about summary refs log tree commit diff
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2017-08-29 17:33:58 +0200
committerFlorian Weimer <fweimer@redhat.com>2017-08-29 17:33:58 +0200
commit251bccfa1fcb3568e43546b0df33e052889406c1 (patch)
tree29c7966c2fc0ee4fba8cbf1ddf42123a71b0716e
parente7c18b9d0aacb02f9d6edffdf4d1e26a54fbfb84 (diff)
downloadglibc-251bccfa1fcb3568e43546b0df33e052889406c1.tar.gz
glibc-251bccfa1fcb3568e43546b0df33e052889406c1.tar.xz
glibc-251bccfa1fcb3568e43546b0df33e052889406c1.zip
iconv_open: Fix heap corruption on gconv_init failure [BZ #22026]
Also mangle the __end_fct function pointer on the error handling
path.
-rw-r--r--ChangeLog16
-rw-r--r--iconv/Makefile14
-rw-r--r--iconv/gconv_db.c9
-rw-r--r--iconv/test-gconv-modules23
-rw-r--r--iconv/tst-gconv-init-failure-mod.c49
-rw-r--r--iconv/tst-gconv-init-failure.c58
6 files changed, 167 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 1efd7f5a4c..bf89b59a55 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,21 @@
 2017-08-29  Florian Weimer  <fweimer@redhat.com>
 
+	[BZ #22026]
+	* iconv/gconv_db.c (gen_steps): Decrement step_cnt after resetting
+	__end_fct.  Mangle __end_fct after setting it to NULL.
+	* iconv/Makefile (tests): Add tst-gconv-init-failure.
+	(modules-names, modules-names-tests): Add
+	tst-gconv-init-failure-mod.
+	(gconv-modules): New target.
+	(tst-gconv-init-failure-mod.so): Link against libsupport.
+	(tst-gconv-init-failure): Depend on gconv-modules,
+	tst-gconv-init-failure-mod.so.
+	* iconv/tst-gconv-init-failure-mod.c: New file.
+	* iconv/tst-gconv-init-failure.c: Likewise.
+	* iconv/test-gconv-modules: Likewise.
+
+2017-08-29  Florian Weimer  <fweimer@redhat.com>
+
 	[BZ #22025]
 	* iconv/gconv_db.c (free_derivation): Remove redundant
 	parentheses.
diff --git a/iconv/Makefile b/iconv/Makefile
index b2fead0479..fd3575178e 100644
--- a/iconv/Makefile
+++ b/iconv/Makefile
@@ -61,6 +61,20 @@ ifeq ($(run-built-tests),yes)
 xtests-special += $(objpfx)test-iconvconfig.out
 endif
 
+# Make a copy of the file because gconv module names are constructed
+# relative to the path of the configuration file.
+$(objpfx)gconv-modules: test-gconv-modules
+	cp $< $@
+
+ifeq (yes,$(build-shared))
+tests += tst-gconv-init-failure
+modules-names += tst-gconv-init-failure-mod
+modules-names-tests += tst-gconv-init-failure-mod
+$(objpfx)tst-gconv-init-failure-mod.so: $(libsupport)
+$(objpfx)tst-gconv-init-failure.out: \
+ $(objpfx)gconv-modules $(objpfx)tst-gconv-init-failure-mod.so
+endif
+
 include ../Rules
 
 $(inst_bindir)/iconv: $(objpfx)iconv_prog $(+force)
diff --git a/iconv/gconv_db.c b/iconv/gconv_db.c
index 7a95aeaeac..96f087192e 100644
--- a/iconv/gconv_db.c
+++ b/iconv/gconv_db.c
@@ -318,9 +318,14 @@ gen_steps (struct derivation_step *best, const char *toset,
 		  if (__builtin_expect (status, __GCONV_OK) != __GCONV_OK)
 		    {
 		      failed = 1;
-		      /* Make sure we unload this modules.  */
-		      --step_cnt;
+		      /* Do not call the end function because the init
+			 function has failed.  */
 		      result[step_cnt].__end_fct = NULL;
+# ifdef PTR_MANGLE
+		      PTR_MANGLE (result[step_cnt].__end_fct);
+# endif
+		      /* Make sure we unload this module.  */
+		      --step_cnt;
 		      break;
 		    }
 		}
diff --git a/iconv/test-gconv-modules b/iconv/test-gconv-modules
new file mode 100644
index 0000000000..edacd8cb1d
--- /dev/null
+++ b/iconv/test-gconv-modules
@@ -0,0 +1,23 @@
+# Test modules for gconv.
+# Copyright (C) 2017 Free Software Foundation, Inc.
+# This file is part of the GNU C Library.
+
+# The GNU C Library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# The GNU C Library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with the GNU C Library; if not, see
+# <http://www.gnu.org/licenses/>.
+
+# To activate these modules, tests need to put a directory with the
+# modules and a copy of this file (under the name gconv-modules) on
+# GCONV_PATH.
+
+module	TST-GCONV-INIT-FAILURE//	UTF-8//	tst-gconv-init-failure-mod
diff --git a/iconv/tst-gconv-init-failure-mod.c b/iconv/tst-gconv-init-failure-mod.c
new file mode 100644
index 0000000000..7e7d1b9a15
--- /dev/null
+++ b/iconv/tst-gconv-init-failure-mod.c
@@ -0,0 +1,49 @@
+/* Test gconv module for tst-gconv-init-failure.
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <gconv.h>
+#include <support/check.h>
+#include <support/support.h>
+
+int
+gconv (struct __gconv_step *step,
+       struct __gconv_step_data *data,
+       const unsigned char **inptrp,
+       const unsigned char *inend,
+       unsigned char **outbufstart, size_t *irreversible,
+       int do_flush, int consume_incomplete)
+{
+  FAIL_EXIT1 ("gconv called");
+  return __GCONV_INTERNAL_ERROR;
+}
+
+int
+gconv_init (struct __gconv_step *ignored)
+{
+  write_message ("info: gconv_init called, returning error\n");
+  errno = ENOMEM;
+  return __GCONV_NOMEM;
+}
+
+int
+gconv_end (struct __gconv_step *ignored)
+{
+  FAIL_EXIT1 ("gconv_end called");
+  return __GCONV_INTERNAL_ERROR;
+}
diff --git a/iconv/tst-gconv-init-failure.c b/iconv/tst-gconv-init-failure.c
new file mode 100644
index 0000000000..92dfbd4ccd
--- /dev/null
+++ b/iconv/tst-gconv-init-failure.c
@@ -0,0 +1,58 @@
+/* Check that module __end_fct is not invoked when the init function fails.
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <iconv.h>
+#include <libgen.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <support/check.h>
+#include <support/support.h>
+#include <support/test-driver.h>
+#include <sys/auxv.h>
+
+/* Test GCONV_PATH to the directory containing the program
+   executable.  */
+static void
+activate_test_gconv_modules (void)
+{
+  unsigned long ptr = getauxval (AT_EXECFN);
+  if (ptr == 0)
+    {
+      printf ("warning: AT_EXECFN not support, cannot run test\n");
+      exit (EXIT_UNSUPPORTED);
+    }
+  char *test_program_directory = dirname (xstrdup ((const char *) ptr));
+  TEST_VERIFY (setenv ("GCONV_PATH", test_program_directory, 1) == 0);
+  free (test_program_directory);
+}
+
+static int
+do_test (void)
+{
+  activate_test_gconv_modules ();
+
+  TEST_VERIFY (iconv_open ("UTF-8", "tst-gconv-init-failure//")
+               == (iconv_t) -1);
+  if (errno != ENOMEM)
+    FAIL_EXIT1 ("unexpected iconv_open error: %m");
+
+  return 0;
+}
+
+#include <support/test-driver.c>