Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 24 Apr 2020 09:40:15 +0000
From: Pascal Cuoq <cuoq@...st-in-soft.com>
To: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
Subject: Re: Invalid pointer subtractions in __shlim and __shgetc

Hello,

Rich Felker <dalias@...c.org> wrote:
> The attached should fix it, I think.

The patch sets f.rpos and f.rend to buf+4, but it also leaves
f.buf containing 0 from “FILE f = {0};”:
--- a/src/stdlib/wcstol.c
+++ b/src/stdlib/wcstol.c
@@ -35,8 +35,7 @@ static unsigned long long wcstox(const wchar_t *s, wchar_t **p, int base, unsign
 	unsigned char buf[64];
 	FILE f = {0};
 	f.flags = 0;
-	f.rpos = f.rend = 0;
-	f.buf = buf + 4;
+	f.rpos = f.rend = buf + 4;
 	f.buf_size = sizeof buf - 4;
 	f.lock = -1;
 	f.read = do_read;

Unfortunately, the function __shlim also subtracts f.rpos from f.buf, at this line:

  f->shcnt = f->buf - f->rpos;

(https://git.musl-libc.org/cgit/musl/tree/src/internal/shgetc.c?id=33338ebc853d37c80f0f236cc7a92cb0acc6aace#n11 )

So that is now where the invalid subtraction happens.

For what it's worth, we have tested the patch consisting in
initializing all three of f.rpos, f.rend and f.buf to buf+4, and that
does not cause UB in this test. But we can't tell if if provides the
correct functional behavior for this test and for other inputs.

Pascal

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.