[PATCH] libsemanage: genhomedircon - improve handling large groups

[PATCH] libsemanage: genhomedircon - improve handling large groups

[Petr Lautrbach]

getgrnam_r() uses a preallocated buffer to store a structure containing
the broken-out fields of the record in the group database. The size of
this buffer is usually sysconf(_SC_GETGR_R_SIZE_MAX) == 1024 and it is
not enough for groups with a large number of users.  In these cases,
getgrnam_r() returns -1 and sets errno to ERANGE and the caller can
retry with a larger buffer.

Fixes:
$ semanage login -a -s user_u -r s0-s0:c1.c2 '%largegroup'
libsemanage.semanage_direct_commit: semanage_genhomedircon returned error code -1. (Numerical result out of range).
OSError: Numerical result out of range

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 libsemanage/src/genhomedircon.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 591941fb..ac376671 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -1077,10 +1077,20 @@ static int get_group_users(genhomedircon_settings_t * s,
 
 	const char *grname = selogin + 1;
 
-	if (getgrnam_r(grname, &grstorage, grbuf,
-			(size_t) grbuflen, &group) != 0) {
-		goto cleanup;
+	errno = 0;
+	while (
+		(retval = getgrnam_r(grname, &grstorage, grbuf, (size_t) grbuflen, &group)) != 0 &&
+		errno == ERANGE
+	) {
+		char *new_grbuf;
+		grbuflen *= 2;
+		new_grbuf = realloc(grbuf, grbuflen);
+		if (new_grbuf == NULL)
+			goto cleanup;
+		grbuf = new_grbuf;
 	}
+	if (retval == -1)
+		goto cleanup;
 
 	if (group == NULL) {
 		ERR(s->h_semanage, "Can't find group named %s\n", grname);
-- 
2.20.1

Re: [PATCH] libsemanage: genhomedircon - improve handling large groups

[Nicolas Iooss]

On Wed, Feb 6, 2019 at 8:45 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> getgrnam_r() uses a preallocated buffer to store a structure containing
> the broken-out fields of the record in the group database. The size of
> this buffer is usually sysconf(_SC_GETGR_R_SIZE_MAX) == 1024 and it is
> not enough for groups with a large number of users.  In these cases,
> getgrnam_r() returns -1 and sets errno to ERANGE and the caller can
> retry with a larger buffer.
>
> Fixes:
> $ semanage login -a -s user_u -r s0-s0:c1.c2 '%largegroup'
> libsemanage.semanage_direct_commit: semanage_genhomedircon returned error code -1. (Numerical result out of range).
> OSError: Numerical result out of range
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>  libsemanage/src/genhomedircon.c | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
> index 591941fb..ac376671 100644
> --- a/libsemanage/src/genhomedircon.c
> +++ b/libsemanage/src/genhomedircon.c
> @@ -1077,10 +1077,20 @@ static int get_group_users(genhomedircon_settings_t * s,
>
>         const char *grname = selogin + 1;
>
> -       if (getgrnam_r(grname, &grstorage, grbuf,
> -                       (size_t) grbuflen, &group) != 0) {
> -               goto cleanup;
> +       errno = 0;
> +       while (
> +               (retval = getgrnam_r(grname, &grstorage, grbuf, (size_t) grbuflen, &group)) != 0 &&
> +               errno == ERANGE
> +       ) {
> +               char *new_grbuf;
> +               grbuflen *= 2;
> +               new_grbuf = realloc(grbuf, grbuflen);
> +               if (new_grbuf == NULL)
> +                       goto cleanup;
> +               grbuf = new_grbuf;
>         }

Hello,
When reading this for loop, I am concerned about the case where the
member list exceeds 2Go on a system with a 32-bit CPU (where
sizeof(long) = 4). Even if it seems very unlikely, if this ever
happens, the loop will become infinite. Would you agree with adding
"&& grbuflen > 0" to the condition of the while statement?

Anyway, if you do not agree, this patch looks good to me.
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Thanks,
Nicolas

> +       if (retval == -1)
> +               goto cleanup;
>
>         if (group == NULL) {
>                 ERR(s->h_semanage, "Can't find group named %s\n", grname);
> --
> 2.20.1
>

Re: [PATCH] libsemanage: genhomedircon - improve handling large groups

[Petr Lautrbach]

Nicolas Iooss <nicolas.iooss@m4x.org> writes:

> On Wed, Feb 6, 2019 at 8:45 PM Petr Lautrbach 
> <plautrba@redhat.com> wrote:
>>
>> getgrnam_r() uses a preallocated buffer to store a structure 
>> containing
>> the broken-out fields of the record in the group database. The 
>> size of
>> this buffer is usually sysconf(_SC_GETGR_R_SIZE_MAX) == 1024 
>> and it is
>> not enough for groups with a large number of users.  In these 
>> cases,
>> getgrnam_r() returns -1 and sets errno to ERANGE and the caller 
>> can
>> retry with a larger buffer.
>>
>> Fixes:
>> $ semanage login -a -s user_u -r s0-s0:c1.c2 '%largegroup'
>> libsemanage.semanage_direct_commit: semanage_genhomedircon 
>> returned error code -1. (Numerical result out of range).
>> OSError: Numerical result out of range
>>
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>>  libsemanage/src/genhomedircon.c | 16 +++++++++++++---
>>  1 file changed, 13 insertions(+), 3 deletions(-)
>>
>> diff --git a/libsemanage/src/genhomedircon.c 
>> b/libsemanage/src/genhomedircon.c
>> index 591941fb..ac376671 100644
>> --- a/libsemanage/src/genhomedircon.c
>> +++ b/libsemanage/src/genhomedircon.c
>> @@ -1077,10 +1077,20 @@ static int 
>> get_group_users(genhomedircon_settings_t * s,
>>
>>         const char *grname = selogin + 1;
>>
>> -       if (getgrnam_r(grname, &grstorage, grbuf,
>> -                       (size_t) grbuflen, &group) != 0) {
>> -               goto cleanup;
>> +       errno = 0;
>> +       while (
>> +               (retval = getgrnam_r(grname, &grstorage, grbuf, 
>> (size_t) grbuflen, &group)) != 0 &&
>> +               errno == ERANGE
>> +       ) {
>> +               char *new_grbuf;
>> +               grbuflen *= 2;
>> +               new_grbuf = realloc(grbuf, grbuflen);
>> +               if (new_grbuf == NULL)
>> +                       goto cleanup;
>> +               grbuf = new_grbuf;
>>         }
>
> Hello,
> When reading this for loop, I am concerned about the case where 
> the
> member list exceeds 2Go on a system with a 32-bit CPU (where
> sizeof(long) = 4). Even if it seems very unlikely, if this ever
> happens, the loop will become infinite. Would you agree with 
> adding
> "&& grbuflen > 0" to the condition of the while statement?

Makes sense, I'll add it. Thanks.

> Anyway, if you do not agree, this patch looks good to me.
> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> Thanks,
> Nicolas
>
>> +       if (retval == -1)
>> +               goto cleanup;

According to the man page this check is not correct. - "In case of
error, an error number is returned, and NULL is stored in 
*result."

I'll fix it as well.


>>         if (group == NULL) {
>>                 ERR(s->h_semanage, "Can't find group named 
>>                 %s\n", grname);
>> --
>> 2.20.1
>>

[PATCH v2] libsemanage: genhomedircon - improve handling large groups

[Petr Lautrbach]

getgrnam_r() uses a preallocated buffer to store a structure containing
the broken-out fields of the record in the group database. The size of
this buffer is usually sysconf(_SC_GETGR_R_SIZE_MAX) == 1024 and it is
not enough for groups with a large number of users.  In these cases,
getgrnam_r() returns -1 and sets errno to ERANGE and the caller can
retry with a larger buffer.

Fixes:
$ semanage login -a -s user_u -r s0-s0:c1.c2 '%largegroup'
libsemanage.semanage_direct_commit: semanage_genhomedircon returned error code -1. (Numerical result out of range).
OSError: Numerical result out of range

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 libsemanage/src/genhomedircon.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 591941fb..e5f8d371 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -1077,10 +1077,24 @@ static int get_group_users(genhomedircon_settings_t * s,
 
 	const char *grname = selogin + 1;
 
-	if (getgrnam_r(grname, &grstorage, grbuf,
-			(size_t) grbuflen, &group) != 0) {
-		goto cleanup;
+	errno = 0;
+	while (
+		(retval = getgrnam_r(grname, &grstorage, grbuf, (size_t) grbuflen, &group)) != 0 &&
+		errno == ERANGE
+	) {
+		char *new_grbuf;
+		grbuflen *= 2;
+		if (grbuflen < 0)
+			/* the member list could exceed 2Gb on a system with a 32-bit CPU (where
+			 * sizeof(long) = 4) - if this ever happened, the loop would become infinite. */
+			goto cleanup;
+		new_grbuf = realloc(grbuf, grbuflen);
+		if (new_grbuf == NULL)
+			goto cleanup;
+		grbuf = new_grbuf;
 	}
+	if (retval != 0)
+		goto cleanup;
 
 	if (group == NULL) {
 		ERR(s->h_semanage, "Can't find group named %s\n", grname);
-- 
2.20.1

Re: [PATCH v2] libsemanage: genhomedircon - improve handling large groups

[Nicolas Iooss]

On Tue, Feb 12, 2019 at 4:20 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> getgrnam_r() uses a preallocated buffer to store a structure containing
> the broken-out fields of the record in the group database. The size of
> this buffer is usually sysconf(_SC_GETGR_R_SIZE_MAX) == 1024 and it is
> not enough for groups with a large number of users.  In these cases,
> getgrnam_r() returns -1 and sets errno to ERANGE and the caller can
> retry with a larger buffer.
>
> Fixes:
> $ semanage login -a -s user_u -r s0-s0:c1.c2 '%largegroup'
> libsemanage.semanage_direct_commit: semanage_genhomedircon returned error code -1. (Numerical result out of range).
> OSError: Numerical result out of range
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
>  libsemanage/src/genhomedircon.c | 20 +++++++++++++++++---
>  1 file changed, 17 insertions(+), 3 deletions(-)
>
> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
> index 591941fb..e5f8d371 100644
> --- a/libsemanage/src/genhomedircon.c
> +++ b/libsemanage/src/genhomedircon.c
> @@ -1077,10 +1077,24 @@ static int get_group_users(genhomedircon_settings_t * s,
>
>         const char *grname = selogin + 1;
>
> -       if (getgrnam_r(grname, &grstorage, grbuf,
> -                       (size_t) grbuflen, &group) != 0) {
> -               goto cleanup;
> +       errno = 0;
> +       while (
> +               (retval = getgrnam_r(grname, &grstorage, grbuf, (size_t) grbuflen, &group)) != 0 &&
> +               errno == ERANGE
> +       ) {
> +               char *new_grbuf;
> +               grbuflen *= 2;
> +               if (grbuflen < 0)
> +                       /* the member list could exceed 2Gb on a system with a 32-bit CPU (where
> +                        * sizeof(long) = 4) - if this ever happened, the loop would become infinite. */
> +                       goto cleanup;
> +               new_grbuf = realloc(grbuf, grbuflen);
> +               if (new_grbuf == NULL)
> +                       goto cleanup;
> +               grbuf = new_grbuf;
>         }
> +       if (retval != 0)
> +               goto cleanup;
>
>         if (group == NULL) {
>                 ERR(s->h_semanage, "Can't find group named %s\n", grname);
> --
> 2.20.1
>

Re: [PATCH v2] libsemanage: genhomedircon - improve handling large groups

[Petr Lautrbach]

Nicolas Iooss <nicolas.iooss@m4x.org> writes:

> On Tue, Feb 12, 2019 at 4:20 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> getgrnam_r() uses a preallocated buffer to store a structure containing
>> the broken-out fields of the record in the group database. The size of
>> this buffer is usually sysconf(_SC_GETGR_R_SIZE_MAX) == 1024 and it is
>> not enough for groups with a large number of users.  In these cases,
>> getgrnam_r() returns -1 and sets errno to ERANGE and the caller can
>> retry with a larger buffer.
>>
>> Fixes:
>> $ semanage login -a -s user_u -r s0-s0:c1.c2 '%largegroup'
>> libsemanage.semanage_direct_commit: semanage_genhomedircon returned error code -1. (Numerical result out of range).
>> OSError: Numerical result out of range
>>
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>
> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Merged.

>> ---
>>  libsemanage/src/genhomedircon.c | 20 +++++++++++++++++---
>>  1 file changed, 17 insertions(+), 3 deletions(-)
>>
>> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
>> index 591941fb..e5f8d371 100644
>> --- a/libsemanage/src/genhomedircon.c
>> +++ b/libsemanage/src/genhomedircon.c
>> @@ -1077,10 +1077,24 @@ static int get_group_users(genhomedircon_settings_t * s,
>>
>>         const char *grname = selogin + 1;
>>
>> -       if (getgrnam_r(grname, &grstorage, grbuf,
>> -                       (size_t) grbuflen, &group) != 0) {
>> -               goto cleanup;
>> +       errno = 0;
>> +       while (
>> +               (retval = getgrnam_r(grname, &grstorage, grbuf, (size_t) grbuflen, &group)) != 0 &&
>> +               errno == ERANGE
>> +       ) {
>> +               char *new_grbuf;
>> +               grbuflen *= 2;
>> +               if (grbuflen < 0)
>> +                       /* the member list could exceed 2Gb on a system with a 32-bit CPU (where
>> +                        * sizeof(long) = 4) - if this ever happened, the loop would become infinite. */
>> +                       goto cleanup;
>> +               new_grbuf = realloc(grbuf, grbuflen);
>> +               if (new_grbuf == NULL)
>> +                       goto cleanup;
>> +               grbuf = new_grbuf;
>>         }
>> +       if (retval != 0)
>> +               goto cleanup;
>>
>>         if (group == NULL) {
>>                 ERR(s->h_semanage, "Can't find group named %s\n", grname);
>> --
>> 2.20.1
>>