Bug 28846 - CMSG_NXTHDR may trigger -Wstrict-overflow warning
Summary: CMSG_NXTHDR may trigger -Wstrict-overflow warning
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: network
Version: 2.37
Importance: P2 normal
Target Milestone: 2.37
Assignee: Arjun Shankar
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-01 14:55 UTC by Florian Weimer
Modified: 2022-08-23 10:53 UTC
CC List: 4 users

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Description Florian Weimer 2022-02-01 14:55:19 UTC
Downstream bug report from Andreas Schneider:

“
This is actually a bug in /usr/include/bits/socket.h with -Werror=strict-overflow.


The compiler complains about the CMSG_NXTHDR() macro.


In file included from /usr/include/sys/socket.h:33,
                 from /builddir/build/BUILD/socket_wrapper-1.3.3/src/socket_wrapper.c:50:
In function '__cmsg_nxthdr',
    inlined from 'test_sendmsg_cmsg' at /builddir/build/BUILD/socket_wrapper-1.3.3/tests/test_swrap_unit.c:73:9:
/usr/include/bits/socket.h:322:6: error: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Werror=strict-overflow]
  322 |   if ((unsigned char *) (__cmsg + 1) > ((unsigned char *) __mhdr->msg_control
      |      ^


The line in test_swrap_unit.c:73 is:

73          cmsg = CMSG_NXTHDR(&msg, cmsg);
”


This also impacts the out-of-line internal implementation in sysdeps/unix/sysv/linux/cmsg_nxthdr.c.
Comment 1 Sam James 2022-08-03 23:11:37 UTC
From 9c443ac4559a47ed99859bd80d14dc4b6dd220a1 Mon Sep 17 00:00:00 2001
From: Arjun Shankar <arjun@redhat.com>
Date: Tue, 2 Aug 2022 11:10:25 +0200
Subject: [PATCH] socket: Check lengths before advancing pointer in CMSG_NXTHDR

The inline and library functions that the CMSG_NXTHDR macro may expand
to increment the pointer to the header before checking the stride of
the increment against available space.  Since C only allows incrementing
pointers to one past the end of an array, the increment must be done
after a length check.  This commit fixes that and includes a regression
test for CMSG_FIRSTHDR and CMSG_NXTHDR.

The Linux, Hurd, and generic headers are all changed.

Tested on Linux on armv7hl, i686, x86_64, aarch64, ppc64le, and s390x.

[BZ #28846]

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

(https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=9c443ac4559a47ed99859bd80d14dc4b6dd220a1)
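As an added illustration, written for this page and not taken from glibc, the bug report or the patch, here is a CMSG_NXTHDR-style walker that applies the rule the commit message states: validate cmsg_len and the remaining space first, and only then advance the pointer. The names cmsg_next_checked, build_control, count_cmsgs and walk_with, the EX_CMSG_ALIGN macro and the constructed control buffer (two SCM_RIGHTS messages with made-up descriptor numbers) are all assumptions of the example. Because every check is done on size_t byte offsets, no pointer is ever formed past the end of msg_control, and there is no pointer-against-pointer comparison of the P +- C1 versus P +- C2 form that the warning quoted in the description complains about.

```c
/* Added illustration, not glibc's code: a CMSG_NXTHDR-style walker that
   validates lengths before advancing the pointer.  All names are invented.  */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Same rounding as glibc's CMSG_ALIGN, defined locally for portability.  */
#define EX_CMSG_ALIGN(len) \
  (((len) + sizeof (size_t) - 1) & ~(sizeof (size_t) - 1))
/* Control buffer: one SCM_RIGHTS message of two ints, then one of one int.  */
#define CTRL_SIZE (CMSG_SPACE (2 * sizeof (int)) + CMSG_SPACE (sizeof (int)))

/* Header after CMSG in MHDR's control buffer, or NULL.  Same contract as
   CMSG_NXTHDR: CMSG came from CMSG_FIRSTHDR or an earlier call, so it lies
   inside msg_control.  Every check is on size_t offsets; cmsg_len is
   untrusted until it has been checked, and no pointer is formed past the end.  */
static struct cmsghdr *
cmsg_next_checked (const struct msghdr *mhdr, struct cmsghdr *cmsg)
{
  unsigned char *base = mhdr->msg_control;
  size_t total = mhdr->msg_controllen;
  size_t off = (size_t) ((unsigned char *) cmsg - base);
  if (off > total || total - off < sizeof (struct cmsghdr))
    return NULL;                /* header not fully inside the buffer */
  size_t len = cmsg->cmsg_len;
  if (len < sizeof (struct cmsghdr) || len > total - off)
    return NULL;                /* cmsg_len too small or too large */
  size_t stride = EX_CMSG_ALIGN (len);
  if (stride > total - off)
    return NULL;                /* alignment padding runs past the end */
  size_t next = off + stride;
  if (total - next < sizeof (struct cmsghdr))
    return NULL;                /* no room for a complete next header */
  /* Safe to advance now; the next header's own cmsg_len is checked by the
     following call, as CMSG_NXTHDR does.  */
  return (struct cmsghdr *) (base + next);
}

/* Lay out the two messages in BUF (constructed descriptor numbers, nothing is
   sent) and point MSG at them.  The second slot is located with the checked
   walker.  Returns bytes used, 0 on failure.  */
static size_t
build_control (struct msghdr *msg, unsigned char *buf, size_t buflen)
{
  int two[2] = { 3, 4 }, one = 5;
  if (buflen < CTRL_SIZE)
    return 0;
  memset (msg, 0, sizeof *msg);
  memset (buf, 0, buflen);
  msg->msg_control = buf;
  msg->msg_controllen = CTRL_SIZE;
  struct cmsghdr *c = CMSG_FIRSTHDR (msg);
  c->cmsg_level = SOL_SOCKET;
  c->cmsg_type = SCM_RIGHTS;
  c->cmsg_len = CMSG_LEN (sizeof two);
  memcpy (CMSG_DATA (c), two, sizeof two);
  if ((c = cmsg_next_checked (msg, c)) == NULL)
    return 0;
  c->cmsg_level = SOL_SOCKET;
  c->cmsg_type = SCM_RIGHTS;
  c->cmsg_len = CMSG_LEN (sizeof one);
  memcpy (CMSG_DATA (c), &one, sizeof one);
  return CTRL_SIZE;
}

/* Count headers reachable from CMSG_FIRSTHDR through the checked walker.  */
static int
count_cmsgs (const struct msghdr *msg)
{
  int n = 0;
  for (struct cmsghdr *c = CMSG_FIRSTHDR (msg); c != NULL;
       c = cmsg_next_checked (msg, c))
    n++;
  return n;
}

/* Build the buffer, optionally override msg_controllen and the first header's
   cmsg_len (0 = keep as built), and count what the walker finds.  */
static int
walk_with (size_t controllen, size_t first_len)
{
  unsigned char buf[CTRL_SIZE];
  struct msghdr msg;
  if (build_control (&msg, buf, sizeof buf) == 0)
    return -1;
  if (controllen)
    msg.msg_controllen = controllen;
  struct cmsghdr *first = CMSG_FIRSTHDR (&msg);
  if (first_len)
    first->cmsg_len = first_len;
  return count_cmsgs (&msg);
}

int
main (void)
{
  printf ("well-formed %d, truncated %d, oversized cmsg_len %d\n",
          walk_with (0, 0),
          walk_with (CMSG_SPACE (2 * sizeof (int)) + 4, 0), /* ends mid-header */
          walk_with (0, CTRL_SIZE + 1));
  return 0;
}
```

Build with something like `cc -std=c11 -Wall -Wextra -Werror=strict-overflow cmsg_walk.c`. The well-formed buffer yields two headers; the buffer whose msg_controllen ends partway through the second header, and the buffer whose first cmsg_len claims more bytes than exist, each stop after the first header instead of computing an address for bytes that are not there.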
Comment 2 Sam James 2022-08-03 23:11:51 UTC
Fixed for 2.37.
Comment 3 Sourceware Commits 2022-08-22 16:23:55 UTC
The release/2.36/master branch has been updated by Arjun Shankar <arjun@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5c62874f423af93e97b51bc9a57af228a546156f

commit 5c62874f423af93e97b51bc9a57af228a546156f
Author: Arjun Shankar <arjun@redhat.com>
Date:   Mon Aug 22 18:21:14 2022 +0200

    NEWS: Add entry for bug 28846
Comment 4 Sourceware Commits 2022-08-22 16:27:39 UTC
The release/2.35/master branch has been updated by Arjun Shankar <arjun@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=83f1d9851e0b143991448d41ff50744d9972cb6e

commit 83f1d9851e0b143991448d41ff50744d9972cb6e
Author: Arjun Shankar <arjun@redhat.com>
Date:   Mon Aug 22 18:26:29 2022 +0200

    NEWS: Add entry for bug 28846
Comment 5 Arjun Shankar 2022-08-23 10:53:14 UTC
I have also backported the fixes to 2.36, 2.35, and 2.34.