From patchwork Tue May  6 14:04:09 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Aurelien Jarno <aurelien@aurel32.net>
X-Patchwork-Id: 346210
Return-Path: 
 <libc-alpha-return-49618-incoming=patchwork.ozlabs.org@sourceware.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from sourceware.org (server1.sourceware.org [209.132.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4A66E14012D
	for <incoming@patchwork.ozlabs.org>;
	Wed,  7 May 2014 00:04:34 +1000 (EST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:cc:subject:date:message-id; q=dns; s=
	default; b=ixJ1H9uuzvqlLEro5xheYGVYML5IKMfvfaPbl4aunEFq6oy74T+zB
	6RmkBEHOunNNI24yMvMNLXZD6ymnJW5eP/e8RVL1FS9WgPKxq+fi4YYGNideIggX
	99LiAPawwZsg2bEe51zqQzZ93taadppoT4CuHjEfjAbGTBzD44HcNY=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:cc:subject:date:message-id; s=default;
	bh=9SgF4odRxCLJ1kHwR8YGQK1r5BA=; b=c4xolAZw0m7WxtRfXu151kbDOblx
	HUKcqE/ZuBb1mwvQd9NhJyKP6T6IL6q7do/nimxY17teMiWlPPRA7FFaLQNDVt8j
	fsJkXefORS/iRzxcmytcRQ71UUidkLM6LquKoVStKKJC+oiQCrfQICX3sjcsdfyV
	PiM6YRxQCxfC9xU=
Received: (qmail 17784 invoked by alias); 6 May 2014 14:04:27 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: 
 <mailto:libc-alpha-unsubscribe-incoming=patchwork.ozlabs.org@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 17773 invoked by uid 89); 6 May 2014 14:04:26 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=BAYES_00,
	RP_MATCHES_RCVD autolearn=ham version=3.3.2
X-HELO: hall.aurel32.net
From: Aurelien Jarno <aurelien@aurel32.net>
To: libc-alpha@sourceware.org
Cc: Aurelien Jarno <aurelien@aurel32.net>
Subject: [PATCH v2] ptsname_r: don't leak uninitialized memory
Date: Tue,  6 May 2014 16:04:09 +0200
Message-Id: <1399385049-5550-1-git-send-email-aurelien@aurel32.net>

If the fd refers to a terminal device, but not a pty master, the
TIOCGPTN ioctl returns with ENOTTY. This error is not caught, and the
possibly undefined buffer passed to ptsname_r is sent directly to the
stat64 syscall.

Fix this by using a fallback to the old method only if the TIOCGPTN
ioctl fails with EINVAL. This also fix the return value in that specific
case (it return ENOENT without this patch).

Also add tests to the ptsname_r function (and ptsname at the same time).

Note: this is Debian bug#741482, reported by Jakub Wilk <jwilk@debian.org>
---
 ChangeLog                         |   8 +++
 login/Makefile                    |   2 +-
 login/tst-ptsname.c               | 138 ++++++++++++++++++++++++++++++++++++++
 sysdeps/unix/sysv/linux/ptsname.c |   4 +-
 4 files changed, 150 insertions(+), 2 deletions(-)
 create mode 100644 login/tst-ptsname.c

v1 -> v2: add tests.

diff --git a/ChangeLog b/ChangeLog
index d352ed9..e7ad09a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2014-05-06  Aurelien Jarno  <aurelien@aurel32.net>
+
+	* sysdeps/unix/sysv/linux/ptsname.c (__ptsname_internal): return
+	errno if the TIOCGPTN ioctl fails with an error different than
+	EINVAL.
+	* login/tst-ptsname.c: New file.
+	* login/Makefile (tests): Add tst-ptsname.
+
 2014-05-05  Aurelien Jarno  <aurelien@aurel32.net>
 
 	* po/fr.po: Fix French translation of inappropriate.
diff --git a/login/Makefile b/login/Makefile
index ca55808..d758ac5 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -43,7 +43,7 @@ endif
 subdir-dirs = programs
 vpath %.c programs
 
-tests := tst-utmp tst-utmpx tst-grantpt
+tests := tst-utmp tst-utmpx tst-grantpt tst-ptsname
 
 # Build the -lutil library with these extra functions.
 extra-libs      := libutil
diff --git a/login/tst-ptsname.c b/login/tst-ptsname.c
new file mode 100644
index 0000000..a803863
--- /dev/null
+++ b/login/tst-ptsname.c
@@ -0,0 +1,138 @@
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+static int
+test_ok (int fd)
+{
+  int ret, err;
+  char buf[512];
+
+  ret = ptsname_r (fd, buf, sizeof (buf));
+  err = errno;
+
+  if (ret != 0)
+    {
+      printf ("ptsname_r(): expected: return = %d\n", 0);
+      printf ("             got: return = %d, errno = %d (%s)\n",
+	      ret, err, strerror (err));
+      return 1;
+    }
+
+  return 0;
+}
+
+static int
+test_einval (int fd)
+{
+  int ret, err;
+  char *buf = NULL;
+
+  ret = ptsname_r (fd, buf, 1);
+  err = errno;
+
+  if (ret == 0 || errno != EINVAL)
+    {
+      printf ("ptsname_r(): expected: return = %d, errno = %d\n", -1, EINVAL);
+      printf ("             got: return = %d, errno = %d (%s)\n",
+	      ret, err, strerror (err));
+      return 1;
+    }
+
+  return 0;
+}
+
+static int
+test_erange (int fd)
+{
+  int ret, err;
+  char buf[512];
+
+  /* We assume that the PTS name will always be more than one character. */
+  ret = ptsname_r (fd, buf, 1);
+  err = errno;
+
+  if (ret == 0 || errno != ERANGE)
+    {
+      printf ("ptsname_r(): expected: return = %d, errno = %d\n", -1, ERANGE);
+      printf ("             got: return = %d, errno = %d (%s)\n",
+	      ret, err, strerror (err));
+      return 1;
+    }
+
+  return 0;
+}
+
+static int
+test_enotty (void)
+{
+  int fd, ret, err;
+  const char file[] = "./ptsname-einval";
+  char buf[512];
+
+  /* First try with a normal file. */
+  fd = open (file, O_RDWR | O_CREAT, 0600);
+  if (fd == -1)
+    {
+      printf ("open(\"%s\", O_RDWR) failed\nerrno %d (%s)\n",
+	      file, errno, strerror (errno));
+      return 0;
+    }
+  unlink (file);
+
+  ret = ptsname_r (fd, buf, sizeof (buf));
+  err = errno;
+  close (fd);
+
+  if (ret == 0 || errno != ENOTTY)
+    {
+      printf ("ptsname_r(): expected: return = %d, errno = %d\n", -1, ENOTTY);
+      printf ("             got: return = %d, errno = %d (%s)\n",
+	      ret, err, strerror (err));
+      return 1;
+    }
+
+  /* Then try with a terminal device which is not a master. */
+  ret = ptsname_r (0, buf, sizeof (buf));
+  err = errno;
+
+  if (ret == 0 || errno != ENOTTY)
+    {
+      printf ("ptsname_r(): expected: return = %d, errno = %d\n", -1, ENOTTY);
+      printf ("             got: return = %d, errno = %d (%s)\n",
+	      ret, err, strerror (err));
+      return 1;
+    }
+
+  return 0;
+}
+
+int
+main (void)
+{
+  int result = 0;
+  int fd;
+
+  fd = posix_openpt (O_RDWR);
+  if (fd != -1)
+    {
+      result |= test_ok (fd);
+      result |= test_einval (fd);
+      result |= test_erange (fd);
+      close(fd);
+    }
+  else
+    {
+      printf ("posix_openpt(O_RDWR) failed\nerrno %d (%s)\n",
+	      errno, strerror (errno));
+      /* We don't fail because of this; maybe the system does not have
+	 SUS pseudo terminals.  */
+    }
+
+  result |= test_enotty ();
+
+  return result;
+}
diff --git a/sysdeps/unix/sysv/linux/ptsname.c b/sysdeps/unix/sysv/linux/ptsname.c
index ed39f8f..3fc14a7 100644
--- a/sysdeps/unix/sysv/linux/ptsname.c
+++ b/sysdeps/unix/sysv/linux/ptsname.c
@@ -105,7 +105,9 @@ __ptsname_internal (int fd, char *buf, size_t buflen, struct stat64 *stp)
 
       memcpy (__stpcpy (buf, devpts), p, &numbuf[sizeof (numbuf)] - p);
     }
-  else if (errno == EINVAL)
+  else if (errno != EINVAL)
+    return errno;
+  else
 #endif
     {
       char *p;