Message-ID: <44212bc5-7c51-edcb-fee9-47beeb7ff233@redhat.com>
Date: Thu, 18 Jan 2024 10:20:00 -0500
Subject: Re: [PATCH v7] posix: Deprecate group_member for Linux
To: Joe Simmons-Talbott, libc-alpha@sourceware.org, "Andreas K. Huettel"
References: <20231213152931.3489354-1-josimmon@redhat.com>
From: Carlos O'Donell
Organization: Red Hat
In-Reply-To: <20231213152931.3489354-1-josimmon@redhat.com>

On 12/13/23 10:29, Joe Simmons-Talbott wrote:
> The alloca usage in group_member could lead to stack overflow on Linux.
> Removing the alloca usage would require group_member to handle the error
> condition where memory could not be allocated and that cannot be done
> since group_member returns a boolean value. Thus deprecate group_member.
> Add an internal only implementation of __group_member2 using a
> scratch_buffer and return -1 for memory allocation errors. Use
> __group_member2 in place of __group_member internally. Add testcases
> for both group_member and __group_member2.

Andreas asked me about the applicability of this to the upcoming glibc 2.39 release.

My opinion is that this needs to wait for review and inclusion into 2.40.

The internal __group_member2 usage and dependency means that we want more testing
time for this in downstream rolling releases like Rawhide/Tumbleweed.

> ---
> Changes to v6:
> * Use the initial scratch_buffer size as the starting point for
>   determining how much space is needed to store the group list.
> * Call getgroups() with a zero size and set the scratch_buffer size
>   based on the returned number of groups.
>
> Changes to v5:
> * Add __group_member2 and use it internally in the place of the now
>   deprecated group_member.
> * Add a testcase for __group_member2.
> > Changes to v4: > * Rebase onto latest commit. > > Changes to v3: > * Fix include guards to match file location _BITS_GROUP_MEMBER_H > * Fix indentation of preprocessor directives > > Changes to v2: > * Move the linux group_member.h to the bits directory > * Include the correct group_member.h in posix/unistd.h > > Changes to v1: > * Add NEWS entry > * Move group_member.h to bits/group_member.h > * Include bits/group_member.h in installed headers > * Add tests to group_member.h files to only be included from unistd.h > NEWS | 4 ++ > bits/group_member.h | 31 +++++++++++++++ > include/unistd.h | 1 + > posix/Makefile | 8 ++++ > posix/group_member.c | 35 +++++++++++++++++ > posix/tst-group_member.c | 41 ++++++++++++++++++++ > posix/tst-group_member2.c | 43 +++++++++++++++++++++ > posix/unistd.h | 6 +-- > sysdeps/posix/euidaccess.c | 9 ++++- > sysdeps/unix/sysv/linux/bits/group_member.h | 32 +++++++++++++++ > sysdeps/unix/sysv/linux/faccessat.c | 8 +++- > 11 files changed, 212 insertions(+), 6 deletions(-) > create mode 100644 bits/group_member.h > create mode 100644 posix/tst-group_member.c > create mode 100644 posix/tst-group_member2.c > create mode 100644 sysdeps/unix/sysv/linux/bits/group_member.h > > diff --git a/NEWS b/NEWS > index 3f0dee4fcc..032c5ff83d 100644 > --- a/NEWS > +++ b/NEWS > @@ -68,6 +68,10 @@ Deprecated and removed features, and other changes affecting compatibility: > of GNU libc are advised to check whether their build processes can be > simplified. > > +* Deprecated group_member on Linux as it uses alloca to allocate a large > + buffer and has no capability for indicating failure for other memory > + allocations. > + > Changes to build and runtime requirements: > > * Building on LoongArch requires at a minimum binutils 2.41 for vector > diff --git a/bits/group_member.h b/bits/group_member.h > new file mode 100644 > index 0000000000..7c43e7ee06 > --- /dev/null > +++ b/bits/group_member.h 
> @@ -0,0 +1,31 @@ > +/* group_member declaration > + Copyright (C) 2023 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + . */ > + > +#ifndef _UNISTD_H > +# error "Never use directly; include instead." > +#endif > + > +#ifndef _BITS_GROUP_MEMBER_H > +# define _BITS_GROUP_MEMBER_H 1 > + > +# ifdef __USE_GNU > +/* Return nonzero iff the calling process is in group GID. */ > +extern int group_member (__gid_t __gid) __THROW; > +# endif > + > +#endif /* _BITS_GROUP_MEMBER_H */ > diff --git a/include/unistd.h b/include/unistd.h > index e241603b81..39d5bda372 100644 > --- a/include/unistd.h > +++ b/include/unistd.h > @@ -131,6 +131,7 @@ extern __gid_t __getegid (void) attribute_hidden; > extern int __getgroups (int __size, __gid_t __list[]) attribute_hidden; > libc_hidden_proto (__getpgid) > extern int __group_member (__gid_t __gid) attribute_hidden; > +extern int __group_member2 (__gid_t __gid) attribute_hidden; > extern int __setuid (__uid_t __uid); > extern int __setreuid (__uid_t __ruid, __uid_t __euid); > extern int __setgid (__gid_t __gid); > diff --git a/posix/Makefile b/posix/Makefile > index 3ab124d040..c4948e3980 100644 > --- a/posix/Makefile > +++ b/posix/Makefile 
> @@ -29,6 +29,7 @@ headers := \ > bits/getopt_core.h \ > bits/getopt_ext.h \ > bits/getopt_posix.h \ > + bits/group_member.h \ > bits/local_lim.h \ > bits/mman_ext.h \ > bits/posix1_lim.h \ > @@ -291,6 +292,7 @@ tests := \ > tst-glob_symlinks \ > tst-gnuglob \ > tst-gnuglob64 \ > + tst-group_member \ > tst-mmap \ > tst-mmap-offset \ > tst-nanosleep \ > @@ -479,6 +481,10 @@ tests-special += \ > # tests-special > endif > > +# This test calls __group_member2 directly, which is not exported from glibc. > +tests-internal += tst-group_member2 > +tests-static += tst-group_member2 > + > include ../Rules > > ifeq ($(run-built-tests),yes) > @@ -606,6 +612,8 @@ bug-glob1-ARGS = "$(objpfx)" > tst-execvp3-ARGS = --test-dir=$(objpfx) > CFLAGS-tst-spawn3.c += -DOBJPFX=\"$(objpfx)\" > > +CFLAGS-tst-group_member.c += -Wno-error=deprecated-declarations > + > # Test voluntarily overflows struct dirent > CFLAGS-bug-glob2.c += $(no-fortify-source) > > diff --git a/posix/group_member.c b/posix/group_member.c > index 22422b1f9f..deb8bb404b 100644 > --- a/posix/group_member.c > +++ b/posix/group_member.c > @@ -18,6 +18,7 @@ > > #include > #include > +#include > #include > #include > > @@ -47,3 +48,37 @@ __group_member (gid_t gid) > return 0; > } > weak_alias (__group_member, group_member) > + > +int > +__group_member2 (gid_t gid) > +{ > + int n; > + gid_t *groups; > + struct scratch_buffer sbuf; > + scratch_buffer_init (&sbuf); > + groups = sbuf.data; > + > + do > + { > + n = __getgroups (0, NULL); > + if (n > sbuf.length) > + { > + if (!scratch_buffer_set_array_size (&sbuf, sizeof (*groups), n)) > + return -1; > + groups = sbuf.data; > + } > + > + n = __getgroups (n, groups); > + } > + while (n > sbuf.length); > + > + while (n-- > 0) > + if (groups[n] == gid) > + { > + scratch_buffer_free (&sbuf); > + return 1; > + } > + > + scratch_buffer_free (&sbuf); > + return 0; > +} 
> diff --git a/posix/tst-group_member.c b/posix/tst-group_member.c > new file mode 100644 > index 0000000000..7f70841832 > --- /dev/null > +++ b/posix/tst-group_member.c > @@ -0,0 +1,41 @@ > +/* Basic tests for group_member. > + Copyright (C) 2023 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + . */ > + > +#include > +#include > +#include > +#include > + > +#include > + > +static int do_test (void) > +{ > + int n; > + gid_t *groups; > + > + n = getgroups (0, NULL); > + groups = alloca (n * sizeof (*groups)); > + n = getgroups (n, groups); > + > + while (n-- > 0) > + TEST_COMPARE (1, group_member(groups[n])); > + > + return EXIT_SUCCESS; > +} > + > +#include > diff --git a/posix/tst-group_member2.c b/posix/tst-group_member2.c > new file mode 100644 > index 0000000000..ee448c578a > --- /dev/null > +++ b/posix/tst-group_member2.c 
> @@ -0,0 +1,43 @@ > +/* Basic tests for group_member. > + Copyright (C) 2023 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + . */ > + > +#include > +#include > +#include > +#include > + > +#include > + > +extern int __group_member2 (__gid_t __gid); > + > +static int do_test (void) > +{ > + int n; > + gid_t *groups; > + > + n = getgroups (0, NULL); > + groups = alloca (n * sizeof (*groups)); > + n = getgroups (n, groups); > + > + while (n-- > 0) > + TEST_COMPARE (1, __group_member2(groups[n])); > + > + return EXIT_SUCCESS; > +} > + > +#include > diff --git a/posix/unistd.h b/posix/unistd.h > index 5b91ad4aaa..ccc55bb501 100644 > --- a/posix/unistd.h > +++ b/posix/unistd.h > @@ -710,10 +710,10 @@ extern __gid_t getegid (void) __THROW; > of its supplementary groups in LIST and return the number written. */ > extern int getgroups (int __size, __gid_t __list[]) __THROW __wur > __fortified_attr_access (__write_only__, 2, 1); > + > #ifdef __USE_GNU > -/* Return nonzero iff the calling process is in group GID. */ > -extern int group_member (__gid_t __gid) __THROW; > -#endif > +# include > +#endif > > /* Set the user ID of the calling process to UID. > If the calling process is the super-user, set the real 
> diff --git a/sysdeps/posix/euidaccess.c b/sysdeps/posix/euidaccess.c > index 2282a0a8dd..2eb9db4c95 100644 > --- a/sysdeps/posix/euidaccess.c > +++ b/sysdeps/posix/euidaccess.c > @@ -81,7 +81,7 @@ extern int errno; > > #ifdef _LIBC > > -# define group_member __group_member > +# define group_member __group_member2 > # define euidaccess __euidaccess > > #else > @@ -167,9 +167,14 @@ euidaccess (const char *path, int mode) > || (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))) > return 0; > > + int gm = group_member (stats.st_gid); > + if (euid != stats.st_uid && egid != stats.st_gid) > + if (gm == -1) > + return -1; > + > if (euid == stats.st_uid) > granted = (unsigned int) (stats.st_mode & (mode << 6)) >> 6; > - else if (egid == stats.st_gid || group_member (stats.st_gid)) > + else if (egid == stats.st_gid || gm) > granted = (unsigned int) (stats.st_mode & (mode << 3)) >> 3; > else > granted = (stats.st_mode & mode); > diff --git a/sysdeps/unix/sysv/linux/bits/group_member.h b/sysdeps/unix/sysv/linux/bits/group_member.h > new file mode 100644 > index 0000000000..0dd9505c76 > --- /dev/null > +++ b/sysdeps/unix/sysv/linux/bits/group_member.h 
> @@ -0,0 +1,32 @@ > +/* group_member declaration > + Copyright (C) 2023 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + . */ > + > +#ifndef _UNISTD_H > +# error "Never use directly; include instead." > +#endif > + > +#ifndef _BITS_GROUP_MEMBER_H > +# define _BITS_GROUP_MEMBER_H 1 > + > +# ifdef __USE_GNU > +/* Return nonzero iff the calling process is in group GID. Deprecated */ > +extern int group_member (__gid_t __gid) __THROW > + __attribute_deprecated_msg__ ("may overflow the stack"); > +# endif > + > +#endif /* _BITS_GROUP_MEMBER_H */ > diff --git a/sysdeps/unix/sysv/linux/faccessat.c b/sysdeps/unix/sysv/linux/faccessat.c > index 0ccbd778b5..f28ab0a6f4 100644 > --- a/sysdeps/unix/sysv/linux/faccessat.c > +++ b/sysdeps/unix/sysv/linux/faccessat.c 
> @@ -59,11 +59,17 @@ __faccessat (int fd, const char *file, int mode, int flag) > || (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))) > return 0; > > + int gm = __group_member2 (stats.st_gid); > + if (uid != stats.st_uid && > + (stats.st_gid != ((flag & AT_EACCESS) ? __getegid () : __getgid ()))) > + if (gm == -1) > + return -1; > + > int granted = (uid == stats.st_uid > ? (unsigned int) (stats.st_mode & (mode << 6)) >> 6 > : (stats.st_gid == ((flag & AT_EACCESS) > ? __getegid () : __getgid ()) > - || __group_member (stats.st_gid)) > + || gm) > ? (unsigned int) (stats.st_mode & (mode << 3)) >> 3 > : (stats.st_mode & mode)); > -- Cheers, Carlos.
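
Review bot: in __group_member2 (posix/group_member.c), `n > sbuf.length` compares a count of gid_t entries with sbuf.length, which the `scratch_buffer_set_array_size (&sbuf, sizeof (*groups), n)` call shows is sized in bytes. When n is larger than the number of gid_t slots in the initial buffer but not larger than its byte length, the buffer is not grown and `__getgroups (n, groups)` writes past its end. Compare against `sbuf.length / sizeof (*groups)` in both the if and the while condition. A -1 return from either __getgroups call is also not checked explicitly and is handled only through the int-to-unsigned conversion in those comparisons; test `n < 0` and return -1 directly.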
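
Review bot: in euidaccess (sysdeps/posix/euidaccess.c, hunk at -167,9), `group_member (stats.st_gid)` now runs before the `euid == stats.st_uid` and `egid == stats.st_gid` tests, so the group list is fetched even in the cases the old `egid == stats.st_gid || group_member (...)` short-circuit never queried it. Move the call into the else-if branch where the result is needed and return -1 from there when it is -1; that also removes the nested if without braces. A short comment that -1 can only come from __group_member2 through the _LIBC define would help readers of this shared file.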
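
Review bot: in __faccessat (sysdeps/unix/sysv/linux/faccessat.c), the `(flag & AT_EACCESS) ? __getegid () : __getgid ()` expression now appears twice and __group_member2 is called even when `uid == stats.st_uid`. Compute the gid once into a local, call __group_member2 only when neither the uid nor that gid matches, and return -1 at that point. Style: the `&&` should start the continuation line rather than end the previous one, and the nested if needs braces or should be folded into a single condition.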
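
Review bot: do_test in posix/tst-group_member.c only asserts that group_member returns 1 for gids that getgroups reported; there is no case for a gid that is absent from the list, and a process with no supplementary groups makes the loop run zero times. The return values of both getgroups calls are also used unchecked, so a -1 would reach `alloca (n * sizeof (*groups))`. Check the return values, add a negative case, and put a space before the parenthesis in `group_member(groups[n])`.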
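
Review bot: the header comment of posix/tst-group_member2.c still reads "Basic tests for group_member." although the file tests __group_member2; please update it. The test covers only the return-1 case, so neither the new -1 return nor the buffer-growing branch of __group_member2 is exercised; since this function now decides the result of euidaccess and faccessat, at least a non-member gid returning 0 should be asserted. `__group_member2(groups[n])` also needs a space before the parenthesis.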
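
Review bot: in sysdeps/unix/sysv/linux/bits/group_member.h the comment ends with "Deprecated */" without the period the other comments in the patch use, and the deprecation message "may overflow the stack" does not tell callers what to use instead. Since __group_member2 is attribute_hidden and not available to them, name the supported alternative in the message or in the NEWS entry.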