From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <siddhesh@sourceware.org>
Received: from dragonfly.birch.relay.mailchannels.net
 (dragonfly.birch.relay.mailchannels.net [23.83.209.51])
 by sourceware.org (Postfix) with ESMTPS id 6C5613858D33
 for <libc-stable@sourceware.org>; Mon, 25 Apr 2022 13:15:55 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 6C5613858D33
Received: from relay.mailchannels.net (localhost [127.0.0.1])
 by relay.mailchannels.net (Postfix) with ESMTP id CF4A1560404;
 Mon, 25 Apr 2022 13:15:52 +0000 (UTC)
Received: from pdx1-sub0-mail-a305.dreamhost.com (unknown [127.0.0.6])
 (Authenticated sender: dreamhost)
 by relay.mailchannels.net (Postfix) with ESMTPA id 70D9756005D;
 Mon, 25 Apr 2022 13:15:52 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1650892552; a=rsa-sha256;
 cv=none;
 b=Z/HPBpwFV1O25roxyyhTcTCrf9JPno4jWEZx2mOUHlWYMn59ysY8m1I58+Y6m2Ns/up8Ji
 aXvpHwUo+LJ9iMEQ0pX0tXS27J/VGopFw0HPpaRDXlRnonKLeKnXBg8oGFCzCPE8enNioQ
 yWOF0M5LvJnIbjz6EVxvuT01SikwfCTr1C1BLUi2w0ZJQr8XY7/cbVgsPdbWG+/BXkmLXx
 4D24U+GJ5NlKz3ZlIJC7MqJ5cGumIOwyP7L3RaPqpt9hly6vX/dIlUDKPuR3/0yFkPswSM
 6b1ZYubDTTkE5Ek7zPDgb8ioBGF0sYjApGiiPQ8WDOtN6kDRBKGZuFWagUQyhA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mailchannels.net; s=arc-2022; t=1650892552;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=9xFXJmOhuYEfZ0d+t19tTCdWRLFtiP6dZBiwJRjUqQE=;
 b=X47k181RKg5v6vBe0wHhkgxN+5orYRE74/bjAjZ+4Jhjt1vtiwkpx+iQ9YwZx05ktzOKyG
 tDvQBZJUWUpH++agc1Vgt0B4qUXuECM97mEGmnYVg/qF6d7MX7xwsMrjtN2SyIKN96Sn72
 /39c9J6IY5WKk9OboOIeT3/kZZ8Mq/lGcV/NeVKDXvt1bhEHBgObzxl7+F9KN5d1jFCuly
 I6rtd+TcRp+O2zntPC0Q82PmKlcXlakCjVriCaFdpW6TQKwhwFVcNVz30a12/AugmBXm0h
 VR4GAmCj2W2QSy1L9aHcpx2IezFABx63yA3yrOrCfgnTHL8POmNCjxIBfhHItA==
ARC-Authentication-Results: i=1; rspamd-6dfbdcb948-n5r4t;
 auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@sourceware.org
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org
X-MailChannels-Auth-Id: dreamhost
X-Celery-Gusty: 1110f18a3c3b0aab_1650892552714_1926546486
X-MC-Loop-Signature: 1650892552714:659941248
X-MC-Ingress-Time: 1650892552713
Received: from pdx1-sub0-mail-a305.dreamhost.com (pop.dreamhost.com
 [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
 by 100.125.123.28 (trex/6.7.1); Mon, 25 Apr 2022 13:15:52 +0000
Received: from rhbox.redhat.com (unknown [1.186.121.46])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (No client certificate requested)
 (Authenticated sender: siddhesh@gotplt.org)
 by pdx1-sub0-mail-a305.dreamhost.com (Postfix) with ESMTPSA id 4Kn59g0JWYz1Vg; 
 Mon, 25 Apr 2022 06:15:50 -0700 (PDT)
From: Siddhesh Poyarekar <siddhesh@sourceware.org>
To: libc-stable@sourceware.org
Cc: Joan Bruguera <joanbrugueram@gmail.com>
Subject: [committed 2.35] misc: Fix rare fortify crash on wchar funcs. [BZ
 29030]
Date: Mon, 25 Apr 2022 18:45:43 +0530
Message-Id: <20220425131543.2452740-1-siddhesh@sourceware.org>
X-Mailer: git-send-email 2.35.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-3495.8 required=5.0 tests=BAYES_00, GIT_PATCH_0,
 JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_DNSWL_NONE,
 RCVD_IN_SBL, SPF_HELO_NONE, SPF_NEUTRAL,
 TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: libc-stable@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-stable mailing list <libc-stable.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-stable/>
List-Help: <mailto:libc-stable-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 13:15:57 -0000

From: Joan Bruguera <joanbrugueram@gmail.com>

If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify
checks should pass, and `__whatever_alias` should be called.

Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but
on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`.

A comment says the -1 case should work as: "The -1 check is redundant because
since it implies that __glibc_safe_len_cond is true.". But this fails when:
* `__s > 1`
* `__osz == -1` (i.e. unknown size at compile time)
* `__l` is big enough
* `__l * __s <= __osz` can be folded to a constant
(I only found this to be true for `mbsrtowcs` and other functions in wchar2.h)

In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be
called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program.

This commit adds the explicit `__osz == -1` check again.
moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041

Minimal test case (test.c):
    #include <wchar.h>

    int main (void)
    {
        const char *hw = "HelloWorld";
        mbsrtowcs (NULL, &hw, (size_t)-1, NULL);
        return 0;
    }

Build with:
    gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test

Output:
    *** buffer overflow detected ***: terminated

Fixes: BZ #29030
Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 33e03f9cd2be4f2cd62f93fda539cc07d9c8130e)
---
 debug/tst-fortify.c |  5 +++++
 misc/sys/cdefs.h    | 12 ++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/debug/tst-fortify.c b/debug/tst-fortify.c
index d65a2fe6e1..03c9867714 100644
--- a/debug/tst-fortify.c
+++ b/debug/tst-fortify.c
@@ -1504,6 +1504,11 @@ do_test (void)
       CHK_FAIL_END
 #endif
 
+      /* Bug 29030 regresion check */
+      cp = "HelloWorld";
+      if (mbsrtowcs (NULL, &cp, (size_t)-1, &s) != 10)
+        FAIL ();
+
       cp = "A";
       if (mbstowcs (wenough, cp, 10) != 1
 	  || wcscmp (wenough, L"A") != 0)
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index 44d3826bca..f1faf8292c 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -162,13 +162,13 @@
    || (__builtin_constant_p (__l) && (__l) > 0))
 
 /* Length is known to be safe at compile time if the __L * __S <= __OBJSZ
-   condition can be folded to a constant and if it is true.  The -1 check is
-   redundant because since it implies that __glibc_safe_len_cond is true.  */
+   condition can be folded to a constant and if it is true, or unknown (-1) */
 #define __glibc_safe_or_unknown_len(__l, __s, __osz) \
-  (__glibc_unsigned_or_positive (__l)					      \
-   && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l),     \
-						   __s, __osz))		      \
-   && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), __s, __osz))
+  ((__osz) == (__SIZE_TYPE__) -1					      \
+   || (__glibc_unsigned_or_positive (__l)				      \
+       && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \
+						       (__s), (__osz)))	      \
+       && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), (__s), (__osz))))
 
 /* Conversely, we know at compile time that the length is unsafe if the
    __L * __S <= __OBJSZ condition can be folded to a constant and if it is
-- 
2.35.1