[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 23 Aug 2018 16:41:24 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Open conformance issues & plans
(Found by Adelie Linux's efforts to meet POSIX conformance)
1. O_SEARCH/O_EXEC issues
Linux does not actually implement these at all; we approximate them
with O_PATH. They actually should be redefined as O_PATH|3 so that we
can distinguish them from O_PATH, because there's at least one
important difference: with O_SEARCH or O_EXEC, O_NOFOLLOW is supposed
to cause failure rather than producing an fd for the symlink like
O_PATH does. This issue is one I've known about for a long time, not
from the Adelie testing.
The issues that did arise from testing are that open needs to fail
when the file lacks +x permission if O_SEARCH or O_EXEC is used. I'm
not sure how to achieve this; access uses the wrong permissions (real
rather than effective) and stat can't reflect ACLs or anything like
that.
Also reported was that fdopendir needs to fail if the fd was opened
with O_SEARCH rather than O_RDONLY. It should be possible to make
fdopendir probe this with fcntl but I haven't tested.
2. O_TTY_INIT
Also a known issue (that it's missing). We can't define this because
Linux failed to reserve a value for it. Not sure what to do.
3. fnmatch and glob corner cases
fnmatch spuriously succeeds when there's an escape character (\) at
the end of the pattern. This probably should be an error.
glob wrongly handles unreadable-but-searchable directory components. I
don't yet understand what it does vs what it's supposed to do.
Reported as:
glob("unreadable_but_searchable_dir/a", GLOB_ERR, errfunc, pglob)
returns GLOB_NOMATCH and calls errfunc (it should do neither of
these things) [Kernel?]
4. regcomp
Several wrong error cases I don't yet understand, reported as:
1. regcomp(preg, "xyab\\{3,\\}jk\\{", 0) (unbalanced \{\}) returns
REG_BADBR instead of REG_EBRACE or REG_BADPAT
2. regcomp(preg, "^?xyz", REG_EXTENDED) (? not proceeded by valid
regex) succeeds instead of returning REG_BADRPT or REG_BADPAT
3. regcomp(preg, "[][.-.]-0]", <any>) returns REG_ECOLLATE instead
of succeeding (] represents itself in a bracket expression when it
appears as the first character)
5. psiginfo
Wrongly affecting wide/byte orientation of stderr. Needs to take the
stdio lock itself so it can save and restore the orientation around
the call to fprintf.
6. fileno & non-fd FILEs
fileno is reportedly returning 0 for memory streams. This seems
implausible (they all set f->fd=-1) but it definitely is failing to
set errno to EBADF when f->fd is negative, which it's required to do
for FILEs without an underlying fd.
7. fmemopen & open_[w]memstream
fmemopen mode w+ reportedly doesn't truncate buffer.
open_[w]memstream don't pre-set the stream orientation to byte/wide as
they're supposed to (this is a stupid requirement; conceptually
there's no reason you couldn't have a wide memstream being written via
byte operations, or vice versa, but it's a requirement anyway...).
I think there are other known conformance problems here and in
open_[w]memstream that weren't reported.
8. Linux EISDIR bugs
Linux wrongly fails open with EISDIR when the pathname passed to it
ends in a / but the last component before the / is not a directory.
This affects open and fopen, maybe other things too. Not sure how to
work around it in libc.
9. freopen
Supposedly freopen has to assign fds as if it first closes the old fd
then opens (assigning lowest-free) the new file. If true this makes it
largely useless; right now musl is intentionally preserving the old fd
so that it can be used for replacing the standard streams. This needs
clarification from the Austin Group I think.
10. getdelim
The text of the standard seems to allow malloc/realloc only when the
buffer passed in is not already sufficiently large to hold the result.
The current loop logic we use will force resizing one byte early in
most cases, but can't be trivially changed not to do this without
creating overflows in certain cases (depending on buffering). I will
revisit this after the next release and refactor the loop, but it will
need careful attention to ensure we don't introduce new
bugs/overflows.
11. rename and ./..
Linux wrongly accepts . and .. as final component to rename. Maybe we
can just work around this as strings.
12. strtof/d/ld and ERANGE
Apparently they don't always set ERANGE on underflow like they're
supposed to. Need to investigate whether we're trying and failing or
what.
13. wordexp issues
Reported as:
1. When WRDE_SHOWERR flag is not set, output is still written to
stderr
2. '|', '&', ';', '<', '>', '{ }', and '( )' are accepted in
wordexp input instead of returning WRDE_BADCHAR [CVE?]
3. WRDE_UNDEF is ignored [CVE?]
4. wordexp("`for i in \ndone`", ...) succeeded instead of
returning WRDE_SYNTAX
I don't think any of the [CVE?] issues are security-relevant; they're
all in the case where WRDE_NOCMD was omitted, in which case command
execution is assumed to be possible.
At some point wordexp probably needs a fairly significant overhaul so
I'm not too keen on spending time on the individual issues here, but
will look at fixes anyone wants to propose.
14. abort
The abort function needs to cause process termination as if by SIGABRT
in the case where a SIGABRT handler was installed but returns. Linux
provides no easy mechanism to do this, and we probably need to
emulate it in userspace by preventing reinstallation of a SIGABRT
handler after the first raise(SIGABRT) in abort() returns. I have an
idea for a design but it's a fair bit of work, and I'll probably
return to it after release.
There are also several math issues and small details I didn't mention
which came up in the Adelie testing, which I've omitted here because
this is getting too long.
Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
