This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [patch] Fix BZ 19165 -- overflow in fread / fwrite

On Thu, Dec 10, 2015 at 11:53:04AM -0800, Paul Pluzhnikov wrote:
> On Thu, Dec 10, 2015 at 11:49 AM, Florian Weimer <> wrote:
> > On 12/10/2015 08:43 PM, Paul Pluzhnikov wrote:
> >> I'll un-assign BZ19165 from myself instead.
> >
> > Do you mind if I try to move this forward?
> Not at all (I thought that's exactly what un-assigning myself means:
> let someone else take a stab ;-)

I think the problem may be even worse than we all expected. I've been
trying to fix the corresponding issue in musl, and it looks like the
_kernel_ is spuriously failing these reads with EFAULT by pre-checking
the validity of the potential destination address range rather than
only checking if there would actually be data to copy. I haven't yet
dug into the kernel sources to figure out why this is happening but
read(2), readv(2), pread(2), etc. are probably all affected and I'm
skeptical of whether it makes sense to try to work around this in
libc. We should probably seek clarificatin from the Austin Group on
whether those interfaces are intended to have well-defined behavior
when the nbytes argument is greater than the size of the buffer. For
fread it's WG14's domain and getting a good answer from them on
whether invalid size yields UB is probably going to be difficult...


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]