Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit2eb2fcd

Browse files
committed
Revert error-throwing wrappers for the printf family of functions.
This reverts commit16304a0, exceptfor its changes in src/port/snprintf.c; as well as commitcac18a7 which is no longer needed.Fujii Masao reported that the previous commit caused failures in psql onOS X, since if one exits the pager program early while viewing a queryresult, psql sees an EPIPE error from fprintf --- and the wrapper functionthought that was reason to panic. (It's a bit surprising that the samedoes not happen on Linux.) Further discussion among the security listconcluded that the risk of other such failures was far too great, andthat the one-size-fits-all approach to error handling embodied in theprevious patch is unlikely to be workable.This leaves us again exposed to the possibility of the type of failureenvisioned inCVE-2015-3166. However, that failure mode is strictlyhypothetical at this point: there is no concrete reason to believe thatan attacker could trigger information disclosure through the supposedmechanism. In the first place, the attack surface is fairly limited,since so much of what the backend does with format strings goes throughstringinfo.c or psprintf(), and those already had adequate defenses.In the second place, even granting that an unprivileged attacker couldcontrol the occurrence of ENOMEM with some precision, it's a stretch tobelieve that he could induce it just where the target buffer contains somevaluable information. So we concluded that the risk of non-hypotheticalproblems induced by the patch greatly outweighs the security risks.We will therefore revert, and instead undertake closer analysis toidentify specific calls that may need hardening, rather than attempt auniversal solution.We have kept the portion of the previous patch that improved snprintf.c'shandling of errors when it calls the platform's sprintf(). That seems tobe an unalloyed improvement.Security:CVE-2015-3166
1 parentada8447 commit2eb2fcd

File tree

16 files changed

+53
-251
lines changed

16 files changed

+53
-251
lines changed

‎src/include/port.h

Lines changed: 25 additions & 57 deletions
Original file line numberDiff line numberDiff line change
@@ -126,21 +126,19 @@ extern unsigned char pg_tolower(unsigned char ch);
126126
externunsignedcharpg_ascii_toupper(unsignedcharch);
127127
externunsignedcharpg_ascii_tolower(unsignedcharch);
128128

129+
#ifdefUSE_REPL_SNPRINTF
130+
129131
/*
130-
* Capture macro-compatible calls to printf() and friends, and redirect them
131-
* to wrappers that throw errors in lieu of reporting failure in a return
132-
* value. Versions of libintl >= 0.13 similarly redirect to versions that
133-
* understand the %$ format, so disable libintl macros first.
132+
* Versions of libintl >= 0.13 try to replace printf() and friends with
133+
* macros to their own versions that understand the %$ format. We do the
134+
* same, so disable their macros, if they exist.
134135
*/
135136
#ifdefvsnprintf
136137
#undef vsnprintf
137138
#endif
138139
#ifdefsnprintf
139140
#undef snprintf
140141
#endif
141-
#ifdefvsprintf
142-
#undef vsprintf
143-
#endif
144142
#ifdefsprintf
145143
#undef sprintf
146144
#endif
@@ -154,61 +152,11 @@ extern unsigned char pg_ascii_tolower(unsigned char ch);
154152
#undef printf
155153
#endif
156154

157-
externint
158-
vsnprintf_throw_on_fail(char*str,size_tcount,constchar*fmt,va_listargs)
159-
__attribute__((format(PG_PRINTF_ATTRIBUTE,3,0)));
160-
externint
161-
snprintf_throw_on_fail(char*str,size_tcount,constchar*fmt,...)
162-
__attribute__((format(PG_PRINTF_ATTRIBUTE,3,4)));
163-
externint
164-
vsprintf_throw_on_fail(char*str,constchar*fmt,va_listargs)
165-
__attribute__((format(PG_PRINTF_ATTRIBUTE,2,0)));
166-
externint
167-
sprintf_throw_on_fail(char*str,constchar*fmt,...)
168-
__attribute__((format(PG_PRINTF_ATTRIBUTE,2,3)));
169-
externint
170-
vfprintf_throw_on_fail(FILE*stream,constchar*fmt,va_listargs)
171-
__attribute__((format(PG_PRINTF_ATTRIBUTE,2,0)));
172-
externint
173-
fprintf_throw_on_fail(FILE*stream,constchar*fmt,...)
174-
__attribute__((format(PG_PRINTF_ATTRIBUTE,2,3)));
175-
externint
176-
printf_throw_on_fail(constchar*fmt,...)
177-
__attribute__((format(PG_PRINTF_ATTRIBUTE,1,2)));
178-
179-
/*
180-
*The GCC-specific code below prevents the __attribute__(... 'printf')
181-
*above from being replaced, and this is required because gcc doesn't
182-
*know anything about printf_throw_on_fail.
183-
*/
184-
#ifdef__GNUC__
185-
#definevsnprintf(...)vsnprintf_throw_on_fail(__VA_ARGS__)
186-
#definesnprintf(...)snprintf_throw_on_fail(__VA_ARGS__)
187-
#definevsprintf(...)vsprintf_throw_on_fail(__VA_ARGS__)
188-
#definesprintf(...)sprintf_throw_on_fail(__VA_ARGS__)
189-
#definevfprintf(...)vfprintf_throw_on_fail(__VA_ARGS__)
190-
#definefprintf(...)fprintf_throw_on_fail(__VA_ARGS__)
191-
#defineprintf(...)printf_throw_on_fail(__VA_ARGS__)
192-
#else
193-
#definevsnprintfvsnprintf_throw_on_fail
194-
#definesnprintfsnprintf_throw_on_fail
195-
#definevsprintfvsprintf_throw_on_fail
196-
#definesprintfsprintf_throw_on_fail
197-
#definevfprintfvfprintf_throw_on_fail
198-
#definefprintffprintf_throw_on_fail
199-
#defineprintfprintf_throw_on_fail
200-
#endif
201-
202-
#ifdefUSE_REPL_SNPRINTF
203-
204-
/* Code outside syswrap.c should not call these. */
205-
206155
externintpg_vsnprintf(char*str,size_tcount,constchar*fmt,va_listargs);
207156
externint
208157
pg_snprintf(char*str,size_tcount,constchar*fmt,...)
209158
/* This extension allows gcc to check the format string */
210159
__attribute__((format(PG_PRINTF_ATTRIBUTE,3,4)));
211-
externintpg_vsprintf(char*str,constchar*fmt,va_listargs);
212160
externint
213161
pg_sprintf(char*str,constchar*fmt,...)
214162
/* This extension allows gcc to check the format string */
@@ -223,6 +171,26 @@ pg_printf(const char *fmt,...)
223171
/* This extension allows gcc to check the format string */
224172
__attribute__((format(PG_PRINTF_ATTRIBUTE,1,2)));
225173

174+
/*
175+
*The GCC-specific code below prevents the __attribute__(... 'printf')
176+
*above from being replaced, and this is required because gcc doesn't
177+
*know anything about pg_printf.
178+
*/
179+
#ifdef__GNUC__
180+
#definevsnprintf(...)pg_vsnprintf(__VA_ARGS__)
181+
#definesnprintf(...)pg_snprintf(__VA_ARGS__)
182+
#definesprintf(...)pg_sprintf(__VA_ARGS__)
183+
#definevfprintf(...)pg_vfprintf(__VA_ARGS__)
184+
#definefprintf(...)pg_fprintf(__VA_ARGS__)
185+
#defineprintf(...)pg_printf(__VA_ARGS__)
186+
#else
187+
#definevsnprintfpg_vsnprintf
188+
#definesnprintfpg_snprintf
189+
#definesprintfpg_sprintf
190+
#definevfprintfpg_vfprintf
191+
#definefprintfpg_fprintf
192+
#defineprintfpg_printf
193+
#endif
226194
#endif/* USE_REPL_SNPRINTF */
227195

228196
#if defined(WIN32)

‎src/interfaces/ecpg/compatlib/Makefile

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,6 @@ submake-pgtypeslib:
4747
# Shared library stuff
4848
include$(top_srcdir)/src/Makefile.shlib
4949

50-
# XXX This library uses no symbols from snprintf.c.
5150
snprintf.c:% :$(top_srcdir)/src/port/%
5251
rm -f$@&&$(LN_S)$<.
5352

‎src/interfaces/ecpg/ecpglib/.gitignore

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,6 @@
55
/pgstrcasecmp.c
66
/snprintf.c
77
/strlcpy.c
8-
/syswrap.c
98
/thread.c
109
/win32setlocale.c
1110
/isinf.c

‎src/interfaces/ecpg/ecpglib/Makefile

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ override CFLAGS += $(PTHREAD_CFLAGS)
2525
LIBS :=$(filter-out -lpgport,$(LIBS))
2626

2727
OBJS= execute.o typename.o descriptor.o sqlda.o data.o error.o prepare.o memory.o\
28-
connect.o misc.o path.o pgstrcasecmp.osyswrap.o\
28+
connect.o misc.o path.o pgstrcasecmp.o\
2929
$(filter snprintf.o strlcpy.o win32setlocale.o isinf.o,$(LIBOBJS))
3030

3131
# thread.c is needed only for non-WIN32 implementation of path.c
@@ -54,7 +54,7 @@ include $(top_srcdir)/src/Makefile.shlib
5454
# necessarily use the same object files as the backend uses. Instead,
5555
# symlink the source files in here and build our own object file.
5656

57-
path.cpgstrcasecmp.csnprintf.cstrlcpy.csyswrap.cthread.cwin32setlocale.cisinf.c:% :$(top_srcdir)/src/port/%
57+
path.cpgstrcasecmp.csnprintf.cstrlcpy.cthread.cwin32setlocale.cisinf.c:% :$(top_srcdir)/src/port/%
5858
rm -f$@&&$(LN_S)$<.
5959

6060
misc.o: misc.c$(top_builddir)/src/port/pg_config_paths.h
@@ -71,6 +71,6 @@ uninstall: uninstall-lib
7171

7272
cleandistclean: clean-lib
7373
rm -f$(OBJS)
74-
rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.csyswrap.cthread.c win32setlocale.c isinf.c
74+
rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.c thread.c win32setlocale.c isinf.c
7575

7676
maintainer-clean: distclean maintainer-clean-lib

‎src/interfaces/ecpg/pgtypeslib/.gitignore

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,4 +4,3 @@
44
/pgstrcasecmp.c
55
/rint.c
66
/snprintf.c
7-
/syswrap.c

‎src/interfaces/ecpg/pgtypeslib/Makefile

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ SHLIB_LINK += -lm
2929
SHLIB_EXPORTS = exports.txt
3030

3131
OBJS= numeric.o datetime.o common.o dt_common.o timestamp.o interval.o\
32-
pgstrcasecmp.osyswrap.o\
32+
pgstrcasecmp.o\
3333
$(filter rint.o snprintf.o,$(LIBOBJS))
3434

3535
all: all-lib
@@ -42,7 +42,7 @@ include $(top_srcdir)/src/Makefile.shlib
4242
# necessarily use the same object files as the backend uses. Instead,
4343
# symlink the source files in here and build our own object file.
4444

45-
pgstrcasecmp.crint.csnprintf.csyswrap.c:% :$(top_srcdir)/src/port/%
45+
pgstrcasecmp.crint.csnprintf.c:% :$(top_srcdir)/src/port/%
4646
rm -f$@&&$(LN_S)$<.
4747

4848
install: all installdirs install-lib
@@ -52,6 +52,6 @@ installdirs: installdirs-lib
5252
uninstall: uninstall-lib
5353

5454
cleandistclean: clean-lib
55-
rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c syswrap.c
55+
rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c
5656

5757
maintainer-clean: distclean maintainer-clean-lib

‎src/interfaces/libpq/.gitignore

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,6 @@
1313
/strerror.c
1414
/strlcpy.c
1515
/system.c
16-
/syswrap.c
1716
/thread.c
1817
/win32error.c
1918
/win32setlocale.c

‎src/interfaces/libpq/Makefile

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ OBJS=fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
3636
libpq-events.o
3737
# libpgport C files we always use
3838
OBJS += chklocale.o inet_net_ntop.o noblock.o pgstrcasecmp.o pqsignal.o\
39-
syswrap.othread.o
39+
thread.o
4040
# libpgport C files that are needed if identified by configure
4141
OBJS +=$(filter crypt.o getaddrinfo.o getpeereid.o inet_aton.o open.o system.o snprintf.o strerror.o strlcpy.o win32error.o win32setlocale.o,$(LIBOBJS))
4242
# backend/libpq
@@ -89,7 +89,7 @@ backend_src = $(top_srcdir)/src/backend
8989
# For some libpgport modules, this only happens if configure decides
9090
# the module is needed (see filter hack in OBJS, above).
9191

92-
chklocale.ccrypt.cgetaddrinfo.cgetpeereid.cinet_aton.cinet_net_ntop.cnoblock.copen.csystem.cpgsleep.cpgstrcasecmp.cpqsignal.csnprintf.cstrerror.cstrlcpy.csyswrap.cthread.cwin32error.cwin32setlocale.c:% :$(top_srcdir)/src/port/%
92+
chklocale.ccrypt.cgetaddrinfo.cgetpeereid.cinet_aton.cinet_net_ntop.cnoblock.copen.csystem.cpgsleep.cpgstrcasecmp.cpqsignal.csnprintf.cstrerror.cstrlcpy.cthread.cwin32error.cwin32setlocale.c:% :$(top_srcdir)/src/port/%
9393
rm -f$@&&$(LN_S)$<.
9494

9595
ip.cmd5.c:% :$(backend_src)/libpq/%
@@ -150,7 +150,7 @@ clean distclean: clean-lib
150150
# Might be left over from a Win32 client-only build
151151
rm -f pg_config_paths.h
152152
rm -f inet_net_ntop.c noblock.c pgstrcasecmp.c pqsignal.c thread.c
153-
rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c system.c snprintf.c strerror.c strlcpy.csyswrap.cwin32error.c win32setlocale.c
153+
rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c system.c snprintf.c strerror.c strlcpy.c win32error.c win32setlocale.c
154154
rm -f pgsleep.c
155155
rm -f md5.c ip.c
156156
rm -f encnames.c wchar.c

‎src/interfaces/libpq/bcc32.mak

Lines changed: 0 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -107,7 +107,6 @@ CLEAN :
107107
-@erase"$(INTDIR)\pgsleep.obj"
108108
-@erase"$(INTDIR)\open.obj"
109109
-@erase"$(INTDIR)\system.obj"
110-
-@erase"$(INTDIR)\syswrap.obj"
111110
-@erase"$(INTDIR)\win32error.obj"
112111
-@erase"$(OUTDIR)\$(OUTFILENAME).lib"
113112
-@erase"$(OUTDIR)\$(OUTFILENAME)dll.lib"
@@ -152,7 +151,6 @@ LIB32_OBJS= \
152151
"$(INTDIR)\pgsleep.obj"\
153152
"$(INTDIR)\open.obj"\
154153
"$(INTDIR)\system.obj"\
155-
"$(INTDIR)\syswrap.obj"\
156154
"$(INTDIR)\win32error.obj"\
157155
"$(INTDIR)\pthread-win32.obj"
158156

@@ -304,11 +302,6 @@ LINK32_FLAGS = -Gn -L$(BCB)\lib;$(INTDIR); -x -Tpd -v
304302
$(CPP_PROJ) /I"." ..\..\port\system.c
305303
<<
306304

307-
"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
308-
$(CPP) @<<
309-
$(CPP_PROJ) ..\..\port\syswrap.c
310-
<<
311-
312305
"$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
313306
$(CPP) @<<
314307
$(CPP_PROJ) /I"." ..\..\port\win32error.c

‎src/interfaces/libpq/win32.mak

Lines changed: 0 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -114,7 +114,6 @@ CLEAN :
114114
-@erase"$(INTDIR)\pgsleep.obj"
115115
-@erase"$(INTDIR)\open.obj"
116116
-@erase"$(INTDIR)\system.obj"
117-
-@erase"$(INTDIR)\syswrap.obj"
118117
-@erase"$(INTDIR)\win32error.obj"
119118
-@erase"$(INTDIR)\win32setlocale.obj"
120119
-@erase"$(OUTDIR)\$(OUTFILENAME).lib"
@@ -162,7 +161,6 @@ LIB32_OBJS= \
162161
"$(INTDIR)\pgsleep.obj"\
163162
"$(INTDIR)\open.obj"\
164163
"$(INTDIR)\system.obj"\
165-
"$(INTDIR)\syswrap.obj"\
166164
"$(INTDIR)\win32error.obj"\
167165
"$(INTDIR)\win32setlocale.obj"\
168166
"$(INTDIR)\pthread-win32.obj"
@@ -344,11 +342,6 @@ LINK32_OBJS= \
344342
$(CPP_PROJ) /I"." ..\..\port\system.c
345343
<<
346344

347-
"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
348-
$(CPP) @<<
349-
$(CPP_PROJ) ..\..\port\syswrap.c
350-
<<
351-
352345
"$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
353346
$(CPP) @<<
354347
$(CPP_PROJ) /I"." ..\..\port\win32error.c

‎src/pl/plperl/plperl.h

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -39,8 +39,10 @@
3939
* So we undefine them here and redefine them after it's done its dirty deed.
4040
*/
4141

42+
#ifdefUSE_REPL_SNPRINTF
4243
#undef snprintf
4344
#undef vsnprintf
45+
#endif
4446

4547

4648
/* required for perl API */
@@ -49,19 +51,21 @@
4951
#include"XSUB.h"
5052

5153
/* put back our snprintf and vsnprintf */
54+
#ifdefUSE_REPL_SNPRINTF
5255
#ifdefsnprintf
5356
#undef snprintf
5457
#endif
5558
#ifdefvsnprintf
5659
#undef vsnprintf
5760
#endif
5861
#ifdef__GNUC__
59-
#definevsnprintf(...)vsnprintf_throw_on_fail(__VA_ARGS__)
60-
#definesnprintf(...)snprintf_throw_on_fail(__VA_ARGS__)
62+
#definevsnprintf(...)pg_vsnprintf(__VA_ARGS__)
63+
#definesnprintf(...)pg_snprintf(__VA_ARGS__)
6164
#else
62-
#definevsnprintfvsnprintf_throw_on_fail
63-
#definesnprintfsnprintf_throw_on_fail
65+
#definevsnprintfpg_vsnprintf
66+
#definesnprintfpg_snprintf
6467
#endif/* __GNUC__ */
68+
#endif/* USE_REPL_SNPRINTF */
6569

6670
/* perl version and platform portability */
6771
#defineNEED_eval_pv

‎src/pl/plpython/plpython.h

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -35,8 +35,10 @@
3535
* So we undefine them here and redefine them after it's done its dirty deed.
3636
*/
3737

38+
#ifdefUSE_REPL_SNPRINTF
3839
#undef snprintf
3940
#undef vsnprintf
41+
#endif
4042

4143
#if defined(_MSC_VER)&& defined(_DEBUG)
4244
/* Python uses #pragma to bring in a non-default libpython on VC++ if
@@ -122,19 +124,21 @@ typedef int Py_ssize_t;
122124
#include<eval.h>
123125

124126
/* put back our snprintf and vsnprintf */
127+
#ifdefUSE_REPL_SNPRINTF
125128
#ifdefsnprintf
126129
#undef snprintf
127130
#endif
128131
#ifdefvsnprintf
129132
#undef vsnprintf
130133
#endif
131134
#ifdef__GNUC__
132-
#definevsnprintf(...)vsnprintf_throw_on_fail(__VA_ARGS__)
133-
#definesnprintf(...)snprintf_throw_on_fail(__VA_ARGS__)
135+
#definevsnprintf(...)pg_vsnprintf(__VA_ARGS__)
136+
#definesnprintf(...)pg_snprintf(__VA_ARGS__)
134137
#else
135-
#definevsnprintfvsnprintf_throw_on_fail
136-
#definesnprintfsnprintf_throw_on_fail
138+
#definevsnprintfpg_vsnprintf
139+
#definesnprintfpg_snprintf
137140
#endif/* __GNUC__ */
141+
#endif/* USE_REPL_SNPRINTF */
138142

139143
/*
140144
* Used throughout, and also by the Python 2/3 porting layer, so it's easier to

‎src/port/Makefile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ LIBS += $(PTHREAD_LIBS)
3333
OBJS =$(LIBOBJS) chklocale.o erand48.o fls.o inet_net_ntop.o\
3434
noblock.o path.o pgcheckdir.o pg_crc.o pgmkdirp.o pgsleep.o\
3535
pgstrcasecmp.o pqsignal.o\
36-
qsort.o qsort_arg.o quotes.o sprompt.osyswrap.otar.o thread.o
36+
qsort.o qsort_arg.o quotes.o sprompt.o tar.o thread.o
3737

3838
# foo_srv.o and foo.o are both built from foo.c, but only foo.o has -DFRONTEND
3939
OBJS_SRV =$(OBJS:%.o=%_srv.o)

‎src/port/snprintf.c

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -99,7 +99,6 @@
9999
/* Prevent recursion */
100100
#undefvsnprintf
101101
#undefsnprintf
102-
#undefvsprintf
103102
#undefsprintf
104103
#undefvfprintf
105104
#undeffprintf
@@ -176,7 +175,7 @@ pg_snprintf(char *str, size_t count, const char *fmt,...)
176175
returnlen;
177176
}
178177

179-
int
178+
staticint
180179
pg_vsprintf(char*str,constchar*fmt,va_listargs)
181180
{
182181
PrintfTargettarget;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp