diff options
author | Michael Olbrich <m.olbrich@pengutronix.de> | 2014-04-09 16:55:09 +0200 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2014-04-22 11:50:24 +0200 |
commit | 80da711799bc3002ce511be5c154e638d59a00d8 (patch) | |
tree | 74fe675138b9512ba5d49c55080aa728ecc06e2b | |
parent | c7a07012572b2ed7e989663ab2eef2f71e5cb6f6 (diff) | |
download | OSELAS.Toolchain-80da711799bc3002ce511be5c154e638d59a00d8.tar.gz OSELAS.Toolchain-80da711799bc3002ce511be5c154e638d59a00d8.tar.xz |
glibc-2.18: add security fixes from 2.19
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
(cherry picked from commit 09044aae4e087bdae603394a3c9abe77147bcca3)
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
10 files changed, 1842 insertions, 1 deletions
diff --git a/patches/glibc-2.18/0005-Simplify-strcoll-implementation.patch b/patches/glibc-2.18/0005-Simplify-strcoll-implementation.patch new file mode 100644 index 0000000..e715b38 --- /dev/null +++ b/patches/glibc-2.18/0005-Simplify-strcoll-implementation.patch @@ -0,0 +1,795 @@ +From: Siddhesh Poyarekar <siddhesh@redhat.com> +Date: Tue, 20 Aug 2013 08:40:05 +0530 +Subject: [PATCH] Simplify strcoll implementation + +Break up strcoll into simpler functions so that the logic is easier to +follow and maintain. +--- + string/strcoll_l.c | 701 ++++++++++++++++++++++------------------------------- + 1 file changed, 295 insertions(+), 406 deletions(-) + +diff --git a/string/strcoll_l.c b/string/strcoll_l.c +index ecda08f..50ed84d 100644 +--- a/string/strcoll_l.c ++++ b/string/strcoll_l.c +@@ -41,11 +41,244 @@ + + #include "../locale/localeinfo.h" + ++/* Track status while looking for sequences in a string. */ ++typedef struct ++{ ++ int len; /* Length of the current sequence. */ ++ int val; /* Position of the sequence relative to the ++ previous non-ignored sequence. */ ++ size_t idxnow; /* Current index in sequences. */ ++ size_t idxmax; /* Maximum index in sequences. */ ++ size_t idxcnt; /* Current count of indices. */ ++ size_t backw; /* Current Backward sequence index. */ ++ size_t backw_stop; /* Index where the backward sequences stop. */ ++ const USTRING_TYPE *us; /* The string. */ ++ int32_t *idxarr; /* Array to cache weight indices. */ ++ unsigned char *rulearr; /* Array to cache rules. */ ++} coll_seq; ++ ++/* Get next sequence. The weight indices are cached, so we don't need to ++ traverse the string. */ ++static void ++get_next_seq_cached (coll_seq *seq, int nrules, int pass, ++ const unsigned char *rulesets, ++ const USTRING_TYPE *weights) ++{ ++ int val = seq->val = 0; ++ int len = seq->len; ++ size_t backw_stop = seq->backw_stop; ++ size_t backw = seq->backw; ++ size_t idxcnt = seq->idxcnt; ++ size_t idxmax = seq->idxmax; ++ size_t idxnow = seq->idxnow; ++ unsigned char *rulearr = seq->rulearr; ++ int32_t *idxarr = seq->idxarr; ++ ++ while (len == 0) ++ { ++ ++val; ++ if (backw_stop != ~0ul) ++ { ++ /* There is something pushed. */ ++ if (backw == backw_stop) ++ { ++ /* The last pushed character was handled. Continue ++ with forward characters. */ ++ if (idxcnt < idxmax) ++ { ++ idxnow = idxcnt; ++ backw_stop = ~0ul; ++ } ++ else ++ { ++ /* Nothing any more. The backward sequence ++ ended with the last sequence in the string. */ ++ idxnow = ~0ul; ++ break; ++ } ++ } ++ else ++ idxnow = --backw; ++ } ++ else ++ { ++ backw_stop = idxcnt; ++ ++ while (idxcnt < idxmax) ++ { ++ if ((rulesets[rulearr[idxcnt] * nrules + pass] ++ & sort_backward) == 0) ++ /* No more backward characters to push. */ ++ break; ++ ++idxcnt; ++ } ++ ++ if (backw_stop == idxcnt) ++ { ++ /* No sequence at all or just one. */ ++ if (idxcnt == idxmax) ++ /* Note that LEN is still zero. */ ++ break; ++ ++ backw_stop = ~0ul; ++ idxnow = idxcnt++; ++ } ++ else ++ /* We pushed backward sequences. */ ++ idxnow = backw = idxcnt - 1; ++ } ++ len = weights[idxarr[idxnow]++]; ++ } ++ ++ /* Update the structure. */ ++ seq->val = val; ++ seq->len = len; ++ seq->backw_stop = backw_stop; ++ seq->backw = backw; ++ seq->idxcnt = idxcnt; ++ seq->idxnow = idxnow; ++} ++ ++/* Get next sequence. Traverse the string as required. */ ++static void ++get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, ++ const USTRING_TYPE *weights, const int32_t *table, ++ const USTRING_TYPE *extra, const int32_t *indirect) ++{ ++#include WEIGHT_H ++ int val = seq->val = 0; ++ int len = seq->len; ++ size_t backw_stop = seq->backw_stop; ++ size_t backw = seq->backw; ++ size_t idxcnt = seq->idxcnt; ++ size_t idxmax = seq->idxmax; ++ size_t idxnow = seq->idxnow; ++ unsigned char *rulearr = seq->rulearr; ++ int32_t *idxarr = seq->idxarr; ++ const USTRING_TYPE *us = seq->us; ++ ++ while (len == 0) ++ { ++ ++val; ++ if (backw_stop != ~0ul) ++ { ++ /* The is something pushed. */ ++ if (backw == backw_stop) ++ { ++ /* The last pushed character was handled. Continue ++ with forward characters. */ ++ if (idxcnt < idxmax) ++ { ++ idxnow = idxcnt; ++ backw_stop = ~0ul; ++ } ++ else ++ /* Nothing any more. The backward sequence ended with ++ the last sequence in the string. Note that LEN ++ is still zero. */ ++ break; ++ } ++ else ++ idxnow = --backw; ++ } ++ else ++ { ++ backw_stop = idxmax; ++ ++ while (*us != L('\0')) ++ { ++ int32_t tmp = findidx (&us, -1); ++ rulearr[idxmax] = tmp >> 24; ++ idxarr[idxmax] = tmp & 0xffffff; ++ idxcnt = idxmax++; ++ ++ if ((rulesets[rulearr[idxcnt] * nrules] ++ & sort_backward) == 0) ++ /* No more backward characters to push. */ ++ break; ++ ++idxcnt; ++ } ++ ++ if (backw_stop >= idxcnt) ++ { ++ /* No sequence at all or just one. */ ++ if (idxcnt == idxmax || backw_stop > idxcnt) ++ /* Note that LEN is still zero. */ ++ break; ++ ++ backw_stop = ~0ul; ++ idxnow = idxcnt; ++ } ++ else ++ /* We pushed backward sequences. */ ++ idxnow = backw = idxcnt - 1; ++ } ++ len = weights[idxarr[idxnow]++]; ++ } ++ ++ /* Update the structure. */ ++ seq->val = val; ++ seq->len = len; ++ seq->backw_stop = backw_stop; ++ seq->backw = backw; ++ seq->idxcnt = idxcnt; ++ seq->idxmax = idxmax; ++ seq->idxnow = idxnow; ++ seq->us = us; ++} ++ ++/* Compare two sequences. */ ++static int ++do_compare (coll_seq *seq1, coll_seq *seq2, int position, ++ const USTRING_TYPE *weights) ++{ ++ int seq1len = seq1->len; ++ int seq2len = seq2->len; ++ int val1 = seq1->val; ++ int val2 = seq2->val; ++ int32_t *idx1arr = seq1->idxarr; ++ int32_t *idx2arr = seq2->idxarr; ++ int idx1now = seq1->idxnow; ++ int idx2now = seq2->idxnow; ++ int result = 0; ++ ++ /* Test for position if necessary. */ ++ if (position && val1 != val2) ++ { ++ result = val1 - val2; ++ goto out; ++ } ++ ++ /* Compare the two sequences. */ ++ do ++ { ++ if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]]) ++ { ++ /* The sequences differ. */ ++ result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]]; ++ goto out; ++ } ++ ++ /* Increment the offsets. */ ++ ++idx1arr[idx1now]; ++ ++idx2arr[idx2now]; ++ ++ --seq1len; ++ --seq2len; ++ } ++ while (seq1len > 0 && seq2len > 0); ++ ++ if (position && seq1len != seq2len) ++ result = seq1len - seq2len; ++ ++out: ++ seq1->len = seq1len; ++ seq2->len = seq2len; ++ return result; ++} ++ + int +-STRCOLL (s1, s2, l) +- const STRING_TYPE *s1; +- const STRING_TYPE *s2; +- __locale_t l; ++STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) + { + struct __locale_data *current = l->__locales[LC_COLLATE]; + uint_fast32_t nrules = current->values[_NL_ITEM_INDEX (_NL_COLLATE_NRULES)].word; +@@ -56,34 +289,6 @@ STRCOLL (s1, s2, l) + const USTRING_TYPE *weights; + const USTRING_TYPE *extra; + const int32_t *indirect; +- uint_fast32_t pass; +- int result = 0; +- const USTRING_TYPE *us1; +- const USTRING_TYPE *us2; +- size_t s1len; +- size_t s2len; +- int32_t *idx1arr; +- int32_t *idx2arr; +- unsigned char *rule1arr; +- unsigned char *rule2arr; +- size_t idx1max; +- size_t idx2max; +- size_t idx1cnt; +- size_t idx2cnt; +- size_t idx1now; +- size_t idx2now; +- size_t backw1_stop; +- size_t backw2_stop; +- size_t backw1; +- size_t backw2; +- int val1; +- int val2; +- int position; +- int seq1len; +- int seq2len; +- int use_malloc; +- +-#include WEIGHT_H + + if (nrules == 0) + return STRCMP (s1, s2); +@@ -98,7 +303,6 @@ STRCOLL (s1, s2, l) + current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_EXTRA,SUFFIX))].string; + indirect = (const int32_t *) + current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_INDIRECT,SUFFIX))].string; +- use_malloc = 0; + + assert (((uintptr_t) table) % __alignof__ (table[0]) == 0); + assert (((uintptr_t) weights) % __alignof__ (weights[0]) == 0); +@@ -106,18 +310,13 @@ STRCOLL (s1, s2, l) + assert (((uintptr_t) indirect) % __alignof__ (indirect[0]) == 0); + + /* We need this a few times. */ +- s1len = STRLEN (s1); +- s2len = STRLEN (s2); ++ size_t s1len = STRLEN (s1); ++ size_t s2len = STRLEN (s2); + + /* Catch empty strings. */ +- if (__builtin_expect (s1len == 0, 0) || __builtin_expect (s2len == 0, 0)) ++ if (__glibc_unlikely (s1len == 0) || __glibc_unlikely (s2len == 0)) + return (s1len != 0) - (s2len != 0); + +- /* We need the elements of the strings as unsigned values since they +- are used as indeces. */ +- us1 = (const USTRING_TYPE *) s1; +- us2 = (const USTRING_TYPE *) s2; +- + /* Perform the first pass over the string and while doing this find + and store the weights for each character. Since we want this to + be as fast as possible we are using `alloca' to store the temporary +@@ -127,411 +326,101 @@ STRCOLL (s1, s2, l) + + Please note that the localedef programs makes sure that `position' + is not used at the first level. */ ++ ++ coll_seq seq1, seq2; ++ bool use_malloc = false; ++ int result = 0; ++ ++ memset (&seq1, 0, sizeof (seq1)); ++ seq2 = seq1; ++ ++ /* We need the elements of the strings as unsigned values since they ++ are used as indices. */ ++ seq1.us = (const USTRING_TYPE *) s1; ++ seq2.us = (const USTRING_TYPE *) s2; ++ + if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) + { +- idx1arr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); +- idx2arr = &idx1arr[s1len]; +- rule1arr = (unsigned char *) &idx2arr[s2len]; +- rule2arr = &rule1arr[s1len]; ++ seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); ++ seq2.idxarr = &seq1.idxarr[s1len]; ++ seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len]; ++ seq2.rulearr = &seq1.rulearr[s1len]; + +- if (idx1arr == NULL) ++ if (seq1.idxarr == NULL) + /* No memory. Well, go with the stack then. + + XXX Once this implementation is stable we will handle this +- differently. Instead of precomputing the indeces we will ++ differently. Instead of precomputing the indices we will + do this in time. This means, though, that this happens for + every pass again. */ + goto try_stack; +- use_malloc = 1; ++ use_malloc = true; + } + else + { + try_stack: +- idx1arr = (int32_t *) alloca (s1len * sizeof (int32_t)); +- idx2arr = (int32_t *) alloca (s2len * sizeof (int32_t)); +- rule1arr = (unsigned char *) alloca (s1len); +- rule2arr = (unsigned char *) alloca (s2len); ++ seq1.idxarr = (int32_t *) alloca (s1len * sizeof (int32_t)); ++ seq2.idxarr = (int32_t *) alloca (s2len * sizeof (int32_t)); ++ seq1.rulearr = (unsigned char *) alloca (s1len); ++ seq2.rulearr = (unsigned char *) alloca (s2len); + } + +- idx1cnt = 0; +- idx2cnt = 0; +- idx1max = 0; +- idx2max = 0; +- idx1now = 0; +- idx2now = 0; +- backw1_stop = ~0ul; +- backw2_stop = ~0ul; +- backw1 = ~0ul; +- backw2 = ~0ul; +- seq1len = 0; +- seq2len = 0; +- position = rulesets[0] & sort_position; +- while (1) +- { +- val1 = 0; +- val2 = 0; +- +- /* Get the next non-IGNOREd element for string `s1'. */ +- if (seq1len == 0) +- do +- { +- ++val1; +- +- if (backw1_stop != ~0ul) +- { +- /* The is something pushed. */ +- if (backw1 == backw1_stop) +- { +- /* The last pushed character was handled. Continue +- with forward characters. */ +- if (idx1cnt < idx1max) +- { +- idx1now = idx1cnt; +- backw1_stop = ~0ul; +- } +- else +- /* Nothing anymore. The backward sequence ended with +- the last sequence in the string. Note that seq1len +- is still zero. */ +- break; +- } +- else +- idx1now = --backw1; +- } +- else +- { +- backw1_stop = idx1max; +- +- while (*us1 != L('\0')) +- { +- int32_t tmp = findidx (&us1, -1); +- rule1arr[idx1max] = tmp >> 24; +- idx1arr[idx1max] = tmp & 0xffffff; +- idx1cnt = idx1max++; +- +- if ((rulesets[rule1arr[idx1cnt] * nrules] +- & sort_backward) == 0) +- /* No more backward characters to push. */ +- break; +- ++idx1cnt; +- } +- +- if (backw1_stop >= idx1cnt) +- { +- /* No sequence at all or just one. */ +- if (idx1cnt == idx1max || backw1_stop > idx1cnt) +- /* Note that seq1len is still zero. */ +- break; +- +- backw1_stop = ~0ul; +- idx1now = idx1cnt; +- } +- else +- /* We pushed backward sequences. */ +- idx1now = backw1 = idx1cnt - 1; +- } +- } +- while ((seq1len = weights[idx1arr[idx1now]++]) == 0); +- +- /* And the same for string `s2'. */ +- if (seq2len == 0) +- do +- { +- ++val2; +- +- if (backw2_stop != ~0ul) +- { +- /* The is something pushed. */ +- if (backw2 == backw2_stop) +- { +- /* The last pushed character was handled. Continue +- with forward characters. */ +- if (idx2cnt < idx2max) +- { +- idx2now = idx2cnt; +- backw2_stop = ~0ul; +- } +- else +- /* Nothing anymore. The backward sequence ended with +- the last sequence in the string. Note that seq2len +- is still zero. */ +- break; +- } +- else +- idx2now = --backw2; +- } +- else +- { +- backw2_stop = idx2max; +- +- while (*us2 != L('\0')) +- { +- int32_t tmp = findidx (&us2, -1); +- rule2arr[idx2max] = tmp >> 24; +- idx2arr[idx2max] = tmp & 0xffffff; +- idx2cnt = idx2max++; +- +- if ((rulesets[rule2arr[idx2cnt] * nrules] +- & sort_backward) == 0) +- /* No more backward characters to push. */ +- break; +- ++idx2cnt; +- } +- +- if (backw2_stop >= idx2cnt) +- { +- /* No sequence at all or just one. */ +- if (idx2cnt == idx2max || backw2_stop > idx2cnt) +- /* Note that seq1len is still zero. */ +- break; +- +- backw2_stop = ~0ul; +- idx2now = idx2cnt; +- } +- else +- /* We pushed backward sequences. */ +- idx2now = backw2 = idx2cnt - 1; +- } +- } +- while ((seq2len = weights[idx2arr[idx2now]++]) == 0); +- +- /* See whether any or both strings are empty. */ +- if (seq1len == 0 || seq2len == 0) +- { +- if (seq1len == seq2len) +- /* Both ended. So far so good, both strings are equal at the +- first level. */ +- break; +- +- /* This means one string is shorter than the other. Find out +- which one and return an appropriate value. */ +- result = seq1len == 0 ? -1 : 1; +- goto free_and_return; +- } +- +- /* Test for position if necessary. */ +- if (position && val1 != val2) +- { +- result = val1 - val2; +- goto free_and_return; +- } +- +- /* Compare the two sequences. */ +- do +- { +- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]]) +- { +- /* The sequences differ. */ +- result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]]; +- goto free_and_return; +- } +- +- /* Increment the offsets. */ +- ++idx1arr[idx1now]; +- ++idx2arr[idx2now]; ++ seq1.rulearr[0] = 0; + +- --seq1len; +- --seq2len; +- } +- while (seq1len > 0 && seq2len > 0); +- +- if (position && seq1len != seq2len) +- { +- result = seq1len - seq2len; +- goto free_and_return; +- } +- } +- +- /* Now the remaining passes over the weights. We now use the +- indeces we found before. */ +- for (pass = 1; pass < nrules; ++pass) ++ /* Cache values in the first pass and if needed, use them in subsequent ++ passes. */ ++ for (int pass = 0; pass < nrules; ++pass) + { ++ seq1.idxcnt = 0; ++ seq1.backw_stop = ~0ul; ++ seq1.backw = ~0ul; ++ seq2.idxcnt = 0; ++ seq2.backw_stop = ~0ul; ++ seq2.backw = ~0ul; ++ + /* We assume that if a rule has defined `position' in one section + this is true for all of them. */ +- idx1cnt = 0; +- idx2cnt = 0; +- backw1_stop = ~0ul; +- backw2_stop = ~0ul; +- backw1 = ~0ul; +- backw2 = ~0ul; +- position = rulesets[rule1arr[0] * nrules + pass] & sort_position; ++ int position = rulesets[seq1.rulearr[0] * nrules + pass] & sort_position; + + while (1) + { +- val1 = 0; +- val2 = 0; +- +- /* Get the next non-IGNOREd element for string `s1'. */ +- if (seq1len == 0) +- do +- { +- ++val1; +- +- if (backw1_stop != ~0ul) +- { +- /* The is something pushed. */ +- if (backw1 == backw1_stop) +- { +- /* The last pushed character was handled. Continue +- with forward characters. */ +- if (idx1cnt < idx1max) +- { +- idx1now = idx1cnt; +- backw1_stop = ~0ul; +- } +- else +- { +- /* Nothing anymore. The backward sequence +- ended with the last sequence in the string. */ +- idx1now = ~0ul; +- break; +- } +- } +- else +- idx1now = --backw1; +- } +- else +- { +- backw1_stop = idx1cnt; +- +- while (idx1cnt < idx1max) +- { +- if ((rulesets[rule1arr[idx1cnt] * nrules + pass] +- & sort_backward) == 0) +- /* No more backward characters to push. */ +- break; +- ++idx1cnt; +- } +- +- if (backw1_stop == idx1cnt) +- { +- /* No sequence at all or just one. */ +- if (idx1cnt == idx1max) +- /* Note that seq1len is still zero. */ +- break; +- +- backw1_stop = ~0ul; +- idx1now = idx1cnt++; +- } +- else +- /* We pushed backward sequences. */ +- idx1now = backw1 = idx1cnt - 1; +- } +- } +- while ((seq1len = weights[idx1arr[idx1now]++]) == 0); +- +- /* And the same for string `s2'. */ +- if (seq2len == 0) +- do +- { +- ++val2; +- +- if (backw2_stop != ~0ul) +- { +- /* The is something pushed. */ +- if (backw2 == backw2_stop) +- { +- /* The last pushed character was handled. Continue +- with forward characters. */ +- if (idx2cnt < idx2max) +- { +- idx2now = idx2cnt; +- backw2_stop = ~0ul; +- } +- else +- { +- /* Nothing anymore. The backward sequence +- ended with the last sequence in the string. */ +- idx2now = ~0ul; +- break; +- } +- } +- else +- idx2now = --backw2; +- } +- else +- { +- backw2_stop = idx2cnt; +- +- while (idx2cnt < idx2max) +- { +- if ((rulesets[rule2arr[idx2cnt] * nrules + pass] +- & sort_backward) == 0) +- /* No more backward characters to push. */ +- break; +- ++idx2cnt; +- } +- +- if (backw2_stop == idx2cnt) +- { +- /* No sequence at all or just one. */ +- if (idx2cnt == idx2max) +- /* Note that seq2len is still zero. */ +- break; +- +- backw2_stop = ~0ul; +- idx2now = idx2cnt++; +- } +- else +- /* We pushed backward sequences. */ +- idx2now = backw2 = idx2cnt - 1; +- } +- } +- while ((seq2len = weights[idx2arr[idx2now]++]) == 0); ++ if (pass == 0) ++ { ++ get_next_seq (&seq1, nrules, rulesets, weights, table, extra, ++ indirect); ++ get_next_seq (&seq2, nrules, rulesets, weights, table, extra, ++ indirect); ++ } ++ else ++ { ++ get_next_seq_cached (&seq1, nrules, pass, rulesets, weights); ++ get_next_seq_cached (&seq2, nrules, pass, rulesets, weights); ++ } + + /* See whether any or both strings are empty. */ +- if (seq1len == 0 || seq2len == 0) ++ if (seq1.len == 0 || seq2.len == 0) + { +- if (seq1len == seq2len) ++ if (seq1.len == seq2.len) + /* Both ended. So far so good, both strings are equal + at this level. */ + break; + + /* This means one string is shorter than the other. Find out + which one and return an appropriate value. */ +- result = seq1len == 0 ? -1 : 1; ++ result = seq1.len == 0 ? -1 : 1; + goto free_and_return; + } + +- /* Test for position if necessary. */ +- if (position && val1 != val2) +- { +- result = val1 - val2; +- goto free_and_return; +- } +- +- /* Compare the two sequences. */ +- do +- { +- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]]) +- { +- /* The sequences differ. */ +- result = (weights[idx1arr[idx1now]] +- - weights[idx2arr[idx2now]]); +- goto free_and_return; +- } +- +- /* Increment the offsets. */ +- ++idx1arr[idx1now]; +- ++idx2arr[idx2now]; +- +- --seq1len; +- --seq2len; +- } +- while (seq1len > 0 && seq2len > 0); +- +- if (position && seq1len != seq2len) +- { +- result = seq1len - seq2len; +- goto free_and_return; +- } ++ result = do_compare (&seq1, &seq2, position, weights); ++ if (result != 0) ++ goto free_and_return; + } + } + + /* Free the memory if needed. */ + free_and_return: + if (use_malloc) +- free (idx1arr); ++ free (seq1.idxarr); + + return result; + } diff --git a/patches/glibc-2.18/0006-Fall-back-to-non-cached-sequence-traversal-and-compa.patch b/patches/glibc-2.18/0006-Fall-back-to-non-cached-sequence-traversal-and-compa.patch new file mode 100644 index 0000000..b7f1c22 --- /dev/null +++ b/patches/glibc-2.18/0006-Fall-back-to-non-cached-sequence-traversal-and-compa.patch @@ -0,0 +1,384 @@ +From: Siddhesh Poyarekar <siddhesh@redhat.com> +Date: Mon, 23 Sep 2013 11:20:02 +0530 +Subject: [PATCH] Fall back to non-cached sequence traversal and comparison on + malloc fail + +strcoll currently falls back to alloca if malloc fails, resulting in a +possible stack overflow. This patch implements sequence traversal and +comparison without caching indices and rules. + +Fixes CVE-2012-4424. +--- + string/strcoll_l.c | 265 ++++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 234 insertions(+), 31 deletions(-) + +diff --git a/string/strcoll_l.c b/string/strcoll_l.c +index 50ed84d..eb042ff 100644 +--- a/string/strcoll_l.c ++++ b/string/strcoll_l.c +@@ -45,7 +45,7 @@ + typedef struct + { + int len; /* Length of the current sequence. */ +- int val; /* Position of the sequence relative to the ++ size_t val; /* Position of the sequence relative to the + previous non-ignored sequence. */ + size_t idxnow; /* Current index in sequences. */ + size_t idxmax; /* Maximum index in sequences. */ +@@ -55,6 +55,12 @@ typedef struct + const USTRING_TYPE *us; /* The string. */ + int32_t *idxarr; /* Array to cache weight indices. */ + unsigned char *rulearr; /* Array to cache rules. */ ++ unsigned char rule; /* Saved rule for the first sequence. */ ++ int32_t idx; /* Index to weight of the current sequence. */ ++ int32_t save_idx; /* Save looked up index of a forward ++ sequence after the last backward ++ sequence. */ ++ const USTRING_TYPE *back_us; /* Beginning of the backward sequence. */ + } coll_seq; + + /* Get next sequence. The weight indices are cached, so we don't need to +@@ -64,7 +70,7 @@ get_next_seq_cached (coll_seq *seq, int nrules, int pass, + const unsigned char *rulesets, + const USTRING_TYPE *weights) + { +- int val = seq->val = 0; ++ size_t val = seq->val = 0; + int len = seq->len; + size_t backw_stop = seq->backw_stop; + size_t backw = seq->backw; +@@ -146,7 +152,7 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, + const USTRING_TYPE *extra, const int32_t *indirect) + { + #include WEIGHT_H +- int val = seq->val = 0; ++ size_t val = seq->val = 0; + int len = seq->len; + size_t backw_stop = seq->backw_stop; + size_t backw = seq->backw; +@@ -162,7 +168,7 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, + ++val; + if (backw_stop != ~0ul) + { +- /* The is something pushed. */ ++ /* There is something pushed. */ + if (backw == backw_stop) + { + /* The last pushed character was handled. Continue +@@ -227,15 +233,199 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, + seq->us = us; + } + +-/* Compare two sequences. */ ++/* Get next sequence. Traverse the string as required. This function does not ++ set or use any index or rule cache. */ ++static void ++get_next_seq_nocache (coll_seq *seq, int nrules, const unsigned char *rulesets, ++ const USTRING_TYPE *weights, const int32_t *table, ++ const USTRING_TYPE *extra, const int32_t *indirect, ++ int pass) ++{ ++#include WEIGHT_H ++ size_t val = seq->val = 0; ++ int len = seq->len; ++ size_t backw_stop = seq->backw_stop; ++ size_t backw = seq->backw; ++ size_t idxcnt = seq->idxcnt; ++ size_t idxmax = seq->idxmax; ++ int32_t idx = seq->idx; ++ const USTRING_TYPE *us = seq->us; ++ ++ while (len == 0) ++ { ++ ++val; ++ if (backw_stop != ~0ul) ++ { ++ /* There is something pushed. */ ++ if (backw == backw_stop) ++ { ++ /* The last pushed character was handled. Continue ++ with forward characters. */ ++ if (idxcnt < idxmax) ++ { ++ idx = seq->save_idx; ++ backw_stop = ~0ul; ++ } ++ else ++ { ++ /* Nothing anymore. The backward sequence ended with ++ the last sequence in the string. Note that len is ++ still zero. */ ++ idx = 0; ++ break; ++ } ++ } ++ else ++ { ++ /* XXX Traverse BACKW sequences from the beginning of ++ BACKW_STOP to get the next sequence. Is ther a quicker way ++ to do this? */ ++ size_t i = backw_stop; ++ us = seq->back_us; ++ while (i < backw) ++ { ++ int32_t tmp = findidx (&us, -1); ++ idx = tmp & 0xffffff; ++ i++; ++ } ++ --backw; ++ us = seq->us; ++ } ++ } ++ else ++ { ++ backw_stop = idxmax; ++ int32_t prev_idx = idx; ++ ++ while (*us != L('\0')) ++ { ++ int32_t tmp = findidx (&us, -1); ++ unsigned char rule = tmp >> 24; ++ prev_idx = idx; ++ idx = tmp & 0xffffff; ++ idxcnt = idxmax++; ++ ++ /* Save the rule for the first sequence. */ ++ if (__glibc_unlikely (idxcnt == 0)) ++ seq->rule = rule; ++ ++ if ((rulesets[rule * nrules + pass] ++ & sort_backward) == 0) ++ /* No more backward characters to push. */ ++ break; ++ ++idxcnt; ++ } ++ ++ if (backw_stop >= idxcnt) ++ { ++ /* No sequence at all or just one. */ ++ if (idxcnt == idxmax || backw_stop > idxcnt) ++ /* Note that len is still zero. */ ++ break; ++ ++ backw_stop = ~0ul; ++ } ++ else ++ { ++ /* We pushed backward sequences. If the stream ended with the ++ backward sequence, then we process the last sequence we ++ found. Otherwise we process the sequence before the last ++ one since the last one was a forward sequence. */ ++ seq->back_us = seq->us; ++ seq->us = us; ++ backw = idxcnt; ++ if (idxmax > idxcnt) ++ { ++ backw--; ++ seq->save_idx = idx; ++ idx = prev_idx; ++ } ++ if (backw > backw_stop) ++ backw--; ++ } ++ } ++ ++ len = weights[idx++]; ++ /* Skip over indices of previous levels. */ ++ for (int i = 0; i < pass; i++) ++ { ++ idx += len; ++ len = weights[idx]; ++ idx++; ++ } ++ } ++ ++ /* Update the structure. */ ++ seq->val = val; ++ seq->len = len; ++ seq->backw_stop = backw_stop; ++ seq->backw = backw; ++ seq->idxcnt = idxcnt; ++ seq->idxmax = idxmax; ++ seq->us = us; ++ seq->idx = idx; ++} ++ ++/* Compare two sequences. This version does not use the index and rules ++ cache. */ ++static int ++do_compare_nocache (coll_seq *seq1, coll_seq *seq2, int position, ++ const USTRING_TYPE *weights) ++{ ++ int seq1len = seq1->len; ++ int seq2len = seq2->len; ++ size_t val1 = seq1->val; ++ size_t val2 = seq2->val; ++ int idx1 = seq1->idx; ++ int idx2 = seq2->idx; ++ int result = 0; ++ ++ /* Test for position if necessary. */ ++ if (position && val1 != val2) ++ { ++ result = val1 > val2 ? 1 : -1; ++ goto out; ++ } ++ ++ /* Compare the two sequences. */ ++ do ++ { ++ if (weights[idx1] != weights[idx2]) ++ { ++ /* The sequences differ. */ ++ result = weights[idx1] - weights[idx2]; ++ goto out; ++ } ++ ++ /* Increment the offsets. */ ++ ++idx1; ++ ++idx2; ++ ++ --seq1len; ++ --seq2len; ++ } ++ while (seq1len > 0 && seq2len > 0); ++ ++ if (position && seq1len != seq2len) ++ result = seq1len - seq2len; ++ ++out: ++ seq1->len = seq1len; ++ seq2->len = seq2len; ++ seq1->idx = idx1; ++ seq2->idx = idx2; ++ return result; ++} ++ ++/* Compare two sequences using the index cache. */ + static int + do_compare (coll_seq *seq1, coll_seq *seq2, int position, + const USTRING_TYPE *weights) + { + int seq1len = seq1->len; + int seq2len = seq2->len; +- int val1 = seq1->val; +- int val2 = seq2->val; ++ size_t val1 = seq1->val; ++ size_t val2 = seq2->val; + int32_t *idx1arr = seq1->idxarr; + int32_t *idx2arr = seq2->idxarr; + int idx1now = seq1->idxnow; +@@ -245,7 +435,7 @@ do_compare (coll_seq *seq1, coll_seq *seq2, int position, + /* Test for position if necessary. */ + if (position && val1 != val2) + { +- result = val1 - val2; ++ result = val1 > val2 ? 1 : -1; + goto out; + } + +@@ -334,57 +524,62 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) + memset (&seq1, 0, sizeof (seq1)); + seq2 = seq1; + +- /* We need the elements of the strings as unsigned values since they +- are used as indices. */ +- seq1.us = (const USTRING_TYPE *) s1; +- seq2.us = (const USTRING_TYPE *) s2; +- + if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) + { + seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); +- seq2.idxarr = &seq1.idxarr[s1len]; +- seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len]; +- seq2.rulearr = &seq1.rulearr[s1len]; +- +- if (seq1.idxarr == NULL) +- /* No memory. Well, go with the stack then. +- +- XXX Once this implementation is stable we will handle this +- differently. Instead of precomputing the indices we will +- do this in time. This means, though, that this happens for +- every pass again. */ +- goto try_stack; +- use_malloc = true; ++ ++ /* If we failed to allocate memory, we leave everything as NULL so that ++ we use the nocache version of traversal and comparison functions. */ ++ if (seq1.idxarr != NULL) ++ { ++ seq2.idxarr = &seq1.idxarr[s1len]; ++ seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len]; ++ seq2.rulearr = &seq1.rulearr[s1len]; ++ use_malloc = true; ++ } + } + else + { +- try_stack: + seq1.idxarr = (int32_t *) alloca (s1len * sizeof (int32_t)); + seq2.idxarr = (int32_t *) alloca (s2len * sizeof (int32_t)); + seq1.rulearr = (unsigned char *) alloca (s1len); + seq2.rulearr = (unsigned char *) alloca (s2len); + } + +- seq1.rulearr[0] = 0; ++ int rule = 0; + + /* Cache values in the first pass and if needed, use them in subsequent + passes. */ + for (int pass = 0; pass < nrules; ++pass) + { + seq1.idxcnt = 0; ++ seq1.idx = 0; ++ seq2.idx = 0; + seq1.backw_stop = ~0ul; + seq1.backw = ~0ul; + seq2.idxcnt = 0; + seq2.backw_stop = ~0ul; + seq2.backw = ~0ul; + ++ /* We need the elements of the strings as unsigned values since they ++ are used as indices. */ ++ seq1.us = (const USTRING_TYPE *) s1; ++ seq2.us = (const USTRING_TYPE *) s2; ++ + /* We assume that if a rule has defined `position' in one section + this is true for all of them. */ +- int position = rulesets[seq1.rulearr[0] * nrules + pass] & sort_position; ++ int position = rulesets[rule * nrules + pass] & sort_position; + + while (1) + { +- if (pass == 0) ++ if (__glibc_unlikely (seq1.idxarr == NULL)) ++ { ++ get_next_seq_nocache (&seq1, nrules, rulesets, weights, table, ++ extra, indirect, pass); ++ get_next_seq_nocache (&seq2, nrules, rulesets, weights, table, ++ extra, indirect, pass); ++ } ++ else if (pass == 0) + { + get_next_seq (&seq1, nrules, rulesets, weights, table, extra, + indirect); +@@ -411,10 +606,18 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) + goto free_and_return; + } + +- result = do_compare (&seq1, &seq2, position, weights); ++ if (__glibc_unlikely (seq1.idxarr == NULL)) ++ result = do_compare_nocache (&seq1, &seq2, position, weights); ++ else ++ result = do_compare (&seq1, &seq2, position, weights); + if (result != 0) + goto free_and_return; + } ++ ++ if (__glibc_likely (seq1.rulearr != NULL)) ++ rule = seq1.rulearr[0]; ++ else ++ rule = seq1.rule; + } + + /* Free the memory if needed. */ diff --git a/patches/glibc-2.18/0007-Check-for-integer-overflow-in-cache-size-computation.patch b/patches/glibc-2.18/0007-Check-for-integer-overflow-in-cache-size-computation.patch new file mode 100644 index 0000000..549e3e2 --- /dev/null +++ b/patches/glibc-2.18/0007-Check-for-integer-overflow-in-cache-size-computation.patch @@ -0,0 +1,121 @@ +From: Siddhesh Poyarekar <siddhesh@redhat.com> +Date: Mon, 23 Sep 2013 11:24:30 +0530 +Subject: [PATCH] Check for integer overflow in cache size computation in + strcoll + +strcoll is implemented using a cache for indices and weights of +collation sequences in the strings so that subsequent passes do not +have to search through collation data again. For very large string +inputs, the cache size computation could overflow. In such a case, +use the fallback function that does not cache indices and weights of +collation sequences. + +Fixes CVE-2012-4412. +--- + string/Makefile | 2 ++ + string/strcoll_l.c | 10 ++++++- + string/tst-strcoll-overflow.c | 61 +++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 72 insertions(+), 1 deletion(-) + create mode 100644 string/tst-strcoll-overflow.c + +diff --git a/string/Makefile b/string/Makefile +index 0237edd..59c658f 100644 +--- a/string/Makefile ++++ b/string/Makefile +@@ -57,6 +57,8 @@ tests := tester inl-tester noinl-tester testcopy test-ffs \ + tests-ifunc := $(strop-tests:%=test-%-ifunc) + tests += $(tests-ifunc) + ++xtests = tst-strcoll-overflow ++ + include ../Rules + + tester-ENV = LANGUAGE=C +diff --git a/string/strcoll_l.c b/string/strcoll_l.c +index eb042ff..4ee101a 100644 +--- a/string/strcoll_l.c ++++ b/string/strcoll_l.c +@@ -524,7 +524,15 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) + memset (&seq1, 0, sizeof (seq1)); + seq2 = seq1; + +- if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) ++ size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1); ++ ++ if (MIN (s1len, s2len) > size_max ++ || MAX (s1len, s2len) > size_max - MIN (s1len, s2len)) ++ { ++ /* If the strings are long enough to cause overflow in the size request, ++ then skip the allocation and proceed with the non-cached routines. */ ++ } ++ else if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) + { + seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); + +diff --git a/string/tst-strcoll-overflow.c b/string/tst-strcoll-overflow.c +new file mode 100644 +index 0000000..bb665ac +--- /dev/null ++++ b/string/tst-strcoll-overflow.c +@@ -0,0 +1,61 @@ ++/* Copyright (C) 2013 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <locale.h> ++#include <stdio.h> ++#include <stdint.h> ++#include <stdlib.h> ++#include <string.h> ++ ++/* Verify that strcoll does not crash for large strings for which it cannot ++ cache weight lookup results. The size is large enough to cause integer ++ overflows on 32-bit as well as buffer overflows on 64-bit. The test should ++ work reasonably reliably when overcommit is disabled, but it obviously ++ depends on how much memory the system has. There's a limitation to this ++ test in that it does not run to completion. Actually collating such a ++ large string can take days and we can't have xcheck running that long. For ++ that reason, we run the test for about 5 minutes and then assume that ++ everything is fine if there are no crashes. */ ++#define SIZE 0x40000000ul ++ ++int ++do_test (void) ++{ ++ if (setlocale (LC_COLLATE, "en_GB.UTF-8") == NULL) ++ { ++ puts ("setlocale failed, cannot test for overflow"); ++ return 0; ++ } ++ ++ char *p = malloc (SIZE); ++ ++ if (p == NULL) ++ { ++ puts ("could not allocate memory"); ++ return 1; ++ } ++ ++ memset (p, 'x', SIZE - 1); ++ p[SIZE - 1] = 0; ++ printf ("%d\n", strcoll (p, p)); ++ return 0; ++} ++ ++#define TIMEOUT 300 ++#define EXPECTED_SIGNAL SIGALRM ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" diff --git a/patches/glibc-2.18/0008-BZ-15754-CVE-2013-4788.patch b/patches/glibc-2.18/0008-BZ-15754-CVE-2013-4788.patch new file mode 100644 index 0000000..d027f7e --- /dev/null +++ b/patches/glibc-2.18/0008-BZ-15754-CVE-2013-4788.patch @@ -0,0 +1,199 @@ +From: Carlos O'Donell <carlos@redhat.com> +Date: Mon, 23 Sep 2013 00:52:09 -0400 +Subject: [PATCH] BZ #15754: CVE-2013-4788 + +The pointer guard used for pointer mangling was not initialized for +static applications resulting in the security feature being disabled. +The pointer guard is now correctly initialized to a random value for +static applications. Existing static applications need to be +recompiled to take advantage of the fix. + +The test tst-ptrguard1-static and tst-ptrguard1 add regression +coverage to ensure the pointer guards are sufficiently random +and initialized to a default value. +--- + ports/sysdeps/ia64/stackguard-macros.h | 3 +++ + ports/sysdeps/tile/stackguard-macros.h | 6 ++++++ + sysdeps/generic/stackguard-macros.h | 3 +++ + sysdeps/i386/stackguard-macros.h | 8 ++++++++ + sysdeps/powerpc/powerpc32/stackguard-macros.h | 10 ++++++++++ + sysdeps/powerpc/powerpc64/stackguard-macros.h | 10 ++++++++++ + sysdeps/s390/s390-32/stackguard-macros.h | 11 +++++++++++ + sysdeps/s390/s390-64/stackguard-macros.h | 14 ++++++++++++++ + sysdeps/sparc/sparc32/stackguard-macros.h | 3 +++ + sysdeps/sparc/sparc64/stackguard-macros.h | 3 +++ + sysdeps/x86_64/stackguard-macros.h | 5 +++++ + 11 files changed, 76 insertions(+) + +diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h +index dc683c2..3907293 100644 +--- a/ports/sysdeps/ia64/stackguard-macros.h ++++ b/ports/sysdeps/ia64/stackguard-macros.h +@@ -2,3 +2,6 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; }) +diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h +index 589ea2b..f2e041b 100644 +--- a/ports/sysdeps/tile/stackguard-macros.h ++++ b/ports/sysdeps/tile/stackguard-macros.h +@@ -4,11 +4,17 @@ + # if __WORDSIZE == 64 + # define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; }) ++# define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; }) + # else + # define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; }) ++# define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; }) + # endif + #else + # define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; }) ++# define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; }) + #endif +diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h +index ababf65..4fa3d96 100644 +--- a/sysdeps/generic/stackguard-macros.h ++++ b/sysdeps/generic/stackguard-macros.h +@@ -2,3 +2,6 @@ + + extern uintptr_t __stack_chk_guard; + #define STACK_CHK_GUARD __stack_chk_guard ++ ++extern uintptr_t __pointer_chk_guard_local; ++#define POINTER_CHK_GUARD __pointer_chk_guard_local +diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h +index 8c31e19..0397629 100644 +--- a/sysdeps/i386/stackguard-macros.h ++++ b/sysdeps/i386/stackguard-macros.h +@@ -2,3 +2,11 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("movl %%gs:%c1, %0" : "=r" (x) \ ++ : "i" (offsetof (tcbhead_t, pointer_guard))); \ ++ x; \ ++ }) +diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h +index 839f6a4..b3d0af8 100644 +--- a/sysdeps/powerpc/powerpc32/stackguard-macros.h ++++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h +@@ -2,3 +2,13 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("lwz %0,%1(2)" \ ++ : "=r" (x) \ ++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \ ++ ); \ ++ x; \ ++ }) +diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h +index 9da879c..4620f96 100644 +--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h ++++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h +@@ -2,3 +2,13 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("ld %0,%1(2)" \ ++ : "=r" (x) \ ++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \ ++ ); \ ++ x; \ ++ }) +diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h +index b74c579..449e8d4 100644 +--- a/sysdeps/s390/s390-32/stackguard-macros.h ++++ b/sysdeps/s390/s390-32/stackguard-macros.h +@@ -2,3 +2,14 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; }) ++ ++/* On s390/s390x there is no unique pointer guard, instead we use the ++ same value as the stack guard. */ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("ear %0,%%a0; l %0,%1(%0)" \ ++ : "=a" (x) \ ++ : "i" (offsetof (tcbhead_t, stack_guard))); \ ++ x; \ ++ }) +diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h +index 0cebb5f..c8270fb 100644 +--- a/sysdeps/s390/s390-64/stackguard-macros.h ++++ b/sysdeps/s390/s390-64/stackguard-macros.h +@@ -2,3 +2,17 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; }) ++ ++/* On s390/s390x there is no unique pointer guard, instead we use the ++ same value as the stack guard. */ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("ear %0,%%a0;" \ ++ "sllg %0,%0,32;" \ ++ "ear %0,%%a1;" \ ++ "lg %0,%1(%0)" \ ++ : "=a" (x) \ ++ : "i" (offsetof (tcbhead_t, stack_guard))); \ ++ x; \ ++ }) +diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h +index c0b02b0..1eef0f1 100644 +--- a/sysdeps/sparc/sparc32/stackguard-macros.h ++++ b/sysdeps/sparc/sparc32/stackguard-macros.h +@@ -2,3 +2,6 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; }) +diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h +index 80f0635..cc0c12c 100644 +--- a/sysdeps/sparc/sparc64/stackguard-macros.h ++++ b/sysdeps/sparc/sparc64/stackguard-macros.h +@@ -2,3 +2,6 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; }) +diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h +index d7fedb3..1948800 100644 +--- a/sysdeps/x86_64/stackguard-macros.h ++++ b/sysdeps/x86_64/stackguard-macros.h +@@ -4,3 +4,8 @@ + ({ uintptr_t x; \ + asm ("mov %%fs:%c1, %0" : "=r" (x) \ + : "i" (offsetof (tcbhead_t, stack_guard))); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; \ ++ asm ("mov %%fs:%c1, %0" : "=r" (x) \ ++ : "i" (offsetof (tcbhead_t, pointer_guard))); x; }) diff --git a/patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch b/patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch new file mode 100644 index 0000000..526775b --- /dev/null +++ b/patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch @@ -0,0 +1,171 @@ +From: Florian Weimer <fweimer@redhat.com> +Date: Fri, 16 Aug 2013 09:38:52 +0200 +Subject: [PATCH] CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r + + * sysdeps/posix/dirstream.h (struct __dirstream): Add errcode + member. + * sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode + member. + * sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member. + * sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit. + Return delayed error code. Remove GETDENTS_64BIT_ALIGNED + conditional. + * sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define + GETDENTS_64BIT_ALIGNED. + * sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise. + * manual/filesys.texi (Reading/Closing Directory): Document + ENAMETOOLONG return value of readdir_r. Recommend readdir more + strongly. + * manual/conf.texi (Limits for Files): Add portability note to + NAME_MAX, PATH_MAX. + (Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX. +--- + sysdeps/posix/dirstream.h | 2 ++ + sysdeps/posix/opendir.c | 1 + + sysdeps/posix/readdir_r.c | 42 ++++++++++++++++++------- + sysdeps/posix/rewinddir.c | 1 + + sysdeps/unix/sysv/linux/i386/readdir64_r.c | 1 - + sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c | 1 - + 6 files changed, 34 insertions(+), 14 deletions(-) + +diff --git a/sysdeps/posix/dirstream.h b/sysdeps/posix/dirstream.h +index a7a074d..8e8570d 100644 +--- a/sysdeps/posix/dirstream.h ++++ b/sysdeps/posix/dirstream.h +@@ -39,6 +39,8 @@ struct __dirstream + + off_t filepos; /* Position of next entry to read. */ + ++ int errcode; /* Delayed error code. */ ++ + /* Directory block. */ + char data[0] __attribute__ ((aligned (__alignof__ (void*)))); + }; +diff --git a/sysdeps/posix/opendir.c b/sysdeps/posix/opendir.c +index ddfc3a7..fc05b0f 100644 +--- a/sysdeps/posix/opendir.c ++++ b/sysdeps/posix/opendir.c +@@ -231,6 +231,7 @@ __alloc_dir (int fd, bool close_fd, int flags, const struct stat64 *statp) + dirp->size = 0; + dirp->offset = 0; + dirp->filepos = 0; ++ dirp->errcode = 0; + + return dirp; + } +diff --git a/sysdeps/posix/readdir_r.c b/sysdeps/posix/readdir_r.c +index b5a8e2e..8ed5c3f 100644 +--- a/sysdeps/posix/readdir_r.c ++++ b/sysdeps/posix/readdir_r.c +@@ -40,6 +40,7 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result) + DIRENT_TYPE *dp; + size_t reclen; + const int saved_errno = errno; ++ int ret; + + __libc_lock_lock (dirp->lock); + +@@ -70,10 +71,10 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result) + bytes = 0; + __set_errno (saved_errno); + } ++ if (bytes < 0) ++ dirp->errcode = errno; + + dp = NULL; +- /* Reclen != 0 signals that an error occurred. */ +- reclen = bytes != 0; + break; + } + dirp->size = (size_t) bytes; +@@ -106,29 +107,46 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result) + dirp->filepos += reclen; + #endif + +- /* Skip deleted files. */ ++#ifdef NAME_MAX ++ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1) ++ { ++ /* The record is very long. It could still fit into the ++ caller-supplied buffer if we can skip padding at the ++ end. */ ++ size_t namelen = _D_EXACT_NAMLEN (dp); ++ if (namelen <= NAME_MAX) ++ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1; ++ else ++ { ++ /* The name is too long. Ignore this file. */ ++ dirp->errcode = ENAMETOOLONG; ++ dp->d_ino = 0; ++ continue; ++ } ++ } ++#endif ++ ++ /* Skip deleted and ignored files. */ + } + while (dp->d_ino == 0); + + if (dp != NULL) + { +-#ifdef GETDENTS_64BIT_ALIGNED +- /* The d_reclen value might include padding which is not part of +- the DIRENT_TYPE data structure. */ +- reclen = MIN (reclen, +- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name)); +-#endif + *result = memcpy (entry, dp, reclen); +-#ifdef GETDENTS_64BIT_ALIGNED ++#ifdef _DIRENT_HAVE_D_RECLEN + entry->d_reclen = reclen; + #endif ++ ret = 0; + } + else +- *result = NULL; ++ { ++ *result = NULL; ++ ret = dirp->errcode; ++ } + + __libc_lock_unlock (dirp->lock); + +- return dp != NULL ? 0 : reclen ? errno : 0; ++ return ret; + } + + #ifdef __READDIR_R_ALIAS +diff --git a/sysdeps/posix/rewinddir.c b/sysdeps/posix/rewinddir.c +index 2935a8e..d4991ad 100644 +--- a/sysdeps/posix/rewinddir.c ++++ b/sysdeps/posix/rewinddir.c +@@ -33,6 +33,7 @@ rewinddir (dirp) + dirp->filepos = 0; + dirp->offset = 0; + dirp->size = 0; ++ dirp->errcode = 0; + #ifndef NOT_IN_libc + __libc_lock_unlock (dirp->lock); + #endif +diff --git a/sysdeps/unix/sysv/linux/i386/readdir64_r.c b/sysdeps/unix/sysv/linux/i386/readdir64_r.c +index 8ebbcfd..a7d114e 100644 +--- a/sysdeps/unix/sysv/linux/i386/readdir64_r.c ++++ b/sysdeps/unix/sysv/linux/i386/readdir64_r.c +@@ -18,7 +18,6 @@ + #define __READDIR_R __readdir64_r + #define __GETDENTS __getdents64 + #define DIRENT_TYPE struct dirent64 +-#define GETDENTS_64BIT_ALIGNED 1 + + #include <sysdeps/posix/readdir_r.c> + +diff --git a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c +index 5ed8e95..290f2c8 100644 +--- a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c ++++ b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c +@@ -1,5 +1,4 @@ + #define readdir64_r __no_readdir64_r_decl +-#define GETDENTS_64BIT_ALIGNED 1 + #include <sysdeps/posix/readdir_r.c> + #undef readdir64_r + weak_alias (__readdir_r, readdir64_r) diff --git a/patches/glibc-2.18/0010-malloc-Check-for-integer-overflow-in-pvalloc.patch b/patches/glibc-2.18/0010-malloc-Check-for-integer-overflow-in-pvalloc.patch new file mode 100644 index 0000000..9331ceb --- /dev/null +++ b/patches/glibc-2.18/0010-malloc-Check-for-integer-overflow-in-pvalloc.patch @@ -0,0 +1,37 @@ +From: Will Newton <will.newton@linaro.org> +Date: Mon, 12 Aug 2013 15:08:02 +0100 +Subject: [PATCH] malloc: Check for integer overflow in pvalloc. + +A large bytes parameter to pvalloc could cause an integer overflow +and corrupt allocator internals. Check the overflow does not occur +before continuing with the allocation. + +ChangeLog: + +2013-09-11 Will Newton <will.newton@linaro.org> + + [BZ #15855] + * malloc/malloc.c (__libc_pvalloc): Check the value of bytes + does not overflow. +--- + malloc/malloc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index be472b2..bcc08c4 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes) + size_t page_mask = GLRO(dl_pagesize) - 1; + size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + void *(*hook) (size_t, size_t, const void *) = + force_reg (__memalign_hook); + if (__builtin_expect (hook != NULL, 0)) diff --git a/patches/glibc-2.18/0011-malloc-Check-for-integer-overflow-in-valloc.patch b/patches/glibc-2.18/0011-malloc-Check-for-integer-overflow-in-valloc.patch new file mode 100644 index 0000000..1a29ffb --- /dev/null +++ b/patches/glibc-2.18/0011-malloc-Check-for-integer-overflow-in-valloc.patch @@ -0,0 +1,37 @@ +From: Will Newton <will.newton@linaro.org> +Date: Fri, 16 Aug 2013 11:59:37 +0100 +Subject: [PATCH] malloc: Check for integer overflow in valloc. + +A large bytes parameter to valloc could cause an integer overflow +and corrupt allocator internals. Check the overflow does not occur +before continuing with the allocation. + +ChangeLog: + +2013-09-11 Will Newton <will.newton@linaro.org> + + [BZ #15856] + * malloc/malloc.c (__libc_valloc): Check the value of bytes + does not overflow. +--- + malloc/malloc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index bcc08c4..31e2dfa 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes) + + size_t pagesz = GLRO(dl_pagesize); + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - pagesz - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + void *(*hook) (size_t, size_t, const void *) = + force_reg (__memalign_hook); + if (__builtin_expect (hook != NULL, 0)) diff --git a/patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch b/patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch new file mode 100644 index 0000000..8bc5718 --- /dev/null +++ b/patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch @@ -0,0 +1,37 @@ +From: Will Newton <will.newton@linaro.org> +Date: Fri, 16 Aug 2013 12:54:29 +0100 +Subject: [PATCH] malloc: Check for integer overflow in memalign. + +A large bytes parameter to memalign could cause an integer overflow +and corrupt allocator internals. Check the overflow does not occur +before continuing with the allocation. + +ChangeLog: + +2013-09-11 Will Newton <will.newton@linaro.org> + + [BZ #15857] + * malloc/malloc.c (__libc_memalign): Check the value of bytes + does not overflow. +--- + malloc/malloc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index 31e2dfa..ebbe86d 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) + /* Otherwise, ensure that it is at least a minimum chunk size */ + if (alignment < MINSIZE) alignment = MINSIZE; + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - alignment - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + arena_get(ar_ptr, bytes + alignment + MINSIZE); + if(!ar_ptr) + return 0; diff --git a/patches/glibc-2.18/0013-Fix-stack-overflow-due-to-large-AF_INET6-requests.patch b/patches/glibc-2.18/0013-Fix-stack-overflow-due-to-large-AF_INET6-requests.patch new file mode 100644 index 0000000..c59df8c --- /dev/null +++ b/patches/glibc-2.18/0013-Fix-stack-overflow-due-to-large-AF_INET6-requests.patch @@ -0,0 +1,51 @@ +From: Siddhesh Poyarekar <siddhesh@redhat.com> +Date: Fri, 25 Oct 2013 10:22:12 +0530 +Subject: [PATCH] Fix stack overflow due to large AF_INET6 requests + +Resolves #16072 (CVE-2013-4458). + +This patch fixes another stack overflow in getaddrinfo when it is +called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914, +but the AF_INET6 case went undetected back then. +--- + sysdeps/posix/getaddrinfo.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 7bb3ded..2e97255 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -197,7 +197,22 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, + &rc, &herrno, NULL, &localcanon)); \ + if (rc != ERANGE || herrno != NETDB_INTERNAL) \ + break; \ +- tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \ ++ if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \ ++ tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \ ++ alloca_used); \ ++ else \ ++ { \ ++ char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \ ++ 2 * tmpbuflen); \ ++ if (newp == NULL) \ ++ { \ ++ result = -EAI_MEMORY; \ ++ goto free_and_return; \ ++ } \ ++ tmpbuf = newp; \ ++ malloc_tmpbuf = true; \ ++ tmpbuflen = 2 * tmpbuflen; \ ++ } \ + } \ + if (status == NSS_STATUS_SUCCESS && rc == 0) \ + h = &th; \ +@@ -209,7 +224,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, + { \ + __set_h_errno (herrno); \ + _res.options |= old_res_options & RES_USE_INET6; \ +- return -EAI_SYSTEM; \ ++ result = -EAI_SYSTEM; \ ++ goto free_and_return; \ + } \ + if (herrno == TRY_AGAIN) \ + no_data = EAI_AGAIN; \ diff --git a/patches/glibc-2.18/series b/patches/glibc-2.18/series index 53c39ad..ba8f90c 100644 --- a/patches/glibc-2.18/series +++ b/patches/glibc-2.18/series @@ -5,6 +5,15 @@ 0002-Fix-PI-mutex-check-in-pthread_cond_broadcast-and-pth.patch 0003-ARM-Fix-memcpy-computed-jump-calculations-for-ARM_AL.patch 0004-Accept-make-versions-4.0-and-greater.patch +0005-Simplify-strcoll-implementation.patch +0006-Fall-back-to-non-cached-sequence-traversal-and-compa.patch +0007-Check-for-integer-overflow-in-cache-size-computation.patch +0008-BZ-15754-CVE-2013-4788.patch +0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch +0010-malloc-Check-for-integer-overflow-in-pvalloc.patch +0011-malloc-Check-for-integer-overflow-in-valloc.patch +0012-malloc-Check-for-integer-overflow-in-memalign.patch +0013-Fix-stack-overflow-due-to-large-AF_INET6-requests.patch #tag:build-system --start-number 100 0100-add-install-lib-all-target.patch 0101-don-t-regen-docs-if-perl-is-not-found.patch @@ -15,4 +24,4 @@ #tag:linaro --start-number 400 0400-optimized-string-functions-for-NEON-from-Linaro.patch 0401-add-libc_hidden_builtin_def-for-all-cortex-functions.patch -# 7774ed95c0f12c240b0659960d7c2f7d - git-ptx-patches magic +# c7c37d04f6d7c2fc5e7140d9570db200 - git-ptx-patches magic |