Cover Letter Detail

HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2230321,
    "url": "http://patchwork.ozlabs.org/api/1.1/covers/2230321/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/glibc/cover/20260429145934.278803-1-fberat@redhat.com/",
    "project": {
        "id": 41,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/41/?format=api",
        "name": "GNU C Library",
        "link_name": "glibc",
        "list_id": "libc-alpha.sourceware.org",
        "list_email": "libc-alpha@sourceware.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20260429145934.278803-1-fberat@redhat.com>",
    "date": "2026-04-29T14:59:32",
    "name": "[0/2] Fix gconv reference count overflow in swscanf",
    "submitter": {
        "id": 84672,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/84672/?format=api",
        "name": "Frédéric Bérat",
        "email": "fberat@redhat.com"
    },
    "mbox": "http://patchwork.ozlabs.org/project/glibc/cover/20260429145934.278803-1-fberat@redhat.com/mbox/",
    "series": [
        {
            "id": 502092,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/502092/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/glibc/list/?series=502092",
            "date": "2026-04-29T14:59:33",
            "name": "Fix gconv reference count overflow in swscanf",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/502092/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/covers/2230321/comments/",
    "headers": {
        "Return-Path": "<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "libc-alpha@sourceware.org"
        ],
        "Delivered-To": [
            "patchwork-incoming@legolas.ozlabs.org",
            "libc-alpha@sourceware.org"
        ],
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=JjR3+N4l;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=38.145.34.32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)",
            "sourceware.org;\n\tdkim=pass (1024-bit key,\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=JjR3+N4l",
            "sourceware.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com",
            "sourceware.org; spf=pass smtp.mailfrom=redhat.com",
            "server2.sourceware.org;\n arc=none smtp.remote-ip=170.10.129.124"
        ],
        "Received": [
            "from vm01.sourceware.org (vm01.sourceware.org [38.145.34.32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5L8D4v9fz1yHX\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 01:00:28 +1000 (AEST)",
            "from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id D77654BB3BEF\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 15:00:26 +0000 (GMT)",
            "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n by sourceware.org (Postfix) with ESMTP id 434964BA2E0F\n for <libc-alpha@sourceware.org>; Wed, 29 Apr 2026 14:59:48 +0000 (GMT)",
            "from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-115-4aZMgj2DPuWJnkOJoOo8pw-1; Wed,\n 29 Apr 2026 10:59:43 -0400",
            "from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 26E1819560BB; Wed, 29 Apr 2026 14:59:42 +0000 (UTC)",
            "from Nymeria-redhat.redhat.com (unknown [10.44.32.149])\n by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id 7772F1800480; Wed, 29 Apr 2026 14:59:39 +0000 (UTC)"
        ],
        "DKIM-Filter": [
            "OpenDKIM Filter v2.11.0 sourceware.org D77654BB3BEF",
            "OpenDKIM Filter v2.11.0 sourceware.org 434964BA2E0F"
        ],
        "DMARC-Filter": "OpenDMARC Filter v1.4.2 sourceware.org 434964BA2E0F",
        "ARC-Filter": "OpenARC Filter v1.0.0 sourceware.org 434964BA2E0F",
        "ARC-Seal": "i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1777474788; cv=none;\n b=QK4HqoI8WiKiYa6woxZUc8EzMzrulo+Q0XGqbbrUL+SDC/4fU0Hx2QLmiw4SE2jK4Z8na/sFl8f+wQ426hNcBKiLTsfpHRd+kcdJjmLCwqQQnAcy50ijCQolTHrlgAYGxAGFj8PJZuG1aGdxGSeLp6gnOIbM2WiNxFxbTWGmC6I=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1777474788; c=relaxed/simple;\n bh=mOTbPak3GadKvyEht7KH5NBIaz3UIakzwLUvacXVWKg=;\n h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;\n b=XzI4qK+AG5zuehqbwWl4BzBo63f4oXA4uEI+FsnbsEz4T+VoyEXgRAgUqZkI6QRfWKp399kxgin6BUxekh0kChbXA3zCVPveOPaa4eznXM5wZk01+xN3cRdGztFS/z4WtbUQRQOwMEDKlPlVlRZjY67DN9XzAj+/geajs5YsMqM=",
        "ARC-Authentication-Results": "i=1; server2.sourceware.org",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1777474787;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=dGzYIC179wlM1YEQ+c/hS44VNTn1MsHI5VhdjfXW6dY=;\n b=JjR3+N4lzujudUGUOfE+VSOi6cPMGadTGf7Otf11DewnkSyXn2iuiAi1GReTHg1g/ljDip\n 1BJ3HWE2PVRrx5swAdT7qdU8OZUfZza0FZ8S+Z5cSNJ6Q6JPgdvvIZ0GFqlrJKKzRLsNvE\n gE4SMJ9UlZ8YuCUqm9RT2LSQ7gj+eWA=",
        "X-MC-Unique": "4aZMgj2DPuWJnkOJoOo8pw-1",
        "X-Mimecast-MFC-AGG-ID": "4aZMgj2DPuWJnkOJoOo8pw_1777474782",
        "From": "=?utf-8?b?RnLDqWTDqXJpYyBCw6lyYXQ=?= <fberat@redhat.com>",
        "To": "libc-alpha@sourceware.org, dj@redhat.com, fweimer@redhat.com,\n adhemerval.zanella@linaro.org",
        "Subject": "[PATCH 0/2] Fix gconv reference count overflow in swscanf",
        "Date": "Wed, 29 Apr 2026 16:59:32 +0200",
        "Message-ID": "<20260429145934.278803-1-fberat@redhat.com>",
        "MIME-Version": "1.0",
        "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.93",
        "X-Mimecast-Spam-Score": "0",
        "X-Mimecast-MFC-PROC-ID": "zSOcrDUHzbZV3y-irHknZB0fEqyQWxUdtjj3cZYXqBc_1777474782",
        "X-Mimecast-Originator": "redhat.com",
        "Content-Type": "text/plain; charset=UTF-8",
        "Content-Transfer-Encoding": "8bit",
        "X-BeenThere": "libc-alpha@sourceware.org",
        "X-Mailman-Version": "2.1.30",
        "Precedence": "list",
        "List-Id": "Libc-alpha mailing list <libc-alpha.sourceware.org>",
        "List-Unsubscribe": "<https://sourceware.org/mailman/options/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>",
        "List-Archive": "<https://sourceware.org/pipermail/libc-alpha/>",
        "List-Post": "<mailto:libc-alpha@sourceware.org>",
        "List-Help": "<mailto:libc-alpha-request@sourceware.org?subject=help>",
        "List-Subscribe": "<https://sourceware.org/mailman/listinfo/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=subscribe>",
        "Errors-To": "libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org"
    },
    "content": "This series addresses a gconv module reference counter overflow\ntriggered by the `swscanf` family of functions.\n\nThe issue, originally reported by DJ Delorie, occurs because `swscanf`\nutilizes a wide-oriented `FILE` stream allocated on the stack via\n`_IO_strfile_readw`. When initialized, `_IO_fwide` implicitly clones the\nglobal locale's gconv configuration and increments the gconv module's\nreference counter (`__counter`). Because the stream is on the stack, it\ncannot be cleaned up via `fclose()` (which would attempt to `free` the\nstack pointer). Consequently, `__gconv_release_step` is never called,\nleaking the reference counts. Over enough iterations, the 32-bit counter\noverflows, resulting in a fatal abort.\n\nFlorian Weimer correctly pointed out that if we open the gconv modules\nwith `RTLD_NODELETE`, we wouldn't need to track references for\n`dlclose`. However, upon further investigation of the codebase, removing\nthe `__counter` tracking entirely is not viable without introducing\ncatastrophic memory bugs.\n\nThe `__counter` member dictates the execution of `gconv_end()`. Several\ncomplex encodings (such as `UTF-16`) dynamically allocate memory during\n`gconv_init()` and attach it to `step->__data`. If we remove\n`__counter`, we face an unsolvable dilemma during stream teardown: 1. If\nwe never call `gconv_end()`, we permanently leak `step->__data` memory\nevery time a dynamic step array is freed (e.g., from the mmap cache). 2.\nIf we unconditionally call `gconv_end()`, the stack stream destroys the\n`step->__data` state that the global locale (and other concurrent\nthreads) still rely on, leading to immediate use-after-free conditions.\n\nTherefore, reference counting must be maintained to safely manage the\n`step->__data` lifecycle.\n\nThis patch series follows Adhemerval Zanella Netto's suggestion to\nintroduce a targeted internal `fclose` equivalent. We introduce\n`_IO_wstrfile_fclose_stack()`, which safely releases the gconv reference\ncounters and finishes the stream without attempting to deallocate the\n`FILE` struct. This new function is then hooked into all 13\nimplementations of `swscanf` across the tree.\n\nFred.\n\n--\n\nFrédéric Bérat (2):\n  libio: Fix gconv module reference counter overflow in swscanf\n  wcsmbs: Add gconv module ref counter overflow test\n\n libio/iofwide.c                               | 15 ++++++\n libio/iovswscanf.c                            |  4 +-\n libio/libioP.h                                |  1 +\n libio/swscanf.c                               |  2 +-\n .../ieee128-isoc23_swscanf.c                  |  2 +-\n .../ieee128-isoc23_vswscanf.c                 |  4 +-\n .../ieee128-isoc99_swscanf.c                  |  2 +-\n .../ieee128-isoc99_vswscanf.c                 |  4 +-\n .../ldbl-128ibm-compat/ieee128-swscanf.c      |  2 +-\n .../ldbl-128ibm-compat/ieee128-vswscanf.c     |  4 +-\n sysdeps/ieee754/ldbl-opt/nldbl-compat.c       | 12 +++--\n wcsmbs/Makefile                               |  3 +-\n wcsmbs/isoc23_swscanf.c                       |  2 +-\n wcsmbs/isoc23_vswscanf.c                      |  4 +-\n wcsmbs/isoc99_swscanf.c                       |  2 +-\n wcsmbs/isoc99_vswscanf.c                      |  4 +-\n wcsmbs/tst-wcsmbs-clone-overflow.c            | 50 +++++++++++++++++++\n 17 files changed, 101 insertions(+), 16 deletions(-)\n create mode 100644 wcsmbs/tst-wcsmbs-clone-overflow.c"
}