changeset 18026:1a086f523d28

fts: avoid reading beyond the heap allocation GCC 5.1.1 with -O2 and -fsanitize=address reports the following from `chmod a+rx ..` for example: ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000be48 READ of size 4 at 0x61200000be48 thread T0 #0 0x40f0a1 in fts_stat lib/fts.c:1821 #1 0x4141ec in fts_open lib/fts.c:514 #2 0x40ca6e in xfts_open lib/xfts.c:36 #3 0x402c35 in process_files src/chmod.c:336 #4 0x402c35 in main src/chmod.c:566 #5 0x7f8fdc38678f in __libc_start_main (/lib64/libc.so.6+0x2078f) #6 0x404608 in _start (/home/padraig/git/coreutils/src/chmod+0x404608) 0x61200000be4b is located 0 bytes to the right of 267-byte region [0x61200000bd40,0x61200000be4b) allocated by thread T0 here: #0 0x7f8fdd4cfa0a in malloc (/lib64/libasan.so.2+0x98a0a) #1 0x40f22c in fts_alloc lib/fts.c:1916 The read of size 4 from a heap object of size 3 is indeed invalid, though this may be due to incorrect padding assumptions by GCC, see: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66661 The read is coming from the a[2] access in ISDOT() which GCC seems to assume can access according to the alignment of the main structure, since the flexible array members are being accessed directly. One could cast the parameter to ISDOT() to (char const*) to restrict to byte at a time access, however it seems more correct and maintainable to increase the buffer size to the appropriate alignment to avoid this issue. For reference some notes on alignment and flexible array members are at: https://sites.google.com/site/embeddedmonologue/home/c-programming/data-alignment-structure-padding-and-flexible-array-member * lib/fts.c (fts_alloc): Increase allocation to alignof(FTSENT). * modules/fts: Depend on stdalign.
author Pádraig Brady <P@draigBrady.com>
date Wed, 24 Jun 2015 23:52:24 +0100
parents 5201cc72e203
children 870a2ccf6d6f
files ChangeLog lib/fts.c modules/fts
diffstat 3 files changed, 18 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2015-06-25  Pádraig Brady  <P@draigBrady.com>
+
+	fts: avoid reading beyond the heap allocation
+	GCC 5.1.1 with -O2 and -fsanitize=address reports
+	a read of size 4 from a heap object of size 3 is indeed invalid,
+	though this may be due to incorrect padding assumptions by GCC, see:
+	https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66661
+	* lib/fts.c (fts_alloc): Increase allocation to alignof(FTSENT).
+	* modules/fts: Depend on stdalign.
+
 2015-06-24  Pádraig Brady  <P@draigBrady.com>
 
 	savedir: avoid undefined behavior in qsort call
--- a/lib/fts.c
+++ b/lib/fts.c
@@ -62,6 +62,7 @@
 #endif
 #include <fcntl.h>
 #include <errno.h>
+#include <stdalign.h>
 #include <stdbool.h>
 #include <stdlib.h>
 #include <string.h>
@@ -1906,6 +1907,12 @@
          * structure and the file name in one chunk.
          */
         len = offsetof(FTSENT, fts_name) + namelen + 1;
+        /* Round the allocation up so it has the same alignment as FTSENT,
+           so that trailing padding may be referenced by direct access
+           to the flexible array members, without triggering undefined behavior
+           by accessing bytes beyond the heap allocation.  This implicit access
+           was seen for example with ISDOT() and GCC 5.1.1 at -O2.  */
+        len = (len + alignof(FTSENT) - 1) & ~(alignof(FTSENT) - 1);
         if ((p = malloc(len)) == NULL)
                 return (NULL);
 
--- a/modules/fts
+++ b/modules/fts
@@ -29,6 +29,7 @@
 openat-safer
 opendir
 readdir
+stdalign
 stdbool
 unistd-safer