From owner-dev-commits-src-all@freebsd.org Fri Jan 15 14:26:58 2021 Return-Path: Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6EA664E731A; Fri, 15 Jan 2021 14:26:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DHNmL1Y4jz5128; Fri, 15 Jan 2021 14:26:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 08DB21D9DF; Fri, 15 Jan 2021 14:26:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 10FEQvbL013728; Fri, 15 Jan 2021 14:26:57 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 10FEQvqE013727; Fri, 15 Jan 2021 14:26:57 GMT (envelope-from git) Date: Fri, 15 Jan 2021 14:26:57 GMT Message-Id: <202101151426.10FEQvqE013727@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 56880a501396 - stable/12 - libc: fix undefined behavior from signed overflow in strstr and memmem MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 56880a50139647318a123d67fe459ca840351729 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Jan 2021 14:26:59 -0000 The branch stable/12 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=56880a50139647318a123d67fe459ca840351729 commit 56880a50139647318a123d67fe459ca840351729 Author: Ed Maste AuthorDate: 2020-11-19 00:03:15 +0000 Commit: Ed Maste CommitDate: 2021-01-15 14:25:35 +0000 libc: fix undefined behavior from signed overflow in strstr and memmem unsigned char promotes to int, which can overflow when shifted left by 24 bits or more. this has been reported multiple times but then forgotten. it's expected to be benign UB, but can trap when built with explicit overflow catching (ubsan or similar). fix it now. note that promotion to uint32_t is safe and portable even outside of the assumptions usually made in musl, since either uint32_t has rank at least unsigned int, so that no further default promotions happen, or int is wide enough that the shift can't overflow. this is a desirable property to have in case someone wants to reuse the code elsewhere. musl commit: 593caa456309714402ca4cb77c3770f4c24da9da Obtained from: musl (cherry picked from commit 33482dae89c26158a22ccb3b7f2ca6e6652f29b4) --- lib/libc/string/memmem.c | 8 ++++---- lib/libc/string/strstr.c | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/libc/string/memmem.c b/lib/libc/string/memmem.c index 9e7bf94b1464..be52763e2652 100644 --- a/lib/libc/string/memmem.c +++ b/lib/libc/string/memmem.c @@ -41,8 +41,8 @@ twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) static char * threebyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) { - uint32_t nw = n[0] << 24 | n[1] << 16 | n[2] << 8; - uint32_t hw = h[0] << 24 | h[1] << 16 | h[2] << 8; + uint32_t nw = (uint32_t)n[0] << 24 | n[1] << 16 | n[2] << 8; + uint32_t hw = (uint32_t)h[0] << 24 | h[1] << 16 | h[2] << 8; for (h += 3, k -= 3; k; k--, hw = (hw | *h++) << 8) if (hw == nw) return (char *)h - 3; @@ -52,8 +52,8 @@ threebyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) static char * fourbyte_memmem(const unsigned char *h, size_t k, const unsigned char *n) { - uint32_t nw = n[0] << 24 | n[1] << 16 | n[2] << 8 | n[3]; - uint32_t hw = h[0] << 24 | h[1] << 16 | h[2] << 8 | h[3]; + uint32_t nw = (uint32_t)n[0] << 24 | n[1] << 16 | n[2] << 8 | n[3]; + uint32_t hw = (uint32_t)h[0] << 24 | h[1] << 16 | h[2] << 8 | h[3]; for (h += 4, k -= 4; k; k--, hw = hw << 8 | *h++) if (hw == nw) return (char *)h - 4; diff --git a/lib/libc/string/strstr.c b/lib/libc/string/strstr.c index d726aff1f1c3..72f8abb9e200 100644 --- a/lib/libc/string/strstr.c +++ b/lib/libc/string/strstr.c @@ -40,8 +40,8 @@ twobyte_strstr(const unsigned char *h, const unsigned char *n) static char * threebyte_strstr(const unsigned char *h, const unsigned char *n) { - uint32_t nw = n[0] << 24 | n[1] << 16 | n[2] << 8; - uint32_t hw = h[0] << 24 | h[1] << 16 | h[2] << 8; + uint32_t nw = (uint32_t)n[0] << 24 | n[1] << 16 | n[2] << 8; + uint32_t hw = (uint32_t)h[0] << 24 | h[1] << 16 | h[2] << 8; for (h += 2; *h && hw != nw; hw = (hw | *++h) << 8) ; return *h ? (char *)h - 2 : 0; @@ -50,8 +50,8 @@ threebyte_strstr(const unsigned char *h, const unsigned char *n) static char * fourbyte_strstr(const unsigned char *h, const unsigned char *n) { - uint32_t nw = n[0] << 24 | n[1] << 16 | n[2] << 8 | n[3]; - uint32_t hw = h[0] << 24 | h[1] << 16 | h[2] << 8 | h[3]; + uint32_t nw = (uint32_t)n[0] << 24 | n[1] << 16 | n[2] << 8 | n[3]; + uint32_t hw = (uint32_t)h[0] << 24 | h[1] << 16 | h[2] << 8 | h[3]; for (h += 3; *h && hw != nw; hw = hw << 8 | *++h) ; return *h ? (char *)h - 3 : 0;