[PATCH v1] xstrtol: 1 is not a valid base

[PATCH v1] xstrtol: 1 is not a valid base

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 1911 bytes --]

If xstrtol() was being called with a base of 1, under some conditions it
would invoke Undefined Behavior.

Here's the code that would trigger UB:

	char  *end;

	xstrtol(str, &end, 1, ...);  // Let's ignore trailing args.

The reason why this triggers UB is that since the following line lets a
base of 1 go through:

	assure (0 <= strtol_base && strtol_base <= 36);

then we arrive at this call:

	tmp = __strtol (s, p, strtol_base);

which sets errno to EINVAL and returns 0 immediately, without updating
the 'p' pointer.  Then, the following line of code:

	if (*p == s)

dereferences an uninitialized pointer.

This was found while searching for examples of why strtol(3) is a bad
API, and how it makes it so easy to misuse.

Fixes: 034a18049cbc (2014-12-20, "assure: new module")
Link: <https://github.com/void-linux/void-packages/issues/51261#issuecomment-2237013621>
Cc: Paul Eggert <eggert@cs.ucla.edu>
Cc: Đoàn Trần Công Danh <congdanhqx@gmail.com>
Cc: Eli Schwartz <eschwartz93@gmail.com>
Cc: Sam James <sam@gentoo.org>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: "Andrew J. Hesford" <ajh@sideband.org>
Cc: Michael Vetter <jubalh@iodoru.org>
Cc: <liba2i@lists.linux.dev>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
Range-diff against v0:
-:  ---------- > 1:  49c4c25b0a xstrtol: 1 is not a valid base

 lib/xstrtol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/xstrtol.c b/lib/xstrtol.c
index e4bce43681..575c16d45f 100644
--- a/lib/xstrtol.c
+++ b/lib/xstrtol.c
@@ -83,7 +83,7 @@ __xstrtol (const char *s, char **ptr, int strtol_base,
   __strtol_t tmp;
   strtol_error err = LONGINT_OK;
 
-  assure (0 <= strtol_base && strtol_base <= 36);
+  assure (0 == strtol_base || (2 <= strtol_base && strtol_base <= 36));
 
   p = (ptr ? ptr : &t_ptr);
 
-- 
2.45.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v1] xstrtol: 1 is not a valid base

[Bruno Haible]

Alejandro Colomar wrote:
> If xstrtol() was being called with a base of 1, under some conditions it
> would invoke Undefined Behavior.

Yes, sure. A numeric base of 1 makes no sense, mathematically.

Thanks for the patch; applied.

Note that I disagree with the statement from
https://github.com/void-linux/void-packages/issues/51261#issuecomment-2237055195 :
> Yet he introduced that bug a decade ago

I wouldn't call it a bug. Gnulib does not document that passing a base of 1
to xstrtol is valid. It's known to everyone in the field that a base of 1
makes no sense. So, what you saw here was a slightly incomplete input
validation check.

Thanks for the improvement.

Bruno

Re: [PATCH v1] xstrtol: 1 is not a valid base

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 1474 bytes --]

Hi Bruno,

On Thu, Jul 18, 2024 at 08:06:07PM GMT, Bruno Haible wrote:
> Alejandro Colomar wrote:
> > If xstrtol() was being called with a base of 1, under some conditions it
> > would invoke Undefined Behavior.
> 
> Yes, sure. A numeric base of 1 makes no sense, mathematically.
> 
> Thanks for the patch; applied.
> 
> Note that I disagree with the statement from
> https://github.com/void-linux/void-packages/issues/51261#issuecomment-2237055195 :
> > Yet he introduced that bug a decade ago
> 
> I wouldn't call it a bug. Gnulib does not document that passing a base of 1
> to xstrtol is valid.

While it's your api, borrowing the name of strtol(3) comes with implied
semantics.  I think it'd be common to assume that unless specifically
documented, you behave like POSIX's strtol(3), which produces defined
behavior for a base of 1.  If not a bug, it was at least misleading.

I don't claim that POSIX's choice was good; actually I think it makes
little sense, and ISO C's choice of leaving it undefined was probably
better.

BTW, does gnulib have documentation for xstrtol()?  I couldn't find it.
And for MALLOC()?  I'm interested in reading both.

> It's known to everyone in the field that a base of 1
> makes no sense. So, what you saw here was a slightly incomplete input
> validation check.
> 
> Thanks for the improvement.

You're welcome!

Have a lovely night!
Alex

> Bruno

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v1] xstrtol: 1 is not a valid base

[Bruno Haible]

Alejandro Colomar wrote:
> BTW, does gnulib have documentation for xstrtol()?  I couldn't find it.
> And for MALLOC()?  I'm interested in reading both.

Paul added the documentation for xstrtol().

There is no macro or symbol named MALLOC in gnulib; I don't know what you
are referring to.

Bruno