Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 13 Feb 2018 14:21:31 -0500
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: stdio review

On Tue, Feb 13, 2018 at 11:59:53AM -0500, Rich Felker wrote:
> __fopen_rb_ca.c:
>     __fopen_rb_ca:
>                                                               [question]
>         Is it possible for this function to be called with a length less
>         than UNGET?

No. Perhaps it should be checked, or perhaps we should just drop this
function. Obviously it doesn't give new no-fail guarantees since open
itself can fail for resource reasons. I think the original intent was
just to make it possible to do DNS lookups without linking free; if
that still works maybe it's worth keeping.

>                                                                [comment]
>         I was unsure what the ca meant until finding a reference in a
>         deeply nested internal header that it was "caller allocated",
>         maybe emphasis that in the source file to make review easier.

Yes, sounds good.

> __lockfile.c:
>     __lockfile:                                                [nothing]
>     __unlockfile:                                              [nothing]
> 
> __overflow.c:
>     __overflow:                                               [question]
>         The interface contract of this function is it takes int and
>         returns int, yet the passed in character is truncated through
>         narrowing conversion to unsigned char for the purposes of
>         stdio, should that same narrowed conversion be returned or
>         should the unnarrowed result be returned?

This function is actually part of glibc ABI-compat; using it
internally too was probably a mistake, and will probably be changed in
the future -- I think we can make getc/putc slightly more efficient by
doing things in a different way. In any case since the argument _c is
being used as a character unconditionally (not special-casing EOF or
anything) I think it's clear that returning the value interpreted as a
character (unsigned char) is the right thing.

> __stdio_exit.c:
>     close_file:                                               [question]
>         Function acquires lock on FILE but never unlocks it, this looks
>         intended since we're exiting stdio? If that's the case this
>         should probably be commented.

It's documented by the macro name FFINALLOCK() instead of FLOCK().

>     __stdio_exit:                                             [question]
>     __stdio_exit_needed:                                      [question]
>                                                                [comment]
>         Function acquires lock via __ofl_lock but never calls
>         __ofl_unlock, this looks intended since we're exiting stdio?
>         If that's the case this should probably be commented.

Yes it's intended, but I'm not sure why it's unclear. Of course if you
ever unlock it the state could become inconsistent (new files needing
flushing) after you already finished flushing, resulting in
nonconforming behavior (their not being flushed).

> __stdio_read.c:
>     __stdio_read:                                                [style]
>         Tricky expression involving F_EOF/F_ERR and xor masks.

Yes that's silly.

> __stdio_write.c:
>     __stdio_write:                                            [question]
>         Is it possible for len to be less than f->wpos-f->wbase?
> 
> __stdout_write.c:
>     __stdout_write:                                           [question]
>         Is it possible for len to be less than f->wpos-f->wbase?

This question isn't meaningful; they're not comparable. I think this
was a misunderstanding you raised on irc before due to overlooking the
iov++.

> __toread.c:
>     __toread:                                                  [comment]
>         It's sister function __towrite comments its' intent, maybe
>         this should as well for consistency.
> 
> __towrite.c:
>     __towrite:                                                   [style]
>         What is the purpose of parenthesis around F_NOWR? does it imply
>         a missing flag in the list, looks suspicious.

Good question. I think it comes from commit
e3cd6c5c265cd481db6e0c5b529855d99f0bda30 where this code was derived
from old code in __overflow that did:

	if (f->flags & (F_ERR|F_NOWR)) return EOF;

> clearerr.c:
>     clearerr:                                                  [nothing]
>     clearerr_unlocked:                                        [question]
>         An alias for clearerr but clearerr locks, is this correct?
>         or should clearerr_unlocked just remove EOF/ERR flags, and
>         clearerr hold a lock calling clearerr_unlocked?

It's intentional; the nonstandard *_unlocked functions are just
provided for compat purposes, and there is no reason that they have to
omit locking to behave as specified.

> dprintf.c:
>     dprintf:                                                   [nothing]
> 
> ext.c:
>     __flushlbf:                                                [nothing]
>     __fsetlocking:                                             [nothing]
>     __fwriting:                                                [nothing]
>     __freading:                                                [nothing]
>     __freadable:                                               [nothing]
>     __fwritable:                                               [nothing]
>     __flbf:                                                    [nothing]
>     __fbufsize:                                                [nothing]
>     __fpending:                                                [nothing]
>     __fpurge:                                                      [bug]
>     fpurge:                                                        [bug]
>         The interface contract for this function is that it returns void
>         and not int, whereas fpurge returns int, the latter does not
>         even appear to be part of Linux yet musl aliases them to the
>         same. Should musl's return void?

I'm not sure why we even have fpurge. I agree that these are mistakes
but I'm not sure whether fixing them or leaving them is better. They
don't seem to hurt anything as-is.

> fclose.c:
>     fclose:                                                      [style]
>         Checking for null pointer before calling free for f->getln_buf

Agree, the free should be unconditional.

> feof.c:                                                          [style]
>     There's two instances of feof involved, one provided by stdio_impl
>     that just checks flags without a lock held and this one which means
>     this file has to #undef. That just seems tricky to me, you could see
>     an feof somewhere that is using the macro definition where others
>     could be using a function (depending on includes and include order.)

Include order is not an issue (stdio_impl.h includes stdio.h so there
is only one possible order) but I agree this is problematic and could
introduce bugs into files where stdio_impl.h has been included for an
unrelated reason and a libc function calls feof() without the FILE
lock already being held.

It should be researched whether there are places that actually rely on
having the macros to get reasonable/efficient code. If so we should
probably rename the macros to feof_unlocked() and ferror_unlocked().

>     feof:                                                      [nothing]
>     feof_unlocked:                                            [question]
>     _IO_feof_unlocked:                                        [question]
>         Similar to clearerr_unlocked, is this correct? The unlocked
>         variants are actually locked.

Yes, same reason. If this one actually affects performance somewhere
that matters we could change it. clearerr certainly should not.

> ferror.c:                                                        [style]
>     There's two instances of ferror involved, one provided by stdio_impl
>     that just checks flags without a lock held and this one which means
>     this file has to #undef. That just seems tricky to me, you could see
>     an ferror somewhere that is using the macro definition where others
>     could be using a function (depending on includes and include oder.)

Likewise.

>     ferror:                                                    [nothing]
>     ferror_unlocked:                                          [question]
>     _IO_ferror_unlocked:                                      [question]
>         Similar to clearerr_unlocked and feof_unlocked, is this correct?
>         The unlocked variants are actually locked.

Likewise.

> fgetpos.c:
>     fgetpos:                                                       [bug]
>         using *(off_t*) to write _Int64 data into fpos_t structure when
>         memcpy should be used, this breaks strict aliasing. Maybe add
>         an off_t to the fpos_t union?

My leaning would be to add the off_t, but the type might not be
exposed and thus we would need to find a matching type that is
exposed. memcpy would be the nicest solution, but only if we had a way
of allowing the compiler to use builtin memcpy; otherwise it's a
gratuitous call.

>                                                                [comment]
>         POSIX states this function shall fail if the data cannot be
>         stored in the fpos_t structure but the structure is 16-byte in
>         size and this is a narrowing conversion. Maybe just comment that
>         it can never fail. This came up in the test harness several
>         times.

This is purely a matter of implementations that support 32-bit-off_t
environments where a 32-bit process's fpos_t might be too small to
store a large file offset. musl always uses 64-bit offsets and never
has that type of error condition.

> fgetwc.c:
>     __fgetwc_unlocked_internal:                               [question]
>         I don't understand the conditional if (l+1 >= 1), is that not
>         the same as just if (l) since the only time when l+1 >=1 is

I don't see how you think it's the same as l, since 0 is false but
0+1>=1 is clearly true. But the real point is that l could be
(size_t)-1, in which case l+1>=1 is false. It would be equivalent to
if(l+1) or if(l!=(size_t)-1), though.

>         if l==0, even for overflow. In which case the l += !l part
>         in the body is even more concerning because !l will always
>         be false?

No, l==0 is a true case; see above.

Also see commit 4000b0107ddd7fe733fa31d4f078c6fcd35851d6. The old code
used mbrtowc where both (size_t)-2 and (size_t)-1 were possibilities,
so the unsigned change check here made more sense. Now there's only
one possible exceptional value, not two, so it's not really needed.

> fgetws.c:
>     fgetws:                                                    [nothing]
>     __fgetws_unlocked:                                        [question]
>         Similar to clearerr_unlocked, feof_unlocked and ferror_unlocked
>         is this correct? The unlocked variants are actually locked.

Again, it's intentional. In the past we got burned by factoring
unlocked versions of complex functions -- see commits
c002668eb0352e619ea7064e4940b397b4a6e68d and
670d6d01f53b4e85be6b333bf8a137e2be6d3fc3. So I've tried to avoid
actually making separate unlocked entry points except for the
functions where it could actually matter.

> fileno.c:
>     fileno:                                                    [nothing]
>     fileno_unlocked:                                          [question]
>         Similar to clearerr_unlocked, feof_unlocked, ferror_unlocked
>         and __fetws_unlocked is this correct? The unlocked variants are
>         actually locked.

Similar.

> fmemopen.c:
>     mseek:                                                       [style]
>         It does goto upwards.

I guess you could call it that, but it's into a block with no path
out, so I don't think I would.

>         Compound literal table to reference whence as a lookup table
>         as a single expression.

I thought this was cute.

>     mread:                                                     [nothing]
>     mwrite:                                                    [nothing]
>     fmemopen:                                                      [bug]
>         The size check for fmemopen cookie to report ENOMEM is incorrect
>         with the calloc below.

Yes, already fixed in a commit pending push.

>                                                                  [style]
>         The cookie allocation handling can be greatly simplified with a
>         nother structure that embeds everything and using the sizeof
>         that structure instead.

Agreed. I want to convert it to that style later.

> fopencookie.c:
>     fopencookie:                                                   [bug]
>         Several other functions which utilize __ofl_add do the following
>         if (!libc.threaded) f->lock = -1; However this one does not.

This was discussed when it was implemented. I think I might have
requested a comment added there that got overlooked. The issue is that
it's not clear that was can safely omit locks for "cookie" FILEs in a
single-threaded process, since it's not clear that the process will
still be single-threaded when the cookie callback returns.

> freopen.c:
>     freopen:                                                       [bug]
>         In the case of no filename and the F_SETFL system call failing,
>         and also __dup3 failing, the file is still locked.

On failure, freopen closes the FILE. Yes this an awful design flaw
that makes freopen essentially always-unsafe to use, and especially
unsafe if there may be concurrent operations from other threads.
Anyway, yes, the file is still locked going into fclose, and then its
lifetime ends in fclose.

> fsetpos.c:
>     fsetpos:                                                       [bug]
>         off_t is written into here incorrectly and also read incorrectly
>         as this breaks strict aliasing. Maybe consider putting off_t in
>         the fpos_t union and referencing it that way to avoid memcpy?

Yes this needs to be fixed. Not sure of the best way; see above with
fgetpos.

> ftell.c:
>     __ftello_unlocked:                                           [style]
>         The whole thing is formatted in a confusing to read manner.

Would you have preferred the whence expression be written out in a
temp var? Or something else?

> fwrite.c:
>     fwrite:                                                   [question]
>         Should there be a check for size*nmemb overflow?

This is actually a complicated topic. Formally, I think the C standard
reads such that it would be valid for size*nmemb to exceed the size of
the data object to be written if you somehow know you'll hit a write
error before that happens. However real world implementations don't
work like that. In particular, the kernel will error out with EFAULT
if the buffer length extends past the valid userspace address range,
even if the writes would never happen; the only way to avoid this
would be to break longer-than-page writes down into separate
page-sized writes. So I think for practical purposes, we have to
interpret the standard as requiring that size*nmemb actually reflect
the size of the object passed in, and in that case, the multiplication
necessarily does not overflow. If there's an interpretation from WG14
contrary to this, we'll have to revisit it.

See also https://sourceware.org/bugzilla/show_bug.cgi?id=19165

> getdelim.c:                                                      [style]
>     The MIN macro is never used in this translation unit.

Good catch. It was actually never used, even in old revisions, so its
use must predate the original check-in...

> gets.c:
>     gets:                                                     [optimize]
>         The length of the string is calculated twice to strip the
>         newline character off it. Why not rewrite it as:
>         if (ret) { size_t i = strlen(s)-1; if (s[i] == '\n') s[i] = 0; }

Seriously, this is gets. It's always unsafe, deprecated, removed from
the current C standard. If it's gratuitously slow too, great. :-)

> open_memstream.c:
>     ms_seek:                                                     [style]
>         It does goto upwards.
> 
>         Compound literal table to reference whence as a lookup table
>         as a single expression.
> 
>         The function would be less tricky if just rewritten.

See replies on fmemopen.

>     ms_write:                                                  [nothing]
>     ms_close:                                                  [nothing]
>     open_memstream:                                           [question]
>         Why does this allocate a 1 byte buffer? That seems small.

This?

	if (!(buf=malloc(sizeof *buf))) {

It needs to be at least 1 to be valid. The way size tracking is done,
I'm not sure it would help to allocate larger now, since realloc will
get called anyway on the first write.

>                                                                  [style]
>         This is also doing the weird arithmetic as well for the cookie
>         This function can be rewritten much nicer.

There are a lot of awful requirements on open_memstream, and we meet
most but not all of them. It probably does need to be rewritten, but
I'm doubtful that the result will be very simple.

> setvbuf.c:
>     setvbuf:                                                       [bug]
>         No locks are ever held on the file when changing fields of it.

	"The setvbuf function may be used only after the stream
	pointed to by stream has been associated with an open file and
	before any other operation (other than an unsuccessful call to
	setvbuf) is performed on the stream." (7.21.5.6, ΒΆ 2)

If there are other concurrent calls on the FILE possible, the above
requirement has been violated and the program has undefined behavior.

> ungetwc.c:
>     ungetwc:                                                     [style]
>         Ignoring the overly long if statement, the non-ascii route below
>         does memcpy(f->rpos -= l, mbc, l) and that is just odd since I
>         read that as f->rpos - l initially which almost looks correct
>         but failing to update rpos which is when I noticed it actually
>         does -=.

It's analogous to the *-- in the line immediately above.

> vfprintf.c:
>     out:                                                       [nothing]
>     pad:                                                       [nothing]
>     fmt_x:                                                     [nothing]
>     fmt_o:                                                     [nothing]
>     fmt_u:                                                     [nothing]
>     fmt_fp:                                                   [question]
>     getint:                                                        [bug]
>         This function overflows on INT_MIN for the else case.

I don't understand. Where does INT_MIN come from? It's reading
nonnegative values.

>     printf_core:                                                 [style]
>         if (0) cutting into switch statements specified in a very smart
>         order to make for really tiny code. This whole function is
>         impossible to audit. I tried, I really did. Things like this:
>         *(a=z-(p=1))=arg.i; are really tricky.
>     vfprintf:                                                  [nothing]

Yes. It's known that there's a good deal of ugly style, but also that
simple changes to it just make the code gratuitously larger without
making it perform better or have any other better properties aside
from "less ugly". So it's hard to justify spending effort making and
testing changes that end up outwardly looking like "pure size
regressions".

> vfscanf.c:
>     store_int:                                                 [nothing]
>     arg_n:                                                     [nothing]
>     vfscanf:                                                       [bug]
>     __isoc99_vfscanf:
>         Calculating width using the same 10*n+*c-'0' trick can overflow
>         on INT_MIN.

I don't understand this either.

>                                                                  [style]
>         This function gets really difficult to audit further down. It's
>         just very dense and should be split up somehow.

Yes, maybe so. Similar issues to printf.

> vswprintf.c:
>     sw_write:                                                  [nothing]
>     vswprintf:                                                   [style]
>         sizeof(FILE) should be sizeof f

Rather memset shouldn't be used here anyway.

>         compound initializer should be used for file instead of what
>         ever is done here, every other function that creates local FILE
>         struct does it as FILE f = { .member = value, ... }, is this
>         different because of the memset? is the memset even needed?

Exactly.

> ========================================================================
>     src/internal
> ========================================================================
> 
> stdio_impl.h:                                                    [style]
>     FUNLOCK macro has a trailing else which prompted me to look at every
>     single instance of FUNLOCK to make sure all of them contained a
>     semicolon. This is just dangerous, why not use the more common
>     idiom of do { } while (0).

Indeed that should be fine.

>                                                                [comment]
>     The _IO_FILE is ABI compat with glibc but this isn't documented any
>     where in the header which makes members like mustbezero_{1,2} really
>     confusion and the layout of members within the structure as well,
>     since the size of a FILE can be made much smaller just by sorting
>     the members which is something someone may want to do.

I don't see how it would be smaller by sorting. There are only a few
gaps. int fields come in pairs (relevant on 64-bit) and the signed
char fields have some padding around them but not much. Of course it
still would be nice to add a comment that the layout is ABI if glibc
compat is desired.

>                                                                  [style]
>     feof/ferror macros which are unlocked, this requires that code
>     inside src/stdio actually #undef them when implementing and anything
>     inside there that requires these _must_ avoid including stdio.h over
>     this to ensure it uses the right ones. I would just call these
>     something else like __feof_ui/__ferror_ui (unlocked internal) then
>     no weird #undef is needed and the intent is clear.

See comments on them above.

> shgetc.h:                                                      [comment]
>     Maybe document this is the "scan helper" interface because it was
>     not obvious what the naming was.

Agreed.

> intscan.h:                                                       [style]
>     It isn't apparent for why <stdio.h> needs to be included. Should
>     just forward declare struct FILE; here instead.

That would not work, because it's *not* struct FILE, it's FILE, which
happens to be defined as "struct _IO_FILE", but that's an
implementation detail. Including <stdio.h> is the clean way to have
that.

> floatscan.h:                                                     [style]
>     It isn't apparent for why <stdio.h> needs to be included. Should
>     just forward declare struct FILE; here instead.

Same.

I think that covers almost everything; I omitted all the [nothing]
findings to make this email less dense. Some of the above are things I
can start improving right away after getting a release out; others
require more thought on how to do them without making things worse in
some aspect or another.

Thanks for taking the time to do this and posting your findings.

Rich

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.