public inbox for glibc-bugs@sourceware.org
* [Bug libc/9914] possible signed integer overflow in libio/iogetdelim.c
From: bugdal at aerifal dot cx @ 2011-10-24 15:19 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx

--- Comment #1 from Rich Felker <bugdal at aerifal dot cx> 2011-10-24 15:18:34 UTC ---
Ping. This bug seems valid and has not been fixed. The fix is easy; change the
condition to (len >= SSIZE_MAX - cur_len)

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.



* [Bug libc/9914] possible signed integer overflow in libio/iogetdelim.c
From: drepper.fsp at gmail dot com @ 2011-10-29 20:33 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #2 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-10-29 20:33:41 UTC ---
Wrong, gcc cannot and does not optimize the code away.  If it does it's a
compiler problem.


* [Bug libc/9914] possible signed integer overflow in libio/iogetdelim.c
From: jakub at redhat dot com @ 2011-10-29 20:44 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Jakub Jelinek <jakub at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at redhat dot com

--- Comment #3 from Jakub Jelinek <jakub at redhat dot com> 2011-10-29 20:43:14 UTC ---
If it is testing whether cur_len + len + 1 overflowed from positive into
negative, then it is undefined behavior, because all the additions are
performed in signed _IO_ssize_t.


* [Bug libc/9914] possible signed integer overflow in libio/iogetdelim.c
From: drepper.fsp at gmail dot com @ 2011-10-29 21:17 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

--- Comment #4 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-10-29 21:17:08 UTC ---
(In reply to comment #3)
> If it is testing whether cur_len + len + 1 overflowed from positive into
> negative, then it is undefined behavior, because all the additions are
> performed in signed _IO_ssize_t.

The compiler cannot know that the variables are not negative.  Therefore the
test has to be emitted.


* [Bug libc/9914] possible signed integer overflow in libio/iogetdelim.c
From: bugdal at aerifal dot cx @ 2011-10-29 21:20 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #5 from Rich Felker <bugdal at aerifal dot cx> 2011-10-29 21:19:49 UTC ---
Whether gcc optimizes this away probably depends on the compiler version and
options. I would have to read the code in greater detail to claim that this is
definitely the case, but it's likely that it's provable that cur_len and len
are always non-negative. Even if not, the code is invoking undefined behavior,
so there are other reasons the test could fail to work as expected. I already
submitted a fix; please apply or write your own better fix if you prefer.


* [Bug libc/9914] possible signed integer overflow in libio/iogetdelim.c
From: drepper.fsp at gmail dot com @ 2011-10-29 21:37 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #6 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-10-29 21:37:11 UTC ---
Stop wasting people's time, there is nothing wrong.


* [Bug libc/9914] possible signed integer overflow in libio/iogetdelim.c
From: ldv at altlinux dot org @ 2011-10-29 22:12 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Dmitry V. Levin <ldv at altlinux dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ldv at altlinux dot org
         Resolution|FIXED                       |WONTFIX

--- Comment #7 from Dmitry V. Levin <ldv at altlinux dot org> 2011-10-29 22:11:43 UTC ---
(In reply to comment #4)
> The compiler cannot know that the variables are not negative.  Therefore the
> test has to be emitted.

If a human can know the fact that these variables are not negative, then a
smart compiler also can deduce this fact.


* [Bug libc/9914] possible signed integer overflow in libio/iogetdelim.c
From: bugdal at aerifal dot cx @ 2011-10-30  5:38 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

--- Comment #8 from Rich Felker <bugdal at aerifal dot cx> 2011-10-30 05:37:52 UTC ---
I think it's going to take someone finding a version of gcc that can make the
optimization, and then publishing an attack that results in memory corruption
and possibly privilege elevation, to break through the brick wall known as
Drepper's ego and get this bug fixed...


* [Bug stdio/9914] possible signed integer overflow in libio/iogetdelim.c
From: jsm28 at gcc dot gnu.org @ 2012-02-21  1:35 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |stdio

--- Comment #9 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-02-21 01:29:46 UTC ---
FWIW I think we should fix signed integer overflows found in the code even if
we do not have any case where they cause problems in practice.


* [Bug stdio/9914] possible signed integer overflow in libio/iogetdelim.c
From: bugdal at aerifal dot cx @ 2012-03-17 20:36 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

--- Comment #10 from Rich Felker <bugdal at aerifal dot cx> 2012-03-17 20:34:55 UTC ---
Ping. Has this been fixed?


* [Bug stdio/9914] possible signed integer overflow in libio/iogetdelim.c
From: jsm28 at gcc dot gnu.org @ 2012-03-18 14:28 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|drepper.fsp at gmail dot    |unassigned at sourceware
                   |com                         |dot org

--- Comment #11 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-03-18 14:22:11 UTC ---
From source inspection it appears this issue is still present, and as per my
previous comment I think we should fix it.


* [Bug stdio/9914] possible signed integer overflow in libio/iogetdelim.c
From: jsm28 at gcc dot gnu.org @ 2012-09-04 11:27 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=9914

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #12 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-09-04 11:27:02 UTC ---
Fixed for 2.17 by:

commit 60160d83a09c659d8d9338b210ff92be77cc87d5
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Sep 4 11:24:43 2012 +0000

    Fix iogetdelim.c (latent) integer overflow (bug 9914).


* [Bug stdio/9914] possible signed integer overflow in libio/iogetdelim.c
From: fweimer at redhat dot com @ 2014-07-01 20:44 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=9914

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-
