Revert error-throwing wrappers for the printf family of functions.

tglsfdc · tglsfdc · commit 0510cff6e801 · 2015-05-19T18:18:16.000-04:00
This reverts commit 16304a0, except for its changes in src/port/snprintf.c; as well as commit cac18a7 which is no longer needed. Fujii Masao reported that the previous commit caused failures in psql on OS X, since if one exits the pager program early while viewing a query result, psql sees an EPIPE error from fprintf --- and the wrapper function thought that was reason to panic. (It's a bit surprising that the same does not happen on Linux.) Further discussion among the security list concluded that the risk of other such failures was far too great, and that the one-size-fits-all approach to error handling embodied in the previous patch is unlikely to be workable. This leaves us again exposed to the possibility of the type of failure envisioned in CVE-2015-3166. However, that failure mode is strictly hypothetical at this point: there is no concrete reason to believe that an attacker could trigger information disclosure through the supposed mechanism. In the first place, the attack surface is fairly limited, since so much of what the backend does with format strings goes through stringinfo.c or psprintf(), and those already had adequate defenses. In the second place, even granting that an unprivileged attacker could control the occurrence of ENOMEM with some precision, it's a stretch to believe that he could induce it just where the target buffer contains some valuable information. So we concluded that the risk of non-hypothetical problems induced by the patch greatly outweighs the security risks. We will therefore revert, and instead undertake closer analysis to identify specific calls that may need hardening, rather than attempt a universal solution. We have kept the portion of the previous patch that improved snprintf.c's handling of errors when it calls the platform's sprintf(). That seems to be an unalloyed improvement. Security: CVE-2015-3166
diff --git a/src/include/port.h b/src/include/port.h
@@ -155,21 +155,19 @@ extern unsigned char pg_tolower(unsigned char ch);
 extern unsigned char pg_ascii_toupper(unsigned char ch);
 extern unsigned char pg_ascii_tolower(unsigned char ch);
 
+#ifdef USE_REPL_SNPRINTF
+
 /*
- * Capture macro-compatible calls to printf() and friends, and redirect them
- * to wrappers that throw errors in lieu of reporting failure in a return
- * value.  Versions of libintl >= 0.13 similarly redirect to versions that
- * understand the %$ format, so disable libintl macros first.
+ * Versions of libintl >= 0.13 try to replace printf() and friends with
+ * macros to their own versions that understand the %$ format.  We do the
+ * same, so disable their macros, if they exist.
  */
 #ifdef vsnprintf
 #undef vsnprintf
 #endif
 #ifdef snprintf
 #undef snprintf
 #endif
-#ifdef vsprintf
-#undef vsprintf
-#endif
 #ifdef sprintf
 #undef sprintf
 #endif
@@ -183,61 +181,11 @@ extern unsigned char pg_ascii_tolower(unsigned char ch);
 #undef printf
 #endif
 
-extern int
-vsnprintf_throw_on_fail(char *str, size_t count, const char *fmt, va_list args)
-__attribute__((format(PG_PRINTF_ATTRIBUTE, 3, 0)));
-extern int
-snprintf_throw_on_fail(char *str, size_t count, const char *fmt,...)
-__attribute__((format(PG_PRINTF_ATTRIBUTE, 3, 4)));
-extern int
-vsprintf_throw_on_fail(char *str, const char *fmt, va_list args)
-__attribute__((format(PG_PRINTF_ATTRIBUTE, 2, 0)));
-extern int
-sprintf_throw_on_fail(char *str, const char *fmt,...)
-__attribute__((format(PG_PRINTF_ATTRIBUTE, 2, 3)));
-extern int
-vfprintf_throw_on_fail(FILE *stream, const char *fmt, va_list args)
-__attribute__((format(PG_PRINTF_ATTRIBUTE, 2, 0)));
-extern int
-fprintf_throw_on_fail(FILE *stream, const char *fmt,...)
-__attribute__((format(PG_PRINTF_ATTRIBUTE, 2, 3)));
-extern int
-printf_throw_on_fail(const char *fmt,...)
-__attribute__((format(PG_PRINTF_ATTRIBUTE, 1, 2)));
-
-/*
- *	The GCC-specific code below prevents the __attribute__(... 'printf')
- *	above from being replaced, and this is required because gcc doesn't
- *	know anything about printf_throw_on_fail.
- */
-#ifdef __GNUC__
-#define vsnprintf(...)	vsnprintf_throw_on_fail(__VA_ARGS__)
-#define snprintf(...)	snprintf_throw_on_fail(__VA_ARGS__)
-#define vsprintf(...)	vsprintf_throw_on_fail(__VA_ARGS__)
-#define sprintf(...)	sprintf_throw_on_fail(__VA_ARGS__)
-#define vfprintf(...)	vfprintf_throw_on_fail(__VA_ARGS__)
-#define fprintf(...)	fprintf_throw_on_fail(__VA_ARGS__)
-#define printf(...)		printf_throw_on_fail(__VA_ARGS__)
-#else
-#define vsnprintf		vsnprintf_throw_on_fail
-#define snprintf		snprintf_throw_on_fail
-#define vsprintf		vsprintf_throw_on_fail
-#define sprintf			sprintf_throw_on_fail
-#define vfprintf		vfprintf_throw_on_fail
-#define fprintf			fprintf_throw_on_fail
-#define printf			printf_throw_on_fail
-#endif
-
-#ifdef USE_REPL_SNPRINTF
-
-/* Code outside syswrap.c should not call these. */
-
 extern int	pg_vsnprintf(char *str, size_t count, const char *fmt, va_list args);
 extern int
 pg_snprintf(char *str, size_t count, const char *fmt,...)
 /* This extension allows gcc to check the format string */
 __attribute__((format(PG_PRINTF_ATTRIBUTE, 3, 4)));
-extern int	pg_vsprintf(char *str, const char *fmt, va_list args);
 extern int
 pg_sprintf(char *str, const char *fmt,...)
 /* This extension allows gcc to check the format string */
@@ -252,6 +200,26 @@ pg_printf(const char *fmt,...)
 /* This extension allows gcc to check the format string */
 __attribute__((format(PG_PRINTF_ATTRIBUTE, 1, 2)));
 
+/*
+ *	The GCC-specific code below prevents the __attribute__(... 'printf')
+ *	above from being replaced, and this is required because gcc doesn't
+ *	know anything about pg_printf.
+ */
+#ifdef __GNUC__
+#define vsnprintf(...)	pg_vsnprintf(__VA_ARGS__)
+#define snprintf(...)	pg_snprintf(__VA_ARGS__)
+#define sprintf(...)	pg_sprintf(__VA_ARGS__)
+#define vfprintf(...)	pg_vfprintf(__VA_ARGS__)
+#define fprintf(...)	pg_fprintf(__VA_ARGS__)
+#define printf(...)		pg_printf(__VA_ARGS__)
+#else
+#define vsnprintf		pg_vsnprintf
+#define snprintf		pg_snprintf
+#define sprintf			pg_sprintf
+#define vfprintf		pg_vfprintf
+#define fprintf			pg_fprintf
+#define printf			pg_printf
+#endif
 #endif   /* USE_REPL_SNPRINTF */
 
 #if defined(WIN32)
diff --git a/src/interfaces/ecpg/compatlib/Makefile b/src/interfaces/ecpg/compatlib/Makefile
@@ -45,7 +45,6 @@ submake-pgtypeslib:
 # Shared library stuff
 include $(top_srcdir)/src/Makefile.shlib
 
-# XXX This library uses no symbols from snprintf.c.
 snprintf.c: % : $(top_srcdir)/src/port/%
 	rm -f $@ && $(LN_S) $< .
 
diff --git a/src/interfaces/ecpg/ecpglib/.gitignore b/src/interfaces/ecpg/ecpglib/.gitignore
@@ -7,5 +7,4 @@
 /path.c
 /pgstrcasecmp.c
 /strlcpy.c
-/syswrap.c
 /thread.c
diff --git a/src/interfaces/ecpg/ecpglib/Makefile b/src/interfaces/ecpg/ecpglib/Makefile
@@ -25,7 +25,7 @@ override CFLAGS += $(PTHREAD_CFLAGS)
 LIBS := $(filter-out -lpgport, $(LIBS))
 
 OBJS= execute.o typename.o descriptor.o sqlda.o data.o error.o prepare.o memory.o \
-	connect.o misc.o path.o pgstrcasecmp.o syswrap.o \
+	connect.o misc.o path.o pgstrcasecmp.o \
 	$(filter snprintf.o strlcpy.o win32setlocale.o isinf.o, $(LIBOBJS))
 
 # thread.c is needed only for non-WIN32 implementation of path.c
@@ -57,7 +57,7 @@ include $(top_srcdir)/src/Makefile.shlib
 # necessarily use the same object files as the backend uses. Instead,
 # symlink the source files in here and build our own object file.
 
-path.c pgstrcasecmp.c snprintf.c strlcpy.c syswrap.c thread.c win32setlocale.c isinf.c: % : $(top_srcdir)/src/port/%
+path.c pgstrcasecmp.c snprintf.c strlcpy.c thread.c win32setlocale.c isinf.c: % : $(top_srcdir)/src/port/%
 	rm -f $@ && $(LN_S) $< .
 
 misc.o: misc.c $(top_builddir)/src/port/pg_config_paths.h
@@ -74,6 +74,6 @@ uninstall: uninstall-lib
 
 clean distclean: clean-lib
 	rm -f $(OBJS)
-	rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.c syswrap.c thread.c win32setlocale.c
+	rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.c thread.c win32setlocale.c
 
 maintainer-clean: distclean maintainer-clean-lib
diff --git a/src/interfaces/ecpg/pgtypeslib/.gitignore b/src/interfaces/ecpg/pgtypeslib/.gitignore
@@ -5,4 +5,3 @@
 /exports.list
 
 /pgstrcasecmp.c
-/syswrap.c
diff --git a/src/interfaces/ecpg/pgtypeslib/Makefile b/src/interfaces/ecpg/pgtypeslib/Makefile
@@ -29,7 +29,7 @@ SHLIB_LINK += -lm
 SHLIB_EXPORTS = exports.txt
 
 OBJS= numeric.o datetime.o common.o dt_common.o timestamp.o interval.o \
-	pgstrcasecmp.o syswrap.o \
+	pgstrcasecmp.o \
 	$(filter rint.o snprintf.o, $(LIBOBJS))
 
 all: all-lib
@@ -42,7 +42,7 @@ include $(top_srcdir)/src/Makefile.shlib
 # necessarily use the same object files as the backend uses. Instead,
 # symlink the source files in here and build our own object file.
 
-pgstrcasecmp.c rint.c snprintf.c syswrap.c: % : $(top_srcdir)/src/port/%
+pgstrcasecmp.c rint.c snprintf.c: % : $(top_srcdir)/src/port/%
 	rm -f $@ && $(LN_S) $< .
 
 install: all installdirs install-lib
@@ -52,6 +52,6 @@ installdirs: installdirs-lib
 uninstall: uninstall-lib
 
 clean distclean: clean-lib
-	rm -f $(OBJS) pgstrcasecmp.c rint.c snprintf.c syswrap.c
+	rm -f $(OBJS) pgstrcasecmp.c rint.c snprintf.c
 
 maintainer-clean: distclean maintainer-clean-lib
diff --git a/src/interfaces/libpq/.gitignore b/src/interfaces/libpq/.gitignore
@@ -11,7 +11,6 @@
 /snprintf.c
 /strerror.c
 /strlcpy.c
-/syswrap.c
 /thread.c
 /win32error.c
 /win32setlocale.c
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
@@ -35,7 +35,7 @@ OBJS=	fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
 	fe-protocol2.o fe-protocol3.o pqexpbuffer.o pqsignal.o fe-secure.o \
 	libpq-events.o
 # libpgport C files we always use
-OBJS += chklocale.o inet_net_ntop.o noblock.o pgstrcasecmp.o syswrap.o thread.o
+OBJS += chklocale.o inet_net_ntop.o noblock.o pgstrcasecmp.o thread.o
 # libpgport C files that are needed if identified by configure
 OBJS += $(filter crypt.o getaddrinfo.o getpeereid.o inet_aton.o open.o snprintf.o strerror.o strlcpy.o win32error.o win32setlocale.o, $(LIBOBJS))
 # backend/libpq
@@ -88,7 +88,7 @@ backend_src = $(top_srcdir)/src/backend
 # For some libpgport modules, this only happens if configure decides 
 # the module is needed (see filter hack in OBJS, above).
 
-chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c inet_net_ntop.c noblock.c open.c pgsleep.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c syswrap.c thread.c win32error.c win32setlocale.c: % : $(top_srcdir)/src/port/%
+chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c inet_net_ntop.c noblock.c open.c pgsleep.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c win32error.c win32setlocale.c: % : $(top_srcdir)/src/port/%
 	rm -f $@ && $(LN_S) $< .
 
 ip.c md5.c: % : $(backend_src)/libpq/%
@@ -145,7 +145,7 @@ clean distclean: clean-lib
 # Might be left over from a Win32 client-only build
 	rm -f pg_config_paths.h
 	rm -f inet_net_ntop.c noblock.c pgstrcasecmp.c thread.c
-	rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c snprintf.c strerror.c strlcpy.c syswrap.c win32error.c win32setlocale.c
+	rm -f chklocale.c crypt.c getaddrinfo.c getpeereid.c inet_aton.c open.c snprintf.c strerror.c strlcpy.c win32error.c win32setlocale.c
 	rm -f pgsleep.c	
 	rm -f md5.c ip.c
 	rm -f encnames.c wchar.c
diff --git a/src/interfaces/libpq/bcc32.mak b/src/interfaces/libpq/bcc32.mak
@@ -106,7 +106,6 @@ CLEAN :
 	-@erase "$(INTDIR)\dirmod.obj"
 	-@erase "$(INTDIR)\pgsleep.obj"
 	-@erase "$(INTDIR)\open.obj"
-	-@erase "$(INTDIR)\syswrap.obj"
 	-@erase "$(INTDIR)\win32error.obj"
 	-@erase "$(OUTDIR)\$(OUTFILENAME).lib"
 	-@erase "$(OUTDIR)\$(OUTFILENAME)dll.lib"
@@ -150,7 +149,6 @@ LIB32_OBJS= \
 	"$(INTDIR)\dirmod.obj" \
 	"$(INTDIR)\pgsleep.obj" \
 	"$(INTDIR)\open.obj" \
-	"$(INTDIR)\syswrap.obj" \
 	"$(INTDIR)\win32error.obj" \
 	"$(INTDIR)\pthread-win32.obj"
 
@@ -289,11 +287,6 @@ LINK32_FLAGS = -Gn -L$(BCB)\lib;$(INTDIR); -x -Tpd -v
 	$(CPP_PROJ) /I"." ..\..\port\open.c
 <<
 
-"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
-	$(CPP) @<<
-	$(CPP_PROJ) ..\..\port\syswrap.c
-<<
-
 "$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
 	$(CPP) @<<
 	$(CPP_PROJ) /I"." ..\..\port\win32error.c
diff --git a/src/interfaces/libpq/win32.mak b/src/interfaces/libpq/win32.mak
@@ -113,7 +113,6 @@ CLEAN :
 	-@erase "$(INTDIR)\dirmod.obj"
 	-@erase "$(INTDIR)\pgsleep.obj"
 	-@erase "$(INTDIR)\open.obj"
-	-@erase "$(INTDIR)\syswrap.obj"
 	-@erase "$(INTDIR)\win32error.obj"
 	-@erase "$(INTDIR)\win32setlocale.obj"
 	-@erase "$(OUTDIR)\$(OUTFILENAME).lib"
@@ -160,7 +159,6 @@ LIB32_OBJS= \
 	"$(INTDIR)\dirmod.obj" \
 	"$(INTDIR)\pgsleep.obj" \
 	"$(INTDIR)\open.obj" \
-	"$(INTDIR)\syswrap.obj" \
 	"$(INTDIR)\win32error.obj" \
 	"$(INTDIR)\win32setlocale.obj" \
 	"$(INTDIR)\pthread-win32.obj"
@@ -329,11 +327,6 @@ LINK32_OBJS= \
 	$(CPP_PROJ) /I"." ..\..\port\open.c
 <<
 
-"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
-	$(CPP) @<<
-	$(CPP_PROJ) ..\..\port\syswrap.c
-<<
-
 "$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
 	$(CPP) @<<
 	$(CPP_PROJ) /I"." ..\..\port\win32error.c
diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h
@@ -39,8 +39,10 @@
  * So we undefine them here and redefine them after it's done its dirty deed.
  */
 
+#ifdef USE_REPL_SNPRINTF
 #undef snprintf
 #undef vsnprintf
+#endif
 
 
 /* required for perl API */
@@ -49,19 +51,21 @@
 #include "XSUB.h"
 
 /* put back our snprintf and vsnprintf */
+#ifdef USE_REPL_SNPRINTF
 #ifdef snprintf
 #undef snprintf
 #endif
 #ifdef vsnprintf
 #undef vsnprintf
 #endif
 #ifdef __GNUC__
-#define vsnprintf(...)	vsnprintf_throw_on_fail(__VA_ARGS__)
-#define snprintf(...)	snprintf_throw_on_fail(__VA_ARGS__)
+#define vsnprintf(...)	pg_vsnprintf(__VA_ARGS__)
+#define snprintf(...)	pg_snprintf(__VA_ARGS__)
 #else
-#define vsnprintf		vsnprintf_throw_on_fail
-#define snprintf		snprintf_throw_on_fail
+#define vsnprintf		pg_vsnprintf
+#define snprintf		pg_snprintf
 #endif   /* __GNUC__ */
+#endif   /* USE_REPL_SNPRINTF */
 
 /* perl version and platform portability */
 #define NEED_eval_pv
diff --git a/src/port/Makefile b/src/port/Makefile
@@ -32,7 +32,7 @@ LIBS += $(PTHREAD_LIBS)
 
 OBJS = $(LIBOBJS) chklocale.o dirmod.o exec.o inet_net_ntop.o noblock.o \
 	path.o pgcheckdir.o pgmkdirp.o pgsleep.o pgstrcasecmp.o \
-	qsort.o qsort_arg.o sprompt.o syswrap.o thread.o
+	qsort.o qsort_arg.o sprompt.o thread.o
 
 # foo_srv.o and foo.o are both built from foo.c, but only foo.o has -DFRONTEND
 OBJS_SRV = $(OBJS:%.o=%_srv.o)
diff --git a/src/port/snprintf.c b/src/port/snprintf.c
@@ -99,7 +99,6 @@
 /* Prevent recursion */
 #undef	vsnprintf
 #undef	snprintf
-#undef	vsprintf
 #undef	sprintf
 #undef	vfprintf
 #undef	fprintf
@@ -176,7 +175,7 @@ pg_snprintf(char *str, size_t count, const char *fmt,...)
 	return len;
 }
 
-int
+static int
 pg_vsprintf(char *str, const char *fmt, va_list args)
 {
 	PrintfTarget target;
diff --git a/src/port/syswrap.c b/src/port/syswrap.c
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm

Original file line number	Diff line number	Diff line change
`@@ -5,4 +5,3 @@`
`5`	`5`	`/exports.list`
`6`	`6`
`7`	`7`	`/pgstrcasecmp.c`
`8`		`-/syswrap.c`