aboutsummaryrefslogtreecommitdiff
path: root/misc
diff options
context:
space:
mode:
authorJoan Bruguera <joanbrugueram@gmail.com>2022-04-11 19:49:56 +0200
committerSiddhesh Poyarekar <siddhesh@sourceware.org>2022-04-25 17:32:30 +0530
commit33e03f9cd2be4f2cd62f93fda539cc07d9c8130e (patch)
treebd58ea330df9eab5caac54b3ebcfe65e94c79954 /misc
parent693517b92293e7ee817acf38f227f483248d33af (diff)
downloadglibc-33e03f9cd2be4f2cd62f93fda539cc07d9c8130e.zip
glibc-33e03f9cd2be4f2cd62f93fda539cc07d9c8130e.tar.gz
glibc-33e03f9cd2be4f2cd62f93fda539cc07d9c8130e.tar.bz2
misc: Fix rare fortify crash on wchar funcs. [BZ 29030]
If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify checks should pass, and `__whatever_alias` should be called. Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`. A comment says the -1 case should work as: "The -1 check is redundant because since it implies that __glibc_safe_len_cond is true.". But this fails when: * `__s > 1` * `__osz == -1` (i.e. unknown size at compile time) * `__l` is big enough * `__l * __s <= __osz` can be folded to a constant (I only found this to be true for `mbsrtowcs` and other functions in wchar2.h) In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program. This commit adds the explicit `__osz == -1` check again. moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041 Minimal test case (test.c): #include <wchar.h> int main (void) { const char *hw = "HelloWorld"; mbsrtowcs (NULL, &hw, (size_t)-1, NULL); return 0; } Build with: gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test Output: *** buffer overflow detected ***: terminated Fixes: BZ #29030 Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Diffstat (limited to 'misc')
-rw-r--r--misc/sys/cdefs.h12
1 files changed, 6 insertions, 6 deletions
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index 44d3826..f1faf82 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -162,13 +162,13 @@
|| (__builtin_constant_p (__l) && (__l) > 0))
/* Length is known to be safe at compile time if the __L * __S <= __OBJSZ
- condition can be folded to a constant and if it is true. The -1 check is
- redundant because since it implies that __glibc_safe_len_cond is true. */
+ condition can be folded to a constant and if it is true, or unknown (-1) */
#define __glibc_safe_or_unknown_len(__l, __s, __osz) \
- (__glibc_unsigned_or_positive (__l) \
- && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \
- __s, __osz)) \
- && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), __s, __osz))
+ ((__osz) == (__SIZE_TYPE__) -1 \
+ || (__glibc_unsigned_or_positive (__l) \
+ && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \
+ (__s), (__osz))) \
+ && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), (__s), (__osz))))
/* Conversely, we know at compile time that the length is unsafe if the
__L * __S <= __OBJSZ condition can be folded to a constant and if it is