From: Siddhesh Poyarekar
To: libc-stable@sourceware.org
Cc: Carlos O'Donell
Subject: [committed 2.39 4/5] ungetc: Fix uninitialized read when putting into unused streams [BZ #27821]
Date: Fri, 30 Aug 2024 11:29:15 -0400
Message-ID: <20240830152916.545779-5-siddhesh@sourceware.org>
In-Reply-To: <20240830152916.545779-1-siddhesh@sourceware.org>

When ungetc is called on an unused stream, the backup buffer is allocated without the main get area being present. This results in every subsequent ungetc (as the stream remains in the backup area) checking uninitialized memory in the backup buffer when trying to put a character back into the stream.

Avoid comparing the input character with buffer contents when in backup to avoid this uninitialized read. The uninitialized read is harmless in this context since the location is promptly overwritten with the input character, thus fulfilling ungetc functionality.

Also adjust wording in the manual to drop the paragraph that says glibc cannot do multiple ungetc back to back since with this change, ungetc can actually do this.

Signed-off-by: Siddhesh Poyarekar
Reviewed-by: Carlos O'Donell
(cherry picked from commit cdf0f88f97b0aaceb894cc02b21159d148d7065c)

--- libio/genops.c | 2 +- manual/stdio.texi | 8 +++----- stdio-common/tst-ungetc.c | 2 ++ 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libio/genops.c b/libio/genops.c index bc45e60a09..4f5c6136f3 100644 --- a/libio/genops.c +++ b/libio/genops.c
@@ -635,7 +635,7 @@ _IO_sputbackc (FILE *fp, int c) { int result; - if (fp->_IO_read_ptr > fp->_IO_read_base + if (fp->_IO_read_ptr > fp->_IO_read_base && !_IO_in_backup (fp) && (unsigned char)fp->_IO_read_ptr[-1] == (unsigned char)c) { fp->_IO_read_ptr--; diff --git a/manual/stdio.texi b/manual/stdio.texi index 0b31aeff95..393ed9c665 100644 --- a/manual/stdio.texi +++ b/manual/stdio.texi @@ -1467,11 +1467,9 @@ program; usually @code{ungetc} is used only to unread a character that was just read from the same stream. @Theglibc{} supports this even on files opened in binary mode, but other systems might not. -@Theglibc{} only supports one character of pushback---in other -words, it does not work to call @code{ungetc} twice without doing input -in between. Other systems might let you push back multiple characters; -then reading from the stream retrieves the characters in the reverse -order that they were pushed. +@Theglibc{} supports pushing back multiple characters; subsequently +reading from the stream retrieves the characters in the reverse order +that they were pushed. Pushing back characters doesn't alter the file; only the internal buffering for the stream is affected. If a file positioning function diff --git a/stdio-common/tst-ungetc.c b/stdio-common/tst-ungetc.c index 5c808f0734..388b202493 100644 --- a/stdio-common/tst-ungetc.c +++ b/stdio-common/tst-ungetc.c @@ -48,6 +48,8 @@ do_test (void) TEST_VERIFY_EXIT (getc (fp) == 'b'); TEST_VERIFY_EXIT (getc (fp) == 'l'); TEST_VERIFY_EXIT (ungetc ('m', fp) == 'm'); + TEST_VERIFY_EXIT (ungetc ('n', fp) == 'n'); + TEST_VERIFY_EXIT (getc (fp) == 'n'); TEST_VERIFY_EXIT (getc (fp) == 'm'); TEST_VERIFY_EXIT ((c = getc (fp)) == 'a'); TEST_VERIFY_EXIT (getc (fp) == EOF); -- 2.45.1
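
Review bot: in the libio/genops.c hunk, the new !_IO_in_backup (fp) term in the _IO_sputbackc condition has no comment, so the code itself does not say why the fp->_IO_read_ptr[-1] comparison is skipped while the stream is in backup. A short comment above the if, stating that the backup buffer can hold uninitialized bytes and the comparison is therefore only made in the main get area, would keep the reason next to the code instead of only in the commit message. It would also help to note there that every pushback in backup mode now takes the other branch, including the case where the pushed character equals the byte already in the buffer.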
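
Review bot: in the manual/stdio.texi hunk, the replacement paragraph drops the portability remark that the removed text carried ("Other systems might let you push back multiple characters"), so a reader no longer learns that multiple pushback is specific to this implementation. The preceding sentence about binary mode keeps its "but other systems might not" caveat; the same wording would fit here, together with a note that ISO C guarantees only one character of pushback. The new text also does not say whether there is a limit on the number of pushed-back characters or what ungetc returns when a pushback cannot be stored.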
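
Review bot: in the stdio-common/tst-ungetc.c hunk, the two added TEST_VERIFY_EXIT lines call ungetc ('n', fp) after the getc calls visible in the context, so at this point the stream has already been read from, while the subject names the unused-stream case. If the part of do_test above line 48 does not already do so, add two back-to-back ungetc calls on a freshly opened stream before any read. The assertions only check return values, and the commit message describes the uninitialized read as harmless, so a comment saying the defect is only observable under a memory checker would tell the next reader what this test does and does not catch.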