summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--patches/glibc-2.20/0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch24
-rw-r--r--patches/glibc-2.20/0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch277
-rw-r--r--patches/glibc-2.20/0003-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch (renamed from patches/glibc-2.20/0001-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch)0
-rw-r--r--patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch95
-rw-r--r--patches/glibc-2.20/series7
5 files changed, 401 insertions, 2 deletions
diff --git a/patches/glibc-2.20/0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch b/patches/glibc-2.20/0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch
new file mode 100644
index 0000000..323ee72
--- /dev/null
+++ b/patches/glibc-2.20/0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch
@@ -0,0 +1,24 @@
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 15 Dec 2014 17:41:13 +0100
+Subject: [PATCH] CVE-2014-9402: Avoid infinite loop in nss_dns getnetbyname
+ [BZ #17630]
+
+---
+ resolv/nss_dns/dns-network.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 0a77c8bc4808..08cf0a6462ce 100644
+--- a/resolv/nss_dns/dns-network.c
++++ b/resolv/nss_dns/dns-network.c
+@@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result,
+
+ case BYNAME:
+ {
+- char **ap = result->n_aliases++;
+- while (*ap != NULL)
++ char **ap;
++ for (ap = result->n_aliases; *ap != NULL; ++ap)
+ {
+ /* Check each alias name for being of the forms:
+ 4.3.2.1.in-addr.arpa = net 1.2.3.4
diff --git a/patches/glibc-2.20/0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch b/patches/glibc-2.20/0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch
new file mode 100644
index 0000000..5dc8a07
--- /dev/null
+++ b/patches/glibc-2.20/0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch
@@ -0,0 +1,277 @@
+From: Jeff Law <law@redhat.com>
+Date: Mon, 15 Dec 2014 10:09:32 +0100
+Subject: [PATCH] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
+
+A larger number of format specifiers coudld cause a stack overflow,
+potentially allowing to bypass _FORTIFY_SOURCE format string
+protection.
+---
+ stdio-common/Makefile | 2 +-
+ stdio-common/bug23-2.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++
+ stdio-common/bug23-3.c | 50 +++++++++++++++++++++++++++++++++++
+ stdio-common/bug23-4.c | 31 ++++++++++++++++++++++
+ stdio-common/vfprintf.c | 40 ++++++++++++++++++++++++++--
+ 5 files changed, 190 insertions(+), 3 deletions(-)
+ create mode 100644 stdio-common/bug23-2.c
+ create mode 100644 stdio-common/bug23-3.c
+ create mode 100644 stdio-common/bug23-4.c
+
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index 5f8e5341a5c3..24e8496f7521 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
+ bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
+ scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
+ bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \
+- bug25 tst-printf-round bug26
++ bug25 tst-printf-round bug23-2 bug23-3 bug23-4
+
+ test-srcs = tst-unbputc tst-printf
+
+diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c
+new file mode 100644
+index 000000000000..9e0cfe6860d0
+--- /dev/null
++++ b/stdio-common/bug23-2.c
+@@ -0,0 +1,70 @@
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++
++static const char expected[] = "\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55\
++\n\
++a\n\
++abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n";
++
++static int
++do_test (void)
++{
++ char *buf = malloc (strlen (expected) + 1);
++ snprintf (buf, strlen (expected) + 1,
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n",
++ "a", "b", "c", "d", 5);
++ return strcmp (buf, expected) != 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/stdio-common/bug23-3.c b/stdio-common/bug23-3.c
+new file mode 100644
+index 000000000000..57c8cef195a8
+--- /dev/null
++++ b/stdio-common/bug23-3.c
+@@ -0,0 +1,50 @@
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++
++int
++do_test (void)
++{
++ size_t instances = 16384;
++#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
++ const char *item = "\na\nabbcd55";
++#define X3 X0 X0 X0 X0 X0 X0 X0 X0
++#define X6 X3 X3 X3 X3 X3 X3 X3 X3
++#define X9 X6 X6 X6 X6 X6 X6 X6 X6
++#define X12 X9 X9 X9 X9 X9 X9 X9 X9
++#define X14 X12 X12 X12 X12
++#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%"
++#define TRAILER2 TRAILER TRAILER
++ size_t length = instances * strlen (item) + strlen (TRAILER) + 1;
++
++ char *buf = malloc (length + 1);
++ snprintf (buf, length + 1,
++ X14 TRAILER2 "\n",
++ "a", "b", "c", "d", 5);
++
++ const char *p = buf;
++ size_t i;
++ for (i = 0; i < instances; ++i)
++ {
++ const char *expected;
++ for (expected = item; *expected; ++expected)
++ {
++ if (*p != *expected)
++ {
++ printf ("mismatch at offset %zu (%zu): expected %d, got %d\n",
++ (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF);
++ return 1;
++ }
++ ++p;
++ }
++ }
++ if (strcmp (p, TRAILER "\n") != 0)
++ {
++ printf ("mismatch at trailer: [%s]\n", p);
++ return 1;
++ }
++ free (buf);
++ return 0;
++}
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c
+new file mode 100644
+index 000000000000..a4785640dee0
+--- /dev/null
++++ b/stdio-common/bug23-4.c
+@@ -0,0 +1,31 @@
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/resource.h>
++
++#define LIMIT 1000000
++
++int
++main (void)
++{
++ struct rlimit lim;
++ getrlimit (RLIMIT_STACK, &lim);
++ lim.rlim_cur = 1048576;
++ setrlimit (RLIMIT_STACK, &lim);
++ char *fmtstr = malloc (4 * LIMIT + 1);
++ if (fmtstr == NULL)
++ abort ();
++ char *output = malloc (LIMIT + 1);
++ if (output == NULL)
++ abort ();
++ for (size_t i = 0; i < LIMIT; i++)
++ memcpy (fmtstr + 4 * i, "%1$d", 4);
++ fmtstr[4 * LIMIT] = '\0';
++ int ret = snprintf (output, LIMIT + 1, fmtstr, 0);
++ if (ret != LIMIT)
++ abort ();
++ for (size_t i = 0; i < LIMIT; i++)
++ if (output[i] != '0')
++ abort ();
++ return 0;
++}
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index c4ff8334b206..429a3d1a83ca 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -263,6 +263,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
+ /* For the argument descriptions, which may be allocated on the heap. */
+ void *args_malloced = NULL;
+
++ /* For positional argument handling. */
++ struct printf_spec *specs;
++
++ /* Track if we malloced the SPECS array and thus must free it. */
++ bool specs_malloced = false;
++
+ /* This table maps a character into a number representing a
+ class. In each step there is a destination label for each
+ class. */
+@@ -1679,8 +1685,8 @@ do_positional:
+ size_t nspecs = 0;
+ /* A more or less arbitrary start value. */
+ size_t nspecs_size = 32 * sizeof (struct printf_spec);
+- struct printf_spec *specs = alloca (nspecs_size);
+
++ specs = alloca (nspecs_size);
+ /* The number of arguments the format string requests. This will
+ determine the size of the array needed to store the argument
+ attributes. */
+@@ -1721,11 +1727,39 @@ do_positional:
+ if (nspecs * sizeof (*specs) >= nspecs_size)
+ {
+ /* Extend the array of format specifiers. */
++ if (nspecs_size * 2 < nspecs_size)
++ {
++ __set_errno (ENOMEM);
++ done = -1;
++ goto all_done;
++ }
+ struct printf_spec *old = specs;
+- specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
++ if (__libc_use_alloca (2 * nspecs_size))
++ specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
++ else
++ {
++ nspecs_size *= 2;
++ specs = malloc (nspecs_size);
++ if (specs == NULL)
++ {
++ __set_errno (ENOMEM);
++ specs = old;
++ done = -1;
++ goto all_done;
++ }
++ }
+
+ /* Copy the old array's elements to the new space. */
+ memmove (specs, old, nspecs * sizeof (*specs));
++
++ /* If we had previously malloc'd space for SPECS, then
++ release it after the copy is complete. */
++ if (specs_malloced)
++ free (old);
++
++ /* Now set SPECS_MALLOCED if needed. */
++ if (!__libc_use_alloca (nspecs_size))
++ specs_malloced = true;
+ }
+
+ /* Parse the format specifier. */
+@@ -2046,6 +2080,8 @@ do_positional:
+ }
+
+ all_done:
++ if (specs_malloced)
++ free (specs);
+ if (__glibc_unlikely (args_malloced != NULL))
+ free (args_malloced);
+ if (__glibc_unlikely (workstart != NULL))
diff --git a/patches/glibc-2.20/0001-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch b/patches/glibc-2.20/0003-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
index 41afda4..41afda4 100644
--- a/patches/glibc-2.20/0001-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
+++ b/patches/glibc-2.20/0003-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
diff --git a/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch
new file mode 100644
index 0000000..4ff5a63
--- /dev/null
+++ b/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch
@@ -0,0 +1,95 @@
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Fri, 6 Feb 2015 00:30:42 -0500
+Subject: [PATCH] CVE-2015-1472: wscanf allocates too little memory
+
+BZ #16618
+
+Under certain conditions wscanf can allocate too little memory for the
+to-be-scanned arguments and overflow the allocated buffer. The
+implementation now correctly computes the required buffer size when
+using malloc.
+
+A regression test was added to tst-sscanf.
+---
+ stdio-common/tst-sscanf.c | 33 +++++++++++++++++++++++++++++++++
+ stdio-common/vfscanf.c | 12 ++++++------
+ 2 files changed, 39 insertions(+), 6 deletions(-)
+
+diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
+index 9fef93a53578..6394fe1cccd1 100644
+--- a/stdio-common/tst-sscanf.c
++++ b/stdio-common/tst-sscanf.c
+@@ -233,5 +233,38 @@ main (void)
+ }
+ }
+
++ /* BZ #16618
++ The test will segfault during SSCANF if the buffer overflow
++ is not fixed. The size of `s` is such that it forces the use
++ of malloc internally and this triggers the incorrect computation.
++ Thus the value for SIZE is arbitrariy high enough that malloc
++ is used. */
++ {
++#define SIZE 131072
++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
++ if (s == NULL)
++ abort ();
++ for (size_t i = 0; i < SIZE; i++)
++ s[i] = L('0');
++ s[SIZE] = L('\0');
++ int i = 42;
++ /* Scan multi-digit zero into `i`. */
++ if (SSCANF (s, L("%d"), &i) != 1)
++ {
++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
++ result = 1;
++ }
++ if (i != 0)
++ {
++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
++ result = 1;
++ }
++ free (s);
++ if (result != 1)
++ printf ("PASS: bug16618: Did not crash.\n");
++#undef SIZE
++ }
++
++
+ return result;
+ }
+diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
+index e0d224530cc6..a4f06b44e576 100644
+--- a/stdio-common/vfscanf.c
++++ b/stdio-common/vfscanf.c
+@@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
+ if (__glibc_unlikely (wpsize == wpmax)) \
+ { \
+ CHAR_T *old = wp; \
+- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
+- ? UCHAR_MAX + 1 : 2 * wpmax); \
+- if (use_malloc || !__libc_use_alloca (newsize)) \
++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \
++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \
++ if (!__libc_use_alloca (newsize)) \
+ { \
+ wp = realloc (use_malloc ? wp : NULL, newsize); \
+ if (wp == NULL) \
+@@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
+ } \
+ if (! use_malloc) \
+ MEMCPY (wp, old, wpsize); \
+- wpmax = newsize; \
++ wpmax = wpneed; \
+ use_malloc = true; \
+ } \
+ else \
+ { \
+ size_t s = wpmax * sizeof (CHAR_T); \
+- wp = (CHAR_T *) extend_alloca (wp, s, \
+- newsize * sizeof (CHAR_T)); \
++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \
+ wpmax = s / sizeof (CHAR_T); \
+ if (old != NULL) \
+ MEMCPY (wp, old, wpsize); \
diff --git a/patches/glibc-2.20/series b/patches/glibc-2.20/series
index 8eb023a..89005f0 100644
--- a/patches/glibc-2.20/series
+++ b/patches/glibc-2.20/series
@@ -1,7 +1,10 @@
# generated by git-ptx-patches
#tag:base --start-number 1
#tag:upstream --start-number 1
-0001-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
+0001-CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetb.patch
+0002-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch
+0003-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
+0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch
#tag:build-system --start-number 100
0100-add-install-lib-all-target.patch
0101-don-t-regen-docs-if-perl-is-not-found.patch
@@ -14,4 +17,4 @@
0401-add-libc_hidden_builtin_def-for-all-cortex-functions.patch
#tag:hacks --start-number 500
0500-Hack-around-mips-args-to-host-gcc.patch
-# d9cd5ae91332d084ae07ad4d0589ae36 - git-ptx-patches magic
+# abbdf6f06cd2fc7e40618e8c66cf8875 - git-ptx-patches magic