diff options
Diffstat (limited to 'patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch')
-rw-r--r-- | patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch new file mode 100644 index 0000000..4ff5a63 --- /dev/null +++ b/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch @@ -0,0 +1,95 @@ +From: Paul Pluzhnikov <ppluzhnikov@google.com> +Date: Fri, 6 Feb 2015 00:30:42 -0500 +Subject: [PATCH] CVE-2015-1472: wscanf allocates too little memory + +BZ #16618 + +Under certain conditions wscanf can allocate too little memory for the +to-be-scanned arguments and overflow the allocated buffer. The +implementation now correctly computes the required buffer size when +using malloc. + +A regression test was added to tst-sscanf. +--- + stdio-common/tst-sscanf.c | 33 +++++++++++++++++++++++++++++++++ + stdio-common/vfscanf.c | 12 ++++++------ + 2 files changed, 39 insertions(+), 6 deletions(-) + +diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c +index 9fef93a53578..6394fe1cccd1 100644 +--- a/stdio-common/tst-sscanf.c ++++ b/stdio-common/tst-sscanf.c +@@ -233,5 +233,38 @@ main (void) + } + } + ++ /* BZ #16618 ++ The test will segfault during SSCANF if the buffer overflow ++ is not fixed. The size of `s` is such that it forces the use ++ of malloc internally and this triggers the incorrect computation. ++ Thus the value for SIZE is arbitrariy high enough that malloc ++ is used. */ ++ { ++#define SIZE 131072 ++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s)); ++ if (s == NULL) ++ abort (); ++ for (size_t i = 0; i < SIZE; i++) ++ s[i] = L('0'); ++ s[SIZE] = L('\0'); ++ int i = 42; ++ /* Scan multi-digit zero into `i`. */ ++ if (SSCANF (s, L("%d"), &i) != 1) ++ { ++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n"); ++ result = 1; ++ } ++ if (i != 0) ++ { ++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n"); ++ result = 1; ++ } ++ free (s); ++ if (result != 1) ++ printf ("PASS: bug16618: Did not crash.\n"); ++#undef SIZE ++ } ++ ++ + return result; + } +diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c +index e0d224530cc6..a4f06b44e576 100644 +--- a/stdio-common/vfscanf.c ++++ b/stdio-common/vfscanf.c +@@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, + if (__glibc_unlikely (wpsize == wpmax)) \ + { \ + CHAR_T *old = wp; \ +- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \ +- ? UCHAR_MAX + 1 : 2 * wpmax); \ +- if (use_malloc || !__libc_use_alloca (newsize)) \ ++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \ ++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \ ++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \ ++ if (!__libc_use_alloca (newsize)) \ + { \ + wp = realloc (use_malloc ? wp : NULL, newsize); \ + if (wp == NULL) \ +@@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, + } \ + if (! use_malloc) \ + MEMCPY (wp, old, wpsize); \ +- wpmax = newsize; \ ++ wpmax = wpneed; \ + use_malloc = true; \ + } \ + else \ + { \ + size_t s = wpmax * sizeof (CHAR_T); \ +- wp = (CHAR_T *) extend_alloca (wp, s, \ +- newsize * sizeof (CHAR_T)); \ ++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \ + wpmax = s / sizeof (CHAR_T); \ + if (old != NULL) \ + MEMCPY (wp, old, wpsize); \ |