diff options
author | Zhixiong Chi <zhixiong.chi@windriver.com> | 2018-06-07 03:01:53 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-06-15 17:56:24 +0100 |
commit | d2efd1f20e5df7ab65497529c9fdb127de92eda4 (patch) | |
tree | 0c1c6fae440a1c2e5fd296027ac5b64cd0e0d54e | |
parent | 15b3b32407b3c9db6b7b58a47c7947dcf165d471 (diff) | |
download | poky-d2efd1f20e5df7ab65497529c9fdb127de92eda4.tar.gz |
glibc: fix CVE-2017-18269 and CVE-2018-11236
Backport two CVE patches from the upstream
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=summary
commit 5460617d1567657621107d895ee2dd83bc1f88f2
commit cd66c0e584c6d692bc8347b5e72723d02b8a8ada
(From OE-Core rev: 398ac946745bbfad55deb382aeafec0be3298819)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2017-18269.patch | 178 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2018-11236.patch | 164 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.27.bb | 2 |
3 files changed, 344 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-18269.patch b/meta/recipes-core/glibc/glibc/CVE-2017-18269.patch new file mode 100644 index 0000000000..d873c51e60 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-18269.patch | |||
@@ -0,0 +1,178 @@ | |||
1 | From cd66c0e584c6d692bc8347b5e72723d02b8a8ada Mon Sep 17 00:00:00 2001 | ||
2 | From: Andrew Senkevich <andrew.n.senkevich@gmail.com> | ||
3 | Date: Fri, 23 Mar 2018 16:19:45 +0100 | ||
4 | Subject: [PATCH] Fix i386 memmove issue (bug 22644). | ||
5 | |||
6 | [BZ #22644] | ||
7 | * sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed | ||
8 | branch conditions. | ||
9 | * string/test-memmove.c (do_test2): New testcase. | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2017-18269 | ||
13 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
14 | --- | ||
15 | ChangeLog | 8 +++ | ||
16 | string/test-memmove.c | 58 ++++++++++++++++++++++ | ||
17 | .../i386/i686/multiarch/memcpy-sse2-unaligned.S | 12 ++--- | ||
18 | 3 files changed, 72 insertions(+), 6 deletions(-) | ||
19 | |||
20 | diff --git a/ChangeLog b/ChangeLog | ||
21 | index 18ed09e..afdb766 100644 | ||
22 | --- a/ChangeLog | ||
23 | +++ b/ChangeLog | ||
24 | @@ -1,3 +1,11 @@ | ||
25 | +2018-03-23 Andrew Senkevich <andrew.senkevich@intel.com> | ||
26 | + Max Horn <max@quendi.de> | ||
27 | + | ||
28 | + [BZ #22644] | ||
29 | + * sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed | ||
30 | + branch conditions. | ||
31 | + * string/test-memmove.c (do_test2): New testcase. | ||
32 | + | ||
33 | 2018-02-22 Andrew Waterman <andrew@sifive.com> | ||
34 | |||
35 | [BZ # 22884] | ||
36 | diff --git a/string/test-memmove.c b/string/test-memmove.c | ||
37 | index edc7a4c..64e3651 100644 | ||
38 | --- a/string/test-memmove.c | ||
39 | +++ b/string/test-memmove.c | ||
40 | @@ -24,6 +24,7 @@ | ||
41 | # define TEST_NAME "memmove" | ||
42 | #endif | ||
43 | #include "test-string.h" | ||
44 | +#include <support/test-driver.h> | ||
45 | |||
46 | char *simple_memmove (char *, const char *, size_t); | ||
47 | |||
48 | @@ -245,6 +246,60 @@ do_random_tests (void) | ||
49 | } | ||
50 | } | ||
51 | |||
52 | +static void | ||
53 | +do_test2 (void) | ||
54 | +{ | ||
55 | + size_t size = 0x20000000; | ||
56 | + uint32_t * large_buf; | ||
57 | + | ||
58 | + large_buf = mmap ((void*) 0x70000000, size, PROT_READ | PROT_WRITE, | ||
59 | + MAP_PRIVATE | MAP_ANON, -1, 0); | ||
60 | + | ||
61 | + if (large_buf == MAP_FAILED) | ||
62 | + error (EXIT_UNSUPPORTED, errno, "Large mmap failed"); | ||
63 | + | ||
64 | + if ((uintptr_t) large_buf > 0x80000000 - 128 | ||
65 | + || 0x80000000 - (uintptr_t) large_buf > 0x20000000) | ||
66 | + { | ||
67 | + error (0, 0, "Large mmap allocated improperly"); | ||
68 | + ret = EXIT_UNSUPPORTED; | ||
69 | + munmap ((void *) large_buf, size); | ||
70 | + return; | ||
71 | + } | ||
72 | + | ||
73 | + size_t bytes_move = 0x80000000 - (uintptr_t) large_buf; | ||
74 | + size_t arr_size = bytes_move / sizeof (uint32_t); | ||
75 | + size_t i; | ||
76 | + | ||
77 | + FOR_EACH_IMPL (impl, 0) | ||
78 | + { | ||
79 | + for (i = 0; i < arr_size; i++) | ||
80 | + large_buf[i] = (uint32_t) i; | ||
81 | + | ||
82 | + uint32_t * dst = &large_buf[33]; | ||
83 | + | ||
84 | +#ifdef TEST_BCOPY | ||
85 | + CALL (impl, (char *) large_buf, (char *) dst, bytes_move); | ||
86 | +#else | ||
87 | + CALL (impl, (char *) dst, (char *) large_buf, bytes_move); | ||
88 | +#endif | ||
89 | + | ||
90 | + for (i = 0; i < arr_size; i++) | ||
91 | + { | ||
92 | + if (dst[i] != (uint32_t) i) | ||
93 | + { | ||
94 | + error (0, 0, | ||
95 | + "Wrong result in function %s dst \"%p\" src \"%p\" offset \"%zd\"", | ||
96 | + impl->name, dst, large_buf, i); | ||
97 | + ret = 1; | ||
98 | + break; | ||
99 | + } | ||
100 | + } | ||
101 | + } | ||
102 | + | ||
103 | + munmap ((void *) large_buf, size); | ||
104 | +} | ||
105 | + | ||
106 | int | ||
107 | test_main (void) | ||
108 | { | ||
109 | @@ -284,6 +339,9 @@ test_main (void) | ||
110 | } | ||
111 | |||
112 | do_random_tests (); | ||
113 | + | ||
114 | + do_test2 (); | ||
115 | + | ||
116 | return ret; | ||
117 | } | ||
118 | |||
119 | diff --git a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S | ||
120 | index 9c3bbe7..9aa17de 100644 | ||
121 | --- a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S | ||
122 | +++ b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S | ||
123 | @@ -72,7 +72,7 @@ ENTRY (MEMCPY) | ||
124 | cmp %edx, %eax | ||
125 | |||
126 | # ifdef USE_AS_MEMMOVE | ||
127 | - jg L(check_forward) | ||
128 | + ja L(check_forward) | ||
129 | |||
130 | L(mm_len_0_or_more_backward): | ||
131 | /* Now do checks for lengths. We do [0..16], [16..32], [32..64], [64..128] | ||
132 | @@ -81,7 +81,7 @@ L(mm_len_0_or_more_backward): | ||
133 | jbe L(mm_len_0_16_bytes_backward) | ||
134 | |||
135 | cmpl $32, %ecx | ||
136 | - jg L(mm_len_32_or_more_backward) | ||
137 | + ja L(mm_len_32_or_more_backward) | ||
138 | |||
139 | /* Copy [0..32] and return. */ | ||
140 | movdqu (%eax), %xmm0 | ||
141 | @@ -92,7 +92,7 @@ L(mm_len_0_or_more_backward): | ||
142 | |||
143 | L(mm_len_32_or_more_backward): | ||
144 | cmpl $64, %ecx | ||
145 | - jg L(mm_len_64_or_more_backward) | ||
146 | + ja L(mm_len_64_or_more_backward) | ||
147 | |||
148 | /* Copy [0..64] and return. */ | ||
149 | movdqu (%eax), %xmm0 | ||
150 | @@ -107,7 +107,7 @@ L(mm_len_32_or_more_backward): | ||
151 | |||
152 | L(mm_len_64_or_more_backward): | ||
153 | cmpl $128, %ecx | ||
154 | - jg L(mm_len_128_or_more_backward) | ||
155 | + ja L(mm_len_128_or_more_backward) | ||
156 | |||
157 | /* Copy [0..128] and return. */ | ||
158 | movdqu (%eax), %xmm0 | ||
159 | @@ -132,7 +132,7 @@ L(mm_len_128_or_more_backward): | ||
160 | add %ecx, %eax | ||
161 | cmp %edx, %eax | ||
162 | movl SRC(%esp), %eax | ||
163 | - jle L(forward) | ||
164 | + jbe L(forward) | ||
165 | PUSH (%esi) | ||
166 | PUSH (%edi) | ||
167 | PUSH (%ebx) | ||
168 | @@ -269,7 +269,7 @@ L(check_forward): | ||
169 | add %edx, %ecx | ||
170 | cmp %eax, %ecx | ||
171 | movl LEN(%esp), %ecx | ||
172 | - jle L(forward) | ||
173 | + jbe L(forward) | ||
174 | |||
175 | /* Now do checks for lengths. We do [0..16], [0..32], [0..64], [0..128] | ||
176 | separately. */ | ||
177 | -- | ||
178 | 2.9.3 | ||
diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-11236.patch b/meta/recipes-core/glibc/glibc/CVE-2018-11236.patch new file mode 100644 index 0000000000..e2bb40b0de --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2018-11236.patch | |||
@@ -0,0 +1,164 @@ | |||
1 | From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Pluzhnikov <ppluzhnikov@google.com> | ||
3 | Date: Tue, 8 May 2018 18:12:41 -0700 | ||
4 | Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack | ||
5 | buffer overflow when realpath() input length is close to SSIZE_MAX. | ||
6 | |||
7 | 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> | ||
8 | |||
9 | [BZ #22786] | ||
10 | * stdlib/canonicalize.c (__realpath): Fix overflow in path length | ||
11 | computation. | ||
12 | * stdlib/Makefile (test-bz22786): New test. | ||
13 | * stdlib/test-bz22786.c: New test. | ||
14 | |||
15 | CVE: CVE-2018-11236 | ||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
18 | --- | ||
19 | ChangeLog | 8 +++++ | ||
20 | stdlib/Makefile | 2 +- | ||
21 | stdlib/canonicalize.c | 2 +- | ||
22 | stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
23 | 4 files changed, 100 insertions(+), 2 deletions(-) | ||
24 | create mode 100644 stdlib/test-bz22786.c | ||
25 | |||
26 | diff --git a/ChangeLog b/ChangeLog | ||
27 | --- a/ChangeLog | ||
28 | +++ b/ChangeLog | ||
29 | @@ -1,3 +1,11 @@ | ||
30 | +2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> | ||
31 | + | ||
32 | + [BZ #22786] | ||
33 | + * stdlib/canonicalize.c (__realpath): Fix overflow in path length | ||
34 | + computation. | ||
35 | + * stdlib/Makefile (test-bz22786): New test. | ||
36 | + * stdlib/test-bz22786.c: New test. | ||
37 | + | ||
38 | 2018-03-23 Andrew Senkevich <andrew.senkevich@intel.com> | ||
39 | Max Horn <max@quendi.de> | ||
40 | |||
41 | diff --git a/stdlib/Makefile b/stdlib/Makefile | ||
42 | index af1643c..1ddb1f9 100644 | ||
43 | --- a/stdlib/Makefile | ||
44 | +++ b/stdlib/Makefile | ||
45 | @@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ | ||
46 | tst-cxa_atexit tst-on_exit test-atexit-race \ | ||
47 | test-at_quick_exit-race test-cxa_atexit-race \ | ||
48 | test-on_exit-race test-dlclose-exit-race \ | ||
49 | - tst-makecontext-align | ||
50 | + tst-makecontext-align test-bz22786 | ||
51 | |||
52 | tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ | ||
53 | tst-tls-atexit tst-tls-atexit-nodelete | ||
54 | diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c | ||
55 | index 4135f3f..390fb43 100644 | ||
56 | --- a/stdlib/canonicalize.c | ||
57 | +++ b/stdlib/canonicalize.c | ||
58 | @@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved) | ||
59 | extra_buf = __alloca (path_max); | ||
60 | |||
61 | len = strlen (end); | ||
62 | - if ((long int) (n + len) >= path_max) | ||
63 | + if (path_max - n <= len) | ||
64 | { | ||
65 | __set_errno (ENAMETOOLONG); | ||
66 | goto error; | ||
67 | diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c | ||
68 | new file mode 100644 | ||
69 | index 0000000..e7837f9 | ||
70 | --- /dev/null | ||
71 | +++ b/stdlib/test-bz22786.c | ||
72 | @@ -0,0 +1,90 @@ | ||
73 | +/* Bug 22786: test for buffer overflow in realpath. | ||
74 | + Copyright (C) 2018 Free Software Foundation, Inc. | ||
75 | + This file is part of the GNU C Library. | ||
76 | + | ||
77 | + The GNU C Library is free software; you can redistribute it and/or | ||
78 | + modify it under the terms of the GNU Lesser General Public | ||
79 | + License as published by the Free Software Foundation; either | ||
80 | + version 2.1 of the License, or (at your option) any later version. | ||
81 | + | ||
82 | + The GNU C Library is distributed in the hope that it will be useful, | ||
83 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
84 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
85 | + Lesser General Public License for more details. | ||
86 | + | ||
87 | + You should have received a copy of the GNU Lesser General Public | ||
88 | + License along with the GNU C Library; if not, see | ||
89 | + <http://www.gnu.org/licenses/>. */ | ||
90 | + | ||
91 | +/* This file must be run from within a directory called "stdlib". */ | ||
92 | + | ||
93 | +#include <errno.h> | ||
94 | +#include <limits.h> | ||
95 | +#include <stdio.h> | ||
96 | +#include <stdlib.h> | ||
97 | +#include <string.h> | ||
98 | +#include <unistd.h> | ||
99 | +#include <sys/stat.h> | ||
100 | +#include <sys/types.h> | ||
101 | +#include <support/test-driver.h> | ||
102 | +#include <libc-diag.h> | ||
103 | + | ||
104 | +static int | ||
105 | +do_test (void) | ||
106 | +{ | ||
107 | + const char dir[] = "bz22786"; | ||
108 | + const char lnk[] = "bz22786/symlink"; | ||
109 | + | ||
110 | + rmdir (dir); | ||
111 | + if (mkdir (dir, 0755) != 0 && errno != EEXIST) | ||
112 | + { | ||
113 | + printf ("mkdir %s: %m\n", dir); | ||
114 | + return EXIT_FAILURE; | ||
115 | + } | ||
116 | + if (symlink (".", lnk) != 0 && errno != EEXIST) | ||
117 | + { | ||
118 | + printf ("symlink (%s, %s): %m\n", dir, lnk); | ||
119 | + return EXIT_FAILURE; | ||
120 | + } | ||
121 | + | ||
122 | + const size_t path_len = (size_t) INT_MAX + 1; | ||
123 | + | ||
124 | + DIAG_PUSH_NEEDS_COMMENT; | ||
125 | +#if __GNUC_PREREQ (7, 0) | ||
126 | + /* GCC 7 warns about too-large allocations; here we need such | ||
127 | + allocation to succeed for the test to work. */ | ||
128 | + DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); | ||
129 | +#endif | ||
130 | + char *path = malloc (path_len); | ||
131 | + DIAG_POP_NEEDS_COMMENT; | ||
132 | + | ||
133 | + if (path == NULL) | ||
134 | + { | ||
135 | + printf ("malloc (%zu): %m\n", path_len); | ||
136 | + return EXIT_UNSUPPORTED; | ||
137 | + } | ||
138 | + | ||
139 | + /* Construct very long path = "bz22786/symlink/aaaa....." */ | ||
140 | + char *p = mempcpy (path, lnk, sizeof (lnk) - 1); | ||
141 | + *(p++) = '/'; | ||
142 | + memset (p, 'a', path_len - (path - p) - 2); | ||
143 | + p[path_len - (path - p) - 1] = '\0'; | ||
144 | + | ||
145 | + /* This call crashes before the fix for bz22786 on 32-bit platforms. */ | ||
146 | + p = realpath (path, NULL); | ||
147 | + | ||
148 | + if (p != NULL || errno != ENAMETOOLONG) | ||
149 | + { | ||
150 | + printf ("realpath: %s (%m)", p); | ||
151 | + return EXIT_FAILURE; | ||
152 | + } | ||
153 | + | ||
154 | + /* Cleanup. */ | ||
155 | + unlink (lnk); | ||
156 | + rmdir (dir); | ||
157 | + | ||
158 | + return 0; | ||
159 | +} | ||
160 | + | ||
161 | +#define TEST_FUNCTION do_test | ||
162 | +#include <support/test-driver.c> | ||
163 | -- | ||
164 | 2.9.3 | ||
diff --git a/meta/recipes-core/glibc/glibc_2.27.bb b/meta/recipes-core/glibc/glibc_2.27.bb index d3bdeaefc3..fe23eb6653 100644 --- a/meta/recipes-core/glibc/glibc_2.27.bb +++ b/meta/recipes-core/glibc/glibc_2.27.bb | |||
@@ -44,6 +44,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ | |||
44 | file://0028-bits-siginfo-consts.h-enum-definition-for-TRAP_HWBKP.patch \ | 44 | file://0028-bits-siginfo-consts.h-enum-definition-for-TRAP_HWBKP.patch \ |
45 | file://0029-Replace-strncpy-with-memccpy-to-fix-Wstringop-trunca.patch \ | 45 | file://0029-Replace-strncpy-with-memccpy-to-fix-Wstringop-trunca.patch \ |
46 | file://0030-plural_c_no_preprocessor_lines.patch \ | 46 | file://0030-plural_c_no_preprocessor_lines.patch \ |
47 | file://CVE-2017-18269.patch \ | ||
48 | file://CVE-2018-11236.patch \ | ||
47 | " | 49 | " |
48 | 50 | ||
49 | NATIVESDKFIXES ?= "" | 51 | NATIVESDKFIXES ?= "" |