diff options
author | Michael Olbrich <m.olbrich@pengutronix.de> | 2015-02-21 18:22:04 +0100 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2015-02-21 18:22:04 +0100 |
commit | 957cde19adbb9e865e58fab7b550a0df4b749e77 (patch) | |
tree | 3033c383d0f7a39c5104765c5457aeef62b88ec5 | |
parent | 52ad40a25e3f2fe7b897b7fcd7acfebe13ca5c89 (diff) | |
download | OSELAS.Toolchain-957cde19adbb9e865e58fab7b550a0df4b749e77.tar.gz OSELAS.Toolchain-957cde19adbb9e865e58fab7b550a0df4b749e77.tar.xz |
glibc: add security fixes from glibc 2.21
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
-rw-r--r-- | patches/glibc-2.20/0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch | 24 | ||||
-rw-r--r-- | patches/glibc-2.20/0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch | 277 | ||||
-rw-r--r-- | patches/glibc-2.20/0003-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch (renamed from patches/glibc-2.20/0001-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch) | 0 | ||||
-rw-r--r-- | patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch | 95 | ||||
-rw-r--r-- | patches/glibc-2.20/series | 7 |
5 files changed, 401 insertions, 2 deletions
diff --git a/patches/glibc-2.20/0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch b/patches/glibc-2.20/0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch new file mode 100644 index 0000000..323ee72 --- /dev/null +++ b/patches/glibc-2.20/0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch @@ -0,0 +1,24 @@ +From: Florian Weimer <fweimer@redhat.com> +Date: Mon, 15 Dec 2014 17:41:13 +0100 +Subject: [PATCH] CVE-2014-9402: Avoid infinite loop in nss_dns getnetbyname + [BZ #17630] + +--- + resolv/nss_dns/dns-network.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c +index 0a77c8bc4808..08cf0a6462ce 100644 +--- a/resolv/nss_dns/dns-network.c ++++ b/resolv/nss_dns/dns-network.c +@@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result, + + case BYNAME: + { +- char **ap = result->n_aliases++; +- while (*ap != NULL) ++ char **ap; ++ for (ap = result->n_aliases; *ap != NULL; ++ap) + { + /* Check each alias name for being of the forms: + 4.3.2.1.in-addr.arpa = net 1.2.3.4 diff --git a/patches/glibc-2.20/0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch b/patches/glibc-2.20/0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch new file mode 100644 index 0000000..5dc8a07 --- /dev/null +++ b/patches/glibc-2.20/0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch @@ -0,0 +1,277 @@ +From: Jeff Law <law@redhat.com> +Date: Mon, 15 Dec 2014 10:09:32 +0100 +Subject: [PATCH] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617] + +A larger number of format specifiers coudld cause a stack overflow, +potentially allowing to bypass _FORTIFY_SOURCE format string +protection. +--- + stdio-common/Makefile | 2 +- + stdio-common/bug23-2.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++ + stdio-common/bug23-3.c | 50 +++++++++++++++++++++++++++++++++++ + stdio-common/bug23-4.c | 31 ++++++++++++++++++++++ + stdio-common/vfprintf.c | 40 ++++++++++++++++++++++++++-- + 5 files changed, 190 insertions(+), 3 deletions(-) + create mode 100644 stdio-common/bug23-2.c + create mode 100644 stdio-common/bug23-3.c + create mode 100644 stdio-common/bug23-4.c + +diff --git a/stdio-common/Makefile b/stdio-common/Makefile +index 5f8e5341a5c3..24e8496f7521 100644 +--- a/stdio-common/Makefile ++++ b/stdio-common/Makefile +@@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ + bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \ + scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \ + bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \ +- bug25 tst-printf-round bug26 ++ bug25 tst-printf-round bug23-2 bug23-3 bug23-4 + + test-srcs = tst-unbputc tst-printf + +diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c +new file mode 100644 +index 000000000000..9e0cfe6860d0 +--- /dev/null ++++ b/stdio-common/bug23-2.c +@@ -0,0 +1,70 @@ ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++ ++static const char expected[] = "\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n"; ++ ++static int ++do_test (void) ++{ ++ char *buf = malloc (strlen (expected) + 1); ++ snprintf (buf, strlen (expected) + 1, ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n", ++ "a", "b", "c", "d", 5); ++ return strcmp (buf, expected) != 0; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +diff --git a/stdio-common/bug23-3.c b/stdio-common/bug23-3.c +new file mode 100644 +index 000000000000..57c8cef195a8 +--- /dev/null ++++ b/stdio-common/bug23-3.c +@@ -0,0 +1,50 @@ ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++ ++int ++do_test (void) ++{ ++ size_t instances = 16384; ++#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ const char *item = "\na\nabbcd55"; ++#define X3 X0 X0 X0 X0 X0 X0 X0 X0 ++#define X6 X3 X3 X3 X3 X3 X3 X3 X3 ++#define X9 X6 X6 X6 X6 X6 X6 X6 X6 ++#define X12 X9 X9 X9 X9 X9 X9 X9 X9 ++#define X14 X12 X12 X12 X12 ++#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%" ++#define TRAILER2 TRAILER TRAILER ++ size_t length = instances * strlen (item) + strlen (TRAILER) + 1; ++ ++ char *buf = malloc (length + 1); ++ snprintf (buf, length + 1, ++ X14 TRAILER2 "\n", ++ "a", "b", "c", "d", 5); ++ ++ const char *p = buf; ++ size_t i; ++ for (i = 0; i < instances; ++i) ++ { ++ const char *expected; ++ for (expected = item; *expected; ++expected) ++ { ++ if (*p != *expected) ++ { ++ printf ("mismatch at offset %zu (%zu): expected %d, got %d\n", ++ (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF); ++ return 1; ++ } ++ ++p; ++ } ++ } ++ if (strcmp (p, TRAILER "\n") != 0) ++ { ++ printf ("mismatch at trailer: [%s]\n", p); ++ return 1; ++ } ++ free (buf); ++ return 0; ++} ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c +new file mode 100644 +index 000000000000..a4785640dee0 +--- /dev/null ++++ b/stdio-common/bug23-4.c +@@ -0,0 +1,31 @@ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <sys/resource.h> ++ ++#define LIMIT 1000000 ++ ++int ++main (void) ++{ ++ struct rlimit lim; ++ getrlimit (RLIMIT_STACK, &lim); ++ lim.rlim_cur = 1048576; ++ setrlimit (RLIMIT_STACK, &lim); ++ char *fmtstr = malloc (4 * LIMIT + 1); ++ if (fmtstr == NULL) ++ abort (); ++ char *output = malloc (LIMIT + 1); ++ if (output == NULL) ++ abort (); ++ for (size_t i = 0; i < LIMIT; i++) ++ memcpy (fmtstr + 4 * i, "%1$d", 4); ++ fmtstr[4 * LIMIT] = '\0'; ++ int ret = snprintf (output, LIMIT + 1, fmtstr, 0); ++ if (ret != LIMIT) ++ abort (); ++ for (size_t i = 0; i < LIMIT; i++) ++ if (output[i] != '0') ++ abort (); ++ return 0; ++} +diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c +index c4ff8334b206..429a3d1a83ca 100644 +--- a/stdio-common/vfprintf.c ++++ b/stdio-common/vfprintf.c +@@ -263,6 +263,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) + /* For the argument descriptions, which may be allocated on the heap. */ + void *args_malloced = NULL; + ++ /* For positional argument handling. */ ++ struct printf_spec *specs; ++ ++ /* Track if we malloced the SPECS array and thus must free it. */ ++ bool specs_malloced = false; ++ + /* This table maps a character into a number representing a + class. In each step there is a destination label for each + class. */ +@@ -1679,8 +1685,8 @@ do_positional: + size_t nspecs = 0; + /* A more or less arbitrary start value. */ + size_t nspecs_size = 32 * sizeof (struct printf_spec); +- struct printf_spec *specs = alloca (nspecs_size); + ++ specs = alloca (nspecs_size); + /* The number of arguments the format string requests. This will + determine the size of the array needed to store the argument + attributes. */ +@@ -1721,11 +1727,39 @@ do_positional: + if (nspecs * sizeof (*specs) >= nspecs_size) + { + /* Extend the array of format specifiers. */ ++ if (nspecs_size * 2 < nspecs_size) ++ { ++ __set_errno (ENOMEM); ++ done = -1; ++ goto all_done; ++ } + struct printf_spec *old = specs; +- specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); ++ if (__libc_use_alloca (2 * nspecs_size)) ++ specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); ++ else ++ { ++ nspecs_size *= 2; ++ specs = malloc (nspecs_size); ++ if (specs == NULL) ++ { ++ __set_errno (ENOMEM); ++ specs = old; ++ done = -1; ++ goto all_done; ++ } ++ } + + /* Copy the old array's elements to the new space. */ + memmove (specs, old, nspecs * sizeof (*specs)); ++ ++ /* If we had previously malloc'd space for SPECS, then ++ release it after the copy is complete. */ ++ if (specs_malloced) ++ free (old); ++ ++ /* Now set SPECS_MALLOCED if needed. */ ++ if (!__libc_use_alloca (nspecs_size)) ++ specs_malloced = true; + } + + /* Parse the format specifier. */ +@@ -2046,6 +2080,8 @@ do_positional: + } + + all_done: ++ if (specs_malloced) ++ free (specs); + if (__glibc_unlikely (args_malloced != NULL)) + free (args_malloced); + if (__glibc_unlikely (workstart != NULL)) diff --git a/patches/glibc-2.20/0001-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch b/patches/glibc-2.20/0003-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch index 41afda4..41afda4 100644 --- a/patches/glibc-2.20/0001-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch +++ b/patches/glibc-2.20/0003-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch diff --git a/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch new file mode 100644 index 0000000..4ff5a63 --- /dev/null +++ b/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch @@ -0,0 +1,95 @@ +From: Paul Pluzhnikov <ppluzhnikov@google.com> +Date: Fri, 6 Feb 2015 00:30:42 -0500 +Subject: [PATCH] CVE-2015-1472: wscanf allocates too little memory + +BZ #16618 + +Under certain conditions wscanf can allocate too little memory for the +to-be-scanned arguments and overflow the allocated buffer. The +implementation now correctly computes the required buffer size when +using malloc. + +A regression test was added to tst-sscanf. +--- + stdio-common/tst-sscanf.c | 33 +++++++++++++++++++++++++++++++++ + stdio-common/vfscanf.c | 12 ++++++------ + 2 files changed, 39 insertions(+), 6 deletions(-) + +diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c +index 9fef93a53578..6394fe1cccd1 100644 +--- a/stdio-common/tst-sscanf.c ++++ b/stdio-common/tst-sscanf.c +@@ -233,5 +233,38 @@ main (void) + } + } + ++ /* BZ #16618 ++ The test will segfault during SSCANF if the buffer overflow ++ is not fixed. The size of `s` is such that it forces the use ++ of malloc internally and this triggers the incorrect computation. ++ Thus the value for SIZE is arbitrariy high enough that malloc ++ is used. */ ++ { ++#define SIZE 131072 ++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s)); ++ if (s == NULL) ++ abort (); ++ for (size_t i = 0; i < SIZE; i++) ++ s[i] = L('0'); ++ s[SIZE] = L('\0'); ++ int i = 42; ++ /* Scan multi-digit zero into `i`. */ ++ if (SSCANF (s, L("%d"), &i) != 1) ++ { ++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n"); ++ result = 1; ++ } ++ if (i != 0) ++ { ++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n"); ++ result = 1; ++ } ++ free (s); ++ if (result != 1) ++ printf ("PASS: bug16618: Did not crash.\n"); ++#undef SIZE ++ } ++ ++ + return result; + } +diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c +index e0d224530cc6..a4f06b44e576 100644 +--- a/stdio-common/vfscanf.c ++++ b/stdio-common/vfscanf.c +@@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, + if (__glibc_unlikely (wpsize == wpmax)) \ + { \ + CHAR_T *old = wp; \ +- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \ +- ? UCHAR_MAX + 1 : 2 * wpmax); \ +- if (use_malloc || !__libc_use_alloca (newsize)) \ ++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \ ++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \ ++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \ ++ if (!__libc_use_alloca (newsize)) \ + { \ + wp = realloc (use_malloc ? wp : NULL, newsize); \ + if (wp == NULL) \ +@@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, + } \ + if (! use_malloc) \ + MEMCPY (wp, old, wpsize); \ +- wpmax = newsize; \ ++ wpmax = wpneed; \ + use_malloc = true; \ + } \ + else \ + { \ + size_t s = wpmax * sizeof (CHAR_T); \ +- wp = (CHAR_T *) extend_alloca (wp, s, \ +- newsize * sizeof (CHAR_T)); \ ++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \ + wpmax = s / sizeof (CHAR_T); \ + if (old != NULL) \ + MEMCPY (wp, old, wpsize); \ diff --git a/patches/glibc-2.20/series b/patches/glibc-2.20/series index 8eb023a..89005f0 100644 --- a/patches/glibc-2.20/series +++ b/patches/glibc-2.20/series @@ -1,7 +1,10 @@ # generated by git-ptx-patches #tag:base --start-number 1 #tag:upstream --start-number 1 -0001-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch +0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch +0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch +0003-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch +0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch #tag:build-system --start-number 100 0100-add-install-lib-all-target.patch 0101-don-t-regen-docs-if-perl-is-not-found.patch @@ -14,4 +17,4 @@ 0401-add-libc_hidden_builtin_def-for-all-cortex-functions.patch #tag:hacks --start-number 500 0500-Hack-around-mips-args-to-host-gcc.patch -# d9cd5ae91332d084ae07ad4d0589ae36 - git-ptx-patches magic +# abbdf6f06cd2fc7e40618e8c66cf8875 - git-ptx-patches magic |