Commit Graph

27098 Commits

Author SHA1 Message Date
Philip Withnall
c2dc74e2ec gvariant: Cut allocs of default values for children of non-normal arrays
This improves a slow case in `g_variant_get_normal_form()` where
allocating many identical default values for the children of a
variable-sized array which has a malformed offset table would take a lot
of time.

The fix is to make all child values after the first invalid one be
references to the default value emitted for the first invalid one,
rather than identical new `GVariant`s.

In particular, this fixes a case where an attacker could create an array
of length L of very large tuples of size T each, corrupt the offset table
so they don’t have to specify the array content, and then induce
`g_variant_get_normal_form()` into allocating L×T default values from an
input which is significantly smaller than L×T in length.

A pre-existing workaround for this issue is for code to call
`g_variant_is_normal_form()` before calling
`g_variant_get_normal_form()`, and to skip the latter call if the former
returns false. This commit improves the behaviour in the case that
`g_variant_get_normal_form()` is called anyway.

This fix changes the time to run the `fuzz_variant_binary` test on the
testcase from oss-fuzz#19777 from >60s (before being terminated) with
2.3GB of memory usage and 580k page faults; to 32s, 8.3MB of memory
usage and 1500 page faults (as measured by `time -v`).

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2540
oss-fuzz#19777
2022-12-13 18:15:20 +00:00
Philip Withnall
168f9b42e5 gvariant: Add internal g_variant_maybe_get_child_value()
This will be used in a following commit.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2540
2022-12-13 18:15:19 +00:00
Philip Withnall
e6490c84e8 gvariant: Port g_variant_deep_copy() to count its iterations directly
This is equivalent to what `GVariantIter` does, but it means that
`g_variant_deep_copy()` is making its own `g_variant_get_child_value()`
calls.

This will be useful in an upcoming commit, where those child values will
be inspected a little more deeply.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:15:19 +00:00
Philip Withnall
35dee77ed8 gvariant: Clarify the docs for g_variant_get_normal_form()
Document how non-normal parts of the `GVariant` are handled.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2022-12-13 18:15:19 +00:00
Philip Withnall
4c0ddb26bc tests: Disable some random instance tests of GVariants
Building a `GVariant` using entirely random data may result in a
non-normally-formed `GVariant`. It’s always possible to read these
`GVariant`s, but the API might return default values for some or all of
their components.

In particular, this can easily happen when randomly generating the
offset tables for non-fixed-width container types.

If it does happen, bytewise comparison of the parsed `GVariant` with the
original bytes will not always match. So skip those checks.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:15:19 +00:00
Philip Withnall
6fa41d5bf6 tests: Add another test for overlapping offsets in GVariant
Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #2121
2022-12-13 18:15:19 +00:00
Philip Withnall
d1a293c4e2 gvariant: Track checked and ordered offsets independently
The past few commits introduced the concept of known-good offsets in the
offset table (which is used for variable-width arrays and tuples).
Good offsets are ones which are non-overlapping with all the previous
offsets in the table.

If a bad offset is encountered when indexing into the array or tuple,
the cached known-good offset index will not be increased. In this way,
all child variants at and beyond the first bad offset can be returned as
default values rather than dereferencing potentially invalid data.

In this case, there was no information about the fact that the indexes
between the highest known-good index and the requested one had been
checked already. That could lead to a pathological case where an offset
table with an invalid first offset is repeatedly checked in full when
trying to access higher-indexed children.

Avoid that by storing the index of the highest checked offset in the
table, as well as the index of the highest good/ordered offset.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:15:19 +00:00
Philip Withnall
7cf6f5b691 gvariant: Don’t allow child elements of a tuple to overlap each other
This is similar to the earlier commit which prevents child elements of a
variable-sized array from overlapping each other, but this time for
tuples. It is based heavily on ideas by William Manley.

Tuples are slightly different from variable-sized arrays in that they
contain a mixture of fixed and variable sized elements. All but one of
the variable sized elements have an entry in the frame offsets table.
This means that if we were to just check the ordering of the frame
offsets table, the variable sized elements could still overlap
interleaving fixed sized elements, which would be bad.

Therefore we have to check the elements rather than the frame offsets.

The logic of checking the elements up to the index currently being
requested, and caching the result in `ordered_offsets_up_to`, means that
the algorithmic cost implications are the same for this commit as for
variable-sized arrays: an O(N) cost for these checks is amortised out
over N accesses to O(1) per access.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2121
2022-12-13 18:15:17 +00:00
Philip Withnall
73d0aa81c2 gvariant-serialiser: Rework child size calculation
This reduces a few duplicate calls to `g_variant_type_info_query()` and
explains why they’re needed.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:14:30 +00:00
Philip Withnall
345cae9c1a gvariant-serialiser: Factor out code to get bounds of a tuple member
This introduces no functional changes.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:14:30 +00:00
William Manley
ade71fb544 gvariant: Don’t allow child elements to overlap with each other
If different elements of a variable sized array can overlap with each
other then we can cause a `GVariant` to normalise to a much larger type.

This commit changes the behaviour of `GVariant` with non-normal form data. If
an invalid frame offset is found all subsequent elements are given their
default value.

When retrieving an element at index `n` we scan the frame offsets up to index
`n` and if they are not in order we return an element with the default value
for that type.  This guarantees that elements don't overlap with each
other.  We remember the offset we've scanned up to so we don't need to
repeat this work on subsequent accesses.  We skip these checks for trusted
data.

Unfortunately this makes random access of untrusted data O(n) — at least
on first access.  It doesn't affect the algorithmic complexity of accessing
elements in order, such as when using the `GVariantIter` interface.  Also:
the cost of validation will be amortised as the `GVariant` instance is
continued to be used.

I've implemented this with 4 different functions, 1 for each element size,
rather than looping calling `gvs_read_unaligned_le` in the hope that the
compiler will find it easy to optimise and should produce fairly tight
code.

Fixes: #2121
2022-12-13 18:14:26 +00:00
Philip Withnall
298a537d5f gvariant: Zero-initialise various GVariantSerialised objects
The following few commits will add a couple of new fields to
`GVariantSerialised`, and they should be zero-filled by default.

Try and pre-empt that a bit by zero-filling `GVariantSerialised` by
default in a few places.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 17:36:33 +00:00
William Manley
446e69f5ed gvariant-serialiser: Factor out functions for dealing with framing offsets
This introduces no functional changes.

Helps: #2121
2022-12-13 17:36:33 +00:00
William Manley
1deacdd4e8 gvariant-core: Consolidate construction of GVariantSerialised
So I only need to change it in one place.

This introduces no functional changes.

Helps: #2121
2022-12-13 17:36:33 +00:00
Emmanuele Bassi
782b5cbee5 Merge branch 'mkenums-docs' into 'main'
docs: Remove a stray > in the glib-mkenums man page

See merge request GNOME/glib!3112
2022-12-13 17:15:33 +00:00
Marco Trevisan
9d51f98ecb Merge branch '2836-uninit-fds' into 'main'
tests: Fix use of three uninitialised array elements in spawn-singlethread

Closes #2836

See merge request GNOME/glib!3123
2022-12-13 16:24:13 +00:00
Marco Trevisan
a9e8b3f7e4 Merge branch '2837-test-timeouts' into 'main'
tests: Increase a timeout in contexts test

Closes #2837

See merge request GNOME/glib!3122
2022-12-13 14:57:44 +00:00
Philip Withnall
d5011f91a8 tests: Fix use of three uninitialised array elements in spawn-singlethread
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2836
2022-12-13 14:49:23 +00:00
Sebastian Dröge
a79c6af23e glib/gthread-posix: Conditionally use futex and/or futex_time64 syscalls as necessary and use the correct struct timespec definition
On some systems only `futex_time64` exists (e.g. riscv32) while on
others only `futex` exists (old Linux, 64 bit platforms), so it is
necessary to check for both and try calling both at runtime.

Additionally use the correct `struct timespec` definition. There is not
necessarily any relation between the libc's definition and the kernel's.

Specifically, the libc headers might use 64-bit `time_t` while the kernel
headers use 32-bit `__kernel_old_time_t` on certain systems.

To get around this problem we
  a) check if `futex_time64` is available, which only exists on 32-bit
     platforms and always uses 64-bit `time_t`.
  b) otherwise (or if that returns `ENOSYS`), we call the normal `futex`
     syscall with the `struct timespec` used by the kernel, which uses
     `__kernel_long_t` for both its fields. We use that instead of
     `__kernel_old_time_t` because it is equivalent and available in the
     kernel headers for a longer time.
2022-12-13 16:45:57 +02:00
Philip Withnall
cad9256c3d tests: Increase a timeout in contexts test
The timeout is just to stop the test hanging forever, so there’s no need
for it to be so short. It’s caused at least one spurious CI failure:
https://gitlab.gnome.org/GNOME/glib/-/jobs/2445023.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2837
2022-12-13 14:07:58 +00:00
Sebastian Dröge
f67e8636da glib/gthread-posix: Use cc.compiles() instead of cc.links() for checking for __NR_futex
`cc.compiles()` is minimally faster.

We only want to check here whether `__NR_futex` is defined and don't
want to check anything at link-time.
2022-12-13 15:06:21 +02:00
Philip Withnall
3c15df01c8 Merge branch 'wip/3v1n0/desktop-app-info-fail-on-not-existent' into 'main'
gdesktopappinfo: Fail early if trying to launch an invalid executable and always use desktop Path and context $PATH

See merge request GNOME/glib!3042
2022-12-13 13:01:09 +00:00
Philip Withnall
4ffb320e37 Merge branch 'final-type-check-2' into 'main'
gtype: Speed up type checking for final types

See merge request GNOME/glib!2728
2022-12-13 12:49:23 +00:00
Philip Withnall
a4c33bd621 Merge branch 'mcatanzaro/#2769' into 'main'
Failure to set thread scheduler settings should be fatal

Closes #2769

See merge request GNOME/glib!3121
2022-12-13 12:48:29 +00:00
Marco Trevisan (Treviño)
f6ac7bc907 gtype: Use is_final node bit to check if a type can be derived
2022-12-12 19:40:58 +01:00
Michael Catanzaro
d900d0efce Revert "GThread: Don't g_error() if setting the thread scheduler settings fails"
This reverts commit 965061797d.

We are having trouble tracking down the cause of #2769. When the bug
occurs, we fail to set scheduler settings for the new thread pool
thread. This can have serious consequences and should not be ignored. In
retrospect, making this a critical instead of a fatal error has made it
more difficult to notice, debug, and fix. This operation needs to always
work, so let's crash when it fails.

This does not fix #2769, but will hopefully help.
2022-12-12 12:39:46 -06:00
Michael Catanzaro
4d172a2015 Revert "gthread: Only print scheduler setting warnings once"
This reverts commit c8840ff9a8.
2022-12-12 12:39:25 -06:00
Marco Trevisan (Treviño)
5dc8d2ca00 gtype: Simplify g_type_test_flags() for node flags checks only
And this will affect G_TYPE_IS_FINAL, G_TYPE_IS_CLASSED,
G_TYPE_IS_INSTANTIATABLE and mixes of them.
2022-12-12 19:03:48 +01:00
Matthias Clasen
a31b042dfc gtype: Speed up type checking for final types
Store the final flag directly in the TypeNode,
so we can get it cheaply, and use it to speed
up g_type_instance_is_a for final types.
2022-12-12 19:03:48 +01:00
Marco Trevisan (Treviño)
6a0591f06c gobject/tests/type-flags: Add tests for final type flags
Ensure that the final flag is properly checked and used.
2022-12-12 19:03:48 +01:00
Marco Trevisan
7bb0261407 Merge branch 'ebassi/notify-queue-finalize-warning' into 'main'
Improve notification queue warning

See merge request GNOME/glib!3119
2022-12-12 16:01:59 +00:00
Emmanuele Bassi
fde157ace4 Improve notification queue warning
Instead of a plain reference count check failure that is really hard to
understand, let's be explicit, and warn that manipulating an object's
notification queue during its finalization is not allowed.
2022-12-12 15:01:19 +00:00
Marco Trevisan (Treviño)
511d1cad02 gdesktopappinfo: Fail early if trying to launch an invalid executable
GDesktopAppInfo never failed in the simplest of cases: when a
desktop file or a command line app info was pointing to an invalid
executable (for the context).

The reason for this is that we're launching all the programs using
gio-launch-desktop which will always exist in a sane GLib installation,
and thus our call to execvp won't ever fail on failure.

This was partially mitigated by not allowing the creation of a desktop app
icon using a non-existent executable (even if not fully correctly), but it
still did not work in case a custom PATH was provided in the launch
context.

To avoid this, use g_find_program_for_path() to find early if a program
that we're about to launch is available, and if it's not the case return
the same error that g_spawn_async_with_fds() would throw in such cases.

While this slows our preparation phase a bit, it avoids leaving to the
exec function the job of finding where our program is.

Add tests simulating this behavior.
2022-12-12 15:58:13 +01:00
Marco Trevisan (Treviño)
da8aa0b66d desktop-app-info: Use launch context PATH and desktop Path to find terminals
We used to launch applications with terminals using the normal program
finder logic that did not consider the context path nor the desktop file
working dir. Switch to g_find_program_for_path() to find terminals so we
can ensure that both conditions are true.

Update tests to consider this case too.
2022-12-12 15:58:13 +01:00
Marco Trevisan (Treviño)
e41e3dc601 gdesktopappinfo: Take into account the desktop Path to find executables
Desktop files can provide the executable working path and that can be
used to pick the file to launch.

So take it into account.
2022-12-12 15:58:13 +01:00
Marco Trevisan (Treviño)
7bac92a2bb gutils: Split g_find_program_path() to make it more flexible and testable
Split g_find_program_path() into g_find_program_for_path(), which supports
passing path arguments and providing a custom working directory.

Add tests to cover the cases we were not covering before.
2022-12-12 15:58:13 +01:00
Philip Withnall
34618aea70 Merge branch 'gdbinit' into 'main'
tests: fix assert-msg-test with custom gdbinit

See merge request GNOME/glib!3117
2022-12-12 14:01:47 +00:00
Philip Withnall
7cd0750a41 Merge branch 'spawn-check-privfds' into 'main'
glib/spawn: check user source_fds doesn't contain private fds

See merge request GNOME/glib!2479
2022-12-12 13:53:59 +00:00
Marc-André Lureau
5f21c8da1c glib/tests: add /gthread/spawn-async-with-invalid-fds
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2022-12-12 17:41:12 +04:00
Marc-André Lureau
d8448636b4 glib/spawn: check user source_fds doesn't contain private fds
If the user provided source_fds set contains internal fds, this is a
programmer mistake. We can avoid further damage by preventing this
situation.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2022-12-12 11:28:58 +04:00
Marc-André Lureau
13acc3176b tests: fix assert-msg-test with custom gdbinit
As recommended by GDB on Fedora, I have "set debuginfod enabled on" in
my .gdbinit. However, this makes assert-msg-test time out.

Let's ignore user gdbinit for the test, as this shouldn't be required
and can easily break the test.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2022-12-12 10:53:47 +04:00
Olga Smirnova
8df369612d Add Interlingue translation
(cherry picked from commit 17672aeb4d)
2022-12-12 00:16:24 +00:00
Philip Withnall
0f6f5d0b3a Merge branch 'ebassi/no-hacking' into 'main'
docs: Remove HACKING

See merge request GNOME/glib!3116
2022-12-09 15:25:09 +00:00
Emmanuele Bassi
a9d75f19e7 docs: Remove HACKING
The process of contributing to GLib is already outlined in the
contribution guide, and the HACKING file is just referencing out of date
dependencies.
2022-12-09 12:25:40 +00:00
Philip Withnall
febe922602 Merge branch '1904-action-crashes' into 'main'
gaction: Validate actions activated over D-Bus

Closes #1904

See merge request GNOME/glib!3113
2022-12-09 11:04:02 +00:00
Philip Withnall
191e89878d tests: Add basic GApplicationCommandLine unit tests
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2022-12-09 10:45:21 +00:00
Philip Withnall
c0eef5e226 gapplication: Validate types of well-known platform data keys
The platform data comes from the parent process, which should normally
be considered trusted (if we don’t trust it, it can do all sorts of
other things to mess this process up, such as setting
`LD_LIBRARY_PATH`).

However, it can also come from any process which calls `CommandLine`
over D-Bus, so always has to be able to handle untrusted input. In
particular, `v`-typed `GVariant`s must always have their dynamic type
validated before having values of a static type retrieved from them.

Includes unit tests.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #1904
2022-12-09 10:45:21 +00:00
Philip Withnall
eb0d9e709a gapplication: Document that command line options must be validated
They come from an external process, so they must be validated.

In particular, it’s always easy to forget to validate the type of a
`GVariant`, and just try to get the stored value using a well-known
type; but that’s a programming error if the `GVariant` actually stores a
different type. Always check the variant type first if loading from a
`v`.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #1904
2022-12-09 10:45:21 +00:00
Philip Withnall
83c11637ba gfdonotificationbackend: Validate actions before activating them
These actions are activated as a result of receiving the `ActionInvoked`
signal from `org.freedesktop.Notifications`. As that’s received from
another process over D-Bus, it’s feasible that it could be malformed.
Without validating the action and its parameter, assertions will be hit
within the `GAction` code.

While we should be able to trust whatever process owns
`org.freedesktop.Notifications`, it’s possible that’s not the case, so
best validate what we receive.

Includes unit tests.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #1904
2022-12-09 10:45:21 +00:00
Philip Withnall
08012bd3e0 tests: Add stub tests for GFdoNotificationBackend
This test is fairly pointless, but puts the infrastructure in place for
adding more tests for `GFdoNotificationBackend` in upcoming commits.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #1904
2022-12-09 10:45:21 +00:00