Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit2e3bd06

Browse files
committed
Add error-throwing wrappers for the printf family of functions.
All known standard library implementations of these functions can failwith ENOMEM. A caller neglecting to check for failure would experiencemissing output, information exposure, or a crash. Check return valueswithin wrappers and code, currently just snprintf.c, that bypasses thewrappers. The wrappers do not return after an error, so their callersneed not check. Back-patch to 9.0 (all supported versions).Popular free software standard library implementations do take pains tobypass malloc() in simple cases, but they risk ENOMEM for floating pointnumbers, positional arguments, large field widths, and large precisions.No specification demands such caution, so this commit regards every callto a printf family function as a potential threat.Injecting the wrappers implicitly is a compromise between patch scopeand design goals. I would prefer to edit each call site to name awrapper explicitly. libpq and the ECPG libraries would, ideally, conveyerrors to the caller rather than abort(). All that would be painfullyinvasive for a back-patched security fix, hence this compromise.Security:CVE-2015-3166
1 parentf7c4fe7 commit2e3bd06

File tree

16 files changed

+300
-93
lines changed

16 files changed

+300
-93
lines changed

‎src/include/port.h‎

Lines changed: 53 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -126,12 +126,11 @@ extern unsigned char pg_tolower(unsigned char ch);
126126
externunsignedcharpg_ascii_toupper(unsignedcharch);
127127
externunsignedcharpg_ascii_tolower(unsignedcharch);
128128

129-
#ifdefUSE_REPL_SNPRINTF
130-
131129
/*
132-
* Versions of libintl >= 0.13 try to replace printf() and friends with
133-
* macros to their own versions that understand the %$ format. We do the
134-
* same, so disable their macros, if they exist.
130+
* Capture macro-compatible calls to printf() and friends, and redirect them
131+
* to wrappers that throw errors in lieu of reporting failure in a return
132+
* value. Versions of libintl >= 0.13 similarly redirect to versions that
133+
* understand the %$ format, so disable libintl macros first.
135134
*/
136135
#ifdefvsnprintf
137136
#undef vsnprintf
@@ -155,6 +154,55 @@ extern unsigned char pg_ascii_tolower(unsigned char ch);
155154
#undef printf
156155
#endif
157156

157+
externint
158+
vsnprintf_throw_on_fail(char*str,size_tcount,constchar*fmt,va_listargs)
159+
__attribute__((format(PG_PRINTF_ATTRIBUTE,3,0)));
160+
externint
161+
snprintf_throw_on_fail(char*str,size_tcount,constchar*fmt,...)
162+
__attribute__((format(PG_PRINTF_ATTRIBUTE,3,4)));
163+
externint
164+
vsprintf_throw_on_fail(char*str,constchar*fmt,va_listargs)
165+
__attribute__((format(PG_PRINTF_ATTRIBUTE,2,0)));
166+
externint
167+
sprintf_throw_on_fail(char*str,constchar*fmt,...)
168+
__attribute__((format(PG_PRINTF_ATTRIBUTE,2,3)));
169+
externint
170+
vfprintf_throw_on_fail(FILE*stream,constchar*fmt,va_listargs)
171+
__attribute__((format(PG_PRINTF_ATTRIBUTE,2,0)));
172+
externint
173+
fprintf_throw_on_fail(FILE*stream,constchar*fmt,...)
174+
__attribute__((format(PG_PRINTF_ATTRIBUTE,2,3)));
175+
externint
176+
printf_throw_on_fail(constchar*fmt,...)
177+
__attribute__((format(PG_PRINTF_ATTRIBUTE,1,2)));
178+
179+
/*
180+
*The GCC-specific code below prevents the __attribute__(... 'printf')
181+
*above from being replaced, and this is required because gcc doesn't
182+
*know anything about printf_throw_on_fail.
183+
*/
184+
#ifdef__GNUC__
185+
#definevsnprintf(...)vsnprintf_throw_on_fail(__VA_ARGS__)
186+
#definesnprintf(...)snprintf_throw_on_fail(__VA_ARGS__)
187+
#definevsprintf(...)vsprintf_throw_on_fail(__VA_ARGS__)
188+
#definesprintf(...)sprintf_throw_on_fail(__VA_ARGS__)
189+
#definevfprintf(...)vfprintf_throw_on_fail(__VA_ARGS__)
190+
#definefprintf(...)fprintf_throw_on_fail(__VA_ARGS__)
191+
#defineprintf(...)printf_throw_on_fail(__VA_ARGS__)
192+
#else
193+
#definevsnprintfvsnprintf_throw_on_fail
194+
#definesnprintfsnprintf_throw_on_fail
195+
#definevsprintfvsprintf_throw_on_fail
196+
#definesprintfsprintf_throw_on_fail
197+
#definevfprintfvfprintf_throw_on_fail
198+
#definefprintffprintf_throw_on_fail
199+
#defineprintfprintf_throw_on_fail
200+
#endif
201+
202+
#ifdefUSE_REPL_SNPRINTF
203+
204+
/* Code outside syswrap.c should not call these. */
205+
158206
externintpg_vsnprintf(char*str,size_tcount,constchar*fmt,va_listargs);
159207
externint
160208
pg_snprintf(char*str,size_tcount,constchar*fmt,...)
@@ -175,28 +223,6 @@ pg_printf(const char *fmt,...)
175223
/* This extension allows gcc to check the format string */
176224
__attribute__((format(PG_PRINTF_ATTRIBUTE,1,2)));
177225

178-
/*
179-
*The GCC-specific code below prevents the __attribute__(... 'printf')
180-
*above from being replaced, and this is required because gcc doesn't
181-
*know anything about pg_printf.
182-
*/
183-
#ifdef__GNUC__
184-
#definevsnprintf(...)pg_vsnprintf(__VA_ARGS__)
185-
#definesnprintf(...)pg_snprintf(__VA_ARGS__)
186-
#definevsprintf(...)pg_vsprintf(__VA_ARGS__)
187-
#definesprintf(...)pg_sprintf(__VA_ARGS__)
188-
#definevfprintf(...)pg_vfprintf(__VA_ARGS__)
189-
#definefprintf(...)pg_fprintf(__VA_ARGS__)
190-
#defineprintf(...)pg_printf(__VA_ARGS__)
191-
#else
192-
#definevsnprintfpg_vsnprintf
193-
#definesnprintfpg_snprintf
194-
#definevsprintfpg_vsprintf
195-
#definesprintfpg_sprintf
196-
#definevfprintfpg_vfprintf
197-
#definefprintfpg_fprintf
198-
#defineprintfpg_printf
199-
#endif
200226
#endif/* USE_REPL_SNPRINTF */
201227

202228
#if defined(WIN32)

‎src/interfaces/ecpg/compatlib/Makefile‎

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -47,6 +47,7 @@ submake-pgtypeslib:
4747
# Shared library stuff
4848
include$(top_srcdir)/src/Makefile.shlib
4949

50+
# XXX This library uses no symbols from snprintf.c.
5051
snprintf.c:% :$(top_srcdir)/src/port/%
5152
rm -f$@&&$(LN_S)$<.
5253

‎src/interfaces/ecpg/ecpglib/.gitignore‎

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@
55
/pgstrcasecmp.c
66
/snprintf.c
77
/strlcpy.c
8+
/syswrap.c
89
/thread.c
910
/win32setlocale.c
1011
/isinf.c

‎src/interfaces/ecpg/ecpglib/Makefile‎

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ override CFLAGS += $(PTHREAD_CFLAGS)
2525
LIBS :=$(filter-out -lpgport,$(LIBS))
2626

2727
OBJS= execute.o typename.o descriptor.o sqlda.o data.o error.o prepare.o memory.o\
28-
connect.o misc.o path.o pgstrcasecmp.o\
28+
connect.o misc.o path.o pgstrcasecmp.osyswrap.o\
2929
$(filter snprintf.o strlcpy.o win32setlocale.o isinf.o,$(LIBOBJS))
3030

3131
# thread.c is needed only for non-WIN32 implementation of path.c
@@ -54,7 +54,7 @@ include $(top_srcdir)/src/Makefile.shlib
5454
# necessarily use the same object files as the backend uses. Instead,
5555
# symlink the source files in here and build our own object file.
5656

57-
path.cpgstrcasecmp.csnprintf.cstrlcpy.cthread.cwin32setlocale.cisinf.c:% :$(top_srcdir)/src/port/%
57+
path.cpgstrcasecmp.csnprintf.cstrlcpy.csyswrap.cthread.cwin32setlocale.cisinf.c:% :$(top_srcdir)/src/port/%
5858
rm -f$@&&$(LN_S)$<.
5959

6060
misc.o: misc.c$(top_builddir)/src/port/pg_config_paths.h
@@ -71,6 +71,6 @@ uninstall: uninstall-lib
7171

7272
cleandistclean: clean-lib
7373
rm -f$(OBJS)
74-
rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.c thread.c win32setlocale.c isinf.c
74+
rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.csyswrap.cthread.c win32setlocale.c isinf.c
7575

7676
maintainer-clean: distclean maintainer-clean-lib

‎src/interfaces/ecpg/pgtypeslib/.gitignore‎

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,3 +4,4 @@
44
/pgstrcasecmp.c
55
/rint.c
66
/snprintf.c
7+
/syswrap.c

‎src/interfaces/ecpg/pgtypeslib/Makefile‎

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ SHLIB_LINK += -lm
2929
SHLIB_EXPORTS = exports.txt
3030

3131
OBJS= numeric.o datetime.o common.o dt_common.o timestamp.o interval.o\
32-
pgstrcasecmp.o\
32+
pgstrcasecmp.osyswrap.o\
3333
$(filter rint.o snprintf.o,$(LIBOBJS))
3434

3535
all: all-lib
@@ -42,7 +42,7 @@ include $(top_srcdir)/src/Makefile.shlib
4242
# necessarily use the same object files as the backend uses. Instead,
4343
# symlink the source files in here and build our own object file.
4444

45-
pgstrcasecmp.crint.csnprintf.c:% :$(top_srcdir)/src/port/%
45+
pgstrcasecmp.crint.csnprintf.csyswrap.c:% :$(top_srcdir)/src/port/%
4646
rm -f$@&&$(LN_S)$<.
4747

4848
install: all installdirs install-lib
@@ -52,6 +52,6 @@ installdirs: installdirs-lib
5252
uninstall: uninstall-lib
5353

5454
cleandistclean: clean-lib
55-
rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c
55+
rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c syswrap.c
5656

5757
maintainer-clean: distclean maintainer-clean-lib

‎src/interfaces/libpq/.gitignore‎

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@
1313
/strerror.c
1414
/strlcpy.c
1515
/system.c
16+
/syswrap.c
1617
/thread.c
1718
/win32error.c
1819
/win32setlocale.c

‎src/interfaces/libpq/Makefile‎

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ OBJS=fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
3636
libpq-events.o
3737
# libpgport C files we always use
3838
OBJS += chklocale.o inet_net_ntop.o noblock.o pgstrcasecmp.o pqsignal.o\
39-
thread.o
39+
syswrap.othread.o
4040
# libpgport C files that are needed if identified by configure
4141
OBJS +=$(filter crypt.o getaddrinfo.o getpeereid.o inet_aton.o open.o system.o snprintf.o strerror.o strlcpy.o win32error.o win32setlocale.o,$(LIBOBJS))
4242
# backend/libpq
@@ -89,7 +89,7 @@ backend_src = $(top_srcdir)/src/backend
8989
# For some libpgport modules, this only happens if configure decides
9090
# the module is needed (see filter hack in OBJS, above).
9191

92-
chklocale.ccrypt.cgetaddrinfo.cgetpeereid.cinet_aton.cinet_net_ntop.cnoblock.copen.csystem.cpgsleep.cpgstrcasecmp.cpqsignal.csnprintf.cstrerror.cstrlcpy.cthread.cwin32error.cwin32setlocale.c:% :$(top_srcdir)/src/port/%
92+
chklocale.ccrypt.cgetaddrinfo.cgetpeereid.cinet_aton.cinet_net_ntop.cnoblock.copen.csystem.cpgsleep.cpgstrcasecmp.cpqsignal.csnprintf.cstrerror.cstrlcpy.csyswrap.cthread.cwin32error.cwin32setlocale.c:% :$(top_srcdir)/src/port/%
9393
rm -f$@&&$(LN_S)$<.
9494

9595
ip.cmd5.c:% :$(backend_src)/libpq/%
@@ -150,7 +150,7 @@ clean distclean: clean-lib
150150
# Might be left over from a Win32 client-only build
151151
rm -f pg_config_paths.h
152152
rm -f inet_net_ntop.c noblock.c pgstrcasecmp.c pqsignal.c thread.c
153-
rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c system.c snprintf.c strerror.c strlcpy.c win32error.c win32setlocale.c
153+
rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c system.c snprintf.c strerror.c strlcpy.csyswrap.cwin32error.c win32setlocale.c
154154
rm -f pgsleep.c
155155
rm -f md5.c ip.c
156156
rm -f encnames.c wchar.c

‎src/interfaces/libpq/bcc32.mak‎

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -107,6 +107,7 @@ CLEAN :
107107
-@erase"$(INTDIR)\pgsleep.obj"
108108
-@erase"$(INTDIR)\open.obj"
109109
-@erase"$(INTDIR)\system.obj"
110+
-@erase"$(INTDIR)\syswrap.obj"
110111
-@erase"$(INTDIR)\win32error.obj"
111112
-@erase"$(OUTDIR)\$(OUTFILENAME).lib"
112113
-@erase"$(OUTDIR)\$(OUTFILENAME)dll.lib"
@@ -151,6 +152,7 @@ LIB32_OBJS= \
151152
"$(INTDIR)\pgsleep.obj"\
152153
"$(INTDIR)\open.obj"\
153154
"$(INTDIR)\system.obj"\
155+
"$(INTDIR)\syswrap.obj"\
154156
"$(INTDIR)\win32error.obj"\
155157
"$(INTDIR)\pthread-win32.obj"
156158

@@ -302,6 +304,11 @@ LINK32_FLAGS = -Gn -L$(BCB)\lib;$(INTDIR); -x -Tpd -v
302304
$(CPP_PROJ) /I"." ..\..\port\system.c
303305
<<
304306

307+
"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
308+
$(CPP) @<<
309+
$(CPP_PROJ) ..\..\port\syswrap.c
310+
<<
311+
305312
"$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
306313
$(CPP) @<<
307314
$(CPP_PROJ) /I"." ..\..\port\win32error.c

‎src/interfaces/libpq/win32.mak‎

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -114,6 +114,7 @@ CLEAN :
114114
-@erase"$(INTDIR)\pgsleep.obj"
115115
-@erase"$(INTDIR)\open.obj"
116116
-@erase"$(INTDIR)\system.obj"
117+
-@erase"$(INTDIR)\syswrap.obj"
117118
-@erase"$(INTDIR)\win32error.obj"
118119
-@erase"$(INTDIR)\win32setlocale.obj"
119120
-@erase"$(OUTDIR)\$(OUTFILENAME).lib"
@@ -161,6 +162,7 @@ LIB32_OBJS= \
161162
"$(INTDIR)\pgsleep.obj"\
162163
"$(INTDIR)\open.obj"\
163164
"$(INTDIR)\system.obj"\
165+
"$(INTDIR)\syswrap.obj"\
164166
"$(INTDIR)\win32error.obj"\
165167
"$(INTDIR)\win32setlocale.obj"\
166168
"$(INTDIR)\pthread-win32.obj"
@@ -342,6 +344,11 @@ LINK32_OBJS= \
342344
$(CPP_PROJ) /I"." ..\..\port\system.c
343345
<<
344346

347+
"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
348+
$(CPP) @<<
349+
$(CPP_PROJ) ..\..\port\syswrap.c
350+
<<
351+
345352
"$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
346353
$(CPP) @<<
347354
$(CPP_PROJ) /I"." ..\..\port\win32error.c

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp