{"id":2224763,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2224763/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/patch/20260418101742.3355742-1-marocketbd@gmail.com/","project":{"id":41,"url":"http://patchwork.ozlabs.org/api/1.1/projects/41/?format=json","name":"GNU C Library","link_name":"glibc","list_id":"libc-alpha.sourceware.org","list_email":"libc-alpha@sourceware.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260418101742.3355742-1-marocketbd@gmail.com>","date":"2026-04-18T10:17:42","name":"[v4] libio: Fix ungetwc operating on byte stream [BZ #33998]","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"e5c04278a7a9effc929648cc1f2322150ba95366","submitter":{"id":92898,"url":"http://patchwork.ozlabs.org/api/1.1/people/92898/?format=json","name":"Rocket Ma","email":"marocketbd@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/glibc/patch/20260418101742.3355742-1-marocketbd@gmail.com/mbox/","series":[{"id":500434,"url":"http://patchwork.ozlabs.org/api/1.1/series/500434/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/list/?series=500434","date":"2026-04-18T10:17:42","name":"[v4] libio: Fix ungetwc operating on byte stream [BZ #33998]","version":4,"mbox":"http://patchwork.ozlabs.org/series/500434/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224763/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224763/checks/","tags":{},"headers":{"Return-Path":"<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>","X-Original-To":["incoming@patchwork.ozlabs.org","libc-alpha@sourceware.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","libc-alpha@sourceware.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=YGj5iF1Q;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=2620:52:6:3111::32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)","sourceware.org;\n\tdkim=pass (2048-bit key,\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=YGj5iF1Q","sourceware.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","sourceware.org; spf=pass smtp.mailfrom=gmail.com","server2.sourceware.org;\n arc=none smtp.remote-ip=2607:f8b0:4864:20::1334"],"Received":["from vm01.sourceware.org (vm01.sourceware.org\n [IPv6:2620:52:6:3111::32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fySPl18sXz1yGt\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 20:18:18 +1000 (AEST)","from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 9DBA04CCCA18\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Apr 2026 10:18:16 +0000 (GMT)","from mail-dy1-x1334.google.com (mail-dy1-x1334.google.com\n [IPv6:2607:f8b0:4864:20::1334])\n by sourceware.org (Postfix) with ESMTPS id 5F4C04AA394F\n for <libc-alpha@sourceware.org>; Sat, 18 Apr 2026 10:17:55 +0000 (GMT)","by mail-dy1-x1334.google.com with SMTP id\n 5a478bee46e88-2d9916deb14so2869480eec.0\n for <libc-alpha@sourceware.org>; Sat, 18 Apr 2026 03:17:55 -0700 (PDT)","from localhost ([23.94.240.252]) by smtp.gmail.com with UTF8SMTPSA\n id\n 5a478bee46e88-2e53dcb487bsm6080302eec.31.2026.04.18.03.17.53\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Sat, 18 Apr 2026 03:17:53 -0700 (PDT)"],"DKIM-Filter":["OpenDKIM Filter v2.11.0 sourceware.org 9DBA04CCCA18","OpenDKIM Filter v2.11.0 sourceware.org 5F4C04AA394F"],"DMARC-Filter":"OpenDMARC Filter v1.4.2 sourceware.org 5F4C04AA394F","ARC-Filter":"OpenARC Filter v1.0.0 sourceware.org 5F4C04AA394F","ARC-Seal":"i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1776507475; cv=none;\n b=F4vXDgDHH23ZL8U06Rij5H+eypuSwfW6mXR3hD3zEN9yK30kqFgBw26OHn1g5LHHAtHbOyPghDosYawE3F0y6pzdvSqxq4yDhKkugIHDbea9fEoRKRNskUJHvV4BZebo0dPG3v9EPiOQqJEaZV0UhqoNtOTIz+sInUlFbPlZcq0=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1776507475; c=relaxed/simple;\n bh=ReHf3RPRNiiS3//R1OGUve8kWoM5nSMm8T0FgtyiVQY=;\n h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;\n b=mRdVuu1oXCBXC3MZDT/iYlF4IIGIzd3RMXndkz9nZdtxRx1j3KTCjffVvjuZZzxujR9jWowH86VzQ5IHqSBe3n5N1x+HZmpE1wbqCDpspr8fiHzY1ndebBMNcxB8dRJZBdcFGjDWXQMZHwirTOcW3yDeE9oFq3Ji+qMC42nNxJM=","ARC-Authentication-Results":"i=1; server2.sourceware.org","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776507474; x=1777112274; darn=sourceware.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=P2CBrNKX2qyrvZCJTl4waNNMhHlycX6glTRbzfFyZa0=;\n b=YGj5iF1QEoQIltBYu9MmmaUyEoMWaQjHEIn8NRszTKez4nlS9eM1jUsVqkiXdm/HDb\n 8qhABozRfOknYeF2YpusJMqYQl0ZAh368UPoKDMDVzjreChKBpVnueV6YWC5m7GIO8d0\n p/fJPl8XcY9nQ/22WDCQdmQ77wK8MuC5m4M/0VT+wvSrp60Ke24Evonb0kvlBy78QLOM\n fq4cQJb6nkNvE/kXMXWA9tLc840SPVlQA1yJr7kWOC1/WUsKIAtfBBjIxzZs9FoNp9HH\n 4IhSYGzM63XxEqXkt4TReVvNGd0I9+KdbRB4ngtD/u9RIR2IpaqlGERC3hJd0npSLEqH\n hfpQ==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776507474; x=1777112274;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=P2CBrNKX2qyrvZCJTl4waNNMhHlycX6glTRbzfFyZa0=;\n b=i4MRdPiOu0c7yNVw69aXV0Z3WR/vwby955VGmyJD0Qg+vNz8w8xbg6sx7kXPoEBgwv\n es9vJpY933COeNLhKIXS/5/dUPs+d3gCBD9G7ErfCva7dJ9U3ohqcxht9jjRmNQ+aeAD\n Xl6C5nOf+7zHZstQmL0uXNZdnvBpvD5mvmSWkO/VZWcUPxVHikt37oXqoMuTjh+Qhnp/\n ioSTn0tI4WWhMdPl6zA/y+bG2MveSbQLrTlW5zIgZuqIfQ+yd+vIwFUJsFHmmpQkzXUV\n /seFzcFI5BUqB76Nvl8++maN955wfyO16x+ksU4IdWs+nFMD5m/czOWTguR4zyIlUKqc\n Tm9w==","X-Gm-Message-State":"AOJu0YxDgqQLcTIr43cSfWCO92+AkEV++Ax1GBhuTylr8/0GQpw04hFs\n 7uG29fLiqxeRiPwrp3eofYjw9RHipb30blLiWGI37M3nCch/9EdgsgGq","X-Gm-Gg":"AeBDiesq4+lT8F+woCR+S/hget1BfNFACJHIb+y9tKEaVKODwzDAvWBof2u15Nwfpz3\n Jeamp6+uOx9Wu7+uBRCbptBFbvKgE45mIjZhquZqiMm7OmYpcNBm9FqglN7JJn1ro+SCWwlaQhK\n pf/zAejOVdoK7tT7ihwmUhFjaGr34FuA1BDOQt4LxzI8cdxzVhp/US3cDcbL4iKEr6Epv+18pnm\n wLo7VWDXntLZiWr91ews0JlnOXbs1f9Y2cSCQaAcEmWgTGVG6NC3+OCIJPDzmD8eZULTAe5i1eL\n TkTLE6UrEQ6VpT1A6S8f3346rDGygBIPS2lqMZ1bm+oUmq1PBUH2RAAV01dkah0pdMfWEGVeS0K\n pTpHN4mwr5OJzP/MiVy4/GlTQ4nelfJ1bVwpeOxCrgao3AbsQlSo+TsPbBntDImXe7lRW86q578\n Pn/buQ0BcP7X3j0XvFcVjyvC/17bPsJZQ4YSq06voGNURGAy2UaLi7zfph/7RL2yaGt35XQXkB9\n 2qbhKo3hwcrsCbKlSLkCXeaHpiaYgYE8t+tA+SPSi/oJvz3cGdhBCTOJjvCFpLSyf7HOgdfM2Lx\n XsVUwQTaXQ==","X-Received":"by 2002:a05:7300:7491:b0:2df:7b88:a1b0 with SMTP id\n 5a478bee46e88-2e4873f31a7mr3704739eec.27.1776507473989;\n Sat, 18 Apr 2026 03:17:53 -0700 (PDT)","From":"Rocket Ma <marocketbd@gmail.com>","To":"Carlos O'Donell <carlos@redhat.com>","Cc":"libc-alpha@sourceware.org","Subject":"[PATCH v4] libio: Fix ungetwc operating on byte stream [BZ #33998]","Date":"Sat, 18 Apr 2026 03:17:42 -0700","Message-ID":"<20260418101742.3355742-1-marocketbd@gmail.com>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<3b0b72f7-7c84-406c-b8ad-b030fe606038@redhat.com>","References":"","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-BeenThere":"libc-alpha@sourceware.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Libc-alpha mailing list <libc-alpha.sourceware.org>","List-Unsubscribe":"<https://sourceware.org/mailman/options/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>","List-Archive":"<https://sourceware.org/pipermail/libc-alpha/>","List-Post":"<mailto:libc-alpha@sourceware.org>","List-Help":"<mailto:libc-alpha-request@sourceware.org?subject=help>","List-Subscribe":"<https://sourceware.org/mailman/listinfo/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=subscribe>","Errors-To":"libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org"},"content":"* libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one\ncharacter, it accidently compare the wchar to push back with the last\nchar from byte stream, instead of wide stream. Under specific coding,\nattacker may exploit this to leak information. This commit fix bug\n33998, or CVE-2026-5928.\n\nSigned-off-by: Rocket Ma <marocketbd@gmail.com>\n---\nRemoved redundant macro from previous patch.\n---\n libio/Makefile              |  1 +\n libio/bug-wgenops-bz33998.c | 44 +++++++++++++++++++++++++++++++++++++\n libio/wgenops.c             |  4 ++--\n 3 files changed, 47 insertions(+), 2 deletions(-)\n create mode 100644 libio/bug-wgenops-bz33998.c","diff":"diff --git a/libio/Makefile b/libio/Makefile\nindex 93656466df..6e0627bb88 100644\n--- a/libio/Makefile\n+++ b/libio/Makefile\n@@ -84,6 +84,7 @@ tests = \\\n   bug-ungetwc1 \\\n   bug-ungetwc2 \\\n   bug-wfflush \\\n+  bug-wgenops-bz33998 \\\n   bug-wmemstream1 \\\n   bug-wsetpos \\\n   test-fmemopen \\\ndiff --git a/libio/bug-wgenops-bz33998.c b/libio/bug-wgenops-bz33998.c\nnew file mode 100644\nindex 0000000000..b3f750a753\n--- /dev/null\n+++ b/libio/bug-wgenops-bz33998.c\n@@ -0,0 +1,44 @@\n+/* Regression test for ungetwc operating on byte stream (BZ #33998)\n+   Copyright (C) 2026 The GNU Toolchain Authors.\n+   This file is part of the GNU C Library.\n+\n+   The GNU C Library is free software; you can redistribute it and/or\n+   modify it under the terms of the GNU Lesser General Public\n+   License as published by the Free Software Foundation; either\n+   version 2.1 of the License, or (at your option) any later version.\n+\n+   The GNU C Library is distributed in the hope that it will be useful,\n+   but WITHOUT ANY WARRANTY; without even the implied warranty of\n+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n+   Lesser General Public License for more details.\n+\n+   You should have received a copy of the GNU Lesser General Public\n+   License along with the GNU C Library; if not, see\n+   <https://www.gnu.org/licenses/>.  */\n+\n+#include <unistd.h>\n+#include <sys/mman.h>\n+#include <stdio.h>\n+#include <wchar.h>\n+#include <support/check.h>\n+\n+static int\n+do_test (void)\n+{\n+  int fd = memfd_create (\"test\", MFD_CLOEXEC);\n+  TEST_VERIFY (fd != -1);\n+  TEST_COMPARE (write (fd, (unsigned char[]){ 'A', 0, 0, 0 }, 4), 4);\n+  TEST_COMPARE (lseek (fd, 0, SEEK_SET), 0);\n+  FILE *fp = fdopen (fd, \"r+\");\n+  TEST_VERIFY (fp != NULL);\n+  TEST_COMPARE (getwc (fp), L'A');\n+\n+  /* if the bug is fixed, then ungetwc should not touch byte stream. */\n+  char *old_read_ptr = fp->_IO_read_ptr;\n+  TEST_COMPARE (ungetwc (0, fp), L'\\0');\n+  TEST_VERIFY (fp->_IO_read_ptr == old_read_ptr);\n+\n+  return 0;\n+}\n+\n+#include <support/test-driver.c>\ndiff --git a/libio/wgenops.c b/libio/wgenops.c\nindex 6829477e0c..5f36bc49a1 100644\n--- a/libio/wgenops.c\n+++ b/libio/wgenops.c\n@@ -110,8 +110,8 @@ _IO_wdefault_pbackfail (FILE *fp, wint_t c)\n {\n   if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base\n       && !_IO_in_backup (fp)\n-      && (wint_t) fp->_IO_read_ptr[-1] == c)\n-    --fp->_IO_read_ptr;\n+      && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c)\n+    --fp->_wide_data->_IO_read_ptr;\n   else\n     {\n       /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/\n","prefixes":["v4"]}