From patchwork Tue Jul 14 16:05:38 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Paul Pluzhnikov X-Patchwork-Id: 495165 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id EA18D140770 for ; Wed, 15 Jul 2015 02:06:19 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.b=FAS+9oXP; dkim-atps=neutral DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; q=dns; s=default; b=CWEi TtPcAyFrDoRMh/044BzAps0Ru1m01FQUHv9SS7bp3VLQAuvKDlAWaqdKl/jcp8mL 31nS6B8h4qZypk/Yaoco7CgEGFz2kJhsBfXgKFkjmYSRi3ZxCtEwNUIcZ7zpsDcs iF1USRRnYMx+svwEJkKbcG1l+4VAFv2AIMalxWA= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; s=default; bh=bvSoLk9/gP 6RaIhI/Gs+t4hqPLQ=; b=FAS+9oXP2P8h7CZTsZPAtB4esrYOgzYq0o3v9/zaZh XYiqA6tyw4tnmUTRkfiM4V4XnKJ3L0gRFya42bt1AEF1uo+h23DyqZaeBBk1cR/o ssOAE7PEz7C7iGGQElzICBQ283uVY1br8bVyiff6B5UBYHXn4QVT9tAUNnI8NzX+ U= Received: (qmail 120444 invoked by alias); 14 Jul 2015 16:06:13 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 120425 invoked by uid 89); 14 Jul 2015 16:06:12 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.8 required=5.0 tests=AWL, BAYES_00, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW, RP_MATCHES_RCVD, SPF_PASS autolearn=ham version=3.3.2 X-HELO: mail-vn0-f52.google.com X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=tF6KHE1JV+3FSlTJ2L7xur26382EuvSeJKWHEEen+jQ=; b=SwPE0D7+8ic2ovDOtVnMIzQt5K7vIMYR2SZ83DadfDSa+Rt5dU2mrAj3qge1JNyCqk aB2blKe4Sl2KqtphUcMjWSpmSvRcIgsPkVQDKmjlkypi9Y1sN5pqdLZEBJGaUlyq+3sN Tth3lz2wR+ijHfyzmR2LBISW3fd0qjcMxHxrodXgg+Hf/b9QjaykP+o0cQMPFpXIoguI 8F7tZWylRaCC/E2UKg+cSq0QF8SPBvy0itmyt7LFDU41gh+GKjqpl+Isq6GJHL9D3aEY CX4bFgWljC/oPe+7K0TwLTgmnGI+RLt5wjkiCaZawUy0/mlErzhrxxTrWiIjT9GDAsc4 jr8g== X-Gm-Message-State: ALoCoQkJIfLOm4vg3OLxA6CrrLiApfw17JA0jvKty0+4gr8fVSqMoRoZPGicNHF7Rb12lxZC4LZZ X-Received: by 10.52.244.40 with SMTP id xd8mr36275030vdc.2.1436889968038; Tue, 14 Jul 2015 09:06:08 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <20150713065411.GA4079@domone> References: <20150713065411.GA4079@domone> From: Paul Pluzhnikov Date: Tue, 14 Jul 2015 09:05:38 -0700 Message-ID: Subject: Re: [patch] Fix for BZ 17905 -- unbounded alloca in catopen To: =?UTF-8?B?T25kxZllaiBCw61sa2E=?= Cc: GLIBC Devel On Sun, Jul 12, 2015 at 11:54 PM, Ondřej Bílka wrote: > check if result is null. Thanks for review. Revised patch attached. 2015-07-12 Paul Pluzhnikov [BZ #17905] * catgets/Makefile (tst-catgets-mem): New test. * catgets/catgets.c (catopen): Don't use unbounded alloca. * catgets/open_catalog.c (__open_catalog): Likewise. * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca. diff --git a/catgets/Makefile b/catgets/Makefile index 4624a88..56de38b 100644 --- a/catgets/Makefile +++ b/catgets/Makefile @@ -34,6 +34,7 @@ test-srcs = test-gencat ifeq ($(run-built-tests),yes) tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \ $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out +tests-special += $(objpfx)tst-catgets-mem.out endif gencat-modules = xmalloc @@ -50,9 +51,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcatdir)/%L/%N:$(msgcatdir)/%L/LC_MESSAGES/% generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \ test-gencat.h +generated += tst-catgets.mtrace tst-catgets-mem.out + generated-dirs += de -tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de +tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace ifeq ($(run-built-tests),yes) # This test just checks whether the program produces any error or not. @@ -86,4 +89,8 @@ $(objpfx)test-gencat.out: test-gencat.sh $(objpfx)test-gencat \ $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \ $(evaluate-test) + +$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \ + $(evaluate-test) endif diff --git a/catgets/catgets.c b/catgets/catgets.c index cf93d56..7098628 100644 --- a/catgets/catgets.c +++ b/catgets/catgets.c @@ -16,7 +16,6 @@ License along with the GNU C Library; if not, see . */ -#include #include #include #include @@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag) __nl_catd result; const char *env_var = NULL; const char *nlspath = NULL; + char *tmp = NULL; if (strchr (cat_name, '/') == NULL) { @@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag) { /* Append the system dependent directory. */ size_t len = strlen (nlspath) + 1 + sizeof NLSPATH; - char *tmp = alloca (len); + tmp = malloc (len); + + if (__glibc_unlikely (tmp == NULL)) + return (nl_catd) -1; __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH); nlspath = tmp; @@ -64,17 +67,15 @@ catopen (const char *cat_name, int flag) } result = (__nl_catd) malloc (sizeof (*result)); - if (result == NULL) - /* We cannot get enough memory. */ - return (nl_catd) -1; - - if (__open_catalog (cat_name, nlspath, env_var, result) != 0) + if (result == NULL + || __open_catalog (cat_name, nlspath, env_var, result) != 0) { - /* Couldn't open the file. */ + /* We cannot get enough memory. */ free ((void *) result); - return (nl_catd) -1; + result = (nl_catd) -1; } + free (tmp); return (nl_catd) result; } diff --git a/catgets/open_catalog.c b/catgets/open_catalog.c index e069416..3e772f1 100644 --- a/catgets/open_catalog.c +++ b/catgets/open_catalog.c @@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, size_t tab_size; const char *lastp; int result = -1; + char *buf = NULL; if (strchr (cat_name, '/') != NULL || nlspath == NULL) fd = open_not_cancel_2 (cat_name, O_RDONLY); @@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, if (__glibc_unlikely (bufact + (n) >= bufmax)) \ { \ char *old_buf = buf; \ - bufmax += 256 + (n); \ - buf = (char *) alloca (bufmax); \ - memcpy (buf, old_buf, bufact); \ + bufmax += (bufmax == 0) ? 256 + (n) : bufmax; \ + buf = realloc (buf, bufmax); \ + if (__glibc_unlikely (buf == NULL)) \ + { \ + free (old_buf); \ + return -1; \ + } \ } /* The RUN_NLSPATH variable contains a colon separated list of descriptions where we expect to find catalogs. We have to recognize certain % substitutions and stop when we found the first existing file. */ - char *buf; size_t bufact; - size_t bufmax; + size_t bufmax = 0; size_t len; - buf = NULL; - bufmax = 0; - fd = -1; while (*run_nlspath != '\0') { @@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, /* Avoid dealing with directories and block devices */ if (__builtin_expect (fd, 0) < 0) - return -1; + { + free (buf); + return -1; + } if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0) goto close_unlock_return; @@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, /* Release the lock again. */ close_unlock_return: close_not_cancel_no_status (fd); + free (buf); return result; } diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c index a0a4089..140de72 100644 --- a/catgets/tst-catgets.c +++ b/catgets/tst-catgets.c @@ -1,7 +1,10 @@ +#include #include #include #include +#include #include +#include static const char *msgs[] = @@ -12,6 +15,33 @@ static const char *msgs[] = }; #define nmsgs (sizeof (msgs) / sizeof (msgs[0])) + +/* Test for unbounded alloca. */ +static int +do_bz17905 (void) +{ + char *buf; + struct rlimit rl; + nl_catd result; + + const int sz = 1024 * 1024; + + getrlimit (RLIMIT_STACK, &rl); + rl.rlim_cur = sz; + setrlimit (RLIMIT_STACK, &rl); + + buf = malloc (sz + 1); + memset (buf, 'A', sz); + buf[sz] = '\0'; + setenv ("NLSPATH", buf, 1); + + result = catopen (buf, NL_CAT_LOCALE); + assert (result == (nl_catd) -1); + + free (buf); + return 0; +} + #define ROUNDS 5 static int @@ -62,6 +92,7 @@ do_test (void) } } + result += do_bz17905 (); return result; }