Commitcf89353

committed
Revert error-throwing wrappers for the printf family of functions.
This reverts commit 16304a0, except for its changes in src/port/snprintf.c; as well as commit cac18a7 which is no longer needed.

Fujii Masao reported that the previous commit caused failures in psql on OS X, since if one exits the pager program early while viewing a query result, psql sees an EPIPE error from fprintf --- and the wrapper function thought that was reason to panic. (It's a bit surprising that the same does not happen on Linux.) Further discussion among the security list concluded that the risk of other such failures was far too great, and that the one-size-fits-all approach to error handling embodied in the previous patch is unlikely to be workable.

This leaves us again exposed to the possibility of the type of failure envisioned in CVE-2015-3166. However, that failure mode is strictly hypothetical at this point: there is no concrete reason to believe that an attacker could trigger information disclosure through the supposed mechanism. In the first place, the attack surface is fairly limited, since so much of what the backend does with format strings goes through stringinfo.c or psprintf(), and those already had adequate defenses. In the second place, even granting that an unprivileged attacker could control the occurrence of ENOMEM with some precision, it's a stretch to believe that he could induce it just where the target buffer contains some valuable information. So we concluded that the risk of non-hypothetical problems induced by the patch greatly outweighs the security risks.

We will therefore revert, and instead undertake closer analysis to identify specific calls that may need hardening, rather than attempt a universal solution.

We have kept the portion of the previous patch that improved snprintf.c's handling of errors when it calls the platform's sprintf(). That seems to be an unalloyed improvement.

Security: CVE-2015-3166
1 parent59cc2f5 commitcf89353


14 files changed

+37
-243
lines changed


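--- a/src/include/port.h
+++ b/src/include/port.h
@@ -148,21 +148,19 @@ extern intpg_strncasecmp(const char *s1, const char *s2, size_t n);
 externunsignedcharpg_toupper(unsignedcharch);
 externunsignedcharpg_tolower(unsignedcharch);
 
+#ifdefUSE_REPL_SNPRINTF
+
 /*
-* Capture macro-compatible calls to printf() and friends, and redirect them
-* to wrappers that throw errors in lieu of reporting failure in a return
-* value. Versions of libintl >= 0.13 similarly redirect to versions that
-* understand the %$ format, so disable libintl macros first.
+* Versions of libintl >= 0.13 try to replace printf() and friends with
+* macros to their own versions that understand the %$ format. We do the
+* same, so disable their macros, if they exist.
 */
 #ifdefvsnprintf
 #undef vsnprintf
 #endif
 #ifdefsnprintf
 #undef snprintf
 #endif
-#ifdefvsprintf
-#undef vsprintf
-#endif
 #ifdefsprintf
 #undef sprintf
 #endif
@@ -176,61 +174,11 @@ extern unsigned char pg_tolower(unsigned char ch);
 #undef printf
 #endif
 
-externint
-vsnprintf_throw_on_fail(char*str,size_tcount,constchar*fmt,va_listargs)
-__attribute__((format(printf,3,0)));
-externint
-snprintf_throw_on_fail(char*str,size_tcount,constchar*fmt,...)
-__attribute__((format(printf,3,4)));
-externint
-vsprintf_throw_on_fail(char*str,constchar*fmt,va_listargs)
-__attribute__((format(printf,2,0)));
-externint
-sprintf_throw_on_fail(char*str,constchar*fmt,...)
-__attribute__((format(printf,2,3)));
-externint
-vfprintf_throw_on_fail(FILE*stream,constchar*fmt,va_listargs)
-__attribute__((format(printf,2,0)));
-externint
-fprintf_throw_on_fail(FILE*stream,constchar*fmt,...)
-__attribute__((format(printf,2,3)));
-externint
-printf_throw_on_fail(constchar*fmt,...)
-__attribute__((format(printf,1,2)));
-
-/*
-*The GCC-specific code below prevents the __attribute__(... 'printf')
-*above from being replaced, and this is required because gcc doesn't
-*know anything about printf_throw_on_fail.
-*/
-#ifdef__GNUC__
-#definevsnprintf(...)vsnprintf_throw_on_fail(__VA_ARGS__)
-#definesnprintf(...)snprintf_throw_on_fail(__VA_ARGS__)
-#definevsprintf(...)vsprintf_throw_on_fail(__VA_ARGS__)
-#definesprintf(...)sprintf_throw_on_fail(__VA_ARGS__)
-#definevfprintf(...)vfprintf_throw_on_fail(__VA_ARGS__)
-#definefprintf(...)fprintf_throw_on_fail(__VA_ARGS__)
-#defineprintf(...)printf_throw_on_fail(__VA_ARGS__)
-#else
-#definevsnprintfvsnprintf_throw_on_fail
-#definesnprintfsnprintf_throw_on_fail
-#definevsprintfvsprintf_throw_on_fail
-#definesprintfsprintf_throw_on_fail
-#definevfprintfvfprintf_throw_on_fail
-#definefprintffprintf_throw_on_fail
-#defineprintfprintf_throw_on_fail
-#endif
-
-#ifdefUSE_REPL_SNPRINTF
-
-/* Code outside syswrap.c should not call these. */
-
 externintpg_vsnprintf(char*str,size_tcount,constchar*fmt,va_listargs);
 externint
 pg_snprintf(char*str,size_tcount,constchar*fmt,...)
 /* This extension allows gcc to check the format string */
 __attribute__((format(printf,3,4)));
-externintpg_vsprintf(char*str,constchar*fmt,va_listargs);
 externint
 pg_sprintf(char*str,constchar*fmt,...)
 /* This extension allows gcc to check the format string */
@@ -245,6 +193,26 @@ pg_printf(const char *fmt,...)
 /* This extension allows gcc to check the format string */
 __attribute__((format(printf,1,2)));
 
+/*
+*The GCC-specific code below prevents the __attribute__(... 'printf')
+*above from being replaced, and this is required because gcc doesn't
+*know anything about pg_printf.
+*/
+#ifdef__GNUC__
+#definevsnprintf(...)pg_vsnprintf(__VA_ARGS__)
+#definesnprintf(...)pg_snprintf(__VA_ARGS__)
+#definesprintf(...)pg_sprintf(__VA_ARGS__)
+#definevfprintf(...)pg_vfprintf(__VA_ARGS__)
+#definefprintf(...)pg_fprintf(__VA_ARGS__)
+#defineprintf(...)pg_printf(__VA_ARGS__)
+#else
+#definevsnprintfpg_vsnprintf
+#definesnprintfpg_snprintf
+#definesprintfpg_sprintf
+#definevfprintfpg_vfprintf
+#definefprintfpg_fprintf
+#defineprintfpg_printf
+#endif
 #endif/* USE_REPL_SNPRINTF */
 
 /*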
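Review bot: After this change `vsprintf` is the only member of the family that is neither `#undef`'d nor redirected inside the `USE_REPL_SNPRINTF` block: the `#ifdef vsprintf` / `#undef vsprintf` lines are dropped, neither macro list names it, and src/port/snprintf.c makes `pg_vsprintf` static, so a `vsprintf` call presumably reaches the platform implementation (or a libintl macro, if one is defined). That looks intentional for the revert, but the header does not say so; a line in the comment above the macros such as `* vsprintf is deliberately not redirected; pg_vsprintf is private to snprintf.c.` would record it. With the throw-on-fail wrappers gone, the same comment could also state that the pg_* replacements report failure only through their return value, which callers must check before the output buffer is used or sent anywhere, since the commit message names that as the CVE-2015-3166 exposure left for per-call hardening.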

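--- a/src/interfaces/ecpg/compatlib/Makefile
+++ b/src/interfaces/ecpg/compatlib/Makefile
@@ -36,7 +36,6 @@ all: all-lib
 # Shared library stuff
 include$(top_srcdir)/src/Makefile.shlib
 
-# XXX This library uses no symbols from snprintf.c.
 snprintf.c:% :$(top_srcdir)/src/port/%
 rm -f$@&&$(LN_S)$<.
 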

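--- a/src/interfaces/ecpg/ecpglib/.gitignore
+++ b/src/interfaces/ecpg/ecpglib/.gitignore
@@ -6,5 +6,4 @@
 /path.c
 /pgstrcasecmp.c
 /strlcpy.c
-/syswrap.c
 /thread.c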

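--- a/src/interfaces/ecpg/ecpglib/Makefile
+++ b/src/interfaces/ecpg/ecpglib/Makefile
@@ -25,7 +25,7 @@ override CFLAGS += $(PTHREAD_CFLAGS)
 LIBS :=$(filter-out -lpgport,$(LIBS))
 
 OBJS= execute.o typename.o descriptor.o sqlda.o data.o error.o prepare.o memory.o\
-connect.o misc.o path.o pgstrcasecmp.osyswrap.o\
+connect.o misc.o path.o pgstrcasecmp.o\
 $(filter snprintf.o strlcpy.o isinf.o,$(LIBOBJS))
 
 # thread.c is needed only for non-WIN32 implementation of path.c
@@ -58,7 +58,7 @@ include $(top_srcdir)/src/Makefile.shlib
 # necessarily use the same object files as the backend uses. Instead,
 # symlink the source files in here and build our own object file.
 
-path.cpgstrcasecmp.csnprintf.cstrlcpy.csyswrap.cthread.cisinf.c:% :$(top_srcdir)/src/port/%
+path.cpgstrcasecmp.csnprintf.cstrlcpy.cthread.cisinf.c:% :$(top_srcdir)/src/port/%
 rm -f$@&&$(LN_S)$<.
 
 misc.o: misc.c$(top_builddir)/src/port/pg_config_paths.h
@@ -75,6 +75,6 @@ uninstall: uninstall-lib
 
 cleandistclean: clean-lib
 rm -f$(OBJS)
-rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.csyswrap.cthread.c
+rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.c thread.c
 
 maintainer-clean: distclean maintainer-clean-lib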

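--- a/src/interfaces/ecpg/pgtypeslib/.gitignore
+++ b/src/interfaces/ecpg/pgtypeslib/.gitignore
@@ -4,4 +4,3 @@
 /exports.list
 
 /pgstrcasecmp.c
-/syswrap.c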

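--- a/src/interfaces/ecpg/pgtypeslib/Makefile
+++ b/src/interfaces/ecpg/pgtypeslib/Makefile
@@ -29,7 +29,7 @@ SHLIB_LINK += -lm
 SHLIB_EXPORTS = exports.txt
 
 OBJS= numeric.o datetime.o common.o dt_common.o timestamp.o interval.o\
-pgstrcasecmp.osyswrap.o\
+pgstrcasecmp.o\
 $(filter rint.o snprintf.o,$(LIBOBJS))
 
 all: all-lib
@@ -42,7 +42,7 @@ include $(top_srcdir)/src/Makefile.shlib
 # necessarily use the same object files as the backend uses. Instead,
 # symlink the source files in here and build our own object file.
 
-pgstrcasecmp.crint.csnprintf.csyswrap.c:% :$(top_srcdir)/src/port/%
+pgstrcasecmp.crint.csnprintf.c:% :$(top_srcdir)/src/port/%
 rm -f$@&&$(LN_S)$<.
 
 install: all installdirs install-lib
@@ -52,6 +52,6 @@ installdirs: installdirs-lib
 uninstall: uninstall-lib
 
 cleandistclean: clean-lib
-rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c syswrap.c
+rm -f$(OBJS) pgstrcasecmp.c rint.c snprintf.c
 
 maintainer-clean: distclean maintainer-clean-lib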

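--- a/src/interfaces/libpq/.gitignore
+++ b/src/interfaces/libpq/.gitignore
@@ -8,7 +8,6 @@
 /snprintf.c
 /strerror.c
 /strlcpy.c
-/syswrap.c
 /thread.c
 /win32error.c
 /pgsleep.c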

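--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -33,7 +33,7 @@ LIBS := $(LIBS:-lpgport=)
 OBJS=fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o\
 fe-protocol2.o fe-protocol3.o pqexpbuffer.o pqsignal.o fe-secure.o\
 libpq-events.o\
-md5.o ip.o wchar.o encnames.o noblock.o pgstrcasecmp.osyswrap.othread.o\
+md5.o ip.o wchar.o encnames.o noblock.o pgstrcasecmp.o thread.o\
 $(filter crypt.o getaddrinfo.o inet_aton.o open.o snprintf.o strerror.o strlcpy.o win32error.o,$(LIBOBJS))
 
 ifeq ($(PORTNAME), cygwin)
@@ -80,7 +80,7 @@ backend_src = $(top_srcdir)/src/backend
 # For port modules, this only happens if configure decides the module
 # is needed (see filter hack in OBJS, above).
 
-crypt.cgetaddrinfo.cinet_aton.cnoblock.copen.cpgstrcasecmp.csnprintf.cstrerror.cstrlcpy.csyswrap.cthread.cwin32error.cpgsleep.c:% :$(top_srcdir)/src/port/%
+crypt.cgetaddrinfo.cinet_aton.cnoblock.copen.cpgstrcasecmp.csnprintf.cstrerror.cstrlcpy.cthread.cwin32error.cpgsleep.c:% :$(top_srcdir)/src/port/%
 rm -f$@&&$(LN_S)$<.
 
 md5.cip.c:% :$(backend_src)/libpq/%
@@ -133,7 +133,7 @@ ifneq (,$(findstring $(PORTNAME), win32 cygwin))
 endif
 
 cleandistclean: clean-lib
-rm -f$(OBJS) pg_config_paths.h crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.csyswrap.cthread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc
+rm -f$(OBJS) pg_config_paths.h crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc
 # Might be left over from a Win32 client-only build
 rm -f pg_config_paths.h
 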

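--- a/src/interfaces/libpq/bcc32.mak
+++ b/src/interfaces/libpq/bcc32.mak
@@ -104,7 +104,6 @@ CLEAN :
 -@erase"$(INTDIR)\dirmod.obj"
 -@erase"$(INTDIR)\pgsleep.obj"
 -@erase"$(INTDIR)\open.obj"
--@erase"$(INTDIR)\syswrap.obj"
 -@erase"$(INTDIR)\win32error.obj"
 -@erase"$(OUTDIR)\$(OUTFILENAME).lib"
 -@erase"$(OUTDIR)\$(OUTFILENAME)dll.lib"
@@ -146,7 +145,6 @@ LIB32_OBJS= \
 "$(INTDIR)\dirmod.obj"\
 "$(INTDIR)\pgsleep.obj"\
 "$(INTDIR)\open.obj"\
-"$(INTDIR)\syswrap.obj"\
 "$(INTDIR)\win32error.obj"\
 "$(INTDIR)\pthread-win32.obj"
 
@@ -275,11 +273,6 @@ LINK32_FLAGS = -Gn -L$(BCB)\lib;$(INTDIR); -x -Tpd -v
 $(CPP_PROJ) /I"." ..\..\port\open.c
 <<
 
-"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
-$(CPP) @<<
-$(CPP_PROJ) ..\..\port\syswrap.c
-<<
-
 "$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
 $(CPP) @<<
 $(CPP_PROJ) /I"." ..\..\port\win32error.c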

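--- a/src/interfaces/libpq/win32.mak
+++ b/src/interfaces/libpq/win32.mak
@@ -111,7 +111,6 @@ CLEAN :
 -@erase"$(INTDIR)\dirmod.obj"
 -@erase"$(INTDIR)\pgsleep.obj"
 -@erase"$(INTDIR)\open.obj"
--@erase"$(INTDIR)\syswrap.obj"
 -@erase"$(INTDIR)\win32error.obj"
 -@erase"$(OUTDIR)\$(OUTFILENAME).lib"
 -@erase"$(OUTDIR)\$(OUTFILENAME)dll.lib"
@@ -155,7 +154,6 @@ LIB32_OBJS= \
 "$(INTDIR)\dirmod.obj"\
 "$(INTDIR)\pgsleep.obj"\
 "$(INTDIR)\open.obj"\
-"$(INTDIR)\syswrap.obj"\
 "$(INTDIR)\win32error.obj"\
 "$(INTDIR)\pthread-win32.obj"
 
@@ -313,11 +311,6 @@ LINK32_OBJS= \
 $(CPP_PROJ) /I"." ..\..\port\open.c
 <<
 
-"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
-$(CPP) @<<
-$(CPP_PROJ) ..\..\port\syswrap.c
-<<
-
 "$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
 $(CPP) @<<
 $(CPP_PROJ) /I"." ..\..\port\win32error.c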

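--- a/src/port/Makefile
+++ b/src/port/Makefile
@@ -31,7 +31,7 @@ override CPPFLAGS := -I$(top_builddir)/src/port -DFRONTEND $(CPPFLAGS)
 LIBS +=$(PTHREAD_LIBS)
 
 OBJS =$(LIBOBJS) chklocale.o dirmod.o exec.o noblock.o path.o\
-pgsleep.o pgstrcasecmp.o qsort.o qsort_arg.o sprompt.osyswrap.othread.o
+pgsleep.o pgstrcasecmp.o qsort.o qsort_arg.o sprompt.o thread.o
 ifneq (,$(filter$(PORTNAME),cygwin win32))
 OBJS += pipe.o
 endif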

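--- a/src/port/snprintf.c
+++ b/src/port/snprintf.c
@@ -99,7 +99,6 @@
 /* Prevent recursion */
 #undefvsnprintf
 #undefsnprintf
-#undefvsprintf
 #undefsprintf
 #undefvfprintf
 #undeffprintf
@@ -176,7 +175,7 @@ pg_snprintf(char *str, size_t count, const char *fmt,...)
 returnlen;
 }
 
-int
+staticint
 pg_vsprintf(char*str,constchar*fmt,va_listargs)
 {
 PrintfTargettarget;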
