public inbox for glibc-bugs@sourceware.org
* [Bug libc/17703] New: iconv(1) EFAULTs reading the second non-mmapable input
@ 2014-12-12  2:55 ricilake at gmail dot com
  2014-12-12 11:56 ` [Bug libc/17703] " fweimer at redhat dot com
  2015-08-27 22:25 ` [Bug locale/17703] " jsm28 at gcc dot gnu.org
  0 siblings, 2 replies; 3+ messages in thread
From: ricilake at gmail dot com @ 2014-12-12  2:55 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17703

            Bug ID: 17703
           Summary: iconv(1) EFAULTs reading the second non-mmapable input
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: ricilake at gmail dot com
                CC: drepper.fsp at gmail dot com

This bug report is the result of a StackOverflow question:
http://stackoverflow.com/questions/27432033/process-substitution-not-working-for-input-files-with-iconv/27435671#27435671

A minimal reproducible test (Linux):

$ iconv -f ISO-8859-1 -t UTF-8 <(printf \\xa3) <(printf \\xa5)
£iconv: error while reading the input: Bad address

The error message is the result of an EFAULT during execution of read(2).

The bug is in the function process_fd in iconv/iconv_prog.c:

566   static char *inbuf = NULL;
567   static size_t maxlen = 0;
568   char *inptr = NULL;

inbuf is a temporary buffer used to read the entire input stream in the case
that an input argument cannot be mmap'd; maxlen is its current length. They are
declared static presumably to allow the buffer to be reused for subsequent
input streams. However, inptr (which is the point in the buffer at which to
read the next chunk of input) is always initialized to NULL, which is incorrect
if inbuf has been previously allocated; it should instead be initialized to
inbuf.

After the initialization, the function proceeds to attempt to fill inbuf up to
its current maximum size, maxlen:

569   size_t actlen = 0;
570
571   while (actlen < maxlen)
572     {
573       ssize_t n = read (fd, inptr, maxlen - actlen);

On the second invocation of process_fd, maxlen is not zero, so the loop is
entered and an attempt is made to read(2) into inptr, which is NULL. This
causes an EFAULT.

The fix, as indicated above:

568   char *inptr = inbuf;

-- 
You are receiving this mail because:
You are on the CC list for the bug.
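
The failure described in the report above, as an added example that is not part of the original report and not glibc code: a simplified model of the read loop with the static buffer, run against two pipe inputs with inptr starting at NULL and then at inbuf. The names slurp_fd, second_result and CHUNK, and the sample bytes, are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define CHUNK 32768  /* growth step assumed for this sketch */
/* Model of the reported loop: a static buffer reused across calls.
   fixed=0 starts inptr at NULL (the bug), fixed=1 at inbuf. Returns bytes read or -errno. */
static long slurp_fd(int fd, int fixed)
{
    static char *inbuf = NULL;
    static size_t maxlen = 0;
    char *inptr = fixed ? inbuf : NULL;
    size_t actlen = 0;
    for (;;) {
        if (actlen == maxlen) {          /* buffer full, or never allocated */
            char *p = realloc(inbuf, maxlen + CHUNK);
            if (p == NULL) return -ENOMEM;
            inbuf = p;
            maxlen += CHUNK;
            inptr = inbuf + actlen;      /* the only place the buggy variant gets a valid inptr */
        }
        ssize_t n = read(fd, inptr, maxlen - actlen);
        if (n == 0) return (long)actlen; /* end of input */
        if (n < 0) return -errno;        /* EFAULT when inptr is still NULL */
        inptr += n;
        actlen += (size_t)n;
    }
}

/* Feeds two one-byte pipes in turn, like the two <(printf ...) arguments; returns the second result. */
static long second_result(int fixed)
{
    const unsigned char sample[2] = { 0xa3, 0xa5 };  /* constructed input bytes */
    long r = 0;
    for (int i = 0; i < 2; i++) {
        int p[2];
        if (pipe(p) != 0) return -errno;
        ssize_t w = write(p[1], &sample[i], 1);
        close(p[1]);
        r = (w == 1) ? slurp_fd(p[0], fixed) : -EIO;
        close(p[0]);
    }
    return r;
}

int main(void)
{
    printf("NULL: %ld  inbuf: %ld\n", second_result(0), second_result(1));
}
```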

https://sourceware.org/bugzilla/show_bug.cgi?id=17703

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com

--- Comment #1 from Carlos O'Donell <carlos at redhat dot com> ---
Good analysis. Needs a test case. See wordexp-tst.sh or globtest.sh for
examples on how to write test cases in shell. Note that iconv is iconv_prog in
the object directory.

See: https://sourceware.org/glibc/wiki/Contribution%20checklist

Once you have a patch together post to libc-alpha@sourceware.org for review.


* [Bug libc/17703] iconv(1) EFAULTs reading the second non-mmapable input
  2014-12-12  2:55 [Bug libc/17703] New: iconv(1) EFAULTs reading the second non-mmapable input ricilake at gmail dot com
@ 2014-12-12 11:56 ` fweimer at redhat dot com
  2015-08-27 22:25 ` [Bug locale/17703] " jsm28 at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: fweimer at redhat dot com @ 2014-12-12 11:56 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17703

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
iconvdata/run-iconv-test.sh has existing iconv shell tests.


* [Bug locale/17703] iconv(1) EFAULTs reading the second non-mmapable input
  2014-12-12  2:55 [Bug libc/17703] New: iconv(1) EFAULTs reading the second non-mmapable input ricilake at gmail dot com
  2014-12-12 11:56 ` [Bug libc/17703] " fweimer at redhat dot com
@ 2015-08-27 22:25 ` jsm28 at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2015-08-27 22:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17703

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |locale
