Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Jun 2015 20:40:41 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] Implement glibc *_chk interfaces for ABI
 compatibility.

On Wed, Jun 17, 2015 at 02:07:08PM -0500, Josiah Worcester wrote:
> >> +size_t __wcrtomb_chk(char *restrict s, wchar_t wc, mbstate_t *restrict st, size_t slen)
> >> +{
> >> +     if (slen < MB_CUR_MAX) a_crash();
> >> +     return wcrtomb(s, wc, st);
> >> +}
> >
> > i think this can cause a false positive crash
> > but glibc seems to do the same..
> >
> > (eg some api passes wchar_t* and the exact mb encoded length of
> > a string so the output s can be safely shorter than max mb length)
> >
> I'm not sure if we should match glibc here or do a better check.
> 
> Thanks for the input. I'm going to wait a bit before posting a new
> patch, though, in hopes that more comments are forthcoming.

This code is definitely wrong as-is; for example:

	char c;
	wcrtomb(&c, L'0', st)

is perfectly valid (albeit useless) code. Other examples are possible
too. I think a decent check would be:

	size_t r = wcrtomb(s, wc, st);
	if (r+1 > slen+1) a_crash();
	return r;

This allows an overflow of up to 3 bytes to occur before the trap, but
there's no way a valid dest buffer could be within 3 bytes of this
function's or wcrtomb's stack, so you should safely reach the a_crash
even on overflow.

The alternative would be using a temp buffer of size MB_LEN_MAX and
then performing memcpy to the caller's buffer if the result fits or
a_crash if not.

Rich

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.