From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-stable-return-151-listarch-libc-stable=sourceware.org@sourceware.org>
Received: (qmail 113682 invoked by alias); 25 May 2016 15:47:45 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:libc-stable@sourceware.org>
List-Help: <mailto:libc-stable-help@sourceware.org>
List-Subscribe: <mailto:libc-stable-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-stable/>
Sender: libc-stable-owner@sourceware.org
Received: (qmail 113660 invoked by uid 89); 25 May 2016 15:47:45 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Checked: by ClamAV 0.99.1 on sourceware.org
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=0.7 required=5.0 tests=AWL,BAYES_05,KAM_LAZY_DOMAIN_SECURITY,MSGID_FROM_MTA_HEADER,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.2 spammy=H*m:pphosted, Hx-spam-relays-external:sk:mx0a-00, H*RU:sk:mx0a-00, HX-Proofpoint-Spam-Details:sk:outboun
X-Spam-Status: No, score=0.7 required=5.0 tests=AWL,BAYES_05,KAM_LAZY_DOMAIN_SECURITY,MSGID_FROM_MTA_HEADER,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org
X-Spam-Level: 
X-HELO: mx0a-001b2d01.pphosted.com
Message-Id: <201605251311.u4PD4gUb045737@mx0a-001b2d01.pphosted.com>
X-IBM-Helo: d24dlp02.br.ibm.com
X-IBM-MailFrom: gftg@linux.vnet.ibm.com
X-IBM-RcptTo: libc-stable@sourceware.org
From: "Gabriel F. T. Gomes" <gftg@linux.vnet.ibm.com>
To: libc-stable@sourceware.org
Subject: [COMMITTED 2.20] Fix BZ #17905
Date: Fri, 01 Jan 2016 00:00:00 -0000
X-Mailer: git-send-email 2.4.11
In-Reply-To: <1464181904-28722-1-git-send-email-gftg@linux.vnet.ibm.com>
References: <1464181904-28722-1-git-send-email-gftg@linux.vnet.ibm.com>
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 16052513-0028-0000-0000-0000010C6576
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 16052513-0029-0000-0000-0000139440F9
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2016-05-25_08:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=43
 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam
 adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000
 definitions=main-1605250162
X-SW-Source: 2016-05/txt/msg00051.txt.bz2

From: Paul Pluzhnikov <ppluzhnikov@google.com>

(cherry picked from commit 0f58539030e436449f79189b6edab17d7479796e)
---
 ChangeLog              |  8 ++++++++
 NEWS                   |  4 ++--
 catgets/Makefile       |  9 ++++++++-
 catgets/catgets.c      | 19 ++++++++++++-------
 catgets/open_catalog.c | 23 ++++++++++++++---------
 catgets/tst-catgets.c  | 31 +++++++++++++++++++++++++++++++
 6 files changed, 75 insertions(+), 19 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index c2b1307..3652d5f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-05-24  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #17905]
+	* catgets/Makefile (tst-catgets-mem): New test.
+	* catgets/catgets.c (catopen): Don't use unbounded alloca.
+	* catgets/open_catalog.c (__open_catalog): Likewise.
+	* catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
+
 2016-05-24  Florian Weimer  <fweimer@redhat.com>
 
 	* misc/bug18240.c (do_test): Set RLIMIT_AS.
diff --git a/NEWS b/NEWS
index d601938..e6a5207 100644
--- a/NEWS
+++ b/NEWS
@@ -10,8 +10,8 @@ Version 2.20.1
 * The following bugs are resolved with this release:
 
   16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555,
-  17625, 17630, 17801, 18032, 18080, 18240, 18508, 18665, 18694, 18928,
-  19018, 19682.
+  17625, 17630, 17801, 17905, 18032, 18080, 18240, 18508, 18665, 18694,
+  18928, 19018, 19682.
 
 * The glob function suffered from a stack-based buffer overflow when it was
   called with the GLOB_ALTDIRFUNC flag and encountered a long file name.
diff --git a/catgets/Makefile b/catgets/Makefile
index 008d7db..bc144e3 100644
--- a/catgets/Makefile
+++ b/catgets/Makefile
@@ -34,6 +34,7 @@ test-srcs = test-gencat
 ifeq ($(run-built-tests),yes)
 tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
 		 $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
+tests-special += $(objpfx)tst-catgets-mem.out
 endif
 
 gencat-modules	= xmalloc
@@ -50,9 +51,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcatdir)/%L/%N:$(msgcatdir)/%L/LC_MESSAGES/%
 
 generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
 	     test-gencat.h
+generated += tst-catgets.mtrace tst-catgets-mem.out
+
 generated-dirs += de
 
-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
 
 ifeq ($(run-built-tests),yes)
 # This test just checks whether the program produces any error or not.
@@ -86,4 +89,8 @@ $(objpfx)test-gencat.out: test-gencat.sh $(objpfx)test-gencat \
 $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
 	$(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
 	$(evaluate-test)
+
+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
+	$(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
+	$(evaluate-test)
 endif
diff --git a/catgets/catgets.c b/catgets/catgets.c
index eac2827..820c0f6 100644
--- a/catgets/catgets.c
+++ b/catgets/catgets.c
@@ -16,7 +16,6 @@
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
-#include <alloca.h>
 #include <errno.h>
 #include <locale.h>
 #include <nl_types.h>
@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
   __nl_catd result;
   const char *env_var = NULL;
   const char *nlspath = NULL;
+  char *tmp = NULL;
 
   if (strchr (cat_name, '/') == NULL)
     {
@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
 	{
 	  /* Append the system dependent directory.  */
 	  size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
-	  char *tmp = alloca (len);
+	  tmp = malloc (len);
+
+	  if (__glibc_unlikely (tmp == NULL))
+	    return (nl_catd) -1;
 
 	  __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
 	  nlspath = tmp;
@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
 
   result = (__nl_catd) malloc (sizeof (*result));
   if (result == NULL)
-    /* We cannot get enough memory.  */
-    return (nl_catd) -1;
-
-  if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+    {
+      /* We cannot get enough memory.  */
+      result = (nl_catd) -1;
+    }
+  else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
     {
       /* Couldn't open the file.  */
       free ((void *) result);
-      return (nl_catd) -1;
+      result = (nl_catd) -1;
     }
 
+  free (tmp);
   return (nl_catd) result;
 }
 
diff --git a/catgets/open_catalog.c b/catgets/open_catalog.c
index d582270..40251d6 100644
--- a/catgets/open_catalog.c
+++ b/catgets/open_catalog.c
@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
   size_t tab_size;
   const char *lastp;
   int result = -1;
+  char *buf = NULL;
 
   if (strchr (cat_name, '/') != NULL || nlspath == NULL)
     fd = open_not_cancel_2 (cat_name, O_RDONLY);
@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
   if (__glibc_unlikely (bufact + (n) >= bufmax))			      \
     {									      \
       char *old_buf = buf;						      \
-      bufmax += 256 + (n);						      \
-      buf = (char *) alloca (bufmax);					      \
-      memcpy (buf, old_buf, bufact);					      \
+      bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax;		      \
+      buf = realloc (buf, bufmax);					      \
+      if (__glibc_unlikely (buf == NULL))				      \
+	{								      \
+	  free (old_buf);						      \
+	  return -1;							      \
+	}								      \
     }
 
       /* The RUN_NLSPATH variable contains a colon separated list of
 	 descriptions where we expect to find catalogs.  We have to
 	 recognize certain % substitutions and stop when we found the
 	 first existing file.  */
-      char *buf;
       size_t bufact;
-      size_t bufmax;
+      size_t bufmax = 0;
       size_t len;
 
-      buf = NULL;
-      bufmax = 0;
-
       fd = -1;
       while (*run_nlspath != '\0')
 	{
@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
 
   /* Avoid dealing with directories and block devices */
   if (__builtin_expect (fd, 0) < 0)
-    return -1;
+    {
+      free (buf);
+      return -1;
+    }
 
   if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
     goto close_unlock_return;
@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
   /* Release the lock again.  */
  close_unlock_return:
   close_not_cancel_no_status (fd);
+  free (buf);
 
   return result;
 }
diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c
index fdaa834..25ef056 100644
--- a/catgets/tst-catgets.c
+++ b/catgets/tst-catgets.c
@@ -1,7 +1,10 @@
+#include <assert.h>
 #include <mcheck.h>
 #include <nl_types.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
+#include <sys/resource.h>
 
 
 static const char *msgs[] =
@@ -12,6 +15,33 @@ static const char *msgs[] =
 };
 #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
 
+
+/* Test for unbounded alloca.  */
+static int
+do_bz17905 (void)
+{
+  char *buf;
+  struct rlimit rl;
+  nl_catd result;
+
+  const int sz = 1024 * 1024;
+
+  getrlimit (RLIMIT_STACK, &rl);
+  rl.rlim_cur = sz;
+  setrlimit (RLIMIT_STACK, &rl);
+
+  buf = malloc (sz + 1);
+  memset (buf, 'A', sz);
+  buf[sz] = '\0';
+  setenv ("NLSPATH", buf, 1);
+
+  result = catopen (buf, NL_CAT_LOCALE);
+  assert (result == (nl_catd) -1);
+
+  free (buf);
+  return 0;
+}
+
 #define ROUNDS 5
 
 int
@@ -62,5 +92,6 @@ main (void)
 	}
     }
 
+  result += do_bz17905 ();
   return result;
 }
-- 
2.4.11