6 Commits
1.0 ... master

Author SHA1 Message Date
sin
e3fee64643 Bump to 1.1 2019-04-14 09:25:54 +01:00
info@mobile-stream.com
9e65ae387c getgroups: do not trap on non-positive gidsetsize
First, we should never check the size of __s if __l == 0 since the
array is not going to be modified in that case.

Second, negative __l is a well-defined error case (EINVAL) and we
should never trap on a conforming code like this:

r = getgroups(-1, NULL);
if (r == -1)
  ...

An example of undesired behaviour for negative __l is the gnulib
configure script, which checks for getgroups(-1, ...) to catch some
ancient FreeBSD kernel bug. The conftest binary traps even on a good
system (e.g. linux/musl), and the unnecessary getgroups wrapper is
enforced for any project that uses gnulib.

This patch also changes the size_t cast to avoid the explicit zero
extension on systems where size_t differs from unsigned int.
2019-03-13 17:47:50 +00:00
info@mobile-stream.com
9b796691eb wctomb, wcrtomb: guard slow/trap path with MB_LEN_MAX
This allows the compiler to optimize out the slow/trap path entirely
for the typical correct code:

char buf[MB_LEN_MAX];
r = wctomb(buf, c);

The change tries to keep the "unknown object size" case handling in
wcrtomb() as is even if it seems redundant and not helping (we copy
__buf to possibly undersized __s in any case) and inconsistent with
wctomb() (where we let the original library method itself overwrite
the possibly undersized __s).
2019-03-07 00:05:34 +00:00
info@mobile-stream.com
ff82ffbc74 realpath: guard slow/trap path with PATH_MAX
This allows the compiler to optimize out the slow/trap path entirely
for the typical correct code:

char buf[PATH_MAX];
r = realpath(path, buf);

The change keeps the "unknown object size" case handling intact.
2019-03-07 00:05:30 +00:00
sin
1435d8186b Bump copyright 2019-02-25 13:22:33 +00:00
sin
5aabc7e6aa Make use of builtins whenever possible 2019-02-25 13:17:08 +00:00
6 changed files with 14 additions and 17 deletions

@ -1,4 +1,4 @@
Copyright (C) 2015-2016 Dimitris Papastamos <sin@2f30.org>
Copyright (C) 2015-2019 Dimitris Papastamos <sin@2f30.org>
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted.

@ -1,4 +1,4 @@
VERSION = 1.0
VERSION = 1.1
PREFIX = /usr/local
install:

@ -39,12 +39,10 @@ extern "C" {
#undef realpath
_FORTIFY_FN(realpath) char *realpath(const char *__p, char *__r)
{
size_t __b = __builtin_object_size(__r, 0);
if (__r) {
#ifndef PATH_MAX
#error PATH_MAX unset. A fortified realpath will not work.
#else
if (__r && PATH_MAX > __builtin_object_size(__r, 2)) {
char __buf[PATH_MAX], *__ret;
size_t __l;
@ -52,13 +50,13 @@ _FORTIFY_FN(realpath) char *realpath(const char *__p, char *__r)
if (!__ret)
return NULL;
__l = __builtin_strlen(__ret) + 1;
if (__l > __b)
if (__l > __builtin_object_size(__r, 0))
__builtin_trap();
__builtin_memcpy(__r, __ret, __l);
return __r;
#endif
}
return __orig_realpath(__p, __r);
#endif
}
#endif
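Review bot: The guard `if (__r && PATH_MAX > __builtin_object_size(__r, 2))` and the trap test `__l > __builtin_object_size(__r, 0)` use different object-size modes, and nothing in the code says why. Mode 2 yields 0 for an unknown size, which keeps unknown destinations on the bounce-buffer path, while mode 0 yields `(size_t)-1` there, so that path can never trap for them; where the two modes disagree on a known object, the trap is measured against the larger bound. A short comment above the `if`, for example `/* mode 2 is 0 when the size is unknown, so such buffers still go through __buf; the trap below uses mode 0, the upper bound */`, would keep a later cleanup from unifying the two calls and silently changing which destinations are checked. The same pairing appears in the wcrtomb hunk of this comparison.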

@ -50,7 +50,7 @@ _FORTIFY_FN(memcpy) void *memcpy(void *__od, const void *__os, size_t __n)
__builtin_trap();
if (__n > __bd || __n > __bs)
__builtin_trap();
return __orig_memcpy(__od, __os, __n);
return __builtin_memcpy(__od, __os, __n);
}
_FORTIFY_FN(memmove) void *memmove(void *__d, const void *__s, size_t __n)
@ -69,7 +69,7 @@ _FORTIFY_FN(memset) void *memset(void *__d, int __c, size_t __n)
if (__n > __b)
__builtin_trap();
return __orig_memset(__d, __c, __n);
return __builtin_memset(__d, __c, __n);
}
#if defined(_POSIX_SOURCE) || defined(_POSIX_C_SOURCE) \

@ -75,7 +75,7 @@ _FORTIFY_FN(getgroups) int getgroups(int __l, gid_t *__s)
{
size_t __b = __builtin_object_size(__s, 0);
if (__l < 0 || (size_t)__l > __b / sizeof(gid_t))
if (__l > 0 && (unsigned)__l > __b / sizeof(gid_t))
__builtin_trap();
return __orig_getgroups(__l, __s);
}
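Review bot: The rewritten condition `__l > 0 && (unsigned)__l > __b / sizeof(gid_t)` is only correct because the sign test comes first, and the hunk carries no comment recording that zero and negative sizes are passed through on purpose. Without one, a later reader could take the missing `__l < 0` trap for an oversight and restore it, which would bring back the abort on `getgroups(-1, NULL)` that the commit message describes. I would add above the `if`: `/* __l == 0 only queries the count and __l < 0 fails with EINVAL; neither writes to __s, so only positive sizes are checked */`.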

@ -111,17 +111,16 @@ _FORTIFY_FN(mbstowcs) size_t mbstowcs(wchar_t *__ws, const char *__s, size_t __w
_FORTIFY_FN(wcrtomb) size_t wcrtomb(char *__s, wchar_t __w, mbstate_t *__st)
{
char __buf[MB_LEN_MAX];
size_t __b = __builtin_object_size(__s, 0);
size_t __r;
if (__s && MB_LEN_MAX > __builtin_object_size(__s, 2)) {
char __buf[MB_LEN_MAX];
size_t __r;
if (__s) {
__r = __orig_wcrtomb(__buf, __w, __st);
if (__r == (size_t)-1)
return __r;
if (__r > __b)
if (__r > __builtin_object_size(__s, 0))
__builtin_trap();
memcpy(__s, __buf, __r);
__builtin_memcpy(__s, __buf, __r);
return __r;
}
return __orig_wcrtomb(__s, __w, __st);
@ -218,7 +217,7 @@ _FORTIFY_FN(wctomb) int wctomb(char *__s, wchar_t __w)
{
size_t __b = __builtin_object_size(__s, 0);
if (__s && MB_CUR_MAX > __b)
if (__s && MB_LEN_MAX > __b && MB_CUR_MAX > __b)
__builtin_trap();
return __orig_wctomb(__s, __w);
}
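Review bot: In the wctomb hunk the added `MB_LEN_MAX > __b` term never changes the outcome, since MB_CUR_MAX cannot exceed MB_LEN_MAX, so it reads as dead logic unless its purpose is written down. Its job appears to be letting the compiler fold the whole test away when `__b` is a known constant of at least MB_LEN_MAX, as the commit message describes; a one-line comment such as `/* MB_LEN_MAX term is constant-foldable; it removes the MB_CUR_MAX test for full-size buffers */` would protect it from being simplified out. This check also still traps on any known buffer smaller than MB_CUR_MAX regardless of how many bytes the character needs, whereas wcrtomb in the hunk above traps only on the actual length `__r`. The commit message acknowledges that inconsistency, and the header should state which of the two behaviours is intended.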