Re: PR/58208 CVS commit: src

To: lib-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,campbell+netbsd%mumble.net@localhost
Subject: Re: PR/58208 CVS commit: src
From: "Taylor R Campbell via gnats" <gnats-admin%NetBSD.org@localhost>
Date: Sat, 29 Mar 2025 02:55:01 +0000 (UTC)
The following reply was made to PR lib/58208; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: PR/58208 CVS commit: src
Date: Sat, 29 Mar 2025 02:53:12 +0000

 This is a multi-part message in MIME format.
 --=_ml7q+P8YFLTA7qSAPcDHHBHCSIXmg0yj
 
 The attached patch fixes the remaining xfail tests by allocating a
 guard page before each of the
 
 C ctype
 C compat ctype
 C tolower
 C toupper
 
 tables in libc initializers.
 
 With this patch, any attempt to pass a negative char value into the
 ctype(3) functions in any locale will be detected noisily and trigger
 SIGSEGV or SIGABRT, rather than yield bogus and nondeterministic
 answers.
 
 This is tempting.  But I'm not sure this is worth the cost, because
 the cost is incurred at _every_ program startup with libc.  So it
 needs some measurement, at least.
 
 --=_ml7q+P8YFLTA7qSAPcDHHBHCSIXmg0yj
 Content-Type: text/plain; charset="ISO-8859-1"; name="pr58208-staticctypeguardpage-v4"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: attachment; filename="pr58208-staticctypeguardpage-v4.patch"
 
 # HG changeset patch
 # User Taylor R Campbell <riastradh%NetBSD.org@localhost>
 # Date 1743186173 0
 #      Fri Mar 28 18:22:53 2025 +0000
 # Branch trunk
 # Node ID 44cc0fea499139f79fe235456e01559239ede6b8
 # Parent  2f58eca9ae23856391bac5cbd7a9dc4d8581c1c9
 # EXP-Topic riastradh-pr58208-runtimectypeabusedetection
 libc: Put guard pages before the C ctype/tolower/toupper tables.
 
 This may incur some overhead from additional mmap/mprotect calls on
 every program startup in libc.
 
 This also only affects machines where char is signed for now.  (But
 maybe it would be worth doing unconditionally; users could still try
 to pass in explicit `signed char' inputs.)
 
 PR lib/58208: ctype(3) provides poor runtime feedback of abuse
 
 diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/citrus/citrus_lc_ctype.c
 --- a/lib/libc/citrus/citrus_lc_ctype.c	Sat Mar 29 01:40:59 2025 +0000
 +++ b/lib/libc/citrus/citrus_lc_ctype.c	Fri Mar 28 18:22:53 2025 +0000
 @@ -102,12 +102,32 @@ static __inline void
  	_DIAGASSERT(data !=3D NULL);
 =20
  	__mb_cur_max =3D _citrus_ctype_get_mb_cur_max(data->rl_citrus_ctype);
 -	_ctype_tab_ =3D data->rl_ctype_tab;
 -	_tolower_tab_ =3D data->rl_tolower_tab;
 -	_toupper_tab_ =3D data->rl_toupper_tab;
 +#ifndef __CHAR_UNSIGNED__
 +	if (__predict_false(data->rl_ctype_tab =3D=3D _C_ctype_tab_))
 +		_ctype_tab_ =3D _C_ctype_tab_guarded;
 +	else
 +#endif
 +		_ctype_tab_ =3D data->rl_ctype_tab;
 +#ifndef __CHAR_UNSIGNED__
 +	if (__predict_false(data->rl_tolower_tab =3D=3D _C_tolower_tab_))
 +		_tolower_tab_ =3D _C_tolower_tab_guarded;
 +	else
 +#endif
 +		_tolower_tab_ =3D data->rl_tolower_tab;
 +#ifndef __CHAR_UNSIGNED__
 +	if (__predict_false(data->rl_toupper_tab =3D=3D _C_toupper_tab_))
 +		_toupper_tab_ =3D _C_toupper_tab_guarded;
 +	else
 +#endif
 +		_toupper_tab_ =3D data->rl_toupper_tab;
 =20
  #ifdef __BUILD_LEGACY
 -	_ctype_ =3D data->rl_compat_bsdctype;
 +#ifndef __CHAR_UNSIGNED__
 +	if (__predict_false(data->rl_compat_bsdctype =3D=3D _C_compat_bsdctype))
 +		_ctype_ =3D _C_compat_bsdctype_guarded;
 +	else
 +#endif
 +		_ctype_ =3D data->rl_compat_bsdctype;
  #endif
  }
 =20
 diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/gen/ctype_.c
 --- a/lib/libc/gen/ctype_.c	Sat Mar 29 01:40:59 2025 +0000
 +++ b/lib/libc/gen/ctype_.c	Fri Mar 28 18:22:53 2025 +0000
 @@ -44,8 +44,14 @@
  #endif /* LIBC_SCCS and not lint */
 =20
  #include <sys/ctype_bits.h>
 +#include <sys/mman.h>
 +
  #include <stdio.h>
 +#include <string.h>
 +#include <unistd.h>
 +
  #include "ctype_local.h"
 +#include "runetype_local.h"
 =20
  #if EOF !=3D -1
  #error "EOF !=3D -1"
 @@ -158,3 +164,52 @@ const unsigned short _C_ctype_tab_[1 + _
  #undef _X
 =20
  const unsigned short *_ctype_tab_ =3D &_C_ctype_tab_[0];
 +
 +#ifndef __CHAR_UNSIGNED__
 +
 +#define	roundup(X, N)	((((X) + ((N) - 1))/(N))*(N))
 +
 +__dso_hidden
 +const void *
 +guard_ctype(const void *tab, size_t size)
 +{
 +	const unsigned page_size =3D sysconf(_SC_PAGESIZE);
 +	size_t nbytes =3D 0;
 +	void *p =3D MAP_FAILED, *q =3D NULL;
 +
 +	nbytes =3D page_size + roundup(size, page_size);
 +	p =3D mmap(NULL, nbytes, PROT_READ|PROT_WRITE, MAP_ANON,
 +	    /*fd*/-1, /*offset*/0);
 +	if (p =3D=3D MAP_FAILED)
 +		goto fail;
 +	if (mprotect(p, page_size, PROT_NONE) =3D=3D -1)
 +		goto fail;
 +	q =3D (char *)p + page_size;
 +	memcpy(q, tab, size);
 +	memset((char *)q + size, 0xff, nbytes - size - page_size);
 +	return q;
 +
 +fail:	if (p !=3D MAP_FAILED)
 +		(void)munmap(p, nbytes);
 +	return tab;
 +}
 +
 +#ifdef __BUILD_LEGACY
 +__dso_hidden const unsigned char *_C_compat_bsdctype_guarded =3D
 +    &_C_compat_bsdctype[0];
 +#endif
 +__dso_hidden const unsigned short *_C_ctype_tab_guarded =3D &_C_ctype_tab_=
 [0];
 +
 +static void __attribute__((constructor))
 +ctype_guard_init(void)
 +{
 +
 +#ifdef __BUILD_LEGACY
 +	_ctype_ =3D _C_compat_bsdctype_guarded =3D
 +	    guard_ctype(_C_compat_bsdctype, sizeof(_C_compat_bsdctype));
 +#endif
 +	_ctype_tab_ =3D _C_ctype_tab_guarded =3D
 +	    guard_ctype(_C_ctype_tab_, sizeof(_C_ctype_tab_));
 +}
 +
 +#endif	/* __CHAR_UNSIGNED__ */
 diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/gen/tolower_.c
 --- a/lib/libc/gen/tolower_.c	Sat Mar 29 01:40:59 2025 +0000
 +++ b/lib/libc/gen/tolower_.c	Fri Mar 28 18:22:53 2025 +0000
 @@ -61,3 +61,17 @@ const short _C_tolower_tab_[1 + _CTYPE_N
  #endif
 =20
  const short *_tolower_tab_ =3D &_C_tolower_tab_[0];
 +
 +#ifndef __CHAR_UNSIGNED__
 +
 +__dso_hidden const short *_C_tolower_tab_guarded =3D &_C_tolower_tab_[0];
 +
 +static void __attribute__((constructor))
 +tolower_guard_init(void)
 +{
 +
 +	_tolower_tab_ =3D _C_tolower_tab_guarded =3D
 +	    guard_ctype(_C_tolower_tab_, sizeof(_C_tolower_tab_));
 +}
 +
 +#endif	/* __CHAR_UNSIGNED__ */
 diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/gen/toupper_.c
 --- a/lib/libc/gen/toupper_.c	Sat Mar 29 01:40:59 2025 +0000
 +++ b/lib/libc/gen/toupper_.c	Fri Mar 28 18:22:53 2025 +0000
 @@ -61,3 +61,17 @@ const short _C_toupper_tab_[1 + _CTYPE_N
  #endif
 =20
  const short *_toupper_tab_ =3D &_C_toupper_tab_[0];
 +
 +#ifndef __CHAR_UNSIGNED__
 +
 +__dso_hidden const short *_C_toupper_tab_guarded =3D &_C_toupper_tab_[0];
 +
 +static void __attribute__((constructor))
 +toupper_guard_init(void)
 +{
 +
 +	_toupper_tab_ =3D _C_toupper_tab_guarded =3D
 +	    guard_ctype(_C_toupper_tab_, sizeof(_C_toupper_tab_));
 +}
 +
 +#endif	/* __CHAR_UNSIGNED__ */
 diff -r 2f58eca9ae23 -r 44cc0fea4991 lib/libc/locale/ctype_local.h
 --- a/lib/libc/locale/ctype_local.h	Sat Mar 29 01:40:59 2025 +0000
 +++ b/lib/libc/locale/ctype_local.h	Fri Mar 28 18:22:53 2025 +0000
 @@ -49,6 +49,16 @@ extern const short _C_tolower_tab_[];
  #ifdef __BUILD_LEGACY
  extern const unsigned char	*_ctype_;
  extern const unsigned char	_C_compat_bsdctype[];
 +#ifndef __CHAR_UNSIGNED__
 +__dso_hidden extern const unsigned char *_C_compat_bsdctype_guarded;
 +#endif
 +#endif
 +
 +#ifndef __CHAR_UNSIGNED__
 +__dso_hidden const void *guard_ctype(const void *, size_t);
 +__dso_hidden extern const unsigned short *_C_ctype_tab_guarded;
 +__dso_hidden extern const short *_C_tolower_tab_guarded;
 +__dso_hidden extern const short *_C_toupper_tab_guarded;
  #endif
 =20
  #endif /*_CTYPE_LOCAL_H_*/
 diff -r 2f58eca9ae23 -r 44cc0fea4991 tests/lib/libc/gen/t_ctype.c
 --- a/tests/lib/libc/gen/t_ctype.c	Sat Mar 29 01:40:59 2025 +0000
 +++ b/tests/lib/libc/gen/t_ctype.c	Fri Mar 28 18:22:53 2025 +0000
 @@ -112,13 +112,7 @@ test_abuse_in_locales(const char *name,=20
  		ATF_REQUIRE_MSG(setlocale(LC_CTYPE, locales[i]) !=3D NULL,
  		    "locales[i]=3D%s", locales[i]);
  		snprintf(buf, sizeof(buf), "[%s]%s", locales[i], name);
 -		if (macro && strcmp(locales[i], "C") =3D=3D 0) {
 -			atf_tc_expect_fail("PR lib/58208: ctype(3)"
 -			    " provides poor runtime feedback of abuse");
 -		}
  		test_abuse(buf, ctypefn);
 -		if (strcmp(locales[i], "C") =3D=3D 0)
 -			atf_tc_expect_pass();
  	}
  }
 =20
 @@ -789,8 +783,6 @@ ATF_TC_BODY(abuse_##FN##_macro_c, tc)		=09
  		atf_tc_skip("runtime ctype(3) abuse is impossible with"	      \
  		    " unsigned char");					      \
  	}								      \
 -	atf_tc_expect_fail("PR lib/58208:"				      \
 -	    " ctype(3) provides poor runtime feedback of abuse");	      \
  	test_abuse(#FN, &FN##_wrapper);					      \
  }									      \
  ATF_TC(abuse_##FN##_function_c);					      \
 
 --=_ml7q+P8YFLTA7qSAPcDHHBHCSIXmg0yj--
Prev by Date: Re: PR/58208 CVS commit: src
Next by Date: bin/59232: /etc/rd.d/wscons doesn't handle console or constty device
Previous by Thread: Re: PR/58208 CVS commit: src
Next by Thread: PR/58208 CVS commit: src
Indexes:
Home | Main Index | Thread Index | Old Index