| Summary: | p_secstodate overflow handling | ||
|---|---|---|---|
| Product: | glibc | Reporter: | Joseph Myers <jsm28> |
| Component: | network | Assignee: | Not yet assigned to anyone <unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | fweimer |
| Priority: | P2 | Flags: | fweimer:
security-
|
| Version: | 2.26 | ||
| Target Milestone: | 2.27 | ||
| Host: | Target: | ||
| Build: | Last reconfirmed: | ||
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via f120cda6072d830df92656dad0c89967547b97dc (commit)
from a90d1ac2d2f7b20a9df676ac9bd0aa512ab5b708 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f120cda6072d830df92656dad0c89967547b97dc
commit f120cda6072d830df92656dad0c89967547b97dc
Author: Joseph Myers <joseph@codesourcery.com>
Date: Wed Nov 22 22:12:07 2017 +0000
Fix p_secstodate overflow handling (bug 22463).
The resolv/res_debug.c function p_secstodate (which is a public
function exported from libresolv, taking an unsigned long argument)
does:
struct tm timebuf;
time = __gmtime_r(&clock, &timebuf);
time->tm_year += 1900;
time->tm_mon += 1;
sprintf(output, "%04d%02d%02d%02d%02d%02d",
time->tm_year, time->tm_mon, time->tm_mday,
time->tm_hour, time->tm_min, time->tm_sec);
If __gmtime_r returns NULL (because the year overflows the range of
int), this will dereference a null pointer. Otherwise, if the
computed year does not fit in four characters, this will cause a
buffer overrun of the fixed-size 15-byte buffer. With current GCC
mainline, there is a compilation failure because of the possible
buffer overrun.
I couldn't find a specification for how this function is meant to
behave, but Paul pointed to RFC 4034 as relevant to the cases where
this function is called from within glibc. The function's interface
is inherently problematic when dates beyond Y2038 might be involved,
because of the ambiguity in how to interpret 32-bit timestamps as such
dates (the RFC suggests interpreting times as being within 68 years of
the present date, which would mean some kind of interface whose
behavior depends on the present date).
This patch works on the basis of making a minimal fix in preparation
for obsoleting the function. The function is made to handle times in
the interval [0, 0x7fffffff] only, on all platforms, with <overflow>
used as the output string in other cases (and errno set to EOVERFLOW
in such cases). This seems to be a reasonable state for the function
to be in when made a compat symbol by a future patch, being compatible
with any existing uses for existing timestamps without trying to work
for later timestamps. Results independent of the range of time_t also
simplify the testcase.
I couldn't persuade GCC to recognize the ranges of the struct tm
fields by adding explicit range checks with a call to
__builtin_unreachable if outside the range (this looks similar to
<https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80776>), so having added
a range check on the input, this patch then disables the
-Wformat-overflow= warning for the sprintf call (I prefer that to the
use of strftime, as being more transparently correct without knowing
what each of %m and %M etc. is).
I do not know why this build failure should be new with mainline GCC
(that is, I don't know what GCC change might have introduced it, when
the basic functionality for such warnings was already in GCC 7).
I do not know if this is a security issue (that is, if there are
plausible ways in which a date before -999 or after 9999 from an
untrusted source might end up in this function). The system clock is
arguably an untrusted source (in that e.g. NTP is insecure), but
probably not to that extent (NTP can't communicate such wild
timestamps), and uses from within glibc are limited to 32-bit inputs.
Tested with build-many-glibcs.py that this restores the build for arm
with yesterday's mainline GCC. Also tested for x86_64 and x86.
[BZ #22463]
* resolv/res_debug.c: Include <libc-diag.h>.
(p_secstodate): Assert time_t at least as wide as u_long. On
overflow, use integer seconds since the epoch as output, or use
"<overflow>" as output and set errno to EOVERFLOW if integer
seconds since the epoch would be 14 or more characters.
(p_secstodate) [__GNUC_PREREQ (7, 0)]: Disable -Wformat-overflow=
for sprintf call.
* resolv/tst-p_secstodate.c: New file.
* resolv/Makefile (tests): Add tst-p_secstodate.
($(objpfx)tst-p_secstodate): Depend on $(objpfx)libresolv.so.
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 12 ++++++++
resolv/Makefile | 2 +
resolv/res_debug.c | 24 +++++++++++++++-
resolv/tst-p_secstodate.c | 67 +++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 104 insertions(+), 1 deletions(-)
create mode 100644 resolv/tst-p_secstodate.c
Fixed for 2.27. This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.26/master has been updated
via 33f5de7a79b27b9dce30a46d6681974653a85004 (commit)
via 6ae2ca620a955f1e3465e58b5180c5a7fd596dd0 (commit)
via fe5978e1a5d7419de3a779823fb5ed0d1dcee8ff (commit)
via 70e810a30cb15d0b54118f8eb92aa656b945b984 (commit)
via dd03d15e283de6c2fff8f5204b092e9d9d127cc6 (commit)
via 935cecfe9a4c9bf0396766f5e2b24570f92317ae (commit)
via 3fb525c1033c70693d78010d01472bd0ed96e25f (commit)
via 636f49ba925d5fe677212bb94b20f2c5e67d4a4f (commit)
via d161b294e1267ca275352c26850255c5efc998de (commit)
via e37ec9c813de3faeabc31d9ffc896ba45b4dfd5f (commit)
via 27611fd05b444042de4a718c2f21e9efae755825 (commit)
from 48bef587bfd4b6c11ae227075eb1492b10a395a8 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=33f5de7a79b27b9dce30a46d6681974653a85004
commit 33f5de7a79b27b9dce30a46d6681974653a85004
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Dec 18 22:55:28 2017 +0000
Disable -Wrestrict for two nptl/tst-attr3.c tests.
nptl/tst-attr3 fails to build with GCC mainline because of
(deliberate) aliasing between the second (attributes) and fourth
(argument to thread start routine) arguments to pthread_create.
Although both those arguments are restrict-qualified in POSIX,
pthread_create does not actually dereference its fourth argument; it's
an opaque pointer passed to the thread start routine. Thus, the
aliasing is actually valid in this case, and it's deliberate in the
test. So this patch makes the test disable -Wrestrict for the two
pthread_create calls in question. (-Wrestrict was added in GCC 7,
hence the __GNUC_PREREQ conditions, but the particular warning in
question is new in GCC 8.)
Tested compilation with build-many-glibcs.py for aarch64-linux-gnu.
* nptl/tst-attr3.c: Include <libc-diag.h>.
(do_test) [__GNUC_PREREQ (7, 0)]: Ignore -Wrestrict for two tests.
(cherry picked from commit 40c4162df6766fb1e8ede875ca8df25d8075d3a5)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ae2ca620a955f1e3465e58b5180c5a7fd596dd0
commit 6ae2ca620a955f1e3465e58b5180c5a7fd596dd0
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Nov 14 17:50:36 2017 +0000
Fix string/bug-strncat1.c build with GCC 8.
GCC 8 warns about strncat calls with truncated output.
string/bug-strncat1.c tests such a call; this patch disables the
warning for it.
Tested (compilation) with GCC 8 for x86_64-linux-gnu with
build-many-glibcs.py (in conjunction with Martin's patch to allow
glibc to build).
* string/bug-strncat1.c: Include <libc-diag.h>.
(main): Disable -Wstringop-truncation for strncat call for GCC 8.
(cherry picked from commit ec72135e5f1d061cb5cf7cd1b855fd6290be10d9)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fe5978e1a5d7419de3a779823fb5ed0d1dcee8ff
commit fe5978e1a5d7419de3a779823fb5ed0d1dcee8ff
Author: Joseph Myers <joseph@codesourcery.com>
Date: Thu Jun 14 14:20:00 2018 +0000
Ignore -Wrestrict for one strncat test.
With current GCC mainline, one strncat test involving a size close to
SIZE_MAX results in a -Wrestrict warning that that buffer size would
imply that the two buffers must overlap. This patch fixes the build
by adding disabling of -Wrestrict (for GCC versions supporting that
option) to the already-present disabling of -Wstringop-overflow= and
-Warray-bounds for this test.
Tested with build-many-glibcs.py that this restores the testsuite
build with GCC mainline for aarch64-linux-gnu.
* string/tester.c (test_strncat) [__GNUC_PREREQ (7, 0)]: Also
ignore -Wrestrict for one test.
(cherry picked from commit 35ebb6b0c48bc671d9c54e089884f9bf6fca540e)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=70e810a30cb15d0b54118f8eb92aa656b945b984
commit 70e810a30cb15d0b54118f8eb92aa656b945b984
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Dec 18 22:52:41 2017 +0000
Disable strncat test array-bounds warnings for GCC 8.
Some strncat tests fail to build with GCC 8 because of -Warray-bounds
warnings. These tests are deliberately test over-large size arguments
passed to strncat, and already disable -Wstringop-overflow warnings,
but now the warnings for these tests come under -Warray-bounds so that
option needs disabling for them as well, which this patch does (with
an update on the comments; the DIAG_IGNORE_NEEDS_COMMENT call for
-Warray-bounds doesn't need to be conditional itself, because that
option is supported by all versions of GCC that can build glibc).
Tested compilation with build-many-glibcs.py for aarch64-linux-gnu.
* string/tester.c (test_strncat): Also disable -Warray-bounds
warnings for two tests.
(cherry picked from commit 1421f39b7eadd3b5fbd2a3f2da1fc006b69fbc42)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dd03d15e283de6c2fff8f5204b092e9d9d127cc6
commit dd03d15e283de6c2fff8f5204b092e9d9d127cc6
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Nov 14 17:52:26 2017 +0000
Fix string/tester.c build with GCC 8.
GCC 8 warns about more cases of string functions truncating their
output or not copying a trailing NUL byte.
This patch fixes testsuite build failures caused by such warnings in
string/tester.c. In general, the warnings are disabled around the
relevant calls using DIAG_* macros, since the relevant cases are being
deliberately tested. In one case, the warning is with
-Wstringop-overflow= instead of -Wstringop-truncation; in that case,
the conditional is __GNUC_PREREQ (7, 0) (being the version where
-Wstringop-overflow= was introduced), to allow the conditional to be
removed sooner, since it's harmless to disable the warning for a
GCC version where it doesn't actually occur. In the case of warnings
for strncpy calls in test_memcmp, the calls in question are changed to
use memcpy, as they don't copy a trailing NUL and the point of that
code is to test memcmp rather than strncpy.
Tested (compilation) with GCC 8 for x86_64-linux-gnu with
build-many-glibcs.py (in conjunction with Martin's patch to allow
glibc to build).
* string/tester.c (test_stpncpy): Disable -Wstringop-truncation
for stpncpy calls for GCC 8.
(test_strncat): Disable -Wstringop-truncation warning for strncat
calls for GCC 8. Disable -Wstringop-overflow= warning for one
strncat call for GCC 7.
(test_strncpy): Disable -Wstringop-truncation warning for strncpy
calls for GCC 8.
(test_memcmp): Use memcpy instead of strncpy for calls not copying
trailing NUL.
(cherry picked from commit 2e64ec9c9eac3aeb70f7cfa2392846c87c28068e)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=935cecfe9a4c9bf0396766f5e2b24570f92317ae
commit 935cecfe9a4c9bf0396766f5e2b24570f92317ae
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Oct 22 14:08:12 2018 +0200
Fix nscd readlink argument aliasing (bug 22446).
Current GCC mainline detects that nscd calls readlink with the same
buffer for both input and output, which is not valid (those arguments
are both restrict-qualified in POSIX). This patch makes it use a
separate buffer for readlink's input (with a size that is sufficient
to avoid truncation, so there should be no problems with warnings
about possible truncation, though not strictly minimal, but much
smaller than the buffer for output) to avoid this problem.
Tested compilation for aarch64-linux-gnu with build-many-glibcs.py.
[BZ #22446]
* nscd/connections.c (handle_request) [SO_PEERCRED]: Use separate
buffers for readlink input and output.
(cherry picked from commit 49b036bce9f021ae994a85aee8b410d20b29c8b7)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3fb525c1033c70693d78010d01472bd0ed96e25f
commit 3fb525c1033c70693d78010d01472bd0ed96e25f
Author: Steve Ellcey <sellcey@caviumnetworks.com>
Date: Fri Dec 15 09:08:23 2017 -0800
Increase buffer size due to warning from ToT GCC
* nscd/dbg_log.c (dbg_log): Increase msg buffer size.
(cherry picked from commit a7e3edf4f252fb72afeb8ecca946a2d8294bb577)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=636f49ba925d5fe677212bb94b20f2c5e67d4a4f
commit 636f49ba925d5fe677212bb94b20f2c5e67d4a4f
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Oct 22 13:58:06 2018 +0200
Fix p_secstodate overflow handling (bug 22463).
The resolv/res_debug.c function p_secstodate (which is a public
function exported from libresolv, taking an unsigned long argument)
does:
struct tm timebuf;
time = __gmtime_r(&clock, &timebuf);
time->tm_year += 1900;
time->tm_mon += 1;
sprintf(output, "%04d%02d%02d%02d%02d%02d",
time->tm_year, time->tm_mon, time->tm_mday,
time->tm_hour, time->tm_min, time->tm_sec);
If __gmtime_r returns NULL (because the year overflows the range of
int), this will dereference a null pointer. Otherwise, if the
computed year does not fit in four characters, this will cause a
buffer overrun of the fixed-size 15-byte buffer. With current GCC
mainline, there is a compilation failure because of the possible
buffer overrun.
I couldn't find a specification for how this function is meant to
behave, but Paul pointed to RFC 4034 as relevant to the cases where
this function is called from within glibc. The function's interface
is inherently problematic when dates beyond Y2038 might be involved,
because of the ambiguity in how to interpret 32-bit timestamps as such
dates (the RFC suggests interpreting times as being within 68 years of
the present date, which would mean some kind of interface whose
behavior depends on the present date).
This patch works on the basis of making a minimal fix in preparation
for obsoleting the function. The function is made to handle times in
the interval [0, 0x7fffffff] only, on all platforms, with <overflow>
used as the output string in other cases (and errno set to EOVERFLOW
in such cases). This seems to be a reasonable state for the function
to be in when made a compat symbol by a future patch, being compatible
with any existing uses for existing timestamps without trying to work
for later timestamps. Results independent of the range of time_t also
simplify the testcase.
I couldn't persuade GCC to recognize the ranges of the struct tm
fields by adding explicit range checks with a call to
__builtin_unreachable if outside the range (this looks similar to
<https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80776>), so having added
a range check on the input, this patch then disables the
-Wformat-overflow= warning for the sprintf call (I prefer that to the
use of strftime, as being more transparently correct without knowing
what each of %m and %M etc. is).
I do not know why this build failure should be new with mainline GCC
(that is, I don't know what GCC change might have introduced it, when
the basic functionality for such warnings was already in GCC 7).
I do not know if this is a security issue (that is, if there are
plausible ways in which a date before -999 or after 9999 from an
untrusted source might end up in this function). The system clock is
arguably an untrusted source (in that e.g. NTP is insecure), but
probably not to that extent (NTP can't communicate such wild
timestamps), and uses from within glibc are limited to 32-bit inputs.
Tested with build-many-glibcs.py that this restores the build for arm
with yesterday's mainline GCC. Also tested for x86_64 and x86.
[BZ #22463]
* resolv/res_debug.c: Include <libc-diag.h>.
(p_secstodate): Assert time_t at least as wide as u_long. On
overflow, use integer seconds since the epoch as output, or use
"<overflow>" as output and set errno to EOVERFLOW if integer
seconds since the epoch would be 14 or more characters.
(p_secstodate) [__GNUC_PREREQ (7, 0)]: Disable -Wformat-overflow=
for sprintf call.
* resolv/tst-p_secstodate.c: New file.
* resolv/Makefile (tests): Add tst-p_secstodate.
($(objpfx)tst-p_secstodate): Depend on $(objpfx)libresolv.so.
(cherry picked from commit f120cda6072d830df92656dad0c89967547b97dc)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d161b294e1267ca275352c26850255c5efc998de
commit d161b294e1267ca275352c26850255c5efc998de
Author: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun Nov 12 22:00:28 2017 -0800
timezone: pacify GCC -Wstringop-truncation
Problem reported by Martin Sebor in:
https://sourceware.org/ml/libc-alpha/2017-11/msg00336.html
* timezone/zic.c (writezone): Use memcpy, not strncpy.
(cherry picked from commit e69897bf202e18034cbef26f363bae64de70a196)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e37ec9c813de3faeabc31d9ffc896ba45b4dfd5f
commit e37ec9c813de3faeabc31d9ffc896ba45b4dfd5f
Author: Martin Sebor <msebor@redhat.com>
Date: Wed Nov 15 17:39:59 2017 -0700
utmp: Avoid -Wstringop-truncation warning
The -Wstringop-truncation option new in GCC 8 detects common misuses
of the strncat and strncpy function that may result in truncating
the copied string before the terminating NUL. To avoid false positive
warnings for correct code that intentionally creates sequences of
characters that aren't guaranteed to be NUL-terminated, arrays that
are intended to store such sequences should be decorated with a new
nonstring attribute. This change add this attribute to Glibc and
uses it to suppress such false positives.
ChangeLog:
* misc/sys/cdefs.h (__attribute_nonstring__): New macro.
* sysdeps/gnu/bits/utmp.h (struct utmp): Use it.
* sysdeps/unix/sysv/linux/s390/bits/utmp.h (struct utmp): Same.
(cherry picked from commit 7532837d7b03b3ca5b9a63d77a5bd81dd23f3d9c)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=27611fd05b444042de4a718c2f21e9efae755825
commit 27611fd05b444042de4a718c2f21e9efae755825
Author: Joseph Myers <joseph@codesourcery.com>
Date: Wed Nov 22 18:44:23 2017 +0000
Avoid use of strlen in getlogin_r (bug 22447).
Building glibc with current mainline GCC fails, among other reasons,
because of an error for use of strlen on the nonstring ut_user field.
This patch changes the problem code in getlogin_r to use __strnlen
instead. It also needs to set the trailing NUL byte of the result
explicitly, because of the case where ut_user does not have such a
trailing NUL byte (but the result should always have one).
Tested for x86_64. Also tested that, in conjunction with
<https://sourceware.org/ml/libc-alpha/2017-11/msg00797.html>, it fixes
the build for arm with mainline GCC.
[BZ #22447]
* sysdeps/unix/getlogin_r.c (__getlogin_r): Use __strnlen not
strlen to compute length of ut_user and set trailing NUL byte of
result explicitly.
(cherry picked from commit 4bae615022cb5a5da79ccda83cc6c9ba9f2d479c)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 76 ++++++++++++++++++++++++++++++
NEWS | 3 +
misc/sys/cdefs.h | 9 ++++
nptl/tst-attr3.c | 19 +++++++
nscd/connections.c | 5 +-
nscd/dbg_log.c | 2 +-
resolv/Makefile | 3 +-
resolv/res_debug.c | 24 +++++++++-
resolv/tst-p_secstodate.c | 67 ++++++++++++++++++++++++++
string/bug-strncat1.c | 8 +++
string/tester.c | 58 +++++++++++++++++++++--
sysdeps/gnu/bits/utmp.h | 9 ++-
sysdeps/unix/getlogin_r.c | 5 +-
sysdeps/unix/sysv/linux/s390/bits/utmp.h | 9 ++-
timezone/zic.c | 2 +-
15 files changed, 281 insertions(+), 18 deletions(-)
create mode 100644 resolv/tst-p_secstodate.c
|
The resolv/res_debug.c function p_secstodate does: struct tm timebuf; time = __gmtime_r(&clock, &timebuf); time->tm_year += 1900; time->tm_mon += 1; sprintf(output, "%04d%02d%02d%02d%02d%02d", time->tm_year, time->tm_mon, time->tm_mday, time->tm_hour, time->tm_min, time->tm_sec); If __gmtime_r returns NULL (because the year overflows the range of int), this will dereference a null pointer. Otherwise, if the computed year does not fit in four characters, this will cause a buffer overrun of the fixed-size 15-byte buffer. With current GCC mainline, there is a compilation failure (the estimate of possible output size is excessive because GCC doesn't know the range limits on most of the fields - putting checks on the ranges that call __builtin_unreachable or abort on failure would probably suffice to tell GCC the possible size of output for fields other than tm_year - but for tm_year there is a genuine buffer overrun bug if called for times that involve large years): res_debug.c:1069:23: error: '%02d' directive writing between 2 and 11 bytes into a region of size between 4 and 11 [-Werror=format-overflow=] sprintf(output, "%04d%02d%02d%02d%02d%02d", ^~~~ res_debug.c:1069:18: note: directive argument in the range [-2147483647, 2147483647] sprintf(output, "%04d%02d%02d%02d%02d%02d", ^~~~~~~~~~~~~~~~~~~~~~~~~~ res_debug.c:1069:2: note: 'sprintf' output between 15 and 67 bytes into a destination of size 15 sprintf(output, "%04d%02d%02d%02d%02d%02d", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ time->tm_year, time->tm_mon, time->tm_mday, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ time->tm_hour, time->tm_min, time->tm_sec); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~