The resolv/res_debug.c function p_secstodate does: struct tm timebuf; time = __gmtime_r(&clock, &timebuf); time->tm_year += 1900; time->tm_mon += 1; sprintf(output, "%04d%02d%02d%02d%02d%02d", time->tm_year, time->tm_mon, time->tm_mday, time->tm_hour, time->tm_min, time->tm_sec); If __gmtime_r returns NULL (because the year overflows the range of int), this will dereference a null pointer. Otherwise, if the computed year does not fit in four characters, this will cause a buffer overrun of the fixed-size 15-byte buffer. With current GCC mainline, there is a compilation failure (the estimate of possible output size is excessive because GCC doesn't know the range limits on most of the fields - putting checks on the ranges that call __builtin_unreachable or abort on failure would probably suffice to tell GCC the possible size of output for fields other than tm_year - but for tm_year there is a genuine buffer overrun bug if called for times that involve large years): res_debug.c:1069:23: error: '%02d' directive writing between 2 and 11 bytes into a region of size between 4 and 11 [-Werror=format-overflow=] sprintf(output, "%04d%02d%02d%02d%02d%02d", ^~~~ res_debug.c:1069:18: note: directive argument in the range [-2147483647, 2147483647] sprintf(output, "%04d%02d%02d%02d%02d%02d", ^~~~~~~~~~~~~~~~~~~~~~~~~~ res_debug.c:1069:2: note: 'sprintf' output between 15 and 67 bytes into a destination of size 15 sprintf(output, "%04d%02d%02d%02d%02d%02d", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ time->tm_year, time->tm_mon, time->tm_mday, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ time->tm_hour, time->tm_min, time->tm_sec); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources". The branch, master has been updated via f120cda6072d830df92656dad0c89967547b97dc (commit) from a90d1ac2d2f7b20a9df676ac9bd0aa512ab5b708 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f120cda6072d830df92656dad0c89967547b97dc commit f120cda6072d830df92656dad0c89967547b97dc Author: Joseph Myers <joseph@codesourcery.com> Date: Wed Nov 22 22:12:07 2017 +0000 Fix p_secstodate overflow handling (bug 22463). The resolv/res_debug.c function p_secstodate (which is a public function exported from libresolv, taking an unsigned long argument) does: struct tm timebuf; time = __gmtime_r(&clock, &timebuf); time->tm_year += 1900; time->tm_mon += 1; sprintf(output, "%04d%02d%02d%02d%02d%02d", time->tm_year, time->tm_mon, time->tm_mday, time->tm_hour, time->tm_min, time->tm_sec); If __gmtime_r returns NULL (because the year overflows the range of int), this will dereference a null pointer. Otherwise, if the computed year does not fit in four characters, this will cause a buffer overrun of the fixed-size 15-byte buffer. With current GCC mainline, there is a compilation failure because of the possible buffer overrun. I couldn't find a specification for how this function is meant to behave, but Paul pointed to RFC 4034 as relevant to the cases where this function is called from within glibc. The function's interface is inherently problematic when dates beyond Y2038 might be involved, because of the ambiguity in how to interpret 32-bit timestamps as such dates (the RFC suggests interpreting times as being within 68 years of the present date, which would mean some kind of interface whose behavior depends on the present date). This patch works on the basis of making a minimal fix in preparation for obsoleting the function. The function is made to handle times in the interval [0, 0x7fffffff] only, on all platforms, with <overflow> used as the output string in other cases (and errno set to EOVERFLOW in such cases). This seems to be a reasonable state for the function to be in when made a compat symbol by a future patch, being compatible with any existing uses for existing timestamps without trying to work for later timestamps. Results independent of the range of time_t also simplify the testcase. I couldn't persuade GCC to recognize the ranges of the struct tm fields by adding explicit range checks with a call to __builtin_unreachable if outside the range (this looks similar to <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80776>), so having added a range check on the input, this patch then disables the -Wformat-overflow= warning for the sprintf call (I prefer that to the use of strftime, as being more transparently correct without knowing what each of %m and %M etc. is). I do not know why this build failure should be new with mainline GCC (that is, I don't know what GCC change might have introduced it, when the basic functionality for such warnings was already in GCC 7). I do not know if this is a security issue (that is, if there are plausible ways in which a date before -999 or after 9999 from an untrusted source might end up in this function). The system clock is arguably an untrusted source (in that e.g. NTP is insecure), but probably not to that extent (NTP can't communicate such wild timestamps), and uses from within glibc are limited to 32-bit inputs. Tested with build-many-glibcs.py that this restores the build for arm with yesterday's mainline GCC. Also tested for x86_64 and x86. [BZ #22463] * resolv/res_debug.c: Include <libc-diag.h>. (p_secstodate): Assert time_t at least as wide as u_long. On overflow, use integer seconds since the epoch as output, or use "<overflow>" as output and set errno to EOVERFLOW if integer seconds since the epoch would be 14 or more characters. (p_secstodate) [__GNUC_PREREQ (7, 0)]: Disable -Wformat-overflow= for sprintf call. * resolv/tst-p_secstodate.c: New file. * resolv/Makefile (tests): Add tst-p_secstodate. ($(objpfx)tst-p_secstodate): Depend on $(objpfx)libresolv.so. ----------------------------------------------------------------------- Summary of changes: ChangeLog | 12 ++++++++ resolv/Makefile | 2 + resolv/res_debug.c | 24 +++++++++++++++- resolv/tst-p_secstodate.c | 67 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 104 insertions(+), 1 deletions(-) create mode 100644 resolv/tst-p_secstodate.c
Fixed for 2.27.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources". The branch, release/2.26/master has been updated via 33f5de7a79b27b9dce30a46d6681974653a85004 (commit) via 6ae2ca620a955f1e3465e58b5180c5a7fd596dd0 (commit) via fe5978e1a5d7419de3a779823fb5ed0d1dcee8ff (commit) via 70e810a30cb15d0b54118f8eb92aa656b945b984 (commit) via dd03d15e283de6c2fff8f5204b092e9d9d127cc6 (commit) via 935cecfe9a4c9bf0396766f5e2b24570f92317ae (commit) via 3fb525c1033c70693d78010d01472bd0ed96e25f (commit) via 636f49ba925d5fe677212bb94b20f2c5e67d4a4f (commit) via d161b294e1267ca275352c26850255c5efc998de (commit) via e37ec9c813de3faeabc31d9ffc896ba45b4dfd5f (commit) via 27611fd05b444042de4a718c2f21e9efae755825 (commit) from 48bef587bfd4b6c11ae227075eb1492b10a395a8 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=33f5de7a79b27b9dce30a46d6681974653a85004 commit 33f5de7a79b27b9dce30a46d6681974653a85004 Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Dec 18 22:55:28 2017 +0000 Disable -Wrestrict for two nptl/tst-attr3.c tests. nptl/tst-attr3 fails to build with GCC mainline because of (deliberate) aliasing between the second (attributes) and fourth (argument to thread start routine) arguments to pthread_create. Although both those arguments are restrict-qualified in POSIX, pthread_create does not actually dereference its fourth argument; it's an opaque pointer passed to the thread start routine. Thus, the aliasing is actually valid in this case, and it's deliberate in the test. So this patch makes the test disable -Wrestrict for the two pthread_create calls in question. (-Wrestrict was added in GCC 7, hence the __GNUC_PREREQ conditions, but the particular warning in question is new in GCC 8.) Tested compilation with build-many-glibcs.py for aarch64-linux-gnu. * nptl/tst-attr3.c: Include <libc-diag.h>. (do_test) [__GNUC_PREREQ (7, 0)]: Ignore -Wrestrict for two tests. (cherry picked from commit 40c4162df6766fb1e8ede875ca8df25d8075d3a5) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ae2ca620a955f1e3465e58b5180c5a7fd596dd0 commit 6ae2ca620a955f1e3465e58b5180c5a7fd596dd0 Author: Joseph Myers <joseph@codesourcery.com> Date: Tue Nov 14 17:50:36 2017 +0000 Fix string/bug-strncat1.c build with GCC 8. GCC 8 warns about strncat calls with truncated output. string/bug-strncat1.c tests such a call; this patch disables the warning for it. Tested (compilation) with GCC 8 for x86_64-linux-gnu with build-many-glibcs.py (in conjunction with Martin's patch to allow glibc to build). * string/bug-strncat1.c: Include <libc-diag.h>. (main): Disable -Wstringop-truncation for strncat call for GCC 8. (cherry picked from commit ec72135e5f1d061cb5cf7cd1b855fd6290be10d9) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fe5978e1a5d7419de3a779823fb5ed0d1dcee8ff commit fe5978e1a5d7419de3a779823fb5ed0d1dcee8ff Author: Joseph Myers <joseph@codesourcery.com> Date: Thu Jun 14 14:20:00 2018 +0000 Ignore -Wrestrict for one strncat test. With current GCC mainline, one strncat test involving a size close to SIZE_MAX results in a -Wrestrict warning that that buffer size would imply that the two buffers must overlap. This patch fixes the build by adding disabling of -Wrestrict (for GCC versions supporting that option) to the already-present disabling of -Wstringop-overflow= and -Warray-bounds for this test. Tested with build-many-glibcs.py that this restores the testsuite build with GCC mainline for aarch64-linux-gnu. * string/tester.c (test_strncat) [__GNUC_PREREQ (7, 0)]: Also ignore -Wrestrict for one test. (cherry picked from commit 35ebb6b0c48bc671d9c54e089884f9bf6fca540e) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=70e810a30cb15d0b54118f8eb92aa656b945b984 commit 70e810a30cb15d0b54118f8eb92aa656b945b984 Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Dec 18 22:52:41 2017 +0000 Disable strncat test array-bounds warnings for GCC 8. Some strncat tests fail to build with GCC 8 because of -Warray-bounds warnings. These tests are deliberately test over-large size arguments passed to strncat, and already disable -Wstringop-overflow warnings, but now the warnings for these tests come under -Warray-bounds so that option needs disabling for them as well, which this patch does (with an update on the comments; the DIAG_IGNORE_NEEDS_COMMENT call for -Warray-bounds doesn't need to be conditional itself, because that option is supported by all versions of GCC that can build glibc). Tested compilation with build-many-glibcs.py for aarch64-linux-gnu. * string/tester.c (test_strncat): Also disable -Warray-bounds warnings for two tests. (cherry picked from commit 1421f39b7eadd3b5fbd2a3f2da1fc006b69fbc42) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dd03d15e283de6c2fff8f5204b092e9d9d127cc6 commit dd03d15e283de6c2fff8f5204b092e9d9d127cc6 Author: Joseph Myers <joseph@codesourcery.com> Date: Tue Nov 14 17:52:26 2017 +0000 Fix string/tester.c build with GCC 8. GCC 8 warns about more cases of string functions truncating their output or not copying a trailing NUL byte. This patch fixes testsuite build failures caused by such warnings in string/tester.c. In general, the warnings are disabled around the relevant calls using DIAG_* macros, since the relevant cases are being deliberately tested. In one case, the warning is with -Wstringop-overflow= instead of -Wstringop-truncation; in that case, the conditional is __GNUC_PREREQ (7, 0) (being the version where -Wstringop-overflow= was introduced), to allow the conditional to be removed sooner, since it's harmless to disable the warning for a GCC version where it doesn't actually occur. In the case of warnings for strncpy calls in test_memcmp, the calls in question are changed to use memcpy, as they don't copy a trailing NUL and the point of that code is to test memcmp rather than strncpy. Tested (compilation) with GCC 8 for x86_64-linux-gnu with build-many-glibcs.py (in conjunction with Martin's patch to allow glibc to build). * string/tester.c (test_stpncpy): Disable -Wstringop-truncation for stpncpy calls for GCC 8. (test_strncat): Disable -Wstringop-truncation warning for strncat calls for GCC 8. Disable -Wstringop-overflow= warning for one strncat call for GCC 7. (test_strncpy): Disable -Wstringop-truncation warning for strncpy calls for GCC 8. (test_memcmp): Use memcpy instead of strncpy for calls not copying trailing NUL. (cherry picked from commit 2e64ec9c9eac3aeb70f7cfa2392846c87c28068e) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=935cecfe9a4c9bf0396766f5e2b24570f92317ae commit 935cecfe9a4c9bf0396766f5e2b24570f92317ae Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Oct 22 14:08:12 2018 +0200 Fix nscd readlink argument aliasing (bug 22446). Current GCC mainline detects that nscd calls readlink with the same buffer for both input and output, which is not valid (those arguments are both restrict-qualified in POSIX). This patch makes it use a separate buffer for readlink's input (with a size that is sufficient to avoid truncation, so there should be no problems with warnings about possible truncation, though not strictly minimal, but much smaller than the buffer for output) to avoid this problem. Tested compilation for aarch64-linux-gnu with build-many-glibcs.py. [BZ #22446] * nscd/connections.c (handle_request) [SO_PEERCRED]: Use separate buffers for readlink input and output. (cherry picked from commit 49b036bce9f021ae994a85aee8b410d20b29c8b7) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3fb525c1033c70693d78010d01472bd0ed96e25f commit 3fb525c1033c70693d78010d01472bd0ed96e25f Author: Steve Ellcey <sellcey@caviumnetworks.com> Date: Fri Dec 15 09:08:23 2017 -0800 Increase buffer size due to warning from ToT GCC * nscd/dbg_log.c (dbg_log): Increase msg buffer size. (cherry picked from commit a7e3edf4f252fb72afeb8ecca946a2d8294bb577) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=636f49ba925d5fe677212bb94b20f2c5e67d4a4f commit 636f49ba925d5fe677212bb94b20f2c5e67d4a4f Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Oct 22 13:58:06 2018 +0200 Fix p_secstodate overflow handling (bug 22463). The resolv/res_debug.c function p_secstodate (which is a public function exported from libresolv, taking an unsigned long argument) does: struct tm timebuf; time = __gmtime_r(&clock, &timebuf); time->tm_year += 1900; time->tm_mon += 1; sprintf(output, "%04d%02d%02d%02d%02d%02d", time->tm_year, time->tm_mon, time->tm_mday, time->tm_hour, time->tm_min, time->tm_sec); If __gmtime_r returns NULL (because the year overflows the range of int), this will dereference a null pointer. Otherwise, if the computed year does not fit in four characters, this will cause a buffer overrun of the fixed-size 15-byte buffer. With current GCC mainline, there is a compilation failure because of the possible buffer overrun. I couldn't find a specification for how this function is meant to behave, but Paul pointed to RFC 4034 as relevant to the cases where this function is called from within glibc. The function's interface is inherently problematic when dates beyond Y2038 might be involved, because of the ambiguity in how to interpret 32-bit timestamps as such dates (the RFC suggests interpreting times as being within 68 years of the present date, which would mean some kind of interface whose behavior depends on the present date). This patch works on the basis of making a minimal fix in preparation for obsoleting the function. The function is made to handle times in the interval [0, 0x7fffffff] only, on all platforms, with <overflow> used as the output string in other cases (and errno set to EOVERFLOW in such cases). This seems to be a reasonable state for the function to be in when made a compat symbol by a future patch, being compatible with any existing uses for existing timestamps without trying to work for later timestamps. Results independent of the range of time_t also simplify the testcase. I couldn't persuade GCC to recognize the ranges of the struct tm fields by adding explicit range checks with a call to __builtin_unreachable if outside the range (this looks similar to <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80776>), so having added a range check on the input, this patch then disables the -Wformat-overflow= warning for the sprintf call (I prefer that to the use of strftime, as being more transparently correct without knowing what each of %m and %M etc. is). I do not know why this build failure should be new with mainline GCC (that is, I don't know what GCC change might have introduced it, when the basic functionality for such warnings was already in GCC 7). I do not know if this is a security issue (that is, if there are plausible ways in which a date before -999 or after 9999 from an untrusted source might end up in this function). The system clock is arguably an untrusted source (in that e.g. NTP is insecure), but probably not to that extent (NTP can't communicate such wild timestamps), and uses from within glibc are limited to 32-bit inputs. Tested with build-many-glibcs.py that this restores the build for arm with yesterday's mainline GCC. Also tested for x86_64 and x86. [BZ #22463] * resolv/res_debug.c: Include <libc-diag.h>. (p_secstodate): Assert time_t at least as wide as u_long. On overflow, use integer seconds since the epoch as output, or use "<overflow>" as output and set errno to EOVERFLOW if integer seconds since the epoch would be 14 or more characters. (p_secstodate) [__GNUC_PREREQ (7, 0)]: Disable -Wformat-overflow= for sprintf call. * resolv/tst-p_secstodate.c: New file. * resolv/Makefile (tests): Add tst-p_secstodate. ($(objpfx)tst-p_secstodate): Depend on $(objpfx)libresolv.so. (cherry picked from commit f120cda6072d830df92656dad0c89967547b97dc) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d161b294e1267ca275352c26850255c5efc998de commit d161b294e1267ca275352c26850255c5efc998de Author: Paul Eggert <eggert@cs.ucla.edu> Date: Sun Nov 12 22:00:28 2017 -0800 timezone: pacify GCC -Wstringop-truncation Problem reported by Martin Sebor in: https://sourceware.org/ml/libc-alpha/2017-11/msg00336.html * timezone/zic.c (writezone): Use memcpy, not strncpy. (cherry picked from commit e69897bf202e18034cbef26f363bae64de70a196) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e37ec9c813de3faeabc31d9ffc896ba45b4dfd5f commit e37ec9c813de3faeabc31d9ffc896ba45b4dfd5f Author: Martin Sebor <msebor@redhat.com> Date: Wed Nov 15 17:39:59 2017 -0700 utmp: Avoid -Wstringop-truncation warning The -Wstringop-truncation option new in GCC 8 detects common misuses of the strncat and strncpy function that may result in truncating the copied string before the terminating NUL. To avoid false positive warnings for correct code that intentionally creates sequences of characters that aren't guaranteed to be NUL-terminated, arrays that are intended to store such sequences should be decorated with a new nonstring attribute. This change add this attribute to Glibc and uses it to suppress such false positives. ChangeLog: * misc/sys/cdefs.h (__attribute_nonstring__): New macro. * sysdeps/gnu/bits/utmp.h (struct utmp): Use it. * sysdeps/unix/sysv/linux/s390/bits/utmp.h (struct utmp): Same. (cherry picked from commit 7532837d7b03b3ca5b9a63d77a5bd81dd23f3d9c) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=27611fd05b444042de4a718c2f21e9efae755825 commit 27611fd05b444042de4a718c2f21e9efae755825 Author: Joseph Myers <joseph@codesourcery.com> Date: Wed Nov 22 18:44:23 2017 +0000 Avoid use of strlen in getlogin_r (bug 22447). Building glibc with current mainline GCC fails, among other reasons, because of an error for use of strlen on the nonstring ut_user field. This patch changes the problem code in getlogin_r to use __strnlen instead. It also needs to set the trailing NUL byte of the result explicitly, because of the case where ut_user does not have such a trailing NUL byte (but the result should always have one). Tested for x86_64. Also tested that, in conjunction with <https://sourceware.org/ml/libc-alpha/2017-11/msg00797.html>, it fixes the build for arm with mainline GCC. [BZ #22447] * sysdeps/unix/getlogin_r.c (__getlogin_r): Use __strnlen not strlen to compute length of ut_user and set trailing NUL byte of result explicitly. (cherry picked from commit 4bae615022cb5a5da79ccda83cc6c9ba9f2d479c) ----------------------------------------------------------------------- Summary of changes: ChangeLog | 76 ++++++++++++++++++++++++++++++ NEWS | 3 + misc/sys/cdefs.h | 9 ++++ nptl/tst-attr3.c | 19 +++++++ nscd/connections.c | 5 +- nscd/dbg_log.c | 2 +- resolv/Makefile | 3 +- resolv/res_debug.c | 24 +++++++++- resolv/tst-p_secstodate.c | 67 ++++++++++++++++++++++++++ string/bug-strncat1.c | 8 +++ string/tester.c | 58 +++++++++++++++++++++-- sysdeps/gnu/bits/utmp.h | 9 ++- sysdeps/unix/getlogin_r.c | 5 +- sysdeps/unix/sysv/linux/s390/bits/utmp.h | 9 ++- timezone/zic.c | 2 +- 15 files changed, 281 insertions(+), 18 deletions(-) create mode 100644 resolv/tst-p_secstodate.c