vapier 15/08/29 22:21:52 |
|
Modified: README.history |
Added: |
00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch |
Log: |
upstream fix for memory corruption when using getmntent #558946 by Michael Weiser |
|
Revision Changes Path |
1.7 src/patchsets/glibc/2.22/README.history |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/README.history?rev=1.7&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/README.history?rev=1.7&content-type=text/plain |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/README.history?r1=1.6&r2=1.7 |
|
Index: README.history |
17 |
=================================================================== |
18 |
RCS file: /var/cvsroot/gentoo/src/patchsets/glibc/2.22/README.history,v |
19 |
retrieving revision 1.6 |
20 |
retrieving revision 1.7 |
21 |
diff -u -r1.6 -r1.7 |
22 |
--- README.history 21 Aug 2015 21:15:49 -0000 1.6 |
23 |
+++ README.history 29 Aug 2015 22:21:52 -0000 1.7 |
24 |
@@ -1,3 +1,6 @@ |
25 |
+7 29 Aug 2015 |
26 |
+ + 00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch |
27 |
+ |
28 |
6 21 Aug 2015 |
29 |
+ 00_all_0020-manual-skip-build-when-perl-is-unavailable.patch |
|
|
|
|
1.1 src/patchsets/glibc/2.22/00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.22/00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch?rev=1.1&content-type=text/plain |
|
Index: 00_all_0021-getmntent-fix-memory-corruption-w-blank-lines-BZ-188.patch |
40 |
=================================================================== |
41 |
https://bugs.gentoo.org/558946 |
42 |
https://sourceware.org/bugzilla/show_bug.cgi?id=18887 |
43 |
|
44 |
From ca6a9ce6151759981cc2efd58e053148c7db2fea Mon Sep 17 00:00:00 2001 |
45 |
From: Mike Frysinger <vapier@g.o> |
46 |
Date: Fri, 28 Aug 2015 17:08:49 -0400 |
47 |
Subject: [PATCH] getmntent: fix memory corruption w/blank lines [BZ #18887] |
48 |
|
49 |
The fix for BZ #17273 introduced a single byte of memory corruption when |
50 |
the line is entirely blank. It would walk back past the start of the |
51 |
buffer if the heap happened to be 0x20 or 0x09 and then write a NUL byte. |
52 |
buffer = '\n'; |
53 |
end_ptr = buffer; |
54 |
while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t') |
55 |
end_ptr--; |
56 |
*end_ptr = '\0'; |
57 |
|
58 |
Fix that and rework the tests. Adding the testcase for BZ #17273 to the |
59 |
existing \040 parser does not really make sense as it's unrelated, and |
60 |
leads to confusing behavior: it implicitly relies on the new entry being |
61 |
longer than the previous entry (since it just rewinds the FILE*). Split |
62 |
it out into its own dedicated testcase instead. |
63 |
|
64 |
(cherry picked from commit b0e805fa0d6fea33745952df7b7f5442ca4c374f) |
65 |
(cherry picked from commit 3007f797a1a596e954f44879a5a7267966186ba4) |
66 |
--- |
67 |
misc/Makefile | 3 ++- |
68 |
misc/mntent_r.c | 4 +++- |
69 |
misc/tst-mntent-blank-corrupt.c | 45 ++++++++++++++++++++++++++++++++++ |
70 |
misc/tst-mntent-blank-passno.c | 53 +++++++++++++++++++++++++++++++++++++++++ |
71 |
misc/tst-mntent.c | 20 ---------------- |
72 |
5 files changed, 103 insertions(+), 22 deletions(-) |
73 |
create mode 100644 misc/tst-mntent-blank-corrupt.c |
74 |
create mode 100644 misc/tst-mntent-blank-passno.c |
75 |
|
76 |
diff --git a/misc/Makefile b/misc/Makefile |
77 |
index aecb0da..2f5edf6 100644 |
78 |
--- a/misc/Makefile |
79 |
+++ b/misc/Makefile |
80 |
@@ -76,7 +76,8 @@ install-lib := libg.a |
81 |
gpl2lgpl := error.c error.h |
82 |
|
83 |
tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \ |
84 |
- tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 |
85 |
+ tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \ |
86 |
+ tst-mntent-blank-corrupt tst-mntent-blank-passno |
87 |
ifeq ($(run-built-tests),yes) |
88 |
tests-special += $(objpfx)tst-error1-mem.out |
89 |
endif |
90 |
diff --git a/misc/mntent_r.c b/misc/mntent_r.c |
91 |
index 6159873..4f26998 100644 |
92 |
--- a/misc/mntent_r.c |
93 |
+++ b/misc/mntent_r.c |
94 |
@@ -136,7 +136,9 @@ __getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz) |
95 |
end_ptr = strchr (buffer, '\n'); |
96 |
if (end_ptr != NULL) /* chop newline */ |
97 |
{ |
98 |
- while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t') |
99 |
+ /* Do not walk past the start of buffer if it's all whitespace. */ |
100 |
+ while (end_ptr != buffer |
101 |
+ && (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')) |
102 |
end_ptr--; |
103 |
*end_ptr = '\0'; |
104 |
} |
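Review bot: The new comment above the loop explains the `end_ptr != buffer` guard but does not name the report it closes, and since the regression test for it lives in a separate file a bug reference is the only thing tying the two together; suggest `/* Do not walk past the start of buffer if the line is empty or all whitespace (BZ #18887).  */`. The guard is evaluated before `end_ptr[-1]`, so the one-byte read before the buffer described in the commit message, and the NUL write that followed it, are no longer reachable from this loop. The empty-line case (`buffer` holding just `"\n"`) now leaves the loop untouched and writes the NUL at `buffer[0]`, which is the intended result. `__getmntent_r` starts before this hunk and continues after it, so how an emptied line is handled afterwards is not visible here.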
105 |
diff --git a/misc/tst-mntent-blank-corrupt.c b/misc/tst-mntent-blank-corrupt.c |
106 |
new file mode 100644 |
107 |
index 0000000..92266a3 |
108 |
--- /dev/null |
109 |
+++ b/misc/tst-mntent-blank-corrupt.c |
110 |
@@ -0,0 +1,45 @@ |
111 |
+/* Make sure blank lines does not cause memory corruption BZ #18887. |
112 |
+ |
113 |
+ Copyright (C) 2009-2015 Free Software Foundation, Inc. |
114 |
+ This file is part of the GNU C Library. |
115 |
+ |
116 |
+ The GNU C Library is free software; you can redistribute it and/or |
117 |
+ modify it under the terms of the GNU Lesser General Public |
118 |
+ License as published by the Free Software Foundation; either |
119 |
+ version 2.1 of the License, or (at your option) any later version. |
120 |
+ |
121 |
+ The GNU C Library is distributed in the hope that it will be useful, |
122 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of |
123 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
124 |
+ Lesser General Public License for more details. |
125 |
+ |
126 |
+ You should have received a copy of the GNU Lesser General Public |
127 |
+ License along with the GNU C Library; if not, see |
128 |
+ <http://www.gnu.org/licenses/>. */ |
129 |
+ |
130 |
+#include <mntent.h> |
131 |
+#include <stdio.h> |
132 |
+#include <string.h> |
133 |
+ |
134 |
+/* Make sure blank lines don't trigger memory corruption. This doesn't happen |
135 |
+ for all targets though, so it's a best effort test BZ #18887. */ |
136 |
+static int |
137 |
+do_test (void) |
138 |
+{ |
139 |
+ FILE *fp; |
140 |
+ |
141 |
+ fp = tmpfile (); |
142 |
+ fputs ("\n \n/foo\\040dir /bar\\040dir auto bind \t \n", fp); |
143 |
+ rewind (fp); |
144 |
+ |
145 |
+ /* The corruption happens here ... */ |
146 |
+ getmntent (fp); |
147 |
+ /* ... but trigers here. */ |
148 |
+ endmntent (fp); |
149 |
+ |
150 |
+ /* If the test failed, we would crash, and not hit this point. */ |
151 |
+ return 0; |
152 |
+} |
153 |
+ |
154 |
+#define TEST_FUNCTION do_test () |
155 |
+#include "../test-skeleton.c" |
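Review bot: The test only observes the BZ #18887 write indirectly, by crashing in `endmntent (fp);` when the heap byte before getmntent's internal buffer happens to be 0x20 or 0x09 (presumably via a heap-consistency abort), which is why the comment above do_test calls it best effort. A deterministic form puts a known guard byte immediately before a caller-supplied buffer, parses through getmntent_r, and then compares the guard, so a write to `buffer[-1]` is reported as a test failure on every target instead of depending on heap contents. getmntent_r is the public entry the patched `__getmntent_r` backs; confirm it is visible under the feature macros the test skeleton compiles with. The comment `/* ... but trigers here. */` has a typo for `triggers`.
```c
static int
do_test (void)
{
  /* Guard byte directly before the parse buffer: the unfixed loop reads
     buffer[-1] and, if it finds a blank or tab, writes a NUL there.  */
  struct { char guard; char line[64]; } buf = { .guard = ' ' };
  struct mntent mnt;
  FILE *fp = tmpfile ();
  if (fp == NULL)
    return 1;
  fputs ("\n \n/foo\\040dir /bar\\040dir auto bind \t \n", fp);
  rewind (fp);

  getmntent_r (fp, &mnt, buf.line, sizeof buf.line);
  endmntent (fp);

  if (buf.guard != ' ')
    {
      puts ("getmntent_r wrote before the start of its buffer");
      return 1;
    }
  return 0;
}
```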
156 |
diff --git a/misc/tst-mntent-blank-passno.c b/misc/tst-mntent-blank-passno.c |
157 |
new file mode 100644 |
158 |
index 0000000..fc04291 |
159 |
--- /dev/null |
160 |
+++ b/misc/tst-mntent-blank-passno.c |
161 |
@@ -0,0 +1,53 @@ |
162 |
+/* Make sure trailing whitespace is handled properly BZ #17273. |
163 |
+ |
164 |
+ Copyright (C) 2009-2015 Free Software Foundation, Inc. |
165 |
+ This file is part of the GNU C Library. |
166 |
+ |
167 |
+ The GNU C Library is free software; you can redistribute it and/or |
168 |
+ modify it under the terms of the GNU Lesser General Public |
169 |
+ License as published by the Free Software Foundation; either |
170 |
+ version 2.1 of the License, or (at your option) any later version. |
171 |
+ |
172 |
+ The GNU C Library is distributed in the hope that it will be useful, |
173 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of |
174 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
175 |
+ Lesser General Public License for more details. |
176 |
+ |
177 |
+ You should have received a copy of the GNU Lesser General Public |
178 |
+ License along with the GNU C Library; if not, see |
179 |
+ <http://www.gnu.org/licenses/>. */ |
180 |
+ |
181 |
+#include <mntent.h> |
182 |
+#include <stdio.h> |
183 |
+#include <string.h> |
184 |
+ |
185 |
+/* Check entries to make sure trailing whitespace is ignored and we return the |
186 |
+ correct passno value BZ #17273. */ |
187 |
+static int |
188 |
+do_test (void) |
189 |
+{ |
190 |
+ int result = 0; |
191 |
+ FILE *fp; |
192 |
+ struct mntent *mnt; |
193 |
+ |
194 |
+ fp = tmpfile (); |
195 |
+ fputs ("/foo\\040dir /bar\\040dir auto bind \t \n", fp); |
196 |
+ rewind (fp); |
197 |
+ |
198 |
+ mnt = getmntent (fp); |
199 |
+ if (strcmp (mnt->mnt_fsname, "/foo dir") != 0 |
200 |
+ || strcmp (mnt->mnt_dir, "/bar dir") != 0 |
201 |
+ || strcmp (mnt->mnt_type, "auto") != 0 |
202 |
+ || strcmp (mnt->mnt_opts, "bind") != 0 |
203 |
+ || mnt->mnt_freq != 0 |
204 |
+ || mnt->mnt_passno != 0) |
205 |
+ { |
206 |
+ puts ("Error while reading entry with trailing whitespaces"); |
207 |
+ result = 1; |
208 |
+ } |
209 |
+ |
210 |
+ return result; |
211 |
+} |
212 |
+ |
213 |
+#define TEST_FUNCTION do_test () |
214 |
+#include "../test-skeleton.c" |
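Review bot: `mnt = getmntent (fp);` is dereferenced in the strcmp chain that follows without a NULL check, so a parse failure turns this test into a segfault rather than a reported failure; suggest inserting `if (mnt == NULL) { puts ("getmntent returned NULL"); return 1; }` before the `if (strcmp (mnt->mnt_fsname, ...` line. The `fp = tmpfile ();` result is likewise passed straight to fputs without checking for NULL, and the same unchecked tmpfile () appears in the new tst-mntent-blank-corrupt.c. Both would make an environment problem (no writable temp directory) look like a crash in the code under test.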
215 |
diff --git a/misc/tst-mntent.c b/misc/tst-mntent.c |
216 |
index 876c89f..820b354 100644 |
217 |
--- a/misc/tst-mntent.c |
218 |
+++ b/misc/tst-mntent.c |
219 |
@@ -73,26 +73,6 @@ main (int argc, char *argv[]) |
220 |
puts ("Error while reading written entry back in"); |
221 |
result = 1; |
222 |
} |
223 |
- |
224 |
- /* Part III: Entry with whitespaces at the end of a line. */ |
225 |
- rewind (fp); |
226 |
- |
227 |
- fputs ("/foo\\040dir /bar\\040dir auto bind \t \n", fp); |
228 |
- |
229 |
- rewind (fp); |
230 |
- |
231 |
- mnt = getmntent (fp); |
232 |
- |
233 |
- if (strcmp (mnt->mnt_fsname, "/foo dir") != 0 |
234 |
- || strcmp (mnt->mnt_dir, "/bar dir") != 0 |
235 |
- || strcmp (mnt->mnt_type, "auto") != 0 |
236 |
- || strcmp (mnt->mnt_opts, "bind") != 0 |
237 |
- || mnt->mnt_freq != 0 |
238 |
- || mnt->mnt_passno != 0) |
239 |
- { |
240 |
- puts ("Error while reading entry with trailing whitespaces"); |
241 |
- result = 1; |
242 |
- } |
243 |
} |
244 |
|
245 |
return result; |
246 |
-- |
247 |
2.5.0 |