From: "Yu, Mingli" <mingli.yu@windriver.com>
To: Yuanjie Huang <Yuanjie.Huang@windriver.com>,
	<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] openssh: fix potential signed overflow to enable compilation with -ftrapv
Date: Mon, 19 Sep 2016 16:29:33 +0800
Message-ID: <57DFA1ED.7050605@windriver.com>
In-Reply-To: <20160826015733.16951-1-Yuanjie.Huang@windriver.com>

ping

Thanks,

On 2016-08-26 09:57, Yuanjie Huang wrote:
> From: Yuanjie Huang <yuanjie.huang@windriver.com>
>
> Pointer arithmetic results in implementation-defined signed integer
> type, so that 's - src' in strlcpy and others may trigger signed overflow.
> In case of compilation by gcc or clang with -ftrapv option, the overflow
> would lead to program abort.
>
> Upstream-status: Submitted [https://bugzilla.mindrot.org/show_bug.cgi?id=2608]
>
> Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
> ---
>   ...ial-signed-overflow-in-pointer-arithmatic.patch | 99 ++++++++++++++++++++++
>   meta/recipes-connectivity/openssh/openssh_7.3p1.bb |  1 +
>   2 files changed, 100 insertions(+)
>   create mode 100644 meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
> new file mode 100644
> index 0000000..df64a14
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
> @@ -0,0 +1,99 @@
> +From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
> +From: Yuanjie Huang <yuanjie.huang@windriver.com>
> +Date: Wed, 24 Aug 2016 03:15:43 +0000
> +Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
> +
> +Pointer arithmatic results in implementation defined signed integer
> +type, so that 's - src' in strlcpy and others may trigger signed overflow.
> +In case of compilation by gcc or clang with -ftrapv option, the overflow
> +would lead to program abort.
> +
> +Upstream-status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
> +
> +Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
> +---
> + openbsd-compat/strlcat.c | 8 ++++++--
> + openbsd-compat/strlcpy.c | 8 ++++++--
> + openbsd-compat/strnlen.c | 8 ++++++--
> + 3 files changed, 18 insertions(+), 6 deletions(-)
> +
> +diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
> +index bcc1b61..e758ebf 100644
> +--- a/openbsd-compat/strlcat.c
> ++++ b/openbsd-compat/strlcat.c
> +@@ -23,6 +23,7 @@
> +
> + #include <sys/types.h>
> + #include <string.h>
> ++#include <stdint.h>
> +
> + /*
> +  * Appends src to string dst of size siz (unlike strncat, siz is the
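Review bot: the '#include <stdint.h>' added at the top of openbsd-compat/strlcat.c is unconditional, but this file is only compiled when the platform lacks strlcat (see the '#endif /* !HAVE_STRLCAT */' guard at the end of the file), and such a platform may not ship <stdint.h> or define uintptr_t, which C99 makes an optional type. Suggest guarding the include with a configure-time check. The same applies to the identical include added to strlcpy.c and strnlen.c.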
> +@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
> + 		s++;
> + 	}
> + 	*d = '\0';
> +-
> +-	return(dlen + (s - src));	/* count does not include NUL */
> ++        /*
> ++	 * Cast pointers to unsigned type before calculation, to avoid signed
> ++	 * overflow when the string ends where the MSB has changed.
> ++	 */
> ++	return (dlen + ((uintptr_t)s - (uintptr_t)src));	/* count does not include NUL */
> + }
> +
> + #endif /* !HAVE_STRLCAT */
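Review bot: the comment opener added before the return in strlcat() is indented with eight spaces while the comment lines after it and the return itself use a tab, and the hunk also deletes the blank line that separated "*d = '\0';" from the return. Use a tab before '/*' and keep the blank line so the change is limited to the return expression. The comment text "when the string ends where the MSB has changed" would be easier to follow if it said the cast avoids the -ftrapv abort described in the commit message.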
> +diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
> +index b4b1b60..b06f374 100644
> +--- a/openbsd-compat/strlcpy.c
> ++++ b/openbsd-compat/strlcpy.c
> +@@ -23,6 +23,7 @@
> +
> + #include <sys/types.h>
> + #include <string.h>
> ++#include <stdint.h>
> +
> + /*
> +  * Copy src to string dst of size siz.  At most siz-1 characters
> +@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
> + 		while (*s++)
> + 			;
> + 	}
> +-
> +-	return(s - src - 1);	/* count does not include NUL */
> ++        /*
> ++	 * Cast pointers to unsigned type before calculation, to avoid signed
> ++	 * overflow when the string ends where the MSB has changed.
> ++	 */
> ++	return ((uintptr_t)s - (uintptr_t)src - 1);	/* count does not include NUL */
> + }
> +
> + #endif /* !HAVE_STRLCPY */
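Review bot: the new return in strlcpy() relies on an implicit conversion from uintptr_t to the size_t return type, whereas the strnlen() change in this same patch wraps the same kind of expression in an explicit (size_t) cast. Pick one form for all three functions; 'return (size_t)((uintptr_t)s - (uintptr_t)src - 1);' states the intended result type on platforms where uintptr_t and size_t differ, and the strlcat() return would need the same treatment.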
> +diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
> +index 93d5155..9b8de5d 100644
> +--- a/openbsd-compat/strnlen.c
> ++++ b/openbsd-compat/strnlen.c
> +@@ -23,6 +23,7 @@
> + #include <sys/types.h>
> +
> + #include <string.h>
> ++#include <stdint.h>
> +
> + size_t
> + strnlen(const char *str, size_t maxlen)
> +@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
> +
> + 	for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
> + 		;
> +-
> +-	return (size_t)(cp - str);
> ++        /*
> ++	 * Cast pointers to unsigned type before calculation, to avoid signed
> ++	 * overflow when the string ends where the MSB has changed.
> ++	 */
> ++	return (size_t)((uintptr_t)cp - (uintptr_t)str);
> + }
> + #endif
> +--
> +1.9.1
> +
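Review bot: the header of the embedded patch spells the tag 'Upstream-status:', while OpenEmbedded expects 'Upstream-Status:' with a capital S, so tooling that looks for the tag may not find it. The patch file name and its Subject line also carry the misspelling 'arithmatic'; renaming to 'arithmetic' before merge avoids carrying the typo into SRC_URI in openssh_7.3p1.bb.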
> diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
> index b319726..039b0ff 100644
> --- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
> @@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
>              file://run-ptest \
>              file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
>              file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
> +           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
>              "
>
>   PAM_SRC_URI = "file://sshd"
>

