AuroraMiddleware/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2024-11-22 13:00:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
f120cda607
glibc/resolv/Makefile
Joseph Myers f120cda607 Fix p_secstodate overflow handling (bug 22463). 
The resolv/res_debug.c function p_secstodate (which is a public
function exported from libresolv, taking an unsigned long argument)
does:

        struct tm timebuf;
        time = __gmtime_r(&clock, &timebuf);
        time->tm_year += 1900;
        time->tm_mon += 1;
        sprintf(output, "%04d%02d%02d%02d%02d%02d",
                time->tm_year, time->tm_mon, time->tm_mday,
                time->tm_hour, time->tm_min, time->tm_sec);

If __gmtime_r returns NULL (because the year overflows the range of
int), this will dereference a null pointer.  Otherwise, if the
computed year does not fit in four characters, this will cause a
buffer overrun of the fixed-size 15-byte buffer.  With current GCC
mainline, there is a compilation failure because of the possible
buffer overrun.

I couldn't find a specification for how this function is meant to
behave, but Paul pointed to RFC 4034 as relevant to the cases where
this function is called from within glibc.  The function's interface
is inherently problematic when dates beyond Y2038 might be involved,
because of the ambiguity in how to interpret 32-bit timestamps as such
dates (the RFC suggests interpreting times as being within 68 years of
the present date, which would mean some kind of interface whose
behavior depends on the present date).

This patch works on the basis of making a minimal fix in preparation
for obsoleting the function.  The function is made to handle times in
the interval [0, 0x7fffffff] only, on all platforms, with <overflow>
used as the output string in other cases (and errno set to EOVERFLOW
in such cases).  This seems to be a reasonable state for the function
to be in when made a compat symbol by a future patch, being compatible
with any existing uses for existing timestamps without trying to work
for later timestamps.  Results independent of the range of time_t also
simplify the testcase.

I couldn't persuade GCC to recognize the ranges of the struct tm
fields by adding explicit range checks with a call to
__builtin_unreachable if outside the range (this looks similar to
<https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80776>), so having added
a range check on the input, this patch then disables the
-Wformat-overflow= warning for the sprintf call (I prefer that to the
use of strftime, as being more transparently correct without knowing
what each of %m and %M etc. is).

I do not know why this build failure should be new with mainline GCC
(that is, I don't know what GCC change might have introduced it, when
the basic functionality for such warnings was already in GCC 7).

I do not know if this is a security issue (that is, if there are
plausible ways in which a date before -999 or after 9999 from an
untrusted source might end up in this function).  The system clock is
arguably an untrusted source (in that e.g. NTP is insecure), but
probably not to that extent (NTP can't communicate such wild
timestamps), and uses from within glibc are limited to 32-bit inputs.

Tested with build-many-glibcs.py that this restores the build for arm
with yesterday's mainline GCC.  Also tested for x86_64 and x86.

	[BZ #22463]
	* resolv/res_debug.c: Include <libc-diag.h>.
	(p_secstodate): Assert time_t at least as wide as u_long.  On
	overflow, use integer seconds since the epoch as output, or use
	"<overflow>" as output and set errno to EOVERFLOW if integer
	seconds since the epoch would be 14 or more characters.
	(p_secstodate) [__GNUC_PREREQ (7, 0)]: Disable -Wformat-overflow=
	for sprintf call.
	* resolv/tst-p_secstodate.c: New file.
	* resolv/Makefile (tests): Add tst-p_secstodate.
	($(objpfx)tst-p_secstodate): Depend on $(objpfx)libresolv.so.
2017-11-22 22:12:07 +00:00

185 lines
6.1 KiB
Makefile
Raw Blame History

# Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This file is part of the GNU C Library.
# The GNU C Library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# The GNU C Library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public
# License along with the GNU C Library; if not, see
# <http://www.gnu.org/licenses/>.
#
# Sub-makefile for resolv portion of the library.
#
subdir := resolv
include ../Makeconfig
headers := resolv.h bits/types/res_state.h \
netdb.h bits/netdb.h \
arpa/nameser.h arpa/nameser_compat.h \
sys/bitypes.h
routines := herror inet_addr inet_ntop inet_pton nsap_addr res_init \
res_hconf res_libc res-state res_randomid res-close \
resolv_context resolv_conf
tests = tst-aton tst-leaks tst-inet_ntop
xtests = tst-leaks2
generate := mtrace-tst-leaks.out tst-leaks.mtrace tst-leaks2.mtrace
extra-libs := libresolv libnss_dns
ifeq ($(have-thread-library),yes)
extra-libs += libanl
routines += gai_sigqueue
tests += \
tst-bug18665 \
tst-bug18665-tcp \
tst-ns_name \
tst-ns_name_compress \
tst-ns_name_pton \
tst-res_hconf_reorder \
tst-res_hnok \
tst-res_use_inet6 \
tst-resolv-basic \
tst-resolv-edns \
tst-resolv-network \
tst-resolv-res_init-multi \
tst-resolv-search \
tst-p_secstodate \
# These tests need libdl.
ifeq (yes,$(build-shared))
tests += \
tst-resolv-canonname \
# uses DEPRECATED_RES_USE_INET6 from <resolv-internal.h>.
tests-internal += \
tst-resolv-res_init \
tst-resolv-res_init-thread \
# Needs resolv_context.
tests-internal += \
tst-resolv-res_ninit \
tst-resolv-threads \
endif
# This test accesses __inet_ntop_length, an internal libc function.
tests-internal += tst-inet_pton
# This test sends millions of packets and is rather slow.
xtests += tst-resolv-qtypes
# This test has dropped packet tests and runs for a long time.
xtests += tst-resolv-rotate
endif
extra-libs-others = $(extra-libs)
libresolv-routines := res_comp res_debug \
res_data res_mkquery res_query res_send \
inet_net_ntop inet_net_pton inet_neta base64 \
ns_parse ns_name ns_netint ns_ttl ns_print \
ns_samedomain ns_date \
compat-hooks compat-gethnamaddr
libanl-routines := gai_cancel gai_error gai_misc gai_notify gai_suspend \
getaddrinfo_a
subdir-dirs = nss_dns
vpath %.c nss_dns
libnss_dns-routines := dns-host dns-network dns-canon
libnss_dns-inhibit-o = $(filter-out .os,$(object-suffixes))
ifeq ($(build-static-nss),yes)
routines += $(libnss_dns-routines) $(libresolv-routines)
static-only-routines += $(libnss_dns-routines) $(libresolv-routines)
endif
ifeq ($(run-built-tests),yes)
ifneq (no,$(PERL))
tests-special += $(objpfx)mtrace-tst-leaks.out
xtests-special += $(objpfx)mtrace-tst-leaks2.out
tests-special += $(objpfx)mtrace-tst-resolv-res_ninit.out
endif
endif
ifeq (,$(filter sunrpc,$(subdirs)))
# The netdb.h we install does '#include <rpc/netdb.h>', so one must exist.
# If sunrpc/ is built in this configuration, it installs a real <rpc/netdb.h>.
# If that's not going to happen, install our dummy file.
headers += rpc/netdb.h
endif
generated += mtrace-tst-leaks.out tst-leaks.mtrace \
mtrace-tst-leaks2.out tst-leaks2.mtrace \
mtrace-tst-resolv-res_ninit.out tst-resolv-res_ninit.mtrace \
include ../Rules
CFLAGS-res_hconf.c = -fexceptions
# The DNS NSS modules needs the resolver.
$(objpfx)libnss_dns.so: $(objpfx)libresolv.so
# The asynchronous name lookup code needs the thread library.
$(objpfx)libanl.so: $(shared-thread-library)
$(objpfx)tst-res_hconf_reorder: $(libdl) $(shared-thread-library)
tst-res_hconf_reorder-ENV = RESOLV_REORDER=on
$(objpfx)tst-leaks: $(objpfx)libresolv.so
tst-leaks-ENV = MALLOC_TRACE=$(objpfx)tst-leaks.mtrace
$(objpfx)mtrace-tst-leaks.out: $(objpfx)tst-leaks.out
$(common-objpfx)malloc/mtrace $(objpfx)tst-leaks.mtrace > $@; \
$(evaluate-test)
tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
$(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
$(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
$(evaluate-test)
tst-resolv-res_ninit-ENV = MALLOC_TRACE=$(objpfx)tst-resolv-res_ninit.mtrace
$(objpfx)mtrace-tst-resolv-res_ninit.out: $(objpfx)tst-resolv-res_ninit.out
$(common-objpfx)malloc/mtrace \
$(objpfx)tst-resolv-res_ninit.mtrace > $@; \
$(evaluate-test)
$(objpfx)tst-bug18665-tcp: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-bug18665: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-res_use_inet6: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-basic: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-edns: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-network: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-res_init: $(libdl) $(objpfx)libresolv.so
$(objpfx)tst-resolv-res_init-multi: $(objpfx)libresolv.so \
$(shared-thread-library)
$(objpfx)tst-resolv-res_init-thread: $(libdl) $(objpfx)libresolv.so \
$(shared-thread-library)
$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-search: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-threads: \
$(libdl) $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-canonname: \
$(libdl) $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-ns_name: $(objpfx)libresolv.so
$(objpfx)tst-ns_name.out: tst-ns_name.data
$(objpfx)tst-ns_name_compress: $(objpfx)libresolv.so
$(objpfx)tst-ns_name_pton: $(objpfx)libresolv.so
$(objpfx)tst-res_hnok: $(objpfx)libresolv.so
$(objpfx)tst-p_secstodate: $(objpfx)libresolv.so
# This test case uses the deprecated RES_USE_INET6 resolver option.
CFLAGS-tst-res_use_inet6.c += -Wno-error
Reference in New Issue View Git Blame Copy Permalink