public inbox for libc-alpha@sourceware.org
From: Carlos O'Donell <carlos@redhat.com>
To: Martin Sebor <msebor@gmail.com>, libc-alpha@sourceware.org
Subject: Re: [PATCH v2 5/5] avoid -Wuse-after-free [BZ #26779]
Date: Tue, 25 Jan 2022 12:49:36 -0500
Message-ID: <b480e565-2283-6f1a-172f-68afff44891d@redhat.com>
In-Reply-To: <50baa5fb-c1ee-f7dc-b7d6-cf4587782062@gmail.com>

On 1/24/22 19:58, Martin Sebor via Libc-alpha wrote:
> On 1/24/22 17:52, Martin Sebor wrote:
>> This is a repost of the original patch but broken down by source
>> file and with some suppression done by #pragma GCC diagnostic
>> instead of conversion to intptr_t.  It also adds fixes for
>> the same problem in the test suite that I overlooked before.
> 
> The attached patch suppresses the -Wuse-after-free instance in
> the testsuite.
> 
>>
>> On 1/15/22 17:21, Martin Sebor wrote:
>>> GCC 12 features a couple of new warnings designed to detect uses
>>> of pointers made invalid by the pointees' lifetimes having ended.
>>> Building Glibc with the enhanced GCC exposes a few such uses,
>>> mostly after successful calls to realloc.  The attached patch
>>> avoids the new warnings by converting the pointers to uintptr_t
>>> first and using the converted integers instead.
>>>
>>> The patch suppresses all instances of the warning at the strictest
>>> setting (-Wuse-after-free=3), which includes even uses in equality
>>> expressions.  The default setting approved for GCC 12 is
>>> -Wuse-after-free=2, which doesn't warn on such uses to accommodate
>>> the pointer-adjustment-after-realloc idiom.  At the default setting,
>>> the changes to ldconfig.c and setenv are not necessary.
>>>
>>> Martin
>>

This patch is not ready.

Some tests are going to do invalid things to test specific behaviour and we need
to possibly suppress those warnings. The malloc tests look correct.

The support/tst-support-open-dev-null-range.c doesn't look correct, please send v3
of just this *whole* patch as a new patch. I'll review again.

> diff --git a/malloc/tst-malloc-backtrace.c b/malloc/tst-malloc-backtrace.c
> index ea66da23ef..8a3f4a0b55 100644
> --- a/malloc/tst-malloc-backtrace.c
> +++ b/malloc/tst-malloc-backtrace.c
> @@ -20,6 +20,7 @@
>  #include <stdlib.h>
>  
>  #include <support/support.h>
> +#include <libc-diag.h>

OK. Add header required for DIAG_* macros.

>  
>  #define SIZE 4096
>  
> @@ -29,7 +30,15 @@ __attribute__((noinline))
>  call_free (void *ptr)
>  {
>    free (ptr);
> +#if __GNUC_PREREQ (12, 0)
> +  /* Ignore a valid warning about using a pointer made indeterminate
> +     by a prior call to malloc().  */
> +  DIAG_IGNORE_NEEDS_COMMENT (12, "-Wuse-after-free");
> +#endif
>    *(size_t *)(ptr - sizeof (size_t)) = 1;
> +#if __GNUC_PREREQ (12, 0)
> +  DIAG_POP_NEEDS_COMMENT;
> +#endif

OK. Specifically testing use-after-free write to chunk to corrupt memory.

>  }
>  
>  int
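Review bot: the new comment in call_free names the wrong call. The pointer is made indeterminate by the `free (ptr);` on the line directly above, not by malloc(), so "by a prior call to malloc()" should read "by the preceding call to free()". It would also help to say in the same comment that the write through `ptr - sizeof (size_t)` is the deliberate chunk corruption this test exists to exercise, so the suppression is not later mistaken for a warning being papered over.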
> diff --git a/malloc/tst-malloc-check.c b/malloc/tst-malloc-check.c
> index 46938c0dbb..eb46cf3bbb 100644
> --- a/malloc/tst-malloc-check.c
> +++ b/malloc/tst-malloc-check.c

OK. Already includes libc-diag.h.

> @@ -86,7 +86,15 @@ do_test (void)
>      merror ("errno is not set correctly.");
>    DIAG_POP_NEEDS_COMMENT;
>  
> +#if __GNUC_PREREQ (12, 0)
> +  /* Ignore a valid warning about using a pointer made indeterminate
> +     by a prior call to realloc().  */
> +  DIAG_IGNORE_NEEDS_COMMENT (12, "-Wuse-after-free");
> +#endif
>    free (p);
> +#if __GNUC_PREREQ (12, 0)
> +  DIAG_POP_NEEDS_COMMENT;
> +#endif

OK. Previous realloc made p indeterminate.

>  
>    p = malloc (512);
>    if (p == NULL)
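Review bot: the comment calls this a "valid warning", but the errno check in the context above (`merror ("errno is not set correctly.")`) suggests the preceding realloc was a failing call; if so, a failed realloc leaves the original block allocated, and `free (p);` is a correct free of a live block rather than a genuine use-after-free. Suggest wording the comment as "GCC cannot see that the preceding realloc failed and treats p as indeterminate; the free is correct" so a future reader does not take the suppression as hiding a real bug.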
> @@ -104,7 +112,15 @@ do_test (void)
>      merror ("errno is not set correctly.");
>    DIAG_POP_NEEDS_COMMENT;
>  
> +#if __GNUC_PREREQ (12, 0)
> +  /* Ignore a valid warning about using a pointer made indeterminate
> +     by a prior call to realloc().  */
> +  DIAG_IGNORE_NEEDS_COMMENT (12, "-Wuse-after-free");
> +#endif
>    free (p);
> +#if __GNUC_PREREQ (12, 0)
> +  DIAG_POP_NEEDS_COMMENT;
> +#endif

OK. Likewise.

>    free (q);
>  
>    return errors != 0;
> diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c
> index e23aa08e4f..dac3c8086c 100644
> --- a/malloc/tst-malloc-too-large.c
> +++ b/malloc/tst-malloc-too-large.c

OK. Already includes libc-diag.h.

> @@ -95,7 +95,15 @@ test_large_allocations (size_t size)
>    DIAG_POP_NEEDS_COMMENT;
>  #endif
>    TEST_VERIFY (errno == ENOMEM);
> +#if __GNUC_PREREQ (12, 0)
> +  /* Ignore a warning about using a pointer made indeterminate by
> +     a prior call to realloc().  */
> +  DIAG_IGNORE_NEEDS_COMMENT (12, "-Wuse-after-free");
> +#endif
>    free (ptr_to_realloc);
> +#if __GNUC_PREREQ (12, 0)
> +  DIAG_POP_NEEDS_COMMENT;
> +#endif

OK.

>  
>    for (size_t nmemb = 1; nmemb <= 8; nmemb *= 2)
>      if ((size % nmemb) == 0)
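Review bot: the comment wording here ("Ignore a warning about ...") differs from the copies in tst-malloc-check.c ("Ignore a valid warning about ..."); pick one form for the whole series. The weaker form is the accurate one: `TEST_VERIFY (errno == ENOMEM)` directly above shows the realloc was expected to fail, so ptr_to_realloc still owns its block and `free (ptr_to_realloc);` is correct; the comment should state that the diagnostic is a false positive in this test rather than a valid one.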
> @@ -113,14 +121,30 @@ test_large_allocations (size_t size)
>          test_setup ();
>          TEST_VERIFY (reallocarray (ptr_to_realloc, nmemb, size / nmemb) == NULL);
>          TEST_VERIFY (errno == ENOMEM);
> +#if __GNUC_PREREQ (12, 0)
> +  /* Ignore a warning about using a pointer made indeterminate by
> +     a prior call to realloc().  */
> +  DIAG_IGNORE_NEEDS_COMMENT (12, "-Wuse-after-free");
> +#endif
>          free (ptr_to_realloc);
> +#if __GNUC_PREREQ (12, 0)
> +  DIAG_POP_NEEDS_COMMENT;
> +#endif

OK.

>  
>          ptr_to_realloc = malloc (16);
>          TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
>          test_setup ();
>          TEST_VERIFY (reallocarray (ptr_to_realloc, size / nmemb, nmemb) == NULL);
>          TEST_VERIFY (errno == ENOMEM);
> +#if __GNUC_PREREQ (12, 0)
> +  /* Ignore a warning about using a pointer made indeterminate by
> +     a prior call to realloc().  */
> +  DIAG_IGNORE_NEEDS_COMMENT (12, "-Wuse-after-free");
> +#endif
>          free (ptr_to_realloc);
> +#if __GNUC_PREREQ (12, 0)
> +  DIAG_POP_NEEDS_COMMENT;
> +#endif

OK.

>        }
>      else
>        break;
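Review bot: the inserted `#if __GNUC_PREREQ (12, 0)`, `DIAG_IGNORE_NEEDS_COMMENT (12, "-Wuse-after-free");` and `DIAG_POP_NEEDS_COMMENT;` lines and their comments are indented two spaces, while the `free (ptr_to_realloc);` they wrap sits eight spaces in inside the for/if body; indent the pragma lines and comments to match the enclosing block (the same applies to both ignore/pop pairs in this hunk).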
> diff --git a/support/tst-support-open-dev-null-range.c b/support/tst-support-open-dev-null-range.c
> index 3ed3177d57..e7526597ce 100644
> --- a/support/tst-support-open-dev-null-range.c
> +++ b/support/tst-support-open-dev-null-range.c
> @@ -26,6 +26,8 @@
>  #include <sys/resource.h>
>  #include <stdlib.h>
>  
> +#include <libc-diag.h>

OK. New macros required.

> +
>  #ifndef PATH_MAX
>  # define PATH_MAX 1024
>  #endif
> @@ -41,8 +43,18 @@ check_path (int fd)
>      = readlink (proc_fd_path, file_path, sizeof (file_path));
>    free (proc_fd_path);
>    if (file_path_length < 0)
> -    FAIL_EXIT1 ("readlink (%s, %p, %zu)", proc_fd_path, file_path,
> -		sizeof (file_path));
> +    {
> +#if __GNUC_PREREQ (12, 0)
> +  /* Ignore a valid warning about using a pointer made indeterminate
> +     by a prior call to free().  */
> +  DIAG_IGNORE_NEEDS_COMMENT (12, "-Wuse-after-free");
> +#endif
> +      FAIL_EXIT1 ("readlink (%s, %p, %zu)", proc_fd_path, file_path,
> +		  sizeof (file_path));
> +#if __GNUC_PREREQ (12, 0)
> +      DIAG_POP_NEEDS_COMMENT;
> +#endif
> +    }

We should move free (proc_fd_path) to after the check to correct the use-after-free.

>    file_path[file_path_length] = '\0';
>    TEST_COMPARE_STRING (file_path, "/dev/null");
>  }
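Review bot: agreed that the suppression is the wrong fix in check_path. `free (proc_fd_path);` runs before the `if (file_path_length < 0)` branch, and FAIL_EXIT1 then formats the freed string with `%s`, so this is a real read of freed memory on the error path, not a spurious diagnostic. Moving the free to after the if block fixes it (the error branch exits, so nothing leaks) and removes the need for the new braces and both pragma blocks. If any pragma does stay, note that `DIAG_IGNORE_NEEDS_COMMENT` and its comment are at two spaces while `DIAG_POP_NEEDS_COMMENT` in the same block is at six; make them match.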


-- 
Cheers,
Carlos.
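As an added example (not code from the glibc patch or from this thread), here is the pointer-adjustment-after-realloc idiom that Martin's description refers to, written the way his patch resolved it: the addresses are captured as uintptr_t before the realloc, so no stale pointer is read afterwards. The struct textbuf and its two functions are constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed for this example: a growable text buffer with two interior
   pointers that must stay valid when realloc moves the block.  */
struct textbuf
{
  char *base, *cursor, *line_start; /* block; next free byte; current line */
  size_t cap;                       /* size of BASE in bytes */
};

/* Make room for NEED more bytes.  Returns 0 on success, -1 on failure; on
   failure the old block is still owned and every pointer stays valid.  */
static int
textbuf_reserve (struct textbuf *b, size_t need)
{
  size_t used = b->base ? (size_t) (b->cursor - b->base) : 0;
  if (b->cap - used >= need)
    return 0;
  size_t newcap = b->cap ? b->cap : 16;
  while (newcap - used < need)
    newcap *= 2;
  /* Capture the addresses as integers *before* realloc: after a successful
     realloc the old pointer values are indeterminate and GCC 12's
     -Wuse-after-free diagnoses arithmetic or comparisons on them.  */
  uintptr_t old_base = (uintptr_t) b->base;
  uintptr_t old_cursor = (uintptr_t) b->cursor;
  uintptr_t old_line = (uintptr_t) b->line_start;
  char *nb = realloc (b->base, newcap);
  if (nb == NULL)
    return -1;
  /* Rebase the interior pointers from the saved offsets (a no-op if the
     block did not move); only the integers taken above are used.  */
  b->base = nb;
  b->cursor = nb + (old_cursor - old_base);
  b->line_start = nb + (old_line - old_base);
  b->cap = newcap;
  return 0;
}

/* Append S (with its terminator) at the cursor; -1 means out of memory.  */
static int
textbuf_append (struct textbuf *b, const char *s)
{
  size_t n = strlen (s);
  if (textbuf_reserve (b, n + 1) != 0)
    return -1;
  memcpy (b->cursor, s, n + 1);
  b->cursor += n;
  return 0;
}
```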

