From beeb5b354b9f5fd8745cc034694041b2ca91e31d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20B=C3=A9rat?= Date: Thu, 4 Jun 2026 11:49:13 +0200 Subject: [PATCH] Fix gconv module reference counter overflow in swscanf and swprintf families Resolves: RHEL-145156 --- glibc-RHEL-145156-1.patch | 206 ++++++++++++++++++++++++++++++++++++++ glibc-RHEL-145156-2.patch | 57 +++++++++++ glibc-RHEL-145156-3.patch | 123 +++++++++++++++++++++++ glibc-RHEL-145156-4.patch | 146 +++++++++++++++++++++++++++ glibc-RHEL-145156-5.patch | 111 ++++++++++++++++++++ 5 files changed, 643 insertions(+) create mode 100644 glibc-RHEL-145156-1.patch create mode 100644 glibc-RHEL-145156-2.patch create mode 100644 glibc-RHEL-145156-3.patch create mode 100644 glibc-RHEL-145156-4.patch create mode 100644 glibc-RHEL-145156-5.patch diff --git a/glibc-RHEL-145156-1.patch b/glibc-RHEL-145156-1.patch new file mode 100644 index 0000000..d591eea --- /dev/null +++ b/glibc-RHEL-145156-1.patch @@ -0,0 +1,206 @@ +commit 0981c03c2752b5f12ede24e6e696d5a29f7c6396 +Author: Frédéric Bérat +Date: Wed Apr 29 15:53:51 2026 +0200 + + libio: Fix gconv module reference counter overflow in swscanf + + The swscanf family of functions creates a wide-oriented FILE stream + on the stack. Initialization of this stream invokes `_IO_fwide`, which + clones the global locale's gconv transformation steps via + `__wcsmbs_clone_conv`. This increments the reference counter (`__counter`) + of the gconv module. + + Because the FILE stream is stack-allocated, `fclose` cannot be called, + and so `__gconv_release_step` is never invoked. The counter leaks, + eventually hitting the 32-bit integer overflow limit and aborting the + process. + + To resolve this, we introduce `_IO_wstrfile_fclose_stack`, a dedicated + cleanup function for stack-allocated FILE streams. This function invokes + `_IO_FINISH` and correctly releases the gconv steps via + `__gconv_release_step` without attempting to `free` the FILE pointer. + This cleanup function is then hooked into all variants of swscanf right + before they return. + + Reviewed-by: Adhemerval Zanella + +Conflicts: + sysdeps/ieee754/ldbl-opt/nldbl-compat.c + (isoc23 variants not present downstream) + sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc23_swscanf.c + (not present downstream) + sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc23_vswscanf.c + (not present downstream) + wcsmbs/isoc23_swscanf.c + (not present downstream) + wcsmbs/isoc23_vswscanf.c + (not present downstream) + +diff --git a/libio/iofwide.c b/libio/iofwide.c +index a7f29fa0b9693cc3..972f154365e88bb3 100644 +--- a/libio/iofwide.c ++++ b/libio/iofwide.c +@@ -257,3 +257,18 @@ __libio_codecvt_length (struct _IO_codecvt *codecvt, __mbstate_t *statep, + + return result; + } ++ ++void ++_IO_wstrfile_fclose_stack (FILE *fp) ++{ ++ _IO_FINISH (fp); ++ if (fp->_mode > 0) ++ { ++ struct _IO_codecvt *cc = fp->_codecvt; ++ ++ __libc_lock_lock (__gconv_lock); ++ __gconv_release_step (cc->__cd_in.step); ++ __gconv_release_step (cc->__cd_out.step); ++ __libc_lock_unlock (__gconv_lock); ++ } ++} +diff --git a/libio/iovswscanf.c b/libio/iovswscanf.c +index 35bddc0daeca917f..284c61615ebddd47 100644 +--- a/libio/iovswscanf.c ++++ b/libio/iovswscanf.c +@@ -38,6 +38,8 @@ __vswscanf (const wchar_t *string, const wchar_t *format, va_list args) + _IO_strfile sf; + struct _IO_wide_data wd; + FILE *f = _IO_strfile_readw (&sf, &wd, string); +- return __vfwscanf_internal (f, format, args, 0); ++ int done = __vfwscanf_internal (f, format, args, 0); ++ _IO_wstrfile_fclose_stack (f); ++ return done; + } + ldbl_weak_alias (__vswscanf, vswscanf) +diff --git a/libio/libioP.h b/libio/libioP.h +index 50570f89de5a7010..76fd7853dc087bf9 100644 +--- a/libio/libioP.h ++++ b/libio/libioP.h +@@ -594,6 +594,7 @@ extern FILE* _IO_new_file_fopen (FILE *, const char *, const char *, + int); + extern void _IO_no_init (FILE *, int, int, struct _IO_wide_data *, + const struct _IO_jump_t *) __THROW; ++extern void _IO_wstrfile_fclose_stack (FILE *) attribute_hidden; + extern void _IO_new_file_init_internal (struct _IO_FILE_plus *) + __THROW attribute_hidden; + extern FILE* _IO_new_file_setbuf (FILE *, char *, ssize_t); +diff --git a/libio/swscanf.c b/libio/swscanf.c +index 88a19144342cdc38..cb3795599c6f70c6 100644 +--- a/libio/swscanf.c ++++ b/libio/swscanf.c +@@ -37,7 +37,7 @@ __swscanf (const wchar_t *s, const wchar_t *format, ...) + va_start (arg, format); + done = __vfwscanf_internal (f, format, arg, 0); + va_end (arg); +- ++ _IO_wstrfile_fclose_stack (f); + return done; + } + ldbl_strong_alias (__swscanf, swscanf) +diff --git a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_swscanf.c b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_swscanf.c +index ef8c1317dcd7f5e5..96bf2ac3559186e7 100644 +--- a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_swscanf.c ++++ b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_swscanf.c +@@ -34,7 +34,7 @@ ___ieee128_isoc99_swscanf (const wchar_t *string, const wchar_t *format, ...) + va_start (ap, format); + done = __vfwscanf_internal (fp, format, ap, mode_flags); + va_end (ap); +- ++ _IO_wstrfile_fclose_stack (fp); + return done; + } + strong_alias (___ieee128_isoc99_swscanf, __isoc99_swscanfieee128) +diff --git a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_vswscanf.c b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_vswscanf.c +index f77bb64638a4717f..8fa10ee2e22e238f 100644 +--- a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_vswscanf.c ++++ b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-isoc99_vswscanf.c +@@ -27,6 +27,8 @@ ___ieee128_isoc99_vswscanf (wchar_t *string, const wchar_t *format, va_list ap) + struct _IO_wide_data wd; + FILE *fp = _IO_strfile_readw (&sf, &wd, string); + int mode_flags = SCANF_ISOC99_A | SCANF_LDBL_USES_FLOAT128; +- return __vfwscanf_internal (fp, format, ap, mode_flags); ++ int done = __vfwscanf_internal (fp, format, ap, mode_flags); ++ _IO_wstrfile_fclose_stack (fp); ++ return done; + } + strong_alias (___ieee128_isoc99_vswscanf, __isoc99_vswscanfieee128) +diff --git a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-swscanf.c b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-swscanf.c +index 04ee5419200298b1..509eaa663d0a9a33 100644 +--- a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-swscanf.c ++++ b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-swscanf.c +@@ -34,7 +34,7 @@ ___ieee128_swscanf (const wchar_t *string, const wchar_t *format, ...) + done = __vfwscanf_internal (fp, format, ap, + SCANF_LDBL_USES_FLOAT128); + va_end (ap); +- ++ _IO_wstrfile_fclose_stack (fp); + return done; + } + strong_alias (___ieee128_swscanf, __swscanfieee128) +diff --git a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-vswscanf.c b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-vswscanf.c +index 7aebc5f1c12939b6..18aa6deaacdde682 100644 +--- a/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-vswscanf.c ++++ b/sysdeps/ieee754/ldbl-128ibm-compat/ieee128-vswscanf.c +@@ -27,6 +27,8 @@ ___ieee128_vswscanf (const wchar_t *string, const wchar_t *format, + _IO_strfile sf; + struct _IO_wide_data wd; + FILE *fp = _IO_strfile_readw (&sf, &wd, string); +- return __vfwscanf_internal (fp, format, ap, SCANF_LDBL_USES_FLOAT128); ++ int done = __vfwscanf_internal (fp, format, ap, SCANF_LDBL_USES_FLOAT128); ++ _IO_wstrfile_fclose_stack (fp); ++ return done; + } + strong_alias (___ieee128_vswscanf, __vswscanfieee128) +diff --git a/sysdeps/ieee754/ldbl-opt/nldbl-compat.c b/sysdeps/ieee754/ldbl-opt/nldbl-compat.c +index a6c5c49ecb151bf5..81d53a4cf30acb89 100644 +--- a/sysdeps/ieee754/ldbl-opt/nldbl-compat.c ++++ b/sysdeps/ieee754/ldbl-opt/nldbl-compat.c +@@ -388,7 +388,9 @@ __nldbl_vswscanf (const wchar_t *s, const wchar_t *fmt, va_list ap) + struct _IO_wide_data wd; + FILE *f = _IO_strfile_readw (&sf, &wd, s); + +- return __vfwscanf_internal (f, fmt, ap, SCANF_LDBL_IS_DBL); ++ int ret = __vfwscanf_internal (f, fmt, ap, SCANF_LDBL_IS_DBL); ++ _IO_wstrfile_fclose_stack (f); ++ return ret; + } + libc_hidden_def (__nldbl_vswscanf) + +@@ -952,7 +954,9 @@ __nldbl___isoc99_vswscanf (const wchar_t *s, const wchar_t *fmt, va_list ap) + struct _IO_wide_data wd; + FILE *f = _IO_strfile_readw (&sf, &wd, s); + +- return __vfwscanf_internal (f, fmt, ap, SCANF_LDBL_IS_DBL | SCANF_ISOC99_A); ++ int ret = __vfwscanf_internal (f, fmt, ap, SCANF_LDBL_IS_DBL | SCANF_ISOC99_A); ++ _IO_wstrfile_fclose_stack (f); ++ return ret; + } + libc_hidden_def (__nldbl___isoc99_vswscanf) + +diff --git a/wcsmbs/isoc99_swscanf.c b/wcsmbs/isoc99_swscanf.c +index bb6d8f2035d8e4a4..3fda1f7be695b31e 100644 +--- a/wcsmbs/isoc99_swscanf.c ++++ b/wcsmbs/isoc99_swscanf.c +@@ -32,6 +32,6 @@ __isoc99_swscanf (const wchar_t *s, const wchar_t *format, ...) + va_start (arg, format); + done = __vfwscanf_internal (f, format, arg, SCANF_ISOC99_A); + va_end (arg); +- ++ _IO_wstrfile_fclose_stack (f); + return done; + } +diff --git a/wcsmbs/isoc99_vswscanf.c b/wcsmbs/isoc99_vswscanf.c +index 3cd0a28c21ffa36f..1df90438416d3bb7 100644 +--- a/wcsmbs/isoc99_vswscanf.c ++++ b/wcsmbs/isoc99_vswscanf.c +@@ -33,6 +33,8 @@ __isoc99_vswscanf (const wchar_t *string, const wchar_t *format, va_list args) + _IO_strfile sf; + struct _IO_wide_data wd; + FILE *f = _IO_strfile_readw (&sf, &wd, string); +- return __vfwscanf_internal (f, format, args, SCANF_ISOC99_A); ++ int done = __vfwscanf_internal (f, format, args, SCANF_ISOC99_A); ++ _IO_wstrfile_fclose_stack (f); ++ return done; + } + libc_hidden_def (__isoc99_vswscanf) diff --git a/glibc-RHEL-145156-2.patch b/glibc-RHEL-145156-2.patch new file mode 100644 index 0000000..01b7d9c --- /dev/null +++ b/glibc-RHEL-145156-2.patch @@ -0,0 +1,57 @@ +libio: Fix gconv module reference counter overflow in vswprintf + +The vswprintf family of functions (swprintf, vswprintf and their +fortified/ldbl-compat wrappers) creates a wide-oriented FILE stream +on the stack via _IO_no_init with _IO_wstrn_jumps, then calls +_IO_fwide which clones the gconv transformation steps via +__wcsmbs_clone_conv, incrementing the __counter reference counter. + +Because the FILE is stack-allocated, fclose is never called, and the +counter is never decremented. In a long-running process calling +swprintf repeatedly with a non-builtin locale (e.g. en_US.UTF-8), +the counter eventually overflows, triggering a fatal abort. + +This is the same class of bug fixed upstream for swscanf in commit +0981c03c2752b5f12ede24e6e696d5a29f7c6396. Upstream resolved the +swprintf path architecturally by reworking the printf subsystem to +use struct __wprintf_buffer instead of FILE * (commit 118816de3383), +eliminating the _IO_fwide call entirely. That rework is too large +to backport to glibc 2.34. + +Instead, apply the same pattern as the swscanf fix: call +_IO_wstrfile_fclose_stack after __vfwprintf_internal returns to +release the gconv steps before the stack FILE goes out of scope. +All ldbl-compat wrappers (ieee128, nldbl) call __vswprintf_internal, +so they are covered by this single change. + +Note: _IO_wstrfile_fclose_stack calls _IO_FINISH which invokes +_IO_wstr_finish, and that NULLs out _IO_buf_base. Therefore the +cleanup must happen after the overflow check (which compares +_IO_buf_base against overflow_buf) and after string termination +(which dereferences _IO_write_ptr). + +diff --git a/libio/vswprintf.c b/libio/vswprintf.c +index b7036f1480733ac6..accbb8516f860680 100644 +--- a/libio/vswprintf.c ++++ b/libio/vswprintf.c +@@ -111,13 +111,17 @@ __vswprintf_internal (wchar_t *string, size_t maxlen, const wchar_t *format, + ret = __vfwprintf_internal ((FILE *) &sf.f._sbf, format, args, mode_flags); + + if (sf.f._sbf._f._wide_data->_IO_buf_base == sf.overflow_buf) +- /* ISO C99 requires swprintf/vswprintf to return an error if the +- output does not fit in the provided buffer. */ +- return -1; ++ { ++ /* ISO C99 requires swprintf/vswprintf to return an error if the ++ output does not fit in the provided buffer. */ ++ _IO_wstrfile_fclose_stack ((FILE *) &sf.f._sbf); ++ return -1; ++ } + + /* Terminate the string. */ + *sf.f._sbf._f._wide_data->_IO_write_ptr = '\0'; + ++ _IO_wstrfile_fclose_stack ((FILE *) &sf.f._sbf); + return ret; + } + diff --git a/glibc-RHEL-145156-3.patch b/glibc-RHEL-145156-3.patch new file mode 100644 index 0000000..78b117e --- /dev/null +++ b/glibc-RHEL-145156-3.patch @@ -0,0 +1,123 @@ +commit 1cc165baed20b6589ef2f2c8c0e0415139bbb151 +Author: Frédéric Bérat +Date: Wed Apr 29 13:26:38 2026 +0200 + + test: Add gconv refcount leak test for swscanf + + Add a new internal test, `tst-wcsmbs-clone-overflow`, to verify correct + gconv module reference counting. The Makefile is updated to include this + test in the `tests-internal` list and ensure it runs with generated locales. + + This test specifically checks that the `__counter` for `gconv_fcts->towc` + does not leak references when `swscanf` is used with a stack-allocated + wide character stream. It ensures that `_IO_wstrfile_fclose_stack` + properly decrements the module reference counter, preventing a module + from staying loaded indefinitely due to unreleased references. + + Assisted-by: LLM + Reviewed-by: Adhemerval Zanella + +Conflicts: + wcsmbs/Makefile + (test-c8rtomb, test-mbrtoc8, tst-wscanf-to_inpunct not present + downstream) + wcsmbs/tst-wcsmbs-clone-overflow.c + (struct lc_ctype_data not present downstream; use + loc->private.ctype directly instead) + +diff --git a/wcsmbs/Makefile b/wcsmbs/Makefile +index 0e5fe909a83c7a13..f74b06d9749eaa02 100644 +--- a/wcsmbs/Makefile ++++ b/wcsmbs/Makefile +@@ -59,6 +59,12 @@ tests := tst-wcstof wcsmbs-tst1 tst-wcsnlen tst-btowc tst-mbrtowc \ + # This test runs for a long time. + xtests += test-wcsncmp-nonarray + ++tests-internal += \ ++ tst-wcsmbs-clone-overflow ++ ++tests-static += \ ++ tst-wcsmbs-clone-overflow ++ + + include ../Rules + +@@ -77,6 +83,7 @@ $(objpfx)tst-wcstol-locale.out: $(gen-locales) + $(objpfx)tst-wcstod-nan-locale.out: $(gen-locales) + $(objpfx)tst-c16-surrogate.out: $(gen-locales) + $(objpfx)tst-c32-state.out: $(gen-locales) ++$(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales) + endif + + $(objpfx)tst-wcstod-round: $(libm) +diff --git a/wcsmbs/tst-wcsmbs-clone-overflow.c b/wcsmbs/tst-wcsmbs-clone-overflow.c +new file mode 100644 +index 0000000000000000..412e1c54085c68d5 +--- /dev/null ++++ b/wcsmbs/tst-wcsmbs-clone-overflow.c +@@ -0,0 +1,65 @@ ++/* Test for gconv module reference counter leak. ++ Copyright (C) 2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++/* Internal headers for accessing the gconv structures. */ ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ if (setlocale (LC_ALL, "de_DE.ISO-8859-1") == NULL) ++ FAIL_EXIT1 ("setlocale failed, check if de_DE.ISO-8859-1 is generated"); ++ ++ wchar_t buf[32] = L"123"; ++ int j; ++ ++ /* First iteration initializes the gconv functions internally. */ ++ if (swscanf (buf, L"%d", &j) < 1) ++ FAIL_EXIT1 ("swscanf failed"); ++ ++ /* Retrieve the current gconv_fcts from the LC_CTYPE locale data. */ ++ struct __locale_data *loc = _NL_CURRENT_DATA (LC_CTYPE); ++ const struct gconv_fcts *fcts = loc->private.ctype; ++ ++ TEST_VERIFY_EXIT (fcts != NULL); ++ TEST_VERIFY_EXIT (fcts->towc != NULL); ++ ++ /* Capture the reference counter. */ ++ int initial_counter = fcts->towc->__counter; ++ ++ /* Perform a second iteration of swscanf. If the stack-allocated FILE ++ leaks the gconv reference, the counter will increment. */ ++ if (swscanf (buf, L"%d", &j) < 1) ++ FAIL_EXIT1 ("swscanf failed"); ++ ++ /* The counter should be unchanged, as _IO_wstrfile_fclose_stack should ++ have decremented it correctly. */ ++ TEST_COMPARE (fcts->towc->__counter, initial_counter); ++ ++ return 0; ++} ++ ++#include diff --git a/glibc-RHEL-145156-4.patch b/glibc-RHEL-145156-4.patch new file mode 100644 index 0000000..62dec63 --- /dev/null +++ b/glibc-RHEL-145156-4.patch @@ -0,0 +1,146 @@ +commit 9ef37798fa7dc2b10926742e3f3bd304a17a9ad1 +Author: Frédéric Bérat +Date: Tue May 26 13:29:57 2026 +0200 + + test: Fix and stabilize tst-wcsmbs-clone-overflow test + + The test tst-wcsmbs-clone-overflow was initially added to tests-static. + However, this causes the test to be unstable because gconv modules + dynamically load libc.so. Any discrepancy between the statically linked + version and the dynamically loaded one can lead to a crash. + + By removing the test from tests-static, it relies on dynamic linking, + safely bypassing the dlopen crash. Since the test is now dynamically + linked, it cannot use the internal thread-local symbol + _NL_CURRENT_DATA(LC_CTYPE) because _nl_current_LC_CTYPE is hidden in + libc.so, leading to undefined references. Thus, the test now uses + newlocale and uselocale, safely extracting the locale data from the + returned locale_t object. + + Furthermore, using newlocale requires the gconv-modules configuration to + be built and available so that the ISO8859-1.so module can be + dynamically loaded. Otherwise, glibc falls back to the built-in C locale + conversions, leaving __shlib_handle as NULL and silently bypassing the + reference counter increment. + A new Makefile fragment, gen-gconv-modules.mk, is introduced to ensure + the gconv-modules are built before the test runs, and an explicit check + for __shlib_handle != NULL is added to the test. + + Reviewed-by: Carlos O'Donell + +Conflicts: + wcsmbs/Makefile + (test-c8rtomb, test-mbrtoc8, tst-wscanf-to_inpunct not present + downstream) + wcsmbs/tst-wcsmbs-clone-overflow.c + (struct lc_ctype_data not present downstream; use + loc->private.ctype directly instead) + +diff --git a/gen-gconv-modules.mk b/gen-gconv-modules.mk +new file mode 100644 +index 0000000000000000..046721a7a7bf460c +--- /dev/null ++++ b/gen-gconv-modules.mk +@@ -0,0 +1,6 @@ ++# defines target $(gen-gconv-modules) that ensures gconv-modules are available ++ ++gen-gconv-modules := $(common-objpfx)iconvdata/gconv-modules ++ ++$(gen-gconv-modules): ++ $(MAKE) -C ../iconvdata subdir=iconvdata $@ +diff --git a/localedata/Makefile b/localedata/Makefile +index 56de42e9262decd3..0cc02c430d96d804 100644 +--- a/localedata/Makefile ++++ b/localedata/Makefile +@@ -204,7 +204,7 @@ install-others := $(addprefix $(inst_i18ndir)/, \ + $(locales)) + endif + +-tests: $(objdir)/iconvdata/gconv-modules ++tests: $(gen-gconv-modules) + + tests-static += tst-langinfo-newlocale-static tst-langinfo-setlocale-static + +@@ -315,6 +315,7 @@ LOCALES := \ + $(NULL) + + include ../gen-locales.mk ++include ../gen-gconv-modules.mk + + $(objpfx)tst-iconv-math-trans.out: $(gen-locales) + endif +@@ -486,6 +487,3 @@ $(objpfx)mtrace-tst-leaks.out: $(objpfx)tst-leaks.out + + bug-setlocale1-ENV-only = LOCPATH=$(objpfx) LC_CTYPE=de_DE.UTF-8 + bug-setlocale1-static-ENV-only = $(bug-setlocale1-ENV-only) +- +-$(objdir)/iconvdata/gconv-modules: +- $(MAKE) -C ../iconvdata subdir=iconvdata $@ +diff --git a/wcsmbs/Makefile b/wcsmbs/Makefile +index f74b06d9749eaa02..bb03d92576700a99 100644 +--- a/wcsmbs/Makefile ++++ b/wcsmbs/Makefile +@@ -62,16 +62,13 @@ xtests += test-wcsncmp-nonarray + tests-internal += \ + tst-wcsmbs-clone-overflow + +-tests-static += \ +- tst-wcsmbs-clone-overflow +- +- + include ../Rules + + ifeq ($(run-built-tests),yes) + LOCALES := de_DE.ISO-8859-1 de_DE.UTF-8 en_US.ANSI_X3.4-1968 hr_HR.ISO-8859-2 \ + ja_JP.EUC-JP zh_TW.EUC-TW tr_TR.UTF-8 tr_TR.ISO-8859-9 + include ../gen-locales.mk ++include ../gen-gconv-modules.mk + + $(objpfx)tst-btowc.out: $(gen-locales) + $(objpfx)tst-c16c32-1.out: $(gen-locales) +@@ -83,7 +80,7 @@ $(objpfx)tst-wcstol-locale.out: $(gen-locales) + $(objpfx)tst-wcstod-nan-locale.out: $(gen-locales) + $(objpfx)tst-c16-surrogate.out: $(gen-locales) + $(objpfx)tst-c32-state.out: $(gen-locales) +-$(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales) ++$(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales) $(gen-gconv-modules) + endif + + $(objpfx)tst-wcstod-round: $(libm) +diff --git a/wcsmbs/tst-wcsmbs-clone-overflow.c b/wcsmbs/tst-wcsmbs-clone-overflow.c +index 412e1c54085c68d5..6d8b643f48aa7775 100644 +--- a/wcsmbs/tst-wcsmbs-clone-overflow.c ++++ b/wcsmbs/tst-wcsmbs-clone-overflow.c +@@ -30,8 +30,11 @@ + static int + do_test (void) + { +- if (setlocale (LC_ALL, "de_DE.ISO-8859-1") == NULL) +- FAIL_EXIT1 ("setlocale failed, check if de_DE.ISO-8859-1 is generated"); ++ locale_t loc_obj = newlocale (LC_ALL_MASK, "de_DE.ISO-8859-1", NULL); ++ if (loc_obj == NULL) ++ FAIL_EXIT1 ("newlocale failed, check if de_DE.ISO-8859-1 is generated"); ++ ++ uselocale (loc_obj); + + wchar_t buf[32] = L"123"; + int j; +@@ -41,7 +44,7 @@ do_test (void) + FAIL_EXIT1 ("swscanf failed"); + + /* Retrieve the current gconv_fcts from the LC_CTYPE locale data. */ +- struct __locale_data *loc = _NL_CURRENT_DATA (LC_CTYPE); ++ struct __locale_data *loc = loc_obj->__locales[LC_CTYPE]; + const struct gconv_fcts *fcts = loc->private.ctype; + + TEST_VERIFY_EXIT (fcts != NULL); +@@ -50,6 +53,9 @@ do_test (void) + /* Capture the reference counter. */ + int initial_counter = fcts->towc->__counter; + ++ if (fcts->towc->__shlib_handle == NULL) ++ FAIL_EXIT1 ("__shlib_handle is NULL!"); ++ + /* Perform a second iteration of swscanf. If the stack-allocated FILE + leaks the gconv reference, the counter will increment. */ + if (swscanf (buf, L"%d", &j) < 1) diff --git a/glibc-RHEL-145156-5.patch b/glibc-RHEL-145156-5.patch new file mode 100644 index 0000000..41d91fd --- /dev/null +++ b/glibc-RHEL-145156-5.patch @@ -0,0 +1,111 @@ +test: Add gconv refcount leak test for swprintf + +Add a new internal test, tst-wcsmbs-clone-overflow-swprintf, to verify +correct gconv module reference counting for the swprintf path. + +This is the swprintf counterpart to tst-wcsmbs-clone-overflow (which +tests swscanf). The vswprintf/swprintf family creates a wide-oriented +stack-allocated FILE stream via _IO_no_init and _IO_fwide, which clones +the gconv transformation steps. This test verifies that the __counter +for gconv_fcts->towc does not leak references after swprintf returns, +confirming that _IO_wstrfile_fclose_stack properly releases the gconv +steps. + +diff --git a/wcsmbs/Makefile b/wcsmbs/Makefile +index bb03d92576700a99..252630457146de35 100644 +--- a/wcsmbs/Makefile ++++ b/wcsmbs/Makefile +@@ -60,7 +60,8 @@ tests := tst-wcstof wcsmbs-tst1 tst-wcsnlen tst-btowc tst-mbrtowc \ + xtests += test-wcsncmp-nonarray + + tests-internal += \ +- tst-wcsmbs-clone-overflow ++ tst-wcsmbs-clone-overflow \ ++ tst-wcsmbs-clone-overflow-swprintf + + include ../Rules + +@@ -81,6 +82,7 @@ $(objpfx)tst-wcstod-nan-locale.out: $(gen-locales) + $(objpfx)tst-c16-surrogate.out: $(gen-locales) + $(objpfx)tst-c32-state.out: $(gen-locales) + $(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales) $(gen-gconv-modules) ++$(objpfx)tst-wcsmbs-clone-overflow-swprintf.out: $(gen-locales) $(gen-gconv-modules) + endif + + $(objpfx)tst-wcstod-round: $(libm) +diff --git a/wcsmbs/tst-wcsmbs-clone-overflow-swprintf.c b/wcsmbs/tst-wcsmbs-clone-overflow-swprintf.c +new file mode 100644 +index 0000000000000000..daccb08e6352a943 +--- /dev/null ++++ b/wcsmbs/tst-wcsmbs-clone-overflow-swprintf.c +@@ -0,0 +1,70 @@ ++/* Test for gconv module reference counter leak in swprintf. ++ Copyright (C) 2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++/* Internal headers for accessing the gconv structures. */ ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ locale_t loc_obj = newlocale (LC_ALL_MASK, "de_DE.ISO-8859-1", NULL); ++ if (loc_obj == NULL) ++ FAIL_EXIT1 ("newlocale failed, check if de_DE.ISO-8859-1 is generated"); ++ ++ uselocale (loc_obj); ++ ++ wchar_t buf[32]; ++ ++ /* First iteration initializes the gconv functions internally. */ ++ if (swprintf (buf, sizeof (buf) / sizeof (buf[0]), L"%d", 123) < 0) ++ FAIL_EXIT1 ("swprintf failed"); ++ ++ /* Retrieve the current gconv_fcts from the LC_CTYPE locale data. */ ++ struct __locale_data *loc = loc_obj->__locales[LC_CTYPE]; ++ const struct gconv_fcts *fcts = loc->private.ctype; ++ ++ TEST_VERIFY_EXIT (fcts != NULL); ++ TEST_VERIFY_EXIT (fcts->towc != NULL); ++ ++ /* Capture the reference counter. */ ++ int initial_counter = fcts->towc->__counter; ++ ++ if (fcts->towc->__shlib_handle == NULL) ++ FAIL_EXIT1 ("__shlib_handle is NULL!"); ++ ++ /* Perform a second iteration of swprintf. If the stack-allocated FILE ++ leaks the gconv reference, the counter will increment. */ ++ if (swprintf (buf, sizeof (buf) / sizeof (buf[0]), L"%d", 456) < 0) ++ FAIL_EXIT1 ("swprintf failed"); ++ ++ /* The counter should be unchanged, as _IO_wstrfile_fclose_stack should ++ have decremented it correctly. */ ++ TEST_COMPARE (fcts->towc->__counter, initial_counter); ++ ++ return 0; ++} ++ ++#include