Commit Graph

202 Commits

Author SHA1 Message Date
Akira TAGOH 0e9b2a1527 Fix FcCacheOffsetsValid()
Validation fails when the FcValueList contains more than font->num.
This logic was wrong because font->num contains the number of elements
in FcPatternElt, but FcValue is in FcValueList.

This corrects 7a4a5bd7.

Patch from Tobias Stoeckmann
2016-11-14 20:16:40 +09:00
Tobias Stoeckmann 7a4a5bd789 Properly validate offsets in cache files.
The cache files are insufficiently validated. Even though the magic
number at the beginning of the file as well as time stamps are checked,
it is not verified if contained offsets are in legal ranges or are
even pointers.

The lack of validation allows an attacker to trigger arbitrary free()
calls, which in turn allows double free attacks and therefore arbitrary
code execution. Due to the conversion from offsets into pointers through
macros, this even makes it possible to circumvent ASLR protections.

This attack vector allows privilege escalation when used with setuid
binaries like fbterm. A user can create ~/.fonts or any other
system-defined user-private font directory, run fc-cache and adjust
cache files in ~/.cache/fontconfig. Setuid binaries will scan these
files on execution and are therefore prone to attacks.

If it's not about code execution, an endless loop can be created by
letting linked lists become circular linked lists.

This patch verifies that:

- The file is not larger than the maximum addressable space, which
  basically only affects 32 bit systems. This allows out-of-bounds
  access into unallocated memory.
- Offsets are always positive or zero
- Offsets do not point outside file boundaries
- No pointers are allowed in cache files; every "pointer or offset"
  field must be an offset or NULL
- Iterating linked lists must not take longer than the number of elements
  specified. A violation of this rule can break a possible endless loop.

If one or more of these points are violated, the cache is recreated.
This is current behaviour.

Even though this patch fixes many issues, the use of mmap() shall be
forbidden in setuid binaries. It is impossible to guarantee with these
checks that a malicious user does not change cache files after
verification. This should be handled in a different patch.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2016-08-05 14:35:05 +09:00
Erik de Castro Lopo ea26c5e9f8 Fix a couple of minor memory leaks
These fixes are needed for the test suite to pass when compiled
with Address Sanitizer.
2016-05-30 10:30:10 +09:00
Petr Filipsky d15c46d75e Fix memory leak in FcDirCacheLock 2016-05-23 11:09:22 +09:00
Akira TAGOH d179cbc253 Revert "Workaround another race condition issue"
This reverts commit f44bfad235.
2016-04-06 14:39:15 +09:00
Patrick Haller d570a841a2 Optimizations in FcStrSet
Applied optimizations:
- skip duplicate check in FcStrSetAppend for values originating from readdir()
- grow FcStrSet in 64-element bulks for local FcStrSets (FcConfig layout unaltered)

Starting gedit is measured to

                        Unoptimized     Optimized
user[s]                         0,806         0,579
sys[s]                          0,062         0,062
Total Instr Fetch Cost: 1.658.683.750   895.069.820
Cachegrind D Refs:        513.917.619   312.000.436
Cachegrind Dl Misses:       8.605.632     4.954.639
2016-01-12 10:42:40 +09:00
Akira TAGOH bd96984e4b Use int64_t instead of long long 2015-10-15 15:51:50 +09:00
Akira TAGOH 7ccde89758 Fix build issue on MinGW 2015-10-13 13:06:54 +09:00
Akira TAGOH a44cc450b5 Use long long to see the same size between LP64 and LLP64 2015-10-13 13:04:33 +09:00
Akira TAGOH ad9f588050 Fix the broken cache more.
Take a look at the nanosecond field in the mtime, if available, to figure
out whether the cache needs to be updated,
and take the mutex lock between scanning and writing a cache
to avoid the conflict.

Also we don't need to scan directories again after writing
caches, so the related code is removed as well.

https://bugs.freedesktop.org/show_bug.cgi?id=69845

and for reference:

https://bugzilla.redhat.com/show_bug.cgi?id=1236034
2015-08-14 17:19:29 +09:00
Behdad Esfahbod ee2d1da2d2 Reduce number of places that cache version is specified to 1 2015-05-27 14:36:35 -07:00
Akira TAGOH d17f556153 Read the config files and fonts on the sysroot when --sysroot is given to fc-cache
Fix for e96d776088

https://bugs.freedesktop.org/show_bug.cgi?id=59456
2014-06-17 20:11:02 +09:00
Akira TAGOH f44bfad235 Workaround another race condition issue
See https://bugzilla.redhat.com/show_bug.cgi?id=921706
2014-06-05 19:06:02 +09:00
Akira TAGOH 7a6622f25c Improve the performance issue on rescanning directories 2013-12-20 11:57:16 +09:00
Akira TAGOH 5152115349 Simplify to validate the availability of posix_fadvise 2013-12-02 18:43:10 +09:00
Akira TAGOH 06b388523d Fix build issue on Debian/kFreeBSD 7.0
There is posix_fadvise(2) but no POSIX_FADV_WILLNEED.
Patch from Ryo ONODERA.
2013-10-21 11:50:55 +09:00
Akira TAGOH 43f768b53f avoid reading config.h twice
config.h is read from fcint.h now, so having a line of the sort #include "config.h"
is a duplicate.

Bug 69833 - Incorrect SIZEOF_VOID_P and ALIGNOF_DOUBLE definitions causes nasty warnings on MacOSX when building fat libraries
2013-09-26 17:51:15 +09:00
Akira TAGOH 041deb0cc5 warn deprecated only when migration failed 2013-08-07 12:05:32 +09:00
Akira TAGOH e96d776088 Bug 59456 - Adding a --sysroot like option to fc-cache
Add the ability to set the system root used to generate the caches.
In order to do this, new APIs, FcConfigGetSysRoot() and
FcConfigSetSysRoot(), are available.
2013-03-05 18:38:50 +09:00
Akira TAGOH 6363193a05 Fix mkstemp absence for some platforms
Patch from LRN and modified to make more generic.
2013-01-22 12:11:02 +09:00
Behdad Esfahbod 55d39bcad0 Fix fc-cache crash caused by looking up NULL object incorrectly
We were returning a skiplist node when looking up NULL!
2013-01-16 07:31:15 -06:00
Akira TAGOH d837a7a584 missing header file to declare _mkdir 2013-01-08 16:18:32 +09:00
Akira TAGOH 596931c8b4 Bug 47705 - Using O_CLOEXEC 2013-01-08 15:34:09 +09:00
Behdad Esfahbod ec8a40d238 Fix build and warnings on win32 2013-01-02 17:35:56 -06:00
Behdad Esfahbod 2ae07bbcd2 Make FcDirCacheDispose() threadsafe 2013-01-02 01:04:58 -06:00
Behdad Esfahbod 68b8ae9af8 Make cache hash threadsafe
This concludes my first pass at making fontconfig threadsafe.  Now to
testing and actually fixing it!
2013-01-02 01:04:47 -06:00
Behdad Esfahbod adb03b730d Make random-state initialization threadsafe 2013-01-02 01:04:03 -06:00
Behdad Esfahbod 91dd7d28ff Add a big cache lock
Not used yet.
2013-01-02 01:03:49 -06:00
Behdad Esfahbod 8d2bbb193a Make cache refcounting threadsafe 2013-01-02 01:03:22 -06:00
Behdad Esfahbod b8f238e49d Make FcCacheIsMmapSafe() threadsafe 2013-01-02 01:03:06 -06:00
Behdad Esfahbod dd69d96e06 Fix sign-compare warnings 2012-12-29 22:47:49 -05:00
Behdad Esfahbod 83d8019011 Fix unused-parameter warnings 2012-12-29 22:32:56 -05:00
Akira TAGOH 535e0a37d6 Bug 54138 - X_OK permission is invalid for win32 access(..) calls
X_OK checking was added back in 8ae1e3d5dc,
which had been removed for the same reason in
238489030a.
Apparently the test case in Bug#18934 still works without it,
so I'm removing it again to get this working on Windows.
2012-08-31 12:39:38 +09:00
Mikhail Gusarov 0ac6c98294 Fix cache aging for fonts on FAT filesystem under Linux
Windows does not update mtime of directory on FAT filesystem when
file is added to it or removed from it. Fontconfig uses mtime of
directory to check cache file aging and hence fails to detect
newly added or recently removed files.

This changeset detects FAT filesystem (currently implemented for
Linux) and adds generating checksum of directory entries instead
of using mtime which guarantees proper cache rebuild.

For non-FAT filesystems this patch adds a single syscall per directory,
which is negligible overhead.

This fixes bug https://bugs.freedesktop.org/show_bug.cgi?id=25535

Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
2012-05-28 16:46:04 +09:00
Akira TAGOH dc2da23e69 Move statfs/statvfs wrapper to fcstat.c and add a test for the mtime broken fs
Just a rework to share the effort between FcIsFsMmapSafe() and FcIsFsMtimeBroken().
2012-05-28 16:46:01 +09:00
Mikhail Gusarov 6a83c1ad40 Move FcStat to separate compilation unit
FcStat() logic is quite complicated in the presence of various semi-broken operating
systems and filesystems; split it out in order to make it a bit easier.

Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
2012-05-28 16:01:00 +09:00
Akira TAGOH 7d65f9f514 Bug 39278 - make usage of mmap optional
Stop using mmap() if the cache file is stored on NFS.
Also added the FONTCONFIG_USE_MMAP environment variable to force mmap(2)
to be used or not used, regardless of which filesystem the cache files
are stored on.
2012-04-25 16:38:01 +09:00
Akira TAGOH 06d6b7c312 Create CACHEDIR.TAG when fc-cache is run or only when the cache directory is created at runtime.
Also add the FcCacheCreateTagFile() API to create CACHEDIR.TAG in the cache
directory.
2012-04-23 11:26:32 +09:00
Akira TAGOH dd2a3d3520 Bug 25151 - Move cleanCacheDirectory() from fc-cache.c into the library

Add FcDirCacheScan() API to clean up the cache files in the directory.
2012-04-18 12:55:23 +09:00
Keith Packard 9e62fcedfe Use posix_fadvise to speed startup
Given that fontconfig will scan all of the cache file data during the
first font search, ask the kernel to start reading the pages right away.

Signed-off-by: Keith Packard <keithp@keithp.com>
2012-04-17 12:20:25 +09:00
Akira TAGOH 470e92c9db Bug 27526 - Compatibility fix for old windows systems
Patch from Gianluigi Tiesi
2012-04-12 14:01:25 +09:00
Akira TAGOH a13d518fdd Bug 41694 - FcCache functions have random-number-generator side effects
Use its own random number generator state if possible.
2012-02-28 12:52:25 +09:00
Mike Frysinger 647569d029 FcStat: change to FcChar8 for first arg
This shouldn't affect the ABI, makes FcStat more like the rest of the
fontconfig API, and fixes warnings where we pass FcChar8* pointers in
to this func from other places.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2012-02-21 14:15:58 -05:00
Mike Frysinger e3a66c2937 delete unused variables
Newer gcc is better at detecting set-but-unused variables.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2012-02-21 14:15:58 -05:00
Behdad Esfahbod 082caefb6d Bug 41171 - Invalid use of memset 2011-09-24 13:52:05 -04:00
Behdad Esfahbod c21fb9ac27 Always define FcStat as a function
Such that the first arg is const char *.  We also need to make more changes
in that function as part of some other bug.
2011-03-14 18:49:21 -03:00
Behdad Esfahbod d1a0fca316 Make fc-arch stuff cross-compiling-safe
Fixes:
Bug 32679 - fontconfig-2.8.0 does not cross compile
Bug 25462 - Cross-compilation doesn't work
2010-12-28 01:22:34 -06:00
Behdad Esfahbod 5aaf466d38 Cleanup copyright notices to replace "Keith Packard" with "the author(s)" 2010-11-10 16:45:42 -05:00
Behdad Esfahbod 594dcef0f3 Remove all trailing whitespace 2010-04-12 12:19:05 -04:00
Serge van den Boom 1dd95fcb8b Correctly handle mmap() failure (#21062) 2009-06-24 13:52:10 -04:00