NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit2eb2fcd

committed

Revert error-throwing wrappers for the printf family of functions.

This reverts commit16304a0, exceptfor its changes in src/port/snprintf.c; as well as commitcac18a7 which is no longer needed.Fujii Masao reported that the previous commit caused failures in psql onOS X, since if one exits the pager program early while viewing a queryresult, psql sees an EPIPE error from fprintf --- and the wrapper functionthought that was reason to panic. (It's a bit surprising that the samedoes not happen on Linux.) Further discussion among the security listconcluded that the risk of other such failures was far too great, andthat the one-size-fits-all approach to error handling embodied in theprevious patch is unlikely to be workable.This leaves us again exposed to the possibility of the type of failureenvisioned inCVE-2015-3166. However, that failure mode is strictlyhypothetical at this point: there is no concrete reason to believe thatan attacker could trigger information disclosure through the supposedmechanism. In the first place, the attack surface is fairly limited,since so much of what the backend does with format strings goes throughstringinfo.c or psprintf(), and those already had adequate defenses.In the second place, even granting that an unprivileged attacker couldcontrol the occurrence of ENOMEM with some precision, it's a stretch tobelieve that he could induce it just where the target buffer contains somevaluable information. So we concluded that the risk of non-hypotheticalproblems induced by the patch greatly outweighs the security risks.We will therefore revert, and instead undertake closer analysis toidentify specific calls that may need hardening, rather than attempt auniversal solution.We have kept the portion of the previous patch that improved snprintf.c'shandling of errors when it calls the platform's sprintf(). That seems tobe an unalloyed improvement.Security:CVE-2015-3166

1 parentada8447 commit2eb2fcdCopy full SHA for 2eb2fcd

File tree

16 files changed

+53

-251

lines changed

src
- include
  - port.h
- interfaces
  - ecpg
    - compatlib
      - Makefile
    - ecpglib
      - .gitignore
      - Makefile
    - pgtypeslib
      - .gitignore
      - Makefile
  - libpq
- pl
  - plperl
    - plperl.h
  - plpython
    - plpython.h
- port
- tools/msvc
  - Mkvcbuild.pm

16 files changed

+53

-251

lines changed

`‎src/include/port.h`

Lines changed: 25 additions & 57 deletions

Original file line number	Diff line number	Diff line change
`@@ -126,21 +126,19 @@ extern unsigned char pg_tolower(unsigned char ch);`
`126`	`126`	`externunsignedcharpg_ascii_toupper(unsignedcharch);`
`127`	`127`	`externunsignedcharpg_ascii_tolower(unsignedcharch);`
`128`	`128`
	`129`	`+#ifdefUSE_REPL_SNPRINTF`
	`130`	`+`
`129`	`131`	`/*`
`130`		`- * Capture macro-compatible calls to printf() and friends, and redirect them`
`131`		`- * to wrappers that throw errors in lieu of reporting failure in a return`
`132`		`- * value. Versions of libintl >= 0.13 similarly redirect to versions that`
`133`		`- * understand the %$ format, so disable libintl macros first.`
	`132`	`+ * Versions of libintl >= 0.13 try to replace printf() and friends with`
	`133`	`+ * macros to their own versions that understand the %$ format. We do the`
	`134`	`+ * same, so disable their macros, if they exist.`
`134`	`135`	`*/`
`135`	`136`	`#ifdefvsnprintf`
`136`	`137`	`#undef vsnprintf`
`137`	`138`	`#endif`
`138`	`139`	`#ifdefsnprintf`
`139`	`140`	`#undef snprintf`
`140`	`141`	`#endif`
`141`		`-#ifdefvsprintf`
`142`		`-#undef vsprintf`
`143`		`-#endif`
`144`	`142`	`#ifdefsprintf`
`145`	`143`	`#undef sprintf`
`146`	`144`	`#endif`
`@@ -154,61 +152,11 @@ extern unsigned char pg_ascii_tolower(unsigned char ch);`
`154`	`152`	`#undef printf`
`155`	`153`	`#endif`
`156`	`154`
`157`		`-externint`
`158`		`-vsnprintf_throw_on_fail(charstr,size_tcount,constcharfmt,va_listargs)`
`159`		`-__attribute__((format(PG_PRINTF_ATTRIBUTE,3,0)));`
`160`		`-externint`
`161`		`-snprintf_throw_on_fail(charstr,size_tcount,constcharfmt,...)`
`162`		`-__attribute__((format(PG_PRINTF_ATTRIBUTE,3,4)));`
`163`		`-externint`
`164`		`-vsprintf_throw_on_fail(charstr,constcharfmt,va_listargs)`
`165`		`-__attribute__((format(PG_PRINTF_ATTRIBUTE,2,0)));`
`166`		`-externint`
`167`		`-sprintf_throw_on_fail(charstr,constcharfmt,...)`
`168`		`-__attribute__((format(PG_PRINTF_ATTRIBUTE,2,3)));`
`169`		`-externint`
`170`		`-vfprintf_throw_on_fail(FILEstream,constcharfmt,va_listargs)`
`171`		`-__attribute__((format(PG_PRINTF_ATTRIBUTE,2,0)));`
`172`		`-externint`
`173`		`-fprintf_throw_on_fail(FILEstream,constcharfmt,...)`
`174`		`-__attribute__((format(PG_PRINTF_ATTRIBUTE,2,3)));`
`175`		`-externint`
`176`		`-printf_throw_on_fail(constchar*fmt,...)`
`177`		`-__attribute__((format(PG_PRINTF_ATTRIBUTE,1,2)));`
`178`		`-`
`179`		`-/*`
`180`		`- *The GCC-specific code below prevents the __attribute__(... 'printf')`
`181`		`- *above from being replaced, and this is required because gcc doesn't`
`182`		`- *know anything about printf_throw_on_fail.`
`183`		`- */`
`184`		`-#ifdef__GNUC__`
`185`		`-#definevsnprintf(...)vsnprintf_throw_on_fail(__VA_ARGS__)`
`186`		`-#definesnprintf(...)snprintf_throw_on_fail(__VA_ARGS__)`
`187`		`-#definevsprintf(...)vsprintf_throw_on_fail(__VA_ARGS__)`
`188`		`-#definesprintf(...)sprintf_throw_on_fail(__VA_ARGS__)`
`189`		`-#definevfprintf(...)vfprintf_throw_on_fail(__VA_ARGS__)`
`190`		`-#definefprintf(...)fprintf_throw_on_fail(__VA_ARGS__)`
`191`		`-#defineprintf(...)printf_throw_on_fail(__VA_ARGS__)`
`192`		`-#else`
`193`		`-#definevsnprintfvsnprintf_throw_on_fail`
`194`		`-#definesnprintfsnprintf_throw_on_fail`
`195`		`-#definevsprintfvsprintf_throw_on_fail`
`196`		`-#definesprintfsprintf_throw_on_fail`
`197`		`-#definevfprintfvfprintf_throw_on_fail`
`198`		`-#definefprintffprintf_throw_on_fail`
`199`		`-#defineprintfprintf_throw_on_fail`
`200`		`-#endif`
`201`		`-`
`202`		`-#ifdefUSE_REPL_SNPRINTF`
`203`		`-`
`204`		`-/* Code outside syswrap.c should not call these. */`
`205`		`-`
`206`	`155`	`externintpg_vsnprintf(charstr,size_tcount,constcharfmt,va_listargs);`
`207`	`156`	`externint`
`208`	`157`	`pg_snprintf(charstr,size_tcount,constcharfmt,...)`
`209`	`158`	`/* This extension allows gcc to check the format string */`
`210`	`159`	`__attribute__((format(PG_PRINTF_ATTRIBUTE,3,4)));`
`211`		`-externintpg_vsprintf(charstr,constcharfmt,va_listargs);`
`212`	`160`	`externint`
`213`	`161`	`pg_sprintf(charstr,constcharfmt,...)`
`214`	`162`	`/* This extension allows gcc to check the format string */`
`@@ -223,6 +171,26 @@ pg_printf(const char *fmt,...)`
`223`	`171`	`/* This extension allows gcc to check the format string */`
`224`	`172`	`__attribute__((format(PG_PRINTF_ATTRIBUTE,1,2)));`
`225`	`173`
	`174`	`+/*`
	`175`	`+ *The GCC-specific code below prevents the __attribute__(... 'printf')`
	`176`	`+ *above from being replaced, and this is required because gcc doesn't`
	`177`	`+ *know anything about pg_printf.`
	`178`	`+ */`
	`179`	`+#ifdef__GNUC__`
	`180`	`+#definevsnprintf(...)pg_vsnprintf(__VA_ARGS__)`
	`181`	`+#definesnprintf(...)pg_snprintf(__VA_ARGS__)`
	`182`	`+#definesprintf(...)pg_sprintf(__VA_ARGS__)`
	`183`	`+#definevfprintf(...)pg_vfprintf(__VA_ARGS__)`
	`184`	`+#definefprintf(...)pg_fprintf(__VA_ARGS__)`
	`185`	`+#defineprintf(...)pg_printf(__VA_ARGS__)`
	`186`	`+#else`
	`187`	`+#definevsnprintfpg_vsnprintf`
	`188`	`+#definesnprintfpg_snprintf`
	`189`	`+#definesprintfpg_sprintf`
	`190`	`+#definevfprintfpg_vfprintf`
	`191`	`+#definefprintfpg_fprintf`
	`192`	`+#defineprintfpg_printf`
	`193`	`+#endif`
`226`	`194`	`#endif/* USE_REPL_SNPRINTF */`
`227`	`195`
`228`	`196`	`#if defined(WIN32)`

`‎src/interfaces/ecpg/compatlib/Makefile`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,6 @@ submake-pgtypeslib:`
`47`	`47`	`# Shared library stuff`
`48`	`48`	`include$(top_srcdir)/src/Makefile.shlib`
`49`	`49`
`50`		`-# XXX This library uses no symbols from snprintf.c.`
`51`	`50`	`snprintf.c:% :$(top_srcdir)/src/port/%`
`52`	`51`	`rm -f$@&&$(LN_S)$<.`
`53`	`52`

`‎src/interfaces/ecpg/ecpglib/.gitignore`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,6 @@`
`5`	`5`	`/pgstrcasecmp.c`
`6`	`6`	`/snprintf.c`
`7`	`7`	`/strlcpy.c`
`8`		`-/syswrap.c`
`9`	`8`	`/thread.c`
`10`	`9`	`/win32setlocale.c`
`11`	`10`	`/isinf.c`

`‎src/interfaces/ecpg/ecpglib/Makefile`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ override CFLAGS += $(PTHREAD_CFLAGS)`
`25`	`25`	`LIBS :=$(filter-out -lpgport,$(LIBS))`
`26`	`26`
`27`	`27`	`OBJS= execute.o typename.o descriptor.o sqlda.o data.o error.o prepare.o memory.o\`
`28`		`-connect.o misc.o path.o pgstrcasecmp.osyswrap.o\`
	`28`	`+connect.o misc.o path.o pgstrcasecmp.o\`
`29`	`29`	`$(filter snprintf.o strlcpy.o win32setlocale.o isinf.o,$(LIBOBJS))`
`30`	`30`
`31`	`31`	`# thread.c is needed only for non-WIN32 implementation of path.c`
`@@ -54,7 +54,7 @@ include $(top_srcdir)/src/Makefile.shlib`
`54`	`54`	`# necessarily use the same object files as the backend uses. Instead,`
`55`	`55`	`# symlink the source files in here and build our own object file.`
`56`	`56`
`57`		`-path.cpgstrcasecmp.csnprintf.cstrlcpy.csyswrap.cthread.cwin32setlocale.cisinf.c:% :$(top_srcdir)/src/port/%`
	`57`	`+path.cpgstrcasecmp.csnprintf.cstrlcpy.cthread.cwin32setlocale.cisinf.c:% :$(top_srcdir)/src/port/%`
`58`	`58`	`rm -f$@&&$(LN_S)$<.`
`59`	`59`
`60`	`60`	`misc.o: misc.c$(top_builddir)/src/port/pg_config_paths.h`
`@@ -71,6 +71,6 @@ uninstall: uninstall-lib`
`71`	`71`
`72`	`72`	`cleandistclean: clean-lib`
`73`	`73`	`rm -f$(OBJS)`
`74`		`-rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.csyswrap.cthread.c win32setlocale.c isinf.c`
	`74`	`+rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.c thread.c win32setlocale.c isinf.c`
`75`	`75`
`76`	`76`	`maintainer-clean: distclean maintainer-clean-lib`

`‎src/interfaces/ecpg/pgtypeslib/.gitignore`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,4 +4,3 @@`
`4`	`4`	`/pgstrcasecmp.c`
`5`	`5`	`/rint.c`
`6`	`6`	`/snprintf.c`
`7`		`-/syswrap.c`

`‎src/interfaces/ecpg/pgtypeslib/Makefile`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ SHLIB_LINK += -lm`
`29`	`29`	`SHLIB_EXPORTS = exports.txt`
`30`	`30`
`31`	`31`	`OBJS= numeric.o datetime.o common.o dt_common.o timestamp.o interval.o\`
`32`		`-pgstrcasecmp.osyswrap.o\`
	`32`	`+pgstrcasecmp.o\`
`33`	`33`	`$(filter rint.o snprintf.o,$(LIBOBJS))`
`34`	`34`
`35`	`35`	`all: all-lib`
`@@ -42,7 +42,7 @@ include $(top_srcdir)/src/Makefile.shlib`
`42`	`42`	`# necessarily use the same object files as the backend uses. Instead,`
`43`	`43`	`# symlink the source files in here and build our own object file.`
`44`	`44`
`45`		`-pgstrcasecmp.crint.csnprintf.csyswrap.c:% :$(top_srcdir)/src/port/%`
	`45`	`+pgstrcasecmp.crint.csnprintf.c:% :$(top_srcdir)/src/port/%`
`46`	`46`	`rm -f$@&&$(LN_S)$<.`
`47`	`47`
`48`	`48`	`install: all installdirs install-lib`
`@@ -52,6 +52,6 @@ installdirs: installdirs-lib`
`52`	`52`	`uninstall: uninstall-lib`
`53`	`53`
`54`	`54`	`cleandistclean: clean-lib`
`55`		`-rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c syswrap.c`
	`55`	`+rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c`
`56`	`56`
`57`	`57`	`maintainer-clean: distclean maintainer-clean-lib`

`‎src/interfaces/libpq/.gitignore`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,6 @@`
`13`	`13`	`/strerror.c`
`14`	`14`	`/strlcpy.c`
`15`	`15`	`/system.c`
`16`		`-/syswrap.c`
`17`	`16`	`/thread.c`
`18`	`17`	`/win32error.c`
`19`	`18`	`/win32setlocale.c`

`‎src/interfaces/libpq/Makefile`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ OBJS=fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \`
`36`	`36`	`libpq-events.o`
`37`	`37`	`# libpgport C files we always use`
`38`	`38`	`OBJS += chklocale.o inet_net_ntop.o noblock.o pgstrcasecmp.o pqsignal.o\`
`39`		`-syswrap.othread.o`
	`39`	`+thread.o`
`40`	`40`	`# libpgport C files that are needed if identified by configure`
`41`	`41`	`OBJS +=$(filter crypt.o getaddrinfo.o getpeereid.o inet_aton.o open.o system.o snprintf.o strerror.o strlcpy.o win32error.o win32setlocale.o,$(LIBOBJS))`
`42`	`42`	`# backend/libpq`
`@@ -89,7 +89,7 @@ backend_src = $(top_srcdir)/src/backend`
`89`	`89`	`# For some libpgport modules, this only happens if configure decides`
`90`	`90`	`# the module is needed (see filter hack in OBJS, above).`
`91`	`91`
`92`		`-chklocale.ccrypt.cgetaddrinfo.cgetpeereid.cinet_aton.cinet_net_ntop.cnoblock.copen.csystem.cpgsleep.cpgstrcasecmp.cpqsignal.csnprintf.cstrerror.cstrlcpy.csyswrap.cthread.cwin32error.cwin32setlocale.c:% :$(top_srcdir)/src/port/%`
	`92`	`+chklocale.ccrypt.cgetaddrinfo.cgetpeereid.cinet_aton.cinet_net_ntop.cnoblock.copen.csystem.cpgsleep.cpgstrcasecmp.cpqsignal.csnprintf.cstrerror.cstrlcpy.cthread.cwin32error.cwin32setlocale.c:% :$(top_srcdir)/src/port/%`
`93`	`93`	`rm -f$@&&$(LN_S)$<.`
`94`	`94`
`95`	`95`	`ip.cmd5.c:% :$(backend_src)/libpq/%`
`@@ -150,7 +150,7 @@ clean distclean: clean-lib`
`150`	`150`	`# Might be left over from a Win32 client-only build`
`151`	`151`	`rm -f pg_config_paths.h`
`152`	`152`	`rm -f inet_net_ntop.c noblock.c pgstrcasecmp.c pqsignal.c thread.c`
`153`		`-rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c system.c snprintf.c strerror.c strlcpy.csyswrap.cwin32error.c win32setlocale.c`
	`153`	`+rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c system.c snprintf.c strerror.c strlcpy.c win32error.c win32setlocale.c`
`154`	`154`	`rm -f pgsleep.c`
`155`	`155`	`rm -f md5.c ip.c`
`156`	`156`	`rm -f encnames.c wchar.c`

`‎src/interfaces/libpq/bcc32.mak`

Lines changed: 0 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,6 @@ CLEAN :`
`107`	`107`	`-@erase"$(INTDIR)\pgsleep.obj"`
`108`	`108`	`-@erase"$(INTDIR)\open.obj"`
`109`	`109`	`-@erase"$(INTDIR)\system.obj"`
`110`		`--@erase"$(INTDIR)\syswrap.obj"`
`111`	`110`	`-@erase"$(INTDIR)\win32error.obj"`
`112`	`111`	`-@erase"$(OUTDIR)\$(OUTFILENAME).lib"`
`113`	`112`	`-@erase"$(OUTDIR)\$(OUTFILENAME)dll.lib"`
`@@ -152,7 +151,6 @@ LIB32_OBJS= \`
`152`	`151`	`"$(INTDIR)\pgsleep.obj"\`
`153`	`152`	`"$(INTDIR)\open.obj"\`
`154`	`153`	`"$(INTDIR)\system.obj"\`
`155`		`-"$(INTDIR)\syswrap.obj"\`
`156`	`154`	`"$(INTDIR)\win32error.obj"\`
`157`	`155`	`"$(INTDIR)\pthread-win32.obj"`
`158`	`156`
`@@ -304,11 +302,6 @@ LINK32_FLAGS = -Gn -L$(BCB)\lib;$(INTDIR); -x -Tpd -v`
`304`	`302`	`$(CPP_PROJ) /I"." ..\..\port\system.c`
`305`	`303`	`<<`
`306`	`304`
`307`		`-"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c`
`308`		`-$(CPP) @<<`
`309`		`-$(CPP_PROJ) ..\..\port\syswrap.c`
`310`		`-<<`
`311`		`-`
`312`	`305`	`"$(INTDIR)\win32error.obj" : ..\..\port\win32error.c`
`313`	`306`	`$(CPP) @<<`
`314`	`307`	`$(CPP_PROJ) /I"." ..\..\port\win32error.c`

`‎src/interfaces/libpq/win32.mak`

Lines changed: 0 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,6 @@ CLEAN :`
`114`	`114`	`-@erase"$(INTDIR)\pgsleep.obj"`
`115`	`115`	`-@erase"$(INTDIR)\open.obj"`
`116`	`116`	`-@erase"$(INTDIR)\system.obj"`
`117`		`--@erase"$(INTDIR)\syswrap.obj"`
`118`	`117`	`-@erase"$(INTDIR)\win32error.obj"`
`119`	`118`	`-@erase"$(INTDIR)\win32setlocale.obj"`
`120`	`119`	`-@erase"$(OUTDIR)\$(OUTFILENAME).lib"`
`@@ -162,7 +161,6 @@ LIB32_OBJS= \`
`162`	`161`	`"$(INTDIR)\pgsleep.obj"\`
`163`	`162`	`"$(INTDIR)\open.obj"\`
`164`	`163`	`"$(INTDIR)\system.obj"\`
`165`		`-"$(INTDIR)\syswrap.obj"\`
`166`	`164`	`"$(INTDIR)\win32error.obj"\`
`167`	`165`	`"$(INTDIR)\win32setlocale.obj"\`
`168`	`166`	`"$(INTDIR)\pthread-win32.obj"`
`@@ -344,11 +342,6 @@ LINK32_OBJS= \`
`344`	`342`	`$(CPP_PROJ) /I"." ..\..\port\system.c`
`345`	`343`	`<<`
`346`	`344`
`347`		`-"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c`
`348`		`-$(CPP) @<<`
`349`		`-$(CPP_PROJ) ..\..\port\syswrap.c`
`350`		`-<<`
`351`		`-`
`352`	`345`	`"$(INTDIR)\win32error.obj" : ..\..\port\win32error.c`
`353`	`346`	`$(CPP) @<<`
`354`	`347`	`$(CPP_PROJ) /I"." ..\..\port\win32error.c`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit2eb2fcd

File tree

16 files changed

16 files changed

`‎src/include/port.h`

`‎src/interfaces/ecpg/compatlib/Makefile`

`‎src/interfaces/ecpg/ecpglib/.gitignore`

`‎src/interfaces/ecpg/ecpglib/Makefile`

`‎src/interfaces/ecpg/pgtypeslib/.gitignore`

`‎src/interfaces/ecpg/pgtypeslib/Makefile`

`‎src/interfaces/libpq/.gitignore`

`‎src/interfaces/libpq/Makefile`

`‎src/interfaces/libpq/bcc32.mak`

`‎src/interfaces/libpq/win32.mak`

0 commit comments