Partial backport (without ABI changes, using libc_nonshared.a instead) of: commit 090dfa40a5e46f7c0e4d6e8369bcbbd51267625f Author: Frédéric Bérat Date: Fri Mar 7 18:16:30 2025 +0100 Add _FORTIFY_SOURCE support for inet_ntop - Create the __inet_ntop_chk routine that verifies that the builtin size of the destination buffer is at least as big as the size given by the user. - Redirect calls from inet_ntop to __inet_ntop_chk or __inet_ntop_warn - Update the abilist (Dropped) for this new routine - Update the manual to mention the new fortification Reviewed-by: Florian Weimer Conflicts: debug/inet_ntop_chk.c (attribute_hidden added, use inet_ntop instead of __inet_ntop) debug/Makefile (Routine added to static-only-routines) debug/Versions (Dropped) inet/bits/inet-fortified.h (removed attribute_overloadable and clang specific handling) sysdeps/mach/hurd/i386/libc.abilist sysdeps/mach/hurd/x86_64/libc.abilist sysdeps/unix/sysv/linux/aarch64/libc.abilist sysdeps/unix/sysv/linux/alpha/libc.abilist sysdeps/unix/sysv/linux/arc/libc.abilist sysdeps/unix/sysv/linux/arm/be/libc.abilist sysdeps/unix/sysv/linux/arm/le/libc.abilist sysdeps/unix/sysv/linux/csky/libc.abilist sysdeps/unix/sysv/linux/hppa/libc.abilist sysdeps/unix/sysv/linux/i386/libc.abilist sysdeps/unix/sysv/linux/loongarch/lp64/libc.abilist sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist sysdeps/unix/sysv/linux/microblaze/be/libc.abilist sysdeps/unix/sysv/linux/microblaze/le/libc.abilist sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist sysdeps/unix/sysv/linux/or1k/libc.abilist sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist sysdeps/unix/sysv/linux/powerpc/powerpc64/be/libc.abilist 
sysdeps/unix/sysv/linux/powerpc/powerpc64/le/libc.abilist sysdeps/unix/sysv/linux/riscv/rv32/libc.abilist sysdeps/unix/sysv/linux/riscv/rv64/libc.abilist sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist sysdeps/unix/sysv/linux/sh/be/libc.abilist sysdeps/unix/sysv/linux/sh/le/libc.abilist sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist sysdeps/unix/sysv/linux/x86_64/64/libc.abilist sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist (Dropped)
diff --git a/debug/Makefile b/debug/Makefile
index 76c311d2845df9c1..db9a400711a2ce91 100644
--- a/debug/Makefile
+++ b/debug/Makefile
@@ -119,7 +119,10 @@ routines = \
 wmemset_chk \
 wprintf_chk \
 # routines
-static-only-routines := stack_chk_fail_local
+static-only-routines := \
+ inet_ntop_chk \
+ stack_chk_fail_local \
+ # static-only-routines
 # Don't add stack_chk_fail_local.o to libc.a since __stack_chk_fail_local
 # is an alias of __stack_chk_fail in stack_chk_fail.o.
diff --git a/debug/inet_ntop_chk.c b/debug/inet_ntop_chk.c
new file mode 100644
index 0000000000000000..8a3994dd3fc9bfe4
--- /dev/null
+++ b/debug/inet_ntop_chk.c
@@ -0,0 +1,31 @@
+/* Copyright (C) 2025 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ . */
+
+#include
+#include
+
+attribute_hidden
+const char *
+__inet_ntop_chk (int af, const void *src, char *dst,
+ socklen_t size, size_t dst_size)
+{
+ if (size > dst_size)
+ __chk_fail ();
+
+ return inet_ntop (af, src, dst, size);
+}
+libc_hidden_def (__inet_ntop_chk)
diff --git a/debug/tst-fortify.c b/debug/tst-fortify.c
index ae738ff10a305575..f9b97531749d363b 100644
--- a/debug/tst-fortify.c
+++ b/debug/tst-fortify.c
@@ -23,6 +23,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1832,6 +1833,26 @@ do_test (void)
 # endif
 #endif
+ struct in6_addr addr6 = {};
+ struct in_addr addr = {};
+ char addrstr6[INET6_ADDRSTRLEN];
+ char addrstr[INET_ADDRSTRLEN];
+
+ if (inet_ntop (AF_INET6, &addr6, addrstr6, sizeof (addrstr6)) == NULL)
+ FAIL ();
+ if (inet_ntop (AF_INET, &addr, addrstr, sizeof (addrstr)) == NULL)
+ FAIL ();
+
+#if __USE_FORTIFY_LEVEL >= 1
+ CHK_FAIL_START
+ inet_ntop (AF_INET6, &addr6, buf, INET6_ADDRSTRLEN);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ inet_ntop (AF_INET, &addr, buf, INET_ADDRSTRLEN);
+ CHK_FAIL_END
+#endif
+
 return ret;
 }
diff --git a/include/arpa/inet.h b/include/arpa/inet.h
index d9e55a3c7f2db9f2..a02892f48a27454e 100644
--- a/include/arpa/inet.h
+++ b/include/arpa/inet.h
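Review bot: `__inet_ntop_chk` in debug/inet_ntop_chk.c has no comment stating its contract, and the file's opening comment begins at the copyright line without a one-line description of the file. I would add above the function `/* Abort through __chk_fail if SIZE, the length the caller passes to inet_ntop, exceeds DST_SIZE, the size of DST as known to the compiler; otherwise behave as inet_ntop.  */`. It is also worth saying there that the check only catches a length argument larger than the destination object; a buffer that is honestly sized but too short for the address family is still handled by inet_ntop's own ENOSPC path, not by fortification.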
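Review bot: The two positive-path calls added to `do_test` only check for a non-NULL return, so a fortified wrapper that forwarded the wrong buffer or length could still pass. Comparing the output would pin the behaviour, e.g. `if (strcmp (addrstr6, "::") != 0) FAIL ();` and `if (strcmp (addrstr, "0.0.0.0") != 0) FAIL ();` (string.h is presumably already included by this test). The two CHK_FAIL cases rely on `buf` being smaller than `INET_ADDRSTRLEN`; `buf` is declared outside this hunk, so a short comment such as `/* buf is smaller than INET_ADDRSTRLEN, so both calls must trap.  */` would make that assumption visible. do_test begins outside the hunk.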
@@ -3,12 +3,18 @@
 #include
 #ifndef _ISOMAC
+/* Declare functions with security checks.
+ This needs to be included unconditionally as these definition are needed even
+ when fortification is disabled in inet/arpa/inet.h. */
+#include
+
 /* Variant of inet_aton which rejects trailing garbage. */
 extern int __inet_aton_exact (const char *__cp, struct in_addr *__inp);
 libc_hidden_proto (__inet_aton_exact)
 extern __typeof (inet_ntop) __inet_ntop;
 libc_hidden_proto (__inet_ntop)
+libc_hidden_proto (__inet_ntop_chk)
 libc_hidden_proto (inet_pton)
 extern __typeof (inet_pton) __inet_pton;
diff --git a/include/bits/inet-fortified-decl.h b/include/bits/inet-fortified-decl.h
new file mode 100644
index 0000000000000000..e6ad4d4663c61a0d
--- /dev/null
+++ b/include/bits/inet-fortified-decl.h
@@ -0,0 +1 @@
+#include
diff --git a/include/bits/inet-fortified.h b/include/bits/inet-fortified.h
new file mode 100644
index 0000000000000000..abba7c57014c2a23
--- /dev/null
+++ b/include/bits/inet-fortified.h
@@ -0,0 +1 @@
+#include
diff --git a/inet/Makefile b/inet/Makefile
index cb97b45f0f9d223f..01208235c4f800bb 100644
--- a/inet/Makefile
+++ b/inet/Makefile
@@ -25,6 +25,8 @@ include ../Makeconfig
 headers := \
 $(wildcard arpa/*.h protocols/*.h) \
 bits/in.h \
+ bits/inet-fortified-decl.h \
+ bits/inet-fortified.h \
 ifaddrs.h \
 netinet/ether.h \
 netinet/icmp6.h \
diff --git a/inet/arpa/inet.h b/inet/arpa/inet.h
index c005340a8004dcaf..2b8eac147280306e 100644
--- a/inet/arpa/inet.h
+++ b/inet/arpa/inet.h
@@ -101,6 +101,11 @@ extern char *inet_nsap_ntoa (int __len, const unsigned char *__cp,
 char *__buf) __THROW;
 #endif
+#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function
+/* Include functions with security checks. */
+# include
+#endif
+
 __END_DECLS
 #endif /* arpa/inet.h */
diff --git a/inet/bits/inet-fortified-decl.h b/inet/bits/inet-fortified-decl.h
new file mode 100644
index 0000000000000000..23e3cf4b2238c81a
--- /dev/null
+++ b/inet/bits/inet-fortified-decl.h
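Review bot: The comment added at the top of the `_ISOMAC` block in include/arpa/inet.h says "these definition are needed" without naming what needs them, and the header it pulls in holds declarations rather than definitions. I would reword it to `This needs to be included unconditionally, as these declarations are needed inside libc even when fortification is disabled in inet/arpa/inet.h.` and name the consumer, presumably debug/inet_ntop_chk.c. The same hunk adds `libc_hidden_proto (__inet_ntop_chk)` while this backport defines the function with `attribute_hidden` as a static-only routine; a one-line comment next to the proto explaining why both are kept would help the next person rebasing the patch.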
@@ -0,0 +1,35 @@
+/* Declarations of checking macros for inet functions.
+ Copyright (C) 2025 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ . */
+
+#ifndef _BITS_INET_FORTIFIED_DEC_H
+#define _BITS_INET_FORTIFIED_DEC_H 1
+
+#ifndef _ARPA_INET_H
+# error "Never include directly; use instead."
+#endif
+
+extern const char *__inet_ntop_chk (int, const void *, char *, socklen_t, size_t);
+
+extern const char *__REDIRECT_FORTIFY_NTH (__inet_ntop_alias,
+ (int, const void *, char *, socklen_t), inet_ntop);
+extern const char *__REDIRECT_NTH (__inet_ntop_chk_warn,
+ (int, const void *, char *, socklen_t, size_t), __inet_ntop_chk)
+ __warnattr ("inet_ntop called with bigger length than "
+ "size of destination buffer");
+
+#endif /* bits/inet-fortified-decl.h. */
diff --git a/inet/bits/inet-fortified.h b/inet/bits/inet-fortified.h
new file mode 100644
index 0000000000000000..af26f36ef6ae0533
--- /dev/null
+++ b/inet/bits/inet-fortified.h
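Review bot: The include guard in inet/bits/inet-fortified-decl.h is spelled `_BITS_INET_FORTIFIED_DEC_H`, which does not match the file name; `_BITS_INET_FORTIFIED_DECL_H` on both the `#ifndef` and the `#define` line would follow the naming used by the sibling header's `_BITS_INET_FORTIFIED_H`. The `__inet_ntop_chk` prototype also lists two trailing size arguments with no names, so a reader cannot tell which one is the caller's length and which is the object size. A comment such as `/* Arguments: af, src, dst, caller-supplied length, compiler-known size of dst.  */` above it would remove the ambiguity, since swapping the two would silently disable the check.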
@@ -0,0 +1,37 @@
+/* Checking macros for inet functions.
+ Copyright (C) 2025 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ . */
+
+#ifndef _BITS_INET_FORTIFIED_H
+#define _BITS_INET_FORTIFIED_H 1
+
+#ifndef _ARPA_INET_H
+# error "Never include directly; use instead."
+#endif
+
+#include
+
+__fortify_function const char *
+__NTH (inet_ntop (int __af, const void * __restrict __src,
+ char *__restrict __dst, socklen_t __dst_size))
+{
+ return __glibc_fortify (inet_ntop, __dst_size, sizeof (char),
+ __glibc_objsize (__dst),
+ __af, __src, __dst, __dst_size);
+};
+
+#endif /* bits/inet-fortified.h. */
diff --git a/manual/maint.texi b/manual/maint.texi
index 04faa222e2bd2fc4..ce6a556c68925b49 100644
--- a/manual/maint.texi
+++ b/manual/maint.texi
@@ -303,6 +303,8 @@ The following functions and macros are fortified in @theglibc{}:
 @item @code{getwd}
+@item @code{inet_ntop}
+
 @item @code{longjmp}
 @item @code{mbsnrtowcs}
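Review bot: The fortified `inet_ntop` wrapper in inet/bits/inet-fortified.h closes with `};`, which leaves a stray empty declaration at file scope in an installed header; the closing line should be just `}`. The parameter name `__dst_size` is also easy to misread, because here it is the caller-supplied length while the real object size comes from `__glibc_objsize (__dst)`, and `__inet_ntop_chk` uses `dst_size` for the opposite quantity. Renaming it to something like `__size`, or adding `/* __dst_size is the length the caller claims; __glibc_objsize (__dst) is what the compiler can prove.  */`, would keep the two apart. When the object size is unknown to the compiler, no check is expected to be emitted, so the comment could also state that fortification is best-effort here.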