A sufficiently mad compiler optimiser can take undefined behaviour
according to the C standard as an opportunity to remove code. Since
"data + size" might be seen to be past the end of an array,
calculating such an expression is UB.
_mul_overflow is infrastructure for later patches.
* bucomm.h (_mul_overflow): Define.
* dwarf.c (get_encoded_value): Avoid pointer UB.

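An added example, not binutils code, of the two pieces the entry above describes: a bounds check that never forms the pointer `data + size` (so the optimiser has no UB to exploit) and a checked multiply in the spirit of `_mul_overflow`. The names `in_bounds`, `mul_overflow` and `encoded_span` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Return true if SIZE bytes starting at DATA lie within [DATA, END).
   The remaining length is compared against SIZE instead of computing
   DATA + SIZE, which is undefined behaviour when it would point past
   END and therefore a check the compiler is entitled to delete.  */
static bool
in_bounds (const unsigned char *data, const unsigned char *end, size_t size)
{
  if (data > end)
    return false;
  return (size_t) (end - data) >= size;
}

/* Checked multiplication: return true if A * B overflows size_t,
   otherwise store the product in *RES and return false.  */
static bool
mul_overflow (size_t a, size_t b, size_t *res)
{
#if defined __GNUC__ && (__GNUC__ >= 5 || defined __clang__)
  return __builtin_mul_overflow (a, b, res);
#else
  if (a != 0 && b > SIZE_MAX / a)
    return true;
  *res = a * b;
  return false;
#endif
}

/* Size of COUNT encoded values of WIDTH bytes each starting at DATA,
   or 0 if the multiplication overflows or the span does not fit
   before END.  Hypothetical consumer of the two helpers above.  */
static size_t
encoded_span (const unsigned char *data, const unsigned char *end,
              size_t count, size_t width)
{
  size_t total;

  if (mul_overflow (count, width, &total))
    return 0;
  if (!in_bounds (data, end, total))
    return 0;
  return total;
}

/* Constructed sample buffer used by the checks below.  */
static unsigned char sample[16];
```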
This patch makes use of the temp file descriptor in smart_rename
rather than reopening the file. I don't believe there is a security
issue in reopening the file, but this way is one less directory
operation. The patch also attempts to preserve S_ISUID and S_ISGID.
PR 27456
* bucomm.h (smart_rename): Update prototype.
* rename.c (smart_rename): Add fromfd and preserve_dates params.
Pass fromfd and target_stat to simple_copy. Call set_times
when preserve_dates.
(simple_copy): Accept fromfd rather than from filename. Add
target_stat param. Rewind fromfd rather than opening. Open
"to" file without O_CREAT. Try to preserve S_ISUID and S_ISGID.
* ar.c (write_archive): Rename ofd to tmpfd. Dup tmpfd before
closing output temp file, and pass tmpfd to smart_rename.
* arsup.c (temp_fd): Rename from real_fd.
(ar_save): Dup temp_fd and pass to smart_rename.
* objcopy.c (strip_main, copy_main): Likewise, and pass
preserve_dates.

Renaming over existing files needs additional care to restore
permissions and ownership, which may not always succeed.
Additionally, other properties of the file such as extended attributes
may be lost, making the operation flaky.
For predictable results, resort to rename() only if the file does not
exist, otherwise copy the file contents into the existing file. This
ensures that no additional tricks are needed to retain file
properties.
This also allows dropping of the redundant set_times on the tmpfile in
objcopy/strip since now we no longer rename over existing files.
binutils/
* ar.c (write_archive): Remove TARGET_STAT. Adjust call to
SMART_RENAME.
* arsup.c (ar_save): Likewise.
* objcopy (strip_main): Don't copy TMPFD. Don't set times on
temporary file and adjust call to SMART_RENAME.
(copy_main): Likewise.
* rename.c [!S_ISLNK]: Remove definitions.
(try_preserve_permissions): Remove function.
(smart_rename): Remove FD, PRESERVE_DATES arguments. Use
rename system call only if TO does not exist.
* bucomm.h (smart_rename): Adjust declaration.

smart_rename is capable of handling symlinks by copying and it also
tries to preserve ownership and permissions of files when they're
overwritten during the rename. This is useful in objcopy where the
file properties need to be preserved.
However because smart_rename does this using file names, it leaves a
race window between renames and permission fixes. This change removes
this race window by using file descriptors from the original BFDs that
were used to manipulate these files wherever possible.
The file that is to be renamed is also passed as a file descriptor so
that we use fchown/fchmod on the file descriptor, thus making sure
that we only modify the file we have opened to write. Further, in
case the file is to be overwritten (as is the case in ar or objcopy),
the permissions that need to be restored are taken from the file
descriptor that was opened for input so that integrity of the file
status is maintained all the way through to the rename.
binutils/
* rename.c
* ar.c
(write_archive) [!defined (_WIN32) || defined (__CYGWIN32__)]:
Initialize TARGET_STAT and OFD to pass to SMART_RENAME.
* arsup.c
(ar_save) [defined (_WIN32) || defined (__CYGWIN32__)]:
Likewise.
* bucomm.h (smart_rename): Add new arguments to declaration.
* objcopy.c
(strip_main)[defined (_WIN32) || defined (__CYGWIN32__)]:
Initialize COPYFD and pass to SMART_RENAME.
(copy_main) [defined (_WIN32) || defined (__CYGWIN32__)]:
Likewise.
* rename.c (try_preserve_permissions): New function.
(smart_rename): Use it and add new arguments.

The purpose of creating a temporary file securely using mkstemp is
defeated if it is closed in make_tempname and reopened later for use;
it is as good as using mktemp. Get the file descriptor instead and
then use it to create the BFD object.
bfd/
* opncls.c (bfd_fdopenw): New function.
* bfd-in2.h: Regenerate.
binutils/
* bucomm.c (make_tempname): Add argument to return file
descriptor.
* bucomm.h (make_tempname): Likewise.
* ar.c: Include libbfd.h.
(write_archive): Adjust for change in make_tempname. Call
bfd_fdopenw instead of bfd_openw.
* objcopy.c: Include libbfd.h.
(copy_file): New argument OFD. Use bfd_fdopenw instead of
bfd_openw.
(strip_main): Adjust for change in make_tempname and
copy_file.
(copy_main): Likewise.

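The descriptor-based scheme the smart_rename entries above describe, together with the rule from the mkstemp entry that the descriptor mkstemp returned is used directly rather than reopened by name, as an added illustration that is not binutils' smart_rename or simple_copy. `install_file` is a hypothetical name; the caller is assumed to pass the still-open mkstemp descriptor as `fromfd`.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Install the temp file FROM (open as FROMFD) at path TO.  If TO does not
   exist, rename FROM over it.  Otherwise copy FROMFD's bytes through the
   existing inode of TO, so its owner, mode and other properties are never
   replaced.  Returns 0 on success, -1 on error.  Constructed example.  */
static int
install_file (const char *from, int fromfd, const char *to)
{
  struct stat to_st, open_st;
  char buf[8192];
  ssize_t n = 0;
  int tofd, ret = 0;

  if (stat (to, &to_st) != 0)
    return rename (from, to);
  /* No O_CREAT: we only ever write into a file that already exists.  */
  tofd = open (to, O_WRONLY | O_TRUNC);
  if (tofd < 0)
    return -1;
  /* Verify the descriptor refers to the inode we stat'ed, not a swap-in.  */
  if (fstat (tofd, &open_st) != 0 || open_st.st_ino != to_st.st_ino
      || open_st.st_dev != to_st.st_dev)
    { close (tofd); return -1; }
  /* Rewind the temp file instead of reopening it by name.  */
  if (lseek (fromfd, 0, SEEK_SET) != 0)
    { close (tofd); return -1; }
  while (ret == 0 && (n = read (fromfd, buf, sizeof buf)) > 0)
    for (ssize_t off = 0; off < n && ret == 0; )
      {
        ssize_t w = write (tofd, buf + off, (size_t) (n - off));
        if (w < 0) ret = -1; else off += w;
      }
  if (n < 0)
    ret = -1;
  /* Writing can clear setuid/setgid; try to put them back on the descriptor
     we wrote.  This fails for a non-owner, which is not fatal.  */
  if (ret == 0 && (to_st.st_mode & (S_ISUID | S_ISGID)))
    (void) fchmod (tofd, to_st.st_mode & 07777);
  if (close (tofd) != 0)
    ret = -1;
  if (ret == 0 && unlink (from) != 0)
    ret = -1;
  return ret;
}
```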
This constifies the argument to make_tempname and make_tempdir,
removing some casts.
I initially thought that this obsoleted the allocation in
write_archive, but write_archive closes the BFD before using the name,
so this appears not to be the case.
binutils/ChangeLog
2019-09-11 Tom Tromey <tom@tromey.com>
* objcopy.c (copy_archive): Update.
* bucomm.h (make_tempname, make_tempdir): Make argument const.
* bucomm.c (make_tempname, make_tempdir): Make argument const.

PR 23107
* ar.c (display_offsets): New variable.
(usage): Add description of 'O' operator.
(decode_option): Handle 'O' operator.
(print_descr): Pass display_offsets to print_arelt_descr.
* arsup.c: Update call to print_arelt_descr.
* objdump.c: Likewise.
* bucomm.c (print_arelt_descr): If offsets parameter is true then
display offset of archive element within the archive.
* bucomm.h: Update prototype for print_arelt_descr.
* doc/binutils.texi: Update description of ar command.
* NEWS: Mention the new feature.
* testsuite/binutils-all/ar.exp: Add text of new feature.

PR binutils/17552, binutils/17533
* bucomm.c (is_valid_archive_path): New function. Returns false
for absolute pathnames and pathnames that include /../.
* bucomm.h (is_valid_archive_path): Add prototype.
* ar.c (extract_file): Use new function to check for valid
pathnames when extracting files from an archive.
* objcopy.c (copy_archive): Likewise.
* doc/binutils.texi: Update documentation to mention the
limitation on pathname of archive members.

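An added example, not binutils' is_valid_archive_path, of the member-name check the entry above describes. `archive_path_is_safe` is a hypothetical name; it goes slightly beyond the entry by also rejecting a leading or trailing `..` component, and it assumes POSIX `/` separators only.

```c
#include <stdbool.h>
#include <string.h>

/* Reject archive member names that could escape the extraction directory:
   an absolute name, an empty name, or any "/"-separated component equal to
   "..".  A leading "./", repeated slashes, and names such as "..foo" that
   merely start with two dots are accepted.  Constructed example.  */
static bool
archive_path_is_safe (const char *name)
{
  const char *p = name;

  if (*p == '\0' || *p == '/')
    return false;
  while (*p)
    {
      const char *comp_end = strchr (p, '/');
      size_t len = comp_end ? (size_t) (comp_end - p) : strlen (p);

      if (len == 2 && p[0] == '.' && p[1] == '.')
        return false;
      if (!comp_end)
        break;
      p = comp_end + 1;
    }
  return true;
}
```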
* bucomm.h (bfd_nonfatal_message): Declare.
* objcopy.c (RETURN_NONFATAL): Take BFD not NAME, use
bfd_nonfatal_message.
(copy_unknown_object): Adjust bfd_nonfatal and RETURN_NONFATAL
calls, or replace with bfd_nonfatal_message calls as appropriate.
(copy_object, copy_archive, copy_file, setup_section,
copy_section, write_debugging_info): Likewise.

* bucomm.c (template_in_dir): New function, split out from..
(make_tempname): ..here. Open the file with O_EXCL if !HAVE_MKSTEMP.
(make_tempdir): Use template_in_dir. Handle directory creation
when !HAVE_MKDTEMP.
* objcopy.c (MKDIR): Don't define.
(copy_archive): Use make_tempdir when !HAVE_MKDTEMP too. Fix
error message.

* configure.in: Check for the mkstemp and mkdtemp functions.
* configure: Regenerate.
* config.in (HAVE_MKDTEMP): New potential define.
(MAKE_MKSTEMP): Likewise.
* bucomm.c (make_tempname): Use mkstemp if it is available.
(make_tempdir): New function: Create a temporary directory using mkdtemp, if
it is available.
* bucomm.h (make_tempdir): New prototype.
* objcopy.c (copy_archive): Use make_tempdir if it is available.
(strip_main): Produce a warning message if a temporary file could not be
(copy_main): Likewise.
* ar.c (write_archive): Likewise.