glibc: Security fix for CVE-2016-4429

(From OE-Core rev: 32fd9fed93b896ee50006a95cc9d0209b85268cd) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-07-09 11:56:49 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-07-27 08:29:58 +0100
commit: c9e0efd1f7ea808a37e631eba9715c2b59cc102f (patch)
tree: a92c70a1175686453f36ab73d3f9a5751cd48898
parent: 2596de9179c644d294b7418552f0ed255b7653b0 (diff)
download: poky-c9e0efd1f7ea808a37e631eba9715c2b59cc102f.tar.gz
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch b/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch
new file mode 100644
index 0000000000..24aa9a41a1
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch
@@ -0,0 +1,89 @@
+From bc779a1a5b3035133024b21e2f339fe4219fb11c Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 23 May 2016 20:18:34 +0200
+Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ
+ #20112]
+The call is technically in a loop, and under certain circumstances
+(which are quite difficult to reproduce in a test case), alloca
+can be invoked repeatedly during a single call to clntudp_call.
+As a result, the available stack space can be exhausted (even
+though individual alloca sizes are bounded implicitly by what
+can fit into a UDP packet, as a side effect of the earlier
+successful send operation).
+Upstream-Status: Backport
+CVE: CVE-2016-4429
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog         |  7 +++++++
+ NEWS              |  4 ++++
+ sunrpc/clnt_udp.c | 10 +++++++++-
+ 3 files changed, 20 insertions(+), 1 deletion(-)
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,10 @@
+2016-05-23  Florian Weimer  <fweimer@redhat.com>
+
+   CVE-2016-4429
+   [BZ #20112]
+   * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
+   payload.
+
+ 2016-04-29  Florian Weimer  <fweimer@redhat.com>
+ 
+     [BZ #20010]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -5,6 +5,11 @@ See the end for copying conditions.
+ Security related changes:
+ 
+ [Add security related changes here]
+
+* The Sun RPC UDP client could exhaust all available stack space when
+  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
+  alloca plugin for GCC.  (CVE-2016-4429)
+
+  * Previously, getaddrinfo copied large amounts of address data to the stack,
+   even after the fix for CVE-2013-4458 has been applied, potentially
+   resulting in a stack overflow.  getaddrinfo now uses a heap allocation
+Index: git/sunrpc/clnt_udp.c
+===================================================================
+--- git.orig/sunrpc/clnt_udp.c
+++ git/sunrpc/clnt_udp.c
+@@ -420,9 +420,15 @@ send_again:
+          struct sock_extended_err *e;
+          struct sockaddr_in err_addr;
+          struct iovec iov;
+-         char *cbuf = (char *) alloca (outlen + 256);
+         char *cbuf = malloc (outlen + 256);
+          int ret;
+ 
+         if (cbuf == NULL)
+           {
+             cu->cu_error.re_errno = errno;
+             return (cu->cu_error.re_status = RPC_CANTRECV);
+           }
+
+          iov.iov_base = cbuf + 256;
+          iov.iov_len = outlen;
+          msg.msg_name = (void *) &err_addr;
+@@ -447,10 +453,12 @@ send_again:
+                 cmsg = CMSG_NXTHDR (&msg, cmsg))
+              if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+                {
+                 free (cbuf);
+                  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+                  cu->cu_error.re_errno = e->ee_errno;
+                  return (cu->cu_error.re_status = RPC_CANTRECV);
+                }
+         free (cbuf);
+        }
+ #endif
+       do
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index 4cf2ed7dbf..a423d3dbb7 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -49,6 +49,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://CVE-2015-7547.patch \
           file://CVE-2015-8778.patch \
           file://CVE-2016-3706.patch \
+           file://CVE-2016-4429.patch \
 "
 SRC_URI += "\
author	Armin Kuster <akuster@mvista.com>	2016-07-09 11:56:49 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-07-27 08:29:58 +0100
commit	c9e0efd1f7ea808a37e631eba9715c2b59cc102f (patch)
tree	a92c70a1175686453f36ab73d3f9a5751cd48898
parent	2596de9179c644d294b7418552f0ed255b7653b0 (diff)
download	poky-c9e0efd1f7ea808a37e631eba9715c2b59cc102f.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch b/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch new file mode 100644 index 0000000000..24aa9a41a1 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch
@@ -0,0 +1,89 @@
		1	From bc779a1a5b3035133024b21e2f339fe4219fb11c Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Mon, 23 May 2016 20:18:34 +0200
		4	Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ
		5	#20112]
		6
		7	The call is technically in a loop, and under certain circumstances
		8	(which are quite difficult to reproduce in a test case), alloca
		9	can be invoked repeatedly during a single call to clntudp_call.
		10	As a result, the available stack space can be exhausted (even
		11	though individual alloca sizes are bounded implicitly by what
		12	can fit into a UDP packet, as a side effect of the earlier
		13	successful send operation).
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2016-4429
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	ChangeLog \| 7 +++++++
		21	NEWS \| 4 ++++
		22	sunrpc/clnt_udp.c \| 10 +++++++++-
		23	3 files changed, 20 insertions(+), 1 deletion(-)
		24
		25	Index: git/ChangeLog
		26	===================================================================
		27	--- git.orig/ChangeLog
		28	+++ git/ChangeLog
		29	@@ -1,3 +1,10 @@
		30	+2016-05-23 Florian Weimer <fweimer@redhat.com>
		31	+
		32	+ CVE-2016-4429
		33	+ [BZ #20112]
		34	+ * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
		35	+ payload.
		36	+
		37	2016-04-29 Florian Weimer <fweimer@redhat.com>
		38
		39	[BZ #20010]
		40	Index: git/NEWS
		41	===================================================================
		42	--- git.orig/NEWS
		43	+++ git/NEWS
		44	@@ -5,6 +5,11 @@ See the end for copying conditions.
		45	Security related changes:
		46
		47	[Add security related changes here]
		48	+
		49	+* The Sun RPC UDP client could exhaust all available stack space when
		50	+ flooded with crafted ICMP and UDP messages. Reported by Aldy Hernandez'
		51	+ alloca plugin for GCC. (CVE-2016-4429)
		52	+
		53	* Previously, getaddrinfo copied large amounts of address data to the stack,
		54	even after the fix for CVE-2013-4458 has been applied, potentially
		55	resulting in a stack overflow. getaddrinfo now uses a heap allocation
		56	Index: git/sunrpc/clnt_udp.c
		57	===================================================================
		58	--- git.orig/sunrpc/clnt_udp.c
		59	+++ git/sunrpc/clnt_udp.c
		60	@@ -420,9 +420,15 @@ send_again:
		61	struct sock_extended_err *e;
		62	struct sockaddr_in err_addr;
		63	struct iovec iov;
		64	- char cbuf = (char ) alloca (outlen + 256);
		65	+ char *cbuf = malloc (outlen + 256);
		66	int ret;
		67
		68	+ if (cbuf == NULL)
		69	+ {
		70	+ cu->cu_error.re_errno = errno;
		71	+ return (cu->cu_error.re_status = RPC_CANTRECV);
		72	+ }
		73	+
		74	iov.iov_base = cbuf + 256;
		75	iov.iov_len = outlen;
		76	msg.msg_name = (void *) &err_addr;
		77	@@ -447,10 +453,12 @@ send_again:
		78	cmsg = CMSG_NXTHDR (&msg, cmsg))
		79	if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
		80	{
		81	+ free (cbuf);
		82	e = (struct sock_extended_err *) CMSG_DATA(cmsg);
		83	cu->cu_error.re_errno = e->ee_errno;
		84	return (cu->cu_error.re_status = RPC_CANTRECV);
		85	}
		86	+ free (cbuf);
		87	}
		88	#endif
		89	do


diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb index 4cf2ed7dbf..a423d3dbb7 100644 --- a/meta/recipes-core/glibc/glibc_2.22.bb +++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -49,6 +49,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
49	file://CVE-2015-7547.patch \	49	file://CVE-2015-7547.patch \
50	file://CVE-2015-8778.patch \	50	file://CVE-2015-8778.patch \
51	file://CVE-2016-3706.patch \	51	file://CVE-2016-3706.patch \
		52	file://CVE-2016-4429.patch \
52	"	53	"
53		54
54	SRC_URI += "\	55	SRC_URI += "\