This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH][BZ 15362] Fix fwrite() reading beyond end of buffer in error path
- From: Eric Biggers <ebiggers3 at gmail dot com>
- To: GNU C Library <libc-alpha at sourceware dot org>
- Cc: Siddhesh Poyarekar <siddhesh at redhat dot com>
- Date: Tue, 16 Apr 2013 23:31:14 -0500
- Subject: [PATCH][BZ 15362] Fix fwrite() reading beyond end of buffer in error path
This is a revised patch for BZ#15362.
The previous discussion on this bug was at
http://sourceware.org/ml/libc-alpha/2013-04/msg00379.html. Note: in this
previous thread I also brought up several other problems with libio that have
apparently been there for years, such as line buffering semantics not always
being respected. This patch does not attempt to fix these other problems and
only provides a fix for #BZ11741 and BZ#15362.
I have not been able to run the full test suite because an unrelated test
(math/test-ldouble) fails even without my patch. Also, I did not add a test
specifically for BZ#15362, as it seemed too specific. I would think that if
such a test were to be added, then, for consistency, many other glibc tests
would have to be added or modified to make sure that glibc does not access
memory it is not supposed to.
I do not have a FSF copyright assignment in place yet. I may be interested in
making future contributions to glibc, and unless I am supposed to do something
else, I will request the FSF copyright assignment form using the
request-assign.future template.
-----
Partially revert commits 2b766585f9b4ffabeef2f36200c275976b93f2c7 and
de2fd463b1c0310d75084b6d774fb974075a4ad9, which were intended to fix BZ#11741
but caused another, likely worse bug, namely that fwrite() and fputs() could,
in an error path, read data beyond the end of the specified buffer, and
potentially even write this data to the file.
Fix BZ#11741 properly by checking the return value from _IO_padn() in
stdio-common/vfprintf.c.
diff --git a/ChangeLog b/ChangeLog
index 90d6d47..e978ee2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2013-04-16 Eric Biggers <ebiggers3@gmail.com>
+
+ [BZ #15362]
+ * libio/fileops.c: Revert problematic fixes for [BZ #11741]
+ * libio/iofwrite.c: Likewise.
+ * libio/iofwrite_u.c: Likewise.
+ * libio/iopadn.c: Likewise.
+ * libio/iowpadn.c: Likewise.
+ * stdio-common/vfprintf.c: Fix [BZ #11741] properly by checking whether
+ _IO_padn() returned the full count written.
+
2013-04-16 Roland McGrath <roland@hack.frob.com>
* rt/tst-aio7.c (do_test): Don't test O_RDONLY fd case, which is now
diff --git a/libio/fileops.c b/libio/fileops.c
index 61b61b3..90d5e88 100644
--- a/libio/fileops.c
+++ b/libio/fileops.c
@@ -1245,13 +1245,12 @@ _IO_new_file_write (f, data, n)
_IO_ssize_t n;
{
_IO_ssize_t to_do = n;
- _IO_ssize_t count = 0;
while (to_do > 0)
{
- count = (__builtin_expect (f->_flags2
- & _IO_FLAGS2_NOTCANCEL, 0)
- ? write_not_cancel (f->_fileno, data, to_do)
- : write (f->_fileno, data, to_do));
+ _IO_ssize_t count = (__builtin_expect (f->_flags2
+ & _IO_FLAGS2_NOTCANCEL, 0)
+ ? write_not_cancel (f->_fileno, data, to_do)
+ : write (f->_fileno, data, to_do));
if (count < 0)
{
f->_flags |= _IO_ERR_SEEN;
@@ -1263,7 +1262,7 @@ _IO_new_file_write (f, data, n)
n -= to_do;
if (f->_offset >= 0)
f->_offset += n;
- return count < 0 ? count : n;
+ return n;
}
_IO_size_t
@@ -1323,13 +1322,11 @@ _IO_new_file_xsputn (f, data, n)
_IO_size_t block_size, do_write;
/* Next flush the (full) buffer. */
if (_IO_OVERFLOW (f, EOF) == EOF)
- /* If nothing else has to be written or nothing has been written, we
- must not signal the caller that the call was even partially
- successful. */
- return (to_do == 0 || to_do == n) ? EOF : n - to_do;
+ /* If nothing else has to be written we must not signal the
+ caller that everything has been written. */
+ return to_do == 0 ? EOF : n - to_do;
- /* Try to maintain alignment: write a whole number of blocks.
- dont_write is what gets left over. */
+ /* Try to maintain alignment: write a whole number of blocks. */
block_size = f->_IO_buf_end - f->_IO_buf_base;
do_write = to_do - (block_size >= 128 ? to_do % block_size : 0);
diff --git a/libio/iofwrite.c b/libio/iofwrite.c
index 81596a6..66542ea 100644
--- a/libio/iofwrite.c
+++ b/libio/iofwrite.c
@@ -42,12 +42,12 @@ _IO_fwrite (buf, size, count, fp)
if (_IO_vtable_offset (fp) != 0 || _IO_fwide (fp, -1) == -1)
written = _IO_sputn (fp, (const char *) buf, request);
_IO_release_lock (fp);
- /* We are guaranteed to have written all of the input, none of it, or
- some of it. */
- if (written == request)
+ /* We have written all of the input in case the return value indicates
+ this or EOF is returned. The latter is a special case where we
+ simply did not manage to flush the buffer. But the data is in the
+ buffer and therefore written as far as fwrite is concerned. */
+ if (written == request || written == EOF)
return count;
- else if (written == EOF)
- return 0;
else
return written / size;
}
diff --git a/libio/iofwrite_u.c b/libio/iofwrite_u.c
index 4a9d6ca..18dc6d0 100644
--- a/libio/iofwrite_u.c
+++ b/libio/iofwrite_u.c
@@ -44,12 +44,12 @@ fwrite_unlocked (buf, size, count, fp)
if (_IO_fwide (fp, -1) == -1)
{
written = _IO_sputn (fp, (const char *) buf, request);
- /* We are guaranteed to have written all of the input, none of it, or
- some of it. */
- if (written == request)
+ /* We have written all of the input in case the return value indicates
+ this or EOF is returned. The latter is a special case where we
+ simply did not manage to flush the buffer. But the data is in the
+ buffer and therefore written as far as fwrite is concerned. */
+ if (written == request || written == EOF)
return count;
- else if (written == EOF)
- return 0;
}
return written / size;
diff --git a/libio/iopadn.c b/libio/iopadn.c
index cc93c0f..5ebbcf4 100644
--- a/libio/iopadn.c
+++ b/libio/iopadn.c
@@ -59,7 +59,7 @@ _IO_padn (fp, pad, count)
w = _IO_sputn (fp, padptr, PADSIZE);
written += w;
if (w != PADSIZE)
- return w == EOF ? w : written;
+ return written;
}
if (i > 0)
diff --git a/libio/iowpadn.c b/libio/iowpadn.c
index d94db71..5600f37 100644
--- a/libio/iowpadn.c
+++ b/libio/iowpadn.c
@@ -65,7 +65,7 @@ _IO_wpadn (fp, pad, count)
w = _IO_sputn (fp, (char *) padptr, PADSIZE);
written += w;
if (w != PADSIZE)
- return w == EOF ? w : written;
+ return written;
}
if (i > 0)
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index c8bcf5a..61d9dc2 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -90,13 +90,13 @@
do { \
if (width > 0) \
{ \
- unsigned int d = _IO_padn (s, (Padchar), width); \
- if (__glibc_unlikely (d == EOF)) \
+ _IO_ssize_t written = _IO_padn (s, (Padchar), width); \
+ if (__glibc_unlikely (written != width)) \
{ \
done = -1; \
goto all_done; \
} \
- done_add (d); \
+ done_add (written); \
} \
} while (0)
# define PUTC(C, F) _IO_putc_unlocked (C, F)
@@ -119,13 +119,13 @@
do { \
if (width > 0) \
{ \
- unsigned int d = _IO_wpadn (s, (Padchar), width); \
- if (__glibc_unlikely (d == EOF)) \
+ _IO_ssize_t written = _IO_wpadn (s, (Padchar), width); \
+ if (__glibc_unlikely (written != width)) \
{ \
done = -1; \
goto all_done; \
} \
- done_add (d); \
+ done_add (written); \
} \
} while (0)
# define PUTC(C, F) _IO_putwc_unlocked (C, F)