* [PATCH] time: strftime_l: Use malloc rather than an unbounded alloca.
@ 2023-05-10 19:59 Joe Simmons-Talbott
2023-05-16 19:28 ` Adhemerval Zanella Netto
0 siblings, 1 reply; 7+ messages in thread
From: Joe Simmons-Talbott @ 2023-05-10 19:59 UTC (permalink / raw)
To: libc-alpha; +Cc: Joe Simmons-Talbott
Avoid possible stack overflow by replacing alloca() with malloc().
---
time/strftime_l.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/time/strftime_l.c b/time/strftime_l.c
index 402c6c4111..59d3e1a3b2 100644
--- a/time/strftime_l.c
+++ b/time/strftime_l.c
@@ -273,8 +273,9 @@ static const CHAR_T zeroes[16] = /* "0000000000000000" */
const char *__s = os; \
memset (&__st, '\0', sizeof (__st)); \
l = __mbsrtowcs_l (NULL, &__s, 0, &__st, loc); \
- ws = alloca ((l + 1) * sizeof (wchar_t)); \
- (void) __mbsrtowcs_l (ws, &__s, l, &__st, loc); \
+ ws = malloc ((l + 1) * sizeof (wchar_t)); \
+ if (ws != NULL) \
+ (void) __mbsrtowcs_l (ws, &__s, l, &__st, loc); \
}
#endif
@@ -1346,7 +1347,10 @@ __strftime_internal (CHAR_T *s, size_t maxsize, const CHAR_T *format,
wchar_t *wczone;
size_t len;
widen (zone, wczone, len);
+ if (wczone == NULL)
+ return 0;
cpy (len, wczone);
+ free (wczone);
}
#else
cpy (strlen (zone), zone);
--
2.39.2
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] time: strftime_l: Use malloc rather than an unbounded alloca.
2023-05-10 19:59 [PATCH] time: strftime_l: Use malloc rather than an unbounded alloca Joe Simmons-Talbott
@ 2023-05-16 19:28 ` Adhemerval Zanella Netto
2023-05-16 19:53 ` Joe Simmons-Talbott
2023-05-16 22:00 ` Paul Eggert
0 siblings, 2 replies; 7+ messages in thread
From: Adhemerval Zanella Netto @ 2023-05-16 19:28 UTC (permalink / raw)
To: Joe Simmons-Talbott, libc-alpha
On 10/05/23 16:59, Joe Simmons-Talbott via Libc-alpha wrote:
> Avoid possible stack overflow by replacing alloca() with malloc().
> ---
> time/strftime_l.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/time/strftime_l.c b/time/strftime_l.c
> index 402c6c4111..59d3e1a3b2 100644
> --- a/time/strftime_l.c
> +++ b/time/strftime_l.c
> @@ -273,8 +273,9 @@ static const CHAR_T zeroes[16] = /* "0000000000000000" */
> const char *__s = os; \
> memset (&__st, '\0', sizeof (__st)); \
> l = __mbsrtowcs_l (NULL, &__s, 0, &__st, loc); \
> - ws = alloca ((l + 1) * sizeof (wchar_t)); \
> - (void) __mbsrtowcs_l (ws, &__s, l, &__st, loc); \
> + ws = malloc ((l + 1) * sizeof (wchar_t)); \
> + if (ws != NULL) \
> + (void) __mbsrtowcs_l (ws, &__s, l, &__st, loc); \
> }
> #endif
>
> @@ -1346,7 +1347,10 @@ __strftime_internal (CHAR_T *s, size_t maxsize, const CHAR_T *format,
> wchar_t *wczone;
> size_t len;
> widen (zone, wczone, len);
> + if (wczone == NULL)
> + return 0;
> cpy (len, wczone);
> + free (wczone);
> }
> #else
> cpy (strlen (zone), zone);
Do we have a practical maximum size for the abbreviate timezone name? The
internal tz_rule 'name' field is just a pointer, but I think all timezones
uses a maximum name size.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] time: strftime_l: Use malloc rather than an unbounded alloca.
2023-05-16 19:28 ` Adhemerval Zanella Netto
@ 2023-05-16 19:53 ` Joe Simmons-Talbott
2023-05-16 22:00 ` Paul Eggert
1 sibling, 0 replies; 7+ messages in thread
From: Joe Simmons-Talbott @ 2023-05-16 19:53 UTC (permalink / raw)
To: Adhemerval Zanella Netto; +Cc: libc-alpha
On Tue, May 16, 2023 at 04:28:58PM -0300, Adhemerval Zanella Netto wrote:
>
>
> On 10/05/23 16:59, Joe Simmons-Talbott via Libc-alpha wrote:
> > Avoid possible stack overflow by replacing alloca() with malloc().
> > ---
> > time/strftime_l.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/time/strftime_l.c b/time/strftime_l.c
> > index 402c6c4111..59d3e1a3b2 100644
> > --- a/time/strftime_l.c
> > +++ b/time/strftime_l.c
> > @@ -273,8 +273,9 @@ static const CHAR_T zeroes[16] = /* "0000000000000000" */
> > const char *__s = os; \
> > memset (&__st, '\0', sizeof (__st)); \
> > l = __mbsrtowcs_l (NULL, &__s, 0, &__st, loc); \
> > - ws = alloca ((l + 1) * sizeof (wchar_t)); \
> > - (void) __mbsrtowcs_l (ws, &__s, l, &__st, loc); \
> > + ws = malloc ((l + 1) * sizeof (wchar_t)); \
> > + if (ws != NULL) \
> > + (void) __mbsrtowcs_l (ws, &__s, l, &__st, loc); \
> > }
> > #endif
> >
> > @@ -1346,7 +1347,10 @@ __strftime_internal (CHAR_T *s, size_t maxsize, const CHAR_T *format,
> > wchar_t *wczone;
> > size_t len;
> > widen (zone, wczone, len);
> > + if (wczone == NULL)
> > + return 0;
> > cpy (len, wczone);
> > + free (wczone);
> > }
> > #else
> > cpy (strlen (zone), zone);
>
> Do we have a practical maximum size for the abbreviate timezone name? The
> internal tz_rule 'name' field is just a pointer, but I think all timezones
> uses a maximum name size.
>
I was able to pass a random string in via the TZ environment variable.
I'm not sure if that matters since the size of the buffer (s) and
maxsize would still limit the amount of bytes from the TZ variable.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] time: strftime_l: Use malloc rather than an unbounded alloca.
2023-05-16 19:28 ` Adhemerval Zanella Netto
2023-05-16 19:53 ` Joe Simmons-Talbott
@ 2023-05-16 22:00 ` Paul Eggert
2023-05-17 11:04 ` Adhemerval Zanella Netto
1 sibling, 1 reply; 7+ messages in thread
From: Paul Eggert @ 2023-05-16 22:00 UTC (permalink / raw)
To: Adhemerval Zanella Netto, Joe Simmons-Talbott, libc-alpha
On 5/16/23 12:28, Adhemerval Zanella Netto via Libc-alpha wrote:
> Do we have a practical maximum size for the abbreviate timezone name? The
> internal tz_rule 'name' field is just a pointer, but I think all timezones
> uses a maximum name size.
In current TZDB data the longest abbreviation has four bytes (e.g.,
"AKST", "NZST"). Before TZDB release 2016g (2016-09-13) the longest was
48 bytes, for the Factory zone's "Local time zone must be set--see zic
manual page" abbreviation.
Although the TZif file format's limit is 2**32 - 1 bytes, the 'zic'
command won't process TZif files with abbreviations longer than about
2000 bytes, due to its internal input line buffer.
There is a limit even if you use long strings in TZ environment
variables, as glibc strftime is buggy when a buffer contains more than
INT_MAX bytes (it uses 'int' to store byte counts). This means you can't
effectively use a time zone abbreviation longer than about 2**31 - 1
bytes with glibc, even on 64-bit platforms. For example, a program like
the one shown below won't work with glibc.
For what it's worth, _POSIX_TZNAME_MAX is 6, that is, every POSIX
platform must support at least 6 bytes.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
int
main ()
{
size_t Xs = (1LL << 32) + 1;
char *tzbuf = malloc (sizeof "TZ=" - 1 + Xs + sizeof "0");
if (!tzbuf)
return perror ("malloc tzbuf"), 1;
size_t strftimebufsize = Xs + 2;
char *strftimebuf = malloc (strftimebufsize);
if (!strftimebuf)
return perror ("malloc strftimebuf"), 1;
strcpy (tzbuf, "TZ=");
memset (tzbuf + 3, 'X', Xs);
strcpy (tzbuf + 3 + Xs, "0");
if (putenv (tzbuf))
return perror ("putenv"), 1;
time_t t0 = 0;
struct tm *tm = localtime (&t0);
if (!tm)
return perror ("localtime"), 1;
size_t nbytes = strftime (strftimebuf, strftimebufsize, "%Z", tm);
if (!nbytes)
return perror ("strftime"), 1;
if (puts (strftimebuf) < 0)
return perror ("puts"), 1;
if (fclose (stdout) < 0)
return perror ("fclose"), 1;
return 0;
}
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] time: strftime_l: Use malloc rather than an unbounded alloca.
2023-05-16 22:00 ` Paul Eggert
@ 2023-05-17 11:04 ` Adhemerval Zanella Netto
2023-05-17 17:40 ` Paul Eggert
0 siblings, 1 reply; 7+ messages in thread
From: Adhemerval Zanella Netto @ 2023-05-17 11:04 UTC (permalink / raw)
To: Paul Eggert, Joe Simmons-Talbott, libc-alpha
On 16/05/23 19:00, Paul Eggert wrote:
> On 5/16/23 12:28, Adhemerval Zanella Netto via Libc-alpha wrote:
>> Do we have a practical maximum size for the abbreviate timezone name? The
>> internal tz_rule 'name' field is just a pointer, but I think all timezones
>> uses a maximum name size.
>
> In current TZDB data the longest abbreviation has four bytes (e.g., "AKST", "NZST"). Before TZDB release 2016g (2016-09-13) the longest was 48 bytes, for the Factory zone's "Local time zone must be set--see zic manual page" abbreviation.
>
> Although the TZif file format's limit is 2**32 - 1 bytes, the 'zic' command won't process TZif files with abbreviations longer than about 2000 bytes, due to its internal input line buffer.
>
> There is a limit even if you use long strings in TZ environment variables, as glibc strftime is buggy when a buffer contains more than INT_MAX bytes (it uses 'int' to store byte counts). This means you can't effectively use a time zone abbreviation longer than about 2**31 - 1 bytes with glibc, even on 64-bit platforms. For example, a program like the one shown below won't work with glibc.
>
> For what it's worth, _POSIX_TZNAME_MAX is 6, that is, every POSIX platform must support at least 6 bytes.
Thanks for the information, so do you think it would be feasible to assume
_POSIX_TZNAME_MAX or 48 (for Factory zone) to avoid the malloc call on
strftime_l?
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <time.h>
>
> int
> main ()
> {
> size_t Xs = (1LL << 32) + 1;
> char *tzbuf = malloc (sizeof "TZ=" - 1 + Xs + sizeof "0");
> if (!tzbuf)
> return perror ("malloc tzbuf"), 1;
> size_t strftimebufsize = Xs + 2;
> char *strftimebuf = malloc (strftimebufsize);
> if (!strftimebuf)
> return perror ("malloc strftimebuf"), 1;
> strcpy (tzbuf, "TZ=");
> memset (tzbuf + 3, 'X', Xs);
> strcpy (tzbuf + 3 + Xs, "0");
> if (putenv (tzbuf))
> return perror ("putenv"), 1;
> time_t t0 = 0;
> struct tm *tm = localtime (&t0);
> if (!tm)
> return perror ("localtime"), 1;
> size_t nbytes = strftime (strftimebuf, strftimebufsize, "%Z", tm);
> if (!nbytes)
> return perror ("strftime"), 1;
> if (puts (strftimebuf) < 0)
> return perror ("puts"), 1;
> if (fclose (stdout) < 0)
> return perror ("fclose"), 1;
> return 0;
> }
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] time: strftime_l: Use malloc rather than an unbounded alloca.
2023-05-17 11:04 ` Adhemerval Zanella Netto
@ 2023-05-17 17:40 ` Paul Eggert
2023-05-22 18:35 ` Joe Simmons-Talbott
0 siblings, 1 reply; 7+ messages in thread
From: Paul Eggert @ 2023-05-17 17:40 UTC (permalink / raw)
To: Adhemerval Zanella Netto; +Cc: Joe Simmons-Talbott, libc-alpha, Gnulib bugs
[-- Attachment #1: Type: text/plain, Size: 1044 bytes --]
On 2023-05-17 04:04, Adhemerval Zanella Netto wrote:
> do you think it would be feasible to assume
> _POSIX_TZNAME_MAX or 48 (for Factory zone) to avoid the malloc call on
> strftime_l?
ALthough it's technically feasible, it'd be some work. Among other
things, whatever limit we chose would have to become visible via
<limits.h> and sysconf and etc., and we'd need to document that there is
now a limit. Better, I think, would be to continue to follow the GNU
coding standards and not impose an arbitrary limit on time zone
abbreviation length, even for the highly unusual case where code is
calling wcsftime or wcsftime_l.
How about avoiding the malloc in the following way? I installed the
attached patch into Gnulib lib/nstrftime.c, which has forked from glibc
but with some work could be merged back in, and this should also fix the
glibc bugs with buffer sizes exceeding INT_MAX.
If you don't want all the hassle of merging, you can cherry-pick this
patch. I haven't tested the patch, though, as Gnulib does not use this code.
[-- Attachment #2: 0001-nstrftime-suggest-to-glibc-how-to-avoid-alloca.patch --]
[-- Type: text/x-patch, Size: 3620 bytes --]
From 197eec6075bbaf2b97137115a09a6bbce43b4dd4 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Wed, 17 May 2023 10:27:40 -0700
Subject: [PATCH] nstrftime: suggest to glibc how to avoid alloca
* lib/nstrftime.c (widen) [COMPILE_WIDE]: Remove.
(__strftime_internal) [COMPILE_WIDE): Instead of converting the
multibyte time zone abbreviation into a potentially unbounded
alloca buffer, convert it directly into the output buffer.
Although this code is not used in Gnulib, this can help the glibc
developers avoid the problem on the glibc side.
---
ChangeLog | 10 ++++++++++
lib/nstrftime.c | 39 +++++++++++++++++++++++++--------------
2 files changed, 35 insertions(+), 14 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ecbc25ef06..36b3c65b81 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2023-05-17 Paul Eggert <eggert@cs.ucla.edu>
+
+ nstrftime: suggest to glibc how to avoid alloca
+ * lib/nstrftime.c (widen) [COMPILE_WIDE]: Remove.
+ (__strftime_internal) [COMPILE_WIDE): Instead of converting the
+ multibyte time zone abbreviation into a potentially unbounded
+ alloca buffer, convert it directly into the output buffer.
+ Although this code is not used in Gnulib, this can help the glibc
+ developers avoid the problem on the glibc side.
+
2023-05-15 Bruno Haible <bruno@clisp.org>
doc: New chapter "Strings and Characters".
diff --git a/lib/nstrftime.c b/lib/nstrftime.c
index 68bb560910..35a9307e1a 100644
--- a/lib/nstrftime.c
+++ b/lib/nstrftime.c
@@ -226,15 +226,6 @@ extern char *tzname[];
# undef __mbsrtowcs_l
# define __mbsrtowcs_l(d, s, l, st, loc) __mbsrtowcs (d, s, l, st)
# endif
-# define widen(os, ws, l) \
- { \
- mbstate_t __st; \
- const char *__s = os; \
- memset (&__st, '\0', sizeof (__st)); \
- l = __mbsrtowcs_l (NULL, &__s, 0, &__st, loc); \
- ws = (wchar_t *) alloca ((l + 1) * sizeof (wchar_t)); \
- (void) __mbsrtowcs_l (ws, &__s, l, &__st, loc); \
- }
#endif
@@ -1374,11 +1365,31 @@ __strftime_internal (STREAM_OR_CHAR_T *s, STRFTIME_ARG (size_t maxsize)
#ifdef COMPILE_WIDE
{
/* The zone string is always given in multibyte form. We have
- to transform it first. */
- wchar_t *wczone;
- size_t len;
- widen (zone, wczone, len);
- cpy (len, wczone);
+ to convert it to wide character. */
+ size_t w = pad == L_('-') || width < 0 ? 0 : width;
+ char const *z = zone;
+ mbstate_t st = {0};
+ size_t len = __mbsrtowcs_l (p, &z, maxsize - i, &st, loc);
+ if (len == (size_t) -1)
+ return 0;
+ size_t incr = len < w ? w : len;
+ if (incr >= maxsize - i)
+ {
+ errno = ERANGE;
+ return 0;
+ }
+ if (p)
+ {
+ if (len < w)
+ {
+ size_t delta = w - len;
+ wmemmove (p + delta, p, len);
+ wchar_t wc = pad == L_('0') || pad == L_('+') ? L'0' : L' ';
+ wmemset (p, wc, delta);
+ }
+ p += incr;
+ }
+ i += incr;
}
#else
cpy (strlen (zone), zone);
--
2.39.2
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] time: strftime_l: Use malloc rather than an unbounded alloca.
2023-05-17 17:40 ` Paul Eggert
@ 2023-05-22 18:35 ` Joe Simmons-Talbott
0 siblings, 0 replies; 7+ messages in thread
From: Joe Simmons-Talbott @ 2023-05-22 18:35 UTC (permalink / raw)
To: Paul Eggert; +Cc: Adhemerval Zanella Netto, libc-alpha, Gnulib bugs
On Wed, May 17, 2023 at 10:40:05AM -0700, Paul Eggert wrote:
> On 2023-05-17 04:04, Adhemerval Zanella Netto wrote:
> > do you think it would be feasible to assume
> > _POSIX_TZNAME_MAX or 48 (for Factory zone) to avoid the malloc call on
> > strftime_l?
>
> ALthough it's technically feasible, it'd be some work. Among other things,
> whatever limit we chose would have to become visible via <limits.h> and
> sysconf and etc., and we'd need to document that there is now a limit.
> Better, I think, would be to continue to follow the GNU coding standards and
> not impose an arbitrary limit on time zone abbreviation length, even for the
> highly unusual case where code is calling wcsftime or wcsftime_l.
>
> How about avoiding the malloc in the following way? I installed the attached
> patch into Gnulib lib/nstrftime.c, which has forked from glibc but with some
> work could be merged back in, and this should also fix the glibc bugs with
> buffer sizes exceeding INT_MAX.
>
> If you don't want all the hassle of merging, you can cherry-pick this patch.
> I haven't tested the patch, though, as Gnulib does not use this code.
I've pushed your suggested patch after testing on x86_64 and i686. [1]
Thanks,
Joe
[1] https://sourceware.org/pipermail/libc-alpha/2023-May/148384.html
> From 197eec6075bbaf2b97137115a09a6bbce43b4dd4 Mon Sep 17 00:00:00 2001
> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Wed, 17 May 2023 10:27:40 -0700
> Subject: [PATCH] nstrftime: suggest to glibc how to avoid alloca
>
> * lib/nstrftime.c (widen) [COMPILE_WIDE]: Remove.
> (__strftime_internal) [COMPILE_WIDE): Instead of converting the
> multibyte time zone abbreviation into a potentially unbounded
> alloca buffer, convert it directly into the output buffer.
> Although this code is not used in Gnulib, this can help the glibc
> developers avoid the problem on the glibc side.
> ---
> ChangeLog | 10 ++++++++++
> lib/nstrftime.c | 39 +++++++++++++++++++++++++--------------
> 2 files changed, 35 insertions(+), 14 deletions(-)
>
> diff --git a/ChangeLog b/ChangeLog
> index ecbc25ef06..36b3c65b81 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,13 @@
> +2023-05-17 Paul Eggert <eggert@cs.ucla.edu>
> +
> + nstrftime: suggest to glibc how to avoid alloca
> + * lib/nstrftime.c (widen) [COMPILE_WIDE]: Remove.
> + (__strftime_internal) [COMPILE_WIDE): Instead of converting the
> + multibyte time zone abbreviation into a potentially unbounded
> + alloca buffer, convert it directly into the output buffer.
> + Although this code is not used in Gnulib, this can help the glibc
> + developers avoid the problem on the glibc side.
> +
> 2023-05-15 Bruno Haible <bruno@clisp.org>
>
> doc: New chapter "Strings and Characters".
> diff --git a/lib/nstrftime.c b/lib/nstrftime.c
> index 68bb560910..35a9307e1a 100644
> --- a/lib/nstrftime.c
> +++ b/lib/nstrftime.c
> @@ -226,15 +226,6 @@ extern char *tzname[];
> # undef __mbsrtowcs_l
> # define __mbsrtowcs_l(d, s, l, st, loc) __mbsrtowcs (d, s, l, st)
> # endif
> -# define widen(os, ws, l) \
> - { \
> - mbstate_t __st; \
> - const char *__s = os; \
> - memset (&__st, '\0', sizeof (__st)); \
> - l = __mbsrtowcs_l (NULL, &__s, 0, &__st, loc); \
> - ws = (wchar_t *) alloca ((l + 1) * sizeof (wchar_t)); \
> - (void) __mbsrtowcs_l (ws, &__s, l, &__st, loc); \
> - }
> #endif
>
>
> @@ -1374,11 +1365,31 @@ __strftime_internal (STREAM_OR_CHAR_T *s, STRFTIME_ARG (size_t maxsize)
> #ifdef COMPILE_WIDE
> {
> /* The zone string is always given in multibyte form. We have
> - to transform it first. */
> - wchar_t *wczone;
> - size_t len;
> - widen (zone, wczone, len);
> - cpy (len, wczone);
> + to convert it to wide character. */
> + size_t w = pad == L_('-') || width < 0 ? 0 : width;
> + char const *z = zone;
> + mbstate_t st = {0};
> + size_t len = __mbsrtowcs_l (p, &z, maxsize - i, &st, loc);
> + if (len == (size_t) -1)
> + return 0;
> + size_t incr = len < w ? w : len;
> + if (incr >= maxsize - i)
> + {
> + errno = ERANGE;
> + return 0;
> + }
> + if (p)
> + {
> + if (len < w)
> + {
> + size_t delta = w - len;
> + wmemmove (p + delta, p, len);
> + wchar_t wc = pad == L_('0') || pad == L_('+') ? L'0' : L' ';
> + wmemset (p, wc, delta);
> + }
> + p += incr;
> + }
> + i += incr;
> }
> #else
> cpy (strlen (zone), zone);
> --
> 2.39.2
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2023-05-22 18:35 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-10 19:59 [PATCH] time: strftime_l: Use malloc rather than an unbounded alloca Joe Simmons-Talbott
2023-05-16 19:28 ` Adhemerval Zanella Netto
2023-05-16 19:53 ` Joe Simmons-Talbott
2023-05-16 22:00 ` Paul Eggert
2023-05-17 11:04 ` Adhemerval Zanella Netto
2023-05-17 17:40 ` Paul Eggert
2023-05-22 18:35 ` Joe Simmons-Talbott
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).