Home | History | Annotate | Download | only in libprop
History log of /src/common/lib/libprop/prop_object.c
RevisionDateAuthorComments
 1.42  14-May-2025  thorpej Undo previous revert, and fix include ordering in prop_extern.c and
prop_intern.c that broke tools build on some hosts.
 1.41  13-May-2025  thorpej Revert previous while I investigate the build failure.
 1.40  13-May-2025  thorpej Separate the {extern,intern}alize support routines into their own files,
and reduce the verbosity of the names.

NFCI.
 1.39  26-Apr-2025  thorpej Hide the private symbols.
 1.38  24-Apr-2025  christos pass lint
 1.37  24-Apr-2025  christos typo police.
 1.36  23-Apr-2025  thorpej Add support for serializing to, and de-serializing from, JSON, as
specified in RFC 8259. Format is automatically detected for input,
and can be specified explicitly for output. The default format remains
XML.

As part of this change, generic prop_object_{internalize,externalize}()
functions are provided, and the "_with_format" flavor allows the output
format to be specified. Previous array- and dictionary-specific routines
remain for backwards compatibility.
 1.35  07-Aug-2022  riastradh branches: 1.35.8;
proplib: Allocate sizeof(*ctx), not sizeof(struct ...).

No functional change intended.
 1.34  04-Aug-2022  riastradh proplib: Fix mistake in previous -- use strncmp for prefix matching.
 1.33  03-Aug-2022  riastradh proplib: Don't run off end of buffer with memcmp.

The input is required to be NUL-terminated anyway, so just use strcmp
here.

Reported-by: syzbot+69838802c8ec55909ba3@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=927d66e8aa079ba2be43497425a6d9878025ad09
 1.32  03-Aug-2022  riastradh proplib: Nix trailing whitespace.
 1.31  08-May-2019  thorpej Use posix_madvise() rather than the legacy madvise() call, and
wrapp the calls in #ifdef for the advice we're giving. Should
address reports of host tool build issues.
 1.30  12-May-2015  christos branches: 1.30.16;
Now that _PROP_ISSPACE does not include the EOF check, put the check for
EOF inside the loop. Also fix another unbounded loop that did not check for
EOF. From Mateusz Kocielski
XXX: pullup-7
 1.29  18-Oct-2013  martin branches: 1.29.4;
Make this compilable with gcc 4.8.1 without options DIAGNOSTIC.
 1.28  27-Jul-2012  pooka branches: 1.28.2;
Bit-un-rot the proplib portability layer.
 1.27  20-Apr-2011  martin branches: 1.27.4;
Update also the non-void pointers to the current test objects.
Finaly fixes PR lib/43964.
 1.26  30-Mar-2009  haad Fix crash where user was able to crash proplib with trying to internalize
bad xml file with non-existing data type e.g. <number>.

Problem is that poi is not NULL even in case that we haven't find any match
in data type name. We need to check if poi->poi_tag is not NULL before
calling poi->poi_intern function which is non existing case NULL and will
cause crash.
 1.25  25-Jan-2009  lukem branches: 1.25.2;
sign-compare fix
 1.24  03-Jan-2009  pooka Get rid of locks with static initializers using once and atomic ops.
This makes proplib simplelock-free.
 1.23  30-Nov-2008  haad Fix two race conditions in proplib library. In prop_dictionary and prop_number
there was small window in which was entry left in rb tree with reference
count 0 which lead to rb tree coruption when another thread picked this up
before it was released.
Add 2 new members to the prop_object_t which are used for locking/unlocking
rb tree guard mutex.

Ok by joerg@, core@, thorpej@
 1.22  03-Aug-2008  thorpej branches: 1.22.4;
Fix an issue introduced with the prop_stack change: It's not a good idea to
return a 3-value enum from a function declared to return bool. This broke
the recurse case for prop_object_equals(). Instead, declare the object type
equals routine to return a _prop_object_equals_rv_t.

Give the same treatment to the object type free routines: declare them to
return a _prop_object_free_rv_t, and consistently check those return values
againt the enum type.

Tidy up some whitespace while we're here.
 1.21  28-Apr-2008  martin branches: 1.21.2;
Remove clause 3 and 4 from TNF licenses
 1.20  23-Feb-2008  lukem branches: 1.20.2;
Use mkstemp() + fchmod() instead of mktemp(), since the latter
results in linker warnings.
 1.19  05-Jan-2008  ad branches: 1.19.2;
Include sys/simplelock.h in prop_object_impl.h.
 1.18  04-Jan-2008  xtraeme sys/simplelock.h is required now.
 1.17  30-Aug-2007  xtraeme tyop: guaranty -> guarantee.
 1.16  30-Aug-2007  joerg Avoid using unbound amount of stack frames in prop_object_equal
by using a dynamic stack as well. Reorder arguments for the internalizer
as the iteration is always present and should go before possibly
NULL arguments.

Reviewed by mjf@ and adrianp@
 1.15  16-Aug-2007  joerg branches: 1.15.2;
libprop is currently using a recursive parser. While this is fine for
userland, deeply nested arrays and dictionaries can easily overflow
the kernel stack and thereby force a panic.

Fix the internalizer and prop_object_release to use a separate call
stack and alter the dictionary and array handling to not recurse on
the C stack. The default stack has an inline depth of 16 elements,
which should keep the overhead reasonable.

This issue was found by Pavel Cahyna and Jachym Holecek.

Additionally add a limit for prop_object_copyin_ioctl to prevent user
programs from temporary allocating unbound amount of kernel memory.
Allow malloc to fail so that tight loops of userland processes can't
force panics by exhausting the kernel map.

Tested with the sample exploit of Jachym, his test suite and reviewed
by himself (initial patch), Christos Zoulas and Jason Thorpe.
 1.14  16-Aug-2007  thorpej boolean_t -> bool
TRUE -> true
FALSE -> false
 1.13  16-Jul-2007  joerg prop_array_internalize and prop_dictionary_internalize are basically the
same code. Refactor it into _prop_generic_internalize, which gets passed
the second-level tag.
 1.12  19-Oct-2006  he branches: 1.12.2; 1.12.4; 1.12.12;
sysconf() returns long, which isn't neccessarily assignment-compatible
with size_t, as evidenced by sh5, so add an explicit cast.
 1.11  18-Oct-2006  martin Backout size_t casts - lint has been fixed.
 1.10  18-Oct-2006  martin Sprinkle a few size_t casts to avoid conversion warnings.
 1.9  16-Oct-2006  thorpej Add a _PROP_ARG_UNUSED that expands to __unused on NetBSD and to nothing
everywhere else. Use it where Christos decided to use __unused in this
code.
 1.8  15-Oct-2006  christos de-lint.
 1.7  12-Oct-2006  thorpej _prop_object_fini(): Consume all of the arguments.
 1.6  03-Oct-2006  thorpej - Add a reader-writer lock to array and dictionary objects that ensures that
the data structure is internally consistent in the face of multiple threads
accessing it concurrently. This is not designed to provide application-
level semantic consistency; applications are responsible for that locking
protocol should it be necessary.
- Rename _PROP_MUTEX_DECL() to _PROP_MUTEX_DECL_STATIC().
 1.5  27-Aug-2006  christos complete initialization.
 1.4  21-Aug-2006  thorpej Several changes to proplib:
- Arrays can now be externalized and internalized in the same way
dictionaries can.
- Add new "externalize to file" and "internalize from file" functions
to make reading a property list from a file and writing a property
list to a file more convenient.
- Many assertions in the object implementations are gone. Instead,
calling an accessor for one object type with a different object type
as an argument will return a suitable "invalid" value.
- prop_object_type() now returns a new PROP_TYPE_UNKNOWN value if called
with a NULL object.
- Externalized property lists now contain a reference to the Apple XML
plist DTD.
- Add a new prop_ingest(3) facility, which provides a convenient way to
translate a dictionary into an arbitrary binary representation.
 1.3  18-May-2006  thorpej branches: 1.3.2;
Move all of the locking compatibility definitions into prop_object_impl.h.
 1.2  18-May-2006  thorpej - Add prop_array_equals(), prop_dictionary_equals(), and
prop_dictionary_keysym_equals(), and prop_object_equals() functions.
- Use realloc() where it makes sense. There will be more changes in this
area.
- Add a _prop_object_type structure that is used internally to keep
information about the object types. Decreases the footprint of the
objects slightly by replacing several pointers with just one.
 1.1  27-Apr-2006  thorpej Initial commit of proplib, a library for manipulating property lists and
converting to/from an XML external representation (based on Apple XML
property lists). Works in the kernel and user space.
 1.3.2.1  23-Aug-2006  tron Pull up following revision(s) (requested by thorpej in ticket #43):
common/include/prop/prop_ingest.h: revision 1.1
common/lib/libprop/prop_number.c: revision 1.4
common/include/prop/prop_array.h: revision 1.3
common/lib/libprop/prop_object_impl.h: revision 1.4
common/include/prop/prop_dictionary.h: revision 1.4
distrib/sets/lists/comp/mi: revision 1.911
common/include/prop/Makefile: revision 1.2
common/lib/libprop/prop_bool.c: revision 1.4
distrib/sets/lists/base/shl.mi: revision 1.365
common/lib/libprop/prop_data.c: revision 1.3
lib/libprop/shlib_version: revision 1.4
lib/libprop/Makefile: revision 1.6
common/lib/libprop/prop_object.c: revision 1.4
common/lib/libprop/prop_object.3: revision 1.4
common/include/prop/proplib.h: revision 1.3
common/lib/libprop/Makefile.inc: revision 1.3
common/include/prop/prop_object.h: revision 1.4
common/lib/libprop/prop_array.c: revision 1.4
common/lib/libprop/prop_array.3: revision 1.4
common/lib/libprop/prop_string.c: revision 1.3
common/lib/libprop/prop_dictionary.3: revision 1.4
common/lib/libprop/prop_ingest.c: revision 1.1
common/lib/libprop/prop_ingest.3: revision 1.1
common/lib/libprop/prop_dictionary.c: revision 1.9
Several changes to proplib:
- Arrays can now be externalized and internalized in the same way
dictionaries can.
- Add new "externalize to file" and "internalize from file" functions
to make reading a property list from a file and writing a property
list to a file more convenient.
- Many assertions in the object implementations are gone. Instead,
calling an accessor for one object type with a different object type
as an argument will return a suitable "invalid" value.
- prop_object_type() now returns a new PROP_TYPE_UNKNOWN value if called
with a NULL object.
- Externalized property lists now contain a reference to the Apple XML
plist DTD.
- Add a new prop_ingest(3) facility, which provides a convenient way to
translate a dictionary into an arbitrary binary representation.
 1.12.12.1  30-Sep-2007  wrstuden Catch up on netbsd-4 as of a few days ago.
 1.12.4.3  31-Mar-2009  bouyer Apply patch (requested by haad in ticket #1296):
common/lib/libprop/prop_object.c: patch
Fix crash where user was able to crash proplib with trying to
internalize bad xml file with non-existing data type e.g. <number>.
 1.12.4.2  30-Nov-2008  snj Pull up following revision(s) (requested by haad in ticket #1243):
common/lib/libprop/prop_dictionary.c: revision 1.33
common/lib/libprop/prop_number.c: revision 1.20
common/lib/libprop/prop_object.c: revision 1.23 via patch
common/lib/libprop/prop_object_impl.h: revision 1.28
Fix two race conditions in proplib library. In prop_dictionary and
prop_number there was small window in which was entry left in rb tree
with reference count 0 which lead to rb tree coruption when another
thread picked this up before it was released.
Add 2 new members to the prop_object_t which are used for locking/unlocking
rb tree guard mutex.
Ok by joerg@, core@, thorpej@
 1.12.4.1  27-Sep-2007  xtraeme branches: 1.12.4.1.2;
Pull up following revision(s) (requested by joerg in ticket #904):
sbin/veriexecctl/veriexecctl.c: revision 1.29 (via patch)
common/lib/libprop/prop_string.c: revision 1.9 (via patch)
distrib/sets/lists/comp/mi: revision 1.1063 (via patch)
common/lib/libprop/prop_kern.c: revision 1.8 (via patch)
common/include/prop/prop_string.h: revision 1.2 (via patch)
common/include/prop/prop_ingest.h: revision 1.2 (via patch)
usr.sbin/btdevctl/btdevctl.c: revision 1.5 (via patch)
common/lib/libprop/prop_object_impl.h: revision 1.14 (via patch)
common/lib/libprop/prop_rb.c: revision 1.7 (via patch)
common/include/prop/prop_array.h: revision 1.5 (via patch)
common/lib/libprop/prop_stack.h: revision 1.1 (via patch)
common/lib/libprop/prop_object_impl.h: revision 1.16 (via patch)
common/lib/libprop/prop_number.3: revision 1.7 (via patch)
common/lib/libprop/prop_stack.h: revision 1.2 (via patch)
common/lib/libprop/prop_stack.c: revision 1.1 (via patch)
common/lib/libprop/prop_object_impl.h: revision 1.17 (via patch)
common/lib/libprop/prop_dictionary_util.c: revision 1.2 (via patch)
common/lib/libprop/prop_dictionary_util.3: revision 1.2 (via patch)
common/lib/libprop/prop_dictionary.c: revision 1.18 (via patch)
common/lib/libprop/prop_stack.c: revision 1.2 (via patch)
common/lib/libprop/prop_object_impl.h: revision 1.18 (via patch)
common/lib/libprop/prop_dictionary.c: revision 1.19 (via patch)
common/include/prop/prop_bool.h: revision 1.3 (via patch)
common/include/prop/prop_dictionary.h: revision 1.7 (via patch)
common/include/prop/prop_data.h: revision 1.2 (via patch)
sys/sys/dkio.h: revision 1.14 (via patch)
usr.sbin/btdevctl/sdp.c: revision 1.4 (via patch)
common/include/prop/Makefile: revision 1.3 (via patch)
common/include/prop/prop_number.h: revision 1.5 (via patch)
common/lib/libprop/prop_object.c: revision 1.14 (via patch)
common/lib/libprop/prop_object.c: revision 1.15 (via patch)
common/lib/libprop/prop_object.c: revision 1.16 (via patch)
common/lib/libprop/prop_bool.3: revision 1.3 (via patch)
common/lib/libprop/prop_data.3: revision 1.4 (via patch)
common/lib/libprop/prop_object.3: revision 1.6 (via patch)
common/lib/libprop/prop_data.c: revision 1.7 (via patch)
common/lib/libprop/prop_data.c: revision 1.8 (via patch)
common/lib/libprop/prop_data.c: revision 1.9 (via patch)
common/lib/libprop/prop_dictionary.c: revision 1.20 (via patch)
usr.sbin/btdevctl/print.c: revision 1.9 (via patch)
sbin/veriexecctl/veriexecctl_parse.y: revision 1.22 (via patch)
common/lib/libprop/prop_number.c: revision 1.12 (via patch)
common/include/prop/proplib.h: revision 1.5 (via patch)
common/lib/libprop/prop_number.c: revision 1.13 (via patch)
common/lib/libprop/prop_number.c: revision 1.14 (via patch)
common/include/prop/prop_object.h: revision 1.5 (via patch)
common/lib/libprop/prop_array.3: revision 1.5 (via patch)
common/include/prop/prop_object.h: revision 1.6 (via patch)
common/lib/libprop/prop_string.3: revision 1.4 (via patch)
common/lib/libprop/prop_bool.c: revision 1.10 (via patch)
common/lib/libprop/Makefile.inc: revision 1.6 (via patch)
common/lib/libprop/prop_ingest.c: revision 1.2 (via patch)
common/lib/libprop/prop_bool.c: revision 1.11 (via patch)
common/lib/libprop/prop_array.c: revision 1.10 (via patch)
common/lib/libprop/prop_ingest.3: revision 1.3 (via patch)
common/lib/libprop/prop_bool.c: revision 1.12 (via patch)
common/lib/libprop/prop_array.c: revision 1.11 (via patch)
common/lib/libprop/prop_string.c: revision 1.7 (via patch)
common/lib/libprop/prop_dictionary.3: revision 1.8 (via patch)
common/lib/libprop/prop_array.c: revision 1.9 (via patch)
usr.sbin/btdevctl/db.c: revision 1.4 (via patch)
common/lib/libprop/prop_string.c: revision 1.8 (via patch)
common/include/prop/plistref.h: revision 1.1 (via patch)
Consider '\r' to be white space. Discussed with and also kept as local
change by freza. With this change, DOS style line endings work.

boolean_t -> bool
TRUE -> true
FALSE -> false

libprop is currently using a recursive parser. While this is fine for
userland, deeply nested arrays and dictionaries can easily overflow
the kernel stack and thereby force a panic.

Fix the internalizer and prop_object_release to use a separate call
stack and alter the dictionary and array handling to not recurse on
the C stack. The default stack has an inline depth of 16 elements,
which should keep the overhead reasonable.

This issue was found by Pavel Cahyna and Jachym Holecek.

Additionally add a limit for prop_object_copyin_ioctl to prevent user
programs from temporary allocating unbound amount of kernel memory.

Allow malloc to fail so that tight loops of userland processes can't
force panics by exhausting the kernel map.

Tested with the sample exploit of Jachym, his test suite and reviewed
by himself (initial patch), Christos Zoulas and Jason Thorpe.
struct plistref does not reference other proplib data types, so split it
in its own header file to be included by dkio.h. Fixes breakage due to
pollution from proplib.h in programs which include ioctl.h. Tested and OK
by dogcow@.

Attempt at fixing build failures after proplib was converted to bool:
FALSE -> false, TRUE -> true, boolean_t -> bool, int -> bool when
appropriate, include stdbool.h . proplib.h no longer provides boolean_t,
so it is necessary to change to bool.
From Tom Spindler (dogcow@).

Avoid using unbound amount of stack frames in prop_object_equal
by using a dynamic stack as well. Reorder arguments for the internalizer
as the iteration is always present and should go before possibly
NULL arguments.
Reviewed by mjf@ and adrianp@
 1.12.4.1.2.2  31-Mar-2009  bouyer Apply patch (requested by haad in ticket #1296):
common/lib/libprop/prop_object.c: patch
Fix crash where user was able to crash proplib with trying to
internalize bad xml file with non-existing data type e.g. <number>.
 1.12.4.1.2.1  30-Nov-2008  snj Pull up following revision(s) (requested by haad in ticket #1243):
common/lib/libprop/prop_dictionary.c: revision 1.33
common/lib/libprop/prop_number.c: revision 1.20
common/lib/libprop/prop_object.c: revision 1.23 via patch
common/lib/libprop/prop_object_impl.h: revision 1.28
Fix two race conditions in proplib library. In prop_dictionary and
prop_number there was small window in which was entry left in rb tree
with reference count 0 which lead to rb tree coruption when another
thread picked this up before it was released.
Add 2 new members to the prop_object_t which are used for locking/unlocking
rb tree guard mutex.
Ok by joerg@, core@, thorpej@
 1.12.2.2  19-Oct-2006  he sysconf() returns long, which isn't neccessarily assignment-compatible
with size_t, as evidenced by sh5, so add an explicit cast.
 1.12.2.1  19-Oct-2006  he file prop_object.c was added on branch newlock2 on 2006-10-19 10:10:36 +0000
 1.15.2.2  23-Mar-2008  matt sync with HEAD
 1.15.2.1  06-Nov-2007  matt sync with HEAD
 1.19.2.1  24-Mar-2008  keiichi sync with head.
 1.20.2.1  18-May-2008  yamt sync with head.
 1.21.2.1  18-Sep-2008  wrstuden Sync with wrstuden-revivesa-base-2.
 1.22.4.2  30-Mar-2009  snj Pull up following revision(s) (requested by haad in ticket #623):
common/lib/libprop/prop_object.c: revision 1.26
Fix crash where user was able to crash proplib with trying to internalize
bad xml file with non-existing data type e.g. <number>.
Problem is that poi is not NULL even in case that we haven't find any match
in data type name. We need to check if poi->poi_tag is not NULL before
calling poi->poi_intern function which is non existing case NULL and will
cause crash.
 1.22.4.1  30-Nov-2008  snj Pull up following revision(s) (requested by haad in ticket #150):
common/lib/libprop/prop_dictionary.c: revision 1.33
common/lib/libprop/prop_number.c: revision 1.20
common/lib/libprop/prop_object.c: revision 1.23
common/lib/libprop/prop_object_impl.h: revision 1.28
Fix two race conditions in proplib library. In prop_dictionary and
prop_number there was small window in which was entry left in rb tree with
reference count 0 which lead to rb tree coruption when another thread picked
this up before it was released.
Add 2 new members to the prop_object_t which are used for locking/unlocking
rb tree guard mutex.
Ok by joerg@, core@, thorpej@
 1.25.2.1  13-May-2009  jym Sync with HEAD.

Commit is split, to avoid a "too many arguments" protocol error.
 1.27.4.2  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.27.4.1  30-Oct-2012  yamt sync with head
 1.28.2.1  19-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.29.4.1  16-May-2015  snj Pull up following revision(s) (requested by christos in ticket #782):
common/lib/libprop/prop_kern.c: revision 1.19
common/lib/libprop/prop_object.c: revision 1.30
common/lib/libprop/prop_object_impl.h: revision 1.32
Limit size of xml buffer for userland requests (From Mateusz Kocielski)
--
Don't treat NUL (EOF) as SPACE. All the code that uses _PROP_ISSPACE() checks
explicitly for _PROP_EOF() anyway, and this can be abused to cause run beyond
the end of buffer DoS (Mateusz Kocielski)
--
Now that _PROP_ISSPACE does not include the EOF check, put the check for
EOF inside the loop. Also fix another unbounded loop that did not check for
EOF. From Mateusz Kocielski
 1.30.16.3  21-Apr-2020  martin Ooops, restore accidently removed files from merge mishap
 1.30.16.2  21-Apr-2020  martin Sync with HEAD
 1.30.16.1  10-Jun-2019  christos Sync with HEAD
 1.35.8.1  02-Aug-2025  perseant Sync with HEAD

RSS XML Feed