From 9e9de6c9cda56e20feb299607df2e3755ebf7613 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Mon, 29 Jul 2024 15:27:01 -0400 Subject: [PATCH 1/7] connection: Use bool, not int, for a boolean variable No functional change intended. Signed-off-by: Demi Marie Obenour --- src/connection.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/connection.c b/src/connection.c index e1b751ac..330e45c2 100644 --- a/src/connection.c +++ b/src/connection.c @@ -413,7 +413,7 @@ decode_cmsg(struct wl_ring_buffer *buffer, struct msghdr *msg) { struct cmsghdr *cmsg; size_t size, i; - int overflow = 0; + bool overflow = false; for (cmsg = CMSG_FIRSTHDR(msg); cmsg != NULL; cmsg = CMSG_NXTHDR(msg, cmsg)) { @@ -424,7 +424,7 @@ decode_cmsg(struct wl_ring_buffer *buffer, struct msghdr *msg) size = cmsg->cmsg_len - CMSG_LEN(0); if (ring_buffer_ensure_space(buffer, size) < 0 || overflow) { - overflow = 1; + overflow = true; size /= sizeof(int32_t); for (i = 0; i < size; i++) close(((int*)CMSG_DATA(cmsg))[i]); From f00586ee5f47b7c7fa8d92f01f61d1ba593c142d Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Mon, 29 Jul 2024 15:27:10 -0400 Subject: [PATCH 2/7] connection: Add comments explaining safety No functional change intended. Signed-off-by: Demi Marie Obenour --- src/connection.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/connection.c b/src/connection.c index 330e45c2..300c28d8 100644 --- a/src/connection.c +++ b/src/connection.c @@ -1052,7 +1052,10 @@ wl_connection_demarshal(struct wl_connection *connection, goto err; } + /* This ring buffer will always have a multiple of sizeof(int) + * bytes in it. */ ring_buffer_copy(&connection->fds_in, &fd, sizeof fd); + /* This can wrap but that is okay. */ connection->fds_in.tail += sizeof fd; closure->args[i].h = fd; break; From 568a9325f080b9772ef318ae777eaedb3040b248 Mon Sep 17 00:00:00 2001 
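Review bot: The new `bool overflow = false;` in decode_cmsg() needs `<stdbool.h>` in scope, and this two-line patch adds no include (the diffstat shows 2 insertions and 2 deletions in src/connection.c only), so it compiles only if connection.c already gets the header through its existing includes; worth confirming before the series is merged, since the context lines here do not show it. Both hunks are otherwise a straight int-to-bool substitution with no change to the close loop they guard. decode_cmsg() starts before the first hunk and continues past the second.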
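Review bot: The added comment `/* This ring buffer will always have a multiple of sizeof(int) bytes in it. */` in wl_connection_demarshal() states the invariant that makes the unchecked ring_buffer_copy() safe but not where it comes from, so a reader has to hunt down every writer of fds_in to trust it. If decode_cmsg() is the only writer and only ever enqueues whole SCM_RIGHTS payloads (its close loop in the previous patch divides the payload by sizeof(int32_t), which suggests so), say that: `/* fds_in is only filled by decode_cmsg(), which enqueues whole fd payloads, so it always holds a multiple of sizeof(int) bytes. */`. The second comment, `/* This can wrap but that is okay. */`, would help more if it said why: tail is a free-running counter that ring_buffer_mask() reduces modulo the capacity, which is what the `i & m` in that helper does. wl_connection_demarshal() starts before and continues past the hunk.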
From: Demi Marie Obenour Date: Mon, 29 Jul 2024 15:27:21 -0400 Subject: [PATCH 3/7] connection: empty iovecs are never created Neither ring_buffer_put_iov() nor ring_buffer_get_iov() distinguishes between a full wl_ring_buffer and an empty one. Instead, both just assume that the returned iovec should not be empty. However, both have only one caller, and that caller does guarantee that the ring buffer is not full (for ring_buffer_put_iov()) or empty (for ring_buffer_get_iov()). Therefore, the code is safe. Signed-off-by: Demi Marie Obenour --- src/connection.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/connection.c b/src/connection.c index 300c28d8..41410e7b 100644 --- a/src/connection.c +++ b/src/connection.c @@ -113,6 +113,7 @@ ring_buffer_put(struct wl_ring_buffer *b, const void *data, size_t count) return 0; } +/* Precondition: the buffer is not full */ static void ring_buffer_put_iov(struct wl_ring_buffer *b, struct iovec *iov, int *count) { @@ -125,10 +126,13 @@ ring_buffer_put_iov(struct wl_ring_buffer *b, struct iovec *iov, int *count) iov[0].iov_len = tail - head; *count = 1; } else if (tail == 0) { + /* We assume that head == 0 means an empty buffer, not a full one. */ iov[0].iov_base = b->data + head; iov[0].iov_len = ring_buffer_capacity(b) - head; *count = 1; } else { + /* head == 0 is checked earlier, so there is at least one byte to + * read after head. */ iov[0].iov_base = b->data + head; iov[0].iov_len = ring_buffer_capacity(b) - head; iov[1].iov_base = b->data; @@ -137,6 +141,7 @@ ring_buffer_put_iov(struct wl_ring_buffer *b, struct iovec *iov, int *count) } } +/* Precondition: the buffer is not empty */ static void ring_buffer_get_iov(struct wl_ring_buffer *b, struct iovec *iov, int *count) { 
@@ -161,6 +166,7 @@ ring_buffer_get_iov(struct wl_ring_buffer *b, struct iovec *iov, int *count) } } +/* Precondition: the data will not overflow the buffer */ static void ring_buffer_copy(struct wl_ring_buffer *b, void *data, size_t count) { @@ -456,6 +462,9 @@ wl_connection_flush(struct wl_connection *connection) tail = connection->out.tail; while (ring_buffer_size(&connection->out) > 0) { + /* Ring buffer is not empty, so this is safe. */ + ring_buffer_get_iov(&connection->out, iov, &count); + build_cmsg(&connection->fds_out, cmsg, &clen); if (clen >= CLEN) { @@ -530,6 +539,7 @@ wl_connection_read(struct wl_connection *connection) if (ring_buffer_ensure_space(&connection->in, 1) < 0) return -1; + /* Ring buffer is not full, so this is safe. */ ring_buffer_put_iov(&connection->in, iov, &count); msg.msg_name = NULL; From ac630dd3b465742a10eb2518b1aeb8c19fb96b2b Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Fri, 9 Aug 2024 17:56:35 -0400 Subject: [PATCH 4/7] connection: More explanations for why the code is safe This adds many assertions to check that buffers are valid. Signed-off-by: Demi Marie Obenour --- src/connection.c | 146 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 124 insertions(+), 22 deletions(-) diff --git a/src/connection.c b/src/connection.c index 41410e7b..1be14964 100644 --- a/src/connection.c +++ b/src/connection.c 
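Review bot: The hunk in wl_connection_flush() adds a call, `ring_buffer_get_iov(&connection->out, iov, &count);`, yet the commit message only talks about documenting preconditions and the diffstat shows 10 insertions and no deletions, so this patch is not comment-only. Either an equivalent call already exists further down the loop (not visible here), in which case the new one is redundant and should be dropped, or the loop previously handed iov and count to sendmsg() without filling them, in which case this is a functional fix that deserves its own commit and description; either way the description and the diff currently disagree. The loop body, and wl_connection_flush() itself, continue past the hunk.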
@@ -91,19 +91,45 @@ ring_buffer_mask(const struct wl_ring_buffer *b, size_t i) { return i & m; } +static size_t +ring_buffer_size(struct wl_ring_buffer *b) +{ + return b->head - b->tail; +} + +/* Precondition: the data will not overflow the buffer */ static int ring_buffer_put(struct wl_ring_buffer *b, const void *data, size_t count) { - size_t head, size; + size_t head, size, buffer_size, capacity; + + if (b->head < b->tail) { + wl_abort("ring_buffer_put: ring buffer corrupt, %zu < %zu\n", + b->head, b->tail); + } + + capacity = ring_buffer_capacity(b); + buffer_size = ring_buffer_size(b); + if (buffer_size > capacity) { + wl_abort("ring_buffer_put: ring buffer corrupt: " + "%zu - %zu > %zu\n", b->head, b->tail, capacity); + } if (count == 0) return 0; + if (capacity - buffer_size < count) { + wl_abort("ring_buffer_put: attempt to overfill buffer: " + "%zu - %zu < %zu\n", capacity, buffer_size, count); + } + head = ring_buffer_mask(b, b->head); - if (head + count <= ring_buffer_capacity(b)) { + size = capacity - head; + if (count <= size) { + /* Enough space after head to fulfill request */ memcpy(b->data + head, data, count); } else { - size = ring_buffer_capacity(b) - head; + /* Need to wrap around */ memcpy(b->data + head, data, size); memcpy(b->data, (const char *) data + size, count - size); } 
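Review bot: The new `if (b->head < b->tail)` abort in ring_buffer_put() rejects a state that is legal if head and tail are free-running counters, which ring_buffer_mask() (`i & m`) and the previous patch's "This can wrap but that is okay" comment both indicate: once head has wrapped past SIZE_MAX while tail has not, `ring_buffer_size(b)` (head - tail in modular arithmetic) is still correct but the raw comparison fires and wl_abort() kills the process. With a 64-bit size_t that is unreachable, but on 32-bit builds it happens after 4 GiB has passed through one connection, which a long-lived session can reach, and on the server side that is a peer-reachable crash of the compositor. The same raw comparison is repeated in ring_buffer_put_iov() in the next hunk and, as `b->head <= b->tail`, in ring_buffer_get_iov() and ring_buffer_copy() in the hunk after it, each with a differently worded message; I would drop the raw comparisons, keep only the wrap-safe size-versus-capacity test, and move it into one helper so the four functions share a message, with ring_buffer_get_iov()'s emptiness test becoming `if (ring_buffer_size(b) == 0)`.
```c
/* Abort if b's bookkeeping is inconsistent.  head and tail are free-running
 * and may wrap, so only their difference is meaningful, never their order. */
static void
ring_buffer_check(struct wl_ring_buffer *b, const char *where)
{
	size_t size = ring_buffer_size(b);
	size_t capacity = ring_buffer_capacity(b);

	if (size > capacity) {
		wl_abort("%s: ring buffer corrupt: %zu - %zu > %zu\n",
			 where, b->head, b->tail, capacity);
	}
}

/* Precondition: the data will not overflow the buffer */
static int
ring_buffer_put(struct wl_ring_buffer *b, const void *data, size_t count)
{
	size_t head, size, buffer_size, capacity;

	ring_buffer_check(b, "ring_buffer_put");
	capacity = ring_buffer_capacity(b);
	buffer_size = ring_buffer_size(b);
	/* … unchanged: count == 0 early return, overfill abort, copy … */
```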
@@ -117,24 +143,54 @@ ring_buffer_put(struct wl_ring_buffer *b, const void *data, size_t count) static void ring_buffer_put_iov(struct wl_ring_buffer *b, struct iovec *iov, int *count) { - size_t head, tail; + size_t head, tail, size, capacity; + + if (b->head < b->tail) { + wl_abort("ring_buffer_put_iov: ring buffer corrupt, %zu < %zu\n", + b->head, b->tail); + } + + size = ring_buffer_size(b); + capacity = ring_buffer_capacity(b); + if (size >= capacity) { + wl_abort("ring_buffer_put_iov: ring buffer full or corrupt: " + "%zu - %zu >= %zu\n", b->head, b->tail, capacity); + } head = ring_buffer_mask(b, b->head); tail = ring_buffer_mask(b, b->tail); if (head < tail) { + /* Buffer is like this: + * head tail + * | | + * +---------+-----------------+---------+ + * | VALID | INVALID | VALID | + * +---------+-----------------+---------+ + */ iov[0].iov_base = b->data + head; iov[0].iov_len = tail - head; *count = 1; } else if (tail == 0) { - /* We assume that head == 0 means an empty buffer, not a full one. */ + /* Buffer is like this: + * tail head + * | | + * +---------------------------+---------+ + * | VALID | INVALID | + * +---------------------------+---------+ + */ iov[0].iov_base = b->data + head; - iov[0].iov_len = ring_buffer_capacity(b) - head; + iov[0].iov_len = capacity - head; *count = 1; } else { - /* head == 0 is checked earlier, so there is at least one byte to - * read after head. */ + /* Buffer is like this: + * tail head + * | | + * +---------------------------+---------+ + * | INVALID | VALID | INVALID | + * +---------------------------+---------+ + */ iov[0].iov_base = b->data + head; - iov[0].iov_len = ring_buffer_capacity(b) - head; + iov[0].iov_len = capacity - head; iov[1].iov_base = b->data; iov[1].iov_len = tail; *count = 2; 
@@ -145,52 +201,98 @@ ring_buffer_put_iov(struct wl_ring_buffer *b, struct iovec *iov, int *count) static void ring_buffer_get_iov(struct wl_ring_buffer *b, struct iovec *iov, int *count) { - size_t head, tail; + size_t head, tail, capacity; + + if (b->head <= b->tail) { + wl_abort("ring_buffer_get_iov(): empty or corrupt buffer: %zu <= %zu\n", + b->head, b->tail); + } + + capacity = ring_buffer_capacity(b); + if (ring_buffer_size(b) > capacity) { + wl_abort("ring_buffer_put_iov: ring buffer corrupt: " + "%zu - %zu > %zu\n", b->head, b->tail, capacity); + } head = ring_buffer_mask(b, b->head); tail = ring_buffer_mask(b, b->tail); if (tail < head) { + /* Buffer is like this: + * tail head + * | | + * +---------+-----------------+---------+ + * | INVALID | VALID | INVALID | + * +---------+-----------------+---------+ + */ iov[0].iov_base = b->data + tail; iov[0].iov_len = head - tail; *count = 1; } else if (head == 0) { + /* Buffer is like this: + * head tail + * | | + * +---------------------------+---------+ + * | INVALID | VALID | + * +---------------------------+---------+ + */ iov[0].iov_base = b->data + tail; - iov[0].iov_len = ring_buffer_capacity(b) - tail; + iov[0].iov_len = capacity - tail; *count = 1; } else { + /* Buffer is like this: + * head tail + * | | + * +-------+-------------------+---------+ + * | VALID | INVALID | VALID | + * +---------------------------+---------+ + */ iov[0].iov_base = b->data + tail; - iov[0].iov_len = ring_buffer_capacity(b) - tail; + iov[0].iov_len = capacity - tail; iov[1].iov_base = b->data; iov[1].iov_len = head; *count = 2; } } -/* Precondition: the data will not overflow the buffer */ +/* Precondition: the data will not underflow the buffer */ static void ring_buffer_copy(struct wl_ring_buffer *b, void *data, size_t count) { - size_t tail, size; + size_t tail, size, buffer_size, capacity; + + if (b->head < b->tail) { + wl_abort("ring_buffer_copy(): ring buffer corrupt, %zu < %zu\n", + b->head, b->tail); + } + + 
buffer_size = ring_buffer_size(b); + capacity = ring_buffer_capacity(b); + if (buffer_size > capacity) { + wl_abort("ring_buffer_copy(): ring buffer corrupt: " + "%zu - %zu > %zu\n", b->head, b->tail, capacity); + } if (count == 0) return; + if (buffer_size < count) { + wl_abort("ring_buffer_copy(): attempt to copy %zu bytes " + "but buffer has %zu bytes\n", + count, buffer_size); + } + tail = ring_buffer_mask(b, b->tail); - if (tail + count <= ring_buffer_capacity(b)) { + size = capacity - tail; + if (count <= size) { + /* Enough data after the tail to fulfill the request */ memcpy(data, b->data + tail, count); } else { - size = ring_buffer_capacity(b) - tail; + /* Must wrap buffer around */ memcpy(data, b->data + tail, size); memcpy((char *) data + size, b->data, count - size); } } -static size_t -ring_buffer_size(struct wl_ring_buffer *b) -{ - return b->head - b->tail; -} - static char * ring_buffer_tail(const struct wl_ring_buffer *b) { From 2bd88ca4bfa0c37e35a98bae1d1cc95d6ad42109 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Mon, 29 Jul 2024 15:27:26 -0400 Subject: [PATCH 5/7] connection: Document correct use of atoi() atoi() has undefined behavior on invalid input, but here the input comes from wayland-scanner, which is trusted. Signed-off-by: Demi Marie Obenour --- src/connection.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/connection.c b/src/connection.c index 1be14964..c322084c 100644 --- a/src/connection.c +++ b/src/connection.c @@ -795,6 +795,7 @@ wl_message_get_since(const struct wl_message *message) { int since; + /* This is trusted input */ since = atoi(message->signature); if (since == 0) From bd0aa37eb9e0e81619cb71bd97e66354ec64de8a Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Mon, 29 Jul 2024 15:27:30 -0400 Subject: [PATCH 6/7] server: Make wl_resource_post_no_memory() a wrapper function Save some code size. 
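Review bot: The second abort in ring_buffer_get_iov() reports itself as `ring_buffer_put_iov`, so a crash log would point at the wrong function; it should read `wl_abort("ring_buffer_get_iov: ring buffer corrupt: "`. The four functions also spell their own names inconsistently in these messages (`ring_buffer_put:` versus `ring_buffer_get_iov():` and `ring_buffer_copy():`), which is another reason to route them through one shared checker. In the last diagram of ring_buffer_get_iov() the bottom border `+---------------------------+---------+` has lost the divider between VALID and INVALID that the top border `+-------+-------------------+---------+` has. The relabelled `/* Precondition: the data will not underflow the buffer */` on ring_buffer_copy() is the right correction of the previous patch's comment.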
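Review bot: `/* This is trusted input */` above the atoi() call in wl_message_get_since() says that the input is trusted but not why, which is exactly what a later reader, or an auditor grepping for atoi(), needs to know. Name the source: `/* message->signature is emitted by wayland-scanner, not read from the wire, so atoi() never sees out-of-range input here. */`. The commit message's claim that atoi() is undefined on invalid input is also slightly off: it returns 0 for non-numeric text, which the `since == 0` test below already handles, and only values outside int range are undefined. wl_message_get_since() continues past the hunk.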
Signed-off-by: Demi Marie Obenour --- src/wayland-server.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/wayland-server.c b/src/wayland-server.c index 1d6be3ec..fb68f2a3 100644 --- a/src/wayland-server.c +++ b/src/wayland-server.c @@ -716,8 +716,7 @@ wl_client_post_implementation_error(struct wl_client *client, WL_EXPORT void wl_resource_post_no_memory(struct wl_resource *resource) { - wl_resource_post_error(resource->client->display_resource, - WL_DISPLAY_ERROR_NO_MEMORY, "no memory"); + wl_client_post_no_memory(resource->client); } /** Detect if a wl_resource uses the deprecated public definition. From 3ea4b30700d691ab8d4d944e5a5606b0af7f41f5 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Sun, 11 Aug 2024 19:23:21 -0400 Subject: [PATCH 7/7] connection: check for NULL string only once This removes a redundant check and combines two others. Signed-off-by: Demi Marie Obenour --- src/connection.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/connection.c b/src/connection.c index c322084c..4ba93092 100644 --- a/src/connection.c +++ b/src/connection.c @@ -1063,14 +1063,14 @@ wl_connection_demarshal(struct wl_connection *connection, case WL_ARG_STRING: length = *p++; - if (length == 0 && !arg.nullable) { - wl_log("NULL string received on non-nullable " - "type, message %s(%s)\n", message->name, - message->signature); - errno = EINVAL; - goto err; - } if (length == 0) { + if (!arg.nullable) { + wl_log("NULL string received on non-nullable " + "type, message %s(%s)\n", message->name, + message->signature); + errno = EINVAL; + goto err; + } closure->args[i].s = NULL; break; } @@ -1088,7 +1088,7 @@ wl_connection_demarshal(struct wl_connection *connection, s = (char *) p; - if (length > 0 && s[length - 1] != '\0') { + if (s[length - 1] != '\0') { wl_log("string not nul-terminated, " "message %s(%s)\n", message->name, message->signature);
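Review bot: Dropping `length > 0 &&` from the nul-termination check in the second hunk makes `s[length - 1]` depend on the `length == 0` branch in the first hunk having already broken out of the switch, a guarantee that now sits twenty-odd lines earlier and outside this hunk; the check stays correct provided nothing between the two hunks reassigns `length`, and those lines are not shown. A one-line comment keeps the next edit from reintroducing the zero-length read: `/* length > 0 here: the zero-length case broke out above */`. Since `length` is read from the peer (`length = *p++;`), this index also relies on the length-versus-buffer-end check that presumably precedes `s = (char *) p;`, so that check is worth re-reading alongside this change. wl_connection_demarshal() continues past the hunk.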