From: Paul Eggert <eggert@cs.ucla.edu>
To: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Cc: bug-gnulib@gnu.org, libc-alpha@sourceware.org
Subject: Re: [PATCH v3 4/6] stdlib: Sync canonicalize with gnulib [BZ #10635] [BZ #26592] [BZ #26341] [BZ #24970]
Date: Tue, 29 Dec 2020 17:21:15 -0800 [thread overview]
Message-ID: <c65fa1a0-62ff-2649-d3e8-b365d010fb82@cs.ucla.edu> (raw)
In-Reply-To: <20201229193454.34558-5-adhemerval.zanella@linaro.org>
[-- Attachment #1: Type: text/plain, Size: 992 bytes --]
On 12/29/20 11:34 AM, Adhemerval Zanella wrote:
> idx_t len = strlen (end);
> + if (INT_ADD_OVERFLOW (len, n))
> + {
> + __set_errno (ENAMETOOLONG);
> + goto error_nomem;
> + }
The other patches in this glibc patch series look good to me. However,
this patch has some problems. First, the overflow check does not handle
the case where strlen (end) does not fit into len. Second, ENAMETOOLONG
is not the right errno; it should be ENOMEM because not enough memory
can be allocated (this is what scratch_buffer, malloc, etc. do in
similar situations). Third (and less important), the overflow check is
not needed on practical 64-bit platforms either now or in the forseeable
future.
I installed the attached patch into Gnulib to fix the bug in a way I
hope is better. The idea is that you should be able to sync this into
glibc without needing a patch like the above.
[-- Attachment #2: 0001-canonicalize-fix-ptrdiff_t-overflow-bug.patch --]
[-- Type: text/x-patch, Size: 5658 bytes --]
From b4e94717557545d613bca58a27d4ef698d551ed2 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 29 Dec 2020 17:08:11 -0800
Subject: [PATCH] canonicalize: fix ptrdiff_t overflow bug
Problem reported by Adhemerval Zanella in:
https://sourceware.org/pipermail/libc-alpha/2020-December/121182.html
* lib/canonicalize-lgpl.c, lib/canonicalize.c:
Include intprops.h.
(NARROW_ADDRESSES): New constant.
* lib/canonicalize-lgpl.c (realpath_stk):m
* lib/canonicalize.c (canonicalize_filename_mode_stk):
Work even if strlen (END) does not fit in idx_t, or if adding
N to it overflows.
* modules/canonicalize, modules/canonicalize-lgpl (Depends-on):
Add intprops.
---
ChangeLog | 15 +++++++++++++++
lib/canonicalize-lgpl.c | 12 +++++++++++-
lib/canonicalize.c | 12 +++++++++++-
modules/canonicalize | 1 +
modules/canonicalize-lgpl | 1 +
5 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d03007b3e..0ef300f0b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2020-12-29 Paul Eggert <eggert@cs.ucla.edu>
+
+ canonicalize: fix ptrdiff_t overflow bug
+ Problem reported by Adhemerval Zanella in:
+ https://sourceware.org/pipermail/libc-alpha/2020-December/121182.html
+ * lib/canonicalize-lgpl.c, lib/canonicalize.c:
+ Include intprops.h.
+ (NARROW_ADDRESSES): New constant.
+ * lib/canonicalize-lgpl.c (realpath_stk):m
+ * lib/canonicalize.c (canonicalize_filename_mode_stk):
+ Work even if strlen (END) does not fit in idx_t, or if adding
+ N to it overflows.
+ * modules/canonicalize, modules/canonicalize-lgpl (Depends-on):
+ Add intprops.
+
2020-12-28 Bruno Haible <bruno@clisp.org>
havelib: Fix for Solaris 11 OpenIndiana and Solaris 11 OmniOS.
diff --git a/lib/canonicalize-lgpl.c b/lib/canonicalize-lgpl.c
index 04fe95253..e8b10f0e7 100644
--- a/lib/canonicalize-lgpl.c
+++ b/lib/canonicalize-lgpl.c
@@ -40,6 +40,7 @@
#include <eloop-threshold.h>
#include <filename.h>
#include <idx.h>
+#include <intprops.h>
#include <scratch_buffer.h>
#ifdef _LIBC
@@ -85,6 +86,10 @@
# define IF_LINT(Code) /* empty */
#endif
+/* True if adding two valid object sizes might overflow idx_t.
+ As a practical matter, this cannot happen on 64-bit machines. */
+enum { NARROW_ADDRESSES = IDX_MAX >> 31 >> 31 == 0 };
+
#ifndef DOUBLE_SLASH_IS_DISTINCT_ROOT
# define DOUBLE_SLASH_IS_DISTINCT_ROOT false
#endif
@@ -338,7 +343,12 @@ realpath_stk (const char *name, char *resolved,
idx_t end_idx IF_LINT (= 0);
if (end_in_extra_buffer)
end_idx = end - extra_buf;
- idx_t len = strlen (end);
+ size_t len = strlen (end);
+ if (NARROW_ADDRESSES && INT_ADD_OVERFLOW (len, n))
+ {
+ __set_errno (ENOMEM);
+ goto error;
+ }
while (extra_buffer.length <= len + n)
{
if (!scratch_buffer_grow_preserve (&extra_buffer))
diff --git a/lib/canonicalize.c b/lib/canonicalize.c
index a4d3aab96..eee3dbee6 100644
--- a/lib/canonicalize.c
+++ b/lib/canonicalize.c
@@ -29,6 +29,7 @@
#include <filename.h>
#include <idx.h>
+#include <intprops.h>
#include <scratch_buffer.h>
#include "attribute.h"
@@ -43,6 +44,10 @@
# define IF_LINT(Code) /* empty */
#endif
+/* True if adding two valid object sizes might overflow idx_t.
+ As a practical matter, this cannot happen on 64-bit machines. */
+enum { NARROW_ADDRESSES = IDX_MAX >> 31 >> 31 == 0 };
+
#ifndef DOUBLE_SLASH_IS_DISTINCT_ROOT
# define DOUBLE_SLASH_IS_DISTINCT_ROOT false
#endif
@@ -389,7 +394,12 @@ canonicalize_filename_mode_stk (const char *name, canonicalize_mode_t can_mode,
idx_t end_idx IF_LINT (= 0);
if (end_in_extra_buffer)
end_idx = end - extra_buf;
- idx_t len = strlen (end);
+ size_t len = strlen (end);
+ if (NARROW_ADDRESSES && INT_ADD_OVERFLOW (len, n))
+ {
+ errno = ENOMEM;
+ goto error;
+ }
while (extra_buffer.length <= len + n)
{
if (!scratch_buffer_grow_preserve (&extra_buffer))
diff --git a/modules/canonicalize b/modules/canonicalize
index 5003f2682..a6cf76f17 100644
--- a/modules/canonicalize
+++ b/modules/canonicalize
@@ -19,6 +19,7 @@ free-posix
getcwd
hash-triple-simple
idx
+intprops
memmove
mempcpy
nocrash
diff --git a/modules/canonicalize-lgpl b/modules/canonicalize-lgpl
index a96f9011e..b8e87a607 100644
--- a/modules/canonicalize-lgpl
+++ b/modules/canonicalize-lgpl
@@ -18,6 +18,7 @@ fcntl-h [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONI
filename [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
free-posix [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
idx [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
+intprops [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
libc-config [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
malloc-posix [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
memmove [test $HAVE_CANONICALIZE_FILE_NAME = 0 || test $REPLACE_CANONICALIZE_FILE_NAME = 1]
--
2.27.0
next prev parent reply other threads:[~2020-12-30 1:21 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-29 19:34 [PATCH v3 0/6] Multiple fixes to realpath Adhemerval Zanella
2020-12-29 19:34 ` [PATCH v3 1/6] Import idx.h from gnulib Adhemerval Zanella
2020-12-29 19:34 ` [PATCH v3 2/6] Import filename.h " Adhemerval Zanella
2020-12-29 19:34 ` [PATCH v3 3/6] malloc: Add scratch_buffer_dupfree Adhemerval Zanella
2020-12-29 19:34 ` [PATCH v3 4/6] stdlib: Sync canonicalize with gnulib [BZ #10635] [BZ #26592] [BZ #26341] [BZ #24970] Adhemerval Zanella
2020-12-30 1:21 ` Paul Eggert [this message]
2020-12-30 3:39 ` Paul Eggert
2020-12-30 6:19 ` Paul Eggert
2020-12-30 12:34 ` Adhemerval Zanella
2020-12-30 13:10 ` Adhemerval Zanella
2021-01-02 0:04 ` Paul Eggert
2021-01-04 12:52 ` Adhemerval Zanella
2021-01-09 1:24 ` Paul Eggert
2020-12-29 19:34 ` [PATCH v3 5/6] support: Add support_small_thread_stack_size Adhemerval Zanella
2020-12-30 8:54 ` Florian Weimer
2020-12-29 19:34 ` [PATCH v3 6/6] stdlib: Add testcase fro BZ #26241 Adhemerval Zanella
2021-01-20 4:33 ` DJ Delorie
2021-01-20 14:13 ` Adhemerval Zanella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c65fa1a0-62ff-2649-d3e8-b365d010fb82@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=adhemerval.zanella@linaro.org \
--cc=bug-gnulib@gnu.org \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).