Add error-throwing wrappers for the printf family of functions.

nmisch · nmisch · commit b08c7aff708b · 2015-05-18T10:02:38.000-04:00
All known standard library implementations of these functions can fail with ENOMEM. A caller neglecting to check for failure would experience missing output, information exposure, or a crash. Check return values within wrappers and code, currently just snprintf.c, that bypasses the wrappers. The wrappers do not return after an error, so their callers need not check. Back-patch to 9.0 (all supported versions). Popular free software standard library implementations do take pains to bypass malloc() in simple cases, but they risk ENOMEM for floating point numbers, positional arguments, large field widths, and large precisions. No specification demands such caution, so this commit regards every call to a printf family function as a potential threat. Injecting the wrappers implicitly is a compromise between patch scope and design goals. I would prefer to edit each call site to name a wrapper explicitly. libpq and the ECPG libraries would, ideally, convey errors to the caller rather than abort(). All that would be painfully invasive for a back-patched security fix, hence this compromise. Security: CVE-2015-3166
diff --git a/src/include/port.h b/src/include/port.h
@@ -148,12 +148,11 @@ extern int	pg_strncasecmp(const char *s1, const char *s2, size_t n);
 extern unsigned char pg_toupper(unsigned char ch);
 extern unsigned char pg_tolower(unsigned char ch);
 
-#ifdef USE_REPL_SNPRINTF
-
 /*
- * Versions of libintl >= 0.13 try to replace printf() and friends with
- * macros to their own versions that understand the %$ format.  We do the
- * same, so disable their macros, if they exist.
+ * Capture macro-compatible calls to printf() and friends, and redirect them
+ * to wrappers that throw errors in lieu of reporting failure in a return
+ * value.  Versions of libintl >= 0.13 similarly redirect to versions that
+ * understand the %$ format, so disable libintl macros first.
  */
 #ifdef vsnprintf
 #undef vsnprintf
@@ -177,6 +176,55 @@ extern unsigned char pg_tolower(unsigned char ch);
 #undef printf
 #endif
 
+extern int
+vsnprintf_throw_on_fail(char *str, size_t count, const char *fmt, va_list args)
+__attribute__((format(printf, 3, 0)));
+extern int
+snprintf_throw_on_fail(char *str, size_t count, const char *fmt,...)
+__attribute__((format(printf, 3, 4)));
+extern int
+vsprintf_throw_on_fail(char *str, const char *fmt, va_list args)
+__attribute__((format(printf, 2, 0)));
+extern int
+sprintf_throw_on_fail(char *str, const char *fmt,...)
+__attribute__((format(printf, 2, 3)));
+extern int
+vfprintf_throw_on_fail(FILE *stream, const char *fmt, va_list args)
+__attribute__((format(printf, 2, 0)));
+extern int
+fprintf_throw_on_fail(FILE *stream, const char *fmt,...)
+__attribute__((format(printf, 2, 3)));
+extern int
+printf_throw_on_fail(const char *fmt,...)
+__attribute__((format(printf, 1, 2)));
+
+/*
+ *	The GCC-specific code below prevents the __attribute__(... 'printf')
+ *	above from being replaced, and this is required because gcc doesn't
+ *	know anything about printf_throw_on_fail.
+ */
+#ifdef __GNUC__
+#define vsnprintf(...)	vsnprintf_throw_on_fail(__VA_ARGS__)
+#define snprintf(...)	snprintf_throw_on_fail(__VA_ARGS__)
+#define vsprintf(...)	vsprintf_throw_on_fail(__VA_ARGS__)
+#define sprintf(...)	sprintf_throw_on_fail(__VA_ARGS__)
+#define vfprintf(...)	vfprintf_throw_on_fail(__VA_ARGS__)
+#define fprintf(...)	fprintf_throw_on_fail(__VA_ARGS__)
+#define printf(...)		printf_throw_on_fail(__VA_ARGS__)
+#else
+#define vsnprintf		vsnprintf_throw_on_fail
+#define snprintf		snprintf_throw_on_fail
+#define vsprintf		vsprintf_throw_on_fail
+#define sprintf			sprintf_throw_on_fail
+#define vfprintf		vfprintf_throw_on_fail
+#define fprintf			fprintf_throw_on_fail
+#define printf			printf_throw_on_fail
+#endif
+
+#ifdef USE_REPL_SNPRINTF
+
+/* Code outside syswrap.c should not call these. */
+
 extern int	pg_vsnprintf(char *str, size_t count, const char *fmt, va_list args);
 extern int
 pg_snprintf(char *str, size_t count, const char *fmt,...)
@@ -197,28 +245,6 @@ pg_printf(const char *fmt,...)
 /* This extension allows gcc to check the format string */
 __attribute__((format(printf, 1, 2)));
 
-/*
- *	The GCC-specific code below prevents the __attribute__(... 'printf')
- *	above from being replaced, and this is required because gcc doesn't
- *	know anything about pg_printf.
- */
-#ifdef __GNUC__
-#define vsnprintf(...)	pg_vsnprintf(__VA_ARGS__)
-#define snprintf(...)	pg_snprintf(__VA_ARGS__)
-#define vsprintf(...)	pg_vsprintf(__VA_ARGS__)
-#define sprintf(...)	pg_sprintf(__VA_ARGS__)
-#define vfprintf(...)	pg_vfprintf(__VA_ARGS__)
-#define fprintf(...)	pg_fprintf(__VA_ARGS__)
-#define printf(...)		pg_printf(__VA_ARGS__)
-#else
-#define vsnprintf		pg_vsnprintf
-#define snprintf		pg_snprintf
-#define vsprintf		pg_vsprintf
-#define sprintf			pg_sprintf
-#define vfprintf		pg_vfprintf
-#define fprintf			pg_fprintf
-#define printf			pg_printf
-#endif
 #endif   /* USE_REPL_SNPRINTF */
 
 /*
diff --git a/src/interfaces/ecpg/compatlib/Makefile b/src/interfaces/ecpg/compatlib/Makefile
@@ -36,6 +36,7 @@ all: all-lib
 # Shared library stuff
 include $(top_srcdir)/src/Makefile.shlib
 
+# XXX This library uses no symbols from snprintf.c.
 snprintf.c: % : $(top_srcdir)/src/port/%
 	rm -f $@ && $(LN_S) $< .
 
diff --git a/src/interfaces/ecpg/ecpglib/.gitignore b/src/interfaces/ecpg/ecpglib/.gitignore
@@ -6,4 +6,5 @@
 /path.c
 /pgstrcasecmp.c
 /strlcpy.c
+/syswrap.c
 /thread.c
diff --git a/src/interfaces/ecpg/ecpglib/Makefile b/src/interfaces/ecpg/ecpglib/Makefile
@@ -25,7 +25,7 @@ override CFLAGS += $(PTHREAD_CFLAGS)
 LIBS := $(filter-out -lpgport, $(LIBS))
 
 OBJS= execute.o typename.o descriptor.o sqlda.o data.o error.o prepare.o memory.o \
-	connect.o misc.o path.o pgstrcasecmp.o \
+	connect.o misc.o path.o pgstrcasecmp.o syswrap.o \
 	$(filter snprintf.o strlcpy.o isinf.o, $(LIBOBJS))
 
 # thread.c is needed only for non-WIN32 implementation of path.c
@@ -58,7 +58,7 @@ include $(top_srcdir)/src/Makefile.shlib
 # necessarily use the same object files as the backend uses. Instead,
 # symlink the source files in here and build our own object file.
 
-path.c pgstrcasecmp.c snprintf.c strlcpy.c thread.c isinf.c: % : $(top_srcdir)/src/port/%
+path.c pgstrcasecmp.c snprintf.c strlcpy.c syswrap.c thread.c isinf.c: % : $(top_srcdir)/src/port/%
 	rm -f $@ && $(LN_S) $< .
 
 misc.o: misc.c $(top_builddir)/src/port/pg_config_paths.h
@@ -75,6 +75,6 @@ uninstall: uninstall-lib
 
 clean distclean: clean-lib
 	rm -f $(OBJS)
-	rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.c thread.c
+	rm -f path.c pgstrcasecmp.c snprintf.c strlcpy.c syswrap.c thread.c
 
 maintainer-clean: distclean maintainer-clean-lib
diff --git a/src/interfaces/ecpg/pgtypeslib/.gitignore b/src/interfaces/ecpg/pgtypeslib/.gitignore
@@ -4,3 +4,4 @@
 /exports.list
 
 /pgstrcasecmp.c
+/syswrap.c
diff --git a/src/interfaces/ecpg/pgtypeslib/Makefile b/src/interfaces/ecpg/pgtypeslib/Makefile
@@ -29,7 +29,7 @@ SHLIB_LINK += -lm
 SHLIB_EXPORTS = exports.txt
 
 OBJS= numeric.o datetime.o common.o dt_common.o timestamp.o interval.o \
-	pgstrcasecmp.o \
+	pgstrcasecmp.o syswrap.o \
 	$(filter rint.o snprintf.o, $(LIBOBJS))
 
 all: all-lib
@@ -42,7 +42,7 @@ include $(top_srcdir)/src/Makefile.shlib
 # necessarily use the same object files as the backend uses. Instead,
 # symlink the source files in here and build our own object file.
 
-pgstrcasecmp.c rint.c snprintf.c: % : $(top_srcdir)/src/port/%
+pgstrcasecmp.c rint.c snprintf.c syswrap.c: % : $(top_srcdir)/src/port/%
 	rm -f $@ && $(LN_S) $< .
 
 install: all installdirs install-lib
@@ -52,6 +52,6 @@ installdirs: installdirs-lib
 uninstall: uninstall-lib
 
 clean distclean: clean-lib
-	rm -f $(OBJS) pgstrcasecmp.c rint.c snprintf.c
+	rm -f $(OBJS) pgstrcasecmp.c rint.c snprintf.c syswrap.c
 
 maintainer-clean: distclean maintainer-clean-lib
diff --git a/src/interfaces/libpq/.gitignore b/src/interfaces/libpq/.gitignore
@@ -8,6 +8,7 @@
 /snprintf.c
 /strerror.c
 /strlcpy.c
+/syswrap.c
 /thread.c
 /win32error.c
 /pgsleep.c
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
@@ -33,7 +33,7 @@ LIBS := $(LIBS:-lpgport=)
 OBJS=	fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
 	fe-protocol2.o fe-protocol3.o pqexpbuffer.o pqsignal.o fe-secure.o \
 	libpq-events.o \
-	md5.o ip.o wchar.o encnames.o noblock.o pgstrcasecmp.o thread.o \
+	md5.o ip.o wchar.o encnames.o noblock.o pgstrcasecmp.o syswrap.o thread.o \
 	$(filter crypt.o getaddrinfo.o inet_aton.o open.o snprintf.o strerror.o strlcpy.o win32error.o, $(LIBOBJS))
 
 ifeq ($(PORTNAME), cygwin)
@@ -80,7 +80,7 @@ backend_src = $(top_srcdir)/src/backend
 # For port modules, this only happens if configure decides the module
 # is needed (see filter hack in OBJS, above).
 
-crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c win32error.c pgsleep.c: % : $(top_srcdir)/src/port/%
+crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c syswrap.c thread.c win32error.c pgsleep.c: % : $(top_srcdir)/src/port/%
 	rm -f $@ && $(LN_S) $< .
 
 md5.c ip.c: % : $(backend_src)/libpq/%
@@ -133,7 +133,7 @@ ifneq (,$(findstring $(PORTNAME), win32 cygwin))
 endif
 
 clean distclean: clean-lib
-	rm -f $(OBJS) pg_config_paths.h crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc
+	rm -f $(OBJS) pg_config_paths.h crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c syswrap.c thread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc
 # Might be left over from a Win32 client-only build
 	rm -f pg_config_paths.h
 
diff --git a/src/interfaces/libpq/bcc32.mak b/src/interfaces/libpq/bcc32.mak
@@ -104,6 +104,7 @@ CLEAN :
 	-@erase "$(INTDIR)\dirmod.obj"
 	-@erase "$(INTDIR)\pgsleep.obj"
 	-@erase "$(INTDIR)\open.obj"
+	-@erase "$(INTDIR)\syswrap.obj"
 	-@erase "$(INTDIR)\win32error.obj"
 	-@erase "$(OUTDIR)\$(OUTFILENAME).lib"
 	-@erase "$(OUTDIR)\$(OUTFILENAME)dll.lib"
@@ -145,6 +146,7 @@ LIB32_OBJS= \
 	"$(INTDIR)\dirmod.obj" \
 	"$(INTDIR)\pgsleep.obj" \
 	"$(INTDIR)\open.obj" \
+	"$(INTDIR)\syswrap.obj" \
 	"$(INTDIR)\win32error.obj" \
 	"$(INTDIR)\pthread-win32.obj"
 
@@ -273,6 +275,11 @@ LINK32_FLAGS = -Gn -L$(BCB)\lib;$(INTDIR); -x -Tpd -v
 	$(CPP_PROJ) /I"." ..\..\port\open.c
 <<
 
+"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
+	$(CPP) @<<
+	$(CPP_PROJ) ..\..\port\syswrap.c
+<<
+
 "$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
 	$(CPP) @<<
 	$(CPP_PROJ) /I"." ..\..\port\win32error.c
diff --git a/src/interfaces/libpq/win32.mak b/src/interfaces/libpq/win32.mak
@@ -111,6 +111,7 @@ CLEAN :
 	-@erase "$(INTDIR)\dirmod.obj"
 	-@erase "$(INTDIR)\pgsleep.obj"
 	-@erase "$(INTDIR)\open.obj"
+	-@erase "$(INTDIR)\syswrap.obj"
 	-@erase "$(INTDIR)\win32error.obj"
 	-@erase "$(OUTDIR)\$(OUTFILENAME).lib"
 	-@erase "$(OUTDIR)\$(OUTFILENAME)dll.lib"
@@ -154,6 +155,7 @@ LIB32_OBJS= \
 	"$(INTDIR)\dirmod.obj" \
 	"$(INTDIR)\pgsleep.obj" \
 	"$(INTDIR)\open.obj" \
+	"$(INTDIR)\syswrap.obj" \
 	"$(INTDIR)\win32error.obj" \
 	"$(INTDIR)\pthread-win32.obj"
 
@@ -311,6 +313,11 @@ LINK32_OBJS= \
 	$(CPP_PROJ) /I"." ..\..\port\open.c
 <<
 
+"$(INTDIR)\syswrap.obj" : ..\..\port\syswrap.c
+	$(CPP) @<<
+	$(CPP_PROJ) ..\..\port\syswrap.c
+<<
+
 "$(INTDIR)\win32error.obj" : ..\..\port\win32error.c
 	$(CPP) @<<
 	$(CPP_PROJ) /I"." ..\..\port\win32error.c
diff --git a/src/port/Makefile b/src/port/Makefile
@@ -31,7 +31,7 @@ override CPPFLAGS := -I$(top_builddir)/src/port -DFRONTEND $(CPPFLAGS)
 LIBS += $(PTHREAD_LIBS)
 
 OBJS = $(LIBOBJS) chklocale.o dirmod.o exec.o noblock.o path.o \
-	pgsleep.o pgstrcasecmp.o qsort.o qsort_arg.o sprompt.o thread.o
+	pgsleep.o pgstrcasecmp.o qsort.o qsort_arg.o sprompt.o syswrap.o thread.o
 ifneq (,$(filter $(PORTNAME),cygwin win32))
 OBJS += pipe.o
 endif
diff --git a/src/port/snprintf.c b/src/port/snprintf.c
diff --git a/src/port/syswrap.c b/src/port/syswrap.c
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm

Original file line number	Diff line number	Diff line change
`@@ -4,3 +4,4 @@`
`4`	`4`	`/exports.list`
`5`	`5`
`6`	`6`	`/pgstrcasecmp.c`
	`7`	`+/syswrap.c`