From: Mark Wielaard <mark@klomp.org>
To: elfutils-devel@sourceware.org
Cc: Siddhesh Poyarekar <siddhesh@gotplt.org>, Mark Wielaard <mark@klomp.org>
Subject: [PATCH] libdwfl: Rewrite reading of ar_size in elf_begin_rand
Date: Thu, 28 Jul 2022 15:48:44 +0200 [thread overview]
Message-ID: <20220728134844.8618-1-mark@klomp.org> (raw)
With GCC 12.1.1, glibc 2.3a, -fsanitize=undefined and
-D_FORTIFY_SOURCE=3 we get the following error message:
In file included from /usr/include/ar.h:22,
from ../libelf/libelfP.h:33,
from core-file.c:31:
In function ‘pread’,
inlined from ‘pread_retry’ at ../lib/system.h:188:21,
inlined from ‘elf_begin_rand’ at core-file.c:86:16,
inlined from ‘core_file_read_eagerly’ at core-file.c:205:15:
/usr/include/bits/unistd.h:74:10: error: ‘__pread_alias’ writing 58 or more bytes into a region of size 10 overflows the destination [-Werror=stringop-overflow=]
74 | return __glibc_fortify (pread, __nbytes, sizeof (char),
| ^~~~~~~~~~~~~~~
/usr/include/ar.h: In function ‘core_file_read_eagerly’:
/usr/include/ar.h:41:10: note: destination object ‘ar_size’ of size 10
41 | char ar_size[10]; /* File size, in ASCII decimal. */
| ^~~~~~~
/usr/include/bits/unistd.h:50:16: note: in a call to function ‘__pread_alias’ declared with attribute ‘access (write_only, 2, 3)’
50 | extern ssize_t __REDIRECT (__pread_alias,
| ^~~~~~~~~~
cc1: all warnings being treated as errors
The warning disappears when dropping either -fsanitize=undefined
or when using -D_FORTIFY_SOURCE=2. It looks like a false positive.
But I haven't figured out how/why it happens.
The code is a little tricky to proof correct though. The ar_size
field is a not-zero terminated string ASCII decimal, right-paddedr
with spaces. Which is then converted with strtoll. Relying on the
fact that the struct ar_hdr is zero initialized, so there will be
a zero byte after the ar_size field.
Rewrite the code to just use a zero byte terminated char array.
Which is much easier to reason about. As a bonus the error disappears.
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
libdwfl/ChangeLog | 5 +++++
libdwfl/core-file.c | 26 ++++++++++++++++----------
2 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 75c53948..acdaa013 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2022-07-28 Mark Wielaard <mark@klomp.org>
+
+ * core-file.c (elf_begin_rand): Replace struct ar_hdr h with
+ a char ar_size[AR_SIZE_CHARS + 1] array to read size.
+
2022-07-18 Shahab Vahedi <shahab@synopsys.com>
* debuginfod-client.c (dwfl_get_debuginfod_client stub):
diff --git a/libdwfl/core-file.c b/libdwfl/core-file.c
index cefc3db0..4418ef33 100644
--- a/libdwfl/core-file.c
+++ b/libdwfl/core-file.c
@@ -75,26 +75,32 @@ elf_begin_rand (Elf *parent, off_t offset, off_t size, off_t *next)
from the archive header to override SIZE. */
if (parent->kind == ELF_K_AR)
{
- struct ar_hdr h = { .ar_size = "" };
-
- if (unlikely (parent->maximum_size - offset < sizeof h))
+ /* File size, in ASCII decimal, right-padded with ASCII spaces.
+ Max 10 characters. Not zero terminated. So make this ar_size
+ array one larger and explicitly zero terminate it. As needed
+ for strtoll. */
+ #define AR_SIZE_CHARS 10
+ char ar_size[AR_SIZE_CHARS + 1];
+ ar_size[AR_SIZE_CHARS] = '\0';
+
+ if (unlikely (parent->maximum_size - offset < sizeof (struct ar_hdr)))
return fail (ELF_E_RANGE);
if (parent->map_address != NULL)
- memcpy (h.ar_size, parent->map_address + parent->start_offset + offset,
- sizeof h.ar_size);
+ memcpy (ar_size, parent->map_address + parent->start_offset + offset,
+ AR_SIZE_CHARS);
else if (unlikely (pread_retry (parent->fildes,
- h.ar_size, sizeof (h.ar_size),
+ ar_size, AR_SIZE_CHARS,
parent->start_offset + offset
+ offsetof (struct ar_hdr, ar_size))
- != sizeof (h.ar_size)))
+ != AR_SIZE_CHARS))
return fail (ELF_E_READ_ERROR);
- offset += sizeof h;
+ offset += sizeof (struct ar_hdr);
char *endp;
- size = strtoll (h.ar_size, &endp, 10);
- if (unlikely (endp == h.ar_size)
+ size = strtoll (ar_size, &endp, 10);
+ if (unlikely (endp == ar_size)
|| unlikely ((off_t) parent->maximum_size - offset < size))
return fail (ELF_E_INVALID_ARCHIVE);
}
--
2.18.4
next reply other threads:[~2022-07-28 13:48 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-28 13:48 Mark Wielaard [this message]
2022-07-28 13:54 ` Mark Wielaard
2022-07-28 17:27 ` Siddhesh Poyarekar
2022-07-29 16:31 ` Siddhesh Poyarekar
2022-07-29 18:34 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220728134844.8618-1-mark@klomp.org \
--to=mark@klomp.org \
--cc=elfutils-devel@sourceware.org \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).