authorSona Sarmadi <sona.sarmadi@enea.com>2016-02-03 10:59:17 (GMT)
committerTudor Florea <tudor.florea@enea.com>2016-02-04 00:07:53 (GMT)
commitc15130e80eb40e80dccc140ca79cae8b01324e04 (patch)
tree66bebdbfd7c1c9edadee64d814b78463fdd004d7
parent1ad606237b61bc851e25976ba69f458374287f78 (diff)
glibc: CVE-2015-8778
Fixes integer overflow in hcreate and hcreate_r. References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8778 Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=18240 CVE assignment: http://seclists.org/oss-sec/2016/q1/153 Upstream fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=287de30e170cb765ed326d23d22791a81aab6e0f Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8778.patch187
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb1
2 files changed, 188 insertions, 0 deletions
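--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8778.patch
@@ -0,0 +1,187 @@
+From 287de30e170cb765ed326d23d22791a81aab6e0f Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 28 Jan 2016 13:59:11 +0100
+Subject: [PATCH] Improve check against integer wraparound in hcreate_r [BZ
+#18240]
+
+Upstream-Status: Backport
+CVE: CVE-2015-8778
+[Yocto # 8980]
+
+(cherry picked from commit bae7c7c764413b23e61cb099ce33be4c4ee259bb)
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ChangeLog | 13 ++++++++++
+ misc/Makefile | 2 +-
+ misc/bug18240.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ misc/hsearch_r.c | 28 ++++++++++++---------
+ 4 files changed, 106 insertions(+), 12 deletions(-)
+ create mode 100644 misc/bug18240.c
+
+diff --git a/ChangeLog b/ChangeLog
+index ed4a5fa..d86dc22 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,16 @@
++2016-01-27 Paul Eggert <eggert@cs.ucla.edu>
++
++ [BZ #18240]
++ * misc/hsearch_r.c (isprime, __hcreate_r): Protect against
++ unsigned int wraparound.
++
++2016-01-27 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #18240]
++ * misc/bug18240.c: New test.
++ * misc/Makefile (tests): Add it.
++
++
+ 2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #18985]
+diff --git a/misc/Makefile b/misc/Makefile
+index 95da2cd..db09d12 100644
+--- a/misc/Makefile
++++ b/misc/Makefile
+@@ -83,7 +83,7 @@ install-lib := libg.a
+ gpl2lgpl := error.c error.h
+
+ tests := tst-dirname tst-tsearch tst-fdset tst-mntent tst-hsearch \
+- tst-pselect tst-insremque tst-mntent2 bug-hsearch1
++ tst-pselect tst-insremque tst-mntent2 bug-hsearch1 bug18240
+ tests-$(OPTION_POSIX_WIDE_CHAR_DEVICE_IO) += tst-error1
+ tests-$(OPTION_EGLIBC_FCVT) += tst-efgcvt
+ ifeq ($(run-built-tests),yes)
+diff --git a/misc/bug18240.c b/misc/bug18240.c
+new file mode 100644
+index 0000000..4b26865
+--- /dev/null
++++ b/misc/bug18240.c
+@@ -0,0 +1,75 @@
++/* Test integer wraparound in hcreate.
++ Copyright (C) 2016 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <limits.h>
++#include <search.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++static void
++test_size (size_t size)
++{
++ int res = hcreate (size);
++ if (res == 0)
++ {
++ if (errno == ENOMEM)
++ return;
++ printf ("error: hcreate (%zu): %m\n", size);
++ exit (1);
++ }
++ char *keys[100];
++ for (int i = 0; i < 100; ++i)
++ {
++ if (asprintf (keys + i, "%d", i) < 0)
++ {
++ printf ("error: asprintf: %m\n");
++ exit (1);
++ }
++ ENTRY e = { keys[i], (char *) "value" };
++ if (hsearch (e, ENTER) == NULL)
++ {
++ printf ("error: hsearch (\"%s\"): %m\n", keys[i]);
++ exit (1);
++ }
++ }
++ hdestroy ();
++
++ for (int i = 0; i < 100; ++i)
++ free (keys[i]);
++}
++
++static int
++do_test (void)
++{
++ test_size (500);
++ test_size (-1);
++ test_size (-3);
++ test_size (INT_MAX - 2);
++ test_size (INT_MAX - 1);
++ test_size (INT_MAX);
++ test_size (((unsigned) INT_MAX) + 1);
++ test_size (UINT_MAX - 2);
++ test_size (UINT_MAX - 1);
++ test_size (UINT_MAX);
++ return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
+index 81c27d8..746fcaa 100644
+--- a/misc/hsearch_r.c
++++ b/misc/hsearch_r.c
+@@ -46,15 +46,12 @@ static int
+ isprime (unsigned int number)
+ {
+ /* no even number will be passed */
+- unsigned int div = 3;
+-
+- while (div * div < number && number % div != 0)
+- div += 2;
+-
+- return number % div != 0;
++ for (unsigned int div = 3; div <= number / div; div += 2)
++ if (number % div == 0)
++ return 0;
++ return 1;
+ }
+
+-
+ /* Before using the hash table we must allocate memory for it.
+ Test for an existing table are done. We allocate one element
+ more as the found prime number says. This is done for more effective
+@@ -81,10 +78,19 @@ hcreate_r (nel, htab)
+ use will not work. */
+ if (nel < 3)
+ nel = 3;
+- /* Change nel to the first prime number not smaller as nel. */
+- nel |= 1; /* make odd */
+- while (!isprime (nel))
+- nel += 2;
++
++ /* Change nel to the first prime number in the range [nel, UINT_MAX - 2],
++ The '- 2' means 'nel += 2' cannot overflow. */
++ for (nel |= 1; ; nel += 2)
++ {
++ if (UINT_MAX - 2 < nel)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++ if (isprime (nel))
++ break;
++ }
+
+ htab->size = nel;
+ htab->filled = 0;
+--
+1.9.1
+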
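Review bot: In the `hcreate_r` hunk of misc/hsearch_r.c, the new comment explains the `- 2` only as protection for `nel += 2`, but the `UINT_MAX - 2 < nel` test is also what keeps `nel` within the `unsigned int` range that `isprime (nel)` accepts, so it has to stay ahead of that call. The declaration of `nel` is outside the hunk; the new test passes a `size_t` to hcreate, so it is presumably wider than `unsigned int` on LP64 targets, where moving the check after `isprime` would bring back the truncation. I would add to the comment: `The check must come before isprime (nel), which takes unsigned int.` In the `isprime` hunk a similar one-liner, `/* div <= number / div, not div * div <= number: the product can wrap.  */`, would keep the loop bound from being simplified back. Both function bodies continue outside their hunks, so the allocation that uses `htab->size` is not visible here.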
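--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -53,6 +53,7 @@ CVEPATCHES = "\
  file://CVE-2014-9761_2.patch \
  file://CVE-2015-8776.patch \
  file://CVE-2015-8777.patch \
+ file://CVE-2015-8778.patch \
  "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
  file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \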