summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYuanjie Huang <yuanjie.huang@windriver.com>2016-08-26 09:57:33 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-20 15:11:08 +0100
commitb2a6f9a97d3749a9a8a9aef59e8a28a95d1181a4 (patch)
treef3bc9cdce24176f55d1482cdb4685b0e0a942353
parent69005ae65c95976d41ebb377a80433cb32d53b37 (diff)
downloadpoky-b2a6f9a97d3749a9a8a9aef59e8a28a95d1181a4.tar.gz
openssh: fix potential signed overflow to enable compilation with -ftrapv
Pointer arithmatic results in implementation defined signed integer type, so that 's - src' in strlcpy and others may trigger signed overflow. In case of compilation by gcc or clang with -ftrapv option, the overflow would lead to program abort. Upstream-status: Submitted [https://bugzilla.mindrot.org/show_bug.cgi?id=2608] (From OE-Core rev: 2ce02941300aa3e826df0c59fd8d4ce19950028e) Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch99
-rw-r--r--meta/recipes-connectivity/openssh/openssh_7.3p1.bb1
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
new file mode 100644
index 0000000000..df64a140d3
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
@@ -0,0 +1,99 @@
1From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
2From: Yuanjie Huang <yuanjie.huang@windriver.com>
3Date: Wed, 24 Aug 2016 03:15:43 +0000
4Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
5
6Pointer arithmatic results in implementation defined signed integer
7type, so that 's - src' in strlcpy and others may trigger signed overflow.
8In case of compilation by gcc or clang with -ftrapv option, the overflow
9would lead to program abort.
10
11Upstream-status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
12
13Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
14---
15 openbsd-compat/strlcat.c | 8 ++++++--
16 openbsd-compat/strlcpy.c | 8 ++++++--
17 openbsd-compat/strnlen.c | 8 ++++++--
18 3 files changed, 18 insertions(+), 6 deletions(-)
19
20diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
21index bcc1b61..e758ebf 100644
22--- a/openbsd-compat/strlcat.c
23+++ b/openbsd-compat/strlcat.c
24@@ -23,6 +23,7 @@
25
26 #include <sys/types.h>
27 #include <string.h>
28+#include <stdint.h>
29
30 /*
31 * Appends src to string dst of size siz (unlike strncat, siz is the
32@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
33 s++;
34 }
35 *d = '\0';
36-
37- return(dlen + (s - src)); /* count does not include NUL */
38+ /*
39+ * Cast pointers to unsigned type before calculation, to avoid signed
40+ * overflow when the string ends where the MSB has changed.
41+ */
42+ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */
43 }
44
45 #endif /* !HAVE_STRLCAT */
46diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
47index b4b1b60..b06f374 100644
48--- a/openbsd-compat/strlcpy.c
49+++ b/openbsd-compat/strlcpy.c
50@@ -23,6 +23,7 @@
51
52 #include <sys/types.h>
53 #include <string.h>
54+#include <stdint.h>
55
56 /*
57 * Copy src to string dst of size siz. At most siz-1 characters
58@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
59 while (*s++)
60 ;
61 }
62-
63- return(s - src - 1); /* count does not include NUL */
64+ /*
65+ * Cast pointers to unsigned type before calculation, to avoid signed
66+ * overflow when the string ends where the MSB has changed.
67+ */
68+ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */
69 }
70
71 #endif /* !HAVE_STRLCPY */
72diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
73index 93d5155..9b8de5d 100644
74--- a/openbsd-compat/strnlen.c
75+++ b/openbsd-compat/strnlen.c
76@@ -23,6 +23,7 @@
77 #include <sys/types.h>
78
79 #include <string.h>
80+#include <stdint.h>
81
82 size_t
83 strnlen(const char *str, size_t maxlen)
84@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
85
86 for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
87 ;
88-
89- return (size_t)(cp - str);
90+ /*
91+ * Cast pointers to unsigned type before calculation, to avoid signed
92+ * overflow when the string ends where the MSB has changed.
93+ */
94+ return (size_t)((uintptr_t)cp - (uintptr_t)str);
95 }
96 #endif
97--
981.9.1
99
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
index b31972649d..039b0ffdde 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
24 file://run-ptest \ 24 file://run-ptest \
25 file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ 25 file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
26 file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ 26 file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
27 file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
27 " 28 "
28 29
29PAM_SRC_URI = "file://sshd" 30PAM_SRC_URI = "file://sshd"