Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit0c07193

Browse files
committed
Revert error-throwing wrappers for the printf family of functions.
This reverts commit16304a0, exceptfor its changes in src/port/snprintf.c; as well as commitcac18a7 which is no longer needed.Fujii Masao reported that the previous commit caused failures in psql onOS X, since if one exits the pager program early while viewing a queryresult, psql sees an EPIPE error from fprintf --- and the wrapper functionthought that was reason to panic. (It's a bit surprising that the samedoes not happen on Linux.) Further discussion among the security listconcluded that the risk of other such failures was far too great, andthat the one-size-fits-all approach to error handling embodied in theprevious patch is unlikely to be workable.This leaves us again exposed to the possibility of the type of failureenvisioned inCVE-2015-3166. However, that failure mode is strictlyhypothetical at this point: there is no concrete reason to believe thatan attacker could trigger information disclosure through the supposedmechanism. In the first place, the attack surface is fairly limited,since so much of what the backend does with format strings goes throughstringinfo.c or psprintf(), and those already had adequate defenses.In the second place, even granting that an unprivileged attacker couldcontrol the occurrence of ENOMEM with some precision, it's a stretch tobelieve that he could induce it just where the target buffer contains somevaluable information. So we concluded that the risk of non-hypotheticalproblems induced by the patch greatly outweighs the security risks.We will therefore revert, and instead undertake closer analysis toidentify specific calls that may need hardening, rather than attempt auniversal solution.We have kept the portion of the previous patch that improved snprintf.c'shandling of errors when it calls the platform's sprintf(). That seems tobe an unalloyed improvement.Security:CVE-2015-3166
1 parent9bc77c4 commit0c07193

File tree

16 files changed

+52
-250
lines changed

16 files changed

+52
-250
lines changed

‎src/include/port.h

Lines changed: 24 additions & 56 deletions
Original file line numberDiff line numberDiff line change
@@ -126,21 +126,19 @@ extern unsigned char pg_tolower(unsigned char ch);
126126
externunsignedcharpg_ascii_toupper(unsignedcharch);
127127
externunsignedcharpg_ascii_tolower(unsignedcharch);
128128

129+
#ifdefUSE_REPL_SNPRINTF
130+
129131
/*
130-
* Capture macro-compatible calls to printf() and friends, and redirect them
131-
* to wrappers that throw errors in lieu of reporting failure in a return
132-
* value. Versions of libintl >= 0.13 similarly redirect to versions that
133-
* understand the %$ format, so disable libintl macros first.
132+
* Versions of libintl >= 0.13 try to replace printf() and friends with
133+
* macros to their own versions that understand the %$ format. We do the
134+
* same, so disable their macros, if they exist.
134135
*/
135136
#ifdefvsnprintf
136137
#undef vsnprintf
137138
#endif
138139
#ifdefsnprintf
139140
#undef snprintf
140141
#endif
141-
#ifdefvsprintf
142-
#undef vsprintf
143-
#endif
144142
#ifdefsprintf
145143
#undef sprintf
146144
#endif
@@ -154,63 +152,33 @@ extern unsigned char pg_ascii_tolower(unsigned char ch);
154152
#undef printf
155153
#endif
156154

157-
externint
158-
vsnprintf_throw_on_fail(char*str,size_tcount,constchar*fmt,va_listargs)
159-
pg_attribute_printf(3,0);
160-
externint
161-
snprintf_throw_on_fail(char*str,size_tcount,constchar*fmt,...)
162-
pg_attribute_printf(3,4);
163-
externint
164-
vsprintf_throw_on_fail(char*str,constchar*fmt,va_listargs)
165-
pg_attribute_printf(2,0);
166-
externint
167-
sprintf_throw_on_fail(char*str,constchar*fmt,...)
168-
pg_attribute_printf(2,3);
169-
externint
170-
vfprintf_throw_on_fail(FILE*stream,constchar*fmt,va_listargs)
171-
pg_attribute_printf(2,0);
172-
externint
173-
fprintf_throw_on_fail(FILE*stream,constchar*fmt,...)
174-
pg_attribute_printf(2,3);
175-
externint
176-
printf_throw_on_fail(constchar*fmt,...)
177-
pg_attribute_printf(1,2);
155+
externintpg_vsnprintf(char*str,size_tcount,constchar*fmt,va_listargs);
156+
externintpg_snprintf(char*str,size_tcount,constchar*fmt,...)pg_attribute_printf(3,4);
157+
externintpg_sprintf(char*str,constchar*fmt,...)pg_attribute_printf(2,3);
158+
externintpg_vfprintf(FILE*stream,constchar*fmt,va_listargs);
159+
externintpg_fprintf(FILE*stream,constchar*fmt,...)pg_attribute_printf(2,3);
160+
externintpg_printf(constchar*fmt,...)pg_attribute_printf(1,2);
178161

179162
/*
180163
*The GCC-specific code below prevents the pg_attribute_printf above from
181164
*being replaced, and this is required because gcc doesn't know anything
182-
*aboutprintf_throw_on_fail.
165+
*aboutpg_printf.
183166
*/
184167
#ifdef__GNUC__
185-
#definevsnprintf(...)vsnprintf_throw_on_fail(__VA_ARGS__)
186-
#definesnprintf(...)snprintf_throw_on_fail(__VA_ARGS__)
187-
#definevsprintf(...)vsprintf_throw_on_fail(__VA_ARGS__)
188-
#definesprintf(...)sprintf_throw_on_fail(__VA_ARGS__)
189-
#definevfprintf(...)vfprintf_throw_on_fail(__VA_ARGS__)
190-
#definefprintf(...)fprintf_throw_on_fail(__VA_ARGS__)
191-
#defineprintf(...)printf_throw_on_fail(__VA_ARGS__)
168+
#definevsnprintf(...)pg_vsnprintf(__VA_ARGS__)
169+
#definesnprintf(...)pg_snprintf(__VA_ARGS__)
170+
#definesprintf(...)pg_sprintf(__VA_ARGS__)
171+
#definevfprintf(...)pg_vfprintf(__VA_ARGS__)
172+
#definefprintf(...)pg_fprintf(__VA_ARGS__)
173+
#defineprintf(...)pg_printf(__VA_ARGS__)
192174
#else
193-
#definevsnprintfvsnprintf_throw_on_fail
194-
#definesnprintfsnprintf_throw_on_fail
195-
#definevsprintfvsprintf_throw_on_fail
196-
#definesprintfsprintf_throw_on_fail
197-
#definevfprintfvfprintf_throw_on_fail
198-
#definefprintffprintf_throw_on_fail
199-
#defineprintfprintf_throw_on_fail
175+
#definevsnprintfpg_vsnprintf
176+
#definesnprintfpg_snprintf
177+
#definesprintfpg_sprintf
178+
#definevfprintfpg_vfprintf
179+
#definefprintfpg_fprintf
180+
#defineprintfpg_printf
200181
#endif
201-
202-
#ifdefUSE_REPL_SNPRINTF
203-
204-
/* Code outside syswrap.c should not call these. */
205-
206-
externintpg_vsnprintf(char*str,size_tcount,constchar*fmt,va_listargs);
207-
externintpg_snprintf(char*str,size_tcount,constchar*fmt,...)pg_attribute_printf(3,4);
208-
externintpg_vsprintf(char*str,constchar*fmt,va_listargs);
209-
externintpg_sprintf(char*str,constchar*fmt,...)pg_attribute_printf(2,3);
210-
externintpg_vfprintf(FILE*stream,constchar*fmt,va_listargs);
211-
externintpg_fprintf(FILE*stream,constchar*fmt,...)pg_attribute_printf(2,3);
212-
externintpg_printf(constchar*fmt,...)pg_attribute_printf(1,2);
213-
214182
#endif/* USE_REPL_SNPRINTF */
215183

216184
#if defined(WIN32)

‎src/interfaces/ecpg/compatlib/Makefile

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,6 @@ submake-pgtypeslib:
4848
# Shared library stuff
4949
include$(top_srcdir)/src/Makefile.shlib
5050

51-
# XXX This library uses no symbols from snprintf.c.
5251
snprintf.c:% :$(top_srcdir)/src/port/%
5352
rm -f$@&&$(LN_S)$<.
5453

‎src/interfaces/ecpg/ecpglib/.gitignore

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,6 @@
55
/pgstrcasecmp.c
66
/snprintf.c
77
/strlcpy.c
8-
/syswrap.c
98
/thread.c
109
/win32setlocale.c
1110
/isinf.c

‎src/interfaces/ecpg/ecpglib/Makefile

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ override CFLAGS += $(PTHREAD_CFLAGS)
2626
LIBS :=$(filter-out -lpgport,$(LIBS))
2727

2828
OBJS= execute.o typename.o descriptor.o sqlda.o data.o error.o prepare.o memory.o\
29-
connect.o misc.o path.o pgstrcasecmp.osyswrap.o\
29+
connect.o misc.o path.o pgstrcasecmp.o\
3030
$(filter snprintf.o strlcpy.o win32setlocale.o isinf.o,$(LIBOBJS))$(WIN32RES)
3131

3232
# thread.c is needed only for non-WIN32 implementation of path.c
@@ -55,7 +55,7 @@ include $(top_srcdir)/src/Makefile.shlib
5555
# necessarily use the same object files as the backend uses. Instead,
5656
# symlink the source files in here and build our own object file.
5757

58-
path.cpgstrcasecmp.csnprintf.cstrlcpy.csyswrap.cthread.cwin32setlocale.cisinf.c:% :$(top_srcdir)/src/port/%
58+
path.cpgstrcasecmp.csnprintf.cstrlcpy.cthread.cwin32setlocale.cisinf.c:% :$(top_srcdir)/src/port/%
5959
rm -f$@&&$(LN_S)$<.
6060

6161
misc.o: misc.c$(top_builddir)/src/port/pg_config_paths.h
@@ -72,6 +72,6 @@ uninstall: uninstall-lib
7272

7373
cleandistclean: clean-lib
7474
rm -f$(OBJS)
75-
rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.csyswrap.cthread.c win32setlocale.c isinf.c
75+
rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.c thread.c win32setlocale.c isinf.c
7676

7777
maintainer-clean: distclean maintainer-clean-lib

‎src/interfaces/ecpg/pgtypeslib/.gitignore

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,4 +4,3 @@
44
/pgstrcasecmp.c
55
/rint.c
66
/snprintf.c
7-
/syswrap.c

‎src/interfaces/ecpg/pgtypeslib/Makefile

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@ SHLIB_LINK += -lm
3030
SHLIB_EXPORTS = exports.txt
3131

3232
OBJS= numeric.o datetime.o common.o dt_common.o timestamp.o interval.o\
33-
pgstrcasecmp.osyswrap.o\
33+
pgstrcasecmp.o\
3434
$(filter rint.o snprintf.o,$(LIBOBJS))$(WIN32RES)
3535

3636
all: all-lib
@@ -43,7 +43,7 @@ include $(top_srcdir)/src/Makefile.shlib
4343
# necessarily use the same object files as the backend uses. Instead,
4444
# symlink the source files in here and build our own object file.
4545

46-
pgstrcasecmp.crint.csnprintf.csyswrap.c:% :$(top_srcdir)/src/port/%
46+
pgstrcasecmp.crint.csnprintf.c:% :$(top_srcdir)/src/port/%
4747
rm -f$@&&$(LN_S)$<.
4848

4949
install: all installdirs install-lib
@@ -53,6 +53,6 @@ installdirs: installdirs-lib
5353
uninstall: uninstall-lib
5454

5555
cleandistclean: clean-lib
56-
rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c syswrap.c
56+
rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c
5757

5858
maintainer-clean: distclean maintainer-clean-lib

‎src/interfaces/libpq/.gitignore

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,6 @@
1313
/strerror.c
1414
/strlcpy.c
1515
/system.c
16-
/syswrap.c
1716
/thread.c
1817
/win32error.c
1918
/win32setlocale.c

‎src/interfaces/libpq/Makefile

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ OBJS=fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
3636
libpq-events.o
3737
# libpgport C files we always use
3838
OBJS += chklocale.o inet_net_ntop.o noblock.o pgstrcasecmp.o pqsignal.o\
39-
syswrap.othread.o
39+
thread.o
4040
# libpgport C files that are needed if identified by configure
4141
OBJS +=$(filter crypt.o getaddrinfo.o getpeereid.o inet_aton.o open.o system.o snprintf.o strerror.o strlcpy.o win32error.o win32setlocale.o,$(LIBOBJS))
4242
# backend/libpq
@@ -93,7 +93,7 @@ backend_src = $(top_srcdir)/src/backend
9393
# For some libpgport modules, this only happens if configure decides
9494
# the module is needed (see filter hack in OBJS, above).
9595

96-
chklocale.ccrypt.cgetaddrinfo.cgetpeereid.cinet_aton.cinet_net_ntop.cnoblock.copen.csystem.cpgsleep.cpgstrcasecmp.cpqsignal.csnprintf.cstrerror.cstrlcpy.csyswrap.cthread.cwin32error.cwin32setlocale.c:% :$(top_srcdir)/src/port/%
96+
chklocale.ccrypt.cgetaddrinfo.cgetpeereid.cinet_aton.cinet_net_ntop.cnoblock.copen.csystem.cpgsleep.cpgstrcasecmp.cpqsignal.csnprintf.cstrerror.cstrlcpy.cthread.cwin32error.cwin32setlocale.c:% :$(top_srcdir)/src/port/%
9797
rm -f$@&&$(LN_S)$<.
9898

9999
ip.cmd5.c:% :$(backend_src)/libpq/%
@@ -145,7 +145,7 @@ clean distclean: clean-lib
145145
# Might be left over from a Win32 client-only build
146146
rm -f pg_config_paths.h
147147
rm -f inet_net_ntop.c noblock.c pgstrcasecmp.c pqsignal.c thread.c
148-
rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c system.c snprintf.c strerror.c strlcpy.csyswrap.cwin32error.c win32setlocale.c
148+
rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c system.c snprintf.c strerror.c strlcpy.c win32error.c win32setlocale.c
149149
rm -f pgsleep.c
150150
rm -f md5.c ip.c
151151
rm -f encnames.c wchar.c

‎src/interfaces/libpq/bcc32.mak

Lines changed: 0 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -107,7 +107,6 @@ CLEAN :
107107
-@erase"$(INTDIR)\pgsleep.obj"
108108
-@erase"$(INTDIR)\open.obj"
109109
-@erase"$(INTDIR)\system.obj"
110-
-@erase"$(INTDIR)\syswrap.obj"
111110
-@erase"$(INTDIR)\win32error.obj"
112111
-@erase"$(OUTDIR)\$(OUTFILENAME).lib"
113112
-@erase"$(OUTDIR)\$(OUTFILENAME)dll.lib"
@@ -152,7 +151,6 @@ LIB32_OBJS= \
152151
"$(INTDIR)\pgsleep.obj"\
153152
"$(INTDIR)\open.obj"\
154153
"$(INTDIR)\system.obj"\
155-
"$(INTDIR)\syswrap.obj"\
156154
"$(INTDIR)\win32error.obj"\
157155
"$(INTDIR)\pthread-win32.obj"
158156

@@ -304,11 +302,6 @@ LINK32_FLAGS = -Gn -L$(BCB)\lib;$(INTDIR); -x -Tpd -v
304302
$(CPP_PROJ) /I"." ..\..\port\system.c
305303
<<
306304

307-
"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
308-
$(CPP) @<<
309-
$(CPP_PROJ) ..\..\port\syswrap.c
310-
<<
311-
312305
"$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
313306
$(CPP) @<<
314307
$(CPP_PROJ) /I"." ..\..\port\win32error.c

‎src/interfaces/libpq/win32.mak

Lines changed: 0 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -114,7 +114,6 @@ CLEAN :
114114
-@erase"$(INTDIR)\pgsleep.obj"
115115
-@erase"$(INTDIR)\open.obj"
116116
-@erase"$(INTDIR)\system.obj"
117-
-@erase"$(INTDIR)\syswrap.obj"
118117
-@erase"$(INTDIR)\win32error.obj"
119118
-@erase"$(INTDIR)\win32setlocale.obj"
120119
-@erase"$(OUTDIR)\$(OUTFILENAME).lib"
@@ -165,7 +164,6 @@ LIB32_OBJS= \
165164
"$(INTDIR)\pgsleep.obj"\
166165
"$(INTDIR)\open.obj"\
167166
"$(INTDIR)\system.obj"\
168-
"$(INTDIR)\syswrap.obj"\
169167
"$(INTDIR)\win32error.obj"\
170168
"$(INTDIR)\win32setlocale.obj"\
171169
"$(INTDIR)\pthread-win32.obj"
@@ -350,11 +348,6 @@ LINK32_OBJS= \
350348
$(CPP_PROJ) /I"." ..\..\port\system.c
351349
<<
352350

353-
"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
354-
$(CPP) @<<
355-
$(CPP_PROJ) ..\..\port\syswrap.c
356-
<<
357-
358351
"$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
359352
$(CPP) @<<
360353
$(CPP_PROJ) /I"." ..\..\port\win32error.c

‎src/pl/plperl/plperl.h

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -37,8 +37,10 @@
3737
* So we undefine them here and redefine them after it's done its dirty deed.
3838
*/
3939

40+
#ifdefUSE_REPL_SNPRINTF
4041
#undef snprintf
4142
#undef vsnprintf
43+
#endif
4244

4345

4446
/* required for perl API */
@@ -47,19 +49,21 @@
4749
#include"XSUB.h"
4850

4951
/* put back our snprintf and vsnprintf */
52+
#ifdefUSE_REPL_SNPRINTF
5053
#ifdefsnprintf
5154
#undef snprintf
5255
#endif
5356
#ifdefvsnprintf
5457
#undef vsnprintf
5558
#endif
5659
#ifdef__GNUC__
57-
#definevsnprintf(...)vsnprintf_throw_on_fail(__VA_ARGS__)
58-
#definesnprintf(...)snprintf_throw_on_fail(__VA_ARGS__)
60+
#definevsnprintf(...)pg_vsnprintf(__VA_ARGS__)
61+
#definesnprintf(...)pg_snprintf(__VA_ARGS__)
5962
#else
60-
#definevsnprintfvsnprintf_throw_on_fail
61-
#definesnprintfsnprintf_throw_on_fail
63+
#definevsnprintfpg_vsnprintf
64+
#definesnprintfpg_snprintf
6265
#endif/* __GNUC__ */
66+
#endif/* USE_REPL_SNPRINTF */
6367

6468
/* perl version and platform portability */
6569
#defineNEED_eval_pv

‎src/pl/plpython/plpython.h

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -35,8 +35,10 @@
3535
* So we undefine them here and redefine them after it's done its dirty deed.
3636
*/
3737

38+
#ifdefUSE_REPL_SNPRINTF
3839
#undef snprintf
3940
#undef vsnprintf
41+
#endif
4042

4143
#if defined(_MSC_VER)&& defined(_DEBUG)
4244
/* Python uses #pragma to bring in a non-default libpython on VC++ if
@@ -123,19 +125,21 @@ typedef int Py_ssize_t;
123125
#include<eval.h>
124126

125127
/* put back our snprintf and vsnprintf */
128+
#ifdefUSE_REPL_SNPRINTF
126129
#ifdefsnprintf
127130
#undef snprintf
128131
#endif
129132
#ifdefvsnprintf
130133
#undef vsnprintf
131134
#endif
132135
#ifdef__GNUC__
133-
#definevsnprintf(...)vsnprintf_throw_on_fail(__VA_ARGS__)
134-
#definesnprintf(...)snprintf_throw_on_fail(__VA_ARGS__)
136+
#definevsnprintf(...)pg_vsnprintf(__VA_ARGS__)
137+
#definesnprintf(...)pg_snprintf(__VA_ARGS__)
135138
#else
136-
#definevsnprintfvsnprintf_throw_on_fail
137-
#definesnprintfsnprintf_throw_on_fail
139+
#definevsnprintfpg_vsnprintf
140+
#definesnprintfpg_snprintf
138141
#endif/* __GNUC__ */
142+
#endif/* USE_REPL_SNPRINTF */
139143

140144
/*
141145
* Used throughout, and also by the Python 2/3 porting layer, so it's easier to

‎src/port/Makefile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ LIBS += $(PTHREAD_LIBS)
3333
OBJS =$(LIBOBJS)$(PG_CRC32C_OBJS) chklocale.o erand48.o inet_net_ntop.o\
3434
noblock.o path.o pgcheckdir.o pgmkdirp.o pgsleep.o\
3535
pgstrcasecmp.o pqsignal.o\
36-
qsort.o qsort_arg.o quotes.o sprompt.osyswrap.otar.o thread.o
36+
qsort.o qsort_arg.o quotes.o sprompt.o tar.o thread.o
3737

3838
# foo_srv.o and foo.o are both built from foo.c, but only foo.o has -DFRONTEND
3939
OBJS_SRV =$(OBJS:%.o=%_srv.o)

‎src/port/snprintf.c

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -99,7 +99,6 @@
9999
/* Prevent recursion */
100100
#undefvsnprintf
101101
#undefsnprintf
102-
#undefvsprintf
103102
#undefsprintf
104103
#undefvfprintf
105104
#undeffprintf
@@ -176,7 +175,7 @@ pg_snprintf(char *str, size_t count, const char *fmt,...)
176175
returnlen;
177176
}
178177

179-
int
178+
staticint
180179
pg_vsprintf(char*str,constchar*fmt,va_listargs)
181180
{
182181
PrintfTargettarget;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp