2015-09-22 19:40:17 +08:00
|
|
|
/* Test for bug 17079: heap overflow in NSS with small buffers.
|
2022-01-02 02:54:23 +08:00
|
|
|
Copyright (C) 2015-2022 Free Software Foundation, Inc.
|
2015-09-22 19:20:18 +08:00
|
|
|
This file is part of the GNU C Library.
|
|
|
|
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
|
|
modify it under the terms of the GNU Lesser General Public
|
|
|
|
License as published by the Free Software Foundation; either
|
|
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
Lesser General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
|
|
License along with the GNU C Library; if not, see
|
Prefer https to http for gnu.org and fsf.org URLs
Also, change sources.redhat.com to sourceware.org.
This patch was automatically generated by running the following shell
script, which uses GNU sed, and which avoids modifying files imported
from upstream:
sed -ri '
s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g
s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g
' \
$(find $(git ls-files) -prune -type f \
! -name '*.po' \
! -name 'ChangeLog*' \
! -path COPYING ! -path COPYING.LIB \
! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \
! -path manual/texinfo.tex ! -path scripts/config.guess \
! -path scripts/config.sub ! -path scripts/install-sh \
! -path scripts/mkinstalldirs ! -path scripts/move-if-change \
! -path INSTALL ! -path locale/programs/charmap-kw.h \
! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \
! '(' -name configure \
-execdir test -f configure.ac -o -f configure.in ';' ')' \
! '(' -name preconfigure \
-execdir test -f preconfigure.ac ';' ')' \
-print)
and then by running 'make dist-prepare' to regenerate files built
from the altered files, and then executing the following to cleanup:
chmod a+x sysdeps/unix/sysv/linux/riscv/configure
# Omit irrelevant whitespace and comment-only changes,
# perhaps from a slightly-different Autoconf version.
git checkout -f \
sysdeps/csky/configure \
sysdeps/hppa/configure \
sysdeps/riscv/configure \
sysdeps/unix/sysv/linux/csky/configure
# Omit changes that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines
git checkout -f \
sysdeps/powerpc/powerpc64/ppc-mcount.S \
sysdeps/unix/sysv/linux/s390/s390-64/syscall.S
# Omit change that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline
git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-09-07 13:40:42 +08:00
|
|
|
<https://www.gnu.org/licenses/>. */
|
2015-09-22 19:20:18 +08:00
|
|
|
|
|
|
|
#include <errno.h>
|
2018-01-30 13:28:49 +08:00
|
|
|
#include <nss.h>
|
2015-09-22 19:20:18 +08:00
|
|
|
#include <pwd.h>
|
|
|
|
#include <stdbool.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
2017-08-18 05:58:25 +08:00
|
|
|
#include <support/support.h>
|
|
|
|
|
2015-09-22 19:20:18 +08:00
|
|
|
/* Check if two passwd structs contain the same data. */
|
|
|
|
static bool
|
|
|
|
equal (const struct passwd *a, const struct passwd *b)
|
|
|
|
{
|
|
|
|
return strcmp (a->pw_name, b->pw_name) == 0
|
|
|
|
&& strcmp (a->pw_passwd, b->pw_passwd) == 0
|
|
|
|
&& a->pw_uid == b->pw_uid
|
|
|
|
&& a->pw_gid == b->pw_gid
|
|
|
|
&& strcmp (a->pw_gecos, b->pw_gecos) == 0
|
|
|
|
&& strcmp (a->pw_dir, b->pw_dir) == 0
|
|
|
|
&& strcmp (a->pw_shell, b->pw_shell) == 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
enum { MAX_TEST_ITEMS = 10 };
|
|
|
|
static struct passwd test_items[MAX_TEST_ITEMS];
|
|
|
|
static int test_count;
|
|
|
|
|
|
|
|
/* Initialize test_items and test_count above, with data from the
|
|
|
|
passwd database. */
|
|
|
|
static bool
|
|
|
|
init_test_items (void)
|
|
|
|
{
|
|
|
|
setpwent ();
|
|
|
|
do
|
|
|
|
{
|
|
|
|
struct passwd *pwd = getpwent ();
|
|
|
|
if (pwd == NULL)
|
|
|
|
break;
|
|
|
|
struct passwd *target = test_items + test_count;
|
2017-08-18 05:58:25 +08:00
|
|
|
target->pw_name = xstrdup (pwd->pw_name);
|
|
|
|
target->pw_passwd = xstrdup (pwd->pw_passwd);
|
2015-09-22 19:20:18 +08:00
|
|
|
target->pw_uid = pwd->pw_uid;
|
|
|
|
target->pw_gid = pwd->pw_gid;
|
2017-08-18 05:58:25 +08:00
|
|
|
target->pw_gecos = xstrdup (pwd->pw_gecos);
|
|
|
|
target->pw_dir = xstrdup (pwd->pw_dir);
|
|
|
|
target->pw_shell = xstrdup (pwd->pw_shell);
|
2015-09-22 19:20:18 +08:00
|
|
|
}
|
|
|
|
while (++test_count < MAX_TEST_ITEMS);
|
|
|
|
endpwent ();
|
|
|
|
|
|
|
|
/* Filter out those test items which cannot be looked up by name or
|
|
|
|
UID. */
|
|
|
|
bool found = false;
|
|
|
|
for (int i = 0; i < test_count; ++i)
|
|
|
|
{
|
|
|
|
struct passwd *pwd1 = getpwnam (test_items[i].pw_name);
|
|
|
|
struct passwd *pwd2 = getpwuid (test_items[i].pw_uid);
|
|
|
|
if (pwd1 == NULL || !equal (pwd1, test_items + i)
|
|
|
|
|| pwd2 == NULL || !equal (pwd2, test_items + i))
|
2015-09-26 02:20:33 +08:00
|
|
|
{
|
|
|
|
printf ("info: skipping user \"%s\", UID %ld due to inconsistency\n",
|
|
|
|
test_items[i].pw_name, (long) test_items[i].pw_uid);
|
|
|
|
test_items[i].pw_name = NULL;
|
|
|
|
}
|
2015-09-22 19:20:18 +08:00
|
|
|
else
|
|
|
|
found = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!found)
|
|
|
|
puts ("error: no accounts found which can be looked up by name and UID.");
|
|
|
|
return found;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Set to true if an error is encountered. */
|
|
|
|
static bool errors;
|
|
|
|
|
|
|
|
/* Return true if the padding has not been tampered with. */
|
|
|
|
static bool
|
|
|
|
check_padding (char *buffer, size_t size, char pad)
|
|
|
|
{
|
|
|
|
char *end = buffer + size;
|
|
|
|
while (buffer < end)
|
|
|
|
{
|
|
|
|
if (*buffer != pad)
|
|
|
|
return false;
|
|
|
|
++buffer;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Test one buffer size and padding combination. */
|
|
|
|
static void
|
|
|
|
test_one (const struct passwd *item, size_t buffer_size,
|
|
|
|
char pad, size_t padding_size)
|
|
|
|
{
|
2017-08-18 05:58:25 +08:00
|
|
|
char *buffer = xmalloc (buffer_size + padding_size);
|
2015-09-22 19:20:18 +08:00
|
|
|
|
|
|
|
struct passwd pwd;
|
|
|
|
struct passwd *result;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
/* Test getpwname_r. */
|
|
|
|
memset (buffer, pad, buffer_size + padding_size);
|
|
|
|
pwd = (struct passwd) {};
|
|
|
|
ret = getpwnam_r (item->pw_name, &pwd, buffer, buffer_size, &result);
|
|
|
|
if (!check_padding (buffer + buffer_size, padding_size, pad))
|
|
|
|
{
|
|
|
|
printf ("error: padding change: "
|
|
|
|
"name \"%s\", buffer size %zu, padding size %zu, pad 0x%02x\n",
|
|
|
|
item->pw_name, buffer_size, padding_size, (unsigned char) pad);
|
|
|
|
errors = true;
|
|
|
|
}
|
|
|
|
if (ret == 0)
|
|
|
|
{
|
|
|
|
if (result == NULL)
|
|
|
|
{
|
|
|
|
printf ("error: no data: name \"%s\", buffer size %zu\n",
|
|
|
|
item->pw_name, buffer_size);
|
|
|
|
errors = true;
|
|
|
|
}
|
|
|
|
else if (!equal (item, result))
|
|
|
|
{
|
|
|
|
printf ("error: lookup mismatch: name \"%s\", buffer size %zu\n",
|
|
|
|
item->pw_name, buffer_size);
|
|
|
|
errors = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else if (ret != ERANGE)
|
|
|
|
{
|
|
|
|
errno = ret;
|
|
|
|
printf ("error: lookup failure for name \"%s\": %m (%d)\n",
|
|
|
|
item->pw_name, ret);
|
|
|
|
errors = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Test getpwuid_r. */
|
|
|
|
memset (buffer, pad, buffer_size + padding_size);
|
|
|
|
pwd = (struct passwd) {};
|
|
|
|
ret = getpwuid_r (item->pw_uid, &pwd, buffer, buffer_size, &result);
|
|
|
|
if (!check_padding (buffer + buffer_size, padding_size, pad))
|
|
|
|
{
|
|
|
|
printf ("error: padding change: "
|
|
|
|
"UID %ld, buffer size %zu, padding size %zu, pad 0x%02x\n",
|
|
|
|
(long) item->pw_uid, buffer_size, padding_size,
|
|
|
|
(unsigned char) pad);
|
|
|
|
errors = true;
|
|
|
|
}
|
|
|
|
if (ret == 0)
|
|
|
|
{
|
|
|
|
if (result == NULL)
|
|
|
|
{
|
|
|
|
printf ("error: no data: UID %ld, buffer size %zu\n",
|
|
|
|
(long) item->pw_uid, buffer_size);
|
|
|
|
errors = true;
|
|
|
|
}
|
|
|
|
else if (!equal (item, result))
|
|
|
|
{
|
|
|
|
printf ("error: lookup mismatch: UID %ld, buffer size %zu\n",
|
|
|
|
(long) item->pw_uid, buffer_size);
|
|
|
|
errors = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else if (ret != ERANGE)
|
|
|
|
{
|
|
|
|
errno = ret;
|
|
|
|
printf ("error: lookup failure for UID \"%ld\": %m (%d)\n",
|
|
|
|
(long) item->pw_uid, ret);
|
|
|
|
errors = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
free (buffer);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Test one buffer size with different paddings. */
|
|
|
|
static void
|
|
|
|
test_buffer_size (size_t buffer_size)
|
|
|
|
{
|
|
|
|
for (int i = 0; i < test_count; ++i)
|
|
|
|
for (size_t padding_size = 0; padding_size < 3; ++padding_size)
|
|
|
|
{
|
2015-09-26 02:20:33 +08:00
|
|
|
/* Skip entries with inconsistent name/UID lookups. */
|
|
|
|
if (test_items[i].pw_name == NULL)
|
|
|
|
continue;
|
|
|
|
|
2015-09-22 19:20:18 +08:00
|
|
|
test_one (test_items + i, buffer_size, '\0', padding_size);
|
|
|
|
if (padding_size > 0)
|
|
|
|
{
|
|
|
|
test_one (test_items + i, buffer_size, ':', padding_size);
|
|
|
|
test_one (test_items + i, buffer_size, '\n', padding_size);
|
|
|
|
test_one (test_items + i, buffer_size, '\xff', padding_size);
|
|
|
|
test_one (test_items + i, buffer_size, '@', padding_size);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
do_test (void)
|
|
|
|
{
|
2018-01-30 13:28:49 +08:00
|
|
|
__nss_configure_lookup ("passwd", "files");
|
|
|
|
|
2015-09-22 19:20:18 +08:00
|
|
|
if (!init_test_items ())
|
|
|
|
return 1;
|
|
|
|
printf ("info: %d test items\n", test_count);
|
|
|
|
|
|
|
|
for (size_t buffer_size = 0; buffer_size <= 65; ++buffer_size)
|
|
|
|
test_buffer_size (buffer_size);
|
|
|
|
for (size_t buffer_size = 64 + 4; buffer_size < 256; buffer_size += 4)
|
|
|
|
test_buffer_size (buffer_size);
|
|
|
|
test_buffer_size (255);
|
|
|
|
test_buffer_size (257);
|
|
|
|
for (size_t buffer_size = 256; buffer_size < 512; buffer_size += 8)
|
|
|
|
test_buffer_size (buffer_size);
|
|
|
|
test_buffer_size (511);
|
|
|
|
test_buffer_size (513);
|
|
|
|
test_buffer_size (1024);
|
|
|
|
test_buffer_size (2048);
|
|
|
|
|
|
|
|
if (errors)
|
|
|
|
return 1;
|
|
|
|
else
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-08-18 05:58:25 +08:00
|
|
|
#include <support/test-driver.c>
|