authorArmin Kuster <akuster@mvista.com>2016-02-28 10:53:33 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-21 15:48:47 +0000
commit14a42e27195a100ca5edc551007a6a120b10c398 (patch)
tree92dccbf97faab8209fb0255bafdc6a0cb0a8446f
parentdae5ee4e5e41b9bbfb2d0f22521247efa5cadeb0 (diff)
downloadpoky-14a42e27195a100ca5edc551007a6a120b10c398.tar.gz
glibc: CVE-2015-8779
A stack overflow vulnerability in the catopen function was found, causing applications which pass long strings to the catopen function to crash or, potentially, execute arbitrary code. (From OE-Core rev: af20e323932caba8883c91dac610e1ba2b3d4ab5) (From OE-Core rev: 01e9f306e0af4ea2d9fe611c1592b0f19d83f487) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8779.patch261
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb1
2 files changed, 262 insertions, 0 deletions
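--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
@@ -0,0 +1,261 @@
+From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Sat, 8 Aug 2015 15:53:03 -0700
+Subject: [PATCH] Fix BZ #17905
+
+Upstream-Status: Backport
+CVE: CVE-2015-8779
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 8 ++++++++
+ NEWS | 2 +-
+ catgets/Makefile | 9 ++++++++-
+ catgets/catgets.c | 19 ++++++++++++-------
+ catgets/open_catalog.c | 23 ++++++++++++++---------
+ catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++
+ 6 files changed, 74 insertions(+), 18 deletions(-)
+
+Index: git/catgets/Makefile
+===================================================================
+--- git.orig/catgets/Makefile
++++ git/catgets/Makefile
+@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
+ ifeq ($(run-built-tests),yes)
+ tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
+ $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
++tests-special += $(objpfx)tst-catgets-mem.out
+ endif
+ endif
+ gencat-modules = xmalloc
+@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
+
+ generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
+ test-gencat.h
++generated += tst-catgets.mtrace tst-catgets-mem.out
++
+ generated-dirs += de
+
+-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
++tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
+
+ ifeq ($(run-built-tests),yes)
+ # This test just checks whether the program produces any error or not.
+@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
+ $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
+ $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
+ $(evaluate-test)
++
++$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
++ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
++ $(evaluate-test)
+ endif
+Index: git/catgets/catgets.c
+===================================================================
+--- git.orig/catgets/catgets.c
++++ git/catgets/catgets.c
+@@ -16,7 +16,6 @@
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+-#include <alloca.h>
+ #include <errno.h>
+ #include <locale.h>
+ #include <nl_types.h>
+@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
+ __nl_catd result;
+ const char *env_var = NULL;
+ const char *nlspath = NULL;
++ char *tmp = NULL;
+
+ if (strchr (cat_name, '/') == NULL)
+ {
+@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
+ {
+ /* Append the system dependent directory. */
+ size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
+- char *tmp = alloca (len);
++ tmp = malloc (len);
++
++ if (__glibc_unlikely (tmp == NULL))
++ return (nl_catd) -1;
+
+ __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
+ nlspath = tmp;
+@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
+
+ result = (__nl_catd) malloc (sizeof (*result));
+ if (result == NULL)
+- /* We cannot get enough memory. */
+- return (nl_catd) -1;
+-
+- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
++ {
++ /* We cannot get enough memory. */
++ result = (nl_catd) -1;
++ }
++ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+ {
+ /* Couldn't open the file. */
+ free ((void *) result);
+- return (nl_catd) -1;
++ result = (nl_catd) -1;
+ }
+
++ free (tmp);
+ return (nl_catd) result;
+ }
+
+Index: git/catgets/open_catalog.c
+===================================================================
+--- git.orig/catgets/open_catalog.c
++++ git/catgets/open_catalog.c
+@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
+ size_t tab_size;
+ const char *lastp;
+ int result = -1;
++ char *buf = NULL;
+
+ if (strchr (cat_name, '/') != NULL || nlspath == NULL)
+ fd = open_not_cancel_2 (cat_name, O_RDONLY);
+@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
+ if (__glibc_unlikely (bufact + (n) >= bufmax)) \
+ { \
+ char *old_buf = buf; \
+- bufmax += 256 + (n); \
+- buf = (char *) alloca (bufmax); \
+- memcpy (buf, old_buf, bufact); \
++ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
++ buf = realloc (buf, bufmax); \
++ if (__glibc_unlikely (buf == NULL)) \
++ { \
++ free (old_buf); \
++ return -1; \
++ } \
+ }
+
+ /* The RUN_NLSPATH variable contains a colon separated list of
+ descriptions where we expect to find catalogs. We have to
+ recognize certain % substitutions and stop when we found the
+ first existing file. */
+- char *buf;
+ size_t bufact;
+- size_t bufmax;
++ size_t bufmax = 0;
+ size_t len;
+
+- buf = NULL;
+- bufmax = 0;
+-
+ fd = -1;
+ while (*run_nlspath != '\0')
+ {
+@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
+
+ /* Avoid dealing with directories and block devices */
+ if (__builtin_expect (fd, 0) < 0)
+- return -1;
++ {
++ free (buf);
++ return -1;
++ }
+
+ if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
+ goto close_unlock_return;
+@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
+ /* Release the lock again. */
+ close_unlock_return:
+ close_not_cancel_no_status (fd);
++ free (buf);
+
+ return result;
+ }
+Index: git/catgets/tst-catgets.c
+===================================================================
+--- git.orig/catgets/tst-catgets.c
++++ git/catgets/tst-catgets.c
+@@ -1,7 +1,10 @@
++#include <assert.h>
+ #include <mcheck.h>
+ #include <nl_types.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
++#include <sys/resource.h>
+
+
+ static const char *msgs[] =
+@@ -12,6 +15,33 @@ static const char *msgs[] =
+ };
+ #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
+
++
++/* Test for unbounded alloca. */
++static int
++do_bz17905 (void)
++{
++ char *buf;
++ struct rlimit rl;
++ nl_catd result;
++
++ const int sz = 1024 * 1024;
++
++ getrlimit (RLIMIT_STACK, &rl);
++ rl.rlim_cur = sz;
++ setrlimit (RLIMIT_STACK, &rl);
++
++ buf = malloc (sz + 1);
++ memset (buf, 'A', sz);
++ buf[sz] = '\0';
++ setenv ("NLSPATH", buf, 1);
++
++ result = catopen (buf, NL_CAT_LOCALE);
++ assert (result == (nl_catd) -1);
++
++ free (buf);
++ return 0;
++}
++
+ #define ROUNDS 5
+
+ int
+@@ -62,5 +92,6 @@ main (void)
+ }
+ }
+
++ result += do_bz17905 ();
+ return result;
+ }
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,11 @@
++2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
++
++ [BZ #17905]
++ * catgets/Makefile (tst-catgets-mem): New test.
++ * catgets/catgets.c (catopen): Don't use unbounded alloca.
++ * catgets/open_catalog.c (__open_catalog): Likewise.
++ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
++
+ 2015-10-15 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18928]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -24,7 +24,7 @@ Version 2.20
+ 17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078,
+ 17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150,
+ 17153, 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354,
+- 17625, 17630, 18928.
++ 17625, 17630, 18928, 17905.
+
+ * The LD_POINTER_GUARD environment variable can no longer be used to
+ disable the pointer guard feature. It is always enabled.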
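Review bot: In the new `do_bz17905` test the results of `getrlimit`, `setrlimit` and `malloc` are never checked, so if `setrlimit` fails (it returns an error when the requested soft limit exceeds the hard limit, e.g. a hard stack limit already below 1 MiB) the stack limit stays where it was and the test silently stops exercising the exhaustion condition BZ #17905 is about, while a NULL from `malloc` is handed straight to `memset`. Failing explicitly keeps the regression test meaningful: `if (setrlimit (RLIMIT_STACK, &rl) != 0) return 1;` and, after the allocation, `if (buf == NULL) return 1;` — `main` already folds the return value into `result`. The assertion that `catopen` returns `(nl_catd) -1` for a 1 MiB `NLSPATH` is the right shape for this fix. The catgets.c and open_catalog.c hunks free the heap buffers on every exit path visible in the context; both functions begin and end outside the hunks shown.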
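--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -49,6 +49,7 @@ CVEPATCHES = "\
 file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
 file://CVE-2015-7547.patch \
 file://CVE-2015-8777.patch \
+file://CVE-2015-8779.patch \
 "
 
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \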