_region_end (0); |