This is the mail archive of the
mailing list for the glibc project.
Re: [patch] Fix BZ 19165 -- overflow in fread / fwrite
- From: Rich Felker <dalias at libc dot org>
- To: Paul Pluzhnikov <ppluzhnikov at google dot com>
- Cc: Florian Weimer <fweimer at redhat dot com>, Paul Eggert <eggert at cs dot ucla dot edu>, Alexander Cherepanov <ch3root at openwall dot com>, GLIBC Devel <libc-alpha at sourceware dot org>, "Joseph S. Myers" <joseph at codesourcery dot com>
- Date: Wed, 10 Feb 2016 21:26:24 -0500
- Subject: Re: [patch] Fix BZ 19165 -- overflow in fread / fwrite
- Authentication-results: sourceware.org; auth=none
- References: <CALoOobOpSFwNOqD2RbsSQ95+16=xWN=fTpDJZqgPGJPSXCDmEA at mail dot gmail dot com> <20151026200605 dot GI8645 at brightrain dot aerifal dot cx> <CALoOobPxCPN_Lwvc98CevgCJMwHa_9cURZsALsLeG+SPDSF+Xw at mail dot gmail dot com> <CALoOobOn9ni8FXK3W4ZGAEHSnYAEVUn10agEyC8NO62TyWg0ig at mail dot gmail dot com> <562FC0A8 dot 1080603 at openwall dot com> <CALoOobOxcxieyrfNf9Eg=wmymDyKUPZ_F+atPP+Af8dyYjez_w at mail dot gmail dot com> <5665D571 dot 3090504 at cs dot ucla dot edu> <CALoOobOm6waSvc+pS0DeNFDUq11MNL3xn0XeRNp2vVyOw7=pBA at mail dot gmail dot com> <5669D744 dot 5030307 at redhat dot com> <CALoOobNKxTg29=U_V00wTub5u_GdC3-LiEK-zEFgoW8r_s4RXw at mail dot gmail dot com>
On Thu, Dec 10, 2015 at 11:53:04AM -0800, Paul Pluzhnikov wrote:
> On Thu, Dec 10, 2015 at 11:49 AM, Florian Weimer <email@example.com> wrote:
> > On 12/10/2015 08:43 PM, Paul Pluzhnikov wrote:
> >> I'll un-assign BZ19165 from myself instead.
> > Do you mind if I try to move this forward?
> Not at all (I thought that's exactly what un-assigning myself means:
> let someone else take a stab ;-)
I think the problem may be even worse than we all expected. I've been
trying to fix the corresponding issue in musl, and it looks like the
_kernel_ is spuriously failing these reads with EFAULT by pre-checking
the validity of the potential destination address range rather than
only checking if there would actually be data to copy. I haven't yet
dug into the kernel sources to figure out why this is happening but
read(2), readv(2), pread(2), etc. are probably all affected and I'm
skeptical of whether it makes sense to try to work around this in
libc. We should probably seek clarificatin from the Austin Group on
whether those interfaces are intended to have well-defined behavior
when the nbytes argument is greater than the size of the buffer. For
fread it's WG14's domain and getting a good answer from them on
whether invalid size yields UB is probably going to be difficult...