From: "Dmitry V. Levin" <ldv@altlinux.org>
To: ALT Devel discussion list <devel@lists.altlinux.org>
Subject: [devel] [PATCH apt 3/3] Fix UB in pointer arithmetic
Date: Tue, 10 Dec 2019 02:56:56 +0300
Message-ID: <20191209235654.GC15867@altlinux.org> (raw)
In-Reply-To: <20191209235406.GA15810@altlinux.org>

Commit 6d5e6a689d07de8feef2cbecb24bc42d5994861b aka 0.5.15lorg2-alt70~9
among other changes introduced UB in pointer arithmetic by casting raw
pointers to specific types.

Fix this by introducing two helpers for rebasing pointers in a safe way.

Co-developed-by: Aleksei Nikiforov <darktemplar@altlinux.org>
Fixes: 6d5e6a68 ("apt-pkg/pkgcachegen.{cc,h} changes")
---
 apt/apt-pkg/Makefile.am          |  1 +
 apt/apt-pkg/cacheiterators.h     | 14 ++++++++------
 apt/apt-pkg/contrib/mmap.cc      |  8 ++++----
 apt/apt-pkg/pkgcachegen.cc       | 27 +++++++++++----------------
 apt/apt-pkg/rebase_pointer.h     | 25 +++++++++++++++++++++++++
 apt/apt-pkg/rpm/rpmlistparser.cc |  3 ++-
 6 files changed, 51 insertions(+), 27 deletions(-)
 create mode 100644 apt/apt-pkg/rebase_pointer.h

diff --git a/apt/apt-pkg/Makefile.am b/apt/apt-pkg/Makefile.am
index 4c0d234..d038d01 100644
--- a/apt/apt-pkg/Makefile.am
+++ b/apt/apt-pkg/Makefile.am
@@ -94,6 +94,7 @@ libapt_pkg_la_SOURCES = \
 	pkgsystem.h \
 	policy.cc \
 	policy.h \
+	rebase_pointer.h \
 	repository.cc \
 	repository.h \
 	scopeexit.h \
diff --git a/apt/apt-pkg/cacheiterators.h b/apt/apt-pkg/cacheiterators.h
index 9dffeb3..3c60cb8 100644
--- a/apt/apt-pkg/cacheiterators.h
+++ b/apt/apt-pkg/cacheiterators.h
@@ -34,6 +34,8 @@
 #pragma interface "apt-pkg/cacheiterators.h"
 #endif 
 
+#include <apt-pkg/rebase_pointer.h>
+
 // Package Iterator
 class pkgCache::PkgIterator
 {
@@ -87,7 +89,7 @@ class pkgCache::PkgIterator
    {
       if (Owner == 0 || Pkg == 0)
          return;
-      Pkg += static_cast<Package const *>(newMap) - static_cast<Package const *>(oldMap);
+      RebasePointer(Pkg, oldMap, newMap);
    }
 
    // Constructors
@@ -149,7 +151,7 @@ class pkgCache::VerIterator
    {
       if (Owner == 0 || Ver == 0)
          return;
-      Ver += static_cast<Version const *>(newMap) - static_cast<Version const *>(oldMap);
+      RebasePointer(Ver, oldMap, newMap);
    }
 
    inline VerIterator() : Ver(0), Owner(0) {};   
@@ -222,7 +224,7 @@ class pkgCache::DepIterator
    {
       if (Owner == 0 || Dep == 0)
          return;
-      Dep += static_cast<Dependency const *>(newMap) - static_cast<Dependency const *>(oldMap);
+      RebasePointer(Dep, oldMap, newMap);
    }
 
    inline DepIterator(pkgCache &Owner,Dependency *Trg,Version * = 0) :
@@ -281,7 +283,7 @@ class pkgCache::PrvIterator
    {
       if (Owner == 0 || Prv == 0)
          return;
-      Prv += static_cast<Provides const *>(newMap) - static_cast<Provides const *>(oldMap);
+      RebasePointer(Prv, oldMap, newMap);
    }
 
    inline PrvIterator() : Prv(0), Type(PrvVer), Owner(0)  {};
@@ -344,7 +346,7 @@ class pkgCache::PkgFileIterator
    {
       if (Owner == 0 || File == 0)
          return;
-      File += static_cast<PackageFile const *>(newMap) - static_cast<PackageFile const *>(oldMap);
+      RebasePointer(File, oldMap, newMap);
    }
 
    // Constructors
@@ -385,7 +387,7 @@ class pkgCache::VerFileIterator
    {
       if (Owner == 0 || FileP == 0)
          return;
-      FileP += static_cast<VerFile const *>(newMap) - static_cast<VerFile const *>(oldMap);
+      RebasePointer(FileP, oldMap, newMap);
    }
 
    inline VerFileIterator() : Owner(0), FileP(0) {};
diff --git a/apt/apt-pkg/contrib/mmap.cc b/apt/apt-pkg/contrib/mmap.cc
index 2064fc4..779d7a6 100644
--- a/apt/apt-pkg/contrib/mmap.cc
+++ b/apt/apt-pkg/contrib/mmap.cc
@@ -30,6 +30,7 @@
 #include <apt-pkg/configuration.h>
 #include <apt-pkg/mmap.h>
 #include <apt-pkg/error.h>
+#include <apt-pkg/rebase_pointer.h>
 
 #include <apti18n.h>
 
@@ -285,13 +286,12 @@ std::experimental::optional<map_ptrloc> DynamicMMap::Allocate(unsigned long Item
       I->Count = size/ItemSize;
       Pool* oldPools = Pools;
       auto idxResult = RawAllocate(I->Count*ItemSize,ItemSize);
-      if (Pools != oldPools)
-         I += Pools - oldPools;
 
       // Does the allocation failed ?
       if (!idxResult)
          return idxResult;
 
+      RebasePointer(I, oldPools, Pools);
       Result = *idxResult;
       I->Start = Result;
    }
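Review bot: `I` is now rebased only after the early return, so on a failed RawAllocate() it stays stale; that is safe because nothing dereferences `I` before `return idxResult`, but the ordering constraint is invisible to the next editor. A comment on the new line would pin it: `// RawAllocate() may grow and relocate the map (moving Pools); rebase I before it is dereferenced again`. Whether the relocation happens inside Grow() is not visible in this hunk, and Allocate's body starts and ends outside it.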
@@ -356,7 +356,7 @@ bool DynamicMMap::Grow(unsigned long long size)
       Fd->Write(&C,sizeof(C));
    }
 
-   unsigned long const poolOffset = Pools - ((Pool*) Base);
+   const void *old_base = Base;
 
    if (Fd != 0)
    {
@@ -393,7 +393,7 @@ bool DynamicMMap::Grow(unsigned long long size)
       memset((char*)Base + WorkSpace, 0, newSize - WorkSpace);
    }
 
-   Pools = (Pool*) Base + poolOffset;
+   RebasePointer(Pools, old_base, Base);
    WorkSpace = newSize;
 
    return true;
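Review bot: `Pools` is rebased unconditionally on the new line, and GetRebasedPointer() turns a null pointer into a non-null one (`0 + diff`), unlike the guarded callers in cacheiterators.h; if Pools, CurrentFile (pkgcachegen.cc ReMap) or Last (MergeList, WriteUniqString) can be null when the map moves — not visible in these hunks — they would silently become dangling. The cheapest fix is one guard inside the helper, before the arithmetic: `if (!ptr) return ptr;`. Grow's body starts outside the hunk, so whether Pools can still be unset when Base changes cannot be checked here.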
diff --git a/apt/apt-pkg/pkgcachegen.cc b/apt/apt-pkg/pkgcachegen.cc
index 56716b5..7a5a20c 100644
--- a/apt/apt-pkg/pkgcachegen.cc
+++ b/apt/apt-pkg/pkgcachegen.cc
@@ -26,6 +26,7 @@
 #include <apt-pkg/strutl.h>
 #include <apt-pkg/sptr.h>
 #include <apt-pkg/pkgsystem.h>
+#include <apt-pkg/rebase_pointer.h>
 
 #include <apti18n.h>
 
@@ -116,11 +117,11 @@ void pkgCacheGenerator::ReMap(void const * const oldMap, void const * const newM
 
    Cache.ReMap(false);
 
-   CurrentFile += (pkgCache::PackageFile*) newMap - (pkgCache::PackageFile*) oldMap;
+   RebasePointer(CurrentFile, oldMap, newMap);
 
    for (size_t i = 0; i < _count(UniqHash); ++i)
       if (UniqHash[i] != 0)
-         UniqHash[i] += (pkgCache::StringItem*) newMap - (pkgCache::StringItem*) oldMap;
+         RebasePointer(UniqHash[i], oldMap, newMap);
 
    for (auto i = Dynamic<pkgCache::PkgIterator>::toReMap.begin();
         i != Dynamic<pkgCache::PkgIterator>::toReMap.end(); ++i)
@@ -269,11 +270,8 @@ bool pkgCacheGenerator::MergeList(ListParser &List,
 	 continue;
       }      
 
-      if (oldMap != Map.Data())
-      {
-         Last += (map_ptrloc*) Map.Data() - (map_ptrloc*) oldMap;
-         oldMap = Map.Data();
-      }
+      RebasePointer(Last, oldMap, Map.Data());
+      oldMap = Map.Data();
 
       // Skip to the end of the same version set.
       if (Res == 0)
@@ -296,8 +294,7 @@ bool pkgCacheGenerator::MergeList(ListParser &List,
          return _error->Error(_("Error occurred while processing %s (NewVersion%d)"),
                               PackageName.c_str(), 1);
 
-      if (oldMap != Map.Data())
-         Last += (map_ptrloc*) Map.Data() - (map_ptrloc*) oldMap;
+      RebasePointer(Last, oldMap, Map.Data());
       *Last = *verindex;
 
       Ver->ParentPkg = Pkg.Index();
@@ -604,8 +601,9 @@ bool pkgCacheGenerator::ListParser::NewDepends(pkgCache::VerIterator &Ver,
       for (pkgCache::DepIterator D = Ver.DependsList(); D.end() == false; D++)
 	 OldDepLast = &D->NextDepends;
       OldDepVer = Ver;
-   } else if (oldMap != Owner->Map.Data())
-      OldDepLast += (map_ptrloc*) Owner->Map.Data() - (map_ptrloc*) oldMap;
+   } else {
+      RebasePointer(OldDepLast, oldMap, Owner->Map.Data());
+   }
 
    // Is it a file dependency?
    if (PackageName[0] == '/')
@@ -745,11 +743,8 @@ std::experimental::optional<map_ptrloc> pkgCacheGenerator::WriteUniqString(const
    if ((!Item) || (!idxString))
       return std::experimental::optional<map_ptrloc>();
 
-   if (oldMap != Map.Data())
-   {
-      Last += (map_ptrloc*) Map.Data() - (map_ptrloc*) oldMap;
-      I += (pkgCache::StringItem*) Map.Data() - (pkgCache::StringItem*) oldMap;
-   }
+   RebasePointer(Last, oldMap, Map.Data());
+   RebasePointer(I, oldMap, Map.Data());
 
    *Last = *Item;
 
diff --git a/apt/apt-pkg/rebase_pointer.h b/apt/apt-pkg/rebase_pointer.h
new file mode 100644
index 0000000..2bbabea
--- /dev/null
+++ b/apt/apt-pkg/rebase_pointer.h
@@ -0,0 +1,25 @@
+#ifndef PKGLIB_REBASE_POINTER_H
+#define PKGLIB_REBASE_POINTER_H
+
+template <class T>
+static inline T*
+GetRebasedPointer(T*, const void *, const void *)
+__attribute__((__warn_unused_result__));
+
+template <class T>
+static inline T*
+GetRebasedPointer(T* ptr, const void *old_base, const void *new_base)
+{
+	// uintptr_t is a type with well-defined integer overflow semantics
+	uintptr_t diff = (uintptr_t) new_base - (uintptr_t) old_base;
+	return (T*) ((uintptr_t) ptr + diff);
+}
+
+template <class T>
+static inline void
+RebasePointer(T* &ptr, const void *old_base, const void *new_base)
+{
+	ptr = GetRebasedPointer(ptr, old_base, new_base);
+}
+
+#endif
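Review bot: rebase_pointer.h uses `uintptr_t` but includes nothing, so it compiles only when the including file has already pulled in `<stdint.h>`; add `#include <stdint.h>` right after the include guard. The C-style casts hide what the conversion does — `return reinterpret_cast<T*>(reinterpret_cast<uintptr_t>(ptr) + diff);` (and the same form for computing `diff`) says it explicitly, and `static` on a function template in a header is redundant next to `inline`. The comment would be more precise as `// unsigned wraparound is well-defined, so a "negative" (new_base - old_base) delta is not UB`.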
diff --git a/apt/apt-pkg/rpm/rpmlistparser.cc b/apt/apt-pkg/rpm/rpmlistparser.cc
index 9b2e9ad..4aeb937 100644
--- a/apt/apt-pkg/rpm/rpmlistparser.cc
+++ b/apt/apt-pkg/rpm/rpmlistparser.cc
@@ -25,6 +25,7 @@
 #include <apt-pkg/strutl.h>
 #include <apt-pkg/crc-16.h>
 #include <apt-pkg/tagfile.h>
+#include <apt-pkg/rebase_pointer.h>
 
 #include <apti18n.h>
 
@@ -56,7 +57,7 @@ rpmListParser::rpmListParser(RPMHandler *Handler)
 
          for (auto iter: *SeenPackages)
          {
-            tmp.insert(iter + (static_cast<const char *>(newMap) - static_cast<const char *>(oldMap)));
+            tmp.insert(GetRebasedPointer(iter, oldMap, newMap));
          }
 
          SeenPackages->swap(tmp);
-- 
ldv

