Date: Thu, 18 Jul 2024 18:52:07 +0200
From: Alejandro Colomar
To: bug-gnulib@gnu.org
Cc: Alejandro Colomar, Paul Eggert, Đoàn Trần Công Danh, Eli Schwartz, Sam James, Serge Hallyn, Iker Pedrosa, "Andrew J. Hesford", Michael Vetter, liba2i@lists.linux.dev
Subject: [PATCH v1] xstrtol: 1 is not a valid base
Message-ID: <20240718165154.38938-1-alx@kernel.org>
X-Mailer: git-send-email 2.45.2

If xstrtol() was being called with a base of 1, under some conditions it
would invoke Undefined Behavior.  Here's the code that would trigger UB:

    char *end;

    xstrtol(str, &end, 1, ...);  // Let's ignore trailing args.

The reason why this triggers UB is that since the following line lets a
base of 1 go through:

    assure (0 <= strtol_base && strtol_base <= 36);

then we arrive at this call:

    tmp = __strtol (s, p, strtol_base);

which sets errno to EINVAL and returns 0 immediately, without updating
the 'p' pointer.  Then, the following line of code:

    if (*p == s)

dereferences an uninitialized pointer.

This was found while searching for examples of why strtol(3) is a bad
API, and how it makes it so easy to misuse.

Fixes: 034a18049cbc (2014-12-20, "assure: new module")
Link:
Cc: Paul Eggert
Cc: Đoàn Trần Công Danh
Cc: Eli Schwartz
Cc: Sam James
Cc: Serge Hallyn
Cc: Iker Pedrosa
Cc: "Andrew J. Hesford"
Cc: Michael Vetter
Cc:
Signed-off-by: Alejandro Colomar
---
Range-diff against v0:
-:  ---------- > 1:  49c4c25b0a xstrtol: 1 is not a valid base

 lib/xstrtol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/xstrtol.c b/lib/xstrtol.c index e4bce43681..575c16d45f 100644 --- a/lib/xstrtol.c +++ b/lib/xstrtol.c
@@ -83,7 +83,7 @@ __xstrtol (const char *s, char **ptr, int strtol_base, __strtol_t tmp; strtol_error err =3D LONGINT_OK; =20 - assure (0 <=3D strtol_base && strtol_base <=3D 36); + assure (0 =3D=3D strtol_base || (2 <=3D strtol_base && strtol_base <=3D = 36)); =20 p =3D (ptr ? ptr : &t_ptr); =20 --=20 2.45.2
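
Review bot: The pointer that the commit message says is read uninitialized is still left unset at the context line `p = (ptr ? ptr : &t_ptr);`, so after this change the only protection is the `assure` on the `+` line. In any build where `assure` does not abort, a base of 1 would still reach `__strtol` and the later `*p == s` comparison would read the same indeterminate value. Consider also giving the pointer a defined value right after that assignment, for example `*p = (char *) s;`, so the comparison is well defined regardless of what `__strtol` does with an invalid base. A short comment on the new condition saying that 0 means auto-detect and that 1 is rejected because strtol treats it as invalid would also help readers who wonder why the range has a hole in it.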
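
The failure mode described in the commit message, guarded on the caller's side, as an added example (not gnulib's or the patch author's code). The wrapper `parse_long`, the helper `base_is_valid` and the `PARSE_*` status names are hypothetical; the wrapper rejects an invalid base with a runtime check before calling strtol(3) and pre-sets the end pointer so the no-digits test never reads an indeterminate value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical status codes for this example (not gnulib's strtol_error). */
enum parse_status { PARSE_OK, PARSE_BAD_BASE, PARSE_NO_DIGITS, PARSE_RANGE, PARSE_TRAILING };

/* strtol(3) accepts base 0 (auto-detect) or 2..36; anything else is invalid. */
static int base_is_valid(int base)
{
    return base == 0 || (base >= 2 && base <= 36);
}

/* Hypothetical wrapper: parse all of s as a long in the given base. */
enum parse_status parse_long(const char *s, int base, long *out)
{
    char *end;

    if (!base_is_valid(base))   /* runtime check, kept in release builds */
        return PARSE_BAD_BASE;

    end = (char *) s;           /* defined even if strtol never stores to it */
    errno = 0;
    long v = strtol(s, &end, base);

    if (end == s)               /* no conversion was performed */
        return PARSE_NO_DIGITS;
    if (errno == ERANGE)        /* value does not fit in a long */
        return PARSE_RANGE;
    if (*end != '\0')           /* unparsed characters remain */
        return PARSE_TRAILING;

    *out = v;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    const struct { const char *s; int base; } in[] = {
        { "42", 10 }, { "0x1f", 0 }, { "42", 1 }, { "42", 37 }, { "abc", 10 }, { "12z", 10 },
    };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        long v = 0;
        enum parse_status st = parse_long(in[i].s, in[i].base, &v);
        printf("%-5s base %2d -> status %d, value %ld\n", in[i].s, in[i].base, (int) st, v);
    }
    return 0;
}
```
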