From 251bccfa1fcb3568e43546b0df33e052889406c1 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Tue, 29 Aug 2017 17:33:58 +0200 Subject: iconv_open: Fix heap corruption on gconv_init failure [BZ #22026] Also mangle the __end_fct function pointer on the error handling path. --- iconv/Makefile | 14 +++++++++ iconv/gconv_db.c | 9 ++++-- iconv/test-gconv-modules | 23 +++++++++++++++ iconv/tst-gconv-init-failure-mod.c | 49 ++++++++++++++++++++++++++++++++ iconv/tst-gconv-init-failure.c | 58 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 151 insertions(+), 2 deletions(-) create mode 100644 iconv/test-gconv-modules create mode 100644 iconv/tst-gconv-init-failure-mod.c create mode 100644 iconv/tst-gconv-init-failure.c (limited to 'iconv') diff --git a/iconv/Makefile b/iconv/Makefile index b2fead0..fd35751 100644 --- a/iconv/Makefile +++ b/iconv/Makefile @@ -61,6 +61,20 @@ ifeq ($(run-built-tests),yes) xtests-special += $(objpfx)test-iconvconfig.out endif +# Make a copy of the file because gconv module names are constructed +# relative to the path of the configuration file. +$(objpfx)gconv-modules: test-gconv-modules + cp $< $@ + +ifeq (yes,$(build-shared)) +tests += tst-gconv-init-failure +modules-names += tst-gconv-init-failure-mod +modules-names-tests += tst-gconv-init-failure-mod +$(objpfx)tst-gconv-init-failure-mod.so: $(libsupport) +$(objpfx)tst-gconv-init-failure.out: \ + $(objpfx)gconv-modules $(objpfx)tst-gconv-init-failure-mod.so +endif + include ../Rules $(inst_bindir)/iconv: $(objpfx)iconv_prog $(+force) diff --git a/iconv/gconv_db.c b/iconv/gconv_db.c index 7a95aea..96f0871 100644 --- a/iconv/gconv_db.c +++ b/iconv/gconv_db.c @@ -318,9 +318,14 @@ gen_steps (struct derivation_step *best, const char *toset, if (__builtin_expect (status, __GCONV_OK) != __GCONV_OK) { failed = 1; - /* Make sure we unload this modules. */ - --step_cnt; + /* Do not call the end function because the init + function has failed. */ result[step_cnt].__end_fct = NULL; +# ifdef PTR_MANGLE + PTR_MANGLE (result[step_cnt].__end_fct); +# endif + /* Make sure we unload this module. */ + --step_cnt; break; } } diff --git a/iconv/test-gconv-modules b/iconv/test-gconv-modules new file mode 100644 index 0000000..edacd8c --- /dev/null +++ b/iconv/test-gconv-modules @@ -0,0 +1,23 @@ +# Test modules for gconv. +# Copyright (C) 2017 Free Software Foundation, Inc. +# This file is part of the GNU C Library. + +# The GNU C Library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. + +# The GNU C Library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public +# License along with the GNU C Library; if not, see +# . + +# To activate these modules, tests need to put a directory with the +# modules and a copy of this file (under the name gconv-modules) on +# GCONV_PATH. + +module TST-GCONV-INIT-FAILURE// UTF-8// tst-gconv-init-failure-mod diff --git a/iconv/tst-gconv-init-failure-mod.c b/iconv/tst-gconv-init-failure-mod.c new file mode 100644 index 0000000..7e7d1b9 --- /dev/null +++ b/iconv/tst-gconv-init-failure-mod.c @@ -0,0 +1,49 @@ +/* Test gconv module for tst-gconv-init-failure. + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include + +int +gconv (struct __gconv_step *step, + struct __gconv_step_data *data, + const unsigned char **inptrp, + const unsigned char *inend, + unsigned char **outbufstart, size_t *irreversible, + int do_flush, int consume_incomplete) +{ + FAIL_EXIT1 ("gconv called"); + return __GCONV_INTERNAL_ERROR; +} + +int +gconv_init (struct __gconv_step *ignored) +{ + write_message ("info: gconv_init called, returning error\n"); + errno = ENOMEM; + return __GCONV_NOMEM; +} + +int +gconv_end (struct __gconv_step *ignored) +{ + FAIL_EXIT1 ("gconv_end called"); + return __GCONV_INTERNAL_ERROR; +} diff --git a/iconv/tst-gconv-init-failure.c b/iconv/tst-gconv-init-failure.c new file mode 100644 index 0000000..92dfbd4 --- /dev/null +++ b/iconv/tst-gconv-init-failure.c @@ -0,0 +1,58 @@ +/* Check that module __end_fct is not invoked when the init function fails. + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Test GCONV_PATH to the directory containing the program + executable. */ +static void +activate_test_gconv_modules (void) +{ + unsigned long ptr = getauxval (AT_EXECFN); + if (ptr == 0) + { + printf ("warning: AT_EXECFN not support, cannot run test\n"); + exit (EXIT_UNSUPPORTED); + } + char *test_program_directory = dirname (xstrdup ((const char *) ptr)); + TEST_VERIFY (setenv ("GCONV_PATH", test_program_directory, 1) == 0); + free (test_program_directory); +} + +static int +do_test (void) +{ + activate_test_gconv_modules (); + + TEST_VERIFY (iconv_open ("UTF-8", "tst-gconv-init-failure//") + == (iconv_t) -1); + if (errno != ENOMEM) + FAIL_EXIT1 ("unexpected iconv_open error: %m"); + + return 0; +} + +#include -- cgit v1.1