From patchwork Wed Aug 7 20:35:34 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1970253 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=GosUPq9N; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WfMQP5BqKz1ydt for ; Thu, 8 Aug 2024 06:36:13 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 2637E385828B for ; Wed, 7 Aug 2024 20:36:10 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) by sourceware.org (Postfix) with ESMTPS id 3EF4D3858C41 for ; Wed, 7 Aug 2024 20:35:50 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 3EF4D3858C41 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 3EF4D3858C41 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::331 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1723062952; cv=none; b=IwoVc9CMLhLurth6GnDWZXOzxzdvurkgjoxdqKurE/2e8wYQZmULmmaZBR+9PIbaGojOBsDYyB0/mpeHM24v9Wt11h4PAwaPiYHayWr9LhZYuCTlD8kIg4nObGhft2DEFyz2KdAV079hHIQ4cks6pL2Tjvqo41GrulSiLsnSsZM= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1723062952; c=relaxed/simple; bh=5vp01qJDXdwqtB0lN+xSpJidEI4vivr6Bu4sf9oAUXs=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=JU6jBzsEeWoXLO7pohF9SehhE1VjKEJRiXL/Q5ouilVZrtW6isB9mfhO4spLorVPQGiR5IaB09ROBjw016CHdLxyQYfJJOD/YDDrTPgQ43Lm7C373p3mh4KASXGJLaWNzI+qJ9chrJhMxmJUJP+ogHZw7R6S7Zv3JKf70nehlSo= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-ot1-x331.google.com with SMTP id 46e09a7af769-7093d565310so155927a34.2 for ; Wed, 07 Aug 2024 13:35:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1723062949; x=1723667749; darn=sourceware.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=M++FwQK83aI+Bk4qRmOA1QY2BX6/pVS3YNValKf53SY=; b=GosUPq9NvmF2RytXRoKKHy8Dyp1Bax/SiyyKOiw3vomKZSB6HKaJegZgp7y4XOBXd9 K0x0Eg6sR5B2JadjEKBKVLsEyHSnXtgA9DIFx82y5a2hE3eTd013bvwWvDUbB4DnlPL9 gdBvwbexOM33zIQDt6hLCVC/aw/AXGN3jDXhVwRmUCYxfWJ6AvoLUZKy0anU9B3A0tcM ipaMG7SeKxU5JjfgbX++UeNLvP1oJ9ba+evgQj+Tnbmf+UqmjolCqfdH1bcDQvGyJexn z28aY6nHgdjPpS5OKyriJOyxyOxn4nJWYOdM6r8Sus4mEZ/wici4Dimq1s7sX/CKFUur Q9Bw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723062949; x=1723667749; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=M++FwQK83aI+Bk4qRmOA1QY2BX6/pVS3YNValKf53SY=; b=rE+FyrurbWWNdVBw0UlYEyq6aRqL+i74FxKZuu40no+qjeaU3oYZZuAq99wMG/c0na I0TohpW4nT6BMiIM09JQ0K71NKCod6NzCoFFHo8RqQAHCwZ75H38m3GBZqxrD4D7uDMJ oTJSgUJjDCiDOVUomu3BU53mJfLZ4WdDaBC2yug5MeJxahpwu6ZtGdnKEoCNogySOje1 b4AY2e9lCGtB8zeBJ5arulckaaHefyjzWI04WGBQ4e/PP2JYl0J+0Jw3mIu/vFqCifG8 RM7hOJuNvhYkVPF1Kxh+otOSbQM65/vptZaEAT0OqV57zy5C4NAC/KR3VC0Qn+M9SfXO Rfdg== X-Gm-Message-State: AOJu0Ywgw4x8BnRhw3qMazs/1RsulWs2vE//wqpJX0eaJq8Ppk8G3idc w/ACy3lICoWKFFc0yydHvSL/EkjlVupAgQpUl40acUxXaH/VlqDyJ+OtbYuMrunk97VJQQW6yBC / X-Google-Smtp-Source: AGHT+IFSdYRLe63gT6bIToVsQ5cKFTd/jSmtyhiuq5BhSYBk1YQineu6xvt3mTKg4lnqC+K6wMmdAg== X-Received: by 2002:a05:6358:8a5:b0:1ac:625f:9d4d with SMTP id e5c5f4694b2df-1af3baa0ca0mr2360094655d.23.1723062948721; Wed, 07 Aug 2024 13:35:48 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c1:a5f6:164d:db11:5812:d8e3]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-7b7639447b8sm8726179a12.46.2024.08.07.13.35.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Aug 2024 13:35:48 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: =?utf-8?b?TMOpbsOhcmQgU3pvbG5va2k=?= Subject: [PATCH] stdlib: Fix qsort memory leak if callback throws (BZ 32058) Date: Wed, 7 Aug 2024 17:35:34 -0300 Message-ID: <20240807203544.1720167-1-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-Spam-Status: No, score=-12.8 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org If the input buffer exceeds the stack allocated one, qsort will malloc a temporary buffer to call mergesort. Since C++ standard does allow the callback comparison function to throw [1], the glibc implementation can potentially leak memory. The fixes uses a cleanup handler (__libc_cleanup_push / __libc_cleanup_pop), where recent gcc put in cold code path. Checked on x86_64-linux-gnu. [1] https://timsong-cpp.github.io/cppwp/n4950/alg.c.library#4 --- stdlib/Makefile | 28 ++++++++++++++++- stdlib/qsort.c | 36 ++++++++++++++++----- stdlib/tst-qsort4.c | 4 +++ stdlib/tst-qsort7.cc | 74 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 133 insertions(+), 9 deletions(-) create mode 100644 stdlib/tst-qsort7.cc diff --git a/stdlib/Makefile b/stdlib/Makefile index 347491de53..96a0f39436 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -354,6 +354,12 @@ tests := \ tst-xpg-basename \ # tests +tests-cxx = \ + tst-qsort7 \ + # tests-cxx + +tests += $(if $(CXX),$(tests-cxx)) + tests-internal := \ tst-qsort4 \ tst-strtod1i \ @@ -539,7 +545,17 @@ tests-special += $(objpfx)isomac.out ifeq ($(run-built-tests),yes) tests-special += $(objpfx)tst-fmtmsg.out -endif +ifeq ($(build-shared),yes) +ifneq ($(PERL),no) +generated += \ + tst-qsort7.mtrace \ + # generated +tests-special += \ + $(objpfx)tst-qsort7-mem.out \ + # tests-special +endif # $(build-shared) == yes +endif # $(PERL) == yes +endif # $(run-built-tests) == yes include ../Rules @@ -627,3 +643,13 @@ $(objpfx)tst-setcontext3.out: tst-setcontext3.sh $(objpfx)tst-setcontext3 $(objpfx)tst-qsort5: $(libm) $(objpfx)tst-concurrent-exit: $(shared-thread-library) $(objpfx)tst-concurrent-quick_exit: $(shared-thread-library) + +CFLAGS-tst-qsort7.o = -std=c++11 +LDLIBS-tst-qsort7 = -lstdc++ + +tst-qsort7-ENV = MALLOC_TRACE=$(objpfx)tst-qsort7.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so + +$(objpfx)tst-qsort7-mem.out: $(objpfx)tst-qsort7.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-qsort7.mtrace > $@; \ + $(evaluate-test) diff --git a/stdlib/qsort.c b/stdlib/qsort.c index be47aebbe0..c64540eb91 100644 --- a/stdlib/qsort.c +++ b/stdlib/qsort.c @@ -25,6 +25,7 @@ #include #include #include +#include /* Swap SIZE bytes between addresses A and B. These helpers are provided along the generic one as an optimization. */ @@ -338,6 +339,21 @@ indirect_msort_with_tmp (const struct msort_param *p, void *b, size_t n, } } +struct cleanup_arg +{ + char *tmp; + char *buf; +}; + +static void +cancel_handler (void *ptr) +{ + /* Restore the old signal handler. */ + struct cleanup_arg *clarg = (struct cleanup_arg *) ptr; + if (clarg->tmp != clarg->buf) + free (clarg->buf); +} + void __qsort_r (void *const pbase, size_t total_elems, size_t size, __compar_d_fn_t cmp, void *arg) @@ -348,19 +364,21 @@ __qsort_r (void *const pbase, size_t total_elems, size_t size, /* Align to the maximum size used by the swap optimization. */ _Alignas (uint64_t) char tmp[QSORT_STACK_SIZE]; size_t total_size = total_elems * size; - char *buf; + + struct cleanup_arg clarg = { tmp, NULL }; + __libc_cleanup_push (cancel_handler, &clarg); if (size > INDIRECT_SORT_SIZE_THRES) total_size = 2 * total_elems * sizeof (void *) + size; if (total_size <= sizeof tmp) - buf = tmp; + clarg.buf = tmp; else { int save = errno; - buf = malloc (total_size); + clarg.buf = malloc (total_size); __set_errno (save); - if (buf == NULL) + if (clarg.buf == NULL) { /* Fallback to heapsort in case of memory failure. */ heapsort_r (pbase, total_elems - 1, size, cmp, arg); @@ -376,7 +394,7 @@ __qsort_r (void *const pbase, size_t total_elems, size_t size, .cmp = cmp, .arg = arg, .var = SWAP_VOID_ARG, - .t = buf, + .t = clarg.buf, }; indirect_msort_with_tmp (&msort_param, pbase, total_elems, size); } @@ -388,13 +406,15 @@ __qsort_r (void *const pbase, size_t total_elems, size_t size, .cmp = cmp, .arg = arg, .var = get_swap_type (pbase, size), - .t = buf, + .t = clarg.buf, }; msort_with_tmp (&msort_param, pbase, total_elems); } - if (buf != tmp) - free (buf); + __libc_cleanup_pop (0); + + if (clarg.tmp != clarg.buf) + free (clarg.buf); } libc_hidden_def (__qsort_r) weak_alias (__qsort_r, qsort_r) diff --git a/stdlib/tst-qsort4.c b/stdlib/tst-qsort4.c index 247917b454..12f1357609 100644 --- a/stdlib/tst-qsort4.c +++ b/stdlib/tst-qsort4.c @@ -16,6 +16,10 @@ License along with the GNU C Library; if not, see . */ +#include + +#define __libc_cleanup_push(a, b) pthread_cleanup_push (a, b) +#define __libc_cleanup_pop(a) pthread_cleanup_pop (a) #include "qsort.c" #include diff --git a/stdlib/tst-qsort7.cc b/stdlib/tst-qsort7.cc new file mode 100644 index 0000000000..51a0b7d733 --- /dev/null +++ b/stdlib/tst-qsort7.cc @@ -0,0 +1,74 @@ +/* Test if qsort cleanup memory allocation if the comparison function + throws (BZ 32058) + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include + +static int +compar_func (const void *a1, const void *a2) +{ + throw std::logic_error (__func__); +} + +static int +do_test (void) +{ + mtrace (); + + { + /* An array smaller than QSORT_STACK_SIZE, check if cleanup handler + handles the stack buffer correctly. */ + typedef std::array input_t; + input_t input = { 0 }; + + try + { + qsort (input.data(), + input.size(), + sizeof (input_t::value_type), + compar_func); + } + catch (...) + { + } + } + + { + /* An array larger than QSORT_STACK_SIZE to force memory allocation. */ + typedef std::array input_t; + input_t input = { 0 }; + + try + { + qsort (input.data(), + input.size(), + sizeof (input_t::value_type), + compar_func); + } + catch (...) + { + } + } + + return 0; +} + +#include