From: Paul Eggert
Organization: UCLA Computer Science Department
To: Adhemerval Zanella
Cc: bug-gnulib@gnu.org, libc-alpha@sourceware.org
Subject: Re: [PATCH v3 4/6] stdlib: Sync canonicalize with gnulib [BZ #10635] [BZ #26592] [BZ #26341] [BZ #24970]
Date: Tue, 29 Dec 2020 17:21:15 -0800
In-Reply-To: <20201229193454.34558-5-adhemerval.zanella@linaro.org>

On 12/29/20 11:34 AM, Adhemerval Zanella wrote:
> idx_t len = strlen (end);
> + if (INT_ADD_OVERFLOW (len, n))
> + {
> + __set_errno (ENAMETOOLONG);
> + goto error_nomem;
> + }

The other patches in this glibc patch series look good to me. However, this patch has some problems. First, the overflow check does not handle the case where strlen (end) does not fit into len. Second, ENAMETOOLONG is not the right errno; it should be ENOMEM because not enough memory can be allocated (this is what scratch_buffer, malloc, etc. do in similar situations). Third (and less important), the overflow check is not needed on practical 64-bit platforms either now or in the foreseeable future.

I installed the attached patch into Gnulib to fix the bug in a way I hope is better. The idea is that you should be able to sync this into glibc without needing a patch like the above.

Attachment: 0001-canonicalize-fix-ptrdiff_t-overflow-bug.patch

From b4e94717557545d613bca58a27d4ef698d551ed2 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Tue, 29 Dec 2020 17:08:11 -0800
Subject: [PATCH] canonicalize: fix ptrdiff_t overflow bug

Problem reported by Adhemerval Zanella in:
https://sourceware.org/pipermail/libc-alpha/2020-December/121182.html
* lib/canonicalize-lgpl.c, lib/canonicalize.c:
Include intprops.h.
(NARROW_ADDRESSES): New constant.
* lib/canonicalize-lgpl.c (realpath_stk):m
* lib/canonicalize.c (canonicalize_filename_mode_stk):
Work even if strlen (END) does not fit in idx_t, or if adding
N to it overflows.
* modules/canonicalize, modules/canonicalize-lgpl (Depends-on):
Add intprops.
---
 ChangeLog                 | 15 +++++++++++++++
 lib/canonicalize-lgpl.c   | 12 +++++++++++-
 lib/canonicalize.c        | 12 +++++++++++-
 modules/canonicalize      |  1 +
 modules/canonicalize-lgpl |  1 +
 5 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d03007b3e..0ef300f0b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@ +2020-12-29 Paul Eggert + + canonicalize: fix ptrdiff_t overflow bug + Problem reported by Adhemerval Zanella in: + https://sourceware.org/pipermail/libc-alpha/2020-December/121182.html + * lib/canonicalize-lgpl.c, lib/canonicalize.c: + Include intprops.h. + (NARROW_ADDRESSES): New constant. + * lib/canonicalize-lgpl.c (realpath_stk):m + * lib/canonicalize.c (canonicalize_filename_mode_stk): + Work even if strlen (END) does not fit in idx_t, or if adding + N to it overflows. + * modules/canonicalize, modules/canonicalize-lgpl (Depends-on): + Add intprops. + 2020-12-28 Bruno Haible =20 havelib: Fix for Solaris 11 OpenIndiana and Solaris 11 OmniOS. diff --git a/lib/canonicalize-lgpl.c b/lib/canonicalize-lgpl.c index 04fe95253..e8b10f0e7 100644 --- a/lib/canonicalize-lgpl.c +++ b/lib/canonicalize-lgpl.c @@ -40,6 +40,7 @@ #include #include #include +#include #include =20 #ifdef _LIBC @@ -85,6 +86,10 @@ # define IF_LINT(Code) /* empty */ #endif =20 +/* True if adding two valid object sizes might overflow idx_t. + As a practical matter, this cannot happen on 64-bit machines. */ +enum { NARROW_ADDRESSES =3D IDX_MAX >> 31 >> 31 =3D=3D 0 }; + #ifndef DOUBLE_SLASH_IS_DISTINCT_ROOT # define DOUBLE_SLASH_IS_DISTINCT_ROOT false #endif @@ -338,7 +343,12 @@ realpath_stk (const char *name, char *resolved, idx_t end_idx IF_LINT (=3D 0); if (end_in_extra_buffer) end_idx =3D end - extra_buf; - idx_t len =3D strlen (end); + size_t len =3D strlen (end); + if (NARROW_ADDRESSES && INT_ADD_OVERFLOW (len, n)) + { + __set_errno (ENOMEM); + goto error; + } while (extra_buffer.length <=3D len + n) { if (!scratch_buffer_grow_preserve (&extra_buffer)) diff --git a/lib/canonicalize.c b/lib/canonicalize.c index a4d3aab96..eee3dbee6 100644 --- a/lib/canonicalize.c +++ b/lib/canonicalize.c @@ -29,6 +29,7 @@ =20 #include #include +#include #include =20 #include "attribute.h" 
@@ -43,6 +44,10 @@ # define IF_LINT(Code) /* empty */ #endif =20 +/* True if adding two valid object sizes might overflow idx_t. + As a practical matter, this cannot happen on 64-bit machines. */ +enum { NARROW_ADDRESSES =3D IDX_MAX >> 31 >> 31 =3D=3D 0 }; + #ifndef DOUBLE_SLASH_IS_DISTINCT_ROOT # define DOUBLE_SLASH_IS_DISTINCT_ROOT false #endif @@ -389,7 +394,12 @@ canonicalize_filename_mode_stk (const char *name, ca= nonicalize_mode_t can_mode, idx_t end_idx IF_LINT (=3D 0); if (end_in_extra_buffer) end_idx =3D end - extra_buf; - idx_t len =3D strlen (end); + size_t len =3D strlen (end); + if (NARROW_ADDRESSES && INT_ADD_OVERFLOW (len, n)) + { + errno =3D ENOMEM; + goto error; + } while (extra_buffer.length <=3D len + n) { if (!scratch_buffer_grow_preserve (&extra_buffer)) diff --git a/modules/canonicalize b/modules/canonicalize index 5003f2682..a6cf76f17 100644 --- a/modules/canonicalize +++ b/modules/canonicalize @@ -19,6 +19,7 @@ free-posix getcwd hash-triple-simple idx +intprops memmove mempcpy nocrash diff --git a/modules/canonicalize-lgpl b/modules/canonicalize-lgpl index a96f9011e..b8e87a607 100644 --- a/modules/canonicalize-lgpl +++ b/modules/canonicalize-lgpl 
@@ -18,6 +18,7 @@ fcntl-h [test $HAVE_CANONICALIZE_FILE_NAME =3D= 0 || test $REPLACE_CANONI filename [test $HAVE_CANONICALIZE_FILE_NAME =3D 0 || test $REPL= ACE_CANONICALIZE_FILE_NAME =3D 1] free-posix [test $HAVE_CANONICALIZE_FILE_NAME =3D 0 || test $REPL= ACE_CANONICALIZE_FILE_NAME =3D 1] idx [test $HAVE_CANONICALIZE_FILE_NAME =3D 0 || test $REPL= ACE_CANONICALIZE_FILE_NAME =3D 1] +intprops [test $HAVE_CANONICALIZE_FILE_NAME =3D 0 || test $REPL= ACE_CANONICALIZE_FILE_NAME =3D 1] libc-config [test $HAVE_CANONICALIZE_FILE_NAME =3D 0 || test $REPL= ACE_CANONICALIZE_FILE_NAME =3D 1] malloc-posix [test $HAVE_CANONICALIZE_FILE_NAME =3D 0 || test $REPL= ACE_CANONICALIZE_FILE_NAME =3D 1] memmove [test $HAVE_CANONICALIZE_FILE_NAME =3D 0 || test $REPL= ACE_CANONICALIZE_FILE_NAME =3D 1] --=20 2.27.0 --------------A730C963634CCFD385BB0DB5--
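Review bot: in the ChangeLog hunk, the entry line `* lib/canonicalize-lgpl.c (realpath_stk):m` carries a stray `m` after the colon (the same stray character appears in the commit message); drop it so the line ends at `(realpath_stk):` and shares the "Work even if strlen (END) does not fit in idx_t" description with the following `* lib/canonicalize.c (canonicalize_filename_mode_stk):` line, as the layout intends.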
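Review bot: in the realpath_stk hunk of lib/canonicalize-lgpl.c, now that `len` is `size_t`, `INT_ADD_OVERFLOW (len, n)` is evaluated in the type of `len + n`, which is `size_t` (assuming `n` is no wider), so it reports wraparound of the unsigned sum rather than the idx_t overflow that the new NARROW_ADDRESSES comment ("might overflow idx_t") describes; a sum between IDX_MAX and SIZE_MAX passes the check and reaches `while (extra_buffer.length <= len + n)`. Either tighten the test to the idx_t range or add a comment stating that scratch_buffer_grow_preserve failing with ENOMEM is what bounds that case, so the next reader does not have to rediscover the reasoning.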
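Review bot: the lib/canonicalize.c hunks copy the NARROW_ADDRESSES enum and its two-line comment verbatim from lib/canonicalize-lgpl.c; defining it once in a header both files already include would keep the two copies from drifting. Also note the two files differ in how they set the error (`errno = ENOMEM` here versus `__set_errno (ENOMEM)` in the lgpl variant), which is fine if it follows each file's existing convention but is worth a glance since the surrounding lines of the hunk do not show it.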
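As an added illustration of the first problem raised in the reply (this is not code from the thread or from gnulib): a narrow-address model with 32-bit idx_t and size_t, showing why narrowing strlen's result into idx_t before the overflow test lets an oversized length slip through with a tiny computed buffer size, while keeping it as size_t catches the wraparound. `__builtin_add_overflow` (GCC/Clang) stands in for intprops.h's INT_ADD_OVERFLOW, and the lengths are constructed values, not real strings.

```c
/* Added model of the two overflow checks discussed above (not gnulib
   code).  idx_t and size_t are modelled as 32-bit types so a length that
   does not fit in idx_t can be constructed without a 2 GiB string;
   __builtin_add_overflow (GCC/Clang) stands in for INT_ADD_OVERFLOW.  */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t idx_t;     /* narrow model of gnulib's idx_t */
typedef uint32_t usize_t;  /* narrow model of size_t */
#define IDX_MAX INT32_MAX

/* Same expression as the patch: 1 when IDX_MAX < 2**62, i.e. when two
   valid object sizes can sum past IDX_MAX (true for this model).  */
enum { NARROW_ADDRESSES = IDX_MAX >> 31 >> 31 == 0 };

/* v3 check: strlen's result is narrowed into idx_t *before* the test, so
   a length above IDX_MAX wraps negative (modulo 2**32 on GCC/Clang) and
   the addition cannot overflow.  Returns true if the check rejects.  */
static bool
check_narrowed (usize_t strlen_result, idx_t n)
{
  idx_t len = (idx_t) strlen_result, sum;
  return __builtin_add_overflow (len, n, &sum);
}

/* The buffer size the v3 code would then go on to use.  */
static idx_t
narrowed_sum (usize_t strlen_result, idx_t n)
{
  return (idx_t) strlen_result + n;
}

/* Installed fix: keep the size_t result and test the unsigned sum,
   skipping the test entirely where addresses are wide.  */
static bool
check_size_t (usize_t strlen_result, idx_t n)
{
  usize_t sum;
  return NARROW_ADDRESSES && __builtin_add_overflow (strlen_result, n, &sum);
}

int
main (void)
{
  usize_t big = 0xFFFFFFF0u;  /* constructed: strlen result > IDX_MAX */
  idx_t n = 0x20;             /* constructed prefix length */
  printf ("narrowed: rejected=%d, buffer size used=%d\n",
          (int) check_narrowed (big, n), (int) narrowed_sum (big, n));
  printf ("size_t:   rejected=%d\n", (int) check_size_t (big, n));
  return 0;
}
```

With the constructed inputs the narrowed check accepts the length and computes a buffer size of 16 bytes for a string of nearly 4 GiB, while the size_t check rejects it with the ENOMEM path the installed patch takes.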