From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <siddhesh@sourceware.org>
Received: from olivedrab.birch.relay.mailchannels.net
 (olivedrab.birch.relay.mailchannels.net [23.83.209.135])
 by sourceware.org (Postfix) with ESMTPS id E30E23858C83
 for <libc-stable@sourceware.org>; Mon, 25 Apr 2022 16:11:30 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org E30E23858C83
Received: from relay.mailchannels.net (localhost [127.0.0.1])
 by relay.mailchannels.net (Postfix) with ESMTP id AB94F6A0CAF;
 Mon, 25 Apr 2022 16:11:28 +0000 (UTC)
Received: from pdx1-sub0-mail-a305.dreamhost.com (unknown [127.0.0.6])
 (Authenticated sender: dreamhost)
 by relay.mailchannels.net (Postfix) with ESMTPA id 370196A0FBF;
 Mon, 25 Apr 2022 16:11:28 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1650903088; a=rsa-sha256;
 cv=none;
 b=Rno5WgDZ6Sr5oD1I9vnJ+XJ6DvloD1dodLppDmRItcOff81jfmQXBvBeJoRAuZ1j0VAlAU
 H/7w3M5NU4iak6L9oeXYmtBKanqftFBbSFNYam2W+bf2q75mJQSSCdnkBNa/fHlM6XbGkm
 dJX2s7b2jhbz9C7g7DE86iqiGyeLvtbe+rPy13nBys+FHNXw/biLAeciuAMoms6u44s4yz
 I5BwxOywUbybdMkPegjBtHo+vs+TXkDGuBdmCuIExHrgXQa77bdI6UklqA3CyqyKQRPStw
 gi9w/PKrJc545pvyHCdSbOHFpchj4Dzu4IXE/8Jd4cWxX8VLPMj/jQcliQyHmw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mailchannels.net; s=arc-2022; t=1650903088;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=9xFXJmOhuYEfZ0d+t19tTCdWRLFtiP6dZBiwJRjUqQE=;
 b=uCXx+NkrPmD48k1XHHSyXO8TO8CgxVke5ILCEy9S6rCBLIq6CSKPH39VDSdrhS1rWndVx0
 a+Y3lcaCxO3LT1pao0GLQbk9Sao6i2vEuLb+9d3uTBeKx0yKnNMGK77Z8pg3Vp7C1jKGLI
 cSblGpkRxc6ZUoCU4Ymda5M5R8yN4nNF05frQmY3Mgf8c6vjyceQxl1aM2+JLN5HSGnaGy
 zIsI9BcY31sf0GO/aYNHsedMOpAyVu8GZrLCu74QhYneyCaWZaer/DasLrlIeXzGtvLZOV
 BnjHbTGYD40KEabbMSYrosmLYsLFVG1qexxKSZFBCc0HkrBHNgNdc6GTLtE/mQ==
ARC-Authentication-Results: i=1; rspamd-6dfbdcb948-z5fnt;
 auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@sourceware.org
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org
X-MailChannels-Auth-Id: dreamhost
X-Oafish-Illegal: 2f04251e68e3f176_1650903088494_2244406297
X-MC-Loop-Signature: 1650903088494:1769957752
X-MC-Ingress-Time: 1650903088494
Received: from pdx1-sub0-mail-a305.dreamhost.com (pop.dreamhost.com
 [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
 by 100.116.106.102 (trex/6.7.1); Mon, 25 Apr 2022 16:11:28 +0000
Received: from rhbox.redhat.com (unknown [1.186.121.46])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (No client certificate requested)
 (Authenticated sender: siddhesh@gotplt.org)
 by pdx1-sub0-mail-a305.dreamhost.com (Postfix) with ESMTPSA id 4Kn94C3S1xz33; 
 Mon, 25 Apr 2022 09:11:23 -0700 (PDT)
From: Siddhesh Poyarekar <siddhesh@sourceware.org>
To: libc-stable@sourceware.org
Cc: Joan Bruguera <joanbrugueram@gmail.com>
Subject: [committed 2.34] misc: Fix rare fortify crash on wchar funcs. [BZ
 29030]
Date: Mon, 25 Apr 2022 21:41:08 +0530
Message-Id: <20220425161108.3588051-1-siddhesh@sourceware.org>
X-Mailer: git-send-email 2.35.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-3495.8 required=5.0 tests=BAYES_00, GIT_PATCH_0,
 JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_DNSWL_NONE,
 RCVD_IN_SBL, SPF_HELO_NONE, SPF_NEUTRAL,
 TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: libc-stable@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-stable mailing list <libc-stable.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-stable/>
List-Help: <mailto:libc-stable-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 16:11:33 -0000

From: Joan Bruguera <joanbrugueram@gmail.com>

If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify
checks should pass, and `__whatever_alias` should be called.

Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but
on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`.

A comment says the -1 case should work as: "The -1 check is redundant because
since it implies that __glibc_safe_len_cond is true.". But this fails when:
* `__s > 1`
* `__osz == -1` (i.e. unknown size at compile time)
* `__l` is big enough
* `__l * __s <= __osz` can be folded to a constant
(I only found this to be true for `mbsrtowcs` and other functions in wchar2.h)

In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be
called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program.

This commit adds the explicit `__osz == -1` check again.
moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041

Minimal test case (test.c):
    #include <wchar.h>

    int main (void)
    {
        const char *hw = "HelloWorld";
        mbsrtowcs (NULL, &hw, (size_t)-1, NULL);
        return 0;
    }

Build with:
    gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test

Output:
    *** buffer overflow detected ***: terminated

Fixes: BZ #29030
Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 33e03f9cd2be4f2cd62f93fda539cc07d9c8130e)
---
 debug/tst-fortify.c |  5 +++++
 misc/sys/cdefs.h    | 12 ++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/debug/tst-fortify.c b/debug/tst-fortify.c
index d65a2fe6e1..03c9867714 100644
--- a/debug/tst-fortify.c
+++ b/debug/tst-fortify.c
@@ -1504,6 +1504,11 @@ do_test (void)
       CHK_FAIL_END
 #endif
 
+      /* Bug 29030 regresion check */
+      cp = "HelloWorld";
+      if (mbsrtowcs (NULL, &cp, (size_t)-1, &s) != 10)
+        FAIL ();
+
       cp = "A";
       if (mbstowcs (wenough, cp, 10) != 1
 	  || wcscmp (wenough, L"A") != 0)
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index 44d3826bca..f1faf8292c 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -162,13 +162,13 @@
    || (__builtin_constant_p (__l) && (__l) > 0))
 
 /* Length is known to be safe at compile time if the __L * __S <= __OBJSZ
-   condition can be folded to a constant and if it is true.  The -1 check is
-   redundant because since it implies that __glibc_safe_len_cond is true.  */
+   condition can be folded to a constant and if it is true, or unknown (-1) */
 #define __glibc_safe_or_unknown_len(__l, __s, __osz) \
-  (__glibc_unsigned_or_positive (__l)					      \
-   && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l),     \
-						   __s, __osz))		      \
-   && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), __s, __osz))
+  ((__osz) == (__SIZE_TYPE__) -1					      \
+   || (__glibc_unsigned_or_positive (__l)				      \
+       && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \
+						       (__s), (__osz)))	      \
+       && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), (__s), (__osz))))
 
 /* Conversely, we know at compile time that the length is unsafe if the
    __L * __S <= __OBJSZ condition can be folded to a constant and if it is
-- 
2.35.1