From: fweimer@redhat.com (Florian Weimer)
To: libc-stable@sourceware.org
Subject: [2.22 COMMITTED] fopencookie: Mangle function pointers stored on the heap [BZ #20222]
Date: Fri, 01 Jan 2016 00:00:00 -0000 [thread overview]
Message-ID: <20160819132637.B199C439942E2@oldenburg.str.redhat.com> (raw)
(cherry picked from commit 983fd5c41ab7e5a5c33922259ca1ac99b3b413f8)
2016-06-11 Florian Weimer <fweimer@redhat.com>
[BZ #20222]
* libio/iofopncook.c (_IO_cookie_read): Demangle callback pointer.
(_IO_cookie_write): Likewise.
(_IO_cookie_seek): Likewise.
(_IO_cookie_close): Likewise.
(_IO_old_cookie_seek): Likewise.
(set_callbacks): New function.
(_IO_cookie_init): Call set_callbacks to copy callbacks.
diff --git a/libio/iofopncook.c b/libio/iofopncook.c
index b845d29..3aad3d3 100644
--- a/libio/iofopncook.c
+++ b/libio/iofopncook.c
@@ -46,11 +46,13 @@ _IO_cookie_read (fp, buf, size)
_IO_ssize_t size;
{
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
+ cookie_read_function_t *read_cb = cfile->__io_functions.read;
+ PTR_DEMANGLE (read_cb);
- if (cfile->__io_functions.read == NULL)
+ if (read_cb == NULL)
return -1;
- return cfile->__io_functions.read (cfile->__cookie, buf, size);
+ return read_cb (cfile->__cookie, buf, size);
}
static _IO_ssize_t
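Review bot: The NULL test in _IO_cookie_read is now only meaningful on the demangled local `read_cb`, and nothing at the call site says why. set_callbacks in this patch mangles every slot unconditionally, so a later edit that went back to testing `cfile->__io_functions.read == NULL` would presumably stop detecting an unset callback. I would add a one-line comment above the copy, `/* Stored callbacks are mangled, NULL included; demangle a local copy before testing or calling it. */`. The same comment applies to the write, seek and close hunks and to _IO_old_cookie_seek. The function's K&R parameter list starts above the hunk.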
@@ -60,14 +62,16 @@ _IO_cookie_write (fp, buf, size)
_IO_ssize_t size;
{
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
+ cookie_write_function_t *write_cb = cfile->__io_functions.write;
+ PTR_DEMANGLE (write_cb);
- if (cfile->__io_functions.write == NULL)
+ if (write_cb == NULL)
{
fp->_flags |= _IO_ERR_SEEN;
return 0;
}
- _IO_ssize_t n = cfile->__io_functions.write (cfile->__cookie, buf, size);
+ _IO_ssize_t n = write_cb (cfile->__cookie, buf, size);
if (n < size)
fp->_flags |= _IO_ERR_SEEN;
@@ -81,9 +85,11 @@ _IO_cookie_seek (fp, offset, dir)
int dir;
{
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
+ cookie_seek_function_t *seek_cb = cfile->__io_functions.seek;
+ PTR_DEMANGLE (seek_cb);
- return ((cfile->__io_functions.seek == NULL
- || (cfile->__io_functions.seek (cfile->__cookie, &offset, dir)
+ return ((seek_cb == NULL
+ || (seek_cb (cfile->__cookie, &offset, dir)
== -1)
|| offset == (_IO_off64_t) -1)
? _IO_pos_BAD : offset);
@@ -94,11 +100,13 @@ _IO_cookie_close (fp)
_IO_FILE *fp;
{
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
+ cookie_close_function_t *close_cb = cfile->__io_functions.close;
+ PTR_DEMANGLE (close_cb);
- if (cfile->__io_functions.close == NULL)
+ if (close_cb == NULL)
return 0;
- return cfile->__io_functions.close (cfile->__cookie);
+ return close_cb (cfile->__cookie);
}
@@ -140,6 +148,19 @@ static const struct _IO_jump_t _IO_cookie_jumps = {
};
+/* Copy the callbacks from SOURCE to *TARGET, with pointer
+ mangling. */
+static void
+set_callbacks (_IO_cookie_io_functions_t *target,
+ _IO_cookie_io_functions_t source)
+{
+ PTR_MANGLE (source.read);
+ PTR_MANGLE (source.write);
+ PTR_MANGLE (source.seek);
+ PTR_MANGLE (source.close);
+ *target = source;
+}
+
void
_IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
void *cookie, _IO_cookie_io_functions_t io_functions)
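Review bot: set_callbacks mangles all four slots unconditionally, so an unset (NULL) callback is stored as a value that depends only on the pointer guard, at least on targets where PTR_MANGLE is keyed on the guard alone. The protection of the other slots therefore also relies on the heap contents of a cookie stream not being disclosed, which the comment `with pointer mangling` does not convey. I would extend the comment to state that NULL entries are mangled too, that readers must PTR_DEMANGLE a local copy, and that the member must never be assigned directly. Leaving NULL unmangled instead is a design choice that would change every reader, so I am only asking for documentation here. _IO_cookie_init's body continues past the hunk.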
@@ -148,7 +169,7 @@ _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
_IO_JUMPS (&cfile->__fp) = &_IO_cookie_jumps;
cfile->__cookie = cookie;
- cfile->__io_functions = io_functions;
+ set_callbacks (&cfile->__io_functions, io_functions);
_IO_file_init (&cfile->__fp);
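Review bot: After this line `cfile->__io_functions` no longer holds callable pointers, and the patch converts only the accessors the changelog lists for this file. Any other code that reads or assigns that member directly would call or compare a mangled value; none is visible in these hunks, so this needs a search of the tree rather than a fix I can point to. A comment on the member's declaration, for example `/* Mangled; write via set_callbacks, read via PTR_DEMANGLE. */`, would make the invariant visible where the struct is defined.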
@@ -223,14 +244,14 @@ _IO_old_cookie_seek (fp, offset, dir)
int dir;
{
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
- int (*seek) (_IO_FILE *, _IO_off_t, int);
- int ret;
+ int (*seek_cb) (_IO_FILE *, _IO_off_t, int)
+ = (int (*) (_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;;
+ PTR_DEMANGLE (seek_cb);
- seek = (int (*)(_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;
- if (seek == NULL)
+ if (seek_cb == NULL)
return _IO_pos_BAD;
- ret = seek (cfile->__cookie, offset, dir);
+ int ret = seek_cb (cfile->__cookie, offset, dir);
return (ret == -1) ? _IO_pos_BAD : ret;
}
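Review bot: The new initializer of `seek_cb` ends in a stray second semicolon (`cfile->__io_functions.seek;;`), which leaves an empty statement between the declaration and `PTR_DEMANGLE (seek_cb);`. It compiles, but the line should read `= (int (*) (_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;`. The cast to the old seek signature is applied to the still-mangled value before demangling; that looks harmless because the cast should not alter the stored bits, but a short comment saying the order is deliberate would save the next reader the check.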