diff options
author | Michael Olbrich <m.olbrich@pengutronix.de> | 2014-09-10 10:33:54 +0200 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2014-12-12 08:15:35 +0100 |
commit | f93e4506937afafa325bd530de3fc39c7399963a (patch) | |
tree | c2d5b6a24769e649c4c9a6e8d5e0ac30cb2d5f9b /patches | |
parent | fc513961e38f5307df71d171b084aba171ff462e (diff) | |
download | OSELAS.Toolchain-f93e4506937afafa325bd530de3fc39c7399963a.tar.gz OSELAS.Toolchain-f93e4506937afafa325bd530de3fc39c7399963a.tar.xz |
glibc: update patches 2.18 -> 2.20
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'patches')
21 files changed, 31 insertions, 2067 deletions
diff --git a/patches/glibc-2.18/0001-ARM-Fix-clone-code-when-built-for-Thumb.patch b/patches/glibc-2.18/0001-ARM-Fix-clone-code-when-built-for-Thumb.patch deleted file mode 100644 index 78bf5f9..0000000 --- a/patches/glibc-2.18/0001-ARM-Fix-clone-code-when-built-for-Thumb.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Will Newton <will.newton@linaro.org> -Date: Thu, 29 Aug 2013 20:10:26 +0100 -Subject: [PATCH] ARM: Fix clone code when built for Thumb. - -The mov lr, pc instruction will lose the Thumb bit from the return address -so use blx lr instead. - -ports/ChangeLog.arm: - -2013-08-30 Will Newton <will.newton@linaro.org> - - [BZ #15909] - * sysdeps/unix/sysv/linux/arm/clone.S (__clone): Use blx - instead of mov lr, pc. - -(cherry picked from commit 6b06ac56cdfc9293908724e51e827534e97819aa) ---- - ports/sysdeps/unix/sysv/linux/arm/clone.S | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ports/sysdeps/unix/sysv/linux/arm/clone.S b/ports/sysdeps/unix/sysv/linux/arm/clone.S -index ce9c2a5..6e74fa7 100644 ---- a/ports/sysdeps/unix/sysv/linux/arm/clone.S -+++ b/ports/sysdeps/unix/sysv/linux/arm/clone.S -@@ -93,8 +93,8 @@ PSEUDO_END (__clone) - mov lr, pc - bx ip - #else -- mov lr, pc -- ldr pc, [sp], #8 -+ ldr lr, [sp], #8 -+ blx lr - #endif - - @ and we are done, passing the return value through r0 diff --git a/patches/glibc-2.18/0002-Fix-PI-mutex-check-in-pthread_cond_broadcast-and-pth.patch b/patches/glibc-2.18/0002-Fix-PI-mutex-check-in-pthread_cond_broadcast-and-pth.patch deleted file mode 100644 index a255632..0000000 --- a/patches/glibc-2.18/0002-Fix-PI-mutex-check-in-pthread_cond_broadcast-and-pth.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Siddhesh Poyarekar <siddhesh@redhat.com> -Date: Thu, 3 Oct 2013 08:26:21 +0530 -Subject: [PATCH] Fix PI mutex check in pthread_cond_broadcast and - pthread_cond_signal - -Fixes BZ #15996. - -The check had a typo - it checked for PTHREAD_MUTEX_ROBUST_NP instead -of PTHREAD_MUTEX_ROBUST_NORMAL_NP. It has now been replaced by the -already existing convenience macro USE_REQUEUE_PI. ---- - nptl/pthread_cond_broadcast.c | 5 +---- - nptl/pthread_cond_signal.c | 7 +------ - 2 files changed, 2 insertions(+), 10 deletions(-) - -diff --git a/nptl/pthread_cond_broadcast.c b/nptl/pthread_cond_broadcast.c -index 0702ec0..7ba9efa 100644 ---- a/nptl/pthread_cond_broadcast.c -+++ b/nptl/pthread_cond_broadcast.c -@@ -63,10 +63,7 @@ __pthread_cond_broadcast (cond) - - #if (defined lll_futex_cmp_requeue_pi \ - && defined __ASSUME_REQUEUE_PI) -- int pi_flag = PTHREAD_MUTEX_PRIO_INHERIT_NP | PTHREAD_MUTEX_ROBUST_NP; -- pi_flag &= mut->__data.__kind; -- -- if (pi_flag == PTHREAD_MUTEX_PRIO_INHERIT_NP) -+ if (USE_REQUEUE_PI (mut)) - { - if (lll_futex_cmp_requeue_pi (&cond->__data.__futex, 1, INT_MAX, - &mut->__data.__lock, futex_val, -diff --git a/nptl/pthread_cond_signal.c b/nptl/pthread_cond_signal.c -index 102d0b3..ffc35dc 100644 ---- a/nptl/pthread_cond_signal.c -+++ b/nptl/pthread_cond_signal.c -@@ -49,14 +49,9 @@ __pthread_cond_signal (cond) - - #if (defined lll_futex_cmp_requeue_pi \ - && defined __ASSUME_REQUEUE_PI) -- int pi_flag = PTHREAD_MUTEX_PRIO_INHERIT_NP | PTHREAD_MUTEX_ROBUST_NP; - pthread_mutex_t *mut = cond->__data.__mutex; - -- /* Do not use requeue for pshared condvars. */ -- if (mut != (void *) ~0l) -- pi_flag &= mut->__data.__kind; -- -- if (__builtin_expect (pi_flag == PTHREAD_MUTEX_PRIO_INHERIT_NP, 0) -+ if (USE_REQUEUE_PI (mut) - /* This can only really fail with a ENOSYS, since nobody can modify - futex while we have the cond_lock. */ - && lll_futex_cmp_requeue_pi (&cond->__data.__futex, 1, 0, diff --git a/patches/glibc-2.18/0003-ARM-Fix-memcpy-computed-jump-calculations-for-ARM_AL.patch b/patches/glibc-2.18/0003-ARM-Fix-memcpy-computed-jump-calculations-for-ARM_AL.patch deleted file mode 100644 index e02a24d..0000000 --- a/patches/glibc-2.18/0003-ARM-Fix-memcpy-computed-jump-calculations-for-ARM_AL.patch +++ /dev/null @@ -1,70 +0,0 @@ -From: Roland McGrath <roland@hack.frob.com> -Date: Fri, 22 Nov 2013 11:39:20 -0800 -Subject: [PATCH] ARM: Fix memcpy computed-jump calculations for ARM_ALWAYS_BX - case. - ---- - ports/sysdeps/arm/arm-features.h | 8 -------- - ports/sysdeps/arm/armv7/multiarch/memcpy_impl.S | 21 +++++++++++---------- - 2 files changed, 11 insertions(+), 18 deletions(-) - -diff --git a/ports/sysdeps/arm/arm-features.h b/ports/sysdeps/arm/arm-features.h -index 1d4b0f1..336b690 100644 ---- a/ports/sysdeps/arm/arm-features.h -+++ b/ports/sysdeps/arm/arm-features.h -@@ -53,14 +53,6 @@ - # define ARM_BX_ALIGN_LOG2 2 - #endif - --/* The number of instructions that 'bx' expands to. A more-specific -- arm-features.h that defines 'bx' as a macro should define this to the -- number instructions it expands to. This is used only in a context -- where the 'bx' expansion won't cross an ARM_BX_ALIGN_LOG2 boundary. */ --#ifndef ARM_BX_NINSNS --# define ARM_BX_NINSNS 1 --#endif -- - /* An OS-specific arm-features.h file may define ARM_NO_INDEX_REGISTER to - indicate that the two-register addressing modes must never be used. */ - -diff --git a/ports/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/ports/sysdeps/arm/armv7/multiarch/memcpy_impl.S -index 3decad6..5ed076e 100644 ---- a/ports/sysdeps/arm/armv7/multiarch/memcpy_impl.S -+++ b/ports/sysdeps/arm/armv7/multiarch/memcpy_impl.S -@@ -128,25 +128,26 @@ - .purgem dispatch_step - .endm - #else --# if ARM_BX_ALIGN_LOG2 < 4 -+# if ARM_BX_ALIGN_LOG2 < 3 - # error case not handled - # endif - .macro dispatch_helper steps, log2_bytes_per_step -- .p2align ARM_BX_ALIGN_LOG2 - /* TMP1 gets (max_bytes - bytes_to_copy), where max_bytes is - (STEPS << LOG2_BYTES_PER_STEP). -- So this is (steps_to_skip << LOG2_BYTES_PER_STEP). */ -- rsb tmp1, tmp1, #(\steps << \log2_bytes_per_step) -- /* Pad so that the add;bx pair immediately precedes an alignment -- boundary. Hence, TMP1=0 will run all the steps. */ -- .rept (1 << (ARM_BX_ALIGN_LOG2 - 2)) - (2 + ARM_BX_NINSNS) -- nop -- .endr -+ So this is (steps_to_skip << LOG2_BYTES_PER_STEP). -+ Then it needs further adjustment to compensate for the -+ distance between the PC value taken below (0f + PC_OFS) -+ and the first step's instructions (1f). */ -+ rsb tmp1, tmp1, #((\steps << \log2_bytes_per_step) \ -+ + ((1f - PC_OFS - 0f) \ -+ >> (ARM_BX_ALIGN_LOG2 - \log2_bytes_per_step))) - /* Shifting down LOG2_BYTES_PER_STEP gives us the number of - steps to skip, then shifting up ARM_BX_ALIGN_LOG2 gives us - the (byte) distance to add to the PC. */ -- add tmp1, pc, tmp1, lsl #(ARM_BX_ALIGN_LOG2 - \log2_bytes_per_step) -+0: add tmp1, pc, tmp1, lsl #(ARM_BX_ALIGN_LOG2 - \log2_bytes_per_step) - bx tmp1 -+ .p2align ARM_BX_ALIGN_LOG2 -+1: - .endm - - .macro dispatch_7_dword diff --git a/patches/glibc-2.18/0004-Accept-make-versions-4.0-and-greater.patch b/patches/glibc-2.18/0004-Accept-make-versions-4.0-and-greater.patch deleted file mode 100644 index 3206a74..0000000 --- a/patches/glibc-2.18/0004-Accept-make-versions-4.0-and-greater.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Marc-Antoine Perennou <Marc-Antoine@Perennou.com> -Date: Thu, 31 Oct 2013 12:37:50 +1000 -Subject: [PATCH] Accept make versions 4.0 and greater - ---- - configure | 2 +- - configure.in | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/configure b/configure -index 1ee4c42..804fd7e 100755 ---- a/configure -+++ b/configure -@@ -4772,7 +4772,7 @@ $as_echo_n "checking version of $MAKE... " >&6; } - ac_prog_version=`$MAKE --version 2>&1 | sed -n 's/^.*GNU Make[^0-9]*\([0-9][0-9.]*\).*$/\1/p'` - case $ac_prog_version in - '') ac_prog_version="v. ?.??, bad"; ac_verc_fail=yes;; -- 3.79* | 3.[89]*) -+ 3.79* | 3.[89]* | [4-9].* | [1-9][0-9]*) - ac_prog_version="$ac_prog_version, ok"; ac_verc_fail=no;; - *) ac_prog_version="$ac_prog_version, bad"; ac_verc_fail=yes;; - -diff --git a/configure.in b/configure.in -index 769e8ef..2364142 100644 ---- a/configure.in -+++ b/configure.in -@@ -989,7 +989,7 @@ AC_CHECK_PROG_VER(CC, ${ac_tool_prefix}gcc ${ac_tool_prefix}cc, -v, - critic_missing="$critic_missing gcc") - AC_CHECK_PROG_VER(MAKE, gnumake gmake make, --version, - [GNU Make[^0-9]*\([0-9][0-9.]*\)], -- [3.79* | 3.[89]*], critic_missing="$critic_missing make") -+ [3.79* | 3.[89]* | [4-9].* | [1-9][0-9]*], critic_missing="$critic_missing make") - - AC_CHECK_PROG_VER(MSGFMT, gnumsgfmt gmsgfmt msgfmt, --version, - [GNU gettext.* \([0-9]*\.[0-9.]*\)], diff --git a/patches/glibc-2.18/0005-Simplify-strcoll-implementation.patch b/patches/glibc-2.18/0005-Simplify-strcoll-implementation.patch deleted file mode 100644 index e715b38..0000000 --- a/patches/glibc-2.18/0005-Simplify-strcoll-implementation.patch +++ /dev/null @@ -1,795 +0,0 @@ -From: Siddhesh Poyarekar <siddhesh@redhat.com> -Date: Tue, 20 Aug 2013 08:40:05 +0530 -Subject: [PATCH] Simplify strcoll implementation - -Break up strcoll into simpler functions so that the logic is easier to -follow and maintain. ---- - string/strcoll_l.c | 701 ++++++++++++++++++++++------------------------------- - 1 file changed, 295 insertions(+), 406 deletions(-) - -diff --git a/string/strcoll_l.c b/string/strcoll_l.c -index ecda08f..50ed84d 100644 ---- a/string/strcoll_l.c -+++ b/string/strcoll_l.c -@@ -41,11 +41,244 @@ - - #include "../locale/localeinfo.h" - -+/* Track status while looking for sequences in a string. */ -+typedef struct -+{ -+ int len; /* Length of the current sequence. */ -+ int val; /* Position of the sequence relative to the -+ previous non-ignored sequence. */ -+ size_t idxnow; /* Current index in sequences. */ -+ size_t idxmax; /* Maximum index in sequences. */ -+ size_t idxcnt; /* Current count of indices. */ -+ size_t backw; /* Current Backward sequence index. */ -+ size_t backw_stop; /* Index where the backward sequences stop. */ -+ const USTRING_TYPE *us; /* The string. */ -+ int32_t *idxarr; /* Array to cache weight indices. */ -+ unsigned char *rulearr; /* Array to cache rules. */ -+} coll_seq; -+ -+/* Get next sequence. The weight indices are cached, so we don't need to -+ traverse the string. */ -+static void -+get_next_seq_cached (coll_seq *seq, int nrules, int pass, -+ const unsigned char *rulesets, -+ const USTRING_TYPE *weights) -+{ -+ int val = seq->val = 0; -+ int len = seq->len; -+ size_t backw_stop = seq->backw_stop; -+ size_t backw = seq->backw; -+ size_t idxcnt = seq->idxcnt; -+ size_t idxmax = seq->idxmax; -+ size_t idxnow = seq->idxnow; -+ unsigned char *rulearr = seq->rulearr; -+ int32_t *idxarr = seq->idxarr; -+ -+ while (len == 0) -+ { -+ ++val; -+ if (backw_stop != ~0ul) -+ { -+ /* There is something pushed. */ -+ if (backw == backw_stop) -+ { -+ /* The last pushed character was handled. Continue -+ with forward characters. */ -+ if (idxcnt < idxmax) -+ { -+ idxnow = idxcnt; -+ backw_stop = ~0ul; -+ } -+ else -+ { -+ /* Nothing any more. The backward sequence -+ ended with the last sequence in the string. */ -+ idxnow = ~0ul; -+ break; -+ } -+ } -+ else -+ idxnow = --backw; -+ } -+ else -+ { -+ backw_stop = idxcnt; -+ -+ while (idxcnt < idxmax) -+ { -+ if ((rulesets[rulearr[idxcnt] * nrules + pass] -+ & sort_backward) == 0) -+ /* No more backward characters to push. */ -+ break; -+ ++idxcnt; -+ } -+ -+ if (backw_stop == idxcnt) -+ { -+ /* No sequence at all or just one. */ -+ if (idxcnt == idxmax) -+ /* Note that LEN is still zero. */ -+ break; -+ -+ backw_stop = ~0ul; -+ idxnow = idxcnt++; -+ } -+ else -+ /* We pushed backward sequences. */ -+ idxnow = backw = idxcnt - 1; -+ } -+ len = weights[idxarr[idxnow]++]; -+ } -+ -+ /* Update the structure. */ -+ seq->val = val; -+ seq->len = len; -+ seq->backw_stop = backw_stop; -+ seq->backw = backw; -+ seq->idxcnt = idxcnt; -+ seq->idxnow = idxnow; -+} -+ -+/* Get next sequence. Traverse the string as required. */ -+static void -+get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, -+ const USTRING_TYPE *weights, const int32_t *table, -+ const USTRING_TYPE *extra, const int32_t *indirect) -+{ -+#include WEIGHT_H -+ int val = seq->val = 0; -+ int len = seq->len; -+ size_t backw_stop = seq->backw_stop; -+ size_t backw = seq->backw; -+ size_t idxcnt = seq->idxcnt; -+ size_t idxmax = seq->idxmax; -+ size_t idxnow = seq->idxnow; -+ unsigned char *rulearr = seq->rulearr; -+ int32_t *idxarr = seq->idxarr; -+ const USTRING_TYPE *us = seq->us; -+ -+ while (len == 0) -+ { -+ ++val; -+ if (backw_stop != ~0ul) -+ { -+ /* The is something pushed. */ -+ if (backw == backw_stop) -+ { -+ /* The last pushed character was handled. Continue -+ with forward characters. */ -+ if (idxcnt < idxmax) -+ { -+ idxnow = idxcnt; -+ backw_stop = ~0ul; -+ } -+ else -+ /* Nothing any more. The backward sequence ended with -+ the last sequence in the string. Note that LEN -+ is still zero. */ -+ break; -+ } -+ else -+ idxnow = --backw; -+ } -+ else -+ { -+ backw_stop = idxmax; -+ -+ while (*us != L('\0')) -+ { -+ int32_t tmp = findidx (&us, -1); -+ rulearr[idxmax] = tmp >> 24; -+ idxarr[idxmax] = tmp & 0xffffff; -+ idxcnt = idxmax++; -+ -+ if ((rulesets[rulearr[idxcnt] * nrules] -+ & sort_backward) == 0) -+ /* No more backward characters to push. */ -+ break; -+ ++idxcnt; -+ } -+ -+ if (backw_stop >= idxcnt) -+ { -+ /* No sequence at all or just one. */ -+ if (idxcnt == idxmax || backw_stop > idxcnt) -+ /* Note that LEN is still zero. */ -+ break; -+ -+ backw_stop = ~0ul; -+ idxnow = idxcnt; -+ } -+ else -+ /* We pushed backward sequences. */ -+ idxnow = backw = idxcnt - 1; -+ } -+ len = weights[idxarr[idxnow]++]; -+ } -+ -+ /* Update the structure. */ -+ seq->val = val; -+ seq->len = len; -+ seq->backw_stop = backw_stop; -+ seq->backw = backw; -+ seq->idxcnt = idxcnt; -+ seq->idxmax = idxmax; -+ seq->idxnow = idxnow; -+ seq->us = us; -+} -+ -+/* Compare two sequences. */ -+static int -+do_compare (coll_seq *seq1, coll_seq *seq2, int position, -+ const USTRING_TYPE *weights) -+{ -+ int seq1len = seq1->len; -+ int seq2len = seq2->len; -+ int val1 = seq1->val; -+ int val2 = seq2->val; -+ int32_t *idx1arr = seq1->idxarr; -+ int32_t *idx2arr = seq2->idxarr; -+ int idx1now = seq1->idxnow; -+ int idx2now = seq2->idxnow; -+ int result = 0; -+ -+ /* Test for position if necessary. */ -+ if (position && val1 != val2) -+ { -+ result = val1 - val2; -+ goto out; -+ } -+ -+ /* Compare the two sequences. */ -+ do -+ { -+ if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]]) -+ { -+ /* The sequences differ. */ -+ result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]]; -+ goto out; -+ } -+ -+ /* Increment the offsets. */ -+ ++idx1arr[idx1now]; -+ ++idx2arr[idx2now]; -+ -+ --seq1len; -+ --seq2len; -+ } -+ while (seq1len > 0 && seq2len > 0); -+ -+ if (position && seq1len != seq2len) -+ result = seq1len - seq2len; -+ -+out: -+ seq1->len = seq1len; -+ seq2->len = seq2len; -+ return result; -+} -+ - int --STRCOLL (s1, s2, l) -- const STRING_TYPE *s1; -- const STRING_TYPE *s2; -- __locale_t l; -+STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) - { - struct __locale_data *current = l->__locales[LC_COLLATE]; - uint_fast32_t nrules = current->values[_NL_ITEM_INDEX (_NL_COLLATE_NRULES)].word; -@@ -56,34 +289,6 @@ STRCOLL (s1, s2, l) - const USTRING_TYPE *weights; - const USTRING_TYPE *extra; - const int32_t *indirect; -- uint_fast32_t pass; -- int result = 0; -- const USTRING_TYPE *us1; -- const USTRING_TYPE *us2; -- size_t s1len; -- size_t s2len; -- int32_t *idx1arr; -- int32_t *idx2arr; -- unsigned char *rule1arr; -- unsigned char *rule2arr; -- size_t idx1max; -- size_t idx2max; -- size_t idx1cnt; -- size_t idx2cnt; -- size_t idx1now; -- size_t idx2now; -- size_t backw1_stop; -- size_t backw2_stop; -- size_t backw1; -- size_t backw2; -- int val1; -- int val2; -- int position; -- int seq1len; -- int seq2len; -- int use_malloc; -- --#include WEIGHT_H - - if (nrules == 0) - return STRCMP (s1, s2); -@@ -98,7 +303,6 @@ STRCOLL (s1, s2, l) - current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_EXTRA,SUFFIX))].string; - indirect = (const int32_t *) - current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_INDIRECT,SUFFIX))].string; -- use_malloc = 0; - - assert (((uintptr_t) table) % __alignof__ (table[0]) == 0); - assert (((uintptr_t) weights) % __alignof__ (weights[0]) == 0); -@@ -106,18 +310,13 @@ STRCOLL (s1, s2, l) - assert (((uintptr_t) indirect) % __alignof__ (indirect[0]) == 0); - - /* We need this a few times. */ -- s1len = STRLEN (s1); -- s2len = STRLEN (s2); -+ size_t s1len = STRLEN (s1); -+ size_t s2len = STRLEN (s2); - - /* Catch empty strings. */ -- if (__builtin_expect (s1len == 0, 0) || __builtin_expect (s2len == 0, 0)) -+ if (__glibc_unlikely (s1len == 0) || __glibc_unlikely (s2len == 0)) - return (s1len != 0) - (s2len != 0); - -- /* We need the elements of the strings as unsigned values since they -- are used as indeces. */ -- us1 = (const USTRING_TYPE *) s1; -- us2 = (const USTRING_TYPE *) s2; -- - /* Perform the first pass over the string and while doing this find - and store the weights for each character. Since we want this to - be as fast as possible we are using `alloca' to store the temporary -@@ -127,411 +326,101 @@ STRCOLL (s1, s2, l) - - Please note that the localedef programs makes sure that `position' - is not used at the first level. */ -+ -+ coll_seq seq1, seq2; -+ bool use_malloc = false; -+ int result = 0; -+ -+ memset (&seq1, 0, sizeof (seq1)); -+ seq2 = seq1; -+ -+ /* We need the elements of the strings as unsigned values since they -+ are used as indices. */ -+ seq1.us = (const USTRING_TYPE *) s1; -+ seq2.us = (const USTRING_TYPE *) s2; -+ - if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) - { -- idx1arr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); -- idx2arr = &idx1arr[s1len]; -- rule1arr = (unsigned char *) &idx2arr[s2len]; -- rule2arr = &rule1arr[s1len]; -+ seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); -+ seq2.idxarr = &seq1.idxarr[s1len]; -+ seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len]; -+ seq2.rulearr = &seq1.rulearr[s1len]; - -- if (idx1arr == NULL) -+ if (seq1.idxarr == NULL) - /* No memory. Well, go with the stack then. - - XXX Once this implementation is stable we will handle this -- differently. Instead of precomputing the indeces we will -+ differently. Instead of precomputing the indices we will - do this in time. This means, though, that this happens for - every pass again. */ - goto try_stack; -- use_malloc = 1; -+ use_malloc = true; - } - else - { - try_stack: -- idx1arr = (int32_t *) alloca (s1len * sizeof (int32_t)); -- idx2arr = (int32_t *) alloca (s2len * sizeof (int32_t)); -- rule1arr = (unsigned char *) alloca (s1len); -- rule2arr = (unsigned char *) alloca (s2len); -+ seq1.idxarr = (int32_t *) alloca (s1len * sizeof (int32_t)); -+ seq2.idxarr = (int32_t *) alloca (s2len * sizeof (int32_t)); -+ seq1.rulearr = (unsigned char *) alloca (s1len); -+ seq2.rulearr = (unsigned char *) alloca (s2len); - } - -- idx1cnt = 0; -- idx2cnt = 0; -- idx1max = 0; -- idx2max = 0; -- idx1now = 0; -- idx2now = 0; -- backw1_stop = ~0ul; -- backw2_stop = ~0ul; -- backw1 = ~0ul; -- backw2 = ~0ul; -- seq1len = 0; -- seq2len = 0; -- position = rulesets[0] & sort_position; -- while (1) -- { -- val1 = 0; -- val2 = 0; -- -- /* Get the next non-IGNOREd element for string `s1'. */ -- if (seq1len == 0) -- do -- { -- ++val1; -- -- if (backw1_stop != ~0ul) -- { -- /* The is something pushed. */ -- if (backw1 == backw1_stop) -- { -- /* The last pushed character was handled. Continue -- with forward characters. */ -- if (idx1cnt < idx1max) -- { -- idx1now = idx1cnt; -- backw1_stop = ~0ul; -- } -- else -- /* Nothing anymore. The backward sequence ended with -- the last sequence in the string. Note that seq1len -- is still zero. */ -- break; -- } -- else -- idx1now = --backw1; -- } -- else -- { -- backw1_stop = idx1max; -- -- while (*us1 != L('\0')) -- { -- int32_t tmp = findidx (&us1, -1); -- rule1arr[idx1max] = tmp >> 24; -- idx1arr[idx1max] = tmp & 0xffffff; -- idx1cnt = idx1max++; -- -- if ((rulesets[rule1arr[idx1cnt] * nrules] -- & sort_backward) == 0) -- /* No more backward characters to push. */ -- break; -- ++idx1cnt; -- } -- -- if (backw1_stop >= idx1cnt) -- { -- /* No sequence at all or just one. */ -- if (idx1cnt == idx1max || backw1_stop > idx1cnt) -- /* Note that seq1len is still zero. */ -- break; -- -- backw1_stop = ~0ul; -- idx1now = idx1cnt; -- } -- else -- /* We pushed backward sequences. */ -- idx1now = backw1 = idx1cnt - 1; -- } -- } -- while ((seq1len = weights[idx1arr[idx1now]++]) == 0); -- -- /* And the same for string `s2'. */ -- if (seq2len == 0) -- do -- { -- ++val2; -- -- if (backw2_stop != ~0ul) -- { -- /* The is something pushed. */ -- if (backw2 == backw2_stop) -- { -- /* The last pushed character was handled. Continue -- with forward characters. */ -- if (idx2cnt < idx2max) -- { -- idx2now = idx2cnt; -- backw2_stop = ~0ul; -- } -- else -- /* Nothing anymore. The backward sequence ended with -- the last sequence in the string. Note that seq2len -- is still zero. */ -- break; -- } -- else -- idx2now = --backw2; -- } -- else -- { -- backw2_stop = idx2max; -- -- while (*us2 != L('\0')) -- { -- int32_t tmp = findidx (&us2, -1); -- rule2arr[idx2max] = tmp >> 24; -- idx2arr[idx2max] = tmp & 0xffffff; -- idx2cnt = idx2max++; -- -- if ((rulesets[rule2arr[idx2cnt] * nrules] -- & sort_backward) == 0) -- /* No more backward characters to push. */ -- break; -- ++idx2cnt; -- } -- -- if (backw2_stop >= idx2cnt) -- { -- /* No sequence at all or just one. */ -- if (idx2cnt == idx2max || backw2_stop > idx2cnt) -- /* Note that seq1len is still zero. */ -- break; -- -- backw2_stop = ~0ul; -- idx2now = idx2cnt; -- } -- else -- /* We pushed backward sequences. */ -- idx2now = backw2 = idx2cnt - 1; -- } -- } -- while ((seq2len = weights[idx2arr[idx2now]++]) == 0); -- -- /* See whether any or both strings are empty. */ -- if (seq1len == 0 || seq2len == 0) -- { -- if (seq1len == seq2len) -- /* Both ended. So far so good, both strings are equal at the -- first level. */ -- break; -- -- /* This means one string is shorter than the other. Find out -- which one and return an appropriate value. */ -- result = seq1len == 0 ? -1 : 1; -- goto free_and_return; -- } -- -- /* Test for position if necessary. */ -- if (position && val1 != val2) -- { -- result = val1 - val2; -- goto free_and_return; -- } -- -- /* Compare the two sequences. */ -- do -- { -- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]]) -- { -- /* The sequences differ. */ -- result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]]; -- goto free_and_return; -- } -- -- /* Increment the offsets. */ -- ++idx1arr[idx1now]; -- ++idx2arr[idx2now]; -+ seq1.rulearr[0] = 0; - -- --seq1len; -- --seq2len; -- } -- while (seq1len > 0 && seq2len > 0); -- -- if (position && seq1len != seq2len) -- { -- result = seq1len - seq2len; -- goto free_and_return; -- } -- } -- -- /* Now the remaining passes over the weights. We now use the -- indeces we found before. */ -- for (pass = 1; pass < nrules; ++pass) -+ /* Cache values in the first pass and if needed, use them in subsequent -+ passes. */ -+ for (int pass = 0; pass < nrules; ++pass) - { -+ seq1.idxcnt = 0; -+ seq1.backw_stop = ~0ul; -+ seq1.backw = ~0ul; -+ seq2.idxcnt = 0; -+ seq2.backw_stop = ~0ul; -+ seq2.backw = ~0ul; -+ - /* We assume that if a rule has defined `position' in one section - this is true for all of them. */ -- idx1cnt = 0; -- idx2cnt = 0; -- backw1_stop = ~0ul; -- backw2_stop = ~0ul; -- backw1 = ~0ul; -- backw2 = ~0ul; -- position = rulesets[rule1arr[0] * nrules + pass] & sort_position; -+ int position = rulesets[seq1.rulearr[0] * nrules + pass] & sort_position; - - while (1) - { -- val1 = 0; -- val2 = 0; -- -- /* Get the next non-IGNOREd element for string `s1'. */ -- if (seq1len == 0) -- do -- { -- ++val1; -- -- if (backw1_stop != ~0ul) -- { -- /* The is something pushed. */ -- if (backw1 == backw1_stop) -- { -- /* The last pushed character was handled. Continue -- with forward characters. */ -- if (idx1cnt < idx1max) -- { -- idx1now = idx1cnt; -- backw1_stop = ~0ul; -- } -- else -- { -- /* Nothing anymore. The backward sequence -- ended with the last sequence in the string. */ -- idx1now = ~0ul; -- break; -- } -- } -- else -- idx1now = --backw1; -- } -- else -- { -- backw1_stop = idx1cnt; -- -- while (idx1cnt < idx1max) -- { -- if ((rulesets[rule1arr[idx1cnt] * nrules + pass] -- & sort_backward) == 0) -- /* No more backward characters to push. */ -- break; -- ++idx1cnt; -- } -- -- if (backw1_stop == idx1cnt) -- { -- /* No sequence at all or just one. */ -- if (idx1cnt == idx1max) -- /* Note that seq1len is still zero. */ -- break; -- -- backw1_stop = ~0ul; -- idx1now = idx1cnt++; -- } -- else -- /* We pushed backward sequences. */ -- idx1now = backw1 = idx1cnt - 1; -- } -- } -- while ((seq1len = weights[idx1arr[idx1now]++]) == 0); -- -- /* And the same for string `s2'. */ -- if (seq2len == 0) -- do -- { -- ++val2; -- -- if (backw2_stop != ~0ul) -- { -- /* The is something pushed. */ -- if (backw2 == backw2_stop) -- { -- /* The last pushed character was handled. Continue -- with forward characters. */ -- if (idx2cnt < idx2max) -- { -- idx2now = idx2cnt; -- backw2_stop = ~0ul; -- } -- else -- { -- /* Nothing anymore. The backward sequence -- ended with the last sequence in the string. */ -- idx2now = ~0ul; -- break; -- } -- } -- else -- idx2now = --backw2; -- } -- else -- { -- backw2_stop = idx2cnt; -- -- while (idx2cnt < idx2max) -- { -- if ((rulesets[rule2arr[idx2cnt] * nrules + pass] -- & sort_backward) == 0) -- /* No more backward characters to push. */ -- break; -- ++idx2cnt; -- } -- -- if (backw2_stop == idx2cnt) -- { -- /* No sequence at all or just one. */ -- if (idx2cnt == idx2max) -- /* Note that seq2len is still zero. */ -- break; -- -- backw2_stop = ~0ul; -- idx2now = idx2cnt++; -- } -- else -- /* We pushed backward sequences. */ -- idx2now = backw2 = idx2cnt - 1; -- } -- } -- while ((seq2len = weights[idx2arr[idx2now]++]) == 0); -+ if (pass == 0) -+ { -+ get_next_seq (&seq1, nrules, rulesets, weights, table, extra, -+ indirect); -+ get_next_seq (&seq2, nrules, rulesets, weights, table, extra, -+ indirect); -+ } -+ else -+ { -+ get_next_seq_cached (&seq1, nrules, pass, rulesets, weights); -+ get_next_seq_cached (&seq2, nrules, pass, rulesets, weights); -+ } - - /* See whether any or both strings are empty. */ -- if (seq1len == 0 || seq2len == 0) -+ if (seq1.len == 0 || seq2.len == 0) - { -- if (seq1len == seq2len) -+ if (seq1.len == seq2.len) - /* Both ended. So far so good, both strings are equal - at this level. */ - break; - - /* This means one string is shorter than the other. Find out - which one and return an appropriate value. */ -- result = seq1len == 0 ? -1 : 1; -+ result = seq1.len == 0 ? -1 : 1; - goto free_and_return; - } - -- /* Test for position if necessary. */ -- if (position && val1 != val2) -- { -- result = val1 - val2; -- goto free_and_return; -- } -- -- /* Compare the two sequences. */ -- do -- { -- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]]) -- { -- /* The sequences differ. */ -- result = (weights[idx1arr[idx1now]] -- - weights[idx2arr[idx2now]]); -- goto free_and_return; -- } -- -- /* Increment the offsets. */ -- ++idx1arr[idx1now]; -- ++idx2arr[idx2now]; -- -- --seq1len; -- --seq2len; -- } -- while (seq1len > 0 && seq2len > 0); -- -- if (position && seq1len != seq2len) -- { -- result = seq1len - seq2len; -- goto free_and_return; -- } -+ result = do_compare (&seq1, &seq2, position, weights); -+ if (result != 0) -+ goto free_and_return; - } - } - - /* Free the memory if needed. */ - free_and_return: - if (use_malloc) -- free (idx1arr); -+ free (seq1.idxarr); - - return result; - } diff --git a/patches/glibc-2.18/0006-Fall-back-to-non-cached-sequence-traversal-and-compa.patch b/patches/glibc-2.18/0006-Fall-back-to-non-cached-sequence-traversal-and-compa.patch deleted file mode 100644 index b7f1c22..0000000 --- a/patches/glibc-2.18/0006-Fall-back-to-non-cached-sequence-traversal-and-compa.patch +++ /dev/null @@ -1,384 +0,0 @@ -From: Siddhesh Poyarekar <siddhesh@redhat.com> -Date: Mon, 23 Sep 2013 11:20:02 +0530 -Subject: [PATCH] Fall back to non-cached sequence traversal and comparison on - malloc fail - -strcoll currently falls back to alloca if malloc fails, resulting in a -possible stack overflow. This patch implements sequence traversal and -comparison without caching indices and rules. - -Fixes CVE-2012-4424. ---- - string/strcoll_l.c | 265 ++++++++++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 234 insertions(+), 31 deletions(-) - -diff --git a/string/strcoll_l.c b/string/strcoll_l.c -index 50ed84d..eb042ff 100644 ---- a/string/strcoll_l.c -+++ b/string/strcoll_l.c -@@ -45,7 +45,7 @@ - typedef struct - { - int len; /* Length of the current sequence. */ -- int val; /* Position of the sequence relative to the -+ size_t val; /* Position of the sequence relative to the - previous non-ignored sequence. */ - size_t idxnow; /* Current index in sequences. */ - size_t idxmax; /* Maximum index in sequences. */ -@@ -55,6 +55,12 @@ typedef struct - const USTRING_TYPE *us; /* The string. */ - int32_t *idxarr; /* Array to cache weight indices. */ - unsigned char *rulearr; /* Array to cache rules. */ -+ unsigned char rule; /* Saved rule for the first sequence. */ -+ int32_t idx; /* Index to weight of the current sequence. */ -+ int32_t save_idx; /* Save looked up index of a forward -+ sequence after the last backward -+ sequence. */ -+ const USTRING_TYPE *back_us; /* Beginning of the backward sequence. */ - } coll_seq; - - /* Get next sequence. The weight indices are cached, so we don't need to -@@ -64,7 +70,7 @@ get_next_seq_cached (coll_seq *seq, int nrules, int pass, - const unsigned char *rulesets, - const USTRING_TYPE *weights) - { -- int val = seq->val = 0; -+ size_t val = seq->val = 0; - int len = seq->len; - size_t backw_stop = seq->backw_stop; - size_t backw = seq->backw; -@@ -146,7 +152,7 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, - const USTRING_TYPE *extra, const int32_t *indirect) - { - #include WEIGHT_H -- int val = seq->val = 0; -+ size_t val = seq->val = 0; - int len = seq->len; - size_t backw_stop = seq->backw_stop; - size_t backw = seq->backw; -@@ -162,7 +168,7 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, - ++val; - if (backw_stop != ~0ul) - { -- /* The is something pushed. */ -+ /* There is something pushed. */ - if (backw == backw_stop) - { - /* The last pushed character was handled. Continue -@@ -227,15 +233,199 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, - seq->us = us; - } - --/* Compare two sequences. */ -+/* Get next sequence. Traverse the string as required. This function does not -+ set or use any index or rule cache. */ -+static void -+get_next_seq_nocache (coll_seq *seq, int nrules, const unsigned char *rulesets, -+ const USTRING_TYPE *weights, const int32_t *table, -+ const USTRING_TYPE *extra, const int32_t *indirect, -+ int pass) -+{ -+#include WEIGHT_H -+ size_t val = seq->val = 0; -+ int len = seq->len; -+ size_t backw_stop = seq->backw_stop; -+ size_t backw = seq->backw; -+ size_t idxcnt = seq->idxcnt; -+ size_t idxmax = seq->idxmax; -+ int32_t idx = seq->idx; -+ const USTRING_TYPE *us = seq->us; -+ -+ while (len == 0) -+ { -+ ++val; -+ if (backw_stop != ~0ul) -+ { -+ /* There is something pushed. */ -+ if (backw == backw_stop) -+ { -+ /* The last pushed character was handled. Continue -+ with forward characters. */ -+ if (idxcnt < idxmax) -+ { -+ idx = seq->save_idx; -+ backw_stop = ~0ul; -+ } -+ else -+ { -+ /* Nothing anymore. The backward sequence ended with -+ the last sequence in the string. Note that len is -+ still zero. */ -+ idx = 0; -+ break; -+ } -+ } -+ else -+ { -+ /* XXX Traverse BACKW sequences from the beginning of -+ BACKW_STOP to get the next sequence. Is ther a quicker way -+ to do this? */ -+ size_t i = backw_stop; -+ us = seq->back_us; -+ while (i < backw) -+ { -+ int32_t tmp = findidx (&us, -1); -+ idx = tmp & 0xffffff; -+ i++; -+ } -+ --backw; -+ us = seq->us; -+ } -+ } -+ else -+ { -+ backw_stop = idxmax; -+ int32_t prev_idx = idx; -+ -+ while (*us != L('\0')) -+ { -+ int32_t tmp = findidx (&us, -1); -+ unsigned char rule = tmp >> 24; -+ prev_idx = idx; -+ idx = tmp & 0xffffff; -+ idxcnt = idxmax++; -+ -+ /* Save the rule for the first sequence. */ -+ if (__glibc_unlikely (idxcnt == 0)) -+ seq->rule = rule; -+ -+ if ((rulesets[rule * nrules + pass] -+ & sort_backward) == 0) -+ /* No more backward characters to push. */ -+ break; -+ ++idxcnt; -+ } -+ -+ if (backw_stop >= idxcnt) -+ { -+ /* No sequence at all or just one. */ -+ if (idxcnt == idxmax || backw_stop > idxcnt) -+ /* Note that len is still zero. */ -+ break; -+ -+ backw_stop = ~0ul; -+ } -+ else -+ { -+ /* We pushed backward sequences. If the stream ended with the -+ backward sequence, then we process the last sequence we -+ found. Otherwise we process the sequence before the last -+ one since the last one was a forward sequence. */ -+ seq->back_us = seq->us; -+ seq->us = us; -+ backw = idxcnt; -+ if (idxmax > idxcnt) -+ { -+ backw--; -+ seq->save_idx = idx; -+ idx = prev_idx; -+ } -+ if (backw > backw_stop) -+ backw--; -+ } -+ } -+ -+ len = weights[idx++]; -+ /* Skip over indices of previous levels. */ -+ for (int i = 0; i < pass; i++) -+ { -+ idx += len; -+ len = weights[idx]; -+ idx++; -+ } -+ } -+ -+ /* Update the structure. */ -+ seq->val = val; -+ seq->len = len; -+ seq->backw_stop = backw_stop; -+ seq->backw = backw; -+ seq->idxcnt = idxcnt; -+ seq->idxmax = idxmax; -+ seq->us = us; -+ seq->idx = idx; -+} -+ -+/* Compare two sequences. This version does not use the index and rules -+ cache. */ -+static int -+do_compare_nocache (coll_seq *seq1, coll_seq *seq2, int position, -+ const USTRING_TYPE *weights) -+{ -+ int seq1len = seq1->len; -+ int seq2len = seq2->len; -+ size_t val1 = seq1->val; -+ size_t val2 = seq2->val; -+ int idx1 = seq1->idx; -+ int idx2 = seq2->idx; -+ int result = 0; -+ -+ /* Test for position if necessary. */ -+ if (position && val1 != val2) -+ { -+ result = val1 > val2 ? 1 : -1; -+ goto out; -+ } -+ -+ /* Compare the two sequences. */ -+ do -+ { -+ if (weights[idx1] != weights[idx2]) -+ { -+ /* The sequences differ. */ -+ result = weights[idx1] - weights[idx2]; -+ goto out; -+ } -+ -+ /* Increment the offsets. */ -+ ++idx1; -+ ++idx2; -+ -+ --seq1len; -+ --seq2len; -+ } -+ while (seq1len > 0 && seq2len > 0); -+ -+ if (position && seq1len != seq2len) -+ result = seq1len - seq2len; -+ -+out: -+ seq1->len = seq1len; -+ seq2->len = seq2len; -+ seq1->idx = idx1; -+ seq2->idx = idx2; -+ return result; -+} -+ -+/* Compare two sequences using the index cache. */ - static int - do_compare (coll_seq *seq1, coll_seq *seq2, int position, - const USTRING_TYPE *weights) - { - int seq1len = seq1->len; - int seq2len = seq2->len; -- int val1 = seq1->val; -- int val2 = seq2->val; -+ size_t val1 = seq1->val; -+ size_t val2 = seq2->val; - int32_t *idx1arr = seq1->idxarr; - int32_t *idx2arr = seq2->idxarr; - int idx1now = seq1->idxnow; -@@ -245,7 +435,7 @@ do_compare (coll_seq *seq1, coll_seq *seq2, int position, - /* Test for position if necessary. */ - if (position && val1 != val2) - { -- result = val1 - val2; -+ result = val1 > val2 ? 1 : -1; - goto out; - } - -@@ -334,57 +524,62 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) - memset (&seq1, 0, sizeof (seq1)); - seq2 = seq1; - -- /* We need the elements of the strings as unsigned values since they -- are used as indices. */ -- seq1.us = (const USTRING_TYPE *) s1; -- seq2.us = (const USTRING_TYPE *) s2; -- - if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) - { - seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); -- seq2.idxarr = &seq1.idxarr[s1len]; -- seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len]; -- seq2.rulearr = &seq1.rulearr[s1len]; -- -- if (seq1.idxarr == NULL) -- /* No memory. Well, go with the stack then. -- -- XXX Once this implementation is stable we will handle this -- differently. Instead of precomputing the indices we will -- do this in time. This means, though, that this happens for -- every pass again. */ -- goto try_stack; -- use_malloc = true; -+ -+ /* If we failed to allocate memory, we leave everything as NULL so that -+ we use the nocache version of traversal and comparison functions. */ -+ if (seq1.idxarr != NULL) -+ { -+ seq2.idxarr = &seq1.idxarr[s1len]; -+ seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len]; -+ seq2.rulearr = &seq1.rulearr[s1len]; -+ use_malloc = true; -+ } - } - else - { -- try_stack: - seq1.idxarr = (int32_t *) alloca (s1len * sizeof (int32_t)); - seq2.idxarr = (int32_t *) alloca (s2len * sizeof (int32_t)); - seq1.rulearr = (unsigned char *) alloca (s1len); - seq2.rulearr = (unsigned char *) alloca (s2len); - } - -- seq1.rulearr[0] = 0; -+ int rule = 0; - - /* Cache values in the first pass and if needed, use them in subsequent - passes. */ - for (int pass = 0; pass < nrules; ++pass) - { - seq1.idxcnt = 0; -+ seq1.idx = 0; -+ seq2.idx = 0; - seq1.backw_stop = ~0ul; - seq1.backw = ~0ul; - seq2.idxcnt = 0; - seq2.backw_stop = ~0ul; - seq2.backw = ~0ul; - -+ /* We need the elements of the strings as unsigned values since they -+ are used as indices. */ -+ seq1.us = (const USTRING_TYPE *) s1; -+ seq2.us = (const USTRING_TYPE *) s2; -+ - /* We assume that if a rule has defined `position' in one section - this is true for all of them. */ -- int position = rulesets[seq1.rulearr[0] * nrules + pass] & sort_position; -+ int position = rulesets[rule * nrules + pass] & sort_position; - - while (1) - { -- if (pass == 0) -+ if (__glibc_unlikely (seq1.idxarr == NULL)) -+ { -+ get_next_seq_nocache (&seq1, nrules, rulesets, weights, table, -+ extra, indirect, pass); -+ get_next_seq_nocache (&seq2, nrules, rulesets, weights, table, -+ extra, indirect, pass); -+ } -+ else if (pass == 0) - { - get_next_seq (&seq1, nrules, rulesets, weights, table, extra, - indirect); -@@ -411,10 +606,18 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) - goto free_and_return; - } - -- result = do_compare (&seq1, &seq2, position, weights); -+ if (__glibc_unlikely (seq1.idxarr == NULL)) -+ result = do_compare_nocache (&seq1, &seq2, position, weights); -+ else -+ result = do_compare (&seq1, &seq2, position, weights); - if (result != 0) - goto free_and_return; - } -+ -+ if (__glibc_likely (seq1.rulearr != NULL)) -+ rule = seq1.rulearr[0]; -+ else -+ rule = seq1.rule; - } - - /* Free the memory if needed. */ diff --git a/patches/glibc-2.18/0007-Check-for-integer-overflow-in-cache-size-computation.patch b/patches/glibc-2.18/0007-Check-for-integer-overflow-in-cache-size-computation.patch deleted file mode 100644 index 549e3e2..0000000 --- a/patches/glibc-2.18/0007-Check-for-integer-overflow-in-cache-size-computation.patch +++ /dev/null @@ -1,121 +0,0 @@ -From: Siddhesh Poyarekar <siddhesh@redhat.com> -Date: Mon, 23 Sep 2013 11:24:30 +0530 -Subject: [PATCH] Check for integer overflow in cache size computation in - strcoll - -strcoll is implemented using a cache for indices and weights of -collation sequences in the strings so that subsequent passes do not -have to search through collation data again. For very large string -inputs, the cache size computation could overflow. In such a case, -use the fallback function that does not cache indices and weights of -collation sequences. - -Fixes CVE-2012-4412. ---- - string/Makefile | 2 ++ - string/strcoll_l.c | 10 ++++++- - string/tst-strcoll-overflow.c | 61 +++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 72 insertions(+), 1 deletion(-) - create mode 100644 string/tst-strcoll-overflow.c - -diff --git a/string/Makefile b/string/Makefile -index 0237edd..59c658f 100644 ---- a/string/Makefile -+++ b/string/Makefile -@@ -57,6 +57,8 @@ tests := tester inl-tester noinl-tester testcopy test-ffs \ - tests-ifunc := $(strop-tests:%=test-%-ifunc) - tests += $(tests-ifunc) - -+xtests = tst-strcoll-overflow -+ - include ../Rules - - tester-ENV = LANGUAGE=C -diff --git a/string/strcoll_l.c b/string/strcoll_l.c -index eb042ff..4ee101a 100644 ---- a/string/strcoll_l.c -+++ b/string/strcoll_l.c -@@ -524,7 +524,15 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) - memset (&seq1, 0, sizeof (seq1)); - seq2 = seq1; - -- if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) -+ size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1); -+ -+ if (MIN (s1len, s2len) > size_max -+ || MAX (s1len, s2len) > size_max - MIN (s1len, s2len)) -+ { -+ /* If the strings are long enough to cause overflow in the size request, -+ then skip the allocation and proceed with the non-cached routines. */ -+ } -+ else if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) - { - seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); - -diff --git a/string/tst-strcoll-overflow.c b/string/tst-strcoll-overflow.c -new file mode 100644 -index 0000000..bb665ac ---- /dev/null -+++ b/string/tst-strcoll-overflow.c -@@ -0,0 +1,61 @@ -+/* Copyright (C) 2013 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ <http://www.gnu.org/licenses/>. */ -+ -+#include <locale.h> -+#include <stdio.h> -+#include <stdint.h> -+#include <stdlib.h> -+#include <string.h> -+ -+/* Verify that strcoll does not crash for large strings for which it cannot -+ cache weight lookup results. The size is large enough to cause integer -+ overflows on 32-bit as well as buffer overflows on 64-bit. The test should -+ work reasonably reliably when overcommit is disabled, but it obviously -+ depends on how much memory the system has. There's a limitation to this -+ test in that it does not run to completion. Actually collating such a -+ large string can take days and we can't have xcheck running that long. For -+ that reason, we run the test for about 5 minutes and then assume that -+ everything is fine if there are no crashes. */ -+#define SIZE 0x40000000ul -+ -+int -+do_test (void) -+{ -+ if (setlocale (LC_COLLATE, "en_GB.UTF-8") == NULL) -+ { -+ puts ("setlocale failed, cannot test for overflow"); -+ return 0; -+ } -+ -+ char *p = malloc (SIZE); -+ -+ if (p == NULL) -+ { -+ puts ("could not allocate memory"); -+ return 1; -+ } -+ -+ memset (p, 'x', SIZE - 1); -+ p[SIZE - 1] = 0; -+ printf ("%d\n", strcoll (p, p)); -+ return 0; -+} -+ -+#define TIMEOUT 300 -+#define EXPECTED_SIGNAL SIGALRM -+#define TEST_FUNCTION do_test () -+#include "../test-skeleton.c" diff --git a/patches/glibc-2.18/0008-BZ-15754-CVE-2013-4788.patch b/patches/glibc-2.18/0008-BZ-15754-CVE-2013-4788.patch deleted file mode 100644 index d027f7e..0000000 --- a/patches/glibc-2.18/0008-BZ-15754-CVE-2013-4788.patch +++ /dev/null @@ -1,199 +0,0 @@ -From: Carlos O'Donell <carlos@redhat.com> -Date: Mon, 23 Sep 2013 00:52:09 -0400 -Subject: [PATCH] BZ #15754: CVE-2013-4788 - -The pointer guard used for pointer mangling was not initialized for -static applications resulting in the security feature being disabled. -The pointer guard is now correctly initialized to a random value for -static applications. Existing static applications need to be -recompiled to take advantage of the fix. - -The test tst-ptrguard1-static and tst-ptrguard1 add regression -coverage to ensure the pointer guards are sufficiently random -and initialized to a default value. ---- - ports/sysdeps/ia64/stackguard-macros.h | 3 +++ - ports/sysdeps/tile/stackguard-macros.h | 6 ++++++ - sysdeps/generic/stackguard-macros.h | 3 +++ - sysdeps/i386/stackguard-macros.h | 8 ++++++++ - sysdeps/powerpc/powerpc32/stackguard-macros.h | 10 ++++++++++ - sysdeps/powerpc/powerpc64/stackguard-macros.h | 10 ++++++++++ - sysdeps/s390/s390-32/stackguard-macros.h | 11 +++++++++++ - sysdeps/s390/s390-64/stackguard-macros.h | 14 ++++++++++++++ - sysdeps/sparc/sparc32/stackguard-macros.h | 3 +++ - sysdeps/sparc/sparc64/stackguard-macros.h | 3 +++ - sysdeps/x86_64/stackguard-macros.h | 5 +++++ - 11 files changed, 76 insertions(+) - -diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h -index dc683c2..3907293 100644 ---- a/ports/sysdeps/ia64/stackguard-macros.h -+++ b/ports/sysdeps/ia64/stackguard-macros.h -@@ -2,3 +2,6 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; }) -diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h -index 589ea2b..f2e041b 100644 ---- a/ports/sysdeps/tile/stackguard-macros.h -+++ b/ports/sysdeps/tile/stackguard-macros.h -@@ -4,11 +4,17 @@ - # if __WORDSIZE == 64 - # define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; }) -+# define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; }) - # else - # define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; }) -+# define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; }) - # endif - #else - # define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; }) -+# define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; }) - #endif -diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h -index ababf65..4fa3d96 100644 ---- a/sysdeps/generic/stackguard-macros.h -+++ b/sysdeps/generic/stackguard-macros.h -@@ -2,3 +2,6 @@ - - extern uintptr_t __stack_chk_guard; - #define STACK_CHK_GUARD __stack_chk_guard -+ -+extern uintptr_t __pointer_chk_guard_local; -+#define POINTER_CHK_GUARD __pointer_chk_guard_local -diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h -index 8c31e19..0397629 100644 ---- a/sysdeps/i386/stackguard-macros.h -+++ b/sysdeps/i386/stackguard-macros.h -@@ -2,3 +2,11 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("movl %%gs:%c1, %0" : "=r" (x) \ -+ : "i" (offsetof (tcbhead_t, pointer_guard))); \ -+ x; \ -+ }) -diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h -index 839f6a4..b3d0af8 100644 ---- a/sysdeps/powerpc/powerpc32/stackguard-macros.h -+++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h -@@ -2,3 +2,13 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("lwz %0,%1(2)" \ -+ : "=r" (x) \ -+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \ -+ ); \ -+ x; \ -+ }) -diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h -index 9da879c..4620f96 100644 ---- a/sysdeps/powerpc/powerpc64/stackguard-macros.h -+++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h -@@ -2,3 +2,13 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("ld %0,%1(2)" \ -+ : "=r" (x) \ -+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \ -+ ); \ -+ x; \ -+ }) -diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h -index b74c579..449e8d4 100644 ---- a/sysdeps/s390/s390-32/stackguard-macros.h -+++ b/sysdeps/s390/s390-32/stackguard-macros.h -@@ -2,3 +2,14 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; }) -+ -+/* On s390/s390x there is no unique pointer guard, instead we use the -+ same value as the stack guard. */ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("ear %0,%%a0; l %0,%1(%0)" \ -+ : "=a" (x) \ -+ : "i" (offsetof (tcbhead_t, stack_guard))); \ -+ x; \ -+ }) -diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h -index 0cebb5f..c8270fb 100644 ---- a/sysdeps/s390/s390-64/stackguard-macros.h -+++ b/sysdeps/s390/s390-64/stackguard-macros.h -@@ -2,3 +2,17 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; }) -+ -+/* On s390/s390x there is no unique pointer guard, instead we use the -+ same value as the stack guard. */ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("ear %0,%%a0;" \ -+ "sllg %0,%0,32;" \ -+ "ear %0,%%a1;" \ -+ "lg %0,%1(%0)" \ -+ : "=a" (x) \ -+ : "i" (offsetof (tcbhead_t, stack_guard))); \ -+ x; \ -+ }) -diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h -index c0b02b0..1eef0f1 100644 ---- a/sysdeps/sparc/sparc32/stackguard-macros.h -+++ b/sysdeps/sparc/sparc32/stackguard-macros.h -@@ -2,3 +2,6 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; }) -diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h -index 80f0635..cc0c12c 100644 ---- a/sysdeps/sparc/sparc64/stackguard-macros.h -+++ b/sysdeps/sparc/sparc64/stackguard-macros.h -@@ -2,3 +2,6 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; }) -diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h -index d7fedb3..1948800 100644 ---- a/sysdeps/x86_64/stackguard-macros.h -+++ b/sysdeps/x86_64/stackguard-macros.h -@@ -4,3 +4,8 @@ - ({ uintptr_t x; \ - asm ("mov %%fs:%c1, %0" : "=r" (x) \ - : "i" (offsetof (tcbhead_t, stack_guard))); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; \ -+ asm ("mov %%fs:%c1, %0" : "=r" (x) \ -+ : "i" (offsetof (tcbhead_t, pointer_guard))); x; }) diff --git a/patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch b/patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch deleted file mode 100644 index 526775b..0000000 --- a/patches/glibc-2.18/0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch +++ /dev/null @@ -1,171 +0,0 @@ -From: Florian Weimer <fweimer@redhat.com> -Date: Fri, 16 Aug 2013 09:38:52 +0200 -Subject: [PATCH] CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r - - * sysdeps/posix/dirstream.h (struct __dirstream): Add errcode - member. - * sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode - member. - * sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member. - * sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit. - Return delayed error code. Remove GETDENTS_64BIT_ALIGNED - conditional. - * sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define - GETDENTS_64BIT_ALIGNED. - * sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise. - * manual/filesys.texi (Reading/Closing Directory): Document - ENAMETOOLONG return value of readdir_r. Recommend readdir more - strongly. - * manual/conf.texi (Limits for Files): Add portability note to - NAME_MAX, PATH_MAX. - (Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX. ---- - sysdeps/posix/dirstream.h | 2 ++ - sysdeps/posix/opendir.c | 1 + - sysdeps/posix/readdir_r.c | 42 ++++++++++++++++++------- - sysdeps/posix/rewinddir.c | 1 + - sysdeps/unix/sysv/linux/i386/readdir64_r.c | 1 - - sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c | 1 - - 6 files changed, 34 insertions(+), 14 deletions(-) - -diff --git a/sysdeps/posix/dirstream.h b/sysdeps/posix/dirstream.h -index a7a074d..8e8570d 100644 ---- a/sysdeps/posix/dirstream.h -+++ b/sysdeps/posix/dirstream.h -@@ -39,6 +39,8 @@ struct __dirstream - - off_t filepos; /* Position of next entry to read. */ - -+ int errcode; /* Delayed error code. */ -+ - /* Directory block. */ - char data[0] __attribute__ ((aligned (__alignof__ (void*)))); - }; -diff --git a/sysdeps/posix/opendir.c b/sysdeps/posix/opendir.c -index ddfc3a7..fc05b0f 100644 ---- a/sysdeps/posix/opendir.c -+++ b/sysdeps/posix/opendir.c -@@ -231,6 +231,7 @@ __alloc_dir (int fd, bool close_fd, int flags, const struct stat64 *statp) - dirp->size = 0; - dirp->offset = 0; - dirp->filepos = 0; -+ dirp->errcode = 0; - - return dirp; - } -diff --git a/sysdeps/posix/readdir_r.c b/sysdeps/posix/readdir_r.c -index b5a8e2e..8ed5c3f 100644 ---- a/sysdeps/posix/readdir_r.c -+++ b/sysdeps/posix/readdir_r.c -@@ -40,6 +40,7 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result) - DIRENT_TYPE *dp; - size_t reclen; - const int saved_errno = errno; -+ int ret; - - __libc_lock_lock (dirp->lock); - -@@ -70,10 +71,10 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result) - bytes = 0; - __set_errno (saved_errno); - } -+ if (bytes < 0) -+ dirp->errcode = errno; - - dp = NULL; -- /* Reclen != 0 signals that an error occurred. */ -- reclen = bytes != 0; - break; - } - dirp->size = (size_t) bytes; -@@ -106,29 +107,46 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result) - dirp->filepos += reclen; - #endif - -- /* Skip deleted files. */ -+#ifdef NAME_MAX -+ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1) -+ { -+ /* The record is very long. It could still fit into the -+ caller-supplied buffer if we can skip padding at the -+ end. */ -+ size_t namelen = _D_EXACT_NAMLEN (dp); -+ if (namelen <= NAME_MAX) -+ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1; -+ else -+ { -+ /* The name is too long. Ignore this file. */ -+ dirp->errcode = ENAMETOOLONG; -+ dp->d_ino = 0; -+ continue; -+ } -+ } -+#endif -+ -+ /* Skip deleted and ignored files. */ - } - while (dp->d_ino == 0); - - if (dp != NULL) - { --#ifdef GETDENTS_64BIT_ALIGNED -- /* The d_reclen value might include padding which is not part of -- the DIRENT_TYPE data structure. */ -- reclen = MIN (reclen, -- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name)); --#endif - *result = memcpy (entry, dp, reclen); --#ifdef GETDENTS_64BIT_ALIGNED -+#ifdef _DIRENT_HAVE_D_RECLEN - entry->d_reclen = reclen; - #endif -+ ret = 0; - } - else -- *result = NULL; -+ { -+ *result = NULL; -+ ret = dirp->errcode; -+ } - - __libc_lock_unlock (dirp->lock); - -- return dp != NULL ? 0 : reclen ? errno : 0; -+ return ret; - } - - #ifdef __READDIR_R_ALIAS -diff --git a/sysdeps/posix/rewinddir.c b/sysdeps/posix/rewinddir.c -index 2935a8e..d4991ad 100644 ---- a/sysdeps/posix/rewinddir.c -+++ b/sysdeps/posix/rewinddir.c -@@ -33,6 +33,7 @@ rewinddir (dirp) - dirp->filepos = 0; - dirp->offset = 0; - dirp->size = 0; -+ dirp->errcode = 0; - #ifndef NOT_IN_libc - __libc_lock_unlock (dirp->lock); - #endif -diff --git a/sysdeps/unix/sysv/linux/i386/readdir64_r.c b/sysdeps/unix/sysv/linux/i386/readdir64_r.c -index 8ebbcfd..a7d114e 100644 ---- a/sysdeps/unix/sysv/linux/i386/readdir64_r.c -+++ b/sysdeps/unix/sysv/linux/i386/readdir64_r.c -@@ -18,7 +18,6 @@ - #define __READDIR_R __readdir64_r - #define __GETDENTS __getdents64 - #define DIRENT_TYPE struct dirent64 --#define GETDENTS_64BIT_ALIGNED 1 - - #include <sysdeps/posix/readdir_r.c> - -diff --git a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c -index 5ed8e95..290f2c8 100644 ---- a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c -+++ b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c -@@ -1,5 +1,4 @@ - #define readdir64_r __no_readdir64_r_decl --#define GETDENTS_64BIT_ALIGNED 1 - #include <sysdeps/posix/readdir_r.c> - #undef readdir64_r - weak_alias (__readdir_r, readdir64_r) diff --git a/patches/glibc-2.18/0010-malloc-Check-for-integer-overflow-in-pvalloc.patch b/patches/glibc-2.18/0010-malloc-Check-for-integer-overflow-in-pvalloc.patch deleted file mode 100644 index 9331ceb..0000000 --- a/patches/glibc-2.18/0010-malloc-Check-for-integer-overflow-in-pvalloc.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Will Newton <will.newton@linaro.org> -Date: Mon, 12 Aug 2013 15:08:02 +0100 -Subject: [PATCH] malloc: Check for integer overflow in pvalloc. - -A large bytes parameter to pvalloc could cause an integer overflow -and corrupt allocator internals. Check the overflow does not occur -before continuing with the allocation. - -ChangeLog: - -2013-09-11 Will Newton <will.newton@linaro.org> - - [BZ #15855] - * malloc/malloc.c (__libc_pvalloc): Check the value of bytes - does not overflow. ---- - malloc/malloc.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/malloc/malloc.c b/malloc/malloc.c -index be472b2..bcc08c4 100644 ---- a/malloc/malloc.c -+++ b/malloc/malloc.c -@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes) - size_t page_mask = GLRO(dl_pagesize) - 1; - size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); - -+ /* Check for overflow. */ -+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) -+ { -+ __set_errno (ENOMEM); -+ return 0; -+ } -+ - void *(*hook) (size_t, size_t, const void *) = - force_reg (__memalign_hook); - if (__builtin_expect (hook != NULL, 0)) diff --git a/patches/glibc-2.18/0011-malloc-Check-for-integer-overflow-in-valloc.patch b/patches/glibc-2.18/0011-malloc-Check-for-integer-overflow-in-valloc.patch deleted file mode 100644 index 1a29ffb..0000000 --- a/patches/glibc-2.18/0011-malloc-Check-for-integer-overflow-in-valloc.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Will Newton <will.newton@linaro.org> -Date: Fri, 16 Aug 2013 11:59:37 +0100 -Subject: [PATCH] malloc: Check for integer overflow in valloc. - -A large bytes parameter to valloc could cause an integer overflow -and corrupt allocator internals. Check the overflow does not occur -before continuing with the allocation. - -ChangeLog: - -2013-09-11 Will Newton <will.newton@linaro.org> - - [BZ #15856] - * malloc/malloc.c (__libc_valloc): Check the value of bytes - does not overflow. ---- - malloc/malloc.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/malloc/malloc.c b/malloc/malloc.c -index bcc08c4..31e2dfa 100644 ---- a/malloc/malloc.c -+++ b/malloc/malloc.c -@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes) - - size_t pagesz = GLRO(dl_pagesize); - -+ /* Check for overflow. */ -+ if (bytes > SIZE_MAX - pagesz - MINSIZE) -+ { -+ __set_errno (ENOMEM); -+ return 0; -+ } -+ - void *(*hook) (size_t, size_t, const void *) = - force_reg (__memalign_hook); - if (__builtin_expect (hook != NULL, 0)) diff --git a/patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch b/patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch deleted file mode 100644 index 8bc5718..0000000 --- a/patches/glibc-2.18/0012-malloc-Check-for-integer-overflow-in-memalign.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Will Newton <will.newton@linaro.org> -Date: Fri, 16 Aug 2013 12:54:29 +0100 -Subject: [PATCH] malloc: Check for integer overflow in memalign. - -A large bytes parameter to memalign could cause an integer overflow -and corrupt allocator internals. Check the overflow does not occur -before continuing with the allocation. - -ChangeLog: - -2013-09-11 Will Newton <will.newton@linaro.org> - - [BZ #15857] - * malloc/malloc.c (__libc_memalign): Check the value of bytes - does not overflow. ---- - malloc/malloc.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/malloc/malloc.c b/malloc/malloc.c -index 31e2dfa..ebbe86d 100644 ---- a/malloc/malloc.c -+++ b/malloc/malloc.c -@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) - /* Otherwise, ensure that it is at least a minimum chunk size */ - if (alignment < MINSIZE) alignment = MINSIZE; - -+ /* Check for overflow. */ -+ if (bytes > SIZE_MAX - alignment - MINSIZE) -+ { -+ __set_errno (ENOMEM); -+ return 0; -+ } -+ - arena_get(ar_ptr, bytes + alignment + MINSIZE); - if(!ar_ptr) - return 0; diff --git a/patches/glibc-2.18/0013-Fix-stack-overflow-due-to-large-AF_INET6-requests.patch b/patches/glibc-2.18/0013-Fix-stack-overflow-due-to-large-AF_INET6-requests.patch deleted file mode 100644 index c59df8c..0000000 --- a/patches/glibc-2.18/0013-Fix-stack-overflow-due-to-large-AF_INET6-requests.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Siddhesh Poyarekar <siddhesh@redhat.com> -Date: Fri, 25 Oct 2013 10:22:12 +0530 -Subject: [PATCH] Fix stack overflow due to large AF_INET6 requests - -Resolves #16072 (CVE-2013-4458). - -This patch fixes another stack overflow in getaddrinfo when it is -called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914, -but the AF_INET6 case went undetected back then. ---- - sysdeps/posix/getaddrinfo.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c -index 7bb3ded..2e97255 100644 ---- a/sysdeps/posix/getaddrinfo.c -+++ b/sysdeps/posix/getaddrinfo.c -@@ -197,7 +197,22 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, - &rc, &herrno, NULL, &localcanon)); \ - if (rc != ERANGE || herrno != NETDB_INTERNAL) \ - break; \ -- tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \ -+ if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \ -+ tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \ -+ alloca_used); \ -+ else \ -+ { \ -+ char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \ -+ 2 * tmpbuflen); \ -+ if (newp == NULL) \ -+ { \ -+ result = -EAI_MEMORY; \ -+ goto free_and_return; \ -+ } \ -+ tmpbuf = newp; \ -+ malloc_tmpbuf = true; \ -+ tmpbuflen = 2 * tmpbuflen; \ -+ } \ - } \ - if (status == NSS_STATUS_SUCCESS && rc == 0) \ - h = &th; \ -@@ -209,7 +224,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, - { \ - __set_h_errno (herrno); \ - _res.options |= old_res_options & RES_USE_INET6; \ -- return -EAI_SYSTEM; \ -+ result = -EAI_SYSTEM; \ -+ goto free_and_return; \ - } \ - if (herrno == TRY_AGAIN) \ - no_data = EAI_AGAIN; \ diff --git a/patches/glibc-2.18/series b/patches/glibc-2.18/series deleted file mode 100644 index ba8f90c..0000000 --- a/patches/glibc-2.18/series +++ /dev/null @@ -1,27 +0,0 @@ -# generated by git-ptx-patches -#tag:base --start-number 1 -#tag:upstream --start-number 1 -0001-ARM-Fix-clone-code-when-built-for-Thumb.patch -0002-Fix-PI-mutex-check-in-pthread_cond_broadcast-and-pth.patch -0003-ARM-Fix-memcpy-computed-jump-calculations-for-ARM_AL.patch -0004-Accept-make-versions-4.0-and-greater.patch -0005-Simplify-strcoll-implementation.patch -0006-Fall-back-to-non-cached-sequence-traversal-and-compa.patch -0007-Check-for-integer-overflow-in-cache-size-computation.patch -0008-BZ-15754-CVE-2013-4788.patch -0009-CVE-2013-4237-BZ-14699-Buffer-overflow-in-readdir_r.patch -0010-malloc-Check-for-integer-overflow-in-pvalloc.patch -0011-malloc-Check-for-integer-overflow-in-valloc.patch -0012-malloc-Check-for-integer-overflow-in-memalign.patch -0013-Fix-stack-overflow-due-to-large-AF_INET6-requests.patch -#tag:build-system --start-number 100 -0100-add-install-lib-all-target.patch -0101-don-t-regen-docs-if-perl-is-not-found.patch -#tag:debian --start-number 200 -0200-Fix-localedef-segfault-when-run-under-exec-shield-Pa.patch -#tag:gentoo --start-number 300 -0300-resolv-dynamic.patch -#tag:linaro --start-number 400 -0400-optimized-string-functions-for-NEON-from-Linaro.patch -0401-add-libc_hidden_builtin_def-for-all-cortex-functions.patch -# c7c37d04f6d7c2fc5e7140d9570db200 - git-ptx-patches magic diff --git a/patches/glibc-2.18/0100-add-install-lib-all-target.patch b/patches/glibc-2.20/0100-add-install-lib-all-target.patch index 078aba9..45971cc 100644 --- a/patches/glibc-2.18/0100-add-install-lib-all-target.patch +++ b/patches/glibc-2.20/0100-add-install-lib-all-target.patch @@ -16,10 +16,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> 1 file changed, 7 insertions(+) diff --git a/Makerules b/Makerules -index 03eafb0..5d7effd 100644 +index 6b30e8ce58d0..16b24ad2b20a 100644 --- a/Makerules +++ b/Makerules -@@ -801,6 +801,13 @@ endef +@@ -834,6 +834,13 @@ endef installed-libcs := $(foreach o,$(filter-out .os,$(object-suffixes-for-libc)),\ $(inst_libdir)/$(patsubst %,$(libtype$o),\ $(libprefix)$(libc-name))) diff --git a/patches/glibc-2.18/0101-don-t-regen-docs-if-perl-is-not-found.patch b/patches/glibc-2.20/0101-don-t-regen-docs-if-perl-is-not-found.patch index f89304d..653aee3 100644 --- a/patches/glibc-2.18/0101-don-t-regen-docs-if-perl-is-not-found.patch +++ b/patches/glibc-2.20/0101-don-t-regen-docs-if-perl-is-not-found.patch @@ -15,10 +15,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> 1 file changed, 5 insertions(+) diff --git a/manual/Makefile b/manual/Makefile -index 44c0fd4..54217e0 100644 +index 62217a2d7a71..4a726edc215a 100644 --- a/manual/Makefile +++ b/manual/Makefile -@@ -107,9 +107,14 @@ $(objpfx)dir-add.texi: xtract-typefun.awk $(texis-path) +@@ -104,9 +104,14 @@ $(objpfx)dir-add.texi: xtract-typefun.awk $(texis-path) $(objpfx)libm-err.texi: $(objpfx)stamp-libm-err $(objpfx)stamp-libm-err: libm-err-tab.pl $(wildcard $(foreach dir,$(sysdirs),\ $(dir)/libm-test-ulps)) diff --git a/patches/glibc-2.18/0200-Fix-localedef-segfault-when-run-under-exec-shield-Pa.patch b/patches/glibc-2.20/0200-Fix-localedef-segfault-when-run-under-exec-shield-Pa.patch index 02c87ef..f898798 100644 --- a/patches/glibc-2.18/0200-Fix-localedef-segfault-when-run-under-exec-shield-Pa.patch +++ b/patches/glibc-2.20/0200-Fix-localedef-segfault-when-run-under-exec-shield-Pa.patch @@ -19,7 +19,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> 1 file changed, 36 insertions(+) diff --git a/locale/programs/3level.h b/locale/programs/3level.h -index 9b8b1b9..93b643c 100644 +index c83cdf205e40..1d4553e512a5 100644 --- a/locale/programs/3level.h +++ b/locale/programs/3level.h @@ -204,6 +204,42 @@ CONCAT(TABLE,_iterate) (struct TABLE *t, @@ -64,4 +64,4 @@ index 9b8b1b9..93b643c 100644 + #endif - #ifndef NO_FINALIZE + #ifndef NO_ADD_LOCALE diff --git a/patches/glibc-2.18/0300-resolv-dynamic.patch b/patches/glibc-2.20/0300-resolv-dynamic.patch index efe056e..8865e25 100644 --- a/patches/glibc-2.18/0300-resolv-dynamic.patch +++ b/patches/glibc-2.20/0300-resolv-dynamic.patch @@ -13,7 +13,7 @@ http://bugs.gentoo.org/177416 1 file changed, 15 insertions(+) diff --git a/resolv/res_libc.c b/resolv/res_libc.c -index 48d3200..a443345 100644 +index ee3fa2114b70..10cb08bdd9be 100644 --- a/resolv/res_libc.c +++ b/resolv/res_libc.c @@ -22,6 +22,7 @@ diff --git a/patches/glibc-2.18/0400-optimized-string-functions-for-NEON-from-Linaro.patch b/patches/glibc-2.20/0400-optimized-string-functions-for-NEON-from-Linaro.patch index 4795949..f823c45 100644 --- a/patches/glibc-2.18/0400-optimized-string-functions-for-NEON-from-Linaro.patch +++ b/patches/glibc-2.20/0400-optimized-string-functions-for-NEON-from-Linaro.patch @@ -18,7 +18,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> diff --git a/cortex-strings/sysdeps/arm/armv7/memchr.S b/cortex-strings/sysdeps/arm/armv7/memchr.S new file mode 100644 -index 0000000..92a2d9f +index 000000000000..92a2d9f0967d --- /dev/null +++ b/cortex-strings/sysdeps/arm/armv7/memchr.S @@ -0,0 +1,155 @@ @@ -179,7 +179,7 @@ index 0000000..92a2d9f + bx lr diff --git a/cortex-strings/sysdeps/arm/armv7/memcpy.S b/cortex-strings/sysdeps/arm/armv7/memcpy.S new file mode 100644 -index 0000000..3be24ca +index 000000000000..3be24cad2c8d --- /dev/null +++ b/cortex-strings/sysdeps/arm/armv7/memcpy.S @@ -0,0 +1,152 @@ @@ -337,7 +337,7 @@ index 0000000..3be24ca + b 4b diff --git a/cortex-strings/sysdeps/arm/armv7/memset.S b/cortex-strings/sysdeps/arm/armv7/memset.S new file mode 100644 -index 0000000..921cb75 +index 000000000000..921cb7535cc8 --- /dev/null +++ b/cortex-strings/sysdeps/arm/armv7/memset.S @@ -0,0 +1,118 @@ @@ -461,7 +461,7 @@ index 0000000..921cb75 + bx lr @ goodbye diff --git a/cortex-strings/sysdeps/arm/armv7/strchr.S b/cortex-strings/sysdeps/arm/armv7/strchr.S new file mode 100644 -index 0000000..8875dbf +index 000000000000..8875dbfce6da --- /dev/null +++ b/cortex-strings/sysdeps/arm/armv7/strchr.S @@ -0,0 +1,76 @@ @@ -543,7 +543,7 @@ index 0000000..8875dbf + bx lr diff --git a/cortex-strings/sysdeps/arm/armv7/strlen.S b/cortex-strings/sysdeps/arm/armv7/strlen.S new file mode 100644 -index 0000000..8efa235 +index 000000000000..8efa2356fdd1 --- /dev/null +++ b/cortex-strings/sysdeps/arm/armv7/strlen.S @@ -0,0 +1,150 @@ diff --git a/patches/glibc-2.18/0401-add-libc_hidden_builtin_def-for-all-cortex-functions.patch b/patches/glibc-2.20/0401-add-libc_hidden_builtin_def-for-all-cortex-functions.patch index 363ee0d..2ffcdbb 100644 --- a/patches/glibc-2.18/0401-add-libc_hidden_builtin_def-for-all-cortex-functions.patch +++ b/patches/glibc-2.20/0401-add-libc_hidden_builtin_def-for-all-cortex-functions.patch @@ -12,7 +12,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> 5 files changed, 11 insertions(+) diff --git a/cortex-strings/sysdeps/arm/armv7/memchr.S b/cortex-strings/sysdeps/arm/armv7/memchr.S -index 92a2d9f..6e41953 100644 +index 92a2d9f0967d..6e4195325c82 100644 --- a/cortex-strings/sysdeps/arm/armv7/memchr.S +++ b/cortex-strings/sysdeps/arm/armv7/memchr.S @@ -153,3 +153,6 @@ memchr: @@ -23,7 +23,7 @@ index 92a2d9f..6e41953 100644 +strong_alias (memchr, __memchr) +libc_hidden_builtin_def (memchr) diff --git a/cortex-strings/sysdeps/arm/armv7/memcpy.S b/cortex-strings/sysdeps/arm/armv7/memcpy.S -index 3be24ca..c274207 100644 +index 3be24cad2c8d..c2742073a329 100644 --- a/cortex-strings/sysdeps/arm/armv7/memcpy.S +++ b/cortex-strings/sysdeps/arm/armv7/memcpy.S @@ -150,3 +150,5 @@ memcpy: @@ -33,7 +33,7 @@ index 3be24ca..c274207 100644 + +libc_hidden_builtin_def (memcpy) diff --git a/cortex-strings/sysdeps/arm/armv7/memset.S b/cortex-strings/sysdeps/arm/armv7/memset.S -index 921cb75..d4c12a4 100644 +index 921cb7535cc8..d4c12a4d1243 100644 --- a/cortex-strings/sysdeps/arm/armv7/memset.S +++ b/cortex-strings/sysdeps/arm/armv7/memset.S @@ -116,3 +116,5 @@ memset: @@ -43,7 +43,7 @@ index 921cb75..d4c12a4 100644 + +libc_hidden_builtin_def (memset) diff --git a/cortex-strings/sysdeps/arm/armv7/strchr.S b/cortex-strings/sysdeps/arm/armv7/strchr.S -index 8875dbf..05c832f 100644 +index 8875dbfce6da..05c832f1faf4 100644 --- a/cortex-strings/sysdeps/arm/armv7/strchr.S +++ b/cortex-strings/sysdeps/arm/armv7/strchr.S @@ -74,3 +74,6 @@ strchr: @@ -54,7 +54,7 @@ index 8875dbf..05c832f 100644 +weak_alias (strchr, index) +libc_hidden_builtin_def (strchr) diff --git a/cortex-strings/sysdeps/arm/armv7/strlen.S b/cortex-strings/sysdeps/arm/armv7/strlen.S -index 8efa235..1445d8e 100644 +index 8efa2356fdd1..1445d8e8118e 100644 --- a/cortex-strings/sysdeps/arm/armv7/strlen.S +++ b/cortex-strings/sysdeps/arm/armv7/strlen.S @@ -148,3 +148,4 @@ def_fn strlen p2align=6 diff --git a/patches/glibc-2.20/series b/patches/glibc-2.20/series new file mode 100644 index 0000000..d573f03 --- /dev/null +++ b/patches/glibc-2.20/series @@ -0,0 +1,14 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +#tag:upstream --start-number 1 +#tag:build-system --start-number 100 +0100-add-install-lib-all-target.patch +0101-don-t-regen-docs-if-perl-is-not-found.patch +#tag:debian --start-number 200 +0200-Fix-localedef-segfault-when-run-under-exec-shield-Pa.patch +#tag:gentoo --start-number 300 +0300-resolv-dynamic.patch +#tag:linaro --start-number 400 +0400-optimized-string-functions-for-NEON-from-Linaro.patch +0401-add-libc_hidden_builtin_def-for-all-cortex-functions.patch +# 9424473d0c6432ce5c5a28abd362c91c - git-ptx-patches magic |