Bug 281953 - The fmemopen() function in libc/stdio opens a stream for writing even if the stream is specified as read-only
Summary: The fmemopen() function in libc/stdio opens a stream for writing even if the ...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 14.1-RELEASE
Hardware: amd64 Any
: --- Affects Only Me
Assignee: Ed Maste
URL: https://reviews.freebsd.org/D47265
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-09 12:06 UTC by Erkki Moorits
Modified: 2024-10-29 19:17 UTC (History)
1 user (show)

See Also:

Attachments
Test code for fmemopen(.., .., "r") (432 bytes, text/plain)
2024-10-09 12:06 UTC, Erkki Moorits 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Erkki Moorits 2024-10-09 12:06:42 UTC 
Created attachment 254107 [details]
Test code for fmemopen(.., .., "r")

When memory buffer is opened in read-only mode with the fmemopen(.., .., "r") function, then the stream opened in read-write mode.

Attached test code with this issue report.

Expected result is (this compiled and run on Ubuntu Linux):
buffer before:	'Hello123'
buffer after:	'Hello123'
fprintf result:	-1

Test code, compiled and run on FreeBSD 14.1, give following output:
buffer before:	'Hello123'
buffer after:	'test:1'
fprintf result:	6 

Possible cause of this issue are on following lines:
https://cgit.freebsd.org/src/tree/lib/libc/stdio/fmemopen.c#n139

f = funopen(ck,
	    flags & O_WRONLY ? NULL : fmemopen_read, 
	    flags & O_RDONLY ? NULL : fmemopen_write,
	    fmemopen_seek, fmemopen_close);
	    
where 'flags & O_RDONLY' give always result 0; 

But it should be like this (needs testing):
f = funopen(ck,
	    (flags & O_ACCMODE) == O_WRONLY ? NULL : fmemopen_read, 
	    (flags & O_ACCMODE) == O_RDONLY ? NULL : fmemopen_write,
	    fmemopen_seek, fmemopen_close);
	    
Or this (needs testing):
f = funopen(ck,
	    rc & __SWR ? NULL : fmemopen_read, 
	    rc & __SRD ? NULL : fmemopen_write,
	    fmemopen_seek, fmemopen_close);
Comment 1 commit-hook freebsd_committer freebsd_triage 2024-10-23 17:12:18 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0953460ce149e6f384aafbcb1e6213dfbf8f6a16

commit 0953460ce149e6f384aafbcb1e6213dfbf8f6a16
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-10-23 13:41:51 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-10-23 17:11:14 +0000

    libc: fix access mode tests in fmemopen(3)

    Previously a stream opened as read-only could be written to.  Add a test
    case for the fix.

    Also correct another incorrect access mode check that worked by
    accident, and improve the tests for that.

    PR:             281953
    Reported by:    Erkki Moorits, fuz
    Reviewed by:    fuz, khng (earlier)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D47265

 lib/libc/stdio/fmemopen.c             | 10 +++++-----
 lib/libc/tests/stdio/fmemopen2_test.c | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 5 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-10-29 19:12:03 UTC 
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4fbd6e0e3ca8e69d2d3789ecda6e4dd76c34e06a

commit 4fbd6e0e3ca8e69d2d3789ecda6e4dd76c34e06a
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-10-23 13:41:51 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-10-29 19:11:38 +0000

    libc: fix access mode tests in fmemopen(3)

    Previously a stream opened as read-only could be written to.  Add a test
    case for the fix.

    Also correct another incorrect access mode check that worked by
    accident, and improve the tests for that.

    PR:             281953
    Reported by:    Erkki Moorits, fuz
    Reviewed by:    fuz, khng (earlier)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D47265

    (cherry picked from commit 0953460ce149e6f384aafbcb1e6213dfbf8f6a16)
    (cherry picked from commit 6b9f7133aba44189d9625c352bc2c2a59baf18ef)

 lib/libc/stdio/fmemopen.c             | 10 +++++-----
 lib/libc/tests/stdio/fmemopen2_test.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 5 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-10-29 19:13:09 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2b9e6e090a13ecba890fc4ad318a46ed23e25bad

commit 2b9e6e090a13ecba890fc4ad318a46ed23e25bad
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-10-23 13:41:51 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-10-29 19:12:17 +0000

    libc: fix access mode tests in fmemopen(3)

    Previously a stream opened as read-only could be written to.  Add a test
    case for the fix.

    Also correct another incorrect access mode check that worked by
    accident, and improve the tests for that.

    PR:             281953
    Reported by:    Erkki Moorits, fuz
    Reviewed by:    fuz, khng (earlier)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D47265

    (cherry picked from commit 0953460ce149e6f384aafbcb1e6213dfbf8f6a16)
    (cherry picked from commit 6b9f7133aba44189d9625c352bc2c2a59baf18ef)
    (cherry picked from commit 4fbd6e0e3ca8e69d2d3789ecda6e4dd76c34e06a)

 lib/libc/stdio/fmemopen.c             | 10 +++++-----
 lib/libc/tests/stdio/fmemopen2_test.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 5 deletions(-)
Comment 4 Ed Maste freebsd_committer freebsd_triage 2024-10-29 19:17:26 UTC 
Thank you for providing a detailed bug report! Now fixed in main and both supported stable branches.