diff options
author | Florian Weimer <fweimer@redhat.com> | 2017-08-29 17:33:58 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2017-08-29 17:33:58 +0200 |
commit | 251bccfa1fcb3568e43546b0df33e052889406c1 (patch) | |
tree | 29c7966c2fc0ee4fba8cbf1ddf42123a71b0716e | |
parent | e7c18b9d0aacb02f9d6edffdf4d1e26a54fbfb84 (diff) | |
download | glibc-251bccfa1fcb3568e43546b0df33e052889406c1.tar.gz glibc-251bccfa1fcb3568e43546b0df33e052889406c1.tar.xz glibc-251bccfa1fcb3568e43546b0df33e052889406c1.zip |
iconv_open: Fix heap corruption on gconv_init failure [BZ #22026]
Also mangle the __end_fct function pointer on the error handling path.
-rw-r--r-- | ChangeLog | 16 | ||||
-rw-r--r-- | iconv/Makefile | 14 | ||||
-rw-r--r-- | iconv/gconv_db.c | 9 | ||||
-rw-r--r-- | iconv/test-gconv-modules | 23 | ||||
-rw-r--r-- | iconv/tst-gconv-init-failure-mod.c | 49 | ||||
-rw-r--r-- | iconv/tst-gconv-init-failure.c | 58 |
6 files changed, 167 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog index 1efd7f5a4c..bf89b59a55 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,21 @@ 2017-08-29 Florian Weimer <fweimer@redhat.com> + [BZ #22026] + * iconv/gconv_db.c (gen_steps): Decrement step_cnt after resetting + __end_fct. Mangle __end_fct after setting it to NULL. + * iconv/Makefile (tests): Add tst-gconv-init-failure. + (modules-names, modules-names-tests): Add + tst-gconv-init-failure-mod. + (gconv-modules): New target. + (tst-gconv-init-failure-mod.so): Link against libsupport. + (tst-gconv-init-failure): Depend on gconv-modules, + tst-gconv-init-failure-mod.so. + * iconv/tst-gconv-init-failure-mod.c: New file. + * iconv/tst-gconv-init-failure.c: Likewise. + * iconv/test-gconv-modules: Likewise. + +2017-08-29 Florian Weimer <fweimer@redhat.com> + [BZ #22025] * iconv/gconv_db.c (free_derivation): Remove redundant parentheses. diff --git a/iconv/Makefile b/iconv/Makefile index b2fead0479..fd3575178e 100644 --- a/iconv/Makefile +++ b/iconv/Makefile @@ -61,6 +61,20 @@ ifeq ($(run-built-tests),yes) xtests-special += $(objpfx)test-iconvconfig.out endif +# Make a copy of the file because gconv module names are constructed +# relative to the path of the configuration file. +$(objpfx)gconv-modules: test-gconv-modules + cp $< $@ + +ifeq (yes,$(build-shared)) +tests += tst-gconv-init-failure +modules-names += tst-gconv-init-failure-mod +modules-names-tests += tst-gconv-init-failure-mod +$(objpfx)tst-gconv-init-failure-mod.so: $(libsupport) +$(objpfx)tst-gconv-init-failure.out: \ + $(objpfx)gconv-modules $(objpfx)tst-gconv-init-failure-mod.so +endif + include ../Rules $(inst_bindir)/iconv: $(objpfx)iconv_prog $(+force) diff --git a/iconv/gconv_db.c b/iconv/gconv_db.c index 7a95aeaeac..96f087192e 100644 --- a/iconv/gconv_db.c +++ b/iconv/gconv_db.c @@ -318,9 +318,14 @@ gen_steps (struct derivation_step *best, const char *toset, if (__builtin_expect (status, __GCONV_OK) != __GCONV_OK) { failed = 1; - /* Make sure we unload this modules. */ - --step_cnt; + /* Do not call the end function because the init + function has failed. */ result[step_cnt].__end_fct = NULL; +# ifdef PTR_MANGLE + PTR_MANGLE (result[step_cnt].__end_fct); +# endif + /* Make sure we unload this module. */ + --step_cnt; break; } } diff --git a/iconv/test-gconv-modules b/iconv/test-gconv-modules new file mode 100644 index 0000000000..edacd8cb1d --- /dev/null +++ b/iconv/test-gconv-modules @@ -0,0 +1,23 @@ +# Test modules for gconv. +# Copyright (C) 2017 Free Software Foundation, Inc. +# This file is part of the GNU C Library. + +# The GNU C Library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. + +# The GNU C Library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public +# License along with the GNU C Library; if not, see +# <http://www.gnu.org/licenses/>. + +# To activate these modules, tests need to put a directory with the +# modules and a copy of this file (under the name gconv-modules) on +# GCONV_PATH. + +module TST-GCONV-INIT-FAILURE// UTF-8// tst-gconv-init-failure-mod diff --git a/iconv/tst-gconv-init-failure-mod.c b/iconv/tst-gconv-init-failure-mod.c new file mode 100644 index 0000000000..7e7d1b9a15 --- /dev/null +++ b/iconv/tst-gconv-init-failure-mod.c @@ -0,0 +1,49 @@ +/* Test gconv module for tst-gconv-init-failure. + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <gconv.h> +#include <support/check.h> +#include <support/support.h> + +int +gconv (struct __gconv_step *step, + struct __gconv_step_data *data, + const unsigned char **inptrp, + const unsigned char *inend, + unsigned char **outbufstart, size_t *irreversible, + int do_flush, int consume_incomplete) +{ + FAIL_EXIT1 ("gconv called"); + return __GCONV_INTERNAL_ERROR; +} + +int +gconv_init (struct __gconv_step *ignored) +{ + write_message ("info: gconv_init called, returning error\n"); + errno = ENOMEM; + return __GCONV_NOMEM; +} + +int +gconv_end (struct __gconv_step *ignored) +{ + FAIL_EXIT1 ("gconv_end called"); + return __GCONV_INTERNAL_ERROR; +} diff --git a/iconv/tst-gconv-init-failure.c b/iconv/tst-gconv-init-failure.c new file mode 100644 index 0000000000..92dfbd4ccd --- /dev/null +++ b/iconv/tst-gconv-init-failure.c @@ -0,0 +1,58 @@ +/* Check that module __end_fct is not invoked when the init function fails. + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <iconv.h> +#include <libgen.h> +#include <stdio.h> +#include <stdlib.h> +#include <support/check.h> +#include <support/support.h> +#include <support/test-driver.h> +#include <sys/auxv.h> + +/* Test GCONV_PATH to the directory containing the program + executable. */ +static void +activate_test_gconv_modules (void) +{ + unsigned long ptr = getauxval (AT_EXECFN); + if (ptr == 0) + { + printf ("warning: AT_EXECFN not support, cannot run test\n"); + exit (EXIT_UNSUPPORTED); + } + char *test_program_directory = dirname (xstrdup ((const char *) ptr)); + TEST_VERIFY (setenv ("GCONV_PATH", test_program_directory, 1) == 0); + free (test_program_directory); +} + +static int +do_test (void) +{ + activate_test_gconv_modules (); + + TEST_VERIFY (iconv_open ("UTF-8", "tst-gconv-init-failure//") + == (iconv_t) -1); + if (errno != ENOMEM) + FAIL_EXIT1 ("unexpected iconv_open error: %m"); + + return 0; +} + +#include <support/test-driver.c> |