Commit Graph

22341 Commits

Author SHA1 Message Date
Philip Withnall
be8834340a gio: Use g_memdup2() instead of g_memdup() in obvious places
Convert all the call sites which use `g_memdup()`’s length argument
trivially (for example, by passing a `sizeof()`), so that they use
`g_memdup2()` instead.

In almost all of these cases the use of `g_memdup()` would not have
caused problems, but it will soon be deprecated, so best port away from
it.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 17:51:01 +00:00
Philip Withnall
5e5f75a77e gstrfuncs: Add internal g_memdup2() function
This will replace the existing `g_memdup()` function for use within
GLib. It has an unavoidable security flaw of taking its `byte_size`
argument as a `guint` rather than as a `gsize`. Most callers will
expect it to be a `gsize`, and may pass in large values which could
silently be truncated, resulting in an undersize allocation compared
to what the caller expects.

This could lead to a classic buffer overflow vulnerability for many
callers of `g_memdup()`.

`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.

Spotted by Kevin Backhouse of GHSL.

In GLib 2.68, `g_memdup2()` will be a new public API. In this version
for backport to older stable releases, it’s a new `static inline` API
in a private header, so that use of `g_memdup()` within GLib can be
fixed without adding a new API in a stable release series.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: GHSL-2021-045
Helps: #2319
2021-02-04 17:06:04 +00:00
Philip Withnall
79c5866d31 2.66.5
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-02-03 15:27:28 +00:00
Simon McVittie
0051c06355 Merge branch 'backport-1920-setgid-dbus-session-glib-2-66' into 'glib-2-66'
Backport !1920 “Resolve GDBus regressions in setcap/setgid programs” to glib-2-66

See merge request GNOME/glib!1922
2021-02-03 12:07:51 +00:00
Simon McVittie
3f11992875 gdbus: Use DBUS_SESSION_BUS_ADDRESS if AT_SECURE but not setuid
This is against my better judgement, but it's the least bad regression
fix I can think of. If we don't do this, at least gnome-keyring-daemon
(setcap) and msmtp (setgid) are known to regress.

Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2305
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981420
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981555
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-03 11:49:45 +00:00
Simon McVittie
375cbee175 gdbus: Rename a variable to be less misleading
We're using "setuid" here as shorthand for any elevated privileges
that should make us distrust the caller: setuid, setgid, filesystem
capabilities, more obscure Linux things that set the AT_SECURE flag
(such as certain AppArmor transitions), and their equivalents on
other operating systems. This is fine if we do it consistently, but
I'm about to add a check for whether we are *literally* setuid,
which would be particularly confusing without a rename.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-03 11:49:45 +00:00
Simon McVittie
72eadbde6b gdbus: Improve readability by avoiding ternary operator
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-03 11:49:45 +00:00
Sebastian Dröge
894396dc45 Merge branch 'backport-1902-spawn-path-fix-glib-2-66' into 'glib-2-66'
Backport !1902 “spawn: Don't set a search path if we don't want to search PATH” to glib-2-66

See merge request GNOME/glib!1913
2021-02-02 10:48:31 +00:00
Simon McVittie
9eb4fe3c00 Expand test coverage for G_SPAWN_SEARCH_PATH
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 12:00:05 +00:00
Thomas Haller
8a3c3b8cd9 spawn: prefer allocating buffers on stack for small sizes to avoid valgrind leaks
We preallocate buffers that are used after forked. That is because
malloc()/free() are not async-signal-safe and must not be used between
fork() and exec().

However, for the child process that exits without fork, valgrind wrongly
reports these buffers as leaked.
That can be suppressed with "--child-silent-after-fork=yes", but it is
cumbersome.

Work around by trying to allocate the buffers on the stack. At
least in the common cases where the pointers are small enough
so that we can reasonably do that.

If the buffers happen to be large, we still allocate them on the heap
and the problem still happens. Maybe we could have also allocated them
as thread_local, but currently glib doesn't use that.

[smcv: Cosmetic adjustments to address review comments from pwithnall]
2021-02-01 12:00:05 +00:00
Simon McVittie
136a9d7ffd Add test coverage for G_SPAWN_SEARCH_PATH
For manual test coverage that would reproduce the bug fixed in !1902,
copy /bin/true (or any other harmless executable) to
/usr/bin/spawn-test-helper.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 12:00:05 +00:00
Simon McVittie
0d50c6bbe6 spawn: Don't set a search path if we don't want to search PATH
do_exec() and g_execute() rely on being passed a NULL search path
if we intend to avoid searching the PATH, but since the refactoring
in commit 62ce66d4, this was never done. This resulted in some spawn
calls searching the PATH when it was not intended.

Spawn calls that go through the posix_spawn fast-path were unaffected.

The deprecated gtester utility, as used in GTK 3, relies on the
ability to run an executable from the current working directory by
omitting the G_SPAWN_SEARCH_PATH flag. This *mostly* worked, because
our fallback PATH ends with ".". However, if an executable of the
same name existed in /usr/bin or /bin, it would run that instead of the
intended test: in particular, GTK 3's build-time tests failed if
ImageMagick happens to be installed, because gtester would accidentally
run display(1) instead of testsuite/gdk/display.

Fixes: 62ce66d4 "gspawn: Don’t use getenv() in async-signal-safe context"
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977961
2021-02-01 12:00:05 +00:00
Emmanuele Bassi
872181c4f8 Merge branch 'backport-1868-desktop-parsing-glib-2-66' into 'glib-2-66'
Backport !1868 “gdesktopappinfo: Fix validation of XDG_CURRENT_DESKTOP” to glib-2-66

See merge request GNOME/glib!1872
2021-01-11 12:30:32 +00:00
Krzesimir Nowak
4963b48a84 tests: Update the expected count in file test
We added another desktop file, so update the file count.
2021-01-11 12:04:00 +00:00
Krzesimir Nowak
6f6dfc9487 gdesktopappinfo: Fix validation of XDG_CURRENT_DESKTOP
Split out XDG_CURRENT_DESKTOP handling to a separate function and make
sure that it drops all the invalid entries properly. Earlier a bad
entry could slip through the checks by sitting just after another bad
entry, like in env being set to `invalid1!:invalid2!`, where
`invalid2!` could slip the checks.
2021-01-11 12:04:00 +00:00
Sebastian Dröge
13732f800c Merge branch 'backport-1862-gio-envvars-glib-2-66' into 'glib-2-66'
Backport !1862 “gio: Ignore various environment variables when running as setuid” to glib-2-66

See merge request GNOME/glib!1864
2021-01-08 09:10:15 +00:00
Philip Withnall
20387ee6b1 gsettingsschema: Ignore GSETTINGS_SCHEMA_DIR when running setuid
As with previous commits, this could have been used to load private data
for an unprivileged caller.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2168
2021-01-07 17:14:12 +00:00
Philip Withnall
55233b6e14 gresource: Ignore G_RESOURCE_OVERLAYS when running as setuid
It could have been used to load private data which would not normally be
accessible to an unprivileged caller.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2168
2021-01-07 17:14:12 +00:00
Philip Withnall
661ae020bd gdesktopappinfo: Validate XDG_CURRENT_DESKTOP before using it
Its components are used to build filenames, so if the value of
`XDG_CURRENT_DESKTOP` comes from an untrusted caller (as can happen in
setuid programs), using it unvalidated may be unsafe.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2168
2021-01-07 17:14:12 +00:00
Philip Withnall
b52da3d259 gdbusaddress: Ignore D-Bus addresses from the environment when setuid
As with the previous commit, it’s unsafe to trust the environment when
running as setuid, as it comes from an untrusted caller. In particular,
with D-Bus, the caller could set up a fake ‘system’ bus which fed
incorrect data to this process.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2168
2021-01-07 17:14:12 +00:00
Philip Withnall
5bdda2a6b5 giomodule: Ignore GIO_MODULE_DIR when running as setuid
Even if the modules in the given directory never get chosen to be used,
loading arbitrary code from a user-provided directory is not safe when
running as setuid, as the process’ environment comes from an untrusted
source.

Also ignore `GIO_EXTRA_MODULES`.

Spotted by Simon McVittie.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2168
2021-01-07 17:14:12 +00:00
Philip Withnall
a7ad3fd33a Merge branch '266.c89' into 'glib-2-66'
gdatetime.c: Fix MSVC builds for lack of NAN items

See merge request GNOME/glib!1831
2021-01-04 15:37:25 +00:00
Sebastian Dröge
55ebcf05ba Merge branch 'backport-1827-win32-fd-read-glib-2-66' into 'glib-2-66'
Backport !1827 “Windows: fix FD_READ condition flag still set on recoverable UDP socket errors.” to glib-2-66

See merge request GNOME/glib!1836
2021-01-04 15:32:53 +00:00
Marco Mastropaolo
6900d53ed8 Windows: fix FD_READ condition flag still set on recoverable UDP socket errors.
Contrary to what the WSARecvFrom seem to imply, a UDP socket is perfectly recoverable and usable after a WSAECONNRESET error (and, I assume, WSAENETRESET).
However GSocket condition has the FD_READ bit set after a UDP socket fails with WSAECONNRESET, even if no data is available on the socket anymore; this causes select calls to report the socket as readable when, in fact, it's not.

The change resets FD_READ flag on a socket upon the above error conditions; there's no 'if' to filter between datagram and stream sockets as the change should be harmless in the case of stream sockets which are, however, very unlikely to be usable after a WSAECONNRESET.
2021-01-04 15:09:03 +00:00
Chun-wei Fan
d6e5db6ed8 gdatetime.c: Fix MSVC builds for lack of NAN items
Use a fallback for isnan() on Visual Studio 2012 or earlier, and define
NAN if it does not exist.
2020-12-30 19:40:03 +08:00
Sebastian Dröge
b20a8b5a5a Merge branch 'backport-1821-date-lengths-glib-2-66' into 'glib-2-66'
Backport !1821 “gdate: Limit length of dates which can be parsed as valid” to glib-2-66

See merge request GNOME/glib!1824
2020-12-21 18:15:35 +00:00
Philip Withnall
59999737c9 gdate: Use string length when validating UTF-8
Makes the validation a tiny bit faster.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-21 17:50:52 +00:00
Philip Withnall
3fc314ec38 gdate: Limit length of dates which can be parsed as valid
Realistically any date over 200 bytes long is not going to be valid, so
limit the input length so we can’t spend too long doing UTF-8 validation
or normalisation.

oss-fuzz#28718

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-21 17:50:52 +00:00
Sebastian Dröge
4c6daefd6b Merge branch 'wip/chergert/merge-private-fix' into 'glib-2-66'
gthread: Destroy value after replacing it in g_private_replace()

See merge request GNOME/glib!1820
2020-12-17 18:43:24 +00:00
Philip Withnall
e4af46fc09 gthread: Destroy value after replacing it in g_private_replace()
If the old value is destroyed before updating the TLS value in pthreads
(or the Windows equivalent) then there’s a risk of infinite recursion if
`g_private_replace()` is called from within the `GDestroyNotify`.

Avoid that by destroying the old value after doing the TLS update.

Thanks to Matthias Clasen for diagnosing the issue.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2210
2020-12-17 10:30:54 -08:00
Philip Withnall
bacbec652d 2.66.4
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-17 11:45:52 +00:00
Sebastian Dröge
9ee19e06da Merge branch 'backport-1797-freebsd-date-parsing-glib-2-66' into 'glib-2-66'
Backport !1797 “gdatetime: Improve ISO 8601 parsing to avoid floating point checks” to glib-2-66

See merge request GNOME/glib!1805
2020-12-13 09:16:39 +00:00
Philip Withnall
d8794aaf70 tests: Add more tests for GDateTime ISO 8601 seconds parsing
This should add a few more lines/branches to the test coverage.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-12 18:35:20 +00:00
Philip Withnall
72246a564d gdatetime: Use isnan() instead of !isfinite()
Both are provided by libm, but `isnan()` is provided as a macro, whereas
`isfinite()` is an actual function, and hence libm has to be available
at runtime. That didn’t trivially work on FreeBSD, resulting in this
refactor.

`isfinite(x)` is equivalent to `!isnan(x) && !isinfinite(x)`. The case
of `x` being (negative or positive) infinity is already handled by the
range checks on the next line, so it’s safe to switch to `isnan()` here.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-12 18:35:20 +00:00
Philip Withnall
e470dca95f gdatetime: Remove floating point from seconds parsing code
Rather than parsing the seconds in an ISO 8601 date/time using a pair of
floating point numbers (numerator and denominator), use two integers
instead. This avoids issues around floating point precision, and also
makes it easier to check for potential overflow from overlong inputs.

This last point means that the `isfinite()` check can be removed, as it
was covering the case where a NAN was generated, which isn’t now
possible using integer arithmetic.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-12 18:35:20 +00:00
Sebastian Dröge
035975e7e6 Merge branch 'backport-1794-gio-tool-critical-glib-2-66' into 'glib-2-66'
Backport !1794 “gio-tool-info: Prevent criticals if mount options are not available” to glib-2-66

See merge request GNOME/glib!1799
2020-12-11 15:04:54 +00:00
Ondrej Holy
7cc8aec39c gio-tool-info: Prevent criticals if mount options are not available
NULL is valid return value for the g_unix_mount_get_options function
because mount options are currently provided only by libmount implementation.
However, the gio tool passes the returned value to the g_strescape function
without checking, which produces the following critical warning:
GLib-CRITICAL **: 13:47:15.294: g_strescape: assertion 'source != NULL' failed

Let's add the missing check to prevent the critical warnings.
2020-12-11 14:33:24 +00:00
Sebastian Dröge
22c0e5db8e Merge branch 'backport-1791-datetime-nan-glib-2-66' into 'glib-2-66'
Backport !1791 “gdatetime: Disallow NAN as a number of seconds in a GDateTime” to glib-2-66

See merge request GNOME/glib!1793
2020-12-09 15:48:55 +00:00
Sebastian Dröge
120b659bd1 Merge branch 'backport-1789-array-sort-empty-glib-2-66' into 'glib-2-66'
Backport !1789 “array: Avoid sorting 0-sized arrays” to glib-2-66

See merge request GNOME/glib!1792
2020-12-09 15:40:27 +00:00
Philip Withnall
83e5b9cab1 gdatetime: Disallow NAN as a number of seconds in a GDateTime
The fiendish thing about NAN is that it never compares TRUE against
anything, so the limit checks `seconds < 0.0 || seconds >= 60.0` were
never triggering.

oss-fuzz#28473

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-09 15:24:45 +00:00
Timm Bäder
0e50c8d6cd array: Avoid sorting 0-sized arrays
Fixes #2264
2020-12-09 15:24:15 +00:00
Sebastian Dröge
2c25fe26c8 Merge branch 'backport-1788-ossfuzz-28458-date-overflow' into 'glib-2-66'
Backport !1788 “gdate: Validate input as UTF-8 before parsing” to glib-2-66

See merge request GNOME/glib!1790
2020-12-09 15:11:45 +00:00
Philip Withnall
6181244559 gdate: Validate input as UTF-8 before parsing
Dates have to be valid UTF-8.

oss-fuzz#28458

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-12-09 13:48:56 +00:00
Sebastian Dröge
0cbe9efb90 Merge branch 'backport-1771-macos-frexpl-glib-2-66' into 'glib-2-66'
Backport !1771 “macos: fix frexpl checks in cross-compilation” to glib-2-66

See merge request GNOME/glib!1774
2020-11-29 11:22:57 +00:00
Andoni Morales Alastruey
a5388cf3ba macos: fix frexpl checks in cross-compilation
Cross-compilation to arm64 for Apple Silicon is not possible
due to the hardcoded settings for frexpl.
See: #1868
2020-11-25 19:57:36 +00:00
Philip Withnall
30c06eb5fc 2.66.3
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-11-16 12:19:06 +00:00
Emmanuele Bassi
e18a6a850f Merge branch 'backport-1734-hidden-cache-glib-2-66' into 'glib-2-66'
Backport !1734 “glocalfileinfo: Use a single timeout source at a time for hidden file cache” to glib-2-66

See merge request GNOME/glib!1736
2020-11-03 17:24:05 +00:00
Carlos Garnacho
92c19ebda2 glocalfileinfo: Use a single timeout source at a time for hidden file cache
As hidden file caches currently work, every look up on a directory caches
its .hidden file contents, and sets a 5s timeout to prune the directory
from the cache.

This creates a problem for usecases like Tracker Miners, which is in the
business of inspecting as many files as possible from as many directories
as possible in the shortest time possible. One timeout is created for each
directory, which possibly means gobbling thousands of entries in the hidden
file cache. This adds as many GSources to the glib worker thread, with the
involved CPU overhead in iterating those in its main context.

To fix this, use a unique timeout that will keep running until the cache
is empty. This will keep the overhead constant with many files/folders
being queried.
2020-11-03 16:34:31 +00:00
Simon McVittie
4daaf303a0 Merge branch 'backport-1725-gdbus-fds-glib-2-66' into 'glib-2-66'
Backport !1725 “gdbus: Cope with sending fds in a message that takes multiple writes” to glib-2-66

See merge request GNOME/glib!1727
2020-10-28 15:17:58 +00:00
Simon McVittie
60c3c948b5 gio/tests/gdbus-peer: Exercise fds attached to a large message
This incidentally also exercises the intended pattern for sending fds in
a D-Bus message: the fd list is meant to contain exactly those fds that
are referenced by a handle (type 'h') in the body of the message, with
numeric handle value n corresponding to g_unix_fd_list_peek_fds(...)[n].

Being able to send and receive file descriptors that are not referenced by
a handle (as in OpenFile here) is a quirk of the GDBus API, and while it's
entirely possible in the wire protocol, other D-Bus implementations like
libdbus and sd-bus typically don't provide APIs that make this possible.

Reproduces: https://gitlab.gnome.org/GNOME/glib/-/issues/2074
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-10-28 14:59:57 +00:00