all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
blob e9d51359c4b6b334423dfd028257170206ec3c8d 4718 bytes (raw)
name: gnu/packages/patches/elfutils-libdwfl-string-overflow.patch 	 # note: path name is non-authoritative(*)

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
 
from https://sourceware.org/cgit/elfutils/patch/?id=0873ae782d14e672e8344775e76b7fca0a8b41bf

Adjust the changelog so it can be applied on elfutils 0.187.

From 0873ae782d14e672e8344775e76b7fca0a8b41bf Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Thu, 28 Jul 2022 15:31:12 +0200
Subject: libdwfl: Rewrite reading of ar_size in elf_begin_rand
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With GCC 12.1.1, glibc 2.35, -fsanitize=undefined and
-D_FORTIFY_SOURCE=3 we get the following error message:

In file included from /usr/include/ar.h:22,
                 from ../libelf/libelfP.h:33,
                 from core-file.c:31:
In function ‘pread’,
    inlined from ‘pread_retry’ at ../lib/system.h:188:21,
    inlined from ‘elf_begin_rand’ at core-file.c:86:16,
    inlined from ‘core_file_read_eagerly’ at core-file.c:205:15:
/usr/include/bits/unistd.h:74:10: error: ‘__pread_alias’ writing 58 or more bytes into a region of size 10 overflows the destination [-Werror=stringop-overflow=]
   74 |   return __glibc_fortify (pread, __nbytes, sizeof (char),
      |          ^~~~~~~~~~~~~~~
/usr/include/ar.h: In function ‘core_file_read_eagerly’:
/usr/include/ar.h:41:10: note: destination object ‘ar_size’ of size 10
   41 |     char ar_size[10];           /* File size, in ASCII decimal.  */
      |          ^~~~~~~
/usr/include/bits/unistd.h:50:16: note: in a call to function ‘__pread_alias’ declared with attribute ‘access (write_only, 2, 3)’
   50 | extern ssize_t __REDIRECT (__pread_alias,
      |                ^~~~~~~~~~
cc1: all warnings being treated as errors

The warning disappears when dropping either -fsanitize=undefined
or when using -D_FORTIFY_SOURCE=2. It looks like a false positive.
But I haven't figured out how/why it happens.

The code is a little tricky to proof correct though. The ar_size
field is a not-zero terminated string ASCII decimal, right-padded
with spaces. Which is then converted with strtoll. Relying on the
fact that the struct ar_hdr is zero initialized, so there will be
a zero byte after the ar_size field.

Rewrite the code to just use a zero byte terminated char array.
Which is much easier to reason about. As a bonus the error disappears.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libdwfl/ChangeLog   |  5 +++++
 libdwfl/core-file.c | 26 ++++++++++++++++----------
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 75c53948d..acdaa0138 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,0 +1,5 @@
+2022-07-28  Mark Wielaard  <mark@klomp.org>
+
+	* core-file.c (elf_begin_rand): Replace struct ar_hdr h with
+	a char ar_size[AR_SIZE_CHARS + 1] array to read size.
+
2022-04-22  Mark Wielaard  <mark@klomp.org>

	* debuginfod-client.c (init_control): New static pthread_once_t.
diff --git a/libdwfl/core-file.c b/libdwfl/core-file.c
index cefc3db0f..4418ef338 100644
--- a/libdwfl/core-file.c
+++ b/libdwfl/core-file.c
@@ -75,26 +75,32 @@ elf_begin_rand (Elf *parent, off_t offset, off_t size, off_t *next)
      from the archive header to override SIZE.  */
   if (parent->kind == ELF_K_AR)
     {
-      struct ar_hdr h = { .ar_size = "" };
-
-      if (unlikely (parent->maximum_size - offset < sizeof h))
+      /* File size, in ASCII decimal, right-padded with ASCII spaces.
+         Max 10 characters. Not zero terminated. So make this ar_size
+         array one larger and explicitly zero terminate it.  As needed
+         for strtoll.  */
+      #define AR_SIZE_CHARS 10
+      char ar_size[AR_SIZE_CHARS + 1];
+      ar_size[AR_SIZE_CHARS] = '\0';
+
+      if (unlikely (parent->maximum_size - offset < sizeof (struct ar_hdr)))
 	return fail (ELF_E_RANGE);
 
       if (parent->map_address != NULL)
-	memcpy (h.ar_size, parent->map_address + parent->start_offset + offset,
-		sizeof h.ar_size);
+	memcpy (ar_size, parent->map_address + parent->start_offset + offset,
+		AR_SIZE_CHARS);
       else if (unlikely (pread_retry (parent->fildes,
-				      h.ar_size, sizeof (h.ar_size),
+				      ar_size, AR_SIZE_CHARS,
 				      parent->start_offset + offset
 				      + offsetof (struct ar_hdr, ar_size))
-			 != sizeof (h.ar_size)))
+			 != AR_SIZE_CHARS))
 	return fail (ELF_E_READ_ERROR);
 
-      offset += sizeof h;
+      offset += sizeof (struct ar_hdr);
 
       char *endp;
-      size = strtoll (h.ar_size, &endp, 10);
-      if (unlikely (endp == h.ar_size)
+      size = strtoll (ar_size, &endp, 10);
+      if (unlikely (endp == ar_size)
 	  || unlikely ((off_t) parent->maximum_size - offset < size))
 	return fail (ELF_E_INVALID_ARCHIVE);
     }
-- 
cgit 


debug log:

solving e9d51359c4 ...
found e9d51359c4 in https://git.savannah.gnu.org/cgit/guix.git

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.