This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug time/16346] mktime: potentially unsafe use of localtime_offset
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 03 Oct 2018 18:02:37 +0000
- Subject: [Bug time/16346] mktime: potentially unsafe use of localtime_offset
- Auto-submitted: auto-generated
- References: <bug-16346-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=16346
--- Comment #14 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, aaribaud/make-check has been created
at 38bf3363a7e8942ea1ec02009e3cba4cccae3cfd (commit)
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=38bf3363a7e8942ea1ec02009e3cba4cccae3cfd
commit 38bf3363a7e8942ea1ec02009e3cba4cccae3cfd
Author: Albert ARIBAUD (3ADEV) <albert.aribaud@3adev.fr>
Date: Mon Jun 18 21:14:43 2018 +0200
Y2038: make __tz_convert compatible with 64-bit-time
Now that __time_64_t exists, we can switch internal function
__tz_convert from 32-bit to 64-bit time. This involves switching
some other internal functions and turning some implementations
which use these into wrappers between public 32-bit and internal
64-bit time.
* __tz_compute: Pass timer as a __time64_t rather than time_t.
* __offtime: Pass __timer as a __time64_t value rather than
a const time_t pointer.
* __tz_convert: Likewise.
* localtime: provide a 64-bit time version and make the 32-bit
time version a wrapper of it.
* localtime_r: Likewise.
* ctime: Likewise.
* ctime_r: Likewise.
* gmtime: Likewise.
* gmtime_r: Likewise.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0437f3bdb78dc7a0ed6df337d95ab24dbc1c664c
commit 0437f3bdb78dc7a0ed6df337d95ab24dbc1c664c
Author: Albert ARIBAUD (3ADEV) <albert.aribaud@3adev.fr>
Date: Mon Jun 18 21:14:42 2018 +0200
Y2038: Add 64-bit time for all architectures
glibc support for 64-bit time_t on 32-bit architectures
will involve:
- Using 64-bit times inside glibc, with conversions
to and from 32-bit times taking place as necessary
for interfaces using such times.
- Adding 64-bit-time support in the glibc public API.
This support should be dynamic, i.e. glibc should
provide both 32-bit and 64-bit implementations and
let user code choose at compile time whether to use
the 32-bit or 64-bit interfaces.
This requires a glibc-internal name for a type for times
that are always 64-bit.
To determine whether the default time_t interfaces are 32-bit
and so need conversions, or are 64-bit and so are compatible
with the internal 64-bit type without conversions, a macro
giving the size of the default time_t is also required.
This macro is called __TIMESIZE.
Based on __TIMESIZE, a new macro is defined, __TIME64_T_TYPE,
which is always the right __*_T_TYPE to hold a 64-bit-time.
__TIME64_T_TYPE equals __TIME_T_TYPE if __TIMESIZE equals 64
and equals __SQUAD_T_TYPE otherwise.
__time64_t can then replace uses of internal_time_t.
* bit/time64.h: New file.
* bits/timesize: (__TIMESIZE): New macro.
* include/time.h: replace internal_time_t with __time64_t.
* posix/bits/types (__time64_t): Add.
* stdlib/Makefile: Add bits/time64.h to includes.
* stdlib/Makefile: Add bits/timesize.h to includes.
* sysdeps/unix/sysv/linux/x86/bits/time64.h: New file.
* sysdeps/unix/sysv/linux/x86/bits/timesize.h (__TIMESIZE): New macro.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ec94d7c17a496fcd5a8f9107e91df5ce64ed2bbf
commit ec94d7c17a496fcd5a8f9107e91df5ce64ed2bbf
Author: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun Sep 9 09:06:25 2018 -0700
Fix mktime localtime offset confusion
[BZ #23603]
* include/time.h (__mktime_internal): The localtime offset is now
of type long int instead of time_t. This is the longstanding type
in glibc, and it is more than enough to represent difference
between localtime and gmtime even if it is 32 bits and time_t is
64. Changing it now will let us avoid an unnecessary change when
time_t is widened to 64 bits on 32-bit platforms.
* time/mktime-internal.h (mktime_offset_t): Now long int.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a4a170153979bcdcd827590aa249e8c63949b6e
commit 4a4a170153979bcdcd827590aa249e8c63949b6e
Author: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun Sep 9 09:06:24 2018 -0700
Merge mktime, timegm from upstream Gnulib
[BZ #23603][BZ #16346]
This fixes some obscure problems with integer overflow.
Although it looks scary, it is almost all a byte-for-byte copy
from Gnulib, and the Gnulib code has been tested reasonably well.
* include/intprops.h: New file, copied from Gnulib.
* include/verify.h, time/mktime-internal.h:
New tiny files, simplified from Gnulib.
* time/mktime.c: Copy from Gnulib. This has the following changes:
Do not include config.h if DEBUG_MKTIME is nonzero.
Include stdbool.h, intprops.h, verify.h.
Include string.h only if needed.
Include stdlib.h on MS-Windows.
Include mktime-internal.h.
(DEBUG_MKTIME): Default to 0, and simplify later uses.
(NEED_MKTIME_INTERNAL, NEED_MKTIME_WINDOWS)
(NEED_MKTIME_WORKING): Give default values to pacify -Wundef,
which glibc uses. Default NEED_MKTIME_WORKING to DEBUG_MKTIME, to
simplify later conditionals; default the others to zero. Use
these conditionals to express only the code needed on the current
platform. In uses of these conditionals, explicitly spell out how
_LIBC affects things, so it’s easier to review from a glibc
viewpoint.
(WRAPV): Remove; no longer needed now that we have
systematic overflow checking.
(my_tzset, __tzset) [!_LIBC]: New function and macro, to better
compartmentalize tzset issues. Move system-dependent tzsettish
code here from mktime.
(verify): Remove; now done by verify.h. All uses changed.
(long_int): Use a more-conservative definition, to avoid
integer overflow.
(SHR): Remove, replacing with ...
(shr): New function, which means we needn’t worry about side
effects in args, and conversion analysis is simpler.
(TYPE_IS_INTEGER, TYPE_TWOS_COMPLEMENT, TYPE_SIGNED, TYPE_MINIMUM)
(TYPE_MAXIMUM, TIME_T_MIN, TIME_T_MAX, TIME_T_MIDPOINT)
(time_t_avg, time_t_add_ok): Remove.
(mktime_min, mktime_max): New constants.
(leapyear, isdst_differ): Use bool for booleans.
(ydhms_diff, guess_time_tm, ranged_convert, __mktime_internal):
Use long_int, not time_t, for mktime differences.
(long_int_avg): New function, replacing time_t_avg.
INT_ADD_WRAPV replaces time_t_add_ok.
(guess_time_tm): 6th arg is now long_int, not time_t const *.
All uses changed.
(convert_time): New function.
(ranged_convert): Use it.
(__mktime_internal): Last arg now points to mktime_offset_t, not
time_t. All uses changed. This is a no-op on glibc, where
mktime_offset_t is always time_t. Use int, not time_t, for UTC
offset guess. Directly check for integer overflow instead of
using a heuristic that works only 99.9...% of the time.
Access *OFFSET only once, to avoid an unlikely race if the
compiler delays a load and if this cascades into a signed integer
overflow.
(mktime): Move tzsettish code to my_tzset, and move
localtime_offset to within mktime so that it doesn’t
need a separate ifdef.
(main) [DEBUG_MKTIME]: Speed up by using localtime_r
instead of localtime.
* time/timegm.c: Copy from Gnulib. This has the following changes:
Include mktime-internal.h.
[!_LIBC]: Include config.h and time.h. Do not include
timegm.h or time_r.h. Make __mktime_internal a macro,
and include mktime-internal.h to get its declaration.
(timegm): Temporary is now mktime_offset_t, not time_t.
This affects only Gnulib.
-----------------------------------------------------------------------
--
You are receiving this mail because:
You are on the CC list for the bug.
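
The "Merge mktime, timegm from upstream Gnulib" log above mentions two hardening points: checking integer overflow directly, and accessing *OFFSET only once. The sketch below is an added example, not code from glibc or Gnulib; the function names `add_offset_racy` and `add_offset_checked` are hypothetical, and it assumes GCC or Clang builtins in place of the INT_ADD_WRAPV macro the log names.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Before: *offset is read several times, so the value that passed the
   range test need not be the value that is finally added if another
   thread updates the cached offset in between. */
bool add_offset_racy(long long t, long int *offset, long long *out)
{
    if (*offset > 0 && t > LLONG_MAX - *offset)
        return false;
    if (*offset < 0 && t < LLONG_MIN - *offset)
        return false;
    *out = t + *offset;              /* separate load: may differ */
    return true;
}

/* After: one explicit load into a local, then a direct overflow check.
   __atomic_load_n and __builtin_add_overflow are GCC/Clang builtins
   chosen for this example; the commit log names INT_ADD_WRAPV. */
bool add_offset_checked(long long t, long int *offset, long long *out)
{
    long int off = __atomic_load_n(offset, __ATOMIC_RELAXED);
    return !__builtin_add_overflow(t, off, out);
}

int main(void)
{
    long int offset = 3600;          /* constructed sample: UTC+1 in seconds */
    long long r;

    if (add_offset_checked(1000, &offset, &r))
        printf("1000 + offset = %lld\n", r);
    if (!add_offset_checked(LLONG_MAX, &offset, &r))
        puts("LLONG_MAX + offset rejected: overflow");
    return 0;
}
```

When `add_offset_checked` returns false, `*out` holds the wrapped sum and must not be used as a time value.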