* [gentoo-commits] proj/sandbox:master commit in: libsandbox/wrapper-funcs/, libsandbox/, tests/
@ 2012-12-25  0:51 Mike Frysinger
From: Mike Frysinger @ 2012-12-25  0:51 UTC (permalink / raw
  To: gentoo-commits

commit:     dd726dcc6a95355d0e0cc949018d9c8aefc89a02
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 25 00:41:49 2012 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue Dec 25 00:50:59 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commit;h=dd726dcc

libsandbox: reject "" paths with *at funcs before checking the dirfd

When it comes to processing errors, an empty path is checked before
an invalid dirfd.  Make sure sandbox matches that behavior for the
random testsuites out there that look for this.

URL: https://bugs.gentoo.org/346929
Reported-by: Marien Zwart <marienz <AT> gentoo.org>
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

---
 libsandbox/wrapper-funcs/__pre_check.c        |    2 ++
 libsandbox/wrapper-funcs/mkdirat_pre_check.c  |   17 +++++------------
 libsandbox/wrapper-funcs/openat_pre_check.c   |   15 ++++-----------
 libsandbox/wrapper-funcs/unlinkat_pre_check.c |   17 +++++------------
 libsandbox/wrappers.h                         |    2 ++
 tests/mkdirat-3.sh                            |    7 +++++++
 tests/mkdirat.at                              |    1 +
 tests/openat-2.sh                             |    9 +++++++++
 tests/openat.at                               |    1 +
 tests/unlinkat-4.sh                           |    7 +++++++
 tests/unlinkat.at                             |    1 +
 11 files changed, 44 insertions(+), 35 deletions(-)

diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c
index 2d5711f..28ad91f 100644
--- a/libsandbox/wrapper-funcs/__pre_check.c
+++ b/libsandbox/wrapper-funcs/__pre_check.c
@@ -20,3 +20,5 @@
 #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
 # include "unlinkat_pre_check.c"
 #endif
+
+#include "__pre_at_check.c"
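Review bot: The new `#include "__pre_at_check.c"` pulls in a file that this commit does not add — the diffstat lists 11 files and none of them is libsandbox/wrapper-funcs/__pre_at_check.c, so the definition of sb_common_at_pre_check that the three *at pre-checks and wrappers.h now depend on is missing from the patch as posted. Unless that file was committed separately, the tree will not build, and the empty-path rejection the commit message describes cannot actually be reviewed here. Either add the file to this commit or land the three call-site changes together with the helper.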

diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
index 77a65df..0b48d1f 100644
--- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c
+++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
@@ -1,27 +1,20 @@
 /*
  * mkdir*() pre-check.
  *
- * Copyright 1999-2009 Gentoo Foundation
+ * Copyright 1999-2012 Gentoo Foundation
  * Licensed under the GPL-2
  */
 
 bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
 {
 	char canonic[SB_PATH_MAX];
-	char dirfd_path[SB_PATH_MAX];
 
 	save_errno();
 
-	/* Expand the dirfd path first */
-	switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
-		case -1:
-			sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-				func, pathname, strerror(errno));
-			return false;
-		case 0:
-			pathname = dirfd_path;
-			break;
-	}
+	/* Check incoming args against common *at issues */
+	char dirfd_path[SB_PATH_MAX];
+	if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
+		return false;
 
 	/* Then break down any relative/symlink paths */
 	if (-1 == canonicalize(pathname, canonic))
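Review bot: The replacement comment `/* Check incoming args against common *at issues */` is vaguer than the switch it replaces, which made the two outcomes visible at the call site: an early false return (with errno already set by the callee, since nothing is restored after save_errno() on that path) and `pathname` being redirected into the local `dirfd_path` buffer. The new call hides both behind `&pathname` and the helper, whose body is not in this patch, so a one-line hint for the reader would help: `/* Reject "" / bad dirfd first; on success pathname may now point into dirfd_path */`. The same comment is introduced in the identical hunks in openat_pre_check.c and unlinkat_pre_check.c. sb_mkdirat_pre_check continues past the end of this hunk.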

diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
index 0127708..5fd5eaa 100644
--- a/libsandbox/wrapper-funcs/openat_pre_check.c
+++ b/libsandbox/wrapper-funcs/openat_pre_check.c
@@ -1,7 +1,7 @@
 /*
  * open*() pre-check.
  *
- * Copyright 1999-2009 Gentoo Foundation
+ * Copyright 1999-2012 Gentoo Foundation
  * Licensed under the GPL-2
  */
 
@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
 
 	save_errno();
 
-	/* Expand the dirfd path first */
+	/* Check incoming args against common *at issues */
 	char dirfd_path[SB_PATH_MAX];
-	switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
-		case -1:
-			sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-				func, pathname, strerror(errno));
-			return false;
-		case 0:
-			pathname = dirfd_path;
-			break;
-	}
+	if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
+		return false;
 
 	/* Doesn't exist -> skip permission checks */
 	struct stat st;

diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
index 9f5e7d7..c004d15 100644
--- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c
+++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
@@ -1,27 +1,20 @@
 /*
  * unlink*() pre-check.
  *
- * Copyright 1999-2009 Gentoo Foundation
+ * Copyright 1999-2012 Gentoo Foundation
  * Licensed under the GPL-2
  */
 
 bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd)
 {
 	char canonic[SB_PATH_MAX];
-	char dirfd_path[SB_PATH_MAX];
 
 	save_errno();
 
-	/* Expand the dirfd path first */
-	switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
-		case -1:
-			sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-				func, pathname, strerror(errno));
-			return false;
-		case 0:
-			pathname = dirfd_path;
-			break;
-	}
+	/* Check incoming args against common *at issues */
+	char dirfd_path[SB_PATH_MAX];
+	if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
+		return false;
 
 	/* Then break down any relative/symlink paths */
 	if (-1 == canonicalize(pathname, canonic))

diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
index 5b97787..0aa58bb 100644
--- a/libsandbox/wrappers.h
+++ b/libsandbox/wrappers.h
@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check  (const char *func, const char *pathn
 attribute_hidden bool sb_openat_pre_check   (const char *func, const char *pathname, int dirfd, int flags);
 attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
 attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
+attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
+                                             char *dirfd_path, size_t dirfd_path_len);
 
 #endif
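Review bot: The added `sb_common_at_pre_check` prototype is the only declaration in this header that takes a `const char **` out-parameter, and nothing states when `*pathname` is rewritten, that it then aliases the caller-supplied `dirfd_path` buffer (which is why the buffer and its size are passed), or that errno is expected to be set whenever it returns false; all three callers in this commit rely on that. A short comment above the declaration would pin the contract, e.g. `/* Shared *at pre-check: rejects "" and a bad dirfd (sets errno, returns false); may redirect *pathname into dirfd_path. */`. The wording should be confirmed against __pre_at_check.c, which is not part of this patch.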

diff --git a/tests/mkdirat-3.sh b/tests/mkdirat-3.sh
new file mode 100755
index 0000000..fe20579
--- /dev/null
+++ b/tests/mkdirat-3.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# verify mkdirat("") returns ENOENT in various ways #346929
+
+set -e
+mkdirat-0 -1,ENOENT .:O_DIRECTORY '' 0
+
+mkdirat-0 -1,ENOENT -3 '' 0

diff --git a/tests/mkdirat.at b/tests/mkdirat.at
index d364b4b..eec4638 100644
--- a/tests/mkdirat.at
+++ b/tests/mkdirat.at
@@ -1,2 +1,3 @@
 SB_CHECK(1)
 SB_CHECK(2)
+SB_CHECK(3)

diff --git a/tests/openat-2.sh b/tests/openat-2.sh
new file mode 100755
index 0000000..b615c2d
--- /dev/null
+++ b/tests/openat-2.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# verify openat("") returns ENOENT in various ways #346929
+
+set -e
+openat-0 -1,ENOENT .:O_DIRECTORY '' O_RDONLY 0
+openat-0 -1,ENOENT .:O_DIRECTORY '' 'O_CREAT|O_WRONLY' 0
+
+openat-0 -1,ENOENT -3 '' O_RDONLY 0
+openat-0 -1,ENOENT -3 '' 'O_CREAT|O_WRONLY' 0

diff --git a/tests/openat.at b/tests/openat.at
index 081d7d2..d364b4b 100644
--- a/tests/openat.at
+++ b/tests/openat.at
@@ -1 +1,2 @@
 SB_CHECK(1)
+SB_CHECK(2)

diff --git a/tests/unlinkat-4.sh b/tests/unlinkat-4.sh
new file mode 100755
index 0000000..4b23107
--- /dev/null
+++ b/tests/unlinkat-4.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# verify unlinkat("") returns ENOENT in various ways #346929
+
+set -e
+unlinkat-0 -1,ENOENT .:O_DIRECTORY '' 0
+
+unlinkat-0 -1,ENOENT -3 '' 0

diff --git a/tests/unlinkat.at b/tests/unlinkat.at
index eec4638..1909650 100644
--- a/tests/unlinkat.at
+++ b/tests/unlinkat.at
@@ -1,3 +1,4 @@
 SB_CHECK(1)
 SB_CHECK(2)
 SB_CHECK(3)
+SB_CHECK(4)



* [gentoo-commits] proj/sandbox:master commit in: libsandbox/wrapper-funcs/, libsandbox/, tests/
@ 2017-10-03 16:37 Michał Górny
From: Michał Górny @ 2017-10-03 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     ffc185bb4929de36ad3f8766b114cd11be8f0a62
Author:     Mart Raudsepp <leio <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 11 10:34:48 2016 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Tue Sep 26 20:14:36 2017 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=ffc185bb

libsandbox: do not abort with a long name to opendir

Add a pre-check for opendir that catches too-long name arguments
given to opendir. Without it, the name would get mangled and sandbox
would abort before it even reached the open*() syscall (which would
handle it correctly): opendir goes through before_syscall/check_syscall
even though it isn't a true syscall, and the name gets cut to
SB_PATH_MAX in between and confused somewhere.

Test case added by Michał Górny <mgorny <AT> gentoo.org>.

Bug: https://bugs.gentoo.org/553092
Signed-off-by: Mart Raudsepp <leio <AT> gentoo.org>

 libsandbox/wrapper-funcs/opendir.c           |  2 ++
 libsandbox/wrapper-funcs/opendir_pre_check.c | 26 ++++++++++++++++++++++++++
 libsandbox/wrappers.h                        |  1 +
 tests/opendir-1.sh                           |  7 +++++++
 tests/opendir.at                             |  1 +
 5 files changed, 37 insertions(+)

diff --git a/libsandbox/wrapper-funcs/opendir.c b/libsandbox/wrapper-funcs/opendir.c
index 7670775..70c2692 100644
--- a/libsandbox/wrapper-funcs/opendir.c
+++ b/libsandbox/wrapper-funcs/opendir.c
@@ -10,4 +10,6 @@
 #define WRAPPER_SAFE() SB_SAFE(name)
 #define WRAPPER_RET_TYPE DIR *
 #define WRAPPER_RET_DEFAULT NULL
+#define WRAPPER_PRE_CHECKS() sb_opendir_pre_check(STRING_NAME, name)
+
 #include "__wrapper_simple.c"

diff --git a/libsandbox/wrapper-funcs/opendir_pre_check.c b/libsandbox/wrapper-funcs/opendir_pre_check.c
new file mode 100644
index 0000000..60c869f
--- /dev/null
+++ b/libsandbox/wrapper-funcs/opendir_pre_check.c
@@ -0,0 +1,26 @@
+/*
+ * opendir() pre-check.
+ *
+ * Copyright 1999-2016 Gentoo Foundation
+ * Licensed under the GPL-2
+ */
+
+bool sb_opendir_pre_check(const char *func, const char *name)
+{
+	/* If length of name is larger than PATH_MAX, we would mess it up
+	 * before it reaches the open syscall, which would cleanly error out
+	 * via sandbox as well (actually with much smaller lengths than even
+	 * PATH_MAX).
+	 * So error out early in this case, in order to avoid an abort in
+	 * check_syscall later on, which gets ran for opendir, despite it not
+	 * being a syscall.
+	 */
+	if (strnlen(name, PATH_MAX) == PATH_MAX) {
+		errno = ENAMETOOLONG;
+		sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
+			func, name, strerror(errno));
+		return false;
+	}
+
+	return true;
+}
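Review bot: The guard compares against PATH_MAX, but the commit message says the name is truncated to SB_PATH_MAX on its way through before_syscall/check_syscall; if SB_PATH_MAX is smaller than PATH_MAX (its value is not in this patch), names between the two limits would still be cut and reach check_syscall mangled, so the check should probably use the same constant as the truncation: `if (strnlen(name, SB_PATH_MAX) == SB_PATH_MAX) {`. Separately, `strnlen` on a NULL `name` is undefined behaviour, whereas the underlying open() would report EFAULT; whether the wrapper machinery already rejects NULL before WRAPPER_PRE_CHECKS runs is not visible here and is worth confirming. The errno/strerror handling itself mirrors the other pre-checks in this directory.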

diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
index 0aa58bb..bf5bf64 100644
--- a/libsandbox/wrappers.h
+++ b/libsandbox/wrappers.h
@@ -27,6 +27,7 @@ attribute_hidden bool sb_fopen64_pre_check  (const char *func, const char *pathn
 attribute_hidden bool sb_mkdirat_pre_check  (const char *func, const char *pathname, int dirfd);
 attribute_hidden bool sb_openat_pre_check   (const char *func, const char *pathname, int dirfd, int flags);
 attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+attribute_hidden bool sb_opendir_pre_check  (const char *func, const char *name);
 attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
 attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
                                              char *dirfd_path, size_t dirfd_path_len);

diff --git a/tests/opendir-1.sh b/tests/opendir-1.sh
new file mode 100755
index 0000000..a66f234
--- /dev/null
+++ b/tests/opendir-1.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# check that very long paths to opendir() do not cause segv
+path=
+for (( i = 0; i < 1000; i++ )); do
+	path+=/verylong
+done
+exec opendir-0 0,ENAMETOOLONG "${path}"
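Review bot: The script declares `#!/bin/sh`, but `for (( i = 0; i < 1000; i++ )); do` and `path+=/verylong` are bash-only constructs; under a POSIX sh such as dash this is a syntax error, so the test would fail for a reason unrelated to opendir unless the SB_CHECK harness always runs scripts under bash. Either switch the shebang to `#!/bin/bash` or write the loop portably, e.g. `i=0; while [ $i -lt 1000 ]; do path="$path/verylong"; i=$((i+1)); done`. Unlike the sibling tests added in this series it also omits `set -e`, which is harmless here given the single `exec`.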

diff --git a/tests/opendir.at b/tests/opendir.at
new file mode 100644
index 0000000..081d7d2
--- /dev/null
+++ b/tests/opendir.at
@@ -0,0 +1 @@
+SB_CHECK(1)


