[PATCH] [RFC] fts: avoid reading beyond the heap allocation

bug-gnulib

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] [RFC] fts: avoid reading beyond the heap allocation

From:	Pádraig Brady
Subject:	[PATCH] [RFC] fts: avoid reading beyond the heap allocation
Date:	Thu, 25 Jun 2015 00:06:54 +0100

GCC 5.1.1 with -O2 and -fsanitize=address reports
the following from `chmod a+rx ..` for example:

  ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000be48
  READ of size 4 at 0x61200000be48 thread T0
    #0 0x40f0a1 in fts_stat lib/fts.c:1821
    #1 0x4141ec in fts_open lib/fts.c:514
    #2 0x40ca6e in xfts_open lib/xfts.c:36
    #3 0x402c35 in process_files src/chmod.c:336
    #4 0x402c35 in main src/chmod.c:566
    #5 0x7f8fdc38678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x404608 in _start (/home/padraig/git/coreutils/src/chmod+0x404608)

  0x61200000be4b is located 0 bytes to the right of
  267-byte region [0x61200000bd40,0x61200000be4b) allocated by thread T0 here:
    #0 0x7f8fdd4cfa0a in malloc (/lib64/libasan.so.2+0x98a0a)
    #1 0x40f22c in fts_alloc lib/fts.c:1916

The read of size 4 from a heap object of size 3 is indeed invalid.
The read is coming from the a[2] access in ISDOT() which GCC seems
to assume can access according to the alignment of the main structure,
since the flexible array members are being accessed directly.
One could cast the parameter to ISDOT() to (char const*) to restrict
to byte at a time access, however it seems more correct and maintainable
to increase the buffer size to the appropriate alignment to avoid this issue.
For reference some notes on alignment and flexible array members are at:
https://sites.google.com/site/embeddedmonologue/home/c-programming/data-alignment-structure-padding-and-flexible-array-member

* lib/fts.c (fts_alloc): Increase allocation to alignof(FTSENT).
---
 lib/fts.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/fts.c b/lib/fts.c
index 6084101..eb19dd1 100644
--- a/lib/fts.c
+++ b/lib/fts.c
@@ -62,6 +62,7 @@ static char sccsid[] = "@(#)fts.c       8.6 (Berkeley) 
8/14/94";
 #endif
 #include <fcntl.h>
 #include <errno.h>
+#include <stdalign.h>
 #include <stdbool.h>
 #include <stdlib.h>
 #include <string.h>
@@ -1906,6 +1907,12 @@ fts_alloc (FTS *sp, const char *name, register size_t 
namelen)
          * structure and the file name in one chunk.
          */
         len = offsetof(FTSENT, fts_name) + namelen + 1;
+        /* Round the allocation up so it has the same alignment as FTSENT,
+           so that trailing padding may be referenced by direct access
+           to the flexible array members, without triggering undefined behavior
+           by accessing bytes beyond the heap allocation.  This implicit access
+           was seen for example with ISDOT() and GCC 5.1.1 at -O2.  */
+        len = (len + alignof (FTSENT) - 1) & ~(alignof (FTSENT) - 1);
         if ((p = malloc(len)) == NULL)
                 return (NULL);
 
-- 
2.4.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] [RFC] fts: avoid reading beyond the heap allocation, Pádraig Brady <=
- Re: [PATCH] [RFC] fts: avoid reading beyond the heap allocation, Paul Eggert, 2015/06/24
  - Re: [PATCH] [RFC] fts: avoid reading beyond the heap allocation, Pádraig Brady, 2015/06/24

Prev by Date: [PATCH] savedir: avoid undefined behavior in qsort call
Next by Date: Re: [PATCH] [RFC] fts: avoid reading beyond the heap allocation
Previous by thread: [PATCH] savedir: avoid undefined behavior in qsort call
Next by thread: Re: [PATCH] [RFC] fts: avoid reading beyond the heap allocation
Index(es):
- Date
- Thread