From: "Gabriel F. T. Gomes" <gftg@linux.vnet.ibm.com>
To: libc-stable@sourceware.org
Subject: [COMMITTED 2.20] Fix BZ #17905
Date: Fri, 01 Jan 2016 00:00:00 -0000 [thread overview]
Message-ID: <201605251311.u4PD4gUb045737@mx0a-001b2d01.pphosted.com> (raw)
In-Reply-To: <1464181904-28722-1-git-send-email-gftg@linux.vnet.ibm.com>
From: Paul Pluzhnikov <ppluzhnikov@google.com>
(cherry picked from commit 0f58539030e436449f79189b6edab17d7479796e)
---
ChangeLog | 8 ++++++++
NEWS | 4 ++--
catgets/Makefile | 9 ++++++++-
catgets/catgets.c | 19 ++++++++++++-------
catgets/open_catalog.c | 23 ++++++++++++++---------
catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++
6 files changed, 75 insertions(+), 19 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c2b1307..3652d5f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-05-24 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17905]
+ * catgets/Makefile (tst-catgets-mem): New test.
+ * catgets/catgets.c (catopen): Don't use unbounded alloca.
+ * catgets/open_catalog.c (__open_catalog): Likewise.
+ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
+
2016-05-24 Florian Weimer <fweimer@redhat.com>
* misc/bug18240.c (do_test): Set RLIMIT_AS.
diff --git a/NEWS b/NEWS
index d601938..e6a5207 100644
--- a/NEWS
+++ b/NEWS
@@ -10,8 +10,8 @@ Version 2.20.1
* The following bugs are resolved with this release:
16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555,
- 17625, 17630, 17801, 18032, 18080, 18240, 18508, 18665, 18694, 18928,
- 19018, 19682.
+ 17625, 17630, 17801, 17905, 18032, 18080, 18240, 18508, 18665, 18694,
+ 18928, 19018, 19682.
* The glob function suffered from a stack-based buffer overflow when it was
called with the GLOB_ALTDIRFUNC flag and encountered a long file name.
diff --git a/catgets/Makefile b/catgets/Makefile
index 008d7db..bc144e3 100644
--- a/catgets/Makefile
+++ b/catgets/Makefile
@@ -34,6 +34,7 @@ test-srcs = test-gencat
ifeq ($(run-built-tests),yes)
tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
$(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
+tests-special += $(objpfx)tst-catgets-mem.out
endif
gencat-modules = xmalloc
@@ -50,9 +51,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcatdir)/%L/%N:$(msgcatdir)/%L/LC_MESSAGES/%
generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
test-gencat.h
+generated += tst-catgets.mtrace tst-catgets-mem.out
+
generated-dirs += de
-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
ifeq ($(run-built-tests),yes)
# This test just checks whether the program produces any error or not.
@@ -86,4 +89,8 @@ $(objpfx)test-gencat.out: test-gencat.sh $(objpfx)test-gencat \
$(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
$(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
$(evaluate-test)
+
+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
+ $(evaluate-test)
endif
diff --git a/catgets/catgets.c b/catgets/catgets.c
index eac2827..820c0f6 100644
--- a/catgets/catgets.c
+++ b/catgets/catgets.c
@@ -16,7 +16,6 @@
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
-#include <alloca.h>
#include <errno.h>
#include <locale.h>
#include <nl_types.h>
@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
__nl_catd result;
const char *env_var = NULL;
const char *nlspath = NULL;
+ char *tmp = NULL;
if (strchr (cat_name, '/') == NULL)
{
@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
{
/* Append the system dependent directory. */
size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
- char *tmp = alloca (len);
+ tmp = malloc (len);
+
+ if (__glibc_unlikely (tmp == NULL))
+ return (nl_catd) -1;
__stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
nlspath = tmp;
@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
result = (__nl_catd) malloc (sizeof (*result));
if (result == NULL)
- /* We cannot get enough memory. */
- return (nl_catd) -1;
-
- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+ {
+ /* We cannot get enough memory. */
+ result = (nl_catd) -1;
+ }
+ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
{
/* Couldn't open the file. */
free ((void *) result);
- return (nl_catd) -1;
+ result = (nl_catd) -1;
}
+ free (tmp);
return (nl_catd) result;
}
diff --git a/catgets/open_catalog.c b/catgets/open_catalog.c
index d582270..40251d6 100644
--- a/catgets/open_catalog.c
+++ b/catgets/open_catalog.c
@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
size_t tab_size;
const char *lastp;
int result = -1;
+ char *buf = NULL;
if (strchr (cat_name, '/') != NULL || nlspath == NULL)
fd = open_not_cancel_2 (cat_name, O_RDONLY);
@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
if (__glibc_unlikely (bufact + (n) >= bufmax)) \
{ \
char *old_buf = buf; \
- bufmax += 256 + (n); \
- buf = (char *) alloca (bufmax); \
- memcpy (buf, old_buf, bufact); \
+ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
+ buf = realloc (buf, bufmax); \
+ if (__glibc_unlikely (buf == NULL)) \
+ { \
+ free (old_buf); \
+ return -1; \
+ } \
}
/* The RUN_NLSPATH variable contains a colon separated list of
descriptions where we expect to find catalogs. We have to
recognize certain % substitutions and stop when we found the
first existing file. */
- char *buf;
size_t bufact;
- size_t bufmax;
+ size_t bufmax = 0;
size_t len;
- buf = NULL;
- bufmax = 0;
-
fd = -1;
while (*run_nlspath != '\0')
{
@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
/* Avoid dealing with directories and block devices */
if (__builtin_expect (fd, 0) < 0)
- return -1;
+ {
+ free (buf);
+ return -1;
+ }
if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
goto close_unlock_return;
@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
/* Release the lock again. */
close_unlock_return:
close_not_cancel_no_status (fd);
+ free (buf);
return result;
}
diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c
index fdaa834..25ef056 100644
--- a/catgets/tst-catgets.c
+++ b/catgets/tst-catgets.c
@@ -1,7 +1,10 @@
+#include <assert.h>
#include <mcheck.h>
#include <nl_types.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
+#include <sys/resource.h>
static const char *msgs[] =
@@ -12,6 +15,33 @@ static const char *msgs[] =
};
#define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
+
+/* Test for unbounded alloca. */
+static int
+do_bz17905 (void)
+{
+ char *buf;
+ struct rlimit rl;
+ nl_catd result;
+
+ const int sz = 1024 * 1024;
+
+ getrlimit (RLIMIT_STACK, &rl);
+ rl.rlim_cur = sz;
+ setrlimit (RLIMIT_STACK, &rl);
+
+ buf = malloc (sz + 1);
+ memset (buf, 'A', sz);
+ buf[sz] = '\0';
+ setenv ("NLSPATH", buf, 1);
+
+ result = catopen (buf, NL_CAT_LOCALE);
+ assert (result == (nl_catd) -1);
+
+ free (buf);
+ return 0;
+}
+
#define ROUNDS 5
int
@@ -62,5 +92,6 @@ main (void)
}
}
+ result += do_bz17905 ();
return result;
}
--
2.4.11
prev parent reply other threads:[~2016-05-25 15:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1464181904-28722-1-git-send-email-gftg@linux.vnet.ibm.com>
2016-01-01 0:00 ` [COMMITTED 2.20] CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779] Gabriel F. T. Gomes
2016-01-01 0:00 ` [COMMITTED 2.20] glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir Gabriel F. T. Gomes
2016-01-01 0:00 ` [COMMITTED 2.20] Handle overflow in __hcreate_r Gabriel F. T. Gomes
2016-01-01 0:00 ` [COMMITTED 2.20] Improve check against integer wraparound in hcreate_r [BZ #18240] Gabriel F. T. Gomes
2016-01-01 0:00 ` [COMMITTED 2.20] hsearch_r: Apply VM size limit in test case Gabriel F. T. Gomes
2016-01-01 0:00 ` [COMMITTED 2.20] CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879] Gabriel F. T. Gomes
2016-01-01 0:00 ` Gabriel F. T. Gomes [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201605251311.u4PD4gUb045737@mx0a-001b2d01.pphosted.com \
--to=gftg@linux.vnet.ibm.com \
--cc=libc-stable@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).