summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-02-03 10:59:14 (GMT)
committerTudor Florea <tudor.florea@enea.com>2016-02-03 21:21:39 (GMT)
commita0b44f4563515377fa4944d220f7e0f948729872 (patch)
treecdf7dbe29b00928dc673bef9349868d95200a76a
parent7273dba2c5f6c834560cd84853a1df358221b469 (diff)
downloadpoky-a0b44f4563515377fa4944d220f7e0f948729872.tar.gz
glibc: CVE-2014-9761
A stack overflow vulnerability was found in nan* functions that could cause applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (From OE-Core rev: fd3da8178c8c06b549dbc19ecec40e98ab934d49) References: Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=16962 CVE assignment: http://seclists.org/oss-sec/2016/q1/153 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2014-9761_1.patch977
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch351
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb2
3 files changed, 1330 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2014-9761_1.patch b/meta/recipes-core/glibc/glibc/CVE-2014-9761_1.patch
new file mode 100644
index 0000000..6c885d1
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2014-9761_1.patch
@@ -0,0 +1,977 @@
1From e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 Mon Sep 17 00:00:00 2001
2From: Joseph Myers <joseph@codesourcery.com>
3Date: Tue, 24 Nov 2015 22:24:52 +0000
4Subject: [PATCH] Refactor strtod parsing of NaN payloads.
5
6The nan* functions handle their string argument by constructing a
7NAN(...) string on the stack as a VLA and passing it to strtod
8functions.
9
10This approach has problems discussed in bug 16961 and bug 16962: the
11stack usage is unbounded, and it gives incorrect results in certain
12cases where the argument is not a valid n-char-sequence.
13
14The natural fix for both issues is to refactor the NaN payload parsing
15out of strtod into a separate function that the nan* functions can
16call directly, so that no temporary string needs constructing on the
17stack at all. This patch does that refactoring in preparation for
18fixing those bugs (but without actually using the new functions from
19nan* - which will also require exporting them from libc at version
20GLIBC_PRIVATE). This patch is not intended to change any user-visible
21behavior, so no tests are added (fixes for the above bugs will of
22course add tests for them).
23
24This patch builds on my recent fixes for strtol and strtod issues in
25Turkish locales. Given those fixes, the parsing of NaN payloads is
26locale-independent; thus, the new functions do not need to take a
27locale_t argument.
28
29Tested for x86_64, x86, mips64 and powerpc.
30
31 * stdlib/strtod_nan.c: New file.
32 * stdlib/strtod_nan_double.h: Likewise.
33 * stdlib/strtod_nan_float.h: Likewise.
34 * stdlib/strtod_nan_main.c: Likewise.
35 * stdlib/strtod_nan_narrow.h: Likewise.
36 * stdlib/strtod_nan_wide.h: Likewise.
37 * stdlib/strtof_nan.c: Likewise.
38 * stdlib/strtold_nan.c: Likewise.
39 * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
40 * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
41 * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
42 * wcsmbs/wcstod_nan.c: Likewise.
43 * wcsmbs/wcstof_nan.c: Likewise.
44 * wcsmbs/wcstold_nan.c: Likewise.
45 * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
46 strtold_nan.
47 * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
48 wcstof_nan.
49 * include/stdlib.h (__strtof_nan): Declare and use
50 libc_hidden_proto.
51 (__strtod_nan): Likewise.
52 (__strtold_nan): Likewise.
53 (__wcstof_nan): Likewise.
54 (__wcstod_nan): Likewise.
55 (__wcstold_nan): Likewise.
56 * include/wchar.h (____wcstoull_l_internal): Declare.
57 * stdlib/strtod_l.c: Do not include <ieee754.h>.
58 (____strtoull_l_internal): Remove declaration.
59 (STRTOF_NAN): Define macro.
60 (SET_MANTISSA): Remove macro.
61 (STRTOULL): Likewise.
62 (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
63 * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
64 (STRTOF_NAN): Define macro.
65 (SET_MANTISSA): Remove macro.
66 * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
67 (SET_MANTISSA): Remove macro.
68 * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
69 macro.
70 (SET_MANTISSA): Remove macro.
71 * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
72 macro.
73 (SET_MANTISSA): Remove macro.
74 * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
75 (SET_MANTISSA): Remove macro.
76 * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
77 * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
78 * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
79
80Upstream-Status: Backport
81CVE: CVE-2014-9761 patch #1
82[Yocto # 8980]
83
84https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
85
86Signed-off-by: Armin Kuster <akuster@mvista.com>
87Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
88---
89 ChangeLog | 49 ++++++++++++++++++
90 include/stdlib.h | 18 +++++++
91 include/wchar.h | 3 ++
92 stdlib/Makefile | 1 +
93 stdlib/strtod_l.c | 48 ++++--------------
94 stdlib/strtod_nan.c | 24 +++++++++
95 stdlib/strtod_nan_double.h | 30 +++++++++++
96 stdlib/strtod_nan_float.h | 29 +++++++++++
97 stdlib/strtod_nan_main.c | 63 ++++++++++++++++++++++++
98 stdlib/strtod_nan_narrow.h | 22 +++++++++
99 stdlib/strtod_nan_wide.h | 22 +++++++++
100 stdlib/strtof_l.c | 11 +----
101 stdlib/strtof_nan.c | 24 +++++++++
102 stdlib/strtold_nan.c | 30 +++++++++++
103 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h | 33 +++++++++++++
104 sysdeps/ieee754/ldbl-128/strtold_l.c | 13 +----
105 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h | 30 +++++++++++
106 sysdeps/ieee754/ldbl-128ibm/strtold_l.c | 10 +---
107 sysdeps/ieee754/ldbl-64-128/strtold_l.c | 13 +----
108 sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h | 30 +++++++++++
109 sysdeps/ieee754/ldbl-96/strtold_l.c | 10 +---
110 wcsmbs/Makefile | 1 +
111 wcsmbs/wcstod_l.c | 3 --
112 wcsmbs/wcstod_nan.c | 23 +++++++++
113 wcsmbs/wcstof_l.c | 3 --
114 wcsmbs/wcstof_nan.c | 23 +++++++++
115 wcsmbs/wcstold_l.c | 3 --
116 wcsmbs/wcstold_nan.c | 30 +++++++++++
117 28 files changed, 504 insertions(+), 95 deletions(-)
118 create mode 100644 stdlib/strtod_nan.c
119 create mode 100644 stdlib/strtod_nan_double.h
120 create mode 100644 stdlib/strtod_nan_float.h
121 create mode 100644 stdlib/strtod_nan_main.c
122 create mode 100644 stdlib/strtod_nan_narrow.h
123 create mode 100644 stdlib/strtod_nan_wide.h
124 create mode 100644 stdlib/strtof_nan.c
125 create mode 100644 stdlib/strtold_nan.c
126 create mode 100644 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
127 create mode 100644 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
128 create mode 100644 sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
129 create mode 100644 wcsmbs/wcstod_nan.c
130 create mode 100644 wcsmbs/wcstof_nan.c
131 create mode 100644 wcsmbs/wcstold_nan.c
132
133Index: git/include/stdlib.h
134===================================================================
135--- git.orig/include/stdlib.h
136+++ git/include/stdlib.h
137@@ -203,6 +203,24 @@ libc_hidden_proto (strtoll)
138 libc_hidden_proto (strtoul)
139 libc_hidden_proto (strtoull)
140
141+extern float __strtof_nan (const char *, char **, char) internal_function;
142+extern double __strtod_nan (const char *, char **, char) internal_function;
143+extern long double __strtold_nan (const char *, char **, char)
144+ internal_function;
145+extern float __wcstof_nan (const wchar_t *, wchar_t **, wchar_t)
146+ internal_function;
147+extern double __wcstod_nan (const wchar_t *, wchar_t **, wchar_t)
148+ internal_function;
149+extern long double __wcstold_nan (const wchar_t *, wchar_t **, wchar_t)
150+ internal_function;
151+
152+libc_hidden_proto (__strtof_nan)
153+libc_hidden_proto (__strtod_nan)
154+libc_hidden_proto (__strtold_nan)
155+libc_hidden_proto (__wcstof_nan)
156+libc_hidden_proto (__wcstod_nan)
157+libc_hidden_proto (__wcstold_nan)
158+
159 extern char *__ecvt (double __value, int __ndigit, int *__restrict __decpt,
160 int *__restrict __sign);
161 extern char *__fcvt (double __value, int __ndigit, int *__restrict __decpt,
162Index: git/include/wchar.h
163===================================================================
164--- git.orig/include/wchar.h
165+++ git/include/wchar.h
166@@ -52,6 +52,9 @@ extern unsigned long long int __wcstoull
167 __restrict __endptr,
168 int __base,
169 int __group) __THROW;
170+extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
171+ wchar_t **, int, int,
172+ __locale_t);
173 libc_hidden_proto (__wcstof_internal)
174 libc_hidden_proto (__wcstod_internal)
175 libc_hidden_proto (__wcstold_internal)
176Index: git/stdlib/Makefile
177===================================================================
178--- git.orig/stdlib/Makefile
179+++ git/stdlib/Makefile
180@@ -51,6 +51,7 @@ routines-y := \
181 strtol_l strtoul_l strtoll_l strtoull_l \
182 strtof strtod strtold \
183 strtof_l strtod_l strtold_l \
184+ strtof_nan strtod_nan strtold_nan \
185 system canonicalize \
186 a64l l64a \
187 getsubopt xpg_basename \
188Index: git/stdlib/strtod_l.c
189===================================================================
190--- git.orig/stdlib/strtod_l.c
191+++ git/stdlib/strtod_l.c
192@@ -21,8 +21,6 @@
193 #include <xlocale.h>
194
195 extern double ____strtod_l_internal (const char *, char **, int, __locale_t);
196-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
197- int, int, __locale_t);
198
199 /* Configuration part. These macros are defined by `strtold.c',
200 `strtof.c', `wcstod.c', `wcstold.c', and `wcstof.c' to produce the
201@@ -34,27 +32,20 @@ extern unsigned long long int ____strtou
202 # ifdef USE_WIDE_CHAR
203 # define STRTOF wcstod_l
204 # define __STRTOF __wcstod_l
205+# define STRTOF_NAN __wcstod_nan
206 # else
207 # define STRTOF strtod_l
208 # define __STRTOF __strtod_l
209+# define STRTOF_NAN __strtod_nan
210 # endif
211 # define MPN2FLOAT __mpn_construct_double
212 # define FLOAT_HUGE_VAL HUGE_VAL
213-# define SET_MANTISSA(flt, mant) \
214- do { union ieee754_double u; \
215- u.d = (flt); \
216- u.ieee_nan.mantissa0 = (mant) >> 32; \
217- u.ieee_nan.mantissa1 = (mant); \
218- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
219- (flt) = u.d; \
220- } while (0)
221 #endif
222 /* End of configuration part. */
223
224 #include <ctype.h>
225 #include <errno.h>
226 #include <float.h>
227-#include <ieee754.h>
228 #include "../locale/localeinfo.h"
229 #include <locale.h>
230 #include <math.h>
231@@ -105,7 +96,6 @@ extern unsigned long long int ____strtou
232 # define TOLOWER_C(Ch) __towlower_l ((Ch), _nl_C_locobj_ptr)
233 # define STRNCASECMP(S1, S2, N) \
234 __wcsncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
235-# define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, loc)
236 #else
237 # define STRING_TYPE char
238 # define CHAR_TYPE char
239@@ -117,7 +107,6 @@ extern unsigned long long int ____strtou
240 # define TOLOWER_C(Ch) __tolower_l ((Ch), _nl_C_locobj_ptr)
241 # define STRNCASECMP(S1, S2, N) \
242 __strncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
243-# define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, loc)
244 #endif
245
246
247@@ -668,33 +657,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group
248 if (*cp == L_('('))
249 {
250 const STRING_TYPE *startp = cp;
251- do
252- ++cp;
253- while ((*cp >= L_('0') && *cp <= L_('9'))
254- || ({ CHAR_TYPE lo = TOLOWER (*cp);
255- lo >= L_('a') && lo <= L_('z'); })
256- || *cp == L_('_'));
257-
258- if (*cp != L_(')'))
259- /* The closing brace is missing. Only match the NAN
260- part. */
261- cp = startp;
262+ STRING_TYPE *endp;
263+ retval = STRTOF_NAN (cp + 1, &endp, L_(')'));
264+ if (*endp == L_(')'))
265+ /* Consume the closing parenthesis. */
266+ cp = endp + 1;
267 else
268- {
269- /* This is a system-dependent way to specify the
270- bitmask used for the NaN. We expect it to be
271- a number which is put in the mantissa of the
272- number. */
273- STRING_TYPE *endp;
274- unsigned long long int mant;
275-
276- mant = STRTOULL (startp + 1, &endp, 0);
277- if (endp == cp)
278- SET_MANTISSA (retval, mant);
279-
280- /* Consume the closing brace. */
281- ++cp;
282- }
283+ /* Only match the NAN part. */
284+ cp = startp;
285 }
286
287 if (endptr != NULL)
288Index: git/stdlib/strtod_nan.c
289===================================================================
290--- /dev/null
291+++ git/stdlib/strtod_nan.c
292@@ -0,0 +1,24 @@
293+/* Convert string for NaN payload to corresponding NaN. Narrow
294+ strings, double.
295+ Copyright (C) 2015 Free Software Foundation, Inc.
296+ This file is part of the GNU C Library.
297+
298+ The GNU C Library is free software; you can redistribute it and/or
299+ modify it under the terms of the GNU Lesser General Public
300+ License as published by the Free Software Foundation; either
301+ version 2.1 of the License, or (at your option) any later version.
302+
303+ The GNU C Library is distributed in the hope that it will be useful,
304+ but WITHOUT ANY WARRANTY; without even the implied warranty of
305+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
306+ Lesser General Public License for more details.
307+
308+ You should have received a copy of the GNU Lesser General Public
309+ License along with the GNU C Library; if not, see
310+ <http://www.gnu.org/licenses/>. */
311+
312+#include <strtod_nan_narrow.h>
313+#include <strtod_nan_double.h>
314+
315+#define STRTOD_NAN __strtod_nan
316+#include <strtod_nan_main.c>
317Index: git/stdlib/strtod_nan_double.h
318===================================================================
319--- /dev/null
320+++ git/stdlib/strtod_nan_double.h
321@@ -0,0 +1,30 @@
322+/* Convert string for NaN payload to corresponding NaN. For double.
323+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
324+ This file is part of the GNU C Library.
325+
326+ The GNU C Library is free software; you can redistribute it and/or
327+ modify it under the terms of the GNU Lesser General Public
328+ License as published by the Free Software Foundation; either
329+ version 2.1 of the License, or (at your option) any later version.
330+
331+ The GNU C Library is distributed in the hope that it will be useful,
332+ but WITHOUT ANY WARRANTY; without even the implied warranty of
333+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
334+ Lesser General Public License for more details.
335+
336+ You should have received a copy of the GNU Lesser General Public
337+ License along with the GNU C Library; if not, see
338+ <http://www.gnu.org/licenses/>. */
339+
340+#define FLOAT double
341+#define SET_MANTISSA(flt, mant) \
342+ do \
343+ { \
344+ union ieee754_double u; \
345+ u.d = (flt); \
346+ u.ieee_nan.mantissa0 = (mant) >> 32; \
347+ u.ieee_nan.mantissa1 = (mant); \
348+ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
349+ (flt) = u.d; \
350+ } \
351+ while (0)
352Index: git/stdlib/strtod_nan_float.h
353===================================================================
354--- /dev/null
355+++ git/stdlib/strtod_nan_float.h
356@@ -0,0 +1,29 @@
357+/* Convert string for NaN payload to corresponding NaN. For float.
358+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
359+ This file is part of the GNU C Library.
360+
361+ The GNU C Library is free software; you can redistribute it and/or
362+ modify it under the terms of the GNU Lesser General Public
363+ License as published by the Free Software Foundation; either
364+ version 2.1 of the License, or (at your option) any later version.
365+
366+ The GNU C Library is distributed in the hope that it will be useful,
367+ but WITHOUT ANY WARRANTY; without even the implied warranty of
368+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
369+ Lesser General Public License for more details.
370+
371+ You should have received a copy of the GNU Lesser General Public
372+ License along with the GNU C Library; if not, see
373+ <http://www.gnu.org/licenses/>. */
374+
375+#define FLOAT float
376+#define SET_MANTISSA(flt, mant) \
377+ do \
378+ { \
379+ union ieee754_float u; \
380+ u.f = (flt); \
381+ u.ieee_nan.mantissa = (mant); \
382+ if (u.ieee.mantissa != 0) \
383+ (flt) = u.f; \
384+ } \
385+ while (0)
386Index: git/stdlib/strtod_nan_main.c
387===================================================================
388--- /dev/null
389+++ git/stdlib/strtod_nan_main.c
390@@ -0,0 +1,63 @@
391+/* Convert string for NaN payload to corresponding NaN.
392+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
393+ This file is part of the GNU C Library.
394+
395+ The GNU C Library is free software; you can redistribute it and/or
396+ modify it under the terms of the GNU Lesser General Public
397+ License as published by the Free Software Foundation; either
398+ version 2.1 of the License, or (at your option) any later version.
399+
400+ The GNU C Library is distributed in the hope that it will be useful,
401+ but WITHOUT ANY WARRANTY; without even the implied warranty of
402+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
403+ Lesser General Public License for more details.
404+
405+ You should have received a copy of the GNU Lesser General Public
406+ License along with the GNU C Library; if not, see
407+ <http://www.gnu.org/licenses/>. */
408+
409+#include <ieee754.h>
410+#include <locale.h>
411+#include <math.h>
412+#include <stdlib.h>
413+#include <wchar.h>
414+
415+
416+/* If STR starts with an optional n-char-sequence as defined by ISO C
417+ (a sequence of ASCII letters, digits and underscores), followed by
418+ ENDC, return a NaN whose payload is set based on STR. Otherwise,
419+ return a default NAN. If ENDPTR is not NULL, set *ENDPTR to point
420+ to the character after the initial n-char-sequence. */
421+
422+internal_function
423+FLOAT
424+STRTOD_NAN (const STRING_TYPE *str, STRING_TYPE **endptr, STRING_TYPE endc)
425+{
426+ const STRING_TYPE *cp = str;
427+
428+ while ((*cp >= L_('0') && *cp <= L_('9'))
429+ || (*cp >= L_('A') && *cp <= L_('Z'))
430+ || (*cp >= L_('a') && *cp <= L_('z'))
431+ || *cp == L_('_'))
432+ ++cp;
433+
434+ FLOAT retval = NAN;
435+ if (*cp != endc)
436+ goto out;
437+
438+ /* This is a system-dependent way to specify the bitmask used for
439+ the NaN. We expect it to be a number which is put in the
440+ mantissa of the number. */
441+ STRING_TYPE *endp;
442+ unsigned long long int mant;
443+
444+ mant = STRTOULL (str, &endp, 0);
445+ if (endp == cp)
446+ SET_MANTISSA (retval, mant);
447+
448+ out:
449+ if (endptr != NULL)
450+ *endptr = (STRING_TYPE *) cp;
451+ return retval;
452+}
453+libc_hidden_def (STRTOD_NAN)
454Index: git/stdlib/strtod_nan_narrow.h
455===================================================================
456--- /dev/null
457+++ git/stdlib/strtod_nan_narrow.h
458@@ -0,0 +1,22 @@
459+/* Convert string for NaN payload to corresponding NaN. Narrow strings.
460+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
461+ This file is part of the GNU C Library.
462+
463+ The GNU C Library is free software; you can redistribute it and/or
464+ modify it under the terms of the GNU Lesser General Public
465+ License as published by the Free Software Foundation; either
466+ version 2.1 of the License, or (at your option) any later version.
467+
468+ The GNU C Library is distributed in the hope that it will be useful,
469+ but WITHOUT ANY WARRANTY; without even the implied warranty of
470+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
471+ Lesser General Public License for more details.
472+
473+ You should have received a copy of the GNU Lesser General Public
474+ License along with the GNU C Library; if not, see
475+ <http://www.gnu.org/licenses/>. */
476+
477+#define STRING_TYPE char
478+#define L_(Ch) Ch
479+#define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, \
480+ _nl_C_locobj_ptr)
481Index: git/stdlib/strtod_nan_wide.h
482===================================================================
483--- /dev/null
484+++ git/stdlib/strtod_nan_wide.h
485@@ -0,0 +1,22 @@
486+/* Convert string for NaN payload to corresponding NaN. Wide strings.
487+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
488+ This file is part of the GNU C Library.
489+
490+ The GNU C Library is free software; you can redistribute it and/or
491+ modify it under the terms of the GNU Lesser General Public
492+ License as published by the Free Software Foundation; either
493+ version 2.1 of the License, or (at your option) any later version.
494+
495+ The GNU C Library is distributed in the hope that it will be useful,
496+ but WITHOUT ANY WARRANTY; without even the implied warranty of
497+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
498+ Lesser General Public License for more details.
499+
500+ You should have received a copy of the GNU Lesser General Public
501+ License along with the GNU C Library; if not, see
502+ <http://www.gnu.org/licenses/>. */
503+
504+#define STRING_TYPE wchar_t
505+#define L_(Ch) L##Ch
506+#define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, \
507+ _nl_C_locobj_ptr)
508Index: git/stdlib/strtof_l.c
509===================================================================
510--- git.orig/stdlib/strtof_l.c
511+++ git/stdlib/strtof_l.c
512@@ -20,26 +20,19 @@
513 #include <xlocale.h>
514
515 extern float ____strtof_l_internal (const char *, char **, int, __locale_t);
516-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
517- int, int, __locale_t);
518
519 #define FLOAT float
520 #define FLT FLT
521 #ifdef USE_WIDE_CHAR
522 # define STRTOF wcstof_l
523 # define __STRTOF __wcstof_l
524+# define STRTOF_NAN __wcstof_nan
525 #else
526 # define STRTOF strtof_l
527 # define __STRTOF __strtof_l
528+# define STRTOF_NAN __strtof_nan
529 #endif
530 #define MPN2FLOAT __mpn_construct_float
531 #define FLOAT_HUGE_VAL HUGE_VALF
532-#define SET_MANTISSA(flt, mant) \
533- do { union ieee754_float u; \
534- u.f = (flt); \
535- u.ieee_nan.mantissa = (mant); \
536- if (u.ieee.mantissa != 0) \
537- (flt) = u.f; \
538- } while (0)
539
540 #include "strtod_l.c"
541Index: git/stdlib/strtof_nan.c
542===================================================================
543--- /dev/null
544+++ git/stdlib/strtof_nan.c
545@@ -0,0 +1,24 @@
546+/* Convert string for NaN payload to corresponding NaN. Narrow
547+ strings, float.
548+ Copyright (C) 2015 Free Software Foundation, Inc.
549+ This file is part of the GNU C Library.
550+
551+ The GNU C Library is free software; you can redistribute it and/or
552+ modify it under the terms of the GNU Lesser General Public
553+ License as published by the Free Software Foundation; either
554+ version 2.1 of the License, or (at your option) any later version.
555+
556+ The GNU C Library is distributed in the hope that it will be useful,
557+ but WITHOUT ANY WARRANTY; without even the implied warranty of
558+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
559+ Lesser General Public License for more details.
560+
561+ You should have received a copy of the GNU Lesser General Public
562+ License along with the GNU C Library; if not, see
563+ <http://www.gnu.org/licenses/>. */
564+
565+#include <strtod_nan_narrow.h>
566+#include <strtod_nan_float.h>
567+
568+#define STRTOD_NAN __strtof_nan
569+#include <strtod_nan_main.c>
570Index: git/stdlib/strtold_nan.c
571===================================================================
572--- /dev/null
573+++ git/stdlib/strtold_nan.c
574@@ -0,0 +1,30 @@
575+/* Convert string for NaN payload to corresponding NaN. Narrow
576+ strings, long double.
577+ Copyright (C) 2015 Free Software Foundation, Inc.
578+ This file is part of the GNU C Library.
579+
580+ The GNU C Library is free software; you can redistribute it and/or
581+ modify it under the terms of the GNU Lesser General Public
582+ License as published by the Free Software Foundation; either
583+ version 2.1 of the License, or (at your option) any later version.
584+
585+ The GNU C Library is distributed in the hope that it will be useful,
586+ but WITHOUT ANY WARRANTY; without even the implied warranty of
587+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
588+ Lesser General Public License for more details.
589+
590+ You should have received a copy of the GNU Lesser General Public
591+ License along with the GNU C Library; if not, see
592+ <http://www.gnu.org/licenses/>. */
593+
594+#include <math.h>
595+
596+/* This function is unused if long double and double have the same
597+ representation. */
598+#ifndef __NO_LONG_DOUBLE_MATH
599+# include <strtod_nan_narrow.h>
600+# include <strtod_nan_ldouble.h>
601+
602+# define STRTOD_NAN __strtold_nan
603+# include <strtod_nan_main.c>
604+#endif
605Index: git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
606===================================================================
607--- /dev/null
608+++ git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
609@@ -0,0 +1,33 @@
610+/* Convert string for NaN payload to corresponding NaN. For ldbl-128.
611+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
612+ This file is part of the GNU C Library.
613+
614+ The GNU C Library is free software; you can redistribute it and/or
615+ modify it under the terms of the GNU Lesser General Public
616+ License as published by the Free Software Foundation; either
617+ version 2.1 of the License, or (at your option) any later version.
618+
619+ The GNU C Library is distributed in the hope that it will be useful,
620+ but WITHOUT ANY WARRANTY; without even the implied warranty of
621+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
622+ Lesser General Public License for more details.
623+
624+ You should have received a copy of the GNU Lesser General Public
625+ License along with the GNU C Library; if not, see
626+ <http://www.gnu.org/licenses/>. */
627+
628+#define FLOAT long double
629+#define SET_MANTISSA(flt, mant) \
630+ do \
631+ { \
632+ union ieee854_long_double u; \
633+ u.d = (flt); \
634+ u.ieee_nan.mantissa0 = 0; \
635+ u.ieee_nan.mantissa1 = 0; \
636+ u.ieee_nan.mantissa2 = (mant) >> 32; \
637+ u.ieee_nan.mantissa3 = (mant); \
638+ if ((u.ieee.mantissa0 | u.ieee.mantissa1 \
639+ | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \
640+ (flt) = u.d; \
641+ } \
642+ while (0)
643Index: git/sysdeps/ieee754/ldbl-128/strtold_l.c
644===================================================================
645--- git.orig/sysdeps/ieee754/ldbl-128/strtold_l.c
646+++ git/sysdeps/ieee754/ldbl-128/strtold_l.c
647@@ -25,22 +25,13 @@
648 #ifdef USE_WIDE_CHAR
649 # define STRTOF wcstold_l
650 # define __STRTOF __wcstold_l
651+# define STRTOF_NAN __wcstold_nan
652 #else
653 # define STRTOF strtold_l
654 # define __STRTOF __strtold_l
655+# define STRTOF_NAN __strtold_nan
656 #endif
657 #define MPN2FLOAT __mpn_construct_long_double
658 #define FLOAT_HUGE_VAL HUGE_VALL
659-#define SET_MANTISSA(flt, mant) \
660- do { union ieee854_long_double u; \
661- u.d = (flt); \
662- u.ieee_nan.mantissa0 = 0; \
663- u.ieee_nan.mantissa1 = 0; \
664- u.ieee_nan.mantissa2 = (mant) >> 32; \
665- u.ieee_nan.mantissa3 = (mant); \
666- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \
667- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \
668- (flt) = u.d; \
669- } while (0)
670
671 #include <strtod_l.c>
672Index: git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
673===================================================================
674--- /dev/null
675+++ git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
676@@ -0,0 +1,30 @@
677+/* Convert string for NaN payload to corresponding NaN. For ldbl-128ibm.
678+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
679+ This file is part of the GNU C Library.
680+
681+ The GNU C Library is free software; you can redistribute it and/or
682+ modify it under the terms of the GNU Lesser General Public
683+ License as published by the Free Software Foundation; either
684+ version 2.1 of the License, or (at your option) any later version.
685+
686+ The GNU C Library is distributed in the hope that it will be useful,
687+ but WITHOUT ANY WARRANTY; without even the implied warranty of
688+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
689+ Lesser General Public License for more details.
690+
691+ You should have received a copy of the GNU Lesser General Public
692+ License along with the GNU C Library; if not, see
693+ <http://www.gnu.org/licenses/>. */
694+
695+#define FLOAT long double
696+#define SET_MANTISSA(flt, mant) \
697+ do \
698+ { \
699+ union ibm_extended_long_double u; \
700+ u.ld = (flt); \
701+ u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \
702+ u.d[0].ieee_nan.mantissa1 = (mant); \
703+ if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \
704+ (flt) = u.ld; \
705+ } \
706+ while (0)
707Index: git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
708===================================================================
709--- git.orig/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
710+++ git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
711@@ -30,25 +30,19 @@ extern long double ____new_wcstold_l (co
712 # define STRTOF __new_wcstold_l
713 # define __STRTOF ____new_wcstold_l
714 # define ____STRTOF_INTERNAL ____wcstold_l_internal
715+# define STRTOF_NAN __wcstold_nan
716 #else
717 extern long double ____new_strtold_l (const char *, char **, __locale_t);
718 # define STRTOF __new_strtold_l
719 # define __STRTOF ____new_strtold_l
720 # define ____STRTOF_INTERNAL ____strtold_l_internal
721+# define STRTOF_NAN __strtold_nan
722 #endif
723 extern __typeof (__STRTOF) STRTOF;
724 libc_hidden_proto (__STRTOF)
725 libc_hidden_proto (STRTOF)
726 #define MPN2FLOAT __mpn_construct_long_double
727 #define FLOAT_HUGE_VAL HUGE_VALL
728-# define SET_MANTISSA(flt, mant) \
729- do { union ibm_extended_long_double u; \
730- u.ld = (flt); \
731- u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \
732- u.d[0].ieee_nan.mantissa1 = (mant); \
733- if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \
734- (flt) = u.ld; \
735- } while (0)
736
737 #include <strtod_l.c>
738
739Index: git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
740===================================================================
741--- git.orig/sysdeps/ieee754/ldbl-64-128/strtold_l.c
742+++ git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
743@@ -30,28 +30,19 @@ extern long double ____new_wcstold_l (co
744 # define STRTOF __new_wcstold_l
745 # define __STRTOF ____new_wcstold_l
746 # define ____STRTOF_INTERNAL ____wcstold_l_internal
747+# define STRTOF_NAN __wcstold_nan
748 #else
749 extern long double ____new_strtold_l (const char *, char **, __locale_t);
750 # define STRTOF __new_strtold_l
751 # define __STRTOF ____new_strtold_l
752 # define ____STRTOF_INTERNAL ____strtold_l_internal
753+# define STRTOF_NAN __strtold_nan
754 #endif
755 extern __typeof (__STRTOF) STRTOF;
756 libc_hidden_proto (__STRTOF)
757 libc_hidden_proto (STRTOF)
758 #define MPN2FLOAT __mpn_construct_long_double
759 #define FLOAT_HUGE_VAL HUGE_VALL
760-#define SET_MANTISSA(flt, mant) \
761- do { union ieee854_long_double u; \
762- u.d = (flt); \
763- u.ieee_nan.mantissa0 = 0; \
764- u.ieee_nan.mantissa1 = 0; \
765- u.ieee_nan.mantissa2 = (mant) >> 32; \
766- u.ieee_nan.mantissa3 = (mant); \
767- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \
768- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \
769- (flt) = u.d; \
770- } while (0)
771
772 #include <strtod_l.c>
773
774Index: git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
775===================================================================
776--- /dev/null
777+++ git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
778@@ -0,0 +1,30 @@
779+/* Convert string for NaN payload to corresponding NaN. For ldbl-96.
780+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
781+ This file is part of the GNU C Library.
782+
783+ The GNU C Library is free software; you can redistribute it and/or
784+ modify it under the terms of the GNU Lesser General Public
785+ License as published by the Free Software Foundation; either
786+ version 2.1 of the License, or (at your option) any later version.
787+
788+ The GNU C Library is distributed in the hope that it will be useful,
789+ but WITHOUT ANY WARRANTY; without even the implied warranty of
790+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
791+ Lesser General Public License for more details.
792+
793+ You should have received a copy of the GNU Lesser General Public
794+ License along with the GNU C Library; if not, see
795+ <http://www.gnu.org/licenses/>. */
796+
797+#define FLOAT long double
798+#define SET_MANTISSA(flt, mant) \
799+ do \
800+ { \
801+ union ieee854_long_double u; \
802+ u.d = (flt); \
803+ u.ieee_nan.mantissa0 = (mant) >> 32; \
804+ u.ieee_nan.mantissa1 = (mant); \
805+ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
806+ (flt) = u.d; \
807+ } \
808+ while (0)
809Index: git/sysdeps/ieee754/ldbl-96/strtold_l.c
810===================================================================
811--- git.orig/sysdeps/ieee754/ldbl-96/strtold_l.c
812+++ git/sysdeps/ieee754/ldbl-96/strtold_l.c
813@@ -25,19 +25,13 @@
814 #ifdef USE_WIDE_CHAR
815 # define STRTOF wcstold_l
816 # define __STRTOF __wcstold_l
817+# define STRTOF_NAN __wcstold_nan
818 #else
819 # define STRTOF strtold_l
820 # define __STRTOF __strtold_l
821+# define STRTOF_NAN __strtold_nan
822 #endif
823 #define MPN2FLOAT __mpn_construct_long_double
824 #define FLOAT_HUGE_VAL HUGE_VALL
825-#define SET_MANTISSA(flt, mant) \
826- do { union ieee854_long_double u; \
827- u.d = (flt); \
828- u.ieee_nan.mantissa0 = (mant) >> 32; \
829- u.ieee_nan.mantissa1 = (mant); \
830- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
831- (flt) = u.d; \
832- } while (0)
833
834 #include <stdlib/strtod_l.c>
835Index: git/wcsmbs/Makefile
836===================================================================
837--- git.orig/wcsmbs/Makefile
838+++ git/wcsmbs/Makefile
839@@ -39,6 +39,7 @@ routines-$(OPTION_POSIX_C_LANG_WIDE_CHAR
840 wcstol wcstoul wcstoll wcstoull wcstod wcstold wcstof \
841 wcstol_l wcstoul_l wcstoll_l wcstoull_l \
842 wcstod_l wcstold_l wcstof_l \
843+ wcstod_nan wcstold_nan wcstof_nan \
844 wcscoll wcsxfrm \
845 wcwidth wcswidth \
846 wcscoll_l wcsxfrm_l \
847Index: git/wcsmbs/wcstod_l.c
848===================================================================
849--- git.orig/wcsmbs/wcstod_l.c
850+++ git/wcsmbs/wcstod_l.c
851@@ -23,9 +23,6 @@
852
853 extern double ____wcstod_l_internal (const wchar_t *, wchar_t **, int,
854 __locale_t);
855-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
856- wchar_t **, int, int,
857- __locale_t);
858
859 #define USE_WIDE_CHAR 1
860
861Index: git/wcsmbs/wcstod_nan.c
862===================================================================
863--- /dev/null
864+++ git/wcsmbs/wcstod_nan.c
865@@ -0,0 +1,23 @@
866+/* Convert string for NaN payload to corresponding NaN. Wide strings, double.
867+ Copyright (C) 2015 Free Software Foundation, Inc.
868+ This file is part of the GNU C Library.
869+
870+ The GNU C Library is free software; you can redistribute it and/or
871+ modify it under the terms of the GNU Lesser General Public
872+ License as published by the Free Software Foundation; either
873+ version 2.1 of the License, or (at your option) any later version.
874+
875+ The GNU C Library is distributed in the hope that it will be useful,
876+ but WITHOUT ANY WARRANTY; without even the implied warranty of
877+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
878+ Lesser General Public License for more details.
879+
880+ You should have received a copy of the GNU Lesser General Public
881+ License along with the GNU C Library; if not, see
882+ <http://www.gnu.org/licenses/>. */
883+
884+#include "../stdlib/strtod_nan_wide.h"
885+#include "../stdlib/strtod_nan_double.h"
886+
887+#define STRTOD_NAN __wcstod_nan
888+#include "../stdlib/strtod_nan_main.c"
889Index: git/wcsmbs/wcstof_l.c
890===================================================================
891--- git.orig/wcsmbs/wcstof_l.c
892+++ git/wcsmbs/wcstof_l.c
893@@ -25,8 +25,5 @@
894
895 extern float ____wcstof_l_internal (const wchar_t *, wchar_t **, int,
896 __locale_t);
897-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
898- wchar_t **, int, int,
899- __locale_t);
900
901 #include <stdlib/strtof_l.c>
902Index: git/wcsmbs/wcstof_nan.c
903===================================================================
904--- /dev/null
905+++ git/wcsmbs/wcstof_nan.c
906@@ -0,0 +1,23 @@
907+/* Convert string for NaN payload to corresponding NaN. Wide strings, float.
908+ Copyright (C) 2015 Free Software Foundation, Inc.
909+ This file is part of the GNU C Library.
910+
911+ The GNU C Library is free software; you can redistribute it and/or
912+ modify it under the terms of the GNU Lesser General Public
913+ License as published by the Free Software Foundation; either
914+ version 2.1 of the License, or (at your option) any later version.
915+
916+ The GNU C Library is distributed in the hope that it will be useful,
917+ but WITHOUT ANY WARRANTY; without even the implied warranty of
918+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
919+ Lesser General Public License for more details.
920+
921+ You should have received a copy of the GNU Lesser General Public
922+ License along with the GNU C Library; if not, see
923+ <http://www.gnu.org/licenses/>. */
924+
925+#include "../stdlib/strtod_nan_wide.h"
926+#include "../stdlib/strtod_nan_float.h"
927+
928+#define STRTOD_NAN __wcstof_nan
929+#include "../stdlib/strtod_nan_main.c"
930Index: git/wcsmbs/wcstold_l.c
931===================================================================
932--- git.orig/wcsmbs/wcstold_l.c
933+++ git/wcsmbs/wcstold_l.c
934@@ -24,8 +24,5 @@
935
936 extern long double ____wcstold_l_internal (const wchar_t *, wchar_t **, int,
937 __locale_t);
938-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
939- wchar_t **, int, int,
940- __locale_t);
941
942 #include <strtold_l.c>
943Index: git/wcsmbs/wcstold_nan.c
944===================================================================
945--- /dev/null
946+++ git/wcsmbs/wcstold_nan.c
947@@ -0,0 +1,30 @@
948+/* Convert string for NaN payload to corresponding NaN. Wide strings,
949+ long double.
950+ Copyright (C) 2015 Free Software Foundation, Inc.
951+ This file is part of the GNU C Library.
952+
953+ The GNU C Library is free software; you can redistribute it and/or
954+ modify it under the terms of the GNU Lesser General Public
955+ License as published by the Free Software Foundation; either
956+ version 2.1 of the License, or (at your option) any later version.
957+
958+ The GNU C Library is distributed in the hope that it will be useful,
959+ but WITHOUT ANY WARRANTY; without even the implied warranty of
960+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
961+ Lesser General Public License for more details.
962+
963+ You should have received a copy of the GNU Lesser General Public
964+ License along with the GNU C Library; if not, see
965+ <http://www.gnu.org/licenses/>. */
966+
967+#include <math.h>
968+
969+/* This function is unused if long double and double have the same
970+ representation. */
971+#ifndef __NO_LONG_DOUBLE_MATH
972+# include "../stdlib/strtod_nan_wide.h"
973+# include <strtod_nan_ldouble.h>
974+
975+# define STRTOD_NAN __wcstold_nan
976+# include "../stdlib/strtod_nan_main.c"
977+#endif
diff --git a/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch b/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch
new file mode 100644
index 0000000..bafb5ea
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch
@@ -0,0 +1,351 @@
1From 49a60a3411b86df1e555acfe7e7a80754c5c6c69 Mon Sep 17 00:00:00 2001
2From: Sona Sarmadi <sona.sarmadi@enea.com>
3Date: Tue, 2 Feb 2016 13:46:37 +0100
4Subject: [PATCH] From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17
5 00:00:00 2001 From: Joseph Myers <joseph@codesourcery.com> Date: Fri, 4 Dec
6 2015 20:36:28 +0000 Subject: [PATCH] Fix nan functions handling of payload
7 strings (bug 16961, bug 16962).
8
9The nan, nanf and nanl functions handle payload strings by doing e.g.:
10
11 if (tagp[0] != '\0')
12 {
13 char buf[6 + strlen (tagp)];
14 sprintf (buf, "NAN(%s)", tagp);
15 return strtod (buf, NULL);
16 }
17
18This is an unbounded stack allocation based on the length of the
19argument. Furthermore, if the argument starts with an n-char-sequence
20followed by ')', that n-char-sequence is wrongly treated as
21significant for determining the payload of the resulting NaN, when ISO
22C says the call should be equivalent to strtod ("NAN", NULL), without
23being affected by that initial n-char-sequence. This patch fixes both
24those problems by using the __strtod_nan etc. functions recently
25factored out of strtod etc. for that purpose, with those functions
26being exported from libc at version GLIBC_PRIVATE.
27
28Tested for x86_64, x86, mips64 and powerpc.
29
30 [BZ #16961]
31 [BZ #16962]
32 * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
33 string on the stack for strtod.
34 * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
35 a string on the stack for strtof.
36 * math/s_nanl.c (__nanl): Use __strtold_nan instead of
37 constructing a string on the stack for strtold.
38 * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
39 __strtold_nan to GLIBC_PRIVATE.
40 * math/test-nan-overflow.c: New file.
41 * math/test-nan-payload.c: Likewise.
42 * math/Makefile (tests): Add test-nan-overflow and
43 test-nan-payload.
44
45Upstream-Status: Backport
46CVE: CVE-2014-9761 patch #2
47[Yocto # 8980]
48
49https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
50
51Signed-off-by: Armin Kuster <akuster@mvista.com>
52Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
53---
54 math/Makefile | 4 +-
55 math/s_nan.c | 9 +---
56 math/s_nanf.c | 9 +---
57 math/s_nanl.c | 9 +---
58 math/test-nan-overflow.c | 66 +++++++++++++++++++++++++
59 math/test-nan-payload.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++
60 stdlib/Versions | 1 +
61 7 files changed, 195 insertions(+), 25 deletions(-)
62 create mode 100644 math/test-nan-overflow.c
63 create mode 100644 math/test-nan-payload.c
64
65diff --git a/math/Makefile b/math/Makefile
66index 05250c0..acb0007 100644
67--- a/math/Makefile
68+++ b/math/Makefile
69@@ -92,7 +92,9 @@ tests = test-matherr test-fenv atest-exp atest-sincos atest-exp2 basic-test \
70 test-misc test-fpucw test-fpucw-ieee tst-definitions test-tgmath \
71 test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \
72 test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \
73- test-fenv-tls test-fenv-preserve test-fenv-return $(tests-static)
74+ test-fenv-tls test-fenv-preserve test-fenv-return \
75+ test-nan-overflow test-nan-payload \
76+ $(tests-static)
77 tests-static = test-fpucw-static test-fpucw-ieee-static
78 # We do the `long double' tests only if this data type is available and
79 # distinct from `double'.
80diff --git a/math/s_nan.c b/math/s_nan.c
81index c01085f..3dc9f77 100644
82--- a/math/s_nan.c
83+++ b/math/s_nan.c
84@@ -28,14 +28,7 @@
85 double
86 __nan (const char *tagp)
87 {
88- if (tagp[0] != '\0')
89- {
90- char buf[6 + strlen (tagp)];
91- sprintf (buf, "NAN(%s)", tagp);
92- return strtod (buf, NULL);
93- }
94-
95- return NAN;
96+ return __strtod_nan (tagp, NULL, 0);
97 }
98 weak_alias (__nan, nan)
99 #ifdef NO_LONG_DOUBLE
100diff --git a/math/s_nanf.c b/math/s_nanf.c
101index a16fdbf..103fb8c 100644
102--- a/math/s_nanf.c
103+++ b/math/s_nanf.c
104@@ -28,13 +28,6 @@
105 float
106 __nanf (const char *tagp)
107 {
108- if (tagp[0] != '\0')
109- {
110- char buf[6 + strlen (tagp)];
111- sprintf (buf, "NAN(%s)", tagp);
112- return strtof (buf, NULL);
113- }
114-
115- return NAN;
116+ return __strtof_nan (tagp, NULL, 0);
117 }
118 weak_alias (__nanf, nanf)
119diff --git a/math/s_nanl.c b/math/s_nanl.c
120index 3769f17..3ccd3bc 100644
121--- a/math/s_nanl.c
122+++ b/math/s_nanl.c
123@@ -28,13 +28,6 @@
124 long double
125 __nanl (const char *tagp)
126 {
127- if (tagp[0] != '\0')
128- {
129- char buf[6 + strlen (tagp)];
130- sprintf (buf, "NAN(%s)", tagp);
131- return strtold (buf, NULL);
132- }
133-
134- return NAN;
135+ return __strtold_nan (tagp, NULL, 0);
136 }
137 weak_alias (__nanl, nanl)
138diff --git a/math/test-nan-overflow.c b/math/test-nan-overflow.c
139new file mode 100644
140index 0000000..f56aaf3
141--- /dev/null
142+++ b/math/test-nan-overflow.c
143@@ -0,0 +1,66 @@
144+/* Test nan functions stack overflow (bug 16962).
145+ Copyright (C) 2015 Free Software Foundation, Inc.
146+ This file is part of the GNU C Library.
147+
148+ The GNU C Library is free software; you can redistribute it and/or
149+ modify it under the terms of the GNU Lesser General Public
150+ License as published by the Free Software Foundation; either
151+ version 2.1 of the License, or (at your option) any later version.
152+
153+ The GNU C Library is distributed in the hope that it will be useful,
154+ but WITHOUT ANY WARRANTY; without even the implied warranty of
155+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
156+ Lesser General Public License for more details.
157+
158+ You should have received a copy of the GNU Lesser General Public
159+ License along with the GNU C Library; if not, see
160+ <http://www.gnu.org/licenses/>. */
161+
162+#include <math.h>
163+#include <stdio.h>
164+#include <string.h>
165+#include <sys/resource.h>
166+
167+#define STACK_LIM 1048576
168+#define STRING_SIZE (2 * STACK_LIM)
169+
170+static int
171+do_test (void)
172+{
173+ int result = 0;
174+ struct rlimit lim;
175+ getrlimit (RLIMIT_STACK, &lim);
176+ lim.rlim_cur = STACK_LIM;
177+ setrlimit (RLIMIT_STACK, &lim);
178+ char *nanstr = malloc (STRING_SIZE);
179+ if (nanstr == NULL)
180+ {
181+ puts ("malloc failed, cannot test");
182+ return 77;
183+ }
184+ memset (nanstr, '0', STRING_SIZE - 1);
185+ nanstr[STRING_SIZE - 1] = 0;
186+#define NAN_TEST(TYPE, FUNC) \
187+ do \
188+ { \
189+ char *volatile p = nanstr; \
190+ volatile TYPE v = FUNC (p); \
191+ if (isnan (v)) \
192+ puts ("PASS: " #FUNC); \
193+ else \
194+ { \
195+ puts ("FAIL: " #FUNC); \
196+ result = 1; \
197+ } \
198+ } \
199+ while (0)
200+ NAN_TEST (float, nanf);
201+ NAN_TEST (double, nan);
202+#ifndef NO_LONG_DOUBLE
203+ NAN_TEST (long double, nanl);
204+#endif
205+ return result;
206+}
207+
208+#define TEST_FUNCTION do_test ()
209+#include "../test-skeleton.c"
210diff --git a/math/test-nan-payload.c b/math/test-nan-payload.c
211new file mode 100644
212index 0000000..358ff71
213--- /dev/null
214+++ b/math/test-nan-payload.c
215@@ -0,0 +1,122 @@
216+/* Test nan functions payload handling (bug 16961).
217+ Copyright (C) 2015 Free Software Foundation, Inc.
218+ This file is part of the GNU C Library.
219+
220+ The GNU C Library is free software; you can redistribute it and/or
221+ modify it under the terms of the GNU Lesser General Public
222+ License as published by the Free Software Foundation; either
223+ version 2.1 of the License, or (at your option) any later version.
224+
225+ The GNU C Library is distributed in the hope that it will be useful,
226+ but WITHOUT ANY WARRANTY; without even the implied warranty of
227+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
228+ Lesser General Public License for more details.
229+
230+ You should have received a copy of the GNU Lesser General Public
231+ License along with the GNU C Library; if not, see
232+ <http://www.gnu.org/licenses/>. */
233+
234+#include <float.h>
235+#include <math.h>
236+#include <stdio.h>
237+#include <stdlib.h>
238+#include <string.h>
239+
240+/* Avoid built-in functions. */
241+#define WRAP_NAN(FUNC, STR) \
242+ ({ const char *volatile wns = (STR); FUNC (wns); })
243+#define WRAP_STRTO(FUNC, STR) \
244+ ({ const char *volatile wss = (STR); FUNC (wss, NULL); })
245+
246+#define CHECK_IS_NAN(TYPE, A) \
247+ do \
248+ { \
249+ if (isnan (A)) \
250+ puts ("PASS: " #TYPE " " #A); \
251+ else \
252+ { \
253+ puts ("FAIL: " #TYPE " " #A); \
254+ result = 1; \
255+ } \
256+ } \
257+ while (0)
258+
259+#define CHECK_SAME_NAN(TYPE, A, B) \
260+ do \
261+ { \
262+ if (memcmp (&(A), &(B), sizeof (A)) == 0) \
263+ puts ("PASS: " #TYPE " " #A " = " #B); \
264+ else \
265+ { \
266+ puts ("FAIL: " #TYPE " " #A " = " #B); \
267+ result = 1; \
268+ } \
269+ } \
270+ while (0)
271+
272+#define CHECK_DIFF_NAN(TYPE, A, B) \
273+ do \
274+ { \
275+ if (memcmp (&(A), &(B), sizeof (A)) != 0) \
276+ puts ("PASS: " #TYPE " " #A " != " #B); \
277+ else \
278+ { \
279+ puts ("FAIL: " #TYPE " " #A " != " #B); \
280+ result = 1; \
281+ } \
282+ } \
283+ while (0)
284+
285+/* Cannot test payloads by memcmp for formats where NaNs have padding
286+ bits. */
287+#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106)
288+
289+#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG) \
290+ do \
291+ { \
292+ TYPE n123 = WRAP_NAN (FUNC, "123"); \
293+ CHECK_IS_NAN (TYPE, n123); \
294+ TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)"); \
295+ CHECK_IS_NAN (TYPE, s123); \
296+ TYPE n456 = WRAP_NAN (FUNC, "456"); \
297+ CHECK_IS_NAN (TYPE, n456); \
298+ TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)"); \
299+ CHECK_IS_NAN (TYPE, s456); \
300+ TYPE n123x = WRAP_NAN (FUNC, "123)"); \
301+ CHECK_IS_NAN (TYPE, n123x); \
302+ TYPE nemp = WRAP_NAN (FUNC, ""); \
303+ CHECK_IS_NAN (TYPE, nemp); \
304+ TYPE semp = WRAP_STRTO (SFUNC, "NAN()"); \
305+ CHECK_IS_NAN (TYPE, semp); \
306+ TYPE sx = WRAP_STRTO (SFUNC, "NAN"); \
307+ CHECK_IS_NAN (TYPE, sx); \
308+ if (CAN_TEST_EQ (MANT_DIG)) \
309+ CHECK_SAME_NAN (TYPE, n123, s123); \
310+ if (CAN_TEST_EQ (MANT_DIG)) \
311+ CHECK_SAME_NAN (TYPE, n456, s456); \
312+ if (CAN_TEST_EQ (MANT_DIG)) \
313+ CHECK_SAME_NAN (TYPE, nemp, semp); \
314+ if (CAN_TEST_EQ (MANT_DIG)) \
315+ CHECK_SAME_NAN (TYPE, n123x, sx); \
316+ CHECK_DIFF_NAN (TYPE, n123, n456); \
317+ CHECK_DIFF_NAN (TYPE, n123, nemp); \
318+ CHECK_DIFF_NAN (TYPE, n123, n123x); \
319+ CHECK_DIFF_NAN (TYPE, n456, nemp); \
320+ CHECK_DIFF_NAN (TYPE, n456, n123x); \
321+ } \
322+ while (0)
323+
324+static int
325+do_test (void)
326+{
327+ int result = 0;
328+ RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG);
329+ RUN_TESTS (double, strtod, nan, DBL_MANT_DIG);
330+#ifndef NO_LONG_DOUBLE
331+ RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG);
332+#endif
333+ return result;
334+}
335+
336+#define TEST_FUNCTION do_test ()
337+#include "../test-skeleton.c"
338diff --git a/stdlib/Versions b/stdlib/Versions
339index f1777df..60b628d 100644
340--- a/stdlib/Versions
341+++ b/stdlib/Versions
342@@ -118,5 +118,6 @@ libc {
343 # Used from other libraries
344 __libc_secure_getenv;
345 __call_tls_dtors;
346+ __strtof_nan; __strtod_nan; __strtold_nan;
347 }
348 }
349--
3501.9.1
351
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index cfbc1c2..6544b52 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -49,6 +49,8 @@ CVEPATCHES = "\
49 file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \ 49 file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
50 file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \ 50 file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
51 file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \ 51 file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
52 file://CVE-2014-9761_1.patch \
53 file://CVE-2014-9761_2.patch \
52 " 54 "
53LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ 55LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
54 file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ 56 file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \