
From: "Mike Frysinger (vapier)" <vapier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in src/patchsets/glibc/2.22: 00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch README.history
Date: Sat, 29 Aug 2015 22:22:00
Message-Id: 20150829222152.79830177@oystercatcher.gentoo.org
1 vapier 15/08/29 22:21:52
2
3 Modified: README.history
4 Added:
5 00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch
6 Log:
7 upstream fix for memory corruption when using getmntent #558946 by Michael Weiser
8
9 Revision Changes Path
10 1.7 src/patchsets/glibc/2.22/README.history
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/README.history?rev=1.7&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/README.history?rev=1.7&content-type=text/plain
14 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/README.history?r1=1.6&r2=1.7
15
16 Index: README.history
17 ===================================================================
18 RCS file: /var/cvsroot/gentoo/src/patchsets/glibc/2.22/README.history,v
19 retrieving revision 1.6
20 retrieving revision 1.7
21 diff -u -r1.6 -r1.7
22 --- README.history 21 Aug 2015 21:15:49 -0000 1.6
23 +++ README.history 29 Aug 2015 22:21:52 -0000 1.7
24 @@ -1,3 +1,6 @@
25 +7 29 Aug 2015
26 + + 00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch
27 +
28 6 21 Aug 2015
29 + 00_all_0020-manual-skip-build-when-perl-is-unavailable.patch
30
31
32
33
34 1.1 src/patchsets/glibc/2.22/00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch
35
36 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch?rev=1.1&view=markup
37 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch?rev=1.1&content-type=text/plain
38
39 Index: 00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch
40 ===================================================================
41 https://bugs.gentoo.org/558946
42 https://sourceware.org/bugzilla/show_bug.cgi?id=18887
43
44 From ca6a9ce6151759981cc2efd58e053148c7db2fea Mon Sep 17 00:00:00 2001
45 From: Mike Frysinger <vapier@g.o>
46 Date: Fri, 28 Aug 2015 17:08:49 -0400
47 Subject: [PATCH] getmntent: fix memory corruption w/blank lines [BZ #18887]
48
49 The fix for BZ #17273 introduced a single byte of memory corruption when
50 the line is entirely blank. It would walk back past the start of the
51 buffer if the heap happened to be 0x20 or 0x09 and then write a NUL byte.
52 buffer = '\n';
53 end_ptr = buffer;
54 while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
55 end_ptr--;
56 *end_ptr = '\0';
57
58 Fix that and rework the tests. Adding the testcase for BZ #17273 to the
59 existing \040 parser does not really make sense as it's unrelated, and
60 leads to confusing behavior: it implicitly relies on the new entry being
61 longer than the previous entry (since it just rewinds the FILE*). Split
62 it out into its own dedicated testcase instead.
63
64 (cherry picked from commit b0e805fa0d6fea33745952df7b7f5442ca4c374f)
65 (cherry picked from commit 3007f797a1a596e954f44879a5a7267966186ba4)
66 ---
67 misc/Makefile | 3 ++-
68 misc/mntent_r.c | 4 +++-
69 misc/tst-mntent-blank-corrupt.c | 45 ++++++++++++++++++++++++++++++++++
70 misc/tst-mntent-blank-passno.c | 53 +++++++++++++++++++++++++++++++++++++++++
71 misc/tst-mntent.c | 20 ----------------
72 5 files changed, 103 insertions(+), 22 deletions(-)
73 create mode 100644 misc/tst-mntent-blank-corrupt.c
74 create mode 100644 misc/tst-mntent-blank-passno.c
75
76 diff --git a/misc/Makefile b/misc/Makefile
77 index aecb0da..2f5edf6 100644
78 --- a/misc/Makefile
79 +++ b/misc/Makefile
80 @@ -76,7 +76,8 @@ install-lib := libg.a
81 gpl2lgpl := error.c error.h
82
83 tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \
84 - tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1
85 + tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \
86 + tst-mntent-blank-corrupt tst-mntent-blank-passno
87 ifeq ($(run-built-tests),yes)
88 tests-special += $(objpfx)tst-error1-mem.out
89 endif
90 diff --git a/misc/mntent_r.c b/misc/mntent_r.c
91 index 6159873..4f26998 100644
92 --- a/misc/mntent_r.c
93 +++ b/misc/mntent_r.c
94 @@ -136,7 +136,9 @@ __getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz)
95 end_ptr = strchr (buffer, '\n');
96 if (end_ptr != NULL) /* chop newline */
97 {
98 - while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
99 + /* Do not walk past the start of buffer if it's all whitespace. */
100 + while (end_ptr != buffer
101 + && (end_ptr[-1] == ' ' || end_ptr[-1] == '\t'))
102 end_ptr--;
103 *end_ptr = '\0';
104 }
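Review bot: The new `end_ptr != buffer` guard is correct, but the comment above it only explains the mechanism and not why it exists, so a later cleanup could plausibly "simplify" it back into the one-byte underflow. Tie the comment to the bug so the rationale survives: `/* Do not walk past the start of buffer if it's all whitespace (BZ #18887); end_ptr[-1] would otherwise read and then write one byte before the caller's buffer.  */`. __getmntent_r begins and ends outside this hunk, so the `end_ptr == NULL` path (line longer than bufsiz, no newline) is not visible here and is not addressed by this change.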
105 diff --git a/misc/tst-mntent-blank-corrupt.c b/misc/tst-mntent-blank-corrupt.c
106 new file mode 100644
107 index 0000000..92266a3
108 --- /dev/null
109 +++ b/misc/tst-mntent-blank-corrupt.c
110 @@ -0,0 +1,45 @@
111 +/* Make sure blank lines does not cause memory corruption BZ #18887.
112 +
113 + Copyright (C) 2009-2015 Free Software Foundation, Inc.
114 + This file is part of the GNU C Library.
115 +
116 + The GNU C Library is free software; you can redistribute it and/or
117 + modify it under the terms of the GNU Lesser General Public
118 + License as published by the Free Software Foundation; either
119 + version 2.1 of the License, or (at your option) any later version.
120 +
121 + The GNU C Library is distributed in the hope that it will be useful,
122 + but WITHOUT ANY WARRANTY; without even the implied warranty of
123 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
124 + Lesser General Public License for more details.
125 +
126 + You should have received a copy of the GNU Lesser General Public
127 + License along with the GNU C Library; if not, see
128 + <http://www.gnu.org/licenses/>. */
129 +
130 +#include <mntent.h>
131 +#include <stdio.h>
132 +#include <string.h>
133 +
134 +/* Make sure blank lines don't trigger memory corruption. This doesn't happen
135 + for all targets though, so it's a best effort test BZ #18887. */
136 +static int
137 +do_test (void)
138 +{
139 + FILE *fp;
140 +
141 + fp = tmpfile ();
142 + fputs ("\n \n/foo\\040dir /bar\\040dir auto bind \t \n", fp);
143 + rewind (fp);
144 +
145 + /* The corruption happens here ... */
146 + getmntent (fp);
147 + /* ... but trigers here. */
148 + endmntent (fp);
149 +
150 + /* If the test failed, we would crash, and not hit this point. */
151 + return 0;
152 +}
153 +
154 +#define TEST_FUNCTION do_test ()
155 +#include "../test-skeleton.c"
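Review bot: Both `fp = tmpfile ();` and `getmntent (fp);` are unchecked, so a NULL from tmpfile () crashes in fputs and is indistinguishable from the corruption this test exists to catch, and a NULL from getmntent would silently skip the code path under test. Add `if (fp == NULL) return 1;` after the tmpfile call and replace the bare call with `if (getmntent (fp) == NULL) return 1;` so the test only reports success when the entry was actually parsed. The header comment also has two typos: "blank lines does not cause" should read "blank lines do not cause", and "trigers" should read "triggers". As the comment itself says the crash is layout-dependent (the stray NUL lands one byte before the heap buffer), a note that the test is expected to be run with allocator checking or a memory sanitizer would help the next maintainer understand why a pass is weak evidence.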
156 diff --git a/misc/tst-mntent-blank-passno.c b/misc/tst-mntent-blank-passno.c
157 new file mode 100644
158 index 0000000..fc04291
159 --- /dev/null
160 +++ b/misc/tst-mntent-blank-passno.c
161 @@ -0,0 +1,53 @@
162 +/* Make sure trailing whitespace is handled properly BZ #17273.
163 +
164 + Copyright (C) 2009-2015 Free Software Foundation, Inc.
165 + This file is part of the GNU C Library.
166 +
167 + The GNU C Library is free software; you can redistribute it and/or
168 + modify it under the terms of the GNU Lesser General Public
169 + License as published by the Free Software Foundation; either
170 + version 2.1 of the License, or (at your option) any later version.
171 +
172 + The GNU C Library is distributed in the hope that it will be useful,
173 + but WITHOUT ANY WARRANTY; without even the implied warranty of
174 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
175 + Lesser General Public License for more details.
176 +
177 + You should have received a copy of the GNU Lesser General Public
178 + License along with the GNU C Library; if not, see
179 + <http://www.gnu.org/licenses/>. */
180 +
181 +#include <mntent.h>
182 +#include <stdio.h>
183 +#include <string.h>
184 +
185 +/* Check entries to make sure trailing whitespace is ignored and we return the
186 + correct passno value BZ #17273. */
187 +static int
188 +do_test (void)
189 +{
190 + int result = 0;
191 + FILE *fp;
192 + struct mntent *mnt;
193 +
194 + fp = tmpfile ();
195 + fputs ("/foo\\040dir /bar\\040dir auto bind \t \n", fp);
196 + rewind (fp);
197 +
198 + mnt = getmntent (fp);
199 + if (strcmp (mnt->mnt_fsname, "/foo dir") != 0
200 + || strcmp (mnt->mnt_dir, "/bar dir") != 0
201 + || strcmp (mnt->mnt_type, "auto") != 0
202 + || strcmp (mnt->mnt_opts, "bind") != 0
203 + || mnt->mnt_freq != 0
204 + || mnt->mnt_passno != 0)
205 + {
206 + puts ("Error while reading entry with trailing whitespaces");
207 + result = 1;
208 + }
209 +
210 + return result;
211 +}
212 +
213 +#define TEST_FUNCTION do_test ()
214 +#include "../test-skeleton.c"
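Review bot: `mnt = getmntent (fp);` is dereferenced on the following line without a NULL check, so a parse failure segfaults instead of producing the "Error while reading entry" message and a non-zero result; the same applies to the unchecked `fp = tmpfile ();`. Add `if (fp == NULL) return 1;` after tmpfile and `if (mnt == NULL) { puts ("getmntent returned NULL"); return 1; }` before the strcmp chain. This mirrors the unchecked deref in the Part III block that the last hunk removes from misc/tst-mntent.c, so the move is a good moment to fix it rather than carry it over.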
215 diff --git a/misc/tst-mntent.c b/misc/tst-mntent.c
216 index 876c89f..820b354 100644
217 --- a/misc/tst-mntent.c
218 +++ b/misc/tst-mntent.c
219 @@ -73,26 +73,6 @@ main (int argc, char *argv[])
220 puts ("Error while reading written entry back in");
221 result = 1;
222 }
223 -
224 - /* Part III: Entry with whitespaces at the end of a line. */
225 - rewind (fp);
226 -
227 - fputs ("/foo\\040dir /bar\\040dir auto bind \t \n", fp);
228 -
229 - rewind (fp);
230 -
231 - mnt = getmntent (fp);
232 -
233 - if (strcmp (mnt->mnt_fsname, "/foo dir") != 0
234 - || strcmp (mnt->mnt_dir, "/bar dir") != 0
235 - || strcmp (mnt->mnt_type, "auto") != 0
236 - || strcmp (mnt->mnt_opts, "bind") != 0
237 - || mnt->mnt_freq != 0
238 - || mnt->mnt_passno != 0)
239 - {
240 - puts ("Error while reading entry with trailing whitespaces");
241 - result = 1;
242 - }
243 }
244
245 return result;
246 --
247 2.5.0