current/SOURCES/217-glob-Add-new-test-tst-glob-tilde.patch

From 5ff2eb52b236ca3d77f92272e8711b3c2b98140b Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Sat, 21 Oct 2017 18:03:30 +0200
Subject: [PATCH 4/8] glob: Add new test tst-glob-tilde

The new test checks for memory leaks (see bug 22325) and attempts
to trigger the buffer overflow in bug 22320.

(cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)
---
 ChangeLog              |   8 +++
 posix/Makefile         |  11 +++-
 posix/tst-glob-tilde.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 153 insertions(+), 2 deletions(-)
 create mode 100644 posix/tst-glob-tilde.c

#diff --git a/ChangeLog b/ChangeLog
#index 5229661ab1..756a3cc0f0 100644
#--- a/ChangeLog
#+++ b/ChangeLog
##@@ -1,3 +1,11 @@
#+2017-10-21  Florian Weimer  <fweimer@redhat.com>
#+
#+      * posix/Makefile (tests): Add tst-glob-tilde.
#+      (tests-special): Add tst-glob-tilde-mem.out
#+      (tst-glob-tilde-ENV): Set MALLOC_TRACE.
#+      (tst-glob-tilde-mem.out): Add mtrace check.
#+      * posix/tst-glob-tilde.c: New file.
#+
# 2017-10-20  Paul Eggert <eggert@cs.ucla.edu>
# 
#       [BZ #22320]
diff --git a/posix/Makefile b/posix/Makefile
index 2894af0cb9..82a4020c76 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -87,7 +87,7 @@ tests         := tstgetopt testfnm runtests run
           bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \
           bug-getopt5 tst-getopt_long1 bug-regex34 bug-regex35 \
           tst-pathconf tst-getaddrinfo4 tst-rxspencer-no-utf8 \
-                  tst-fnmatch3 bug-regex36 tst-getaddrinfo5
+                  tst-fnmatch3 bug-regex36 tst-getaddrinfo5 tst-glob-tilde
 xtests         := bug-ga2
 ifeq (yes,$(build-shared))
 test-srcs      := globtest
[tmb@thunder posix]$ 
[tmb@thunder glibc-2.20]$ diff -Nurp posix/Makefile.orig posix/Makefile 
--- posix/Makefile.orig 2017-12-22 13:44:31.728359617 +0200
+++ posix/Makefile      2017-12-22 13:46:49.439389455 +0200
@@ -87,7 +87,7 @@ tests         := tstgetopt testfnm runtests run
           bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \
           bug-getopt5 tst-getopt_long1 bug-regex34 bug-regex35 \
           tst-pathconf tst-getaddrinfo4 tst-rxspencer-no-utf8 \
-                  tst-fnmatch3 bug-regex36
+                  tst-fnmatch3 bug-regex36 tst-glob-tilde
 xtests         := bug-ga2
 ifeq (yes,$(build-shared))
 test-srcs      := globtest
@@ -130,7 +130,8 @@ tests-special += $(objpfx)bug-regex2-mem
         $(objpfx)tst-rxspencer-no-utf8-mem.out $(objpfx)tst-pcre-mem.out \
         $(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \
         $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
-                $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out
+                $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
+                $(objpfx)tst-glob-tilde-mem.out
 xtests-special += $(objpfx)bug-ga2-mem.out
 endif
 
@@ -307,6 +308,12 @@ $(objpfx)bug-glob2-mem.out: $(objpfx)bug
    $(common-objpfx)malloc/mtrace $(objpfx)bug-glob2.mtrace > $@; \
    $(evaluate-test)
 
+tst-glob-tilde-ENV = MALLOC_TRACE=$(objpfx)tst-glob-tilde.mtrace
+
+$(objpfx)tst-glob-tilde-mem.out: $(objpfx)tst-glob-tilde.out
+       $(common-objpfx)malloc/mtrace $(objpfx)tst-glob-tilde.mtrace > $@; \
+       $(evaluate-test)
+
 $(inst_libexecdir)/getconf: $(inst_bindir)/getconf \
                $(objpfx)getconf.speclist FORCE
    $(addprefix $(..)./scripts/mkinstalldirs ,\
diff --git a/posix/tst-glob-tilde.c b/posix/tst-glob-tilde.c
new file mode 100644
index 0000000000..9518b4a6f8
--- /dev/null
+++ b/posix/tst-glob-tilde.c
@@ -0,0 +1,136 @@
+/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <glob.h>
+#include <mcheck.h>
+#include <nss.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/support.h>
+
+/* Flag which indicates whether to pass the GLOB_ONLYDIR flag.  */
+static int do_onlydir;
+
+/* Flag which indicates whether to pass the GLOB_NOCHECK flag.  */
+static int do_nocheck;
+
+/* Flag which indicates whether to pass the GLOB_MARK flag.  */
+static int do_mark;
+
+static void
+one_test (const char *prefix, const char *middle, const char *suffix)
+{
+  char *pattern = xasprintf ("%s%s%s", prefix, middle, suffix);
+  int flags = GLOB_TILDE;
+  if (do_onlydir)
+    flags |= GLOB_ONLYDIR;
+  if (do_nocheck)
+    flags |= GLOB_NOCHECK;
+  if (do_mark)
+    flags |= GLOB_MARK;
+  glob_t gl;
+  /* This glob call might result in crashes or memory leaks.  */
+  if (glob (pattern, flags, NULL, &gl) == 0)
+    globfree (&gl);
+  free (pattern);
+}
+
+enum
+  {
+    /* The largest base being tested.  */
+    largest_base_size = 500000,
+
+    /* The actual size is the base size plus a variable whose absolute
+       value is not greater than this.  This helps malloc to trigger
+       overflows.  */
+    max_size_skew = 16,
+
+    /* The maximum string length supported by repeating_string
+       below.  */
+    repeat_size = largest_base_size + max_size_skew,
+  };
+
+/* Used to construct strings which repeat a single character 'x'.  */
+static char *repeat;
+
+/* Return a string of SIZE characters.  */
+const char *
+repeating_string (int size)
+{
+  TEST_VERIFY (size >= 0);
+  TEST_VERIFY (size <= repeat_size);
+  const char *repeated_shifted = repeat + repeat_size - size;
+  TEST_VERIFY (strlen (repeated_shifted) == size);
+  return repeated_shifted;
+}
+
+static int
+do_test (void)
+{
+  /* Avoid network-based NSS modules and initialize nss_files with a
+     dummy lookup.  This has to come before mtrace because NSS does
+     not free all memory.  */
+  __nss_configure_lookup ("passwd", "files");
+  (void) getpwnam ("root");
+
+  mtrace ();
+
+  repeat = xmalloc (repeat_size + 1);
+  memset (repeat, 'x', repeat_size);
+  repeat[repeat_size] = '\0';
+
+  /* These numbers control the size of the user name.  The values
+     cover the minimum (0), a typical size (8), a large
+     stack-allocated size (100000), and a somewhat large
+     heap-allocated size (largest_base_size).  */
+  static const int base_sizes[] = { 0, 8, 100, 100000, largest_base_size, -1 };
+
+  for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
+    for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
+      for (do_mark = 0; do_mark < 2; ++do_mark)
+        for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
+          {
+            for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
+                 ++size_skew)
+              {
+                int size = base_sizes[base_idx] + size_skew;
+                if (size < 0)
+                  continue;
+
+                const char *user_name = repeating_string (size);
+                one_test ("~", user_name, "/a/b");
+              }
+
+            const char *user_name = repeating_string (base_sizes[base_idx]);
+            one_test ("~", user_name, "");
+            one_test ("~", user_name, "/");
+            one_test ("~", user_name, "/a");
+            one_test ("~", user_name, "/*/*");
+            one_test ("~", user_name, "\\/");
+            one_test ("/~", user_name, "");
+            one_test ("*/~", user_name, "/a/b");
+          }
+
+  free (repeat);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
-- 
2.15.1
1	From 5ff2eb52b236ca3d77f92272e8711b3c2b98140b Mon Sep 17 00:00:00 2001
2	From: Florian Weimer <fweimer@redhat.com>
3	Date: Sat, 21 Oct 2017 18:03:30 +0200
4	Subject: [PATCH 4/8] glob: Add new test tst-glob-tilde
5
6	The new test checks for memory leaks (see bug 22325) and attempts
7	to trigger the buffer overflow in bug 22320.
8
9	(cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)
10	---
11	ChangeLog \| 8 +++
12	posix/Makefile \| 11 +++-
13	posix/tst-glob-tilde.c \| 136 +++++++++++++++++++++++++++++++++++++++++++++++++
14	3 files changed, 153 insertions(+), 2 deletions(-)
15	create mode 100644 posix/tst-glob-tilde.c
16
17	#diff --git a/ChangeLog b/ChangeLog
18	#index 5229661ab1..756a3cc0f0 100644
19	#--- a/ChangeLog
20	#+++ b/ChangeLog
21	##@@ -1,3 +1,11 @@
22	#+2017-10-21 Florian Weimer <fweimer@redhat.com>
23	#+
24	#+ * posix/Makefile (tests): Add tst-glob-tilde.
25	#+ (tests-special): Add tst-glob-tilde-mem.out
26	#+ (tst-glob-tilde-ENV): Set MALLOC_TRACE.
27	#+ (tst-glob-tilde-mem.out): Add mtrace check.
28	#+ * posix/tst-glob-tilde.c: New file.
29	#+
30	# 2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
31	#
32	# [BZ #22320]
33	diff --git a/posix/Makefile b/posix/Makefile
34	index 2894af0cb9..82a4020c76 100644
35	--- a/posix/Makefile
36	+++ b/posix/Makefile
37	@@ -87,7 +87,7 @@ tests := tstgetopt testfnm runtests run
38	bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \
39	bug-getopt5 tst-getopt_long1 bug-regex34 bug-regex35 \
40	tst-pathconf tst-getaddrinfo4 tst-rxspencer-no-utf8 \
41	- tst-fnmatch3 bug-regex36 tst-getaddrinfo5
42	+ tst-fnmatch3 bug-regex36 tst-getaddrinfo5 tst-glob-tilde
43	xtests := bug-ga2
44	ifeq (yes,$(build-shared))
45	test-srcs := globtest
46	[tmb@thunder posix]$
47	[tmb@thunder glibc-2.20]$ diff -Nurp posix/Makefile.orig posix/Makefile
48	--- posix/Makefile.orig 2017-12-22 13:44:31.728359617 +0200
49	+++ posix/Makefile 2017-12-22 13:46:49.439389455 +0200
50	@@ -87,7 +87,7 @@ tests := tstgetopt testfnm runtests run
51	bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \
52	bug-getopt5 tst-getopt_long1 bug-regex34 bug-regex35 \
53	tst-pathconf tst-getaddrinfo4 tst-rxspencer-no-utf8 \
54	- tst-fnmatch3 bug-regex36
55	+ tst-fnmatch3 bug-regex36 tst-glob-tilde
56	xtests := bug-ga2
57	ifeq (yes,$(build-shared))
58	test-srcs := globtest
59	@@ -130,7 +130,8 @@ tests-special += $(objpfx)bug-regex2-mem
60	$(objpfx)tst-rxspencer-no-utf8-mem.out $(objpfx)tst-pcre-mem.out \
61	$(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \
62	$(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
63	- $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out
64	+ $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
65	+ $(objpfx)tst-glob-tilde-mem.out
66	xtests-special += $(objpfx)bug-ga2-mem.out
67	endif
68
69	@@ -307,6 +308,12 @@ $(objpfx)bug-glob2-mem.out: $(objpfx)bug
70	$(common-objpfx)malloc/mtrace $(objpfx)bug-glob2.mtrace > $@; \
71	$(evaluate-test)
72
73	+tst-glob-tilde-ENV = MALLOC_TRACE=$(objpfx)tst-glob-tilde.mtrace
74	+
75	+$(objpfx)tst-glob-tilde-mem.out: $(objpfx)tst-glob-tilde.out
76	+ $(common-objpfx)malloc/mtrace $(objpfx)tst-glob-tilde.mtrace > $@; \
77	+ $(evaluate-test)
78	+
79	$(inst_libexecdir)/getconf: $(inst_bindir)/getconf \
80	$(objpfx)getconf.speclist FORCE
81	$(addprefix $(..)./scripts/mkinstalldirs ,\
82	diff --git a/posix/tst-glob-tilde.c b/posix/tst-glob-tilde.c
83	new file mode 100644
84	index 0000000000..9518b4a6f8
85	--- /dev/null
86	+++ b/posix/tst-glob-tilde.c
87	@@ -0,0 +1,136 @@
88	+/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
89	+ Copyright (C) 2017 Free Software Foundation, Inc.
90	+ This file is part of the GNU C Library.
91	+
92	+ The GNU C Library is free software; you can redistribute it and/or
93	+ modify it under the terms of the GNU Lesser General Public
94	+ License as published by the Free Software Foundation; either
95	+ version 2.1 of the License, or (at your option) any later version.
96	+
97	+ The GNU C Library is distributed in the hope that it will be useful,
98	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
99	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
100	+ Lesser General Public License for more details.
101	+
102	+ You should have received a copy of the GNU Lesser General Public
103	+ License along with the GNU C Library; if not, see
104	+ <http://www.gnu.org/licenses/>. */
105	+
106	+#include <glob.h>
107	+#include <mcheck.h>
108	+#include <nss.h>
109	+#include <pwd.h>
110	+#include <stdlib.h>
111	+#include <string.h>
112	+#include <support/check.h>
113	+#include <support/support.h>
114	+
115	+/* Flag which indicates whether to pass the GLOB_ONLYDIR flag. */
116	+static int do_onlydir;
117	+
118	+/* Flag which indicates whether to pass the GLOB_NOCHECK flag. */
119	+static int do_nocheck;
120	+
121	+/* Flag which indicates whether to pass the GLOB_MARK flag. */
122	+static int do_mark;
123	+
124	+static void
125	+one_test (const char prefix, const char middle, const char *suffix)
126	+{
127	+ char *pattern = xasprintf ("%s%s%s", prefix, middle, suffix);
128	+ int flags = GLOB_TILDE;
129	+ if (do_onlydir)
130	+ flags \|= GLOB_ONLYDIR;
131	+ if (do_nocheck)
132	+ flags \|= GLOB_NOCHECK;
133	+ if (do_mark)
134	+ flags \|= GLOB_MARK;
135	+ glob_t gl;
136	+ /* This glob call might result in crashes or memory leaks. */
137	+ if (glob (pattern, flags, NULL, &gl) == 0)
138	+ globfree (&gl);
139	+ free (pattern);
140	+}
141	+
142	+enum
143	+ {
144	+ /* The largest base being tested. */
145	+ largest_base_size = 500000,
146	+
147	+ /* The actual size is the base size plus a variable whose absolute
148	+ value is not greater than this. This helps malloc to trigger
149	+ overflows. */
150	+ max_size_skew = 16,
151	+
152	+ /* The maximum string length supported by repeating_string
153	+ below. */
154	+ repeat_size = largest_base_size + max_size_skew,
155	+ };
156	+
157	+/* Used to construct strings which repeat a single character 'x'. */
158	+static char *repeat;
159	+
160	+/* Return a string of SIZE characters. */
161	+const char *
162	+repeating_string (int size)
163	+{
164	+ TEST_VERIFY (size >= 0);
165	+ TEST_VERIFY (size <= repeat_size);
166	+ const char *repeated_shifted = repeat + repeat_size - size;
167	+ TEST_VERIFY (strlen (repeated_shifted) == size);
168	+ return repeated_shifted;
169	+}
170	+
171	+static int
172	+do_test (void)
173	+{
174	+ /* Avoid network-based NSS modules and initialize nss_files with a
175	+ dummy lookup. This has to come before mtrace because NSS does
176	+ not free all memory. */
177	+ __nss_configure_lookup ("passwd", "files");
178	+ (void) getpwnam ("root");
179	+
180	+ mtrace ();
181	+
182	+ repeat = xmalloc (repeat_size + 1);
183	+ memset (repeat, 'x', repeat_size);
184	+ repeat[repeat_size] = '\0';
185	+
186	+ /* These numbers control the size of the user name. The values
187	+ cover the minimum (0), a typical size (8), a large
188	+ stack-allocated size (100000), and a somewhat large
189	+ heap-allocated size (largest_base_size). */
190	+ static const int base_sizes[] = { 0, 8, 100, 100000, largest_base_size, -1 };
191	+
192	+ for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
193	+ for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
194	+ for (do_mark = 0; do_mark < 2; ++do_mark)
195	+ for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
196	+ {
197	+ for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
198	+ ++size_skew)
199	+ {
200	+ int size = base_sizes[base_idx] + size_skew;
201	+ if (size < 0)
202	+ continue;
203	+
204	+ const char *user_name = repeating_string (size);
205	+ one_test ("~", user_name, "/a/b");
206	+ }
207	+
208	+ const char *user_name = repeating_string (base_sizes[base_idx]);
209	+ one_test ("~", user_name, "");
210	+ one_test ("~", user_name, "/");
211	+ one_test ("~", user_name, "/a");
212	+ one_test ("~", user_name, "//");
213	+ one_test ("~", user_name, "\\/");
214	+ one_test ("/~", user_name, "");
215	+ one_test ("*/~", user_name, "/a/b");
216	+ }
217	+
218	+ free (repeat);
219	+
220	+ return 0;
221	+}
222	+
223	+#include <support/test-driver.c>
224	--
225	2.15.1