diff options
author | Nicolás Reynolds <fauno@endefensadelsl.org> | 2014-02-18 01:56:34 +0000 |
---|---|---|
committer | Nicolás Reynolds <fauno@endefensadelsl.org> | 2014-02-18 01:56:34 +0000 |
commit | 8185891e28635bdb83fdf4ba4391030912dae596 (patch) | |
tree | 66a946535bdd228514750233b2cc99dd1866ff64 /cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch | |
parent | 60a11f87366fdfbd114cdc91ff813518858e5f8d (diff) |
Tue Feb 18 01:56:27 UTC 2014
Diffstat (limited to 'cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch')
-rw-r--r-- | cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch | 180 |
1 files changed, 180 insertions, 0 deletions
diff --git a/cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch b/cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch new file mode 100644 index 000000000..f8dde53f5 --- /dev/null +++ b/cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch @@ -0,0 +1,180 @@ +diff --git a/stdio-common/Makefile b/stdio-common/Makefile +index a847b28..080badc 100644 +--- a/stdio-common/Makefile ++++ b/stdio-common/Makefile +@@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ + tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \ + tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \ + bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \ +- scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 ++ scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \ ++ bug-vfprintf-nargs + + test-srcs = tst-unbputc tst-printf + +diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c +new file mode 100644 +index 0000000..13c66c0 +--- /dev/null ++++ b/stdio-common/bug-vfprintf-nargs.c +@@ -0,0 +1,78 @@ ++/* Test for vfprintf nargs allocation overflow (BZ #13656). ++ Copyright (C) 2012 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ Contributed by Kees Cook <keescook@chromium.org>, 2012. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, write to the Free ++ Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++ 02111-1307 USA. */ ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <stdint.h> ++#include <unistd.h> ++#include <inttypes.h> ++#include <string.h> ++#include <signal.h> ++ ++static int ++format_failed (const char *fmt, const char *expected) ++{ ++ char output[80]; ++ ++ printf ("%s : ", fmt); ++ ++ memset (output, 0, sizeof output); ++ /* Having sprintf itself detect a failure is good. */ ++ if (sprintf (output, fmt, 1, 2, 3, "test") > 0 ++ && strcmp (output, expected) != 0) ++ { ++ printf ("FAIL (output '%s' != expected '%s')\n", output, expected); ++ return 1; ++ } ++ puts ("ok"); ++ return 0; ++} ++ ++static int ++do_test (void) ++{ ++ int rc = 0; ++ char buf[64]; ++ ++ /* Regular positionals work. */ ++ if (format_failed ("%1$d", "1") != 0) ++ rc = 1; ++ ++ /* Regular width positionals work. */ ++ if (format_failed ("%1$*2$d", " 1") != 0) ++ rc = 1; ++ ++ /* Positional arguments are constructed via read_int, so nargs can only ++ overflow on 32-bit systems. On 64-bit systems, it will attempt to ++ allocate a giant amount of memory and possibly crash, which is the ++ expected situation. Since the 64-bit behavior is arch-specific, only ++ test this on 32-bit systems. */ ++ if (sizeof (long int) == 4) ++ { ++ sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int)); ++ if (format_failed (buf, "1 %$d") != 0) ++ rc = 1; ++ } ++ ++ return rc; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c +index 863cd5d..c802e46 100644 +--- a/stdio-common/vfprintf.c ++++ b/stdio-common/vfprintf.c +@@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) + 0 if unknown. */ + int readonly_format = 0; + ++ /* For the argument descriptions, which may be allocated on the heap. */ ++ void *args_malloced = NULL; ++ + /* This table maps a character into a number representing a + class. In each step there is a destination label for each + class. */ +@@ -1647,9 +1650,10 @@ do_positional: + determine the size of the array needed to store the argument + attributes. */ + size_t nargs = 0; +- int *args_type; +- union printf_arg *args_value = NULL; ++ size_t bytes_per_arg; ++ union printf_arg *args_value; + int *args_size; ++ int *args_type; + + /* Positional parameters refer to arguments directly. This could + also determine the maximum number of arguments. Track the +@@ -1698,13 +1702,38 @@ do_positional: + + /* Determine the number of arguments the format string consumes. */ + nargs = MAX (nargs, max_ref_arg); ++ /* Calculate total size needed to represent a single argument across ++ all three argument-related arrays. */ ++ bytes_per_arg = sizeof (*args_value) + sizeof (*args_size) ++ + sizeof (*args_type); ++ ++ /* Check for potential integer overflow. */ ++ if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0)) ++ { ++ __set_errno (ERANGE); ++ done = -1; ++ goto all_done; ++ } + +- /* Allocate memory for the argument descriptions. */ +- args_type = alloca (nargs * sizeof (int)); ++ /* Allocate memory for all three argument arrays. */ ++ if (__libc_use_alloca (nargs * bytes_per_arg)) ++ args_value = alloca (nargs * bytes_per_arg); ++ else ++ { ++ args_value = args_malloced = malloc (nargs * bytes_per_arg); ++ if (args_value == NULL) ++ { ++ done = -1; ++ goto all_done; ++ } ++ } ++ ++ /* Set up the remaining two arrays to each point past the end of the ++ prior array, since space for all three has been allocated now. */ ++ args_size = &args_value[nargs].pa_int; ++ args_type = &args_size[nargs]; + memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0', +- nargs * sizeof (int)); +- args_value = alloca (nargs * sizeof (union printf_arg)); +- args_size = alloca (nargs * sizeof (int)); ++ nargs * sizeof (*args_type)); + + /* XXX Could do sanity check here: If any element in ARGS_TYPE is + still zero after this loop, format is invalid. For now we +@@ -1973,8 +2002,8 @@ do_positional: + } + + all_done: +- if (__builtin_expect (workstart != NULL, 0)) +- free (workstart); ++ free (args_malloced); ++ free (workstart); + /* Unlock the stream. */ + _IO_funlockfile (s); + _IO_cleanup_region_end (0); |