From patchwork Tue Dec 10 03:49:52 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sam James <sam@gentoo.org>
X-Patchwork-Id: 2020441
Return-Path: <libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org
 (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org;
 envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;
 receiver=patchwork.ozlabs.org)
Received: from server2.sourceware.org (server2.sourceware.org
 [IPv6:2620:52:3:1:0:246e:9693:128c])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4Y6lC90S8Gz1yR6
	for <incoming@patchwork.ozlabs.org>; Tue, 10 Dec 2024 14:51:16 +1100 (AEDT)
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id 23137385843F
	for <incoming@patchwork.ozlabs.org>; Tue, 10 Dec 2024 03:51:15 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 23137385843F
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
 by sourceware.org (Postfix) with ESMTP id C935D3858D33
 for <libc-alpha@sourceware.org>; Tue, 10 Dec 2024 03:50:45 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org C935D3858D33
Authentication-Results: sourceware.org;
 dmarc=pass (p=none dis=none) header.from=gentoo.org
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gentoo.org
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org C935D3858D33
Authentication-Results: server2.sourceware.org;
 arc=none smtp.remote-ip=140.211.166.183
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1733802645; cv=none;
 b=YQ574dT/tRNxZI6y7sdRlXHMX432U7IyL0f55SaoDDQ/JClNkciLtKetdYbIz4Xl5/tW7f2/hJayp1bbJapGF/+Du58nTNCqxnxcRaZEi6T2nxrJxUaVwBZLAIV7Bvts6LNYBSK7Ekta4+mucNYz+6nREw9QepvTGXqhhjgWF78=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1733802645; c=relaxed/simple;
 bh=leAE/UfRFhn8EtW/mg8HbQI413a1308ITXnGcwtx/5w=;
 h=From:To:Subject:Date:Message-ID:MIME-Version;
 b=MbBaUH81uYhqcjGbCEEzlMyJ6bmohZlm2dZSsIuf19pJSQIzlCKzHAeVRT9TEhLUUuyQkJ+Oaxi5vaiz5mZyua16zPPeLczYXKoUDMp+dxnUeEbP+6s2qcKj27UfcVUIV+uCspSxCKsZRcWJm5CgQnyFoo5C8palTNsVW8Bi+KE=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org C935D3858D33
From: Sam James <sam@gentoo.org>
To: libc-alpha@sourceware.org
Cc: Sam James <sam@gentoo.org>,
 Adhemerval Zanella <adhemerval.zanella@linaro.org>
Subject: [PATCH] stdlib: random_r: fix unaligned access in initstate and
 initstate_r [BZ #30584]
Date: Tue, 10 Dec 2024 03:49:52 +0000
Message-ID: 
 <6180a8251d3f8d714ff13d27ccce48e44845661b.1733802592.git.sam@gentoo.org>
X-Mailer: git-send-email 2.47.1
MIME-Version: 1.0
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Errors-To: libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org

The initstate{,_r} interfaces are documented in BSD as needing an aligned
array of 32-bit values, but neither POSIX nor glibc's own documentation
require it to be aligned. glibc's documentation says it "should" be a power
of 2, but not must.

Use memcpy to read and write to `state` to handle such an unaligned
argument.

Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
---
Tested on x86_64-pc-linux-gnu and sparc64-unknown-linux-gnu.

 stdlib/Makefile             |  1 +
 stdlib/random_r.c           | 39 ++++++++++++++++++++++++++-----------
 stdlib/tst-random-bz30584.c | 39 +++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+), 11 deletions(-)
 create mode 100644 stdlib/tst-random-bz30584.c

diff --git a/stdlib/Makefile b/stdlib/Makefile
index 370cfa57aa..715446970f 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -299,6 +299,7 @@ tests := \
   tst-rand48-2 \
   tst-random \
   tst-random2 \
+  tst-random-bz30584 \
   tst-realpath \
   tst-realpath-toolong \
   tst-secure-getenv \
diff --git a/stdlib/random_r.c b/stdlib/random_r.c
index b6297fe099..dee3bc9535 100644
--- a/stdlib/random_r.c
+++ b/stdlib/random_r.c
@@ -55,6 +55,7 @@
 #include <limits.h>
 #include <stddef.h>
 #include <stdlib.h>
+#include <string.h>
 
 
 /* An improved random number generation package.  In addition to the standard
@@ -146,7 +147,19 @@ static const struct random_poly_info random_poly_info =
   { DEG_0, DEG_1, DEG_2, DEG_3, DEG_4 }
 };
 
+static inline int32_t
+read_state (int32_t *b, size_t idx)
+{
+  int32_t r;
+  memcpy (&r, &b[idx], sizeof (int32_t));
+  return r;
+}
 
+static inline void
+write_state (int32_t *b, size_t idx, int32_t v)
+{
+  memcpy (&b[idx], &v, sizeof (int32_t));
+}
 
 
 /* Initialize the random number generator based on the given seed.  If the
@@ -177,7 +190,7 @@ __srandom_r (unsigned int seed, struct random_data *buf)
   /* We must make sure the seed is not 0.  Take arbitrarily 1 in this case.  */
   if (seed == 0)
     seed = 1;
-  state[0] = seed;
+  write_state (state, 0, seed);
   if (type == TYPE_0)
     goto done;
 
@@ -194,7 +207,7 @@ __srandom_r (unsigned int seed, struct random_data *buf)
       word = 16807 * lo - 2836 * hi;
       if (word < 0)
 	word += 2147483647;
-      *++dst = word;
+      write_state (++dst, 0, word);
     }
 
   buf->fptr = &state[buf->rand_sep];
@@ -238,9 +251,10 @@ __initstate_r (unsigned int seed, char *arg_state, size_t n,
     {
       int old_type = buf->rand_type;
       if (old_type == TYPE_0)
-	old_state[-1] = TYPE_0;
+	write_state (old_state, -1, TYPE_0);
       else
-	old_state[-1] = (MAX_TYPES * (buf->rptr - old_state)) + old_type;
+	write_state (old_state, -1, (MAX_TYPES * (buf->rptr - old_state))
+				    + old_type);
     }
 
   int type;
@@ -270,9 +284,9 @@ __initstate_r (unsigned int seed, char *arg_state, size_t n,
 
   __srandom_r (seed, buf);
 
-  state[-1] = TYPE_0;
+  write_state (state, -1, TYPE_0);
   if (type != TYPE_0)
-    state[-1] = (buf->rptr - state) * MAX_TYPES + type;
+    write_state (state, -1, (buf->rptr - state) * MAX_TYPES + type);
 
   return 0;
 
@@ -307,9 +321,10 @@ __setstate_r (char *arg_state, struct random_data *buf)
   old_type = buf->rand_type;
   old_state = buf->state;
   if (old_type == TYPE_0)
-    old_state[-1] = TYPE_0;
+    write_state (old_state, -1, TYPE_0);
   else
-    old_state[-1] = (MAX_TYPES * (buf->rptr - old_state)) + old_type;
+    write_state (old_state, -1, (MAX_TYPES * (buf->rptr - old_state))
+				+ old_type);
 
   type = new_state[-1] % MAX_TYPES;
   if (type < TYPE_0 || type > TYPE_4)
@@ -361,8 +376,8 @@ __random_r (struct random_data *buf, int32_t *result)
 
   if (buf->rand_type == TYPE_0)
     {
-      int32_t val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
-      state[0] = val;
+      int32_t val = ((read_state(state, 0) * 1103515245U) + 12345U) & 0x7fffffff;
+      write_state (state, 0, val);
       *result = val;
     }
   else
@@ -372,7 +387,9 @@ __random_r (struct random_data *buf, int32_t *result)
       int32_t *end_ptr = buf->end_ptr;
       uint32_t val;
 
-      val = *fptr += (uint32_t) *rptr;
+      val = read_state (rptr, 0);
+      int32_t t = read_state (fptr, 0);
+      write_state (fptr, 0, t + val);
       /* Chucking least random bit.  */
       *result = val >> 1;
       ++fptr;
diff --git a/stdlib/tst-random-bz30584.c b/stdlib/tst-random-bz30584.c
new file mode 100644
index 0000000000..2e82dabaf3
--- /dev/null
+++ b/stdlib/tst-random-bz30584.c
@@ -0,0 +1,39 @@
+/* Test program for initstate(), initstate_r() for BZ #30584.
+   Copyright (C) 2024 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public License as
+   published by the Free Software Foundation; either version 2.1 of the
+   License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; see the file COPYING.LIB.  If
+   not, see <https://www.gnu.org/licenses/>.  */
+
+#include <stdlib.h>
+#include <time.h>
+
+static int
+do_test (void)
+{
+  struct random_data rand_state;
+  char buf[128 + sizeof (int32_t)];
+  rand_state.state = NULL;
+
+  /* Test initstate_r with an unaligned `state` array. */
+  initstate_r (time (NULL), buf + 1, sizeof buf - 1, &rand_state);
+
+  /* Ditto initstate. */
+  initstate (time (NULL), buf + 1, sizeof buf - 1);
+
+  return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"