From patchwork Wed Apr 10 12:20:09 2024
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 787504
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Paul Eggert, Bruno Haible
Subject: [PATCH v5] posix: Sync tempname with gnulib
Date: Wed, 10 Apr 2024 09:20:09 -0300
Message-Id: <20240410122009.784038-1-adhemerval.zanella@linaro.org>

The gnulib version contains an important change (9ce573cde), which fixes some problems with multithreading, entropy loss, and ASLR info leak. It also fixes an issue where getrandom is not being used on some new file generation (only for __GT_NOCREATE on the first try).

The 044bf893ac removed __path_search, which is now moved to other gnulib shared files (stdio-common/tmpdir.{c,h}). This patch also fixes direxists to use __stat64_time64 instead of __xstat64, and moves the include of pathmax.h to !_LIBC (since it is not used by glibc).

The license is also changed from LGPL 3.0 to 2.1, with permission from the authors (Bruno Haible and Paul Eggert).

The sync also removed the clock fallback, since clock_gettime with CLOCK_REALTIME is expected to always succeed.

It syncs with gnulib commit 323834962817af7b115187e8c9a833437f8d20ec.

Checked on x86_64-linux-gnu.

Reviewed-by: Bruno Haible
---
Changes from v4:
* Changed tmpdir.{c,h} license from LGPL 3.0 to 2.1.
* Adjusted pathmax.h inclusion to !_LIBC.
* Add a comment why clock fallback is not used.
--- SHARED-FILES | 5 +- include/stdio.h | 5 -- libio/oldtmpfile.c | 1 + stdio-common/Makefile | 1 + stdio-common/tempnam.c | 1 + stdio-common/tempname.c | 12 --- stdio-common/tmpdir.c | 163 ++++++++++++++++++++++++++++++++++++ stdio-common/tmpdir.h | 28 +++++++ stdio-common/tmpfile.c | 1 + stdio-common/tmpnam.c | 1 + stdio-common/tmpnam_r.c | 1 + sysdeps/posix/tempname.c | 173 +++++++++++++-------------------------- 12 files changed, 260 insertions(+), 132 deletions(-) create mode 100644 stdio-common/tmpdir.c create mode 100644 stdio-common/tmpdir.h diff --git a/SHARED-FILES b/SHARED-FILES index 9c8e715fb5..179130d567 100644 --- a/SHARED-FILES +++ b/SHARED-FILES @@ -111,6 +111,9 @@ gnulib: string/strstr.c string/strtok_r.c string/strverscmp.c + # Merged from gnulib 2024-04-08 (gnulib commit 3238349628) + stdio-common/tmpdir.c + stdio-common/tmpdir.h sysdeps/generic/pty-private.h sysdeps/generic/siglist.h sysdeps/posix/euidaccess.c @@ -118,7 +121,7 @@ gnulib: sysdeps/posix/getcwd.c sysdeps/posix/pwrite.c sysdeps/posix/spawni.c - # Merged from gnulib 2014-6-23 + # Merged from gnulib 2024-04-08 (gnulib commit 3238349628) sysdeps/posix/tempname.c # Merged from gnulib 2014-6-27 time/mktime.c diff --git a/include/stdio.h b/include/stdio.h index 24f1652f19..e48d709919 100644 --- a/include/stdio.h +++ b/include/stdio.h @@ -156,11 +156,6 @@ extern FILE *__old_tmpfile (void); # include -/* Generate a unique file name (and possibly open it). */ -extern int __path_search (char *__tmpl, size_t __tmpl_len, - const char *__dir, const char *__pfx, - int __try_tempdir) attribute_hidden; - extern int __gen_tempname (char *__tmpl, int __suffixlen, int __flags, int __kind) attribute_hidden; /* The __kind argument to __gen_tempname may be one of: */ diff --git a/libio/oldtmpfile.c b/libio/oldtmpfile.c index af467a6e5a..f09ee0600c 100644 --- a/libio/oldtmpfile.c +++ b/libio/oldtmpfile.c 
@@ -22,6 +22,7 @@ #include #include #include +#include /* This returns a new stream opened on a temporary file (generated by tmpnam). The file is opened with mode "w+b" (binary read/write). diff --git a/stdio-common/Makefile b/stdio-common/Makefile index 6447b6b444..6bc972af1a 100644 --- a/stdio-common/Makefile +++ b/stdio-common/Makefile @@ -92,6 +92,7 @@ routines := \ sscanf \ tempnam \ tempname \ + tmpdir \ tmpfile \ tmpfile64 \ tmpnam \ diff --git a/stdio-common/tempnam.c b/stdio-common/tempnam.c index 0f8eaf3535..9e62442451 100644 --- a/stdio-common/tempnam.c +++ b/stdio-common/tempnam.c @@ -17,6 +17,7 @@ #include #include +#include "tmpdir.h" /* Generate a unique temporary filename using up to five characters of PFX if it is not NULL. The directory to put this file in is diff --git a/stdio-common/tempname.c b/stdio-common/tempname.c index d88f1c3946..77e695ca5f 100644 --- a/stdio-common/tempname.c +++ b/stdio-common/tempname.c @@ -20,18 +20,6 @@ #include #include -/* Perform the "SVID path search malarkey" on DIR and PFX. Write a - template suitable for use in __gen_tempname into TMPL, bounded - by TMPL_LEN. */ -int -__path_search (char *tmpl, size_t tmpl_len, const char *dir, const char *pfx, - int try_tmpdir) -{ - __set_errno (ENOSYS); - return -1; -} -stub_warning (__path_search) - /* Generate a (hopefully) unique temporary filename in DIR (if applicable), using template TMPL. KIND determines what to do with that name. It may be one of: diff --git a/stdio-common/tmpdir.c b/stdio-common/tmpdir.c new file mode 100644 index 0000000000..f189e85778 --- /dev/null +++ b/stdio-common/tmpdir.c 
@@ -0,0 +1,163 @@ +/* Copyright (C) 1999, 2001-2002, 2006, 2009-2024 Free Software Foundation, + Inc. + This file is part of the GNU C Library. + + This file is free software: you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation, either version 2.1 of the + License, or (at your option) any later version. + + This file is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . */ + +/* Extracted from sysdeps/posix/tempname.c. */ + +#include + +/* Specification. */ +#include "tmpdir.h" + +#include +#include + +#include +#ifndef __set_errno +# define __set_errno(Val) errno = (Val) +#endif + +#include +#ifndef P_tmpdir +# ifdef _P_tmpdir /* native Windows */ +# define P_tmpdir _P_tmpdir +# else +# define P_tmpdir "/tmp" +# endif +#endif + +#include + +#if defined _WIN32 && ! defined __CYGWIN__ +# define WIN32_LEAN_AND_MEAN /* avoid including junk */ +# include +#endif + +#if defined _WIN32 && ! defined __CYGWIN__ +/* Don't assume that UNICODE is not defined. */ +# undef GetTempPath +# define GetTempPath GetTempPathA +#endif + +#if _LIBC +# define struct_stat64 struct __stat64_t64 +#else +# include "pathmax.h" +# define struct_stat64 struct stat +# define __libc_secure_getenv secure_getenv +# define __stat64_time64(path, buf) stat (path, buf) +#endif + +/* Pathname support. + ISSLASH(C) tests whether C is a directory separator character. 
+ */ +#if defined _WIN32 || defined __CYGWIN__ || defined __EMX__ || defined __DJGPP__ + /* Native Windows, Cygwin, OS/2, DOS */ +# define ISSLASH(C) ((C) == '/' || (C) == '\\') +#else + /* Unix */ +# define ISSLASH(C) ((C) == '/') +#endif + + +/* Return nonzero if DIR is an existent directory. */ +static bool +direxists (const char *dir) +{ + struct_stat64 buf; + return __stat64_time64 (dir, &buf) == 0 && S_ISDIR (buf.st_mode); +} + +/* Path search algorithm, for tmpnam, tmpfile, etc. If DIR is + non-null and exists, uses it; otherwise uses the first of $TMPDIR, + P_tmpdir, /tmp that exists. Copies into TMPL a template suitable + for use with mk[s]temp. Will fail (-1) if DIR is non-null and + doesn't exist, none of the searched dirs exists, or there's not + enough space in TMPL. */ +int +__path_search (char *tmpl, size_t tmpl_len, const char *dir, const char *pfx, + bool try_tmpdir) +{ + const char *d; + size_t dlen, plen; + bool add_slash; + + if (!pfx || !pfx[0]) + { + pfx = "file"; + plen = 4; + } + else + { + plen = strlen (pfx); + if (plen > 5) + plen = 5; + } + + if (try_tmpdir) + { + d = __libc_secure_getenv ("TMPDIR"); + if (d != NULL && direxists (d)) + dir = d; + else if (dir != NULL && direxists (dir)) + /* nothing */ ; + else + dir = NULL; + } + if (dir == NULL) + { +#if defined _WIN32 && ! defined __CYGWIN__ + char dirbuf[PATH_MAX]; + DWORD retval; + + /* Find Windows temporary file directory. + We try this before P_tmpdir because Windows defines P_tmpdir to "\\" + and will therefore try to put all temporary files in the root + directory (unless $TMPDIR is set). 
*/ + retval = GetTempPath (PATH_MAX, dirbuf); + if (retval > 0 && retval < PATH_MAX && direxists (dirbuf)) + dir = dirbuf; + else +#endif + if (direxists (P_tmpdir)) + dir = P_tmpdir; + else if (strcmp (P_tmpdir, "/tmp") != 0 && direxists ("/tmp")) + dir = "/tmp"; + else + { + __set_errno (ENOENT); + return -1; + } + } + + dlen = strlen (dir); +#ifdef __VMS + add_slash = 0; +#else + add_slash = dlen != 0 && !ISSLASH (dir[dlen - 1]); +#endif + + /* check we have room for "${dir}/${pfx}XXXXXX\0" */ + if (tmpl_len < dlen + add_slash + plen + 6 + 1) + { + __set_errno (EINVAL); + return -1; + } + + memcpy (tmpl, dir, dlen); + sprintf (tmpl + dlen, &"/%.*sXXXXXX"[!add_slash], (int) plen, pfx); + return 0; +} diff --git a/stdio-common/tmpdir.h b/stdio-common/tmpdir.h new file mode 100644 index 0000000000..e187a31d65 --- /dev/null +++ b/stdio-common/tmpdir.h 
@@ -0,0 +1,28 @@ +/* Determine a temporary directory. + Copyright (C) 2001-2002, 2009-2024 Free Software Foundation, Inc. + + This file is free software: you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation, either version 2.1 of the + License, or (at your option) any later version. + + This file is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . */ + +#include +#include + +/* Path search algorithm, for tmpnam, tmpfile, etc. If DIR is + non-null and exists, uses it; otherwise uses the first of $TMPDIR, + P_tmpdir, /tmp that exists. Copies into TMPL a template suitable + for use with mk[s]temp. Will fail (-1) if DIR is non-null and + doesn't exist, none of the searched dirs exists, or there's not + enough space in TMPL. */ +extern int __path_search (char *tmpl, size_t tmpl_len, const char *dir, + const char *pfx, bool try_tmpdir) + attribute_hidden; diff --git a/stdio-common/tmpfile.c b/stdio-common/tmpfile.c index 9c49483fca..08cf9284bb 100644 --- a/stdio-common/tmpfile.c +++ b/stdio-common/tmpfile.c @@ -19,6 +19,7 @@ #include #include #include +#include "tmpdir.h" #include #define __fdopen _IO_fdopen diff --git a/stdio-common/tmpnam.c b/stdio-common/tmpnam.c index b02ad952e9..1cff363718 100644 --- a/stdio-common/tmpnam.c +++ b/stdio-common/tmpnam.c @@ -17,6 +17,7 @@ #include #include +#include "tmpdir.h" static char tmpnam_buffer[L_tmpnam]; diff --git a/stdio-common/tmpnam_r.c b/stdio-common/tmpnam_r.c index 2a3598af36..38f9bace9b 100644 --- a/stdio-common/tmpnam_r.c +++ b/stdio-common/tmpnam_r.c 
@@ -16,6 +16,7 @@ . */ #include +#include "tmpdir.h" /* Generate a unique filename in P_tmpdir. If S is NULL return NULL. This makes this function thread safe. */ diff --git a/sysdeps/posix/tempname.c b/sysdeps/posix/tempname.c index 2af22386eb..c00fe0c181 100644 --- a/sysdeps/posix/tempname.c +++ b/sysdeps/posix/tempname.c @@ -20,16 +20,9 @@ # include "tempname.h" #endif -#include -#include -#include - #include #include -#ifndef P_tmpdir -# define P_tmpdir "/tmp" -#endif #ifndef TMP_MAX # define TMP_MAX 238328 #endif @@ -43,12 +36,10 @@ # error report this to bug-gnulib@gnu.org #endif -#include #include #include #include -#include #include #include #include @@ -56,14 +47,12 @@ #if _LIBC # define struct_stat64 struct __stat64_t64 -# define __secure_getenv __libc_secure_getenv #else # define struct_stat64 struct stat # define __gen_tempname gen_tempname # define __mkdir mkdir # define __open open # define __lstat64_time64(file, buf) lstat (file, buf) -# define __stat64(file, buf) stat (file, buf) # define __getrandom getrandom # define __clock_gettime64 clock_gettime # define __timespec64 timespec 
@@ -77,94 +66,60 @@ typedef uint_fast64_t random_value; #define BASE_62_DIGITS 10 /* 62**10 < UINT_FAST64_MAX */ #define BASE_62_POWER (62LL * 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62) +/* Return the result of mixing the entropy from R and S. + Assume that R and S are not particularly random, + and that the result should look randomish to an untrained eye. */ + static random_value -random_bits (random_value var, bool use_getrandom) +mix_random_values (random_value r, random_value s) { - random_value r; - /* Without GRND_NONBLOCK it can be blocked for minutes on some systems. */ - if (use_getrandom && __getrandom (&r, sizeof r, GRND_NONBLOCK) == sizeof r) - return r; -#if _LIBC || (defined CLOCK_MONOTONIC && HAVE_CLOCK_GETTIME) - /* Add entropy if getrandom did not work. */ - struct __timespec64 tv; - __clock_gettime64 (CLOCK_MONOTONIC, &tv); - var ^= tv.tv_nsec; -#endif - return 2862933555777941757 * var + 3037000493; + /* As this code is used only when high-quality randomness is neither + available nor necessary, there is no need for fancier polynomials + such as those in the Linux kernel's 'random' driver. */ + return (2862933555777941757 * r + 3037000493) ^ s; } -#if _LIBC -/* Return nonzero if DIR is an existent directory. */ -static int -direxists (const char *dir) -{ - struct_stat64 buf; - return __stat64_time64 (dir, &buf) == 0 && S_ISDIR (buf.st_mode); -} +/* Set *R to a random value. + Return true if *R is set to high-quality value taken from getrandom. + Otherwise return false, falling back to a low-quality *R that might + depend on S. -/* Path search algorithm, for tmpnam, tmpfile, etc. If DIR is - non-null and exists, uses it; otherwise uses the first of $TMPDIR, - P_tmpdir, /tmp that exists. Copies into TMPL a template suitable - for use with mk[s]temp. Will fail (-1) if DIR is non-null and - doesn't exist, none of the searched dirs exists, or there's not - enough space in TMPL. 
*/ -int -__path_search (char *tmpl, size_t tmpl_len, const char *dir, const char *pfx, - int try_tmpdir) + This function returns false only when getrandom fails. + On GNU systems this should happen only early in the boot process, + when the fallback should be good enough for programs using tempname + because any attacker likely has root privileges already. */ + +static bool +random_bits (random_value *r, random_value s) { - const char *d; - size_t dlen, plen; + /* Without GRND_NONBLOCK it can be blocked for minutes on some systems. */ + if (__getrandom (r, sizeof *r, GRND_NONBLOCK) == sizeof *r) + return true; - if (!pfx || !pfx[0]) - { - pfx = "file"; - plen = 4; - } - else - { - plen = strlen (pfx); - if (plen > 5) - plen = 5; - } + /* If getrandom did not work, use ersatz entropy based on low-order + clock bits. On GNU systems getrandom should fail only + early in booting, when ersatz should be good enough. + Do not use ASLR-based entropy, as that would leak ASLR info into + the resulting file name which is typically public. - if (try_tmpdir) - { - d = __secure_getenv ("TMPDIR"); - if (d != NULL && direxists (d)) - dir = d; - else if (dir != NULL && direxists (dir)) - /* nothing */ ; - else - dir = NULL; - } - if (dir == NULL) - { - if (direxists (P_tmpdir)) - dir = P_tmpdir; - else if (strcmp (P_tmpdir, "/tmp") != 0 && direxists ("/tmp")) - dir = "/tmp"; - else - { - __set_errno (ENOENT); - return -1; - } - } + Of course we are in a state of sin here. 
*/ - dlen = strlen (dir); - while (dlen > 1 && dir[dlen - 1] == '/') - dlen--; /* remove trailing slashes */ + random_value v = s; - /* check we have room for "${dir}/${pfx}XXXXXX\0" */ - if (tmpl_len < dlen + 1 + plen + 6 + 1) - { - __set_errno (EINVAL); - return -1; - } +#if _LIBC || (defined CLOCK_REALTIME && HAVE_CLOCK_GETTIME) + struct __timespec64 tv; + __clock_gettime64 (CLOCK_REALTIME, &tv); + v = mix_random_values (v, tv.tv_sec); + v = mix_random_values (v, tv.tv_nsec); +#endif - sprintf (tmpl, "%.*s/%.*sXXXXXX", (int) dlen, dir, (int) plen, pfx); - return 0; + /* In glibc, clock_gettime with CLOCK_REALTIME is expected to always + succeed. */ +#if !_LIBC + *r = mix_random_values (v, clock ()); +#endif + return false; } -#endif /* _LIBC */ #if _LIBC static int try_tempname_len (char *, int, void *, int (*) (char *, void *), @@ -213,7 +168,7 @@ static const char letters[] = and return a read-write fd. The file is mode 0600. __GT_DIR: create a directory, which will be mode 0700. - We use a clever algorithm to get hard-to-predict names. */ + */ #ifdef _LIBC static #endif @@ -242,7 +197,7 @@ try_tempname_len (char *tmpl, int suffixlen, void *args, char *XXXXXX; unsigned int count; int fd = -1; - int save_errno = errno; + int saved_errno = errno; /* A lower bound on the number of temporary files to attempt to generate. The maximum total number of temporary file names that 
@@ -261,25 +216,17 @@ try_tempname_len (char *tmpl, int suffixlen, void *args, unsigned int attempts = ATTEMPTS_MIN; #endif - /* A random variable. The initial value is used only the for fallback path - on 'random_bits' on 'getrandom' failure. Its initial value tries to use - some entropy from the ASLR and ignore possible bits from the stack - alignment. */ - random_value v = ((uintptr_t) &v) / alignof (max_align_t); + /* A random variable. */ + random_value v = 0; - /* How many random base-62 digits can currently be extracted from V. */ + /* A value derived from the random variable, and how many random + base-62 digits can currently be extracted from VDIGBUF. */ + random_value vdigbuf; int vdigits = 0; - /* Whether to consume entropy when acquiring random bits. On the - first try it's worth the entropy cost with __GT_NOCREATE, which - is inherently insecure and can use the entropy to make it a bit - less secure. On the (rare) second and later attempts it might - help against DoS attacks. */ - bool use_getrandom = tryfunc == try_nocreate; - - /* Least unfair value for V. If V is less than this, V can generate - BASE_62_DIGITS digits fairly. Otherwise it might be biased. */ - random_value const unfair_min + /* Least biased value for V. If V is less than this, V can generate + BASE_62_DIGITS unbiased digits. Otherwise the digits are biased. */ + random_value const biased_min = RANDOM_VALUE_MAX - RANDOM_VALUE_MAX % BASE_62_POWER; len = strlen (tmpl); 
@@ -299,25 +246,23 @@ try_tempname_len (char *tmpl, int suffixlen, void *args, { if (vdigits == 0) { - do - { - v = random_bits (v, use_getrandom); - use_getrandom = true; - } - while (unfair_min <= v); + /* Worry about bias only if the bits are high quality. */ + while (random_bits (&v, v) && biased_min <= v) + continue; + vdigbuf = v; vdigits = BASE_62_DIGITS; } - XXXXXX[i] = letters[v % 62]; - v /= 62; + XXXXXX[i] = letters[vdigbuf % 62]; + vdigbuf /= 62; vdigits--; } fd = tryfunc (tmpl, args); if (fd >= 0) { - __set_errno (save_errno); + __set_errno (saved_errno); return fd; } else if (errno != EEXIST)
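Review bot: the comment on __path_search in stdio-common/tmpdir.c (duplicated in tmpdir.h) promises "Will fail (-1) if DIR is non-null and doesn't exist", but the code does not do that: inside `if (try_tmpdir)` a non-existent DIR is demoted with `else dir = NULL;` and the P_tmpdir and /tmp fallbacks are tried instead, and with try_tmpdir false DIR is never passed to direxists at all and is copied into TMPL unchecked. Now that this header is the only place the contract is documented, either check DIR unconditionally and return -1 with ENOENT as described, or correct the comment to say DIR is validated only when TRY_TMPDIR is set and otherwise falls back.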
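Review bot: stdio-common/tmpdir.c drops the trailing-slash normalisation that the old __path_search in sysdeps/posix/tempname.c had (`while (dlen > 1 && dir[dlen - 1] == '/') dlen--;`); the new `add_slash = dlen != 0 && !ISSLASH (dir[dlen - 1]);` only avoids doubling one separator, so TMPDIR=/tmp// now yields /tmp//fileXXXXXX where it used to yield /tmp/fileXXXXXX. The kernel accepts both, but tmpnam, tempnam and tmpfile callers get different strings than before; either keep the loop under `#if _LIBC` or call the behaviour change out in the commit message.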
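Review bot: in the sysdeps/posix/tempname.c hunk that rewrites random_bits, the glibc build never stores the fallback value. When getrandom fails, the clock-mixed value is computed into the local `v` under `#if _LIBC || (defined CLOCK_REALTIME && HAVE_CLOCK_GETTIME)`, but the only write to `*r` is `#if !_LIBC` / `*r = mix_random_values (v, clock ());`. With _LIBC the function returns false and leaves `*r` exactly as the caller passed it, so in try_tempname_len (`random_value v = 0;` and `while (random_bits (&v, v) && biased_min <= v)`) every attempt after a getrandom failure keeps v == 0 and emits the same `letters[0]` suffix, contradicting the new comment "falling back to a low-quality *R that might depend on S". Add `#else` / `*r = v;` to that conditional, or assign `*r = v` unconditionally before it and let the !_LIBC branch mix in clock ().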
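Review bot: in the sysdeps/posix/tempname.c hunk at @@ -213,7 the deleted sentence "We use a clever algorithm to get hard-to-predict names." leaves the block comment ending in a bare `+   */` line after "__GT_DIR: create a directory, which will be mode 0700."; close the comment on that line instead (`__GT_DIR: create a directory, which will be mode 0700.  */`).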
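The digit-extraction and fallback logic the commit message refers to (entropy loss, getrandom not being used on every attempt), as an added example that is not glibc's or gnulib's code. It reuses the constants visible in the patch (BASE_62_DIGITS, BASE_62_POWER, the mix polynomial, the biased_min rejection bound) but takes a pluggable entropy source so the getrandom-failure path can be exercised offline with a constructed scripted source; getrandom_source, scripted_source, random_bits, draw_digits_value and fill_template are names chosen here and are not glibc API. Unlike the patch's version, the ersatz branch always stores its result into *r.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#ifdef __linux__
# include <sys/random.h>   /* getrandom, GRND_NONBLOCK */
#endif

#define BASE_62_DIGITS 10
#define BASE_62_POWER (62ULL * 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62)

static const char letters[] =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Smallest value that cannot yield BASE_62_DIGITS unbiased digits: every
   value below it lies in one of the 21 complete 62^10-sized blocks of the
   64-bit range, so v % 62^10 is uniform there and skewed above it.  */
static const uint64_t biased_min = UINT64_MAX - UINT64_MAX % BASE_62_POWER;

bool is_biased (uint64_t v) { return v >= biased_min; }

/* Same mixing polynomial as the patch; low quality by design.  */
static uint64_t mix (uint64_t r, uint64_t s)
{ return (2862933555777941757ULL * r + 3037000493ULL) ^ s; }

/* Pluggable entropy source (hypothetical interface for this example).  */
typedef bool (*rand_source) (uint64_t *r, void *ctx);

/* Real source: non-blocking getrandom, as the patch uses.  */
bool getrandom_source (uint64_t *r, void *ctx)
{
  (void) ctx;
#ifdef __linux__
  return getrandom (r, sizeof *r, GRND_NONBLOCK) == (ssize_t) sizeof *r;
#else
  (void) r;
  return false;
#endif
}

/* Constructed test double: hands out VALS in order, then reports failure
   the way getrandom does early in boot.  */
struct script { const uint64_t *vals; size_t n, next; };
bool scripted_source (uint64_t *r, void *ctx)
{
  struct script *s = ctx;
  if (s->next >= s->n) return false;
  *r = s->vals[s->next++];
  return true;
}

/* Fill *R and return true if it came from the source.  On failure mix the
   previous value S with the wall clock and always store the result.  */
bool random_bits (rand_source src, void *ctx, uint64_t *r, uint64_t s)
{
  if (src (r, ctx)) return true;
  struct timespec ts = { 0 };
  clock_gettime (CLOCK_REALTIME, &ts);
  uint64_t v = mix (s, (uint64_t) ts.tv_sec);
  *r = mix (v, (uint64_t) ts.tv_nsec);
  return false;
}

/* Draw a value fit for BASE_62_DIGITS digits: reject biased draws only while
   the bits are high quality; an ersatz value is accepted as-is.  */
uint64_t draw_digits_value (rand_source src, void *ctx, bool *high_quality)
{
  uint64_t v = 0;
  bool hq;
  while ((hq = random_bits (src, ctx, &v, v)) && is_biased (v))
    continue;
  *high_quality = hq;
  return v;
}

/* Write the low BASE_62_DIGITS base-62 digits of V into OUT (no NUL).  */
void base62_digits (uint64_t v, char out[BASE_62_DIGITS])
{
  for (int i = 0; i < BASE_62_DIGITS; i++) { out[i] = letters[v % 62]; v /= 62; }
}

/* Replace the trailing "XXXXXX" of TMPL (e.g. "/tmp/fileXXXXXX") with six
   random digits; one draw yields ten, so one draw is enough.  Return -1 if
   TMPL has no such suffix.  */
int fill_template (char *tmpl, rand_source src, void *ctx, bool *high_quality)
{
  size_t len = strlen (tmpl);
  if (len < 6 || memcmp (tmpl + len - 6, "XXXXXX", 6) != 0) return -1;
  char digits[BASE_62_DIGITS];
  base62_digits (draw_digits_value (src, ctx, high_quality), digits);
  memcpy (tmpl + len - 6, digits, 6);
  return 0;
}
```

For real use call `fill_template (tmpl, getrandom_source, NULL, &hq)` and treat `hq == false` as a signal that the name is predictable. The rejection bound matters because 2^64 is not a multiple of 62^10: without it, values in the last partial block make some digits slightly more likely than others, which is the bias the patch's `biased_min` guards against whenever the bits are worth protecting.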