From: Pascal Cuoq
To: musl@lists.openwall.com
Date: Fri, 24 Apr 2020 09:40:15 +0000
Subject: Re: [musl] Invalid pointer subtractions in __shlim and __shgetc
Message-ID: <1587721262422.2983@trust-in-soft.com>
In-Reply-To: <20200423161435.GT11469@brightrain.aerifal.cx>
References: <1587138997905.95619@trust-in-soft.com> <20200417161351.GH11469@brightrain.aerifal.cx> <20200417164807.GI11469@brightrain.aerifal.cx> <20200417175651.GK11469@brightrain.aerifal.cx> <1587641710830.20636@trust-in-soft.com> <20200423161435.GT11469@brightrain.aerifal.cx>

Hello,

Rich Felker wrote:
> The attached should fix it, I think.

The patch sets f.rpos and f.rend to buf+4, but it also leaves
f.buf containing 0 from “FILE f = {0};”:
--- a/src/stdlib/wcstol.c
+++ b/src/stdlib/wcstol.c
@@ -35,8 +35,7 @@ static unsigned long long wcstox(const wchar_t *s, wchar_t **p, int base, unsign
 	unsigned char buf[64];
 	FILE f = {0};
 	f.flags = 0;
-	f.rpos = f.rend = 0;
-	f.buf = buf + 4;
+	f.rpos = f.rend = buf + 4;
 	f.buf_size = sizeof buf - 4;
 	f.lock = -1;
 	f.read = do_read;

Unfortunately, the function __shlim also subtracts f.rpos from f.buf, at this line:

	f->shcnt = f->buf - f->rpos;

(https://git.musl-libc.org/cgit/musl/tree/src/internal/shgetc.c?id=33338ebc853d37c80f0f236cc7a92cb0acc6aace#n11)

So that is now where the invalid subtraction happens.

For what it's worth, we have tested the patch consisting of
initializing all three of f.rpos, f.rend and f.buf to buf+4, and that
does not cause UB in this test. But we can't tell if it provides the
correct functional behavior for this test and for other inputs.

Pascal
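Review bot: the hunk drops `-	f.buf = buf + 4;` while adding only `+	f.rpos = f.rend = buf + 4;`, so f.buf keeps the 0 it gets from `FILE f = {0};` and the `f->buf - f->rpos` in __shlim becomes a subtraction between a null pointer and a pointer into buf, which is exactly the class of invalid subtraction this thread is about. Keep an assignment to f.buf as well (f.rpos, f.rend and f.buf all at buf + 4) so that every pointer pair the shgetc accounting subtracts lies within the same array; a comment on the line noting that buf is the base of the 64-byte array minus the 4 bytes of pushback slack would also help the next reader.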
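As an added illustration (not musl's code and not part of this thread), here is a small C model of the wcstox temporary FILE that reproduces the two initialisations discussed above and the __shlim accounting on top of them; struct minifile and the functions setup_like_wcstox, shlim_accounting, consume_and_count and run_scenario are names constructed for the example. It refuses the `buf - rpos` subtraction when f.buf is still 0, and with all three pointers at buf+4 it yields the consumed-character count the shgetc accounting relies on.

```c
#include <string.h>
/* Stand-in for the FILE fields __shlim/__shgetc touch (constructed; not musl's). */
struct minifile {
    unsigned char *buf, *rpos, *rend;
    size_t buf_size;
    long shcnt;
};
/* Initialise the temporary FILE as wcstox does after the quoted patch: rpos and
   rend at backing+4, buf left at 0 (patch as posted) or also backing+4. */
static void setup_like_wcstox(struct minifile *f, unsigned char *backing,
                              size_t n, int set_buf)
{
    memset(f, 0, sizeof *f);
    f->rpos = f->rend = backing + 4;
    f->buf = set_buf ? backing + 4 : 0;
    f->buf_size = n - 4;
}
/* __shlim's accounting step. buf - rpos is only defined when both point into
   the same array, so return -1 instead of evaluating it when buf is null. */
static int shlim_accounting(struct minifile *f)
{
    if (!f->buf || f->rpos < f->buf || f->rpos > f->buf + f->buf_size)
        return -1;
    f->shcnt = f->buf - f->rpos;
    return 0;
}
/* Model the first refill by the read callback (nothing consumed yet), then
   consume k chars; return musl's shcnt(f) = shcnt + (rpos - buf). */
static long consume_and_count(struct minifile *f, const char *data, size_t k)
{
    size_t len = strlen(data);
    memcpy(f->buf, data, len);          /* constructed input fills the buffer */
    f->rpos = f->buf;
    f->rend = f->buf + len;
    f->rpos += k;
    return f->shcnt + (f->rpos - f->buf);
}

/* Whole scenario on a 64-byte array like wcstox's: -1 when __shlim's
   subtraction would be invalid, else the count after consuming 3 of "1234". */
long run_scenario(int set_buf)
{
    unsigned char backing[64]; struct minifile f;
    setup_like_wcstox(&f, backing, sizeof backing, set_buf);
    if (shlim_accounting(&f) < 0)
        return -1;
    return consume_and_count(&f, "1234", 3);
}
```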