From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 3786 invoked by alias); 24 Apr 2006 16:32:47 -0000 Received: (qmail 3765 invoked by uid 22791); 24 Apr 2006 16:32:46 -0000 X-Spam-Check-By: sourceware.org Received: from sunsite.ms.mff.cuni.cz (HELO sunsite.mff.cuni.cz) (195.113.15.26) by sourceware.org (qpsmtpd/0.31) with ESMTP; Mon, 24 Apr 2006 16:32:41 +0000 Received: from sunsite.mff.cuni.cz (sunsite.mff.cuni.cz [127.0.0.1]) by sunsite.mff.cuni.cz (8.13.1/8.13.1) with ESMTP id k3OGWNBP017163; Mon, 24 Apr 2006 18:32:23 +0200 Received: (from jj@localhost) by sunsite.mff.cuni.cz (8.13.1/8.13.1/Submit) id k3OGWNk6017162; Mon, 24 Apr 2006 18:32:23 +0200 Date: Mon, 24 Apr 2006 16:32:00 -0000 
From: Jakub Jelinek To: Ulrich Drepper , Roland McGrath Cc: Glibc hackers Subject: [PATCH] Fortify readlinkat when -D_FORTIFY_SOURCE={1,2} Message-ID: <20060424163223.GE4651@sunsite.mff.cuni.cz> Reply-To: Jakub Jelinek Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i Mailing-List: contact libc-hacker-help@sourceware.org; run by ezmlm Precedence: bulk List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-hacker-owner@sourceware.org X-SW-Source: 2006-04/txt/msg00012.txt.bz2 Hi! readlinkat needs very similar treatment to readlink to fortify it. Tested with make check subdirs=debug. 2006-04-24 Jakub Jelinek * posix/bits/unistd.h (__readlinkat_chk): New prototype. (__readlinkat_alias): New alias. (readlinkat): New inline function. * include/unistd.h (readlinkat): Add libc_hidden_proto. * sysdeps/unix/sysv/linux/readlinkat.c (readlinkat): Add libc_hidden_def. * io/readlinkat.c (readlinkat): Likewise. * debug/readlinkat_chk.c: New file. * debug/Makefile (routines): Add readlinkat_chk. * debug/Versions (libc): Export __readlinkat_chk@@GLIBC_2.5. * debug/tst-chk1.c (do_test): Add readlinkat tests.
--- libc/posix/bits/unistd.h.jj 2006-04-07 12:51:01.000000000 +0200
+++ libc/posix/bits/unistd.h 2006-04-24 18:11:29.000000000 +0200
@@ -100,6 +100,28 @@ __NTH (readlink (__const char *__restric
 }
 #endif
 
+#ifdef __USE_ATFILE
+extern ssize_t __readlinkat_chk (int __fd, __const char *__restrict __path,
+ char *__restrict __buf, size_t __len,
+ size_t __buflen)
+ __THROW __nonnull ((2, 3)) __wur;
+extern ssize_t __REDIRECT_NTH (__readlinkat_alias,
+ (int __fd, __const char *__restrict __path,
+ char *__restrict __buf, size_t __len),
+ readlinkat)
+ __nonnull ((2, 3)) __wur;
+
+extern __always_inline __nonnull ((2, 3)) __wur ssize_t
+__NTH (readlinkat (int __fd, __const char *__restrict __path,
+ char *__restrict __buf, size_t __len))
+{
+ if (__bos (__buf) != (size_t) -1
+ && (!__builtin_constant_p (__len) || __len > __bos (__buf)))
+ return __readlinkat_chk (__fd, __path, __buf, __len, __bos (__buf));
+ return __readlinkat_alias (__fd, __path, __buf, __len);
+}
+#endif
+
 extern char *__getcwd_chk (char *__buf, size_t __size, size_t __buflen)
 __THROW __wur;
 extern char *__REDIRECT_NTH (__getcwd_alias,
--- libc/sysdeps/unix/sysv/linux/readlinkat.c.jj 2006-04-04 18:19:12.000000000 +0200
+++ libc/sysdeps/unix/sysv/linux/readlinkat.c 2006-04-24 18:04:41.000000000 +0200
@@ -87,3 +87,4 @@ readlinkat (fd, path, buf, len)
 return result;
 #endif
 }
+libc_hidden_def (readlinkat)
--- libc/io/readlinkat.c.jj 2006-04-04 18:19:11.000000000 +0200
+++ libc/io/readlinkat.c 2006-04-24 18:28:25.000000000 +0200
@@ -46,5 +46,6 @@ readlinkat (fd, path, buf, len)
 return -1;
 }
 stub_warning (readlinkat)
+libc_hidden_def (readlinkat)
 
 #include
--- libc/debug/tst-chk1.c.jj 2005-09-12 09:20:17.000000000 +0200
+++ libc/debug/tst-chk1.c 2006-04-24 18:18:55.000000000 +0200
@@ -1,4 +1,4 @@
-/* Copyright (C) 2004, 2005 Free Software Foundation, Inc.
+/* Copyright (C) 2004, 2005, 2006 Free Software Foundation, Inc.
 This file is part of the GNU C Library.
 Contributed by Jakub Jelinek , 2004.
 
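Review bot: The inline `readlinkat` added to posix/bits/unistd.h has no comment saying when the checked entry point is chosen, and the combined condition is easy to misread in a later audit. Above the inline I would add `/* Use __readlinkat_chk unless the size of __buf is unknown (__bos gives (size_t) -1) or __len is a constant no larger than that size.  */`. As written, a constant `__len` that exceeds `__bos (__buf)` is routed to the run-time check rather than diagnosed at build time, so such a call site only surfaces when it executes; whether this tree has a compile-time warning hook for that case is not visible here.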
@@ -944,6 +944,34 @@ do_test (void)
 CHK_FAIL_END
 #endif
 
+ int tmpfd = open ("/tmp", O_RDONLY | O_DIRECTORY);
+ if (tmpfd < 0)
+ FAIL ();
+
+ if (readlinkat (tmpfd, fname + sizeof ("/tmp/") - 1, readlinkbuf, 4) != 3
+ || memcmp (readlinkbuf, "bar", 3) != 0)
+ FAIL ();
+ if (readlinkat (tmpfd, fname + sizeof ("/tmp/") - 1, readlinkbuf + 1,
+ l0 + 3) != 3
+ || memcmp (readlinkbuf, "bbar", 4) != 0)
+ FAIL ();
+
+#if __USE_FORTIFY_LEVEL >= 1
+ CHK_FAIL_START
+ if (readlinkat (tmpfd, fname + sizeof ("/tmp/") - 1, readlinkbuf + 2,
+ l0 + 3) != 3)
+ FAIL ();
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ if (readlinkat (tmpfd, fname + sizeof ("/tmp/") - 1, readlinkbuf + 3,
+ 4) != 3)
+ FAIL ();
+ CHK_FAIL_END
+#endif
+
+ close (tmpfd);
+
 char *cwd1 = getcwd (NULL, 0);
 if (cwd1 == NULL)
 FAIL ();
--- libc/debug/Versions.jj 2005-07-28 15:56:58.000000000 +0200
+++ libc/debug/Versions 2006-04-24 18:13:26.000000000 +0200
@@ -36,4 +36,7 @@ libc {
 
 __stack_chk_fail;
 }
+ GLIBC_2.5 {
+ __readlinkat_chk;
+ }
 }
--- libc/debug/readlinkat_chk.c.jj 2006-04-24 18:01:51.000000000 +0200
+++ libc/debug/readlinkat_chk.c 2006-04-24 18:04:50.000000000 +0200
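Review bot: In the readlinkat tests added to do_test in debug/tst-chk1.c, the relative name is computed as `fname + sizeof ("/tmp/") - 1`, which is only correct while `fname` begins with `/tmp/`; `fname` is defined outside this hunk, so the coupling is invisible here. A one-line comment such as `/* fname starts with "/tmp/"; skip the prefix so the name is relative to tmpfd.  */` would make it explicit. Separately, after `if (tmpfd < 0) FAIL ();` the code still calls readlinkat and close with the invalid descriptor, so one open failure is presumably reported as several unrelated failures (FAIL is defined outside the hunk). do_test starts and ends outside the hunk.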
@@ -0,0 +1,31 @@
+/* Copyright (C) 2006 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, write to the Free
+ Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+ 02111-1307 USA. */
+
+#include
+#include
+
+
+ssize_t
+__readlinkat_chk (int fd, const char *path, void *buf, size_t len,
+ size_t buflen)
+{
+ if (len > buflen)
+ __chk_fail ();
+
+ return readlinkat (fd, path, buf, len);
+}
--- libc/debug/Makefile.jj 2005-07-28 15:56:58.000000000 +0200
+++ libc/debug/Makefile 2006-04-24 18:12:35.000000000 +0200
@@ -31,7 +31,8 @@ routines = backtrace backtracesyms back
 printf_chk fprintf_chk vprintf_chk vfprintf_chk \
 gets_chk chk_fail readonly-area fgets_chk fgets_u_chk \
 read_chk pread_chk pread64_chk recv_chk recvfrom_chk \
- readlink_chk getwd_chk getcwd_chk realpath_chk ptsname_r_chk \
+ readlink_chk readlinkat_chk getwd_chk getcwd_chk \
+ realpath_chk ptsname_r_chk \
 wctomb_chk wcscpy_chk wmemcpy_chk wmemmove_chk wmempcpy_chk \
 wcpcpy_chk wcsncpy_chk wcscat_chk wcsncat_chk wmemset_chk \
 wcpncpy_chk \
--- libc/include/unistd.h.jj 2006-02-23 14:29:22.000000000 +0100
+++ libc/include/unistd.h 2006-02-23 14:29:22.000000000 +0100
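Review bot: `__readlinkat_chk` in the new debug/readlinkat_chk.c is defined with `void *buf`, while the prototype this patch adds in posix/bits/unistd.h declares the third parameter as `char *__restrict __buf`; the two should agree, e.g. `__readlinkat_chk (int fd, const char *path, char *buf, size_t len,`. The mismatch is probably harmless at the ABI level, but it suggests the definition is never compiled against the public declaration, so later drift between them would go unnoticed. The function also has no comment; `/* Abort via __chk_fail if LEN exceeds BUFLEN, the size of BUF as known to the caller; otherwise behave like readlinkat.  */` above it would document the contract.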
@@ -15,6 +15,7 @@ libc_hidden_proto (getlogin_r)
 libc_hidden_proto (seteuid)
 libc_hidden_proto (setegid)
 libc_hidden_proto (tcgetpgrp)
+libc_hidden_proto (readlinkat)
 
 /* Now define the internal interfaces. */
 extern int __access (__const char *__name, int __type);
Jakub