From 2930c79afaf31158f990949cbb7cd6c03d9c0d74 Mon Sep 17 00:00:00 2001 From: Allan McRae Date: Thu, 9 Oct 2014 22:11:30 +1000 Subject: Update French translation (cherry picked from commit b6dcfe8c2408958be246dd61f1c5415ed7667a2a) --- ChangeLog | 4 ++++ po/fr.po | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 890c3c64a6..81641a9eda 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2014-10-09 Allan McRae + + * po/fr.po: Update French translation from translation project. + 2014-09-16 Siddhesh Poyarekar [BZ #17370] diff --git a/po/fr.po b/po/fr.po index fbf564a69d..bb7a9240c9 100644 --- a/po/fr.po +++ b/po/fr.po @@ -6673,11 +6673,11 @@ msgstr "Erreur d'entrée/sortie sur l'hôte cible" #: sysdeps/gnu/errlist.c:1399 msgid "No medium found" -msgstr "Aucun medium trouvé" +msgstr "Aucun médium trouvé" #: sysdeps/gnu/errlist.c:1407 msgid "Wrong medium type" -msgstr "Mauvais type de medium" +msgstr "Mauvais type de médium" #: sysdeps/gnu/errlist.c:1415 msgid "Required key not available" -- cgit 1.4.1 From 1b198b7fc764c013d41d1bd7b83fed0ad3dee038 Mon Sep 17 00:00:00 2001 From: Roland McGrath Date: Wed, 8 Oct 2014 15:36:12 -0700 Subject: BZ#17460: Fix buffer overrun in nscd --help. (cherry picked from commit c763c5d27112be055920c46f3be8d05bc8b669da) Conflicts: NEWS --- ChangeLog | 8 ++++++++ NEWS | 2 +- nscd/nscd.c | 45 ++++++++++++++++++++++++--------------------- nscd/nscd_conf.c | 3 --- 4 files changed, 33 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index 81641a9eda..0f9a3e1507 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2014-10-08 Roland McGrath + + [BZ #17460] + * nscd/nscd.c (more_help): Rewrite list of tables collection + using xstrdup and asprintf. + + * nscd/nscd_conf.c: Remove local xstrdup declaration. + 2014-10-09 Allan McRae * po/fr.po: Update French translation from translation project. diff --git a/NEWS b/NEWS index c555f7591c..a1d3053ef8 100644 --- a/NEWS +++ b/NEWS 
@@ -9,7 +9,7 @@ Version 2.20.1 * The following bugs are resolved with this release: - 17266, 17370, 17371. + 17266, 17370, 17371, 17460. Version 2.20 diff --git a/nscd/nscd.c b/nscd/nscd.c index 7131ead8cb..b7704b37f8 100644 --- a/nscd/nscd.c +++ b/nscd/nscd.c @@ -451,33 +451,36 @@ parse_opt (int key, char *arg, struct argp_state *state) static char * more_help (int key, const char *text, void *input) { - char *tables, *tp = NULL; - switch (key) { case ARGP_KEY_HELP_EXTRA: { - dbtype cnt; + /* We print some extra information. */ - tables = xmalloc (sizeof (dbnames) + 1); - for (cnt = 0; cnt < lastdb; cnt++) + char *tables = xstrdup (dbnames[0]); + for (dbtype i = 1; i < lastdb; ++i) { - strcat (tables, dbnames[cnt]); - strcat (tables, " "); + char *more_tables; + if (asprintf (&more_tables, "%s %s", tables, dbnames[i]) < 0) + more_tables = NULL; + free (tables); + if (more_tables == NULL) + return NULL; + tables = more_tables; } - } - /* We print some extra information. */ - if (asprintf (&tp, gettext ("\ + char *tp; + if (asprintf (&tp, gettext ("\ Supported tables:\n\ %s\n\ \n\ For bug reporting instructions, please see:\n\ %s.\n\ "), tables, REPORT_BUGS_TO) < 0) - tp = NULL; - free (tables); - return tp; + tp = NULL; + free (tables); + return tp; + } default: break; @@ -622,15 +625,15 @@ monitor_child (int fd) } if (WIFEXITED (status)) - { - child_ret = WEXITSTATUS (status); - fprintf (stderr, _("child exited with status %d\n"), child_ret); - } + { + child_ret = WEXITSTATUS (status); + fprintf (stderr, _("child exited with status %d\n"), child_ret); + } if (WIFSIGNALED (status)) - { - child_ret = WTERMSIG (status); - fprintf (stderr, _("child terminated by signal %d\n"), child_ret); - } + { + child_ret = WTERMSIG (status); + fprintf (stderr, _("child terminated by signal %d\n"), child_ret); + } } /* We have the child status, so exit with that code. */ diff --git a/nscd/nscd_conf.c b/nscd/nscd_conf.c index 7856ed9b5a..c8e194d3e2 100644 --- a/nscd/nscd_conf.c 
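Review bot: The rewritten loop in more_help returns NULL when asprintf fails, while the first table name still goes through xstrdup, which (per the removed nscd_conf.c comment) is an error-checking wrapper that aborts; the block now mixes abort-on-OOM and best-effort in four lines, and if I read argp's help-filter contract correctly a NULL return simply drops the "Supported tables" text. Make the choice explicit with a comment before `if (more_tables == NULL)`, e.g. `/* Best effort: on allocation failure return NULL so argp omits the extra text instead of aborting --help.  */`, or use xstrdup/xmalloc consistently. Rebuilding the string with one asprintf/free pair per table is O(n²) in lastdb; fine for a handful of names, but a single pass summing `strlen (dbnames[i]) + 1` into one allocation would be simpler and would also restore the old buffer-size fix without the repeated copies. The `switch` in more_help continues outside the hunk (the `default: break;` arm is visible, the function's final return is not); the monitor_child hunk of this commit is indentation only.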
+++ b/nscd/nscd_conf.c @@ -32,9 +32,6 @@ #include "dbg_log.h" #include "nscd.h" -/* Wrapper functions with error checking for standard functions. */ -extern char *xstrdup (const char *s); - /* Names of the databases. */ const char *const dbnames[lastdb] = -- cgit 1.4.1 From c14e752fc73d34c75d4f84f37fea8e0b1734cf98 Mon Sep 17 00:00:00 2001 From: "Maciej W. Rozycki" Date: Wed, 22 Oct 2014 15:20:37 +0100 Subject: MIPS: Avoid a dangling `vfork@GLIBC_2.0' reference This satisfies a symbol reference created with: .symver __libc_vfork, vfork@GLIBC_2.0 where `__libc_vfork' has not been defined or referenced. In this case the `vfork@GLIBC_2.0' reference is supposed to be discarded, however a bug present in GAS since forever causes an undefined symbol table entry to be created. This in turn triggers a problem in the linker that can manifest itself by link errors such as: ld: libpthread.so: invalid string offset 2765592330 >= 5154 for section `.dynstr' The GAS and linker bugs need to be resolved, but we can avoid them too by providing a `__libc_vfork' definition just like our other platforms. [BZ #17485] * sysdeps/unix/sysv/linux/mips/vfork.S (__libc_vfork): Define. (cherry picked from commit b5af9297d51a43f96c5be1bafab032184690dd6f) Conflicts: NEWS --- ChangeLog | 5 +++++ NEWS | 2 +- sysdeps/unix/sysv/linux/mips/vfork.S | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 0f9a3e1507..26ef072353 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2014-10-22 Maciej W. Rozycki + + [BZ #17485] + * sysdeps/unix/sysv/linux/mips/vfork.S (__libc_vfork): Define. + 2014-10-08 Roland McGrath [BZ #17460] diff --git a/NEWS b/NEWS index a1d3053ef8..29229d74ff 100644 --- a/NEWS +++ b/NEWS @@ -9,7 +9,7 @@ Version 2.20.1 * The following bugs are resolved with this release: - 17266, 17370, 17371, 17460. + 17266, 17370, 17371, 17460, 17485. Version 2.20 
diff --git a/sysdeps/unix/sysv/linux/mips/vfork.S b/sysdeps/unix/sysv/linux/mips/vfork.S index 80c362d6eb..2c1a747db3 100644 --- a/sysdeps/unix/sysv/linux/mips/vfork.S +++ b/sysdeps/unix/sysv/linux/mips/vfork.S @@ -108,3 +108,4 @@ L(error): libc_hidden_def(__vfork) weak_alias (__vfork, vfork) +strong_alias (__vfork, __libc_vfork) -- cgit 1.4.1 From e42643491c47dcd1c226b4f00f716023e9bcc5ca Mon Sep 17 00:00:00 2001 From: Renlin Li Date: Tue, 11 Nov 2014 15:18:04 +0000 Subject: [AArch64] End frame record chain correctly. --- ChangeLog | 5 +++++ NEWS | 2 +- sysdeps/aarch64/start.S | 1 - 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 26ef072353..31139c1743 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2014-11-10 Renlin Li + + [BZ #17555] + * sysdeps/aarch64/start.S (_start): Delete x29 overwritten assignment. + 2014-10-22 Maciej W. Rozycki [BZ #17485] diff --git a/NEWS b/NEWS index 29229d74ff..1df7f5e600 100644 --- a/NEWS +++ b/NEWS @@ -9,7 +9,7 @@ Version 2.20.1 * The following bugs are resolved with this release: - 17266, 17370, 17371, 17460, 17485. + 17266, 17370, 17371, 17460, 17485, 17555. Version 2.20 diff --git a/sysdeps/aarch64/start.S b/sysdeps/aarch64/start.S index 35d603ae9e..69b45eac44 100644 --- a/sysdeps/aarch64/start.S +++ b/sysdeps/aarch64/start.S @@ -47,7 +47,6 @@ _start: /* Create an initial frame with 0 LR and FP */ mov x29, #0 mov x30, #0 - mov x29, sp /* Setup rtld_fini in argument register */ mov x5, x0 -- cgit 1.4.1 From 33ceaf6187b31ea15284ac65131749e1cb68d2ae Mon Sep 17 00:00:00 2001 
From: Carlos O'Donell Date: Wed, 19 Nov 2014 11:44:12 -0500 Subject: CVE-2014-7817: wordexp fails to honour WRDE_NOCMD. The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs in the form of "$((... ``))" where "..." can be anything valid. The backticks in the arithmetic epxression are evaluated by in a shell even if WRDE_NOCMD forbade command substitution. This allows an attacker to attempt to pass dangerous commands via constructs of the above form, and bypass the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD in exec_comm(), the only place that can execute a shell. All other checks for WRDE_NOCMD are superfluous and removed. We expand the testsuite and add 3 new regression tests of roughly the same form but with a couple of nested levels. On top of the 3 new tests we add fork validation to the WRDE_NOCMD testing. If any forks are detected during the execution of a wordexp() call with WRDE_NOCMD, the test is marked as failed. This is slightly heuristic since vfork might be used in the future, but it provides a higher level of assurance that no shells were executed as part of command substitution with WRDE_NOCMD in effect. In addition it doesn't require libpthread or libdl, instead we use the public implementation namespace function __register_atfork (already part of the public ABI for libpthread). Tested on x86_64 with no regressions. (cherry picked from commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c) --- ChangeLog | 22 ++++++++++++++++++++++ NEWS | 9 ++++++++- posix/wordexp-test.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ posix/wordexp.c | 16 ++++------------ 4 files changed, 78 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 31139c1743..f9f3407f88 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,25 @@ +2014-11-19 Carlos O'Donell + Florian Weimer + Joseph Myers + Adam Conrad + Andreas Schwab + Brooks + + [BZ #17625] + * wordexp-test.c (__dso_handle): Add prototype. + (__register_atfork): Likewise. + (__app_register_atfork): New function. + (registered_forks): New global. + (register_fork): New function. + (test_case): Add 3 new tests for WRDE_CMDSUB. + (main): Call __app_register_atfork. + (testit): If WRDE_NOCMD set registered_forks to zero, run test, and if + fork count is non-zero fail the test. + * posix/wordexp.c (exec_comm): Return WRDE_CMDSUB if WRDE_NOCMD flag + is set. + (parse_dollars): Remove check for WRDE_NOCMD. + (parse_dquote): Likewise. + 2014-11-10 Renlin Li [BZ #17555] diff --git a/NEWS b/NEWS index 1df7f5e600..3de92cdd81 100644 --- a/NEWS +++ b/NEWS @@ -9,7 +9,14 @@ Version 2.20.1 * The following bugs are resolved with this release: - 17266, 17370, 17371, 17460, 17485, 17555. + 17266, 17370, 17371, 17460, 17485, 17555, 17625. + +* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag + under certain input conditions resulting in the execution of a shell for + command substitution when the applicaiton did not request it. The + implementation now checks WRDE_NOCMD immediately before executing the + shell and returns the error WRDE_CMDSUB as expected. + Version 2.20 diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c index 4957006da7..bdd65e439f 100644 --- a/posix/wordexp-test.c +++ b/posix/wordexp-test.c 
@@ -27,6 +27,25 @@ #define IFS " \n\t" +extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden"))); +extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *); + +static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void)) +{ + return __register_atfork (prepare, parent, child, + &__dso_handle == NULL ? NULL : __dso_handle); +} + +/* Number of forks seen. */ +static int registered_forks; + +/* For each fork increment the fork count. */ +static void +register_fork (void) +{ + registered_forks++; +} + struct test_case_struct { int retval; @@ -206,6 +225,12 @@ struct test_case_struct { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS }, { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS }, + /* Test for CVE-2014-7817. We test 3 combinations of command + substitution inside an arithmetic expression to make sure that + no commands are executed and error is returned. */ + { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, + { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, + { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS }, { -1, NULL, NULL, 0, 0, { NULL, }, IFS }, }; @@ -258,6 +283,15 @@ main (int argc, char *argv[]) return -1; } + /* If we are not allowed to do command substitution, we install + fork handlers to verify that no forks happened. No forks should + happen at all if command substitution is disabled. */ + if (__app_register_atfork (register_fork, NULL, NULL) != 0) + { + printf ("Failed to register fork handler.\n"); + return -1; + } + for (test = 0; test_case[test].retval != -1; test++) if (testit (&test_case[test])) ++fail; 
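Review bot: The comment added to main(), `No forks should happen at all if command substitution is disabled`, claims more than the atfork prepare handler can observe: register_fork only runs for fork() paths that invoke atfork handlers, so a shell started through vfork or posix_spawn would go uncounted — the commit message concedes this heuristic, the code does not. Reword it along the lines of `/* Heuristic check: count fork() calls with an atfork prepare handler.  A vfork/posix_spawn based shell would not be seen here.  */`. The `__dso_handle`/`__register_atfork` prototypes and the `__app_register_atfork` name deliberately use implementation-reserved identifiers so the test avoids libpthread and libdl; a one-line comment stating that intent would keep a future cleanup from renaming them and silently breaking the link. main() starts outside this hunk.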
@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc) printf ("Test %d (%s): ", ++tests, tc->words); + if (tc->flags & WRDE_NOCMD) + registered_forks = 0; + if (tc->flags & WRDE_APPEND) { /* initial wordexp() call, to be appended to */ @@ -378,6 +415,13 @@ testit (struct test_case_struct *tc) } retval = wordexp (tc->words, &we, tc->flags); + if ((tc->flags & WRDE_NOCMD) + && (registered_forks > 0)) + { + printf ("FAILED fork called for WRDE_NOCMD\n"); + return 1; + } + if (tc->flags & WRDE_DOOFFS) start_offs = sav_we.we_offs; diff --git a/posix/wordexp.c b/posix/wordexp.c index b6b65dd993..26f3a2653f 100644 --- a/posix/wordexp.c +++ b/posix/wordexp.c @@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, size_t *max_length, pid_t pid; int noexec = 0; + /* Do nothing if command substitution should not succeed. */ + if (flags & WRDE_NOCMD) + return WRDE_CMDSUB; + /* Don't fork() unless necessary */ if (!comm || !*comm) return 0; @@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t *max_length, } } - if (flags & WRDE_NOCMD) - return WRDE_CMDSUB; - (*offset) += 2; return parse_comm (word, word_length, max_length, words, offset, flags, quoted? NULL : pwordexp, ifs, ifs_white); @@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t *max_length, break; case '`': - if (flags & WRDE_NOCMD) - return WRDE_CMDSUB; - ++(*offset); error = parse_backtick (word, word_length, max_length, words, offset, flags, NULL, NULL, NULL); @@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags) break; case '`': - if (flags & WRDE_NOCMD) - { - error = WRDE_CMDSUB; - goto do_error; - } - ++words_offset; error = parse_backtick (&word, &word_length, &max_length, words, &words_offset, flags, pwordexp, ifs, -- cgit 1.4.1 From d73ac1bb436cf1adb62335f53b4fc91a02f40a3b Mon Sep 17 00:00:00 2001 
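Review bot: The new WRDE_NOCMD check in exec_comm is placed before the `if (!comm || !*comm) return 0;` shortcut, so an empty substitution now fails with WRDE_CMDSUB under WRDE_NOCMD even though no shell would have been started; that is the conservative reading of the flag and looks intended, but the comment `/* Do nothing if command substitution should not succeed. */` should record why this is the one place to check: `/* WRDE_NOCMD forbids command substitution.  exec_comm is the only path that can run a shell, so checking here (before the empty-command shortcut) is what keeps nested $((...`...`...)) forms from bypassing the flag.  */`. With the parse_dollars, parse_dquote and wordexp checks removed, the error now reaches wordexp only via parse_backtick's return value, and the old `goto do_error` arm is gone from the wordexp hunk, so it is worth confirming outside the hunk that `error = parse_backtick (...)` is still routed to do_error. Separately, the NEWS hunk of this same commit misspells the identifier as `CVE-2104-7817` and `applicaiton`, and the ChangeLog entry names `wordexp-test.c` without its posix/ prefix.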
From: Siddhesh Poyarekar Date: Mon, 24 Nov 2014 17:25:56 +0530 Subject: Make __extern_always_inline usable on clang++ again The fix for BZ #17266 (884ddc5081278f488ef8cd49951f41cfdbb480ce) removed changes that had gone into cdefs.h to make __extern_always_inline usable with clang++. This patch adds back support for clang to detect if GNU inlining semantics are available, this time without breaking the gcc use case. The check put here is based on the earlier patch and assertion[1] that checking if __GNUC_STDC_INLINE__ or __GNUC_GNU_INLINE__ is defined is sufficient to determine that clang++ suports GNU inlining semantics. Tested with a simple program that builds with __extern_always_inline with the patch and fails compilation without it. #include #include extern void foo_alias (void) __asm ("foo"); __extern_always_inline void foo (void) { puts ("hi oh world!"); return foo_alias (); } void foo_alias (void) { puts ("hell oh world"); } int main () { foo (); } [1] https://sourceware.org/ml/libc-alpha/2012-12/msg00306.html [BZ #17266] * misc/sys/cdefs.h: Define __extern_always_inline for clang 4.2 and newer. (cherry picked from commit 602f80ec8b966cfad3b61914cbe14ee606cedf6e) --- ChangeLog | 6 ++++++ misc/sys/cdefs.h | 10 ++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f9f3407f88..ac7d980d88 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2014-11-24 Siddhesh Poyarekar + + [BZ #17266] + * misc/sys/cdefs.h: Define __extern_always_inline for clang + 4.2 and newer. + 2014-11-19 Carlos O'Donell Florian Weimer Joseph Myers diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index 01e81ba9f1..711ac1d912 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h 
@@ -321,8 +321,14 @@ inline semantics, unless -fgnu89-inline is used. Using __GNUC_STDC_INLINE__ or __GNUC_GNU_INLINE is not a good enough check for gcc because gcc versions older than 4.3 may define these macros and still not guarantee GNU inlining - semantics. */ -#if !defined __cplusplus || __GNUC_PREREQ (4,3) + semantics. + + clang++ identifies itself as gcc-4.2, but has support for GNU inlining + semantics, that can be checked fot by using the __GNUC_STDC_INLINE_ and + __GNUC_GNU_INLINE__ macro definitions. */ +#if (!defined __cplusplus || __GNUC_PREREQ (4,3) \ + || (defined __clang__ && (defined __GNUC_STDC_INLINE__ \ + || defined __GNUC_GNU_INLINE__))) # if defined __GNUC_STDC_INLINE__ || defined __cplusplus # define __extern_inline extern __inline __attribute__ ((__gnu_inline__)) # define __extern_always_inline \ -- cgit 1.4.1 From a3a1f4163c4d0f9a36056c8640661a88674ae8a2 Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Mon, 15 Dec 2014 10:09:32 +0100 Subject: CVE-2012-3406: Stack overflow in vfprintf [BZ #16617] A larger number of format specifiers coudld cause a stack overflow, potentially allowing to bypass _FORTIFY_SOURCE format string protection. (cherry picked from commit a5357b7ce2a2982c5778435704bcdb55ce3667a0) (cherry picked from commit ae61fc7b33d9d99d2763c16de8275227dc9748ba) Conflicts: NEWS --- ChangeLog | 9 +++++++ NEWS | 4 ++- stdio-common/Makefile | 2 +- stdio-common/bug23-2.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++ stdio-common/bug23-3.c | 50 +++++++++++++++++++++++++++++++++++ stdio-common/bug23-4.c | 31 ++++++++++++++++++++++ stdio-common/vfprintf.c | 40 ++++++++++++++++++++++++++-- 7 files changed, 202 insertions(+), 4 deletions(-) create mode 100644 stdio-common/bug23-2.c create mode 100644 stdio-common/bug23-3.c create mode 100644 stdio-common/bug23-4.c diff --git a/ChangeLog b/ChangeLog index ac7d980d88..88d2f1edde 100644 --- a/ChangeLog +++ b/ChangeLog 
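Review bot: The comment added above the new `#if` names `__GNUC_STDC_INLINE_` with a single trailing underscore while the condition tests `__GNUC_STDC_INLINE__`, and `checked fot by` is a typo; since this comment is what the next reader will grep for, it should read `semantics, that can be checked for by using the __GNUC_STDC_INLINE__ and` (the pre-existing line above it spells `__GNUC_GNU_INLINE` without its trailing underscores — same slip, worth fixing in the same pass). The condition itself is sound: the clang clause only widens the `__cplusplus` case, so the gcc behaviour restored for BZ #17266 is untouched. The `# if defined __GNUC_STDC_INLINE__ || defined __cplusplus` block it guards continues outside the hunk.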
@@ -1,3 +1,12 @@ +2014-12-15 Jeff Law + + [BZ #16617] + * stdio-common/vfprintf.c (vfprintf): Allocate large specs array + on the heap. (CVE-2012-3406) + * stdio-common/bug23-2.c, stdio-common/bug23-3.c: New file. + * stdio-common/bug23-4.c: New file. Test case by Joseph Myers. + * stdio-common/Makefile (tests): Add bug23-2, bug23-3, bug23-4. + 2014-11-24 Siddhesh Poyarekar [BZ #17266] diff --git a/NEWS b/NEWS index 3de92cdd81..f6cdb66142 100644 --- a/NEWS +++ b/NEWS @@ -9,7 +9,7 @@ Version 2.20.1 * The following bugs are resolved with this release: - 17266, 17370, 17371, 17460, 17485, 17555, 17625. + 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625. * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for @@ -17,6 +17,8 @@ Version 2.20.1 implementation now checks WRDE_NOCMD immediately before executing the shell and returns the error WRDE_CMDSUB as expected. +* CVE-2012-3406 printf-style functions could run into a stack overflow when + processing format strings with a large number of format specifiers.a Version 2.20 diff --git a/stdio-common/Makefile b/stdio-common/Makefile index 5f8e5341a5..e5e45b6135 100644 --- a/stdio-common/Makefile +++ b/stdio-common/Makefile @@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \ scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \ bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \ - bug25 tst-printf-round bug26 + bug25 tst-printf-round bug23-2 bug23-3 bug23-4 bug26 test-srcs = tst-unbputc tst-printf diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c new file mode 100644 index 0000000000..9e0cfe6860 --- /dev/null +++ b/stdio-common/bug23-2.c 
@@ -0,0 +1,70 @@ +#include +#include +#include + +static const char expected[] = "\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n"; + +static int +do_test (void) +{ + char *buf = malloc (strlen (expected) + 1); + snprintf (buf, strlen (expected) + 1, + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n", + "a", "b", "c", "d", 5); + return strcmp (buf, expected) != 0; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" diff --git a/stdio-common/bug23-3.c b/stdio-common/bug23-3.c new file mode 100644 index 0000000000..57c8cef195 --- /dev/null +++ b/stdio-common/bug23-3.c 
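Review bot: `malloc (strlen (expected) + 1)` in do_test is handed straight to snprintf without a NULL check and buf is never freed, so an allocation failure would surface as a crash indistinguishable from the overflow the test is meant to catch. Add `if (buf == NULL) return 1;` after the malloc and `free (buf);` before the final return; bug23-3.c in the same commit has the same unchecked malloc and additionally leaks buf on its early-return mismatch paths. The format and expected string are spelled out thirteen times by hand with no explanation; a one-line comment such as `/* Enough positional specifiers to force vfprintf's specs array past its initial size.  */` (presumably the 32-entry alloca seen in the vfprintf.c hunk — confirm) would tell a reader why the repetition exists.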
@@ -0,0 +1,50 @@ +#include +#include +#include + +int +do_test (void) +{ + size_t instances = 16384; +#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + const char *item = "\na\nabbcd55"; +#define X3 X0 X0 X0 X0 X0 X0 X0 X0 +#define X6 X3 X3 X3 X3 X3 X3 X3 X3 +#define X9 X6 X6 X6 X6 X6 X6 X6 X6 +#define X12 X9 X9 X9 X9 X9 X9 X9 X9 +#define X14 X12 X12 X12 X12 +#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%" +#define TRAILER2 TRAILER TRAILER + size_t length = instances * strlen (item) + strlen (TRAILER) + 1; + + char *buf = malloc (length + 1); + snprintf (buf, length + 1, + X14 TRAILER2 "\n", + "a", "b", "c", "d", 5); + + const char *p = buf; + size_t i; + for (i = 0; i < instances; ++i) + { + const char *expected; + for (expected = item; *expected; ++expected) + { + if (*p != *expected) + { + printf ("mismatch at offset %zu (%zu): expected %d, got %d\n", + (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF); + return 1; + } + ++p; + } + } + if (strcmp (p, TRAILER "\n") != 0) + { + printf ("mismatch at trailer: [%s]\n", p); + return 1; + } + free (buf); + return 0; +} +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c new file mode 100644 index 0000000000..a4785640de --- /dev/null +++ b/stdio-common/bug23-4.c @@ -0,0 +1,31 @@ +#include +#include +#include +#include + +#define LIMIT 1000000 + +int +main (void) +{ + struct rlimit lim; + getrlimit (RLIMIT_STACK, &lim); + lim.rlim_cur = 1048576; + setrlimit (RLIMIT_STACK, &lim); + char *fmtstr = malloc (4 * LIMIT + 1); + if (fmtstr == NULL) + abort (); + char *output = malloc (LIMIT + 1); + if (output == NULL) + abort (); + for (size_t i = 0; i < LIMIT; i++) + memcpy (fmtstr + 4 * i, "%1$d", 4); + fmtstr[4 * LIMIT] = '\0'; + int ret = snprintf (output, LIMIT + 1, fmtstr, 0); + if (ret != LIMIT) + abort (); + for (size_t i = 0; i < LIMIT; i++) + if (output[i] != '0') + abort (); + return 0; +} 
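Review bot: getrlimit and setrlimit in bug23-4.c are called without checking their results, so if lowering RLIMIT_STACK to 1048576 fails the test silently runs with whatever stack limit it inherited and can pass without ever driving vfprintf onto the malloc path. Check both, and only lower the soft limit rather than unconditionally assigning it (an assignment above rlim_max is rejected): `if (getrlimit (RLIMIT_STACK, &lim) != 0) abort ();`, `if (lim.rlim_cur > 1048576) lim.rlim_cur = 1048576;`, `if (setrlimit (RLIMIT_STACK, &lim) != 0) abort ();`. Unlike bug23-2.c and bug23-3.c this file defines main directly instead of do_test plus test-skeleton.c, so it gets none of the skeleton's timeout handling; stating why in a comment, or converting it, would keep the three tests consistent. fmtstr and output are never freed, which matters little in a test but is easy to add before the return.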
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c index c4ff8334b2..429a3d1a83 100644 --- a/stdio-common/vfprintf.c +++ b/stdio-common/vfprintf.c @@ -263,6 +263,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) /* For the argument descriptions, which may be allocated on the heap. */ void *args_malloced = NULL; + /* For positional argument handling. */ + struct printf_spec *specs; + + /* Track if we malloced the SPECS array and thus must free it. */ + bool specs_malloced = false; + /* This table maps a character into a number representing a class. In each step there is a destination label for each class. */ @@ -1679,8 +1685,8 @@ do_positional: size_t nspecs = 0; /* A more or less arbitrary start value. */ size_t nspecs_size = 32 * sizeof (struct printf_spec); - struct printf_spec *specs = alloca (nspecs_size); + specs = alloca (nspecs_size); /* The number of arguments the format string requests. This will determine the size of the array needed to store the argument attributes. */ @@ -1721,11 +1727,39 @@ do_positional: if (nspecs * sizeof (*specs) >= nspecs_size) { /* Extend the array of format specifiers. */ + if (nspecs_size * 2 < nspecs_size) + { + __set_errno (ENOMEM); + done = -1; + goto all_done; + } struct printf_spec *old = specs; - specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); + if (__libc_use_alloca (2 * nspecs_size)) + specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); + else + { + nspecs_size *= 2; + specs = malloc (nspecs_size); + if (specs == NULL) + { + __set_errno (ENOMEM); + specs = old; + done = -1; + goto all_done; + } + } /* Copy the old array's elements to the new space. */ memmove (specs, old, nspecs * sizeof (*specs)); + + /* If we had previously malloc'd space for SPECS, then + release it after the copy is complete. */ + if (specs_malloced) + free (old); + + /* Now set SPECS_MALLOCED if needed. */ + if (!__libc_use_alloca (nspecs_size)) + specs_malloced = true; } /* Parse the format specifier. */ 
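Review bot: specs_malloced is derived after the fact by re-evaluating `__libc_use_alloca (nspecs_size)` at the end of the extension block instead of being set where the decision is made; the two evaluations agree today only because extend_alloca updates nspecs_size in the alloca branch just as the malloc branch does (assuming glibc's extend_alloca assigns its len argument, as it does elsewhere), which is fragile under the next edit. Set it directly: add `specs_malloced = true;` immediately after the `specs == NULL` check in the else branch and drop the trailing `if (!__libc_use_alloca (nspecs_size)) specs_malloced = true;` pair. The `if (specs_malloced) free (old);` then reads as obviously correct, since a malloc'd buffer can only ever be replaced by another malloc'd one once the alloca cutoff has been crossed. The `nspecs_size * 2 < nspecs_size` overflow guard is a good addition; the do_positional loop containing this block starts and ends outside the hunk.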
@@ -2046,6 +2080,8 @@ do_positional: } all_done: + if (specs_malloced) + free (specs); if (__glibc_unlikely (args_malloced != NULL)) free (args_malloced); if (__glibc_unlikely (workstart != NULL)) -- cgit 1.4.1 From f80af76648ed97a76745fad6caa3315a79cb1c7c Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 15 Dec 2014 17:41:13 +0100 Subject: Avoid infinite loop in nss_dns getnetbyname [BZ #17630] (cherry picked from commit 11e3417af6e354f1942c68a271ae51e892b2814d) (cherry picked from commit e54db0ea6a49affac43fa305fd134f3020c41382) Conflicts: NEWS --- ChangeLog | 6 ++++++ NEWS | 8 ++++++-- resolv/nss_dns/dns-network.c | 4 ++-- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 88d2f1edde..e416cd0e62 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2014-12-16 Florian Weimer + + [BZ #17630] + * resolv/nss_dns/dns-network.c (getanswer_r): Iterate over alias + names. + 2014-12-15 Jeff Law [BZ #16617] diff --git a/NEWS b/NEWS index f6cdb66142..9bc835c4d1 100644 --- a/NEWS +++ b/NEWS @@ -9,7 +9,7 @@ Version 2.20.1 * The following bugs are resolved with this release: - 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625. + 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630. * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for @@ -18,7 +18,11 @@ Version 2.20.1 shell and returns the error WRDE_CMDSUB as expected. * CVE-2012-3406 printf-style functions could run into a stack overflow when - processing format strings with a large number of format specifiers.a + processing format strings with a large number of format specifiers. + +* CVE-2014-9402 The nss_dns implementation of getnetbyname could run into an + infinite loopif the DNS response contained a PTR record of an unexpected + format. Version 2.20 diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c index 0a77c8bc48..08cf0a6462 100644 
--- a/resolv/nss_dns/dns-network.c +++ b/resolv/nss_dns/dns-network.c @@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result, case BYNAME: { - char **ap = result->n_aliases++; - while (*ap != NULL) + char **ap; + for (ap = result->n_aliases; *ap != NULL; ++ap) { /* Check each alias name for being of the forms: 4.3.2.1.in-addr.arpa = net 1.2.3.4 -- cgit 1.4.1 From b0694b9e98ee64cb25490de0921ce307f3872749 Mon Sep 17 00:00:00 2001 From: Roland McGrath Date: Thu, 11 Sep 2014 16:02:17 -0700 Subject: Move findidx nested functions to top-level. Needed in order to backport strxfrm_l security fix cleanly. (cherry picked from commit 8c0ab919f63dc03a420751172602a52d2bea59a8) Conflicts: ChangeLog --- ChangeLog | 35 +++++++++++++++++++++++++++++++++++ locale/weight.h | 13 ++++++++++--- locale/weightwc.h | 13 ++++++++++--- posix/fnmatch.c | 8 ++++++++ posix/fnmatch_loop.c | 17 ++++++----------- posix/regcomp.c | 10 ++++++---- posix/regex_internal.h | 7 +++++-- posix/regexec.c | 8 +++++--- string/strcoll_l.c | 9 ++++----- string/strxfrm_l.c | 5 ++--- 10 files changed, 91 insertions(+), 34 deletions(-) diff --git a/ChangeLog b/ChangeLog index e416cd0e62..dbf7e86950 100644 --- a/ChangeLog +++ b/ChangeLog 
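Review bot: The rewritten loop fixes the stuck iterator (the old `result->n_aliases++` advanced the struct field, never ap), but the commit carries no regression test, unlike the wordexp and vfprintf fixes in this series; a test feeding getanswer_r a PTR answer whose alias matches none of the expected in-addr.arpa forms would lock in the termination behaviour that BZ #17630 is about. Style: with C99 declarations already used in this series (`for (dbtype i = 1; ...)` in nscd.c), the separate `char **ap;` can fold into the loop, `for (char **ap = result->n_aliases; *ap != NULL; ++ap)`. The loop body, and whether anything after it expects ap to still point at a match, lies outside the hunk.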
@@ -1,3 +1,38 @@ +2015-02-16 Kostya Serebryany + Roland McGrath + + * locale/weight.h: Add include guard. + (findidx): Make static rather than auto; take new parameters + TABLE, INDIRECT, and EXTRA instead of getting them as outer locals. + * locale/weightwc.h: Likewise. + * posix/fnmatch_loop.c + (FCT): Change type of EXTRA from int32_t to wint_t. + Don't include either header inside the function. + Call FINDIDX rather than findidx, and pass new arguments. + #undef FINDIDX at the end of the file. + * posix/fnmatch.c [_LIBC]: #include and define + FINDIDX before including fnmatch_loop.c for the non-wide version. + [_LIBC] [HANDLE_MULTIBYTE]: #define findidx to findidxwc around + #include , and define FINDIDX to findidxwc + for the wide version. + * posix/regcomp.c [_LIBC]: #include . + (build_equiv_class) [_LIBC]: Don't #include it inside the function. + Pass new arguments to findidx. + * posix/regexec.c [RE_ENABLE_I18N] [_LIBC]: #include . + [RE_ENABLE_I18N] (check_node_accept_bytes) [_LIBC]: + Don't #include it inside the function. Pass new arguments to findidx. + * posix/regex_internal.h + [!NOT_IN_libc] [_LIBC]: #include . + (re_string_elem_size_at): Don't #include it inside the function. + Pass new arguments to findidx. + * string/strcoll_l.c: #include WEIGHT_H at top level. + (get_next_seq): Don't #include it inside the function. + Pass new arguments to findidx. + (get_next_seq_nocache): Likewise. + * string/strxfrm_l.c: #include WEIGHT_H at top level. + (STRXFRM): Don't #include it inside the function. + Pass new arguments to findidx. + 2014-12-16 Florian Weimer [BZ #17630] diff --git a/locale/weight.h b/locale/weight.h index 9eb8ac666a..9d93fdc5c4 100644 --- a/locale/weight.h +++ b/locale/weight.h 
@@ -16,10 +16,15 @@ License along with the GNU C Library; if not, see . */ +#ifndef _WEIGHT_H_ +#define _WEIGHT_H_ 1 + /* Find index of weight. */ -auto inline int32_t -__attribute ((always_inline)) -findidx (const unsigned char **cpp, size_t len) +static inline int32_t __attribute__ ((always_inline)) +findidx (const int32_t *table, + const int32_t *indirect, + const unsigned char *extra, + const unsigned char **cpp, size_t len) { int_fast32_t i = table[*(*cpp)++]; const unsigned char *cp; @@ -130,3 +135,5 @@ findidx (const unsigned char **cpp, size_t len) /* NOTREACHED */ return 0x43219876; } + +#endif /* weight.h */ diff --git a/locale/weightwc.h b/locale/weightwc.h index 8f047e3ba7..0f70b00658 100644 --- a/locale/weightwc.h +++ b/locale/weightwc.h @@ -16,10 +16,15 @@ License along with the GNU C Library; if not, see . */ +#ifndef _WEIGHTWC_H_ +#define _WEIGHTWC_H_ 1 + /* Find index of weight. */ -auto inline int32_t -__attribute ((always_inline)) -findidx (const wint_t **cpp, size_t len) +static inline int32_t __attribute__ ((always_inline)) +findidx (const int32_t *table, + const int32_t *indirect, + const wint_t *extra, + const wint_t **cpp, size_t len) { wint_t ch = *(*cpp)++; int32_t i = __collidx_table_lookup ((const char *) table, ch); @@ -109,3 +114,5 @@ findidx (const wint_t **cpp, size_t len) /* NOTREACHED */ return 0x43219876; } + +#endif /* weightwc.h */ diff --git a/posix/fnmatch.c b/posix/fnmatch.c index c330a122ab..85a6ec2263 100644 --- a/posix/fnmatch.c +++ b/posix/fnmatch.c @@ -221,6 +221,8 @@ __wcschrnul (s, c) # define MEMCHR(S, C, N) memchr (S, C, N) # define STRCOLL(S1, S2) strcoll (S1, S2) # define WIDE_CHAR_VERSION 0 +# include +# define FINDIDX findidx # include "fnmatch_loop.c" 
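Review bot: findidx gains three parameters (table, indirect, extra) that replace what used to be captured outer locals, yet the only documentation is still `/* Find index of weight. */`; every caller now has to know which LC_COLLATE arrays to fetch, so the header comment should say so, e.g. `/* TABLE, INDIRECT and EXTRA are the LC_COLLATE _NL_COLLATE_TABLEMB, _NL_COLLATE_INDIRECTMB and _NL_COLLATE_EXTRAMB arrays (the WC variants for weightwc.h).  *CPP is advanced past the bytes consumed.  Returns 0 if no entry matches.  */` — the zero-return reading follows from the `if (idx != 0)` test in the fnmatch_loop.c hunk, and the meaning of LEN (regcomp.c passes -1) should be stated as well, hedged, since it is not visible here. weightwc.h has the identical gap. Because the function is now `static inline __attribute__ ((always_inline))` and fnmatch.c includes both headers into one translation unit, the new `_WEIGHT_H_`/`_WEIGHTWC_H_` guards are load-bearing and deserve a one-line comment saying so. The body of findidx runs outside the hunk.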
@@ -246,6 +248,12 @@ __wcschrnul (s, c) # define MEMCHR(S, C, N) wmemchr (S, C, N) # define STRCOLL(S1, S2) wcscoll (S1, S2) # define WIDE_CHAR_VERSION 1 +/* Change the name the header defines so it doesn't conflict with + the version included above. */ +# define findidx findidxwc +# include +# undef findidx +# define FINDIDX findidxwc # undef IS_CHAR_CLASS /* We have to convert the wide character string in a multibyte string. But diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c index 1957397d24..db6d9d7c56 100644 --- a/posix/fnmatch_loop.c +++ b/posix/fnmatch_loop.c @@ -376,7 +376,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used) const int32_t *table; # if WIDE_CHAR_VERSION const int32_t *weights; - const int32_t *extra; + const wint_t *extra; # else const unsigned char *weights; const unsigned char *extra; @@ -385,19 +385,12 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used) int32_t idx; const UCHAR *cp = (const UCHAR *) str; - /* This #include defines a local function! */ -# if WIDE_CHAR_VERSION -# include -# else -# include -# endif - # if WIDE_CHAR_VERSION table = (const int32_t *) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_TABLEWC); weights = (const int32_t *) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_WEIGHTWC); - extra = (const int32_t *) + extra = (const wint_t *) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_EXTRAWC); indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTWC); @@ -412,7 +405,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB); # endif - idx = findidx (&cp, 1); + idx = FINDIDX (table, indirect, extra, &cp, 1); if (idx != 0) { /* We found a table entry. Now see whether the 
@@ -422,7 +415,8 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used) int32_t idx2; const UCHAR *np = (const UCHAR *) n; - idx2 = findidx (&np, string_end - n); + idx2 = FINDIDX (table, indirect, extra, + &np, string_end - n); if (idx2 != 0 && (idx >> 24) == (idx2 >> 24) && len == weights[idx2 & 0xffffff]) @@ -1277,3 +1271,4 @@ EXT (INT opt, const CHAR *pattern, const CHAR *string, const CHAR *string_end, #undef L #undef BTOWC #undef WIDE_CHAR_VERSION +#undef FINDIDX diff --git a/posix/regcomp.c b/posix/regcomp.c index 8f2747b3c9..897fe276a3 100644 --- a/posix/regcomp.c +++ b/posix/regcomp.c @@ -19,6 +19,10 @@ #include +#ifdef _LIBC +# include +#endif + static reg_errcode_t re_compile_internal (regex_t *preg, const char * pattern, size_t length, reg_syntax_t syntax); static void re_compile_fastmap_iter (regex_t *bufp, @@ -3426,8 +3430,6 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name) int32_t idx1, idx2; unsigned int ch; size_t len; - /* This #include defines a local function! */ -# include /* Calculate the index for equivalence class. */ cp = name; table = (const int32_t *) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_TABLEMB); @@ -3437,7 +3439,7 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name) _NL_COLLATE_EXTRAMB); indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB); - idx1 = findidx (&cp, -1); + idx1 = findidx (table, indirect, extra, &cp, -1); if (BE (idx1 == 0 || *cp != '\0', 0)) /* This isn't a valid character. */ return REG_ECOLLATE; @@ -3448,7 +3450,7 @@ build_equiv_class (bitset_t sbcset, const unsigned char *name) { char_buf[0] = ch; cp = char_buf; - idx2 = findidx (&cp, 1); + idx2 = findidx (table, indirect, extra, &cp, 1); /* idx2 = table[ch]; */ diff --git a/posix/regex_internal.h b/posix/regex_internal.h index 4bbf6a8276..d1ed3dc46a 100644 --- a/posix/regex_internal.h +++ b/posix/regex_internal.h 
@@ -733,6 +733,10 @@ re_string_wchar_at (const re_string_t *pstr, int idx) } # ifndef NOT_IN_libc +# ifdef _LIBC +# include +# endif + static int internal_function __attribute__ ((pure, unused)) re_string_elem_size_at (const re_string_t *pstr, int idx) @@ -740,7 +744,6 @@ re_string_elem_size_at (const re_string_t *pstr, int idx) # ifdef _LIBC const unsigned char *p, *extra; const int32_t *table, *indirect; -# include uint_fast32_t nrules = _NL_CURRENT_WORD (LC_COLLATE, _NL_COLLATE_NRULES); if (nrules != 0) @@ -751,7 +754,7 @@ re_string_elem_size_at (const re_string_t *pstr, int idx) indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB); p = pstr->mbs + idx; - findidx (&p, pstr->len - idx); + findidx (table, indirect, extra, &p, pstr->len - idx); return p - pstr->mbs - idx; } else diff --git a/posix/regexec.c b/posix/regexec.c index 7032da75aa..c840b38fc3 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -3749,6 +3749,10 @@ group_nodes_into_DFAstates (const re_dfa_t *dfa, const re_dfastate_t *state, one collating element like '.', '[a-z]', opposite to the other nodes can only accept one byte. */ +# ifdef _LIBC +# include +# endif + static int internal_function check_node_accept_bytes (const re_dfa_t *dfa, int node_idx, @@ -3868,8 +3872,6 @@ check_node_accept_bytes (const re_dfa_t *dfa, int node_idx, const int32_t *table, *indirect; const unsigned char *weights, *extra; const char *collseqwc; - /* This #include defines a local function! */ -# include /* match with collating_symbol? */ if (cset->ncoll_syms) @@ -3925,7 +3927,7 @@ check_node_accept_bytes (const re_dfa_t *dfa, int node_idx, _NL_CURRENT (LC_COLLATE, _NL_COLLATE_EXTRAMB); indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB); - int32_t idx = findidx (&cp, elem_len); + int32_t idx = findidx (table, indirect, extra, &cp, elem_len); if (idx > 0) for (i = 0; i < cset->nequiv_classes; ++i) { 
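Review bot: In regexec.c the new `# ifdef _LIBC` / `# include` / `# endif` block is inserted between the comment that ends `... opposite to the other nodes can only accept one byte.` and the `check_node_accept_bytes` definition it describes, so the function's documentation is now cut off from it by an include. Moving those three lines above the comment block, or to the top of the file with the other includes as regcomp.c does in this same commit, keeps the comment attached to the function. The include path is not rendered here; I take it to be the same weight.h header as in regcomp.c and regex_internal.h.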
diff --git a/string/strcoll_l.c b/string/strcoll_l.c index 10ce4a67ce..d4f42a32e5 100644 --- a/string/strcoll_l.c +++ b/string/strcoll_l.c @@ -41,6 +41,7 @@ #define CONCAT1(a,b) a##b #include "../locale/localeinfo.h" +#include WEIGHT_H /* Track status while looking for sequences in a string. */ typedef struct @@ -152,7 +153,6 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, const USTRING_TYPE *weights, const int32_t *table, const USTRING_TYPE *extra, const int32_t *indirect) { -#include WEIGHT_H size_t val = seq->val = 0; int len = seq->len; size_t backw_stop = seq->backw_stop; @@ -194,7 +194,7 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, while (*us != L('\0')) { - int32_t tmp = findidx (&us, -1); + int32_t tmp = findidx (table, indirect, extra, &us, -1); rulearr[idxmax] = tmp >> 24; idxarr[idxmax] = tmp & 0xffffff; idxcnt = idxmax++; @@ -242,7 +242,6 @@ get_next_seq_nocache (coll_seq *seq, int nrules, const unsigned char *rulesets, const USTRING_TYPE *extra, const int32_t *indirect, int pass) { -#include WEIGHT_H size_t val = seq->val = 0; int len = seq->len; size_t backw_stop = seq->backw_stop; @@ -285,7 +284,7 @@ get_next_seq_nocache (coll_seq *seq, int nrules, const unsigned char *rulesets, us = seq->back_us; while (i < backw) { - int32_t tmp = findidx (&us, -1); + int32_t tmp = findidx (table, indirect, extra, &us, -1); idx = tmp & 0xffffff; i++; } @@ -300,7 +299,7 @@ get_next_seq_nocache (coll_seq *seq, int nrules, const unsigned char *rulesets, while (*us != L('\0')) { - int32_t tmp = findidx (&us, -1); + int32_t tmp = findidx (table, indirect, extra, &us, -1); unsigned char rule = tmp >> 24; prev_idx = idx; idx = tmp & 0xffffff; diff --git a/string/strxfrm_l.c b/string/strxfrm_l.c index 04b9338f05..2d3f1bd5fc 100644 --- a/string/strxfrm_l.c +++ b/string/strxfrm_l.c @@ -41,6 +41,7 @@ #define CONCAT1(a,b) a##b #include "../locale/localeinfo.h" +#include WEIGHT_H #ifndef WIDE_CHAR_VERSION 
@@ -104,8 +105,6 @@ STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l) size_t idxcnt; int use_malloc; -#include WEIGHT_H - if (nrules == 0) { if (n != 0) @@ -174,7 +173,7 @@ STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l) idxmax = 0; do { - int32_t tmp = findidx (&usrc, -1); + int32_t tmp = findidx (table, indirect, extra, &usrc, -1); rulearr[idxmax] = tmp >> 24; idxarr[idxmax] = tmp & 0xffffff; -- cgit 1.4.1 From f9e0f439b72e0b2fb035be1bc60aaceeed7f6ed0 Mon Sep 17 00:00:00 2001 
From: Leonhard Holz Date: Tue, 13 Jan 2015 11:33:56 +0530 Subject: Fix memory handling in strxfrm_l [BZ #16009] [Modified from the original email by Siddhesh Poyarekar] This patch solves bug #16009 by implementing an additional path in strxfrm that does not depend on caching the weight and rule indices. In detail the following changed: * The old main loop was factored out of strxfrm_l into the function do_xfrm_cached to be able to alternativly use the non-caching version do_xfrm. * strxfrm_l allocates a fixed size array on the stack. If this is not sufficient to store the weight and rule indices, the non-caching path is taken. As the cache size is not dependent on the input there can be no problems with integer overflows or stack allocations greater than __MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the definition of strxfrm does not allow an oom errorhandling. * The uncached path determines the weight and rule index for every char and for every pass again. * Passing all the locale data array by array resulted in very long parameter lists, so I introduced a structure that holds them. * Checking for zero src string has been moved a bit upwards, it is before the locale data initialization now. * To verify that the non-caching path works correct I added a test run to localedata/sort-test.sh & localedata/xfrm-test.c where all strings are patched up with spaces so that they are too large for the caching path. (cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa) Conflicts: ChangeLog NEWS --- ChangeLog | 16 ++ NEWS | 2 +- localedata/sort-test.sh | 7 + localedata/xfrm-test.c | 52 +++++- string/strxfrm_l.c | 488 ++++++++++++++++++++++++++++++++++++++---------- 5 files changed, 464 insertions(+), 101 deletions(-) diff --git a/ChangeLog b/ChangeLog index dbf7e86950..7a2e6c9884 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,19 @@ +2015-02-16 Leonhard Holz + + [BZ #16009] + * string/strxfrm_l.c (STRXFRM): Allocate fixed size cache for + weights and rules. Use do_xfrm_cached if data fits in cache, + do_xfrm otherwise. Moved former main loop to... + * (do_xfrm_cached): New function. + * (do_xfrm): Non-caching version of do_xfrm_cached. Uses + find_idx, find_position and stack_push. + * (find_idx): New function. + * (find_position): Likewise. + * localedata/sort-test.sh: Added test run for do_xfrm. + * localedata/xfrm-test.c (main): Added command line option + -nocache to run the test with strings that are too large for + the STRXFRM cache. + 2015-02-16 Kostya Serebryany Roland McGrath diff --git a/NEWS b/NEWS index 9bc835c4d1..f5788058bd 100644 --- a/NEWS +++ b/NEWS @@ -9,7 +9,7 @@ Version 2.20.1 * The following bugs are resolved with this release: - 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630. + 16009, 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630. * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for diff --git a/localedata/sort-test.sh b/localedata/sort-test.sh index e37129a032..3cb57fb45c 100644 --- a/localedata/sort-test.sh +++ b/localedata/sort-test.sh 
@@ -53,11 +53,18 @@ for l in $lang; do ${common_objpfx}localedata/xfrm-test $id < $cns.in \ > ${common_objpfx}localedata/$cns.xout || here=1 cmp -s $cns.in ${common_objpfx}localedata/$cns.xout || here=1 + ${test_program_prefix_before_env} \ + ${run_program_env} \ + LC_ALL=$l ${test_program_prefix_after_env} \ + ${common_objpfx}localedata/xfrm-test $id -nocache < $cns.in \ + > ${common_objpfx}localedata/$cns.nocache.xout || here=1 + cmp -s $cns.in ${common_objpfx}localedata/$cns.nocache.xout || here=1 if test $here -eq 0; then echo "$l xfrm-test OK" else echo "$l xfrm-test FAIL" diff -u $cns.in ${common_objpfx}localedata/$cns.xout | sed 's/^/ /' + diff -u $cns.in ${common_objpfx}localedata/$cns.nocache.xout | sed 's/^/ /' status=1 fi done diff --git a/localedata/xfrm-test.c b/localedata/xfrm-test.c index d2aba7d26e..5cf29f60c9 100644 --- a/localedata/xfrm-test.c +++ b/localedata/xfrm-test.c @@ -23,7 +23,10 @@ #include #include #include +#include +/* Keep in sync with string/strxfrm_l.c. */ +#define SMALL_STR_SIZE 4095 struct lines { @@ -37,6 +40,7 @@ int main (int argc, char *argv[]) { int result = 0; + bool nocache = false; size_t nstrings, nstrings_max; struct lines *strings; char *line = NULL; @@ -44,7 +48,18 @@ main (int argc, char *argv[]) size_t n; if (argc < 2) - error (1, 0, "usage: %s ", argv[0]); + error (1, 0, "usage: %s [-nocache]", argv[0]); + + if (argc == 3) + { + if (strcmp (argv[2], "-nocache") == 0) + nocache = true; + else + { + printf ("Unknown option %s!\n", argv[2]); + exit (1); + } + } setlocale (LC_ALL, ""); @@ -59,9 +74,9 @@ main (int argc, char *argv[]) while (1) { - char saved, *newp; - int needed; - int l; + char saved, *word, *newp; + size_t l, line_len, needed; + if (getline (&line, &len, stdin) < 0) break; 
@@ -83,10 +98,35 @@ main (int argc, char *argv[]) saved = line[l]; line[l] = '\0'; - needed = strxfrm (NULL, line, 0); + + if (nocache) + { + line_len = strlen (line); + word = malloc (line_len + SMALL_STR_SIZE + 1); + if (word == NULL) + { + printf ("malloc failed: %m\n"); + exit (1); + } + memset (word, ' ', SMALL_STR_SIZE); + memcpy (word + SMALL_STR_SIZE, line, line_len); + word[line_len + SMALL_STR_SIZE] = '\0'; + } + else + word = line; + + needed = strxfrm (NULL, word, 0); newp = malloc (needed + 1); - strxfrm (newp, line, needed + 1); + if (newp == NULL) + { + printf ("malloc failed: %m\n"); + exit (1); + } + strxfrm (newp, word, needed + 1); strings[nstrings].xfrm = newp; + + if (nocache) + free (word); line[l] = saved; ++nstrings; } diff --git a/string/strxfrm_l.c b/string/strxfrm_l.c index 2d3f1bd5fc..95ffd6fdf1 100644 --- a/string/strxfrm_l.c +++ b/string/strxfrm_l.c @@ -40,9 +40,24 @@ #define CONCAT(a,b) CONCAT1(a,b) #define CONCAT1(a,b) a##b +/* Maximum string size that is calculated with cached indices. Right now this + is an arbitrary value open to optimizations. SMALL_STR_SIZE * 4 has to be + lower than __MAX_ALLOCA_CUTOFF. Keep localedata/xfrm-test.c in sync. */ +#define SMALL_STR_SIZE 4095 + #include "../locale/localeinfo.h" #include WEIGHT_H +/* Group locale data for shorter parameter lists. */ +typedef struct +{ + uint_fast32_t nrules; + unsigned char *rulesets; + USTRING_TYPE *weights; + int32_t *table; + USTRING_TYPE *extra; + int32_t *indirect; +} locale_data_t; #ifndef WIDE_CHAR_VERSION 
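Review bot: `locale_data_t` declares all of its pointer members non-const (`unsigned char *rulesets`, `USTRING_TYPE *weights`, `int32_t *table`, `USTRING_TYPE *extra`, `int32_t *indirect`), which is what forces STRXFRM in the last hunk of this file to cast `const` away from `current->values[...].string` (`l_data.rulesets = (unsigned char *) ...`), whereas the code being replaced kept these as `const` locals. The locale arrays are read-only data, so the qualifiers should survive the refactor: `const unsigned char *rulesets;`, `const USTRING_TYPE *weights;`, `const int32_t *table;` and likewise for `extra` and `indirect`, with the casts in STRXFRM and the copies at the top of `do_xfrm_cached` adjusted to match. That keeps an accidental write through one of these pointers a compile error rather than a runtime fault on read-only locale data, and the comment `/* Group locale data for shorter parameter lists. */` could add that the struct is a non-owning view of the LC_COLLATE data.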
@@ -81,113 +96,325 @@ utf8_encode (char *buf, int val) } #endif +/* Find next weight and rule index. Inlined since called for every char. */ +static __always_inline size_t +find_idx (const USTRING_TYPE **us, int32_t *weight_idx, + unsigned char *rule_idx, const locale_data_t *l_data, const int pass) +{ + int32_t tmp = findidx (l_data->table, l_data->indirect, l_data->extra, us, + -1); + *rule_idx = tmp >> 24; + int32_t idx = tmp & 0xffffff; + size_t len = l_data->weights[idx++]; + + /* Skip over indices of previous levels. */ + for (int i = 0; i < pass; i++) + { + idx += len; + len = l_data->weights[idx++]; + } -size_t -STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l) + *weight_idx = idx; + return len; +} + +static int +find_position (const USTRING_TYPE *us, const locale_data_t *l_data, + const int pass) { - struct __locale_data *current = l->__locales[LC_COLLATE]; - uint_fast32_t nrules = current->values[_NL_ITEM_INDEX (_NL_COLLATE_NRULES)].word; - /* We don't assign the following values right away since it might be - unnecessary in case there are no rules. */ - const unsigned char *rulesets; - const int32_t *table; - const USTRING_TYPE *weights; - const USTRING_TYPE *extra; - const int32_t *indirect; + int32_t weight_idx; + unsigned char rule_idx; + const USTRING_TYPE *usrc = us; + + find_idx (&usrc, &weight_idx, &rule_idx, l_data, pass); + return l_data->rulesets[rule_idx * l_data->nrules + pass] & sort_position; +} + +/* Do the transformation. */ +static size_t +do_xfrm (const USTRING_TYPE *usrc, STRING_TYPE *dest, size_t n, + const locale_data_t *l_data) +{ + int32_t weight_idx; + unsigned char rule_idx; uint_fast32_t pass; - size_t needed; + size_t needed = 0; size_t last_needed; - const USTRING_TYPE *usrc; - size_t srclen = STRLEN (src); - int32_t *idxarr; - unsigned char *rulearr; - size_t idxmax; - size_t idxcnt; - int use_malloc; - if (nrules == 0) + /* Now the passes over the weights. 
*/ + for (pass = 0; pass < l_data->nrules; ++pass) { - if (n != 0) - STPNCPY (dest, src, MIN (srclen + 1, n)); + size_t backw_len = 0; + last_needed = needed; + const USTRING_TYPE *cur = usrc; + const USTRING_TYPE *backw_start = NULL; - return srclen; - } + /* We assume that if a rule has defined `position' in one section + this is true for all of them. */ + int position = find_position (cur, l_data, pass); - rulesets = (const unsigned char *) - current->values[_NL_ITEM_INDEX (_NL_COLLATE_RULESETS)].string; - table = (const int32_t *) - current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_TABLE,SUFFIX))].string; - weights = (const USTRING_TYPE *) - current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_WEIGHT,SUFFIX))].string; - extra = (const USTRING_TYPE *) - current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_EXTRA,SUFFIX))].string; - indirect = (const int32_t *) - current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_INDIRECT,SUFFIX))].string; - use_malloc = 0; + if (position == 0) + { + while (*cur != L('\0')) + { + const USTRING_TYPE *pos = cur; + size_t len = find_idx (&cur, &weight_idx, &rule_idx, l_data, + pass); + int rule = l_data->rulesets[rule_idx * l_data->nrules + pass]; - assert (((uintptr_t) table) % __alignof__ (table[0]) == 0); - assert (((uintptr_t) weights) % __alignof__ (weights[0]) == 0); - assert (((uintptr_t) extra) % __alignof__ (extra[0]) == 0); - assert (((uintptr_t) indirect) % __alignof__ (indirect[0]) == 0); + if ((rule & sort_forward) != 0) + { + /* Handle the pushed backward sequence. */ + if (backw_start != NULL) + { + for (size_t i = backw_len; i > 0; ) + { + int32_t weight_idx; + unsigned char rule_idx; + size_t len = find_idx (&backw_start, &weight_idx, + &rule_idx, l_data, pass); + if (needed + i < n) + for (size_t j = len; j > 0; j--) + dest[needed + i - j] = + l_data->weights[weight_idx++]; + + i -= len; + } - /* Handle an empty string as a special case. 
*/ - if (srclen == 0) - { - if (n != 0) - *dest = L('\0'); - return 0; - } + needed += backw_len; + backw_start = NULL; + backw_len = 0; + } - /* We need the elements of the string as unsigned values since they - are used as indeces. */ - usrc = (const USTRING_TYPE *) src; - - /* Perform the first pass over the string and while doing this find - and store the weights for each character. Since we want this to - be as fast as possible we are using `alloca' to store the temporary - values. But since there is no limit on the length of the string - we have to use `malloc' if the string is too long. We should be - very conservative here. */ - if (! __libc_use_alloca ((srclen + 1) * (sizeof (int32_t) + 1))) - { - idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1)); - rulearr = (unsigned char *) &idxarr[srclen]; - - if (idxarr == NULL) - /* No memory. Well, go with the stack then. - - XXX Once this implementation is stable we will handle this - differently. Instead of precomputing the indeces we will - do this in time. This means, though, that this happens for - every pass again. */ - goto try_stack; - use_malloc = 1; - } - else - { - try_stack: - idxarr = (int32_t *) alloca (srclen * sizeof (int32_t)); - rulearr = (unsigned char *) alloca (srclen + 1); + /* Now handle the forward element. */ + if (needed + len < n) + while (len-- > 0) + dest[needed++] = l_data->weights[weight_idx++]; + else + /* No more characters fit into the buffer. */ + needed += len; + } + else + { + /* Remember start of the backward sequence & track length. */ + if (backw_start == NULL) + backw_start = pos; + backw_len += len; + } + } + + + /* Handle the pushed backward sequence. 
*/ + if (backw_start != NULL) + { + for (size_t i = backw_len; i > 0; ) + { + size_t len = find_idx (&backw_start, &weight_idx, &rule_idx, + l_data, pass); + if (needed + i < n) + for (size_t j = len; j > 0; j--) + dest[needed + i - j] = + l_data->weights[weight_idx++]; + + i -= len; + } + + needed += backw_len; + } + } + else + { + int val = 1; +#ifndef WIDE_CHAR_VERSION + char buf[7]; + size_t buflen; +#endif + size_t i; + + while (*cur != L('\0')) + { + const USTRING_TYPE *pos = cur; + size_t len = find_idx (&cur, &weight_idx, &rule_idx, l_data, + pass); + int rule = l_data->rulesets[rule_idx * l_data->nrules + pass]; + + if ((rule & sort_forward) != 0) + { + /* Handle the pushed backward sequence. */ + if (backw_start != NULL) + { + for (size_t p = backw_len; p > 0; p--) + { + size_t len; + int32_t weight_idx; + unsigned char rule_idx; + const USTRING_TYPE *backw_cur = backw_start; + + /* To prevent a warning init the used vars. */ + len = find_idx (&backw_cur, &weight_idx, + &rule_idx, l_data, pass); + + for (i = 1; i < p; i++) + len = find_idx (&backw_cur, &weight_idx, + &rule_idx, l_data, pass); + + if (len != 0) + { +#ifdef WIDE_CHAR_VERSION + if (needed + 1 + len < n) + { + dest[needed] = val; + for (i = 0; i < len; ++i) + dest[needed + 1 + i] = + l_data->weights[weight_idx + i]; + } + needed += 1 + len; +#else + buflen = utf8_encode (buf, val); + if (needed + buflen + len < n) + { + for (i = 0; i < buflen; ++i) + dest[needed + i] = buf[i]; + for (i = 0; i < len; ++i) + dest[needed + buflen + i] = + l_data->weights[weight_idx + i]; + } + needed += buflen + len; +#endif + val = 1; + } + else + ++val; + } + + backw_start = NULL; + backw_len = 0; + } + + /* Now handle the forward element. 
*/ + if (len != 0) + { +#ifdef WIDE_CHAR_VERSION + if (needed + 1 + len < n) + { + dest[needed] = val; + for (i = 0; i < len; ++i) + dest[needed + 1 + i] = + l_data->weights[weight_idx + i]; + } + needed += 1 + len; +#else + buflen = utf8_encode (buf, val); + if (needed + buflen + len < n) + { + for (i = 0; i < buflen; ++i) + dest[needed + i] = buf[i]; + for (i = 0; i < len; ++i) + dest[needed + buflen + i] = + l_data->weights[weight_idx + i]; + } + needed += buflen + len; +#endif + val = 1; + } + else + ++val; + } + else + { + /* Remember start of the backward sequence & track length. */ + if (backw_start == NULL) + backw_start = pos; + backw_len++; + } + } + + /* Handle the pushed backward sequence. */ + if (backw_start != NULL) + { + for (size_t p = backw_len; p > 0; p--) + { + size_t len; + int32_t weight_idx; + unsigned char rule_idx; + const USTRING_TYPE *backw_cur = backw_start; + + /* To prevent a warning init the used vars. */ + len = find_idx (&backw_cur, &weight_idx, + &rule_idx, l_data, pass); + + for (i = 1; i < p; i++) + len = find_idx (&backw_cur, &weight_idx, + &rule_idx, l_data, pass); + + if (len != 0) + { +#ifdef WIDE_CHAR_VERSION + if (needed + 1 + len < n) + { + dest[needed] = val; + for (i = 0; i < len; ++i) + dest[needed + 1 + i] = + l_data->weights[weight_idx + i]; + } + needed += 1 + len; +#else + buflen = utf8_encode (buf, val); + if (needed + buflen + len < n) + { + for (i = 0; i < buflen; ++i) + dest[needed + i] = buf[i]; + for (i = 0; i < len; ++i) + dest[needed + buflen + i] = + l_data->weights[weight_idx + i]; + } + needed += buflen + len; +#endif + val = 1; + } + else + ++val; + } + } + } + + /* Finally store the byte to separate the passes or terminate + the string. */ + if (needed < n) + dest[needed] = pass + 1 < l_data->nrules ? 
L('\1') : L('\0'); + ++needed; } - idxmax = 0; - do + /* This is a little optimization: many collation specifications have + a `position' rule at the end and if no non-ignored character + is found the last \1 byte is immediately followed by a \0 byte + signalling this. We can avoid the \1 byte(s). */ + if (needed > 2 && needed == last_needed + 1) { - int32_t tmp = findidx (table, indirect, extra, &usrc, -1); - rulearr[idxmax] = tmp >> 24; - idxarr[idxmax] = tmp & 0xffffff; - - ++idxmax; + /* Remove the \1 byte. */ + if (--needed <= n) + dest[needed - 1] = L('\0'); } - while (*usrc != L('\0')); - /* This element is only read, the value never used but to determine - another value which then is ignored. */ - rulearr[idxmax] = '\0'; + /* Return the number of bytes/words we need, but don't count the NUL + byte/word at the end. */ + return needed - 1; +} + +/* Do the transformation using weight-index and rule cache. */ +static size_t +do_xfrm_cached (STRING_TYPE *dest, size_t n, const locale_data_t *l_data, + size_t idxmax, int32_t *idxarr, const unsigned char *rulearr) +{ + uint_fast32_t nrules = l_data->nrules; + unsigned char *rulesets = l_data->rulesets; + USTRING_TYPE *weights = l_data->weights; + uint_fast32_t pass; + size_t needed = 0; + size_t last_needed; + size_t idxcnt; - /* Now the passes over the weights. We now use the indeces we found - before. */ - needed = 0; + /* Now the passes over the weights. */ for (pass = 0; pass < nrules; ++pass) { size_t backw_stop = ~0ul; 
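Review bot: In `do_xfrm`'s `position != 0` branch the pushed backward sequence is flushed with `for (size_t p = backw_len; p > 0; p--)` and, for each `p`, `find_idx` is re-run from `backw_start` `p` times (`for (i = 1; i < p; i++) len = find_idx (&backw_cur, ...)`) to reach the element, so a backward run of k elements costs O(k²) `findidx` calls per pass; both copies of that loop, mid-string and end-of-string, have this shape. The `position == 0` branch walks the run once with a single descending index, and the cached path indexes `idxarr` directly, so only this branch has the blow-up, and since `do_xfrm` is reached only for inputs longer than SMALL_STR_SIZE elements, a long backward run in a locale whose rules combine backward order with `position` would make strxfrm markedly slower than the cached path on the same text. At minimum a comment should state the quadratic cost and why it was accepted; otherwise walk the run once and buffer the (`weight_idx`, `len`) pairs on the stack up to a fixed bound. Separately, the two inner loops redeclare `len`, `weight_idx` and `rule_idx`, shadowing the outer variables of the same names, which -Wshadow flags; `backw_len_cur`/`backw_weight_idx` or similar would read clearer. The hunk starts at the `find_idx` definition above and ends here, in `do_xfrm_cached`.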
@@ -433,14 +660,87 @@ STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l) dest[needed - 1] = L('\0'); } - /* Free the memory if needed. */ - if (use_malloc) - free (idxarr); - /* Return the number of bytes/words we need, but don't count the NUL byte/word at the end. */ return needed - 1; } + +size_t +STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l) +{ + locale_data_t l_data; + struct __locale_data *current = l->__locales[LC_COLLATE]; + l_data.nrules = current->values[_NL_ITEM_INDEX (_NL_COLLATE_NRULES)].word; + + /* Handle byte comparison case. */ + if (l_data.nrules == 0) + { + size_t srclen = STRLEN (src); + + if (n != 0) + STPNCPY (dest, src, MIN (srclen + 1, n)); + + return srclen; + } + + /* Handle an empty string, code hereafter relies on strlen (src) > 0. */ + if (*src == L('\0')) + { + if (n != 0) + *dest = L('\0'); + return 0; + } + + /* Get the locale data. */ + l_data.rulesets = (unsigned char *) + current->values[_NL_ITEM_INDEX (_NL_COLLATE_RULESETS)].string; + l_data.table = (int32_t *) + current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_TABLE,SUFFIX))].string; + l_data.weights = (USTRING_TYPE *) + current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_WEIGHT,SUFFIX))].string; + l_data.extra = (USTRING_TYPE *) + current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_EXTRA,SUFFIX))].string; + l_data.indirect = (int32_t *) + current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_INDIRECT,SUFFIX))].string; + + assert (((uintptr_t) l_data.table) % __alignof__ (l_data.table[0]) == 0); + assert (((uintptr_t) l_data.weights) % __alignof__ (l_data.weights[0]) == 0); + assert (((uintptr_t) l_data.extra) % __alignof__ (l_data.extra[0]) == 0); + assert (((uintptr_t) l_data.indirect) % __alignof__ (l_data.indirect[0]) == 0); + + /* We need the elements of the string as unsigned values since they + are used as indeces. 
*/ + const USTRING_TYPE *usrc = (const USTRING_TYPE *) src; + + /* Allocate cache for small strings on the stack and fill it with weight and + rule indices. If the cache size is not sufficient, continue with the + uncached xfrm version. */ + size_t idxmax = 0; + const USTRING_TYPE *cur = usrc; + int32_t *idxarr = alloca (SMALL_STR_SIZE * sizeof (int32_t)); + unsigned char *rulearr = alloca (SMALL_STR_SIZE + 1); + + do + { + int32_t tmp = findidx (l_data.table, l_data.indirect, l_data.extra, &cur, + -1); + rulearr[idxmax] = tmp >> 24; + idxarr[idxmax] = tmp & 0xffffff; + + ++idxmax; + } + while (*cur != L('\0') && idxmax < SMALL_STR_SIZE); + + /* This element is only read, the value never used but to determine + another value which then is ignored. */ + rulearr[idxmax] = '\0'; + + /* Do the transformation. */ + if (*cur == L('\0')) + return do_xfrm_cached (dest, n, &l_data, idxmax, idxarr, rulearr); + else + return do_xfrm (usrc, dest, n, &l_data); +} libc_hidden_def (STRXFRM) #ifndef WIDE_CHAR_VERSION -- cgit 1.4.1 From 1bf9d48aec087062e2a14b77cb5ee1fa81be334c Mon Sep 17 00:00:00 2001 
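Review bot: The two `alloca` calls in STRXFRM reserve `SMALL_STR_SIZE * sizeof (int32_t)` plus `SMALL_STR_SIZE + 1` bytes on every call, about 5 × SMALL_STR_SIZE, while the comment introduced with `#define SMALL_STR_SIZE` earlier in this file says only that `SMALL_STR_SIZE * 4 has to be lower than __MAX_ALLOCA_CUTOFF`, and nothing enforces either figure. Since removing input-dependent stack usage is the whole point of BZ #16009, the bound should be part of the build rather than a comment, e.g. `#if SMALL_STR_SIZE * 5 + 1 >= __MAX_ALLOCA_CUTOFF` / `# error SMALL_STR_SIZE too large for alloca` next to the define (assuming `__MAX_ALLOCA_CUTOFF` is a plain integer macro usable in `#if`; if not, a static assertion at the alloca site), and the `* 4` in the comment corrected to the real total. The `rulearr` sizing also deserves a line: the fill loop stops at `idxmax < SMALL_STR_SIZE`, so the sentinel store `rulearr[idxmax] = '\0';` can write index SMALL_STR_SIZE, which is exactly why that buffer is `SMALL_STR_SIZE + 1` while `idxarr` is not; `/* +1: the sentinel at rulearr[idxmax] may land at index SMALL_STR_SIZE. */` would stop someone "fixing" the asymmetry.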
From: "H.J. Lu" Date: Fri, 30 Jan 2015 06:50:20 -0800 Subject: Use AVX unaligned memcpy only if AVX2 is available memcpy with unaligned 256-bit AVX register loads/stores are slow on older processorsl like Sandy Bridge. This patch adds bit_AVX_Fast_Unaligned_Load and sets it only when AVX2 is available. [BZ #17801] * sysdeps/x86_64/multiarch/init-arch.c (__init_cpu_features): Set the bit_AVX_Fast_Unaligned_Load bit for AVX2. * sysdeps/x86_64/multiarch/init-arch.h (bit_AVX_Fast_Unaligned_Load): New. (index_AVX_Fast_Unaligned_Load): Likewise. (HAS_AVX_FAST_UNALIGNED_LOAD): Likewise. * sysdeps/x86_64/multiarch/memcpy.S (__new_memcpy): Check the bit_AVX_Fast_Unaligned_Load bit instead of the bit_AVX_Usable bit. * sysdeps/x86_64/multiarch/memcpy_chk.S (__memcpy_chk): Likewise. * sysdeps/x86_64/multiarch/mempcpy.S (__mempcpy): Likewise. * sysdeps/x86_64/multiarch/mempcpy_chk.S (__mempcpy_chk): Likewise. * sysdeps/x86_64/multiarch/memmove.c (__libc_memmove): Replace HAS_AVX with HAS_AVX_FAST_UNALIGNED_LOAD. * sysdeps/x86_64/multiarch/memmove_chk.c (__memmove_chk): Likewise. (cherry picked from commit 5f3d0b78e011d2a72f9e88b0e9ef5bc081d18f97) Conflicts: ChangeLog NEWS --- ChangeLog | 18 ++++++++++++++++++ NEWS | 3 ++- sysdeps/x86_64/multiarch/init-arch.c | 9 +++++++-- sysdeps/x86_64/multiarch/init-arch.h | 4 ++++ sysdeps/x86_64/multiarch/memcpy.S | 2 +- sysdeps/x86_64/multiarch/memcpy_chk.S | 2 +- sysdeps/x86_64/multiarch/memmove.c | 2 +- sysdeps/x86_64/multiarch/memmove_chk.c | 2 +- sysdeps/x86_64/multiarch/mempcpy.S | 2 +- sysdeps/x86_64/multiarch/mempcpy_chk.S | 2 +- 10 files changed, 37 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7a2e6c9884..a6461e6821 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,21 @@ +2015-02-16 H.J. Lu + + [BZ #17801] + * sysdeps/x86_64/multiarch/init-arch.c (__init_cpu_features): + Set the bit_AVX_Fast_Unaligned_Load bit for AVX2. + * sysdeps/x86_64/multiarch/init-arch.h (bit_AVX_Fast_Unaligned_Load): + New. + (index_AVX_Fast_Unaligned_Load): Likewise. + (HAS_AVX_FAST_UNALIGNED_LOAD): Likewise. + * sysdeps/x86_64/multiarch/memcpy.S (__new_memcpy): Check the + bit_AVX_Fast_Unaligned_Load bit instead of the bit_AVX_Usable bit. + * sysdeps/x86_64/multiarch/memcpy_chk.S (__memcpy_chk): Likewise. + * sysdeps/x86_64/multiarch/mempcpy.S (__mempcpy): Likewise. + * sysdeps/x86_64/multiarch/mempcpy_chk.S (__mempcpy_chk): Likewise. + * sysdeps/x86_64/multiarch/memmove.c (__libc_memmove): Replace + HAS_AVX with HAS_AVX_FAST_UNALIGNED_LOAD. + * sysdeps/x86_64/multiarch/memmove_chk.c (__memmove_chk): Likewise. + 2015-02-16 Leonhard Holz [BZ #16009] diff --git a/NEWS b/NEWS index f5788058bd..0eb3fb3e7f 100644 --- a/NEWS +++ b/NEWS @@ -9,7 +9,8 @@ Version 2.20.1 * The following bugs are resolved with this release: - 16009, 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630. + 16009, 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630, + 17801. * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for diff --git a/sysdeps/x86_64/multiarch/init-arch.c b/sysdeps/x86_64/multiarch/init-arch.c index 2a6dcb78d8..f7c1bbe0db 100644 --- a/sysdeps/x86_64/multiarch/init-arch.c +++ b/sysdeps/x86_64/multiarch/init-arch.c 
@@ -167,9 +167,14 @@ __init_cpu_features (void)
 /* Determine if AVX is usable. */
 if (CPUID_AVX)
 __cpu_features.feature[index_AVX_Usable] |= bit_AVX_Usable;
- /* Determine if AVX2 is usable. */
+#if index_AVX2_Usable != index_AVX_Fast_Unaligned_Load
+# error index_AVX2_Usable != index_AVX_Fast_Unaligned_Load
+#endif
+ /* Determine if AVX2 is usable. Unaligned load with 256-bit
+ AVX registers are faster on processors with AVX2. */
 if (CPUID_AVX2)
- __cpu_features.feature[index_AVX2_Usable] |= bit_AVX2_Usable;
+ __cpu_features.feature[index_AVX2_Usable]
+ |= bit_AVX2_Usable | bit_AVX_Fast_Unaligned_Load;
 /* Determine if FMA is usable. */
 if (CPUID_FMA)
 __cpu_features.feature[index_FMA_Usable] |= bit_FMA_Usable;
diff --git a/sysdeps/x86_64/multiarch/init-arch.h b/sysdeps/x86_64/multiarch/init-arch.h
index ef0abbd226..2fc7c7ceec 100644
--- a/sysdeps/x86_64/multiarch/init-arch.h
+++ b/sysdeps/x86_64/multiarch/init-arch.h
@@ -25,6 +25,7 @@
 #define bit_FMA4_Usable (1 << 8)
 #define bit_Slow_SSE4_2 (1 << 9)
 #define bit_AVX2_Usable (1 << 10)
+#define bit_AVX_Fast_Unaligned_Load (1 << 11)
 /* CPUID Feature flags. */
@@ -74,6 +75,7 @@
 # define index_FMA4_Usable FEATURE_INDEX_1*FEATURE_SIZE
 # define index_Slow_SSE4_2 FEATURE_INDEX_1*FEATURE_SIZE
 # define index_AVX2_Usable FEATURE_INDEX_1*FEATURE_SIZE
+# define index_AVX_Fast_Unaligned_Load FEATURE_INDEX_1*FEATURE_SIZE
 #else /* __ASSEMBLER__ */
@@ -169,6 +171,7 @@ extern const struct cpu_features *__get_cpu_features (void)
 # define index_FMA4_Usable FEATURE_INDEX_1
 # define index_Slow_SSE4_2 FEATURE_INDEX_1
 # define index_AVX2_Usable FEATURE_INDEX_1
+# define index_AVX_Fast_Unaligned_Load FEATURE_INDEX_1
 # define HAS_ARCH_FEATURE(name) \
 ((__get_cpu_features ()->feature[index_##name] & (bit_##name)) != 0)
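Review bot: `bit_AVX_Fast_Unaligned_Load` is set from the AVX2 CPUID result alone, so the name promises a performance property that the code only infers by proxy, and the new comment should say so rather than just asserting the correlation; something like `/* AVX2 is used as a proxy for fast unaligned 256-bit loads; older AVX-only cores such as Sandy Bridge are slow at them.  */` tells a future maintainer why the bit exists and what to revisit if a later core breaks the correlation. The `#if index_AVX2_Usable != index_AVX_Fast_Unaligned_Load` / `# error` guard is the right protection for the combined `|=`. One thing the hunk does not show is whether this `if (CPUID_AVX2)` sits inside the block that checks OS support for YMM state: the memcpy, memcpy_chk, mempcpy and memmove selectors in the following hunks now dispatch to the AVX code paths on this bit alone, so it must only ever be set where `bit_AVX_Usable` would also be set, which the adjacent context suggests but does not prove.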
@@ -181,5 +184,6 @@ extern const struct cpu_features *__get_cpu_features (void) # define HAS_AVX2 HAS_ARCH_FEATURE (AVX2_Usable) # define HAS_FMA HAS_ARCH_FEATURE (FMA_Usable) # define HAS_FMA4 HAS_ARCH_FEATURE (FMA4_Usable) +# define HAS_AVX_FAST_UNALIGNED_LOAD HAS_ARCH_FEATURE (AVX_Fast_Unaligned_Load) #endif /* __ASSEMBLER__ */ diff --git a/sysdeps/x86_64/multiarch/memcpy.S b/sysdeps/x86_64/multiarch/memcpy.S index e666695407..10bbd39631 100644 --- a/sysdeps/x86_64/multiarch/memcpy.S +++ b/sysdeps/x86_64/multiarch/memcpy.S @@ -33,7 +33,7 @@ ENTRY(__new_memcpy) jne 1f call __init_cpu_features 1: leaq __memcpy_avx_unaligned(%rip), %rax - testl $bit_AVX_Usable, __cpu_features+FEATURE_OFFSET+index_AVX_Usable(%rip) + testl $bit_AVX_Fast_Unaligned_Load, __cpu_features+FEATURE_OFFSET+index_AVX_Fast_Unaligned_Load(%rip) jz 1f ret 1: leaq __memcpy_sse2(%rip), %rax diff --git a/sysdeps/x86_64/multiarch/memcpy_chk.S b/sysdeps/x86_64/multiarch/memcpy_chk.S index 076b19a9ea..30cca20330 100644 --- a/sysdeps/x86_64/multiarch/memcpy_chk.S +++ b/sysdeps/x86_64/multiarch/memcpy_chk.S @@ -39,7 +39,7 @@ ENTRY(__memcpy_chk) testl $bit_Fast_Copy_Backward, __cpu_features+FEATURE_OFFSET+index_Fast_Copy_Backward(%rip) jz 2f leaq __memcpy_chk_ssse3_back(%rip), %rax - testl $bit_AVX_Usable, __cpu_features+FEATURE_OFFSET+index_AVX_Usable(%rip) + testl $bit_AVX_Fast_Unaligned_Load, __cpu_features+FEATURE_OFFSET+index_AVX_Fast_Unaligned_Load(%rip) jz 2f leaq __memcpy_chk_avx_unaligned(%rip), %rax 2: ret diff --git a/sysdeps/x86_64/multiarch/memmove.c b/sysdeps/x86_64/multiarch/memmove.c index 0c9af7e4df..2c86a4a476 100644 --- a/sysdeps/x86_64/multiarch/memmove.c +++ b/sysdeps/x86_64/multiarch/memmove.c 
@@ -49,7 +49,7 @@ extern __typeof (__redirect_memmove) __memmove_avx_unaligned attribute_hidden; ifunc symbol properly. */ extern __typeof (__redirect_memmove) __libc_memmove; libc_ifunc (__libc_memmove, - HAS_AVX + HAS_AVX_FAST_UNALIGNED_LOAD ? __memmove_avx_unaligned : (HAS_SSSE3 ? (HAS_FAST_COPY_BACKWARD diff --git a/sysdeps/x86_64/multiarch/memmove_chk.c b/sysdeps/x86_64/multiarch/memmove_chk.c index 44344f2820..5ffcaecce4 100644 --- a/sysdeps/x86_64/multiarch/memmove_chk.c +++ b/sysdeps/x86_64/multiarch/memmove_chk.c @@ -30,7 +30,7 @@ extern __typeof (__memmove_chk) __memmove_chk_avx_unaligned attribute_hidden; #include "debug/memmove_chk.c" libc_ifunc (__memmove_chk, - HAS_AVX ? __memmove_chk_avx_unaligned : + HAS_AVX_FAST_UNALIGNED_LOAD ? __memmove_chk_avx_unaligned : (HAS_SSSE3 ? (HAS_FAST_COPY_BACKWARD ? __memmove_chk_ssse3_back : __memmove_chk_ssse3) diff --git a/sysdeps/x86_64/multiarch/mempcpy.S b/sysdeps/x86_64/multiarch/mempcpy.S index 7589d8c1ec..e205ef5557 100644 --- a/sysdeps/x86_64/multiarch/mempcpy.S +++ b/sysdeps/x86_64/multiarch/mempcpy.S @@ -37,7 +37,7 @@ ENTRY(__mempcpy) testl $bit_Fast_Copy_Backward, __cpu_features+FEATURE_OFFSET+index_Fast_Copy_Backward(%rip) jz 2f leaq __mempcpy_ssse3_back(%rip), %rax - testl $bit_AVX_Usable, __cpu_features+FEATURE_OFFSET+index_AVX_Usable(%rip) + testl $bit_AVX_Fast_Unaligned_Load, __cpu_features+FEATURE_OFFSET+index_AVX_Fast_Unaligned_Load(%rip) jz 2f leaq __mempcpy_avx_unaligned(%rip), %rax 2: ret diff --git a/sysdeps/x86_64/multiarch/mempcpy_chk.S b/sysdeps/x86_64/multiarch/mempcpy_chk.S index 88e0b74e83..dd777dfa48 100644 --- a/sysdeps/x86_64/multiarch/mempcpy_chk.S +++ b/sysdeps/x86_64/multiarch/mempcpy_chk.S 
@@ -39,7 +39,7 @@ ENTRY(__mempcpy_chk) testl $bit_Fast_Copy_Backward, __cpu_features+FEATURE_OFFSET+index_Fast_Copy_Backward(%rip) jz 2f leaq __mempcpy_chk_ssse3_back(%rip), %rax - testl $bit_AVX_Usable, __cpu_features+FEATURE_OFFSET+index_AVX_Usable(%rip) + testl $bit_AVX_Fast_Unaligned_Load, __cpu_features+FEATURE_OFFSET+index_AVX_Fast_Unaligned_Load(%rip) jz 2f leaq __mempcpy_chk_avx_unaligned(%rip), %rax 2: ret -- cgit 1.4.1 From 4d54424420c6300efbf57a7b9aa8635a8b8c1942 Mon Sep 17 00:00:00 2001 From: Paul Pluzhnikov Date: Fri, 6 Feb 2015 00:30:42 -0500 Subject: CVE-2015-1472: wscanf allocates too little memory BZ #16618 Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer. The implementation now correctly computes the required buffer size when using malloc. A regression test was added to tst-sscanf. (cherry picked from commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06) Conflicts: ChangeLog NEWS --- ChangeLog | 8 ++++++++ NEWS | 9 +++++++-- stdio-common/tst-sscanf.c | 33 +++++++++++++++++++++++++++++++++ stdio-common/vfscanf.c | 12 ++++++------ 4 files changed, 54 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index a6461e6821..ccce486c9d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2015-02-16 Paul Pluzhnikov + + [BZ #16618] + * stdio-common/tst-sscanf.c (main): Test for buffer overflow. + * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed + size in bytes. Store needed elements in wpmax. Use needed size + in bytes for extend_alloca. + 2015-02-16 H.J. Lu [BZ #17801] diff --git a/NEWS b/NEWS index 0eb3fb3e7f..976f2ea023 100644 --- a/NEWS +++ b/NEWS 
@@ -9,8 +9,13 @@ Version 2.20.1 * The following bugs are resolved with this release: - 16009, 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630, - 17801. + 16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625, + 17630, 17801. + +* CVE-2015-1472 Under certain conditions wscanf can allocate too little + memory for the to-be-scanned arguments and overflow the allocated + buffer. The implementation now correctly computes the required buffer + size when using malloc. * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c index 9fef93a535..6394fe1ccc 100644 --- a/stdio-common/tst-sscanf.c +++ b/stdio-common/tst-sscanf.c @@ -233,5 +233,38 @@ main (void) } } + /* BZ #16618 + The test will segfault during SSCANF if the buffer overflow + is not fixed. The size of `s` is such that it forces the use + of malloc internally and this triggers the incorrect computation. + Thus the value for SIZE is arbitrariy high enough that malloc + is used. */ + { +#define SIZE 131072 + CHAR *s = malloc ((SIZE + 1) * sizeof (*s)); + if (s == NULL) + abort (); + for (size_t i = 0; i < SIZE; i++) + s[i] = L('0'); + s[SIZE] = L('\0'); + int i = 42; + /* Scan multi-digit zero into `i`. */ + if (SSCANF (s, L("%d"), &i) != 1) + { + printf ("FAIL: bug16618: SSCANF did not read one input item.\n"); + result = 1; + } + if (i != 0) + { + printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n"); + result = 1; + } + free (s); + if (result != 1) + printf ("PASS: bug16618: Did not crash.\n"); +#undef SIZE + } + + return result; } diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c index e0d224530c..a4f06b44e5 100644 --- a/stdio-common/vfscanf.c +++ b/stdio-common/vfscanf.c 
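Review bot: The comment on the new tst-sscanf.c block does not say that the overflow it guards against only appears when CHAR is wider than one byte, which, given the `CHAR`/`L()`/`SSCANF` macros, is presumably the wide-character build of this file; in the narrow build the old size computation was already correct, so the test passes there with or without the fix. Suggest extending the comment with `The bug only reproduces when sizeof (CHAR) > 1, i.e. in the wide-character build; the narrow build is a no-op check.` and fixing the typo `arbitrariy` to `arbitrarily`. The final `if (result != 1)` keys the PASS message off the file-wide `result`, so a failure in an earlier test suppresses this test's PASS line even when it passed; a local flag would make the output unambiguous. main() starts outside the hunk.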
@@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 if (__glibc_unlikely (wpsize == wpmax)) \
 { \
 CHAR_T *old = wp; \
- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
- ? UCHAR_MAX + 1 : 2 * wpmax); \
- if (use_malloc || !__libc_use_alloca (newsize)) \
+ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
+ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \
+ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \
+ if (!__libc_use_alloca (newsize)) \
 { \
 wp = realloc (use_malloc ? wp : NULL, newsize); \
 if (wp == NULL) \
@@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 } \
 if (! use_malloc) \
 MEMCPY (wp, old, wpsize); \
- wpmax = newsize; \
+ wpmax = wpneed; \
 use_malloc = true; \
 } \
 else \
 { \
 size_t s = wpmax * sizeof (CHAR_T); \
- wp = (CHAR_T *) extend_alloca (wp, s, \
- newsize * sizeof (CHAR_T)); \
+ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \
 wpmax = s / sizeof (CHAR_T); \
 if (old != NULL) \
 MEMCPY (wp, old, wpsize); \
-- cgit 1.4.1
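Review bot: The new condition `if (!__libc_use_alloca (newsize))` drops the `use_malloc ||` short-circuit the old line had, so a buffer that has already moved to the heap could in principle be handed to `extend_alloca` in the else branch, leaving the heap block unreferenced and a later free of `wp` pointing at stack memory. That is safe only if __libc_use_alloca can never answer true for the larger newsize after answering false for a smaller one; it is defined outside this hunk, so that monotonicity is an assumption the hunk does not show. Keeping the guard explicit, `if (use_malloc || !__libc_use_alloca (newsize))`, costs nothing and keeps the heap/stack ownership invariant local to this code. The overflow fix itself looks right: `fits` bounds `2 * wpmax * sizeof (CHAR_T)` within SIZE_MAX and `wpmax = wpneed` now stores an element count rather than the byte count the old line stored. _IO_vfscanf_internal begins and ends outside the hunk.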