From patchwork Fri Oct 20 11:24:22 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 828560
Return-Path: 
 <libc-alpha-return-86181-incoming=patchwork.ozlabs.org@sourceware.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=sourceware.org
	(client-ip=209.132.180.131; helo=sourceware.org;
	envelope-from=libc-alpha-return-86181-incoming=patchwork.ozlabs.org@sourceware.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dkim=pass (1024-bit key;
	secure) header.d=sourceware.org header.i=@sourceware.org
	header.b="YP10YnBw"; dkim-atps=neutral
Received: from sourceware.org (server1.sourceware.org [209.132.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3yJNkK6NDgz9t5q
	for <incoming@patchwork.ozlabs.org>;
	Fri, 20 Oct 2017 22:24:57 +1100 (AEDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:to:subject:mime-version:content-type
	:content-transfer-encoding:message-id:from; q=dns; s=default; b=
	iTfx8/DtqGUKLls8iBaLHYE/+qQNF8fl/36KUgZvWJze3uT8rX9AVYK1IpEEHDDP
	Q+9YDH7LiJKJTMlstqSBEVSdHdE+hIjnl3lspsukcpAYfnCDXS/kTY7ulpuGpoAj
	iMRovyUaUJqW+KBpu3jM1sHOpxNA2dWaAETiRvA05mU=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:to:subject:mime-version:content-type
	:content-transfer-encoding:message-id:from; s=default; bh=fNRyRL
	PNk5nd+/WWBRQYBWQOErU=; b=YP10YnBwsDqfhdp+7yKpugSiZiDEZUE4lU0tSA
	tvKiy40xMRBe32fMrAIyffQfIVPddfM1AfwMc3IawF6FgRTWGjDGIbOA+ALyKfSo
	ZTOpbkMtTSVwX/wcqajMHl8SsyzAt1Pip/YlM8fBD5gfjCYpPe+C8neOGpBlJEcD
	+ySHI=
Received: (qmail 28801 invoked by alias); 20 Oct 2017 11:24:37 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: 
 <mailto:libc-alpha-unsubscribe-incoming=patchwork.ozlabs.org@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 28731 invoked by uid 89); 20 Oct 2017 11:24:27 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00, GIT_PATCH_0,
	GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, RP_MATCHES_RCVD,
	SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=500000,
	UD:pwd.h, pwd.h, pwdh
X-HELO: mx1.redhat.com
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0AED368CD
Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com;
	dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx09.extmail.prod.ext.phx2.redhat.com;
	spf=fail smtp.mailfrom=fweimer@redhat.com
Date: Fri, 20 Oct 2017 13:24:22 +0200
To: libc-alpha@sourceware.org
Subject: [PATCH] glob: Add new test tst-glob-tilde
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Message-Id: <20171020112422.7271541AC3DA0@oldenburg.str.redhat.com>
From: fweimer@redhat.com (Florian Weimer)

The new test checks for memory leaks (see bug 22325) and attempts
to trigger the buffer overflow in bug 22320.

2017-10-20  Florian Weimer  <fweimer@redhat.com>

	* posix/Makefile (tests): Add tst-glob-tilde.
	(tests-special): Add tst-glob-tilde-mem.out
	(tst-glob-tilde-ENV): Set MALLOC_TRACE.
	(tst-glob-tilde-mem.out): Add mtrace check.
	* posix/tst-glob-tilde.c: New file.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>

diff --git a/posix/Makefile b/posix/Makefile
index b5894425ae..d4a5299a52 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -94,7 +94,8 @@ tests		:= test-errno tstgetopt testfnm runtests runptests \
 		   tst-fnmatch3 bug-regex36 tst-getaddrinfo5 \
 		   tst-posix_spawn-fd tst-posix_spawn-setsid \
 		   tst-posix_fadvise tst-posix_fadvise64 \
-		   tst-sysconf-empty-chroot tst-glob_symlinks tst-fexecve
+		   tst-sysconf-empty-chroot tst-glob_symlinks tst-fexecve \
+		   tst-glob-tilde
 tests-internal	:= bug-regex5 bug-regex20 bug-regex33 \
 		   tst-rfc3484 tst-rfc3484-2 tst-rfc3484-3 \
 		   tst-glob_lstat_compat
@@ -143,7 +144,8 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \
 		 $(objpfx)tst-rxspencer-no-utf8-mem.out $(objpfx)tst-pcre-mem.out \
 		 $(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \
 		 $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
-		 $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out
+		 $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
+		 $(objpfx)tst-glob-tilde-mem.out
 xtests-special += $(objpfx)bug-ga2-mem.out
 endif
 
@@ -352,6 +354,12 @@ $(objpfx)bug-glob2-mem.out: $(objpfx)bug-glob2.out
 	$(common-objpfx)malloc/mtrace $(objpfx)bug-glob2.mtrace > $@; \
 	$(evaluate-test)
 
+tst-glob-tilde-ENV = MALLOC_TRACE=$(objpfx)tst-glob-tilde.mtrace
+
+$(objpfx)tst-glob-tilde-mem.out: $(objpfx)tst-glob-tilde.out
+	$(common-objpfx)malloc/mtrace $(objpfx)tst-glob-tilde.mtrace > $@; \
+	$(evaluate-test)
+
 $(inst_libexecdir)/getconf: $(inst_bindir)/getconf \
 			    $(objpfx)getconf.speclist FORCE
 	$(addprefix $(..)./scripts/mkinstalldirs ,\
diff --git a/posix/tst-glob-tilde.c b/posix/tst-glob-tilde.c
new file mode 100644
index 0000000000..b12d09cf8a
--- /dev/null
+++ b/posix/tst-glob-tilde.c
@@ -0,0 +1,132 @@
+/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <glob.h>
+#include <mcheck.h>
+#include <nss.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/support.h>
+
+/* Flag which indicates whether to pass the GLOB_ONLYDIR flag.  */
+static int do_onlydir;
+
+/* Flag which indicates whether to pass the GLOB_NOCHECK flag.  */
+static int do_nocheck;
+
+/* Flag which indicates whether to pass the GLOB_MARK flag.  */
+static int do_mark;
+
+static void
+one_test (const char *prefix, const char *middle, const char *suffix)
+{
+  char *pattern = xasprintf ("%s%s%s", prefix, middle, suffix);
+  int flags = GLOB_TILDE;
+  if (do_onlydir)
+    flags |= GLOB_ONLYDIR;
+  if (do_nocheck)
+    flags |= GLOB_NOCHECK;
+  if (do_mark)
+    flags |= GLOB_MARK;
+  glob_t gl;
+  /* This glob call might result in crashes or memory leaks.  */
+  if (glob (pattern, flags, NULL, &gl) == 0)
+    globfree (&gl);
+  free (pattern);
+}
+
+enum
+  {
+    /* The largest base being tested.  */
+    largest_base_size = 500000,
+
+    /* The actual size is the base size plus a variable whose absolute
+       value is not greater than this.  This helps malloc to trigger
+       overflows.  */
+    max_size_skew = 16,
+
+    /* The maximum string length supported by repeating_string
+       below.  */
+    repeat_size = largest_base_size + max_size_skew,
+  };
+
+/* Used to construct strings which repeat a single character 'x'.  */
+static char *repeat;
+
+/* Return a string of SIZE characters.  */
+const char *
+repeating_string (int size)
+{
+  TEST_VERIFY (size >= 0);
+  TEST_VERIFY (size <= repeat_size);
+  const char *repeated_shifted = repeat + repeat_size - size;
+  TEST_VERIFY (strlen (repeated_shifted) == size);
+  return repeated_shifted;
+}
+
+static int
+do_test (void)
+{
+  /* Avoid network-based NSS modules and initialize nss_files with a
+     dummy lookup.  This has to come before mtrace because NSS does
+     not free all memory.  */
+  __nss_configure_lookup ("passwd", "files");
+  (void) getpwnam ("root");
+
+  mtrace ();
+
+  repeat = xmalloc (repeat_size + 1);
+  memset (repeat, 'x', repeat_size);
+  repeat[repeat_size] = '\0';
+
+  static const int base_sizes[] = { 0, 8, 100, 100000, largest_base_size, -1 };
+
+  for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
+    for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
+      for (do_mark = 0; do_mark < 2; ++do_mark)
+        for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
+          {
+            for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
+                 ++size_skew)
+              {
+                int size = base_sizes[base_idx] + size_skew;
+                if (size < 0)
+                  continue;
+
+                const char *user_name = repeating_string (size);
+                one_test ("~", user_name, "/a/b");
+              }
+
+            const char *user_name = repeating_string (base_sizes[base_idx]);
+            one_test ("~", user_name, "");
+            one_test ("~", user_name, "/");
+            one_test ("~", user_name, "/a");
+            one_test ("~", user_name, "/*/*");
+            one_test ("~", user_name, "\\/");
+            one_test ("/~", user_name, "");
+            one_test ("*/~", user_name, "/a/b");
+          }
+
+  free (repeat);
+
+  return 0;
+}
+
+#include <support/test-driver.c>