From patchwork Mon Aug 12 09:57:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 1971490 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=PNNRpwzJ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=8.43.85.97; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wj91f0Jb3z1yXl for ; Mon, 12 Aug 2024 19:57:58 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 4095B3858C56 for ; Mon, 12 Aug 2024 09:57:56 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by sourceware.org (Postfix) with ESMTP id 24B463858C66 for ; Mon, 12 Aug 2024 09:57:37 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 24B463858C66 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 24B463858C66 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1723456659; cv=none; b=Ndu56b3mxNm0i7B9O5wcnmQPtZNlhvWDAwR2KK3TrswcjMNwHfinAQZB35CgjQbarM6Lx7ZXFZu+yaxn9zPJcXz0rEyMuHyn8aljI3xLOrgJm7xZffnjDdf257/c+hek61CKMTDubo+Oo/veK+Wg7f76yb3q2X7Io0jCO8heAQE= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1723456659; c=relaxed/simple; bh=nM9zXwXsjq99Bti2SW97OAsuL0LpJtoAznGpLgU/1Bo=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=JIhXqvbOj0+x6hTZdSsqExI++gJV6kdLqRWy7CKyce7O0cI1/obC2A/i0jD6i9YpWKT65O9za8NkTbiY831pLXvm+rZX+s9Trlc1teByw34wPtBqEbMYJXOx8ao3dHcg9WkUk/jb4Et4+f6W3hM/hd/CjVbXQEPzBGnXvej4qmc= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723456656; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type; bh=i/R1frhWtwIYKUanVKuR7fPt2kYkYt0/zg5G+B5rcqI=; b=PNNRpwzJ6T/N0uo6YH5lDnTSmawtYqEqGt9qy2kKjR55N1jIqIbDTUjBnzFtqxdQ0ymTVx gFXRVO8WbSxkLIAASL/NMUvpJHXqTfMtqJr/5W+CYhJFjSZZWbHHCiRkVm2gJxk+5WWYYc 5OXJ+4l58ox4m+RZsbWByoQsYQ3FkXI= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-505-yjw8gWKLNYm4I108MxiQJQ-1; Mon, 12 Aug 2024 05:57:33 -0400 X-MC-Unique: yjw8gWKLNYm4I108MxiQJQ-1 Received: from mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id C6C1B1954B12; Mon, 12 Aug 2024 09:57:31 +0000 (UTC) Received: from oldenburg3.str.redhat.com (unknown [10.39.193.102]) by mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id DC02619373D7; Mon, 12 Aug 2024 09:57:28 +0000 (UTC) From: Florian Weimer To: libc-alpha@sourceware.org Cc: Solar Designer , "Dmitry V. Levin" , Archie Cobbs , Sam James , Andreas Schwab , Alan Coopersmith Subject: [PATCH v4] libio: asprintf should write NULL upon failure Date: Mon, 12 Aug 2024 11:57:25 +0200 Message-ID: <871q2udpx6.fsf@oldenburg3.str.redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.15 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-10.8 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org This was suggested most recently by Solar Designer, noting that code replacing vsprintf with vasprintf in a security fix was subtly wrong: Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Previous libc-alpha discussions: I: [PATCH] asprintf error handling fix asprintf() issue I don't think we need a compatibility symbol for this. As the most recent GStreamer example shows, this change is much more likely to fix bugs than cause compatibility issues. Suggested-by: Dmitry V. Levin Suggested-by: Archie Cobbs Suggested-by: Solar Designer --- v4: Try to find a middle-ground in the manual description of the failure casae between actually encountered behavior and specified behavior. libio/Makefile | 1 + libio/tst-asprintf-null.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++ libio/vasprintf.c | 17 ++++++++-------- manual/stdio.texi | 9 ++++++++- 4 files changed, 68 insertions(+), 10 deletions(-) base-commit: c2a474f4617ede7a8bf56b7257acb37dc757b2d1 diff --git a/libio/Makefile b/libio/Makefile index 6a507b67ea..a2d1cde955 100644 --- a/libio/Makefile +++ b/libio/Makefile @@ -86,6 +86,7 @@ tests = \ bug-wmemstream1 \ bug-wsetpos \ test-fmemopen \ + tst-asprintf-null \ tst-atime \ tst-bz22415 \ tst-bz24051 \ diff --git a/libio/tst-asprintf-null.c b/libio/tst-asprintf-null.c new file mode 100644 index 0000000000..1eebeb200f --- /dev/null +++ b/libio/tst-asprintf-null.c @@ -0,0 +1,51 @@ +/* Test that asprintf sets the buffer pointer to NULL on failure. + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include + +static int +do_test (void) +{ + static const char sentinel[] = "sentinel"; + char *buf = (char *) sentinel; + { + /* Avoid -Wformat-overflow warning. */ + const char *volatile format = "%2000000000d %2000000000d"; + TEST_COMPARE (asprintf (&buf, format, 1, 2), -1); + } + if (errno != ENOMEM) + TEST_COMPARE (errno, EOVERFLOW); + TEST_VERIFY (buf == NULL); + + /* Force ENOMEM in the test below. */ + struct rlimit rl; + TEST_COMPARE (getrlimit (RLIMIT_AS, &rl), 0); + rl.rlim_cur = 10 * 1024 * 1024; + TEST_COMPARE (setrlimit (RLIMIT_AS, &rl), 0); + + buf = (char *) sentinel; + TEST_COMPARE (asprintf (&buf, "%20000000d", 1), -1); + TEST_COMPARE (errno, ENOMEM); + TEST_VERIFY (buf == NULL); + return 0; +} + +#include diff --git a/libio/vasprintf.c b/libio/vasprintf.c index 999ae526f4..24f2a2e175 100644 --- a/libio/vasprintf.c +++ b/libio/vasprintf.c @@ -92,7 +92,7 @@ __printf_buffer_flush_asprintf (struct __printf_buffer_asprintf *buf) int -__vasprintf_internal (char **result_ptr, const char *format, va_list args, +__vasprintf_internal (char **result, const char *format, va_list args, unsigned int mode_flags) { struct __printf_buffer_asprintf buf; @@ -105,23 +105,23 @@ __vasprintf_internal (char **result_ptr, const char *format, va_list args, { if (buf.base.write_base != buf.direct) free (buf.base.write_base); + *result = NULL; return done; } /* Transfer to the final buffer. */ - char *result; size_t size = buf.base.write_ptr - buf.base.write_base; if (buf.base.write_base == buf.direct) { - result = malloc (size + 1); - if (result == NULL) + *result = malloc (size + 1); + if (*result == NULL) return -1; - memcpy (result, buf.direct, size); + memcpy (*result, buf.direct, size); } else { - result = realloc (buf.base.write_base, size + 1); - if (result == NULL) + *result = realloc (buf.base.write_base, size + 1); + if (*result == NULL) { free (buf.base.write_base); return -1; @@ -129,8 +129,7 @@ __vasprintf_internal (char **result_ptr, const char *format, va_list args, } /* Add NUL termination. */ - result[size] = '\0'; - *result_ptr = result; + (*result)[size] = '\0'; return done; } diff --git a/manual/stdio.texi b/manual/stdio.texi index 8517653507..5ba6dfcf7a 100644 --- a/manual/stdio.texi +++ b/manual/stdio.texi @@ -2517,7 +2517,14 @@ Allocation}) to hold the output, instead of putting the output in a buffer you allocate in advance. The @var{ptr} argument should be the address of a @code{char *} object, and a successful call to @code{asprintf} stores a pointer to the newly allocated string at that -location. +location. Current and future versions of @theglibc{} write a null +pointer to @samp{*@var{ptr}} upon failure. To achieve similar +behavior with previous versions, initialize @samp{*@var{ptr}} to a +null pointer before calling @code{asprintf}. (Specifications for +@code{asprintf} only require a valid pointer value in +@samp{*@var{ptr}} if @code{asprintf} succeeds, but no implementations +are known which overwrite a null pointer with a pointer that cannot be +freed on failure.) The return value is the number of characters allocated for the buffer, or less than zero if an error occurred. Usually this means that the buffer