Message-ID: <20220413034411.GS7074@brightrain.aerifal.cx>
Date: Tue, 12 Apr 2022 23:44:11 -0400
From: Rich Felker <dalias@...c.org>
To: "Gary E. Miller" <gem@...lim.com>
Cc: musl@...ts.openwall.com
Subject: Re: ✘strerror_r() bug in
 musl

On Tue, Apr 12, 2022 at 01:43:55PM -0700, Gary E. Miller wrote:
> Yo All!
> 
> I'm new to the list.  I've been trying to report a musl bug on #musl since
> last Friday, but no one seems to live there.
> 
> musl (all versions) has a bug in strerror_r().
> 
> The musl reference manual says of _GNU_SOURCE:
> 
>     _GNU_SOURCE (or _ALL_SOURCE)
> 
>     Adds everything above, plus interfaces modeled after GNU libc
>     extensions and interfaces for making use of Linux-specific features.
> 
> I take that to mean that when _GNU_SOURCE is used to compile code with musl
> that the results will behave as GNU libc (glibc).

This is really a deficiency of the documentation. The text that's
there isn't factually wrong but it's in some sense wrong by omission
-- it omits clearly stating that _GNU_SOURCE does not change anything
to behave in ways that conflict with the standards-specified behaviors
(or change the behavior of standards-specified interfaces whatsoever).
It *only* exposes extension interfaces.

In addition to correcting this, the "criteria for exclusion/inclusion"
of extension functionality should really be written up well and placed
in a conspicuous place. At present it's just scattered across mailing
list discussions of various proposed extensions.

And likewise, the specific example of `strerror_r` (note: `basename`
is like this and is already covered) should be mentioned on the wiki
"differences from glibc" page.

> If musl intends its strerror_r() to work like glibc's strerror_r() then
> there is a bug.
> 
> Particularly nasty to have functions that only run when an error condition
> occurs, to themselves cause crashes.

The code should not even compile if it's using the wrong signature.
The GNU version of the function does not guarantee that the string is
stored in the provided buf, so you have to examine the return value,
and assignment/passing of an int where a pointer type is expected is a
constraint violation. By default gcc only treats this as a warning
(-Wint-conversion) but you can and should make it an error via
-Werror=int-conversion since code doing this is unconditionally wrong.

Rich
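
An added example, not part of the original message and not musl or glibc code: a wrapper that builds cleanly with -Werror=int-conversion against either declaration of strerror_r by dispatching on its return type with C11 _Generic. The names errstr, from_xsi and from_gnu and the fallback text are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* request strerror_r if nothing else did */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* XSI/POSIX form (the only one musl declares): returns 0 or an error
 * number; the message is guaranteed to be in buf only on success. */
static const char *from_xsi(int rc, int errnum, char *buf, size_t len)
{
    if (rc != 0)
        snprintf(buf, len, "errno %d", errnum);  /* constructed fallback text */
    return buf;
}

/* GNU form (glibc with _GNU_SOURCE): returns the message, which may be a
 * static string instead of buf, so only the return value is usable. */
static const char *from_gnu(char *ret, int errnum, char *buf, size_t len)
{
    (void)errnum; (void)buf; (void)len;
    return ret;
}

/* Hypothetical helper: always returns a printable string for errnum. */
const char *errstr(int errnum, char *buf, size_t len)
{
    if (len == 0)
        return "";
    buf[0] = '\0';
    /* The controlling expression of _Generic is not evaluated; only its
     * type (int or char *) selects the handler, so strerror_r runs once,
     * in the argument list below. */
    return _Generic(strerror_r(errnum, buf, len),
                    int:    from_xsi,
                    char *: from_gnu)(strerror_r(errnum, buf, len),
                                      errnum, buf, len);
}

int main(void)
{
    char buf[128];
    puts(errstr(ENOENT, buf, sizeof buf));
    return 0;
}
```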
