From patchwork Tue Feb 24 05:00:10 2015
X-Patchwork-Submitter: Paul Pluzhnikov
X-Patchwork-Id: 442792
Delivered-To: mailing list libc-alpha@sourceware.org
From: Paul Pluzhnikov
Date: Mon, 23 Feb 2015 21:00:10 -0800
Subject: Re: [patch] Fix BZ #17916 fopen unbounded stack usage for ccs= modes
To: Joseph Myers
Cc: Florian Weimer, GLIBC Devel

On Mon, Feb 23, 2015 at 8:33 AM, Joseph Myers wrote:
> Typically such tests use setrlimit to set a stack limit lower than the
> amount of stack space the code used before the fix.

Thanks. I've updated the test and verified that it fails with stack
overflow if I revert the fix.

On Mon, Feb 23, 2015 at 5:47 AM, Florian Weimer wrote:
> I think you have to call _IO_file_close_it (fp) here, otherwise there's
> a resource leak.

Thanks. Fixed.

2015-02-22 Paul Pluzhnikov

[BZ #17916]
* libio/fileops.c (_IO_new_file_fopen): Limit stack use
* libio/tst-fopenloc.c (do_test, do_bz17916): Add a large ccs= test

diff --git a/libio/fileops.c b/libio/fileops.c index 297b478..2427320 100644 --- a/libio/fileops.c +++ b/libio/fileops.c 
@@ -353,7 +353,15 @@ _IO_new_file_fopen (_IO_FILE *fp, const char *filename, const char *mode, struct gconv_fcts fcts; struct _IO_codecvt *cc; char *endp = __strchrnul (cs + 5, ','); - char ccs[endp - (cs + 5) + 3]; + char *ccs = malloc (endp - (cs + 5) + 3); + + if (ccs == NULL) + { + int malloc_err = errno; /* Whatever malloc failed with. */ + (void) _IO_file_close_it (fp); + __set_errno (malloc_err); + return NULL; + } *((char *) __mempcpy (ccs, cs + 5, endp - (cs + 5))) = '\0'; strip (ccs, ccs); @@ -365,10 +373,13 @@ _IO_new_file_fopen (_IO_FILE *fp, const char *filename, const char *mode, This means we cannot proceed since the user explicitly asked for these. */ (void) _IO_file_close_it (fp); + free (ccs); __set_errno (EINVAL); return NULL; } + free (ccs); + assert (fcts.towc_nsteps == 1); assert (fcts.tomb_nsteps == 1); diff --git a/libio/tst-fopenloc.c b/libio/tst-fopenloc.c index 1336023..48c2d3b 100644 --- a/libio/tst-fopenloc.c +++ b/libio/tst-fopenloc.c @@ -24,10 +24,36 @@ #include #include #include +#include static const char inputfile[] = "../iconvdata/testdata/ISO-8859-1"; +static +int do_bz17916 (void) +{ + /* BZ #17916 -- check invalid large ccs= case. */ + struct rlimit rl; + getrlimit (RLIMIT_STACK, &rl); + rl.rlim_cur = 1024 * 1024; + setrlimit (RLIMIT_STACK, &rl); + + const size_t sz = 2 * 1024 * 1024; + char *ccs = malloc (sz); + strcpy (ccs, "r,ccs="); + memset (ccs + 6, 'A', sz - 6 - 1); + ccs[sz - 1] = '\0'; + + FILE *fp = fopen (inputfile, ccs); + if (fp != NULL) + { + printf ("unxpected success\n"); + return 1; + } + free (ccs); + + return 0; +} static int do_test (void) @@ -57,7 +83,7 @@ do_test (void) fclose (fp); - return 0; + return do_bz17916 (); } #define TEST_FUNCTION do_test ()
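
Review bot: In the first libio/fileops.c hunk (@@ -353,7 +353,15), the allocation size endp - (cs + 5) + 3 carries over an unexplained + 3 from the array it replaces. The buffer is filled by __mempcpy with endp - (cs + 5) bytes plus a terminator and then rewritten in place by strip (ccs, ccs), so a one-line comment saying what the extra bytes are reserved for would let a reader check the bound now that an overrun would corrupt the heap rather than the stack frame. Saving errno in malloc_err before calling _IO_file_close_it (fp) is the right order; the comment there could say that the close may overwrite errno, which is the actual reason for the local.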
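
Review bot: In the second libio/fileops.c hunk (@@ -365,10 +373,13), free (ccs) now appears twice, once on the EINVAL branch and once immediately after it. Since the second free shows that ccs is not needed past this check, consider storing the result of the check in a local, calling free (ccs) once, and then branching on the stored result; that leaves a single release point and no error path that can forget it. If the two calls are kept, the placement of free (ccs) before __set_errno (EINVAL) should stay as it is so that free cannot disturb the errno value being returned.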
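
Review bot: In the libio/tst-fopenloc.c hunk that adds do_bz17916 (@@ -24,10 +24,36), the return values of getrlimit and setrlimit are ignored, so if lowering RLIMIT_STACK to 1024 * 1024 fails the test still reports success without ever exercising the 2 * 1024 * 1024 mode string against a small stack, and a regression would go unnoticed. Please check both calls and fail (or report the test as unsupported) when the limit cannot be set. The result of malloc (sz) is also used by strcpy without a NULL check. On the fp != NULL branch the function returns without fclose (fp) or free (ccs), and the message reads "unxpected success" where "unexpected success" is meant. It may also be worth asserting that errno is EINVAL after the failed fopen, so the test distinguishes the intended rejection from an allocation failure.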