mirror of
git://sourceware.org/git/glibc.git
synced 2024-11-21 01:12:26 +08:00
5a82c74822
Also, change sources.redhat.com to sourceware.org. This patch was automatically generated by running the following shell script, which uses GNU sed, and which avoids modifying files imported from upstream: sed -ri ' s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g ' \ $(find $(git ls-files) -prune -type f \ ! -name '*.po' \ ! -name 'ChangeLog*' \ ! -path COPYING ! -path COPYING.LIB \ ! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \ ! -path manual/texinfo.tex ! -path scripts/config.guess \ ! -path scripts/config.sub ! -path scripts/install-sh \ ! -path scripts/mkinstalldirs ! -path scripts/move-if-change \ ! -path INSTALL ! -path locale/programs/charmap-kw.h \ ! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \ ! '(' -name configure \ -execdir test -f configure.ac -o -f configure.in ';' ')' \ ! '(' -name preconfigure \ -execdir test -f preconfigure.ac ';' ')' \ -print) and then by running 'make dist-prepare' to regenerate files built from the altered files, and then executing the following to cleanup: chmod a+x sysdeps/unix/sysv/linux/riscv/configure # Omit irrelevant whitespace and comment-only changes, # perhaps from a slightly-different Autoconf version. git checkout -f \ sysdeps/csky/configure \ sysdeps/hppa/configure \ sysdeps/riscv/configure \ sysdeps/unix/sysv/linux/csky/configure # Omit changes that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines git checkout -f \ sysdeps/powerpc/powerpc64/ppc-mcount.S \ sysdeps/unix/sysv/linux/s390/s390-64/syscall.S # Omit change that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
243 lines
7.1 KiB
C
243 lines
7.1 KiB
C
/* Test for bug 17079: heap overflow in NSS with small buffers.
|
|
Copyright (C) 2015-2019 Free Software Foundation, Inc.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<https://www.gnu.org/licenses/>. */
|
|
|
|
#include <errno.h>
|
|
#include <nss.h>
|
|
#include <pwd.h>
|
|
#include <stdbool.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#include <support/support.h>
|
|
|
|
/* Check if two passwd structs contain the same data. */
|
|
static bool
|
|
equal (const struct passwd *a, const struct passwd *b)
|
|
{
|
|
return strcmp (a->pw_name, b->pw_name) == 0
|
|
&& strcmp (a->pw_passwd, b->pw_passwd) == 0
|
|
&& a->pw_uid == b->pw_uid
|
|
&& a->pw_gid == b->pw_gid
|
|
&& strcmp (a->pw_gecos, b->pw_gecos) == 0
|
|
&& strcmp (a->pw_dir, b->pw_dir) == 0
|
|
&& strcmp (a->pw_shell, b->pw_shell) == 0;
|
|
}
|
|
|
|
enum { MAX_TEST_ITEMS = 10 };
|
|
static struct passwd test_items[MAX_TEST_ITEMS];
|
|
static int test_count;
|
|
|
|
/* Initialize test_items and test_count above, with data from the
|
|
passwd database. */
|
|
static bool
|
|
init_test_items (void)
|
|
{
|
|
setpwent ();
|
|
do
|
|
{
|
|
struct passwd *pwd = getpwent ();
|
|
if (pwd == NULL)
|
|
break;
|
|
struct passwd *target = test_items + test_count;
|
|
target->pw_name = xstrdup (pwd->pw_name);
|
|
target->pw_passwd = xstrdup (pwd->pw_passwd);
|
|
target->pw_uid = pwd->pw_uid;
|
|
target->pw_gid = pwd->pw_gid;
|
|
target->pw_gecos = xstrdup (pwd->pw_gecos);
|
|
target->pw_dir = xstrdup (pwd->pw_dir);
|
|
target->pw_shell = xstrdup (pwd->pw_shell);
|
|
}
|
|
while (++test_count < MAX_TEST_ITEMS);
|
|
endpwent ();
|
|
|
|
/* Filter out those test items which cannot be looked up by name or
|
|
UID. */
|
|
bool found = false;
|
|
for (int i = 0; i < test_count; ++i)
|
|
{
|
|
struct passwd *pwd1 = getpwnam (test_items[i].pw_name);
|
|
struct passwd *pwd2 = getpwuid (test_items[i].pw_uid);
|
|
if (pwd1 == NULL || !equal (pwd1, test_items + i)
|
|
|| pwd2 == NULL || !equal (pwd2, test_items + i))
|
|
{
|
|
printf ("info: skipping user \"%s\", UID %ld due to inconsistency\n",
|
|
test_items[i].pw_name, (long) test_items[i].pw_uid);
|
|
test_items[i].pw_name = NULL;
|
|
}
|
|
else
|
|
found = true;
|
|
}
|
|
|
|
if (!found)
|
|
puts ("error: no accounts found which can be looked up by name and UID.");
|
|
return found;
|
|
}
|
|
|
|
/* Set to true if an error is encountered. */
|
|
static bool errors;
|
|
|
|
/* Return true if the padding has not been tampered with. */
|
|
static bool
|
|
check_padding (char *buffer, size_t size, char pad)
|
|
{
|
|
char *end = buffer + size;
|
|
while (buffer < end)
|
|
{
|
|
if (*buffer != pad)
|
|
return false;
|
|
++buffer;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/* Test one buffer size and padding combination. */
|
|
static void
|
|
test_one (const struct passwd *item, size_t buffer_size,
|
|
char pad, size_t padding_size)
|
|
{
|
|
char *buffer = xmalloc (buffer_size + padding_size);
|
|
|
|
struct passwd pwd;
|
|
struct passwd *result;
|
|
int ret;
|
|
|
|
/* Test getpwname_r. */
|
|
memset (buffer, pad, buffer_size + padding_size);
|
|
pwd = (struct passwd) {};
|
|
ret = getpwnam_r (item->pw_name, &pwd, buffer, buffer_size, &result);
|
|
if (!check_padding (buffer + buffer_size, padding_size, pad))
|
|
{
|
|
printf ("error: padding change: "
|
|
"name \"%s\", buffer size %zu, padding size %zu, pad 0x%02x\n",
|
|
item->pw_name, buffer_size, padding_size, (unsigned char) pad);
|
|
errors = true;
|
|
}
|
|
if (ret == 0)
|
|
{
|
|
if (result == NULL)
|
|
{
|
|
printf ("error: no data: name \"%s\", buffer size %zu\n",
|
|
item->pw_name, buffer_size);
|
|
errors = true;
|
|
}
|
|
else if (!equal (item, result))
|
|
{
|
|
printf ("error: lookup mismatch: name \"%s\", buffer size %zu\n",
|
|
item->pw_name, buffer_size);
|
|
errors = true;
|
|
}
|
|
}
|
|
else if (ret != ERANGE)
|
|
{
|
|
errno = ret;
|
|
printf ("error: lookup failure for name \"%s\": %m (%d)\n",
|
|
item->pw_name, ret);
|
|
errors = true;
|
|
}
|
|
|
|
/* Test getpwuid_r. */
|
|
memset (buffer, pad, buffer_size + padding_size);
|
|
pwd = (struct passwd) {};
|
|
ret = getpwuid_r (item->pw_uid, &pwd, buffer, buffer_size, &result);
|
|
if (!check_padding (buffer + buffer_size, padding_size, pad))
|
|
{
|
|
printf ("error: padding change: "
|
|
"UID %ld, buffer size %zu, padding size %zu, pad 0x%02x\n",
|
|
(long) item->pw_uid, buffer_size, padding_size,
|
|
(unsigned char) pad);
|
|
errors = true;
|
|
}
|
|
if (ret == 0)
|
|
{
|
|
if (result == NULL)
|
|
{
|
|
printf ("error: no data: UID %ld, buffer size %zu\n",
|
|
(long) item->pw_uid, buffer_size);
|
|
errors = true;
|
|
}
|
|
else if (!equal (item, result))
|
|
{
|
|
printf ("error: lookup mismatch: UID %ld, buffer size %zu\n",
|
|
(long) item->pw_uid, buffer_size);
|
|
errors = true;
|
|
}
|
|
}
|
|
else if (ret != ERANGE)
|
|
{
|
|
errno = ret;
|
|
printf ("error: lookup failure for UID \"%ld\": %m (%d)\n",
|
|
(long) item->pw_uid, ret);
|
|
errors = true;
|
|
}
|
|
|
|
free (buffer);
|
|
}
|
|
|
|
/* Test one buffer size with different paddings. */
|
|
static void
|
|
test_buffer_size (size_t buffer_size)
|
|
{
|
|
for (int i = 0; i < test_count; ++i)
|
|
for (size_t padding_size = 0; padding_size < 3; ++padding_size)
|
|
{
|
|
/* Skip entries with inconsistent name/UID lookups. */
|
|
if (test_items[i].pw_name == NULL)
|
|
continue;
|
|
|
|
test_one (test_items + i, buffer_size, '\0', padding_size);
|
|
if (padding_size > 0)
|
|
{
|
|
test_one (test_items + i, buffer_size, ':', padding_size);
|
|
test_one (test_items + i, buffer_size, '\n', padding_size);
|
|
test_one (test_items + i, buffer_size, '\xff', padding_size);
|
|
test_one (test_items + i, buffer_size, '@', padding_size);
|
|
}
|
|
}
|
|
}
|
|
|
|
int
|
|
do_test (void)
|
|
{
|
|
__nss_configure_lookup ("passwd", "files");
|
|
|
|
if (!init_test_items ())
|
|
return 1;
|
|
printf ("info: %d test items\n", test_count);
|
|
|
|
for (size_t buffer_size = 0; buffer_size <= 65; ++buffer_size)
|
|
test_buffer_size (buffer_size);
|
|
for (size_t buffer_size = 64 + 4; buffer_size < 256; buffer_size += 4)
|
|
test_buffer_size (buffer_size);
|
|
test_buffer_size (255);
|
|
test_buffer_size (257);
|
|
for (size_t buffer_size = 256; buffer_size < 512; buffer_size += 8)
|
|
test_buffer_size (buffer_size);
|
|
test_buffer_size (511);
|
|
test_buffer_size (513);
|
|
test_buffer_size (1024);
|
|
test_buffer_size (2048);
|
|
|
|
if (errors)
|
|
return 1;
|
|
else
|
|
return 0;
|
|
}
|
|
|
|
#include <support/test-driver.c>
|