glibc: Backport fix for CVE-2021-43396

Backport the fix for CVE-2021-43396. It is disputed that this is a security issue however the fix applies easily so we may as well. (From OE-Core rev: 8d7a88bdee734df527a0ed954a25f27ac975071f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e8de9b01c6b305b2498c5f942397a49ae2af0cde) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-11-15 11:49:06 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-11-24 21:12:50 +0000
commit: 10a700c094a2ef693f0b4ee0de374a42112dfef3 (patch)
tree: 36ae207961df504a76d43e45f3967e7ef0d7f99f
parent: fb09b37f2afef6294a56cef6ea27d775534c9a6c (diff)
download: poky-10a700c094a2ef693f0b4ee0de374a42112dfef3.tar.gz
2 files changed, 185 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-43396.patch b/meta/recipes-core/glibc/glibc/CVE-2021-43396.patch
new file mode 100644
index 0000000000..ebea5efd34
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-43396.patch
@@ -0,0 +1,184 @@
+From ff012870b2c02a62598c04daa1e54632e020fd7d Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Tue, 2 Nov 2021 13:21:42 +0500
+Subject: [PATCH] gconv: Do not emit spurious NUL character in ISO-2022-JP-3
+ (bug 28524)
+Bugfix 27256 has introduced another issue:
+In conversion from ISO-2022-JP-3 encoding, it is possible
+to force iconv to emit extra NUL character on internal state reset.
+To do this, it is sufficient to feed iconv with escape sequence
+which switches active character set.
+The simplified check 'data->__statep->__count != ASCII_set'
+introduced by the aforementioned bugfix picks that case and
+behaves as if '\0' character has been queued thus emitting it.
+To eliminate this issue, these steps are taken:
+* Restore original condition
+'(data->__statep->__count & ~7) != ASCII_set'.
+It is necessary since bits 0-2 may contain
+number of buffered input characters.
+* Check that queued character is not NUL.
+Similar step is taken for main conversion loop.
+Bundled test case follows following logic:
+* Try to convert ISO-2022-JP-3 escape sequence
+switching active character set
+* Reset internal state by providing NULL as input buffer
+* Ensure that nothing has been converted.
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+CVE: CVE-2021-43396
+Upstream-Status: Backport [ff012870b2c02a62598c04daa1e54632e020fd7d]
+---
+ iconvdata/Makefile        |  5 +++-
+ iconvdata/bug-iconv15.c   | 60 +++++++++++++++++++++++++++++++++++++++
+ iconvdata/iso-2022-jp-3.c | 28 ++++++++++++------
+ 3 files changed, 84 insertions(+), 9 deletions(-)
+ create mode 100644 iconvdata/bug-iconv15.c
+Index: git/iconvdata/Makefile
+===================================================================
+--- git.orig/iconvdata/Makefile
+++ git/iconvdata/Makefile
+@@ -1,4 +1,5 @@
+ # Copyright (C) 1997-2021 Free Software Foundation, Inc.
+# Copyright (C) The GNU Toolchain Authors.
+ # This file is part of the GNU C Library.
+ 
+ # The GNU C Library is free software; you can redistribute it and/or
+@@ -74,7 +75,7 @@ ifeq (yes,$(build-shared))
+ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
+        tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
+        bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
+-       bug-iconv13 bug-iconv14
+       bug-iconv13 bug-iconv14 bug-iconv15
+ ifeq ($(have-thread-library),yes)
+ tests += bug-iconv3
+ endif
+@@ -327,6 +328,8 @@ $(objpfx)bug-iconv12.out: $(addprefix $(
+                          $(addprefix $(objpfx),$(modules.so))
+ $(objpfx)bug-iconv14.out: $(addprefix $(objpfx), $(gconv-modules)) \
+                          $(addprefix $(objpfx),$(modules.so))
+$(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \
+                         $(addprefix $(objpfx),$(modules.so))
+ 
+ $(objpfx)iconv-test.out: run-iconv-test.sh \
+                         $(addprefix $(objpfx), $(gconv-modules)) \
+Index: git/iconvdata/bug-iconv15.c
+===================================================================
+--- /dev/null
+++ git/iconvdata/bug-iconv15.c
+@@ -0,0 +1,60 @@
+/* Bug 28524: Conversion from ISO-2022-JP-3 with iconv
+   may emit spurious NUL character on state reset.
+   Copyright (C) The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stddef.h>
+#include <iconv.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+  char in[] = "\x1b(I";
+  char *inbuf = in;
+  size_t inleft = sizeof (in) - 1;
+  char out[1];
+  char *outbuf = out;
+  size_t outleft = sizeof (out);
+  iconv_t cd;
+
+  cd = iconv_open ("UTF8", "ISO-2022-JP-3");
+  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+  /* First call to iconv should alter internal state.
+     Now, JISX0201_Kana_set is selected and
+     state value != ASCII_set.  */
+  TEST_VERIFY (iconv (cd, &inbuf, &inleft, &outbuf, &outleft) != (size_t) -1);
+
+  /* No bytes should have been added to
+     the output buffer at this point.  */
+  TEST_VERIFY (outbuf == out);
+  TEST_VERIFY (outleft == sizeof (out));
+
+  /* Second call shall emit spurious NUL character in unpatched glibc.  */
+  TEST_VERIFY (iconv (cd, NULL, NULL, &outbuf, &outleft) != (size_t) -1);
+
+  /* No characters are expected to be produced.  */
+  TEST_VERIFY (outbuf == out);
+  TEST_VERIFY (outleft == sizeof (out));
+
+  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+Index: git/iconvdata/iso-2022-jp-3.c
+===================================================================
+--- git.orig/iconvdata/iso-2022-jp-3.c
+++ git/iconvdata/iso-2022-jp-3.c
+@@ -1,5 +1,6 @@
+ /* Conversion module for ISO-2022-JP-3.
+    Copyright (C) 1998-2021 Free Software Foundation, Inc.
+   Copyright (C) The GNU Toolchain Authors.
+    This file is part of the GNU C Library.
+    Contributed by Ulrich Drepper <drepper@cygnus.com>, 1998,
+    and Bruno Haible <bruno@clisp.org>, 2002.
+@@ -81,20 +82,31 @@ enum
+    the output state to the initial state.  This has to be done during the
+    flushing.  */
+ #define EMIT_SHIFT_TO_INIT \
+-  if (data->__statep->__count != ASCII_set)                          \
+  if ((data->__statep->__count & ~7) != ASCII_set)                           \
+     {                                                                        \
+       if (FROM_DIRECTION)                                                    \
+        {                                                                     \
+-         if (__glibc_likely (outbuf + 4 <= outend))                          \
+         uint32_t ch = data->__statep->__count >> 6;                         \
+                                                                             \
+         if (__glibc_unlikely (ch != 0))                                     \
+            {                                                                 \
+-             /* Write out the last character.  */                            \
+-             *((uint32_t *) outbuf) = data->__statep->__count >> 6;          \
+-             outbuf += sizeof (uint32_t);                                    \
+-             data->__statep->__count = ASCII_set;                      \
+             if (__glibc_likely (outbuf + 4 <= outend))                      \
+               {                                                             \
+                 /* Write out the last character.  */                        \
+                 put32u (outbuf, ch);                                        \
+                 outbuf += 4;                                                \
+                 data->__statep->__count &= 7;                               \
+                 data->__statep->__count |= ASCII_set;                       \
+               }                                                             \
+             else                                                            \
+               /* We don't have enough room in the output buffer.  */        \
+               status = __GCONV_FULL_OUTPUT;                                 \
+            }                                                                 \
+          else                                                                \
+-           /* We don't have enough room in the output buffer.  */            \
+-           status = __GCONV_FULL_OUTPUT;                                     \
+           {                                                                 \
+             data->__statep->__count &= 7;                                   \
+             data->__statep->__count |= ASCII_set;                           \
+           }                                                                 \
+        }                                                                     \
+       else                                                                   \
+        {                                                                     \
diff --git a/meta/recipes-core/glibc/glibc_2.34.bb b/meta/recipes-core/glibc/glibc_2.34.bb
index 6dc315c349..7206477278 100644
--- a/meta/recipes-core/glibc/glibc_2.34.bb
+++ b/meta/recipes-core/glibc/glibc_2.34.bb
@@ -58,6 +58,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0001-CVE-2021-38604.patch \
           file://0002-CVE-2021-38604.patch \
           file://0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
+           file://CVE-2021-43396.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-11-15 11:49:06 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-11-24 21:12:50 +0000
commit	10a700c094a2ef693f0b4ee0de374a42112dfef3 (patch)
tree	36ae207961df504a76d43e45f3967e7ef0d7f99f
parent	fb09b37f2afef6294a56cef6ea27d775534c9a6c (diff)
download	poky-10a700c094a2ef693f0b4ee0de374a42112dfef3.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-43396.patch b/meta/recipes-core/glibc/glibc/CVE-2021-43396.patch new file mode 100644 index 0000000000..ebea5efd34 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-43396.patch
@@ -0,0 +1,184 @@
		1	From ff012870b2c02a62598c04daa1e54632e020fd7d Mon Sep 17 00:00:00 2001
		2	From: Nikita Popov <npv1310@gmail.com>
		3	Date: Tue, 2 Nov 2021 13:21:42 +0500
		4	Subject: [PATCH] gconv: Do not emit spurious NUL character in ISO-2022-JP-3
		5	(bug 28524)
		6
		7	Bugfix 27256 has introduced another issue:
		8	In conversion from ISO-2022-JP-3 encoding, it is possible
		9	to force iconv to emit extra NUL character on internal state reset.
		10	To do this, it is sufficient to feed iconv with escape sequence
		11	which switches active character set.
		12	The simplified check 'data->__statep->__count != ASCII_set'
		13	introduced by the aforementioned bugfix picks that case and
		14	behaves as if '\0' character has been queued thus emitting it.
		15
		16	To eliminate this issue, these steps are taken:
		17	* Restore original condition
		18	'(data->__statep->__count & ~7) != ASCII_set'.
		19	It is necessary since bits 0-2 may contain
		20	number of buffered input characters.
		21	* Check that queued character is not NUL.
		22	Similar step is taken for main conversion loop.
		23
		24	Bundled test case follows following logic:
		25	* Try to convert ISO-2022-JP-3 escape sequence
		26	switching active character set
		27	* Reset internal state by providing NULL as input buffer
		28	* Ensure that nothing has been converted.
		29
		30	Signed-off-by: Nikita Popov <npv1310@gmail.com>
		31
		32	CVE: CVE-2021-43396
		33	Upstream-Status: Backport [ff012870b2c02a62598c04daa1e54632e020fd7d]
		34	---
		35	iconvdata/Makefile \| 5 +++-
		36	iconvdata/bug-iconv15.c \| 60 +++++++++++++++++++++++++++++++++++++++
		37	iconvdata/iso-2022-jp-3.c \| 28 ++++++++++++------
		38	3 files changed, 84 insertions(+), 9 deletions(-)
		39	create mode 100644 iconvdata/bug-iconv15.c
		40
		41	Index: git/iconvdata/Makefile
		42	===================================================================
		43	--- git.orig/iconvdata/Makefile
		44	+++ git/iconvdata/Makefile
		45	@@ -1,4 +1,5 @@
		46	# Copyright (C) 1997-2021 Free Software Foundation, Inc.
		47	+# Copyright (C) The GNU Toolchain Authors.
		48	# This file is part of the GNU C Library.
		49
		50	# The GNU C Library is free software; you can redistribute it and/or
		51	@@ -74,7 +75,7 @@ ifeq (yes,$(build-shared))
		52	tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
		53	tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
		54	bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
		55	- bug-iconv13 bug-iconv14
		56	+ bug-iconv13 bug-iconv14 bug-iconv15
		57	ifeq ($(have-thread-library),yes)
		58	tests += bug-iconv3
		59	endif
		60	@@ -327,6 +328,8 @@ $(objpfx)bug-iconv12.out: $(addprefix $(
		61	$(addprefix $(objpfx),$(modules.so))
		62	$(objpfx)bug-iconv14.out: $(addprefix $(objpfx), $(gconv-modules)) \
		63	$(addprefix $(objpfx),$(modules.so))
		64	+$(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \
		65	+ $(addprefix $(objpfx),$(modules.so))
		66
		67	$(objpfx)iconv-test.out: run-iconv-test.sh \
		68	$(addprefix $(objpfx), $(gconv-modules)) \
		69	Index: git/iconvdata/bug-iconv15.c
		70	===================================================================
		71	--- /dev/null
		72	+++ git/iconvdata/bug-iconv15.c
		73	@@ -0,0 +1,60 @@
		74	+/* Bug 28524: Conversion from ISO-2022-JP-3 with iconv
		75	+ may emit spurious NUL character on state reset.
		76	+ Copyright (C) The GNU Toolchain Authors.
		77	+ This file is part of the GNU C Library.
		78	+
		79	+ The GNU C Library is free software; you can redistribute it and/or
		80	+ modify it under the terms of the GNU Lesser General Public
		81	+ License as published by the Free Software Foundation; either
		82	+ version 2.1 of the License, or (at your option) any later version.
		83	+
		84	+ The GNU C Library is distributed in the hope that it will be useful,
		85	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
		86	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		87	+ Lesser General Public License for more details.
		88	+
		89	+ You should have received a copy of the GNU Lesser General Public
		90	+ License along with the GNU C Library; if not, see
		91	+ <https://www.gnu.org/licenses/>. */
		92	+
		93	+#include <stddef.h>
		94	+#include <iconv.h>
		95	+#include <support/check.h>
		96	+
		97	+static int
		98	+do_test (void)
		99	+{
		100	+ char in[] = "\x1b(I";
		101	+ char *inbuf = in;
		102	+ size_t inleft = sizeof (in) - 1;
		103	+ char out[1];
		104	+ char *outbuf = out;
		105	+ size_t outleft = sizeof (out);
		106	+ iconv_t cd;
		107	+
		108	+ cd = iconv_open ("UTF8", "ISO-2022-JP-3");
		109	+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
		110	+
		111	+ /* First call to iconv should alter internal state.
		112	+ Now, JISX0201_Kana_set is selected and
		113	+ state value != ASCII_set. */
		114	+ TEST_VERIFY (iconv (cd, &inbuf, &inleft, &outbuf, &outleft) != (size_t) -1);
		115	+
		116	+ /* No bytes should have been added to
		117	+ the output buffer at this point. */
		118	+ TEST_VERIFY (outbuf == out);
		119	+ TEST_VERIFY (outleft == sizeof (out));
		120	+
		121	+ /* Second call shall emit spurious NUL character in unpatched glibc. */
		122	+ TEST_VERIFY (iconv (cd, NULL, NULL, &outbuf, &outleft) != (size_t) -1);
		123	+
		124	+ /* No characters are expected to be produced. */
		125	+ TEST_VERIFY (outbuf == out);
		126	+ TEST_VERIFY (outleft == sizeof (out));
		127	+
		128	+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
		129	+
		130	+ return 0;
		131	+}
		132	+
		133	+#include <support/test-driver.c>
		134	Index: git/iconvdata/iso-2022-jp-3.c
		135	===================================================================
		136	--- git.orig/iconvdata/iso-2022-jp-3.c
		137	+++ git/iconvdata/iso-2022-jp-3.c
		138	@@ -1,5 +1,6 @@
		139	/* Conversion module for ISO-2022-JP-3.
		140	Copyright (C) 1998-2021 Free Software Foundation, Inc.
		141	+ Copyright (C) The GNU Toolchain Authors.
		142	This file is part of the GNU C Library.
		143	Contributed by Ulrich Drepper <drepper@cygnus.com>, 1998,
		144	and Bruno Haible <bruno@clisp.org>, 2002.
		145	@@ -81,20 +82,31 @@ enum
		146	the output state to the initial state. This has to be done during the
		147	flushing. */
		148	#define EMIT_SHIFT_TO_INIT \
		149	- if (data->__statep->__count != ASCII_set) \
		150	+ if ((data->__statep->__count & ~7) != ASCII_set) \
		151	{ \
		152	if (FROM_DIRECTION) \
		153	{ \
		154	- if (__glibc_likely (outbuf + 4 <= outend)) \
		155	+ uint32_t ch = data->__statep->__count >> 6; \
		156	+ \
		157	+ if (__glibc_unlikely (ch != 0)) \
		158	{ \
		159	- /* Write out the last character. */ \
		160	- ((uint32_t ) outbuf) = data->__statep->__count >> 6; \
		161	- outbuf += sizeof (uint32_t); \
		162	- data->__statep->__count = ASCII_set; \
		163	+ if (__glibc_likely (outbuf + 4 <= outend)) \
		164	+ { \
		165	+ /* Write out the last character. */ \
		166	+ put32u (outbuf, ch); \
		167	+ outbuf += 4; \
		168	+ data->__statep->__count &= 7; \
		169	+ data->__statep->__count \|= ASCII_set; \
		170	+ } \
		171	+ else \
		172	+ /* We don't have enough room in the output buffer. */ \
		173	+ status = __GCONV_FULL_OUTPUT; \
		174	} \
		175	else \
		176	- /* We don't have enough room in the output buffer. */ \
		177	- status = __GCONV_FULL_OUTPUT; \
		178	+ { \
		179	+ data->__statep->__count &= 7; \
		180	+ data->__statep->__count \|= ASCII_set; \
		181	+ } \
		182	} \
		183	else \
		184	{ \


diff --git a/meta/recipes-core/glibc/glibc_2.34.bb b/meta/recipes-core/glibc/glibc_2.34.bb index 6dc315c349..7206477278 100644 --- a/meta/recipes-core/glibc/glibc_2.34.bb +++ b/meta/recipes-core/glibc/glibc_2.34.bb
@@ -58,6 +58,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
58	file://0001-CVE-2021-38604.patch \	58	file://0001-CVE-2021-38604.patch \
59	file://0002-CVE-2021-38604.patch \	59	file://0002-CVE-2021-38604.patch \
60	file://0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \	60	file://0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
		61	file://CVE-2021-43396.patch \
61	"	62	"
62	S = "${WORKDIR}/git"	63	S = "${WORKDIR}/git"
63	B = "${WORKDIR}/build-${TARGET_SYS}"	64	B = "${WORKDIR}/build-${TARGET_SYS}"