Commit Graph

27027 Commits

Author SHA1 Message Date
Philip Withnall
aee72d3dce Merge branch 'concurrent-rand' into 'main'
tests/slice-concurrent.c: avoid using rand() from multiple threads

See merge request GNOME/glib!3141
2022-12-16 17:00:56 +00:00
Alexander Richardson
9f558a2c50 tests/slice-concurrent.c: avoid using rand() from multiple threads
2022-12-16 17:00:56 +00:00
Philip Withnall
58521101b3 Merge branch 'wip/smcv/gvariant-big-endian' into 'main'
gvariant-serialiser: Convert endianness of offsets

Closes #2839

See merge request GNOME/glib!3136
2022-12-16 13:32:39 +00:00
Simon McVittie
0e3b21000d Merge branch 'posix_memalign-requirements' into 'main'
tests/gvariant.c: ensure posix_memalign alignment argument is correct

See merge request GNOME/glib!3145
2022-12-16 13:24:52 +00:00
Simon McVittie
ba2137b0d9 gvariant-serialiser: Convert endianness of offsets
The array of offsets is little-endian, even on big-endian architectures
like s390x.

Fixes: ade71fb5 "gvariant: Don’t allow child elements to overlap with each other"
Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2839
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-12-16 13:03:37 +00:00
Simon McVittie
8b80c451a5 Merge branch 'wip/pwithnall/temporarily-disable-freebsd' into 'main'
ci: Temporarily only run the FreeBSD 13 CI on a schedule

See merge request GNOME/glib!3147
2022-12-16 13:01:59 +00:00
Simon McVittie
79cddc6c75 Merge branch 'varargs-missing-argument' into 'main'
tests/gdbus-method-invocation: Fix missing g_variant_new() argument

See merge request GNOME/glib!3142
2022-12-16 12:53:37 +00:00
Philip Withnall
4f5bd5439e ci: Temporarily only run the FreeBSD 13 CI on a schedule
Rather than on every commit, because the CI runner is currently broken:
https://gitlab.gnome.org/Infrastructure/GitLab/-/issues/594.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: !3136
2022-12-16 12:34:03 +00:00
Alex Richardson
994f96fb2b tests/gdbus-method-invocation: Fix missing g_variant_new() argument
I noticed this when running the test on an Arm Morello system where varargs
have bounds. g_variant_new() was trying to read an integer using va_arg(),
but since there was no argument it resulted in a bounds error there.
On most other architectures this will just read whatever value is contained
in the next argument register and is not something that ASan can detect, so
it never resulted in test failures.
2022-12-16 10:28:50 +00:00
Alex Richardson
58f70cebb6 Fix test_aligned_mem for Morello
On Arm Morello sizeof(void*) is 16 bytes so we fail the check for
`(alignment % sizeof (void *)) != 0` in gmem.c.
2022-12-15 23:50:23 +00:00
Alex Richardson
34236af33c tests/gvariant.c: ensure posix_memalign alignment argument is correct
posix_memalign() requires the alignment to be a multiple of sizeof(void*),
and a power of 2. Passing 8 does not fulfil both of those constraints on
Arm Morello which resulted in a "posix_memalign failed" test failure.

Co-authored-by: Graeme Jenkinson <graeme@capabilitieslimited.co.uk>
2022-12-15 23:50:23 +00:00
Marco Trevisan (Treviño)
cdda03a690 GCancellable: Ensure it is always cancelled on connect callback
When a cancellable is cancelled when we call g_cancellable_connect we
used to immediately call the provided callback. While this is fine, we
actually had a race in case the cancellable was about to be reset or in
the middle of a cancellation.

In fact it could happen that when we released the mutex, another thread
could reset the cancellable just before the callback is actually called,
leading to it being called with g_cancellable_cancelled() == FALSE.

So to handle this, make the disconnect and reset functions wait for the
connection emission to finish, so as not to break their assumptions.

This can be tested using some "brute-force" tests where multiple threads
are racing to connect and disconnect while others are cancelling and
resetting a cancellable, ensuring that all works as we expect.
2022-12-15 19:30:43 +01:00
Marco Trevisan (Treviño)
f520066563 gutils: Add a private API to unset the cached temporary directory
We may need to avoid using a cached temp directory for testing purposes,
so let's provide an internal API to perform such task.

This implies removing GOnce and going with a mutex-based version, but
that's still using atomic logic in most unix implementations anyway.
2022-12-15 17:29:00 +01:00
Marco Trevisan
ded3099afc Merge branch 'coverity-fix' into 'main'
gtestutils: Check for failure to setenv() and return

See merge request GNOME/glib!3132
2022-12-14 16:35:13 +00:00
Philip Withnall
8a60c22bb4 Merge branch '861-dbus-menu-model-robustness' into 'main'
gmenumodel: disallow exporting large menus on the bus

Closes #861

See merge request GNOME/glib!3133
2022-12-14 16:18:07 +00:00
Lars Uebernickel
89a7bbcf6e gmenumodel: disallow exporting large menus on the bus
This solves problems with validating untrusted inputs from D-Bus, where
invalid numbers of added and removed menu entries, and positions, could
be specified.

Original patch from
https://bugzilla.gnome.org/show_bug.cgi?id=728733#c7, tweaked by Philip
Withnall to add a few code comments and make
`G_MENU_EXPORTER_MAX_SECTION_SIZE` public so callers can check their
inputs against it if they want. Also tweaked to use `g_warning()` instead
of the nonexistent `g_dbus_warning()`.

Fixes: #861
2022-12-14 15:42:14 +00:00
Marco Trevisan
6d5c623510 Merge branch '2835-gapplication-test-failure' into 'main'
tests: Release GApplication a little later to avoid assertion failures

Closes #2835

See merge request GNOME/glib!3131
2022-12-14 15:39:47 +00:00
Philip Withnall
b012c3470b gtestutils: Check for failure to setenv() and return
This is very unlikely to happen, but it makes Coverity happier.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Coverity CID: #1474388
2022-12-14 15:11:10 +00:00
Philip Withnall
a2c8a8c630 tests: Release GApplication a little later to avoid assertion failures
If it takes one more `GMainContext` cycle than expected for the
`activate` signals to be handled, the `GApplication` under test can be
released too early, and the test will fail due to not seeing a high
enough value of `n_activations`.

Hopefully avoid that by moving the release to a low priority idle
callback.

This fix is only hopeful because I’ve only been able to reproduce the
failure on FreeBSD CI and not locally.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2835
2022-12-14 09:33:18 +00:00
Marco Trevisan
a0dbaeed2f Merge branch 'more-gobject-performance-tests' into 'main'
More gobject performance tests

See merge request GNOME/glib!3124
2022-12-14 02:46:28 +00:00
Marco Trevisan (Treviño)
c6f252108c gobject/tests/performance: Add object get/set performance tests
2022-12-14 03:05:50 +01:00
Marco Trevisan (Treviño)
77a2d26ea2 gobject/tests/performance: Add object notify performance tests
2022-12-14 03:05:50 +01:00
Marco Trevisan
3df4a0225c Merge branch 'security-docs-fix' into 'main'
docs: Update SECURITY to stop mentioning a deprecated mailing list

See merge request GNOME/glib!3127
2022-12-14 02:03:05 +00:00
Philip Withnall
4eb9b09014 Merge branch '2121-2540-2794-2797-gvariant-normal-forms' into 'main'
Various fixes to normal form handling in GVariant

Closes #2121, #2540, #2794, and #2797

See merge request GNOME/glib!3125
2022-12-13 19:52:21 +00:00
Philip Withnall
1309719c50 docs: Update SECURITY to stop mentioning a deprecated mailing list
Discourse has replaced the GNOME mailing lists.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2022-12-13 19:16:35 +00:00
Philip Withnall
a70a16b28b gvariant: Allow g_variant_byteswap() to operate on tree-form variants
This avoids needing to always serialise a variant before byteswapping it.
With variants in non-normal forms, serialisation can result in a large
increase in size of the variant, and a lot of allocations for leaf
`GVariant`s. This can lead to a denial of service attack.

Avoid that by changing byteswapping so that it happens on the tree form
of the variant if the input is in non-normal form. If the input is in
normal form (either serialised or in tree form), continue using the
existing code as byteswapping an already-serialised normal variant is
about 3× faster than byteswapping on the equivalent tree form.

The existing unit tests cover byteswapping well, but need some
adaptation so that they operate on tree form variants too.

I considered dropping the serialised byteswapping code and doing all
byteswapping on tree-form variants, as that would make maintenance
simpler (avoiding having two parallel implementations of byteswapping).
However, most inputs to `g_variant_byteswap()` are likely to be
serialised variants (coming from a byte array of input from some foreign
source) and most of them are going to be in normal form (as corruption
and malicious action are rare). So getting rid of the serialised
byteswapping code would impose quite a performance penalty on the common
case.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2797
2022-12-13 19:04:15 +00:00
Philip Withnall
4c4cf568f0 gvariant: Fix g_variant_byteswap() returning non-normal data sometimes
If `g_variant_byteswap()` was called on a non-normal variant of a type
which doesn’t need byteswapping, it would return a non-normal output.

That contradicts the documentation, which says that the return value is
always in normal form.

Fix the code so it matches the documentation.

Includes a unit test.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2797
2022-12-13 19:04:15 +00:00
Philip Withnall
5f4485c4ff gvariant-serialiser: Check offset table entry size is minimal
The entries in an offset table (which is used for variable sized arrays
and tuples containing variable sized members) are sized so that they can
address every byte in the overall variant.

The specification requires that for a variant to be in normal form, its
offset table entries must be the minimum width such that they can
address every byte in the variant.

That minimality requirement was not checked in
`g_variant_is_normal_form()`, leading to two different byte arrays being
interpreted as the normal form of a given variant tree. That kind of
confusion could potentially be exploited, and is certainly a bug.

Fix it by adding the necessary checks on offset table entry width, and
unit tests.

Spotted by William Manley.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2794
2022-12-13 18:20:16 +00:00
Philip Withnall
f98c60e4ee gvariant: Fix a leak of a GVariantTypeInfo on an error handling path
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2022-12-13 18:15:20 +00:00
Philip Withnall
c2dc74e2ec gvariant: Cut allocs of default values for children of non-normal arrays
This improves a slow case in `g_variant_get_normal_form()` where
allocating many identical default values for the children of a
variable-sized array which has a malformed offset table would take a lot
of time.

The fix is to make all child values after the first invalid one be
references to the default value emitted for the first invalid one,
rather than identical new `GVariant`s.

In particular, this fixes a case where an attacker could create an array
of length L of very large tuples of size T each, corrupt the offset table
so they don’t have to specify the array content, and then induce
`g_variant_get_normal_form()` into allocating L×T default values from an
input which is significantly smaller than L×T in length.

A pre-existing workaround for this issue is for code to call
`g_variant_is_normal_form()` before calling
`g_variant_get_normal_form()`, and to skip the latter call if the former
returns false. This commit improves the behaviour in the case that
`g_variant_get_normal_form()` is called anyway.

This fix changes the time to run the `fuzz_variant_binary` test on the
testcase from oss-fuzz#19777 from >60s (before being terminated) with
2.3GB of memory usage and 580k page faults; to 32s, 8.3MB of memory
usage and 1500 page faults (as measured by `time -v`).

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2540
oss-fuzz#19777
2022-12-13 18:15:20 +00:00
Philip Withnall
168f9b42e5 gvariant: Add internal g_variant_maybe_get_child_value()
This will be used in a following commit.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2540
2022-12-13 18:15:19 +00:00
Philip Withnall
e6490c84e8 gvariant: Port g_variant_deep_copy() to count its iterations directly
This is equivalent to what `GVariantIter` does, but it means that
`g_variant_deep_copy()` is making its own `g_variant_get_child_value()`
calls.

This will be useful in an upcoming commit, where those child values will
be inspected a little more deeply.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:15:19 +00:00
Philip Withnall
35dee77ed8 gvariant: Clarify the docs for g_variant_get_normal_form()
Document how non-normal parts of the `GVariant` are handled.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2022-12-13 18:15:19 +00:00
Philip Withnall
4c0ddb26bc tests: Disable some random instance tests of GVariants
Building a `GVariant` using entirely random data may result in a
non-normally-formed `GVariant`. It’s always possible to read these
`GVariant`s, but the API might return default values for some or all of
their components.

In particular, this can easily happen when randomly generating the
offset tables for non-fixed-width container types.

If it does happen, bytewise comparison of the parsed `GVariant` with the
original bytes will not always match. So skip those checks.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:15:19 +00:00
Philip Withnall
6fa41d5bf6 tests: Add another test for overlapping offsets in GVariant
Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #2121
2022-12-13 18:15:19 +00:00
Philip Withnall
d1a293c4e2 gvariant: Track checked and ordered offsets independently
The past few commits introduced the concept of known-good offsets in the
offset table (which is used for variable-width arrays and tuples).
Good offsets are ones which are non-overlapping with all the previous
offsets in the table.

If a bad offset is encountered when indexing into the array or tuple,
the cached known-good offset index will not be increased. In this way,
all child variants at and beyond the first bad offset can be returned as
default values rather than dereferencing potentially invalid data.

In this case, there was no information about the fact that the indexes
between the highest known-good index and the requested one had been
checked already. That could lead to a pathological case where an offset
table with an invalid first offset is repeatedly checked in full when
trying to access higher-indexed children.

Avoid that by storing the index of the highest checked offset in the
table, as well as the index of the highest good/ordered offset.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:15:19 +00:00
Philip Withnall
7cf6f5b691 gvariant: Don’t allow child elements of a tuple to overlap each other
This is similar to the earlier commit which prevents child elements of a
variable-sized array from overlapping each other, but this time for
tuples. It is based heavily on ideas by William Manley.

Tuples are slightly different from variable-sized arrays in that they
contain a mixture of fixed and variable sized elements. All but one of
the variable sized elements have an entry in the frame offsets table.
This means that if we were to just check the ordering of the frame
offsets table, the variable sized elements could still overlap
interleaving fixed sized elements, which would be bad.

Therefore we have to check the elements rather than the frame offsets.

The logic of checking the elements up to the index currently being
requested, and caching the result in `ordered_offsets_up_to`, means that
the algorithmic cost implications are the same for this commit as for
variable-sized arrays: an O(N) cost for these checks is amortised out
over N accesses to O(1) per access.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2121
2022-12-13 18:15:17 +00:00
Philip Withnall
73d0aa81c2 gvariant-serialiser: Rework child size calculation
This reduces a few duplicate calls to `g_variant_type_info_query()` and
explains why they’re needed.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:14:30 +00:00
Philip Withnall
345cae9c1a gvariant-serialiser: Factor out code to get bounds of a tuple member
This introduces no functional changes.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 18:14:30 +00:00
William Manley
ade71fb544 gvariant: Don’t allow child elements to overlap with each other
If different elements of a variable sized array can overlap with each
other then we can cause a `GVariant` to normalise to a much larger type.

This commit changes the behaviour of `GVariant` with non-normal form data. If
an invalid frame offset is found all subsequent elements are given their
default value.

When retrieving an element at index `n` we scan the frame offsets up to index
`n` and if they are not in order we return an element with the default value
for that type.  This guarantees that elements don't overlap with each
other.  We remember the offset we've scanned up to so we don't need to
repeat this work on subsequent accesses.  We skip these checks for trusted
data.

Unfortunately this makes random access of untrusted data O(n) — at least
on first access.  It doesn't affect the algorithmic complexity of accessing
elements in order, such as when using the `GVariantIter` interface.  Also:
the cost of validation will be amortised as the `GVariant` instance is
continued to be used.

I've implemented this with 4 different functions, 1 for each element size,
rather than looping and calling `gvs_read_unaligned_le`, in the hope that the
compiler will find it easy to optimise and should produce fairly tight
code.

Fixes: #2121
2022-12-13 18:14:26 +00:00
Philip Withnall
298a537d5f gvariant: Zero-initialise various GVariantSerialised objects
The following few commits will add a couple of new fields to
`GVariantSerialised`, and they should be zero-filled by default.

Try and pre-empt that a bit by zero-filling `GVariantSerialised` by
default in a few places.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2121
2022-12-13 17:36:33 +00:00
William Manley
446e69f5ed gvariant-serialiser: Factor out functions for dealing with framing offsets
This introduces no functional changes.

Helps: #2121
2022-12-13 17:36:33 +00:00
William Manley
1deacdd4e8 gvariant-core: Consolidate construction of GVariantSerialised
So I only need to change it in one place.

This introduces no functional changes.

Helps: #2121
2022-12-13 17:36:33 +00:00
Emmanuele Bassi
782b5cbee5 Merge branch 'mkenums-docs' into 'main'
docs: Remove a stray > in the glib-mkenums man page

See merge request GNOME/glib!3112
2022-12-13 17:15:33 +00:00
Marco Trevisan
9d51f98ecb Merge branch '2836-uninit-fds' into 'main'
tests: Fix use of three uninitialised array elements in spawn-singlethread

Closes #2836

See merge request GNOME/glib!3123
2022-12-13 16:24:13 +00:00
Marco Trevisan
a9e8b3f7e4 Merge branch '2837-test-timeouts' into 'main'
tests: Increase a timeout in contexts test

Closes #2837

See merge request GNOME/glib!3122
2022-12-13 14:57:44 +00:00
Philip Withnall
d5011f91a8 tests: Fix use of three uninitialised array elements in spawn-singlethread
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2836
2022-12-13 14:49:23 +00:00
Sebastian Dröge
a79c6af23e glib/gthread-posix: Conditionally use futex and/or futex_time64 syscalls as necessary and use the correct struct timespec definition
On some systems only `futex_time64` exists (e.g. riscv32) while on
others only `futex` exists (old Linux, 64 bit platforms), so it is
necessary to check for both and try calling both at runtime.

Additionally use the correct `struct timespec` definition. There is not
necessarily any relation between the libc's definition and the kernel's.

Specifically, the libc headers might use 64-bit `time_t` while the kernel
headers use 32-bit `__kernel_old_time_t` on certain systems.

To get around this problem we
  a) check if `futex_time64` is available, which only exists on 32-bit
     platforms and always uses 64-bit `time_t`.
  b) otherwise (or if that returns `ENOSYS`), we call the normal `futex`
     syscall with the `struct timespec` used by the kernel, which uses
     `__kernel_long_t` for both its fields. We use that instead of
     `__kernel_old_time_t` because it is equivalent and available in the
     kernel headers for a longer time.
2022-12-13 16:45:57 +02:00
Philip Withnall
cad9256c3d tests: Increase a timeout in contexts test
The timeout is just to stop the test hanging forever, so there’s no need
for it to be so short. It’s caused at least one spurious CI failure:
https://gitlab.gnome.org/GNOME/glib/-/jobs/2445023.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Fixes: #2837
2022-12-13 14:07:58 +00:00
Sebastian Dröge
f67e8636da glib/gthread-posix: Use cc.compiles() instead of cc.links() for checking for __NR_futex
`cc.compiles()` is minimally faster.

We only want to check here whether `__NR_futex` is defined and don't
want to check anything at link-time.
2022-12-13 15:06:21 +02:00