Resolves BZ #15618.
pthread_attr_getaffinity_np may write beyond bounds of the input
cpuset buffer if the size of the input buffer is smaller than the
buffer present in the input pthread attributes. Fix is to copy to the
extent of the minimum of the source and the destination.
15380, 15381, 15394, 15395, 15405, 15406, 15409, 15416, 15418, 15419,
15423, 15424, 15426, 15429, 15431, 15432, 15441, 15442, 15448, 15465,
15480, 15485, 15488, 15490, 15493, 15497, 15506, 15529, 15536, 15553,
- 15577, 15583.
+ 15577, 15583, 15618.
* CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
#15078).
+2013-06-13 Siddhesh Poyarekar <siddhesh@redhat.com>
+ Carlos O'Donell <carlos@redhat.com>
+
+ [BZ #15618]
+ * tst-pthread-attr-affinity: New test case.
+ * Makefile (tests): Add it.
+ * sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
+ (__pthread_attr_getaffinity_new): Copy minimum of source and
+ destination sizes to avoid a buffer overrun.
+
2013-06-10 Carlos O'Donell <carlos@redhat.com>
* sysdeps/unix/sysv/linux/i386/lowlevellock.h
tst-exit1 tst-exit2 tst-exit3 \
tst-stdio1 tst-stdio2 \
tst-stack1 tst-stack2 tst-stack3 tst-pthread-getattr \
+ tst-pthread-attr-affinity \
tst-unload \
tst-dlsym1 \
tst-sysconf \
if (((char *) iattr->cpuset)[cnt] != 0)
return EINVAL;
- void *p = mempcpy (cpuset, iattr->cpuset, iattr->cpusetsize);
+ /* Copy over the cpuset from the thread attribute object. Limit the copy
+ to the minimum of the source and destination sizes to prevent a buffer
+ overrun. If the destination is larger, fill the remaining space with
+ zeroes. */
+ void *p = mempcpy (cpuset, iattr->cpuset,
+ MIN (iattr->cpusetsize, cpusetsize));
if (cpusetsize > iattr->cpusetsize)
memset (p, '\0', cpusetsize - iattr->cpusetsize);
}
--- /dev/null
+/* Make sure that pthread_attr_getaffinity_np does not crash when the input
+ cpuset size is smaller than that in the attribute structure.
+
+ Copyright (C) 2013 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <pthread.h>
+#include <stdio.h>
+#include <sched.h>
+#include <errno.h>
+#include <sys/param.h>
+
+
+#define RETURN_IF_FAIL(f, ...) \
+ ({ \
+ int ret = f (__VA_ARGS__); \
+ if (ret != 0) \
+ { \
+ printf ("%s:%d: %s returned %d (errno = %d)\n", __FILE__, __LINE__, \
+ #f, ret, errno); \
+ return ret; \
+ } \
+ })
+
+static int
+do_test (void)
+{
+ for (int i = 0; i < 10; i++)
+ {
+ pthread_attr_t attr;
+ cpu_set_t *cpuset = CPU_ALLOC (512);
+ size_t cpusetsize = CPU_ALLOC_SIZE (512);
+ CPU_ZERO_S (cpusetsize, cpuset);
+
+ RETURN_IF_FAIL (pthread_attr_init, &attr);
+ RETURN_IF_FAIL (pthread_attr_setaffinity_np, &attr, cpusetsize, cpuset);
+ CPU_FREE (cpuset);
+
+ cpuset = CPU_ALLOC (1);
+ cpusetsize = CPU_ALLOC_SIZE (1);
+ RETURN_IF_FAIL (pthread_attr_getaffinity_np, &attr, cpusetsize, cpuset);
+ CPU_FREE (cpuset);
+ }
+ return 0;
+}
+
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"