public inbox for elfutils@sourceware.org
* [PATCH] libdwfl: Rewrite reading of ar_size in elf_begin_rand
From: Mark Wielaard @ 2022-07-28 13:48 UTC (permalink / raw)
  To: elfutils-devel; +Cc: Siddhesh Poyarekar, Mark Wielaard

With GCC 12.1.1, glibc 2.3a, -fsanitize=undefined and
-D_FORTIFY_SOURCE=3 we get the following error message:

In file included from /usr/include/ar.h:22,
                 from ../libelf/libelfP.h:33,
                 from core-file.c:31:
In function ‘pread’,
    inlined from ‘pread_retry’ at ../lib/system.h:188:21,
    inlined from ‘elf_begin_rand’ at core-file.c:86:16,
    inlined from ‘core_file_read_eagerly’ at core-file.c:205:15:
/usr/include/bits/unistd.h:74:10: error: ‘__pread_alias’ writing 58 or more bytes into a region of size 10 overflows the destination [-Werror=stringop-overflow=]
   74 |   return __glibc_fortify (pread, __nbytes, sizeof (char),
      |          ^~~~~~~~~~~~~~~
/usr/include/ar.h: In function ‘core_file_read_eagerly’:
/usr/include/ar.h:41:10: note: destination object ‘ar_size’ of size 10
   41 |     char ar_size[10];           /* File size, in ASCII decimal.  */
      |          ^~~~~~~
/usr/include/bits/unistd.h:50:16: note: in a call to function ‘__pread_alias’ declared with attribute ‘access (write_only, 2, 3)’
   50 | extern ssize_t __REDIRECT (__pread_alias,
      |                ^~~~~~~~~~
cc1: all warnings being treated as errors

The warning disappears when dropping either -fsanitize=undefined
or when using -D_FORTIFY_SOURCE=2. It looks like a false positive.
But I haven't figured out how/why it happens.

The code is a little tricky to prove correct though. The ar_size
field is a not zero terminated ASCII decimal string, right-padded
with spaces. Which is then converted with strtoll. Relying on the
fact that the struct ar_hdr is zero initialized, so there will be
a zero byte after the ar_size field.

Rewrite the code to just use a zero byte terminated char array.
Which is much easier to reason about. As a bonus the error disappears.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libdwfl/ChangeLog   |  5 +++++
 libdwfl/core-file.c | 26 ++++++++++++++++----------
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 75c53948..acdaa013 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2022-07-28  Mark Wielaard  <mark@klomp.org>
+
+	* core-file.c (elf_begin_rand): Replace struct ar_hdr h with
+	a char ar_size[AR_SIZE_CHARS + 1] array to read size.
+
 2022-07-18  Shahab Vahedi  <shahab@synopsys.com>
 
 	* debuginfod-client.c (dwfl_get_debuginfod_client stub):
diff --git a/libdwfl/core-file.c b/libdwfl/core-file.c
index cefc3db0..4418ef33 100644
--- a/libdwfl/core-file.c
+++ b/libdwfl/core-file.c
@@ -75,26 +75,32 @@ elf_begin_rand (Elf *parent, off_t offset, off_t size, off_t *next)
      from the archive header to override SIZE.  */
   if (parent->kind == ELF_K_AR)
     {
-      struct ar_hdr h = { .ar_size = "" };
-
-      if (unlikely (parent->maximum_size - offset < sizeof h))
+      /* File size, in ASCII decimal, right-padded with ASCII spaces.
+         Max 10 characters. Not zero terminated. So make this ar_size
+         array one larger and explicitly zero terminate it.  As needed
+         for strtoll.  */
+      #define AR_SIZE_CHARS 10
+      char ar_size[AR_SIZE_CHARS + 1];
+      ar_size[AR_SIZE_CHARS] = '\0';
+
+      if (unlikely (parent->maximum_size - offset < sizeof (struct ar_hdr)))
 	return fail (ELF_E_RANGE);
 
       if (parent->map_address != NULL)
-	memcpy (h.ar_size, parent->map_address + parent->start_offset + offset,
-		sizeof h.ar_size);
+	memcpy (ar_size, parent->map_address + parent->start_offset + offset,
+		AR_SIZE_CHARS);
       else if (unlikely (pread_retry (parent->fildes,
-				      h.ar_size, sizeof (h.ar_size),
+				      ar_size, AR_SIZE_CHARS,
 				      parent->start_offset + offset
 				      + offsetof (struct ar_hdr, ar_size))
-			 != sizeof (h.ar_size)))
+			 != AR_SIZE_CHARS))
 	return fail (ELF_E_READ_ERROR);
 
-      offset += sizeof h;
+      offset += sizeof (struct ar_hdr);
 
       char *endp;
-      size = strtoll (h.ar_size, &endp, 10);
-      if (unlikely (endp == h.ar_size)
+      size = strtoll (ar_size, &endp, 10);
+      if (unlikely (endp == ar_size)
 	  || unlikely ((off_t) parent->maximum_size - offset < size))
 	return fail (ELF_E_INVALID_ARCHIVE);
     }
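Review bot: the two read paths in this hunk still fetch different bytes: the mmap branch copies from `parent->map_address + parent->start_offset + offset` (the start of the header, i.e. ar_name), while the pread branch adds `+ offsetof (struct ar_hdr, ar_size)`. That is pre-existing, but since these lines are being rewritten the memcpy source should get the same `offsetof` term, or a comment saying why it does not. Two smaller points: `#define AR_SIZE_CHARS 10` is a function-local hard-coded copy of `sizeof (((struct ar_hdr *) 0)->ar_size)` that is never #undef'd, so deriving it from the struct (or asserting the two agree) would keep them from drifting; and `strtoll` accepts a leading sign, so an ar_size of `-1` passes the `(off_t) parent->maximum_size - offset < size` check with a negative size, which a `size < 0` test next to it would catch.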
-- 
2.18.4
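An added example, not code from the patch or from elfutils: the same explicit-termination idea for ar_size in a stand-alone parser, with the validation a caller would want on top (rejecting a sign, stray characters and a size past the end of the file). `ar_member_size` and `sample_member_size` are my names; it assumes the system <ar.h>.

```c
/* Added example, not elfutils code: read the 10-byte ar_size field of a
   struct ar_hdr as the patch does (buffer one byte larger, explicit NUL),
   then validate the value before trusting it.  Helper names are mine.  */
#include <ar.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Taken from the struct itself so it cannot drift from the field width.  */
#define AR_SIZE_CHARS (sizeof (((struct ar_hdr *) 0)->ar_size))

/* Parse the member size from a raw header HDR (sizeof (struct ar_hdr) bytes).
   REMAINING is how many bytes of the file follow the header.  Returns 0 and
   sets *SIZE on success, -1 on a malformed or out-of-range field.  */
static int
ar_member_size (const unsigned char *hdr, off_t remaining, off_t *size)
{
  char buf[AR_SIZE_CHARS + 1];
  memcpy (buf, hdr + offsetof (struct ar_hdr, ar_size), AR_SIZE_CHARS);
  buf[AR_SIZE_CHARS] = '\0';          /* the file itself never terminates it */

  if (buf[0] < '0' || buf[0] > '9')   /* strtoll would accept "-1" or " 5" */
    return -1;
  char *endp;
  long long val = strtoll (buf, &endp, 10);   /* at most 10 digits: no overflow */
  for (; *endp != '\0'; endp++)       /* only space padding may follow */
    if (*endp != ' ')
      return -1;
  if (val > remaining)                /* member must fit in the file */
    return -1;
  *size = (off_t) val;
  return 0;
}

/* Constructed sample (hypothetical helper): put FIELD, space padded, into a
   header's ar_size and parse it.  Returns the size, or -1 when rejected.  */
long long
sample_member_size (const char *field, off_t remaining)
{
  struct ar_hdr h;
  memset (&h, ' ', sizeof h);         /* header bytes are spaces, as in a file */
  size_t n = strlen (field);
  if (n > AR_SIZE_CHARS)
    return -1;
  memcpy (h.ar_size, field, n);       /* no NUL, exactly as stored on disk */
  off_t size;
  return ar_member_size ((const unsigned char *) &h, remaining, &size) == 0
         ? (long long) size : -1;
}
```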



* Re: [PATCH] libdwfl: Rewrite reading of ar_size in elf_begin_rand
From: Mark Wielaard @ 2022-07-28 13:54 UTC (permalink / raw)
  To: elfutils-devel; +Cc: Siddhesh Poyarekar

On Thu, 2022-07-28 at 15:48 +0200, Mark Wielaard wrote:
> With GCC 12.1.1, glibc 2.3a, -fsanitize=undefined and
> -D_FORTIFY_SOURCE=3 we get the following error message:

Sorry for the typo, it is glibc 2.35. Basically an up to date Fedora 36
system (replicated on x86_64, ppc64le and s390x).


* Re: [PATCH] libdwfl: Rewrite reading of ar_size in elf_begin_rand
From: Siddhesh Poyarekar @ 2022-07-28 17:27 UTC (permalink / raw)
  To: Mark Wielaard, elfutils-devel

On 2022-07-28 09:48, Mark Wielaard wrote:
> With GCC 12.1.1, glibc 2.3a, -fsanitize=undefined and
> -D_FORTIFY_SOURCE=3 we get the following error message:
> 
> In file included from /usr/include/ar.h:22,
>                   from ../libelf/libelfP.h:33,
>                   from core-file.c:31:
> In function ‘pread’,
>      inlined from ‘pread_retry’ at ../lib/system.h:188:21,
>      inlined from ‘elf_begin_rand’ at core-file.c:86:16,
>      inlined from ‘core_file_read_eagerly’ at core-file.c:205:15:
> /usr/include/bits/unistd.h:74:10: error: ‘__pread_alias’ writing 58 or more bytes into a region of size 10 overflows the destination [-Werror=stringop-overflow=]
>     74 |   return __glibc_fortify (pread, __nbytes, sizeof (char),
>        |          ^~~~~~~~~~~~~~~
> /usr/include/ar.h: In function ‘core_file_read_eagerly’:
> /usr/include/ar.h:41:10: note: destination object ‘ar_size’ of size 10
>     41 |     char ar_size[10];           /* File size, in ASCII decimal.  */
>        |          ^~~~~~~
> /usr/include/bits/unistd.h:50:16: note: in a call to function ‘__pread_alias’ declared with attribute ‘access (write_only, 2, 3)’
>     50 | extern ssize_t __REDIRECT (__pread_alias,
>        |                ^~~~~~~~~~
> cc1: all warnings being treated as errors
> 
> The warning disappears when dropping either -fsanitize=undefined
> or when using -D_FORTIFY_SOURCE=2. It looks like a false positive.
> But I haven't figured out how/why it happens.

Interesting, I'll take a closer look at this from the gcc context.  I 
obviously don't have any strong opinions about the elfutils patch :)

Thanks,
Sid

> The code is a little tricky to prove correct though. The ar_size
> field is a not zero terminated ASCII decimal string, right-padded
> with spaces. Which is then converted with strtoll. Relying on the
> fact that the struct ar_hdr is zero initialized, so there will be
> a zero byte after the ar_size field.
> 
> Rewrite the code to just use a zero byte terminated char array.
> Which is much easier to reason about. As a bonus the error disappears.
> 
> Signed-off-by: Mark Wielaard <mark@klomp.org>
> ---
>   libdwfl/ChangeLog   |  5 +++++
>   libdwfl/core-file.c | 26 ++++++++++++++++----------
>   2 files changed, 21 insertions(+), 10 deletions(-)
> 
> diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
> index 75c53948..acdaa013 100644
> --- a/libdwfl/ChangeLog
> +++ b/libdwfl/ChangeLog
> @@ -1,3 +1,8 @@
> +2022-07-28  Mark Wielaard  <mark@klomp.org>
> +
> +	* core-file.c (elf_begin_rand): Replace struct ar_hdr h with
> +	a char ar_size[AR_SIZE_CHARS + 1] array to read size.
> +
>   2022-07-18  Shahab Vahedi  <shahab@synopsys.com>
>   
>   	* debuginfod-client.c (dwfl_get_debuginfod_client stub):
> diff --git a/libdwfl/core-file.c b/libdwfl/core-file.c
> index cefc3db0..4418ef33 100644
> --- a/libdwfl/core-file.c
> +++ b/libdwfl/core-file.c
> @@ -75,26 +75,32 @@ elf_begin_rand (Elf *parent, off_t offset, off_t size, off_t *next)
>        from the archive header to override SIZE.  */
>     if (parent->kind == ELF_K_AR)
>       {
> -      struct ar_hdr h = { .ar_size = "" };
> -
> -      if (unlikely (parent->maximum_size - offset < sizeof h))
> +      /* File size, in ASCII decimal, right-padded with ASCII spaces.
> +         Max 10 characters. Not zero terminated. So make this ar_size
> +         array one larger and explicitly zero terminate it.  As needed
> +         for strtoll.  */
> +      #define AR_SIZE_CHARS 10
> +      char ar_size[AR_SIZE_CHARS + 1];
> +      ar_size[AR_SIZE_CHARS] = '\0';
> +
> +      if (unlikely (parent->maximum_size - offset < sizeof (struct ar_hdr)))
>   	return fail (ELF_E_RANGE);
>   
>         if (parent->map_address != NULL)
> -	memcpy (h.ar_size, parent->map_address + parent->start_offset + offset,
> -		sizeof h.ar_size);
> +	memcpy (ar_size, parent->map_address + parent->start_offset + offset,
> +		AR_SIZE_CHARS);
>         else if (unlikely (pread_retry (parent->fildes,
> -				      h.ar_size, sizeof (h.ar_size),
> +				      ar_size, AR_SIZE_CHARS,
>   				      parent->start_offset + offset
>   				      + offsetof (struct ar_hdr, ar_size))
> -			 != sizeof (h.ar_size)))
> +			 != AR_SIZE_CHARS))
>   	return fail (ELF_E_READ_ERROR);
>   
> -      offset += sizeof h;
> +      offset += sizeof (struct ar_hdr);
>   
>         char *endp;
> -      size = strtoll (h.ar_size, &endp, 10);
> -      if (unlikely (endp == h.ar_size)
> +      size = strtoll (ar_size, &endp, 10);
> +      if (unlikely (endp == ar_size)
>   	  || unlikely ((off_t) parent->maximum_size - offset < size))
>   	return fail (ELF_E_INVALID_ARCHIVE);
>       }


* Re: [PATCH] libdwfl: Rewrite reading of ar_size in elf_begin_rand
From: Siddhesh Poyarekar @ 2022-07-29 16:31 UTC (permalink / raw)
  To: Mark Wielaard, elfutils-devel

On 2022-07-28 13:27, Siddhesh Poyarekar wrote:
> Interesting, I'll take a closer look at this from the gcc context.  I 
> obviously don't have any strong opinions about the elfutils patch :)

I reduced this to the below program and I see it warns with 
`-D_FORTIFY_SOURCE=3 -O2 -fsanitize=undefined` as well as 
`-D_FORTIFY_SOURCE=2 -O2 -fsanitize=undefined`.  This is definitely a 
false positive on unreachable code; __pread_alias will never be called 
when nbytes is greater than object size.

So I can confirm that this is harmless.

Sid

~~~

typedef long ssize_t;
typedef unsigned long size_t;
typedef long off_t;


struct ar_hdr
{
   char ar_mode;
   char ar_size[10];
};

extern ssize_t __pread_chk (int fd, void *buf, size_t nbytes, off_t offset,
			    size_t bufsize)
   __attribute__((__access__ (__write_only__, 2, 3)));
extern ssize_t __pread_alias (int fd, void *buf, size_t nbytes, off_t offset)
   __attribute__((__access__ (__write_only__, 2, 3)));
extern ssize_t __pread_chk_warn (int fd, void *buf, size_t nbytes,
				 off_t offset, size_t bufsize);

extern __inline __attribute__((__always_inline__))
   __attribute__((__gnu_inline__)) ssize_t
pread (int fd, void *buf, size_t nbytes, off_t offset)
{
   size_t osz = __builtin_dynamic_object_size (buf, 0);
   if (__builtin_constant_p (osz) && osz == (size_t) -1)
     return __pread_alias (fd, buf, nbytes, offset);
   return (((__typeof (nbytes)) 0 < (__typeof (nbytes)) - 1
	   || (__builtin_constant_p (nbytes) && (nbytes) > 0))
	  && __builtin_constant_p (nbytes <= osz / 1)
	  && nbytes <= osz / 1)
     ? __pread_alias (fd, buf, nbytes, offset)
     : __pread_chk (fd, buf, nbytes, offset, osz);
}

ssize_t
pread_retry (int fd, off_t start_offset, off_t offset)
{
   ssize_t recvd = 0;
   struct ar_hdr h = {.ar_size = {0} };
   void *buf = h.ar_size;
   size_t len = sizeof (h.ar_size);
   off_t off =
     start_offset + offset + __builtin_offsetof (struct ar_hdr, ar_size);

   do
     {
       long int res;
       do
	{
           res = pread (fd, ((char *) buf) + recvd, len - recvd, off + recvd);
	}
       while (res == -1L);
       recvd += res;
     }
   while ((size_t) recvd < len);

   return recvd;
}


* Re: [PATCH] libdwfl: Rewrite reading of ar_size in elf_begin_rand
From: Mark Wielaard @ 2022-07-29 18:34 UTC (permalink / raw)
  To: elfutils-devel; +Cc: Siddhesh Poyarekar

Hi,

On Thu, 2022-07-28 at 15:48 +0200, Mark Wielaard wrote:
> With GCC 12.1.1, glibc 2.3a, -fsanitize=undefined and
> -D_FORTIFY_SOURCE=3 we get the following error message:
> 
> In file included from /usr/include/ar.h:22,
>                  from ../libelf/libelfP.h:33,
>                  from core-file.c:31:
> In function ‘pread’,
>     inlined from ‘pread_retry’ at ../lib/system.h:188:21,
>     inlined from ‘elf_begin_rand’ at core-file.c:86:16,
>     inlined from ‘core_file_read_eagerly’ at core-file.c:205:15:
> /usr/include/bits/unistd.h:74:10: error: ‘__pread_alias’ writing 58 or more bytes into a region of size 10 overflows the destination [-Werror=stringop-overflow=]
>    74 |   return __glibc_fortify (pread, __nbytes, sizeof (char),
>       |          ^~~~~~~~~~~~~~~
> /usr/include/ar.h: In function ‘core_file_read_eagerly’:
> /usr/include/ar.h:41:10: note: destination object ‘ar_size’ of size 10
>    41 |     char ar_size[10];           /* File size, in ASCII decimal.  */
>       |          ^~~~~~~
> /usr/include/bits/unistd.h:50:16: note: in a call to function ‘__pread_alias’ declared with attribute ‘access (write_only, 2, 3)’
>    50 | extern ssize_t __REDIRECT (__pread_alias,
>       |                ^~~~~~~~~~
> cc1: all warnings being treated as errors
> 
> The warning disappears when dropping either -fsanitize=undefined
> or when using -D_FORTIFY_SOURCE=2. It looks like a false positive.
> But I haven't figured out how/why it happens.
> 
> The code is a little tricky to prove correct though. The ar_size
> field is a not zero terminated ASCII decimal string, right-padded
> with spaces. Which is then converted with strtoll. Relying on the
> fact that the struct ar_hdr is zero initialized, so there will be
> a zero byte after the ar_size field.
> 
> Rewrite the code to just use a zero byte terminated char array.
> Which is much easier to reason about. As a bonus the error
> disappears.

The try build turned out green (ppc64le and s390x were red before)
except for the centos7 builder where the native-biarch-core failed
(this is a flaky test apparently because of a kernel issue dumping
biarch cores?) An explicit rebuild made all tests PASS.

So I have pushed this to get all our builders green again.

Cheers,

Mark

