From e6f7184ad57345d14085d5aadc7d82efc58b8ac5 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sun, 28 Apr 2024 13:15:49 +0000 Subject: [PATCH] libc: Put guard pages before locale ctype/tolower/toupper tables. This way, triggering the undefined behaviour of negative inputs to the ctype functions leads to instant SIGSEGV, rather than silently giving bonkers (and likely nondeterministic) answers. (See ctype(3) man page for details.) This only affects non-default locales, i.e., locales other than C. The C locale's tables are statically linked into libc, and the symbols defining them are baked into the ABI, so putting a guard page before them will require some careful elven surgery. This also only affects machines where char is signed for now. (But maybe it would be worth doing unconditionally; users could still try to pass in explicit `signed char' inputs.) PR lib/58208 --- lib/libc/locale/rune.c | 75 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/lib/libc/locale/rune.c b/lib/libc/locale/rune.c index ea9381fd9a4f..634ceb2584a0 100644 --- a/lib/libc/locale/rune.c +++ b/lib/libc/locale/rune.c @@ -54,9 +54,15 @@ typedef struct { _RuneLocale rl; +#ifdef __CHAR_UNSIGNED__ unsigned short rlp_ctype_tab [_CTYPE_NUM_CHARS + 1]; short rlp_tolower_tab[_CTYPE_NUM_CHARS + 1]; short rlp_toupper_tab[_CTYPE_NUM_CHARS + 1]; +#else + unsigned short *rlp_ctype_tab; + short *rlp_tolower_tab; + short *rlp_toupper_tab; +#endif char rlp_codeset[33]; /* XXX */ #ifdef __BUILD_LEGACY @@ -64,6 +70,51 @@ typedef struct { #endif } _RuneLocalePriv; +#ifndef __CHAR_UNSIGNED__ + +#define roundup(X, N) ((((X) + ((N) - 1))/(N))*(N)) + +static void * +alloc_guarded(size_t elemsize, size_t nelem) +{ + const unsigned page_size = sysconf(_SC_PAGESIZE); + size_t nbytes = 0; + void *p = NULL, *q = NULL; + + if (elemsize > SIZE_MAX/nelem) + goto fail; + nbytes = page_size + roundup(elemsize*nelem, page_size); + p = mmap(NULL, nbytes, PROT_READ|PROT_WRITE, MAP_ANON, + /*fd*/-1, /*offset*/0); + if (p == MAP_FAILED) + goto fail; + if (mprotect(p, page_size, PROT_NONE) == -1) + goto fail; + q = (char *)p + page_size; + return q; + +fail: if (p != MAP_FAILED) + (void)munmap(p, nbytes); + return NULL; +} + +static void +free_guarded(void *q, size_t elemsize, size_t nelem) +{ + const unsigned page_size = sysconf(_SC_PAGESIZE); + size_t nbytes = 0; + void *p; + + if (q == NULL) + return; + _DIAGASSERT(elemsize <= SIZE_MAX/nelem); + nbytes = page_size + roundup(elemsize*nelem, page_size); + p = (char *)q - page_size; + (void)munmap(p, nbytes); +} + +#endif /* !__CHAR_UNSIGNED__ */ + static __inline void _rune_wctype_init(_RuneLocale *rl) { @@ -213,6 +264,30 @@ _rune_read_file(const char * __restrict var, size_t lenvar, rlp = (_RuneLocalePriv *)malloc(n); if (rlp == NULL) return ENOMEM; +#ifndef __CHAR_UNSIGNED__ + rlp->rlp_ctype_tab = NULL; + rlp->rlp_tolower_tab = NULL; + rlp->rlp_toupper_tab = NULL; + if ((rlp->rlp_ctype_tab = alloc_guarded(sizeof(rlp->rlp_ctype_tab[0]), + _CTYPE_NUM_CHARS + 1)) == NULL || + (rlp->rlp_tolower_tab = + alloc_guarded(sizeof(rlp->rlp_tolower_tab[0]), + _CTYPE_NUM_CHARS + 1)) == NULL || + (rlp->rlp_toupper_tab = + alloc_guarded(sizeof(rlp->rlp_toupper_tab[0]), + _CTYPE_NUM_CHARS + 1)) == NULL) { + free_guarded(rlp->rlp_ctype_tab, sizeof(rlp->rlp_ctype_tab[0]), + _CTYPE_NUM_CHARS + 1); + free_guarded(rlp->rlp_tolower_tab, + sizeof(rlp->rlp_tolower_tab[0]), + _CTYPE_NUM_CHARS + 1); + free_guarded(rlp->rlp_toupper_tab, + sizeof(rlp->rlp_toupper_tab[0]), + _CTYPE_NUM_CHARS + 1); + ret = ENOMEM; + goto err; + } +#endif /* !__CHAR_UNSIGNED__ */ _rune_init_priv(rlp); rl = &rlp->rl;