diff options
author | Yuanjie Huang <yuanjie.huang@windriver.com> | 2016-08-26 09:57:33 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-20 15:11:08 +0100 |
commit | b2a6f9a97d3749a9a8a9aef59e8a28a95d1181a4 (patch) | |
tree | f3bc9cdce24176f55d1482cdb4685b0e0a942353 | |
parent | 69005ae65c95976d41ebb377a80433cb32d53b37 (diff) | |
download | poky-b2a6f9a97d3749a9a8a9aef59e8a28a95d1181a4.tar.gz |
openssh: fix potential signed overflow to enable compilation with -ftrapv
Pointer arithmatic results in implementation defined signed integer
type, so that 's - src' in strlcpy and others may trigger signed overflow.
In case of compilation by gcc or clang with -ftrapv option, the overflow
would lead to program abort.
Upstream-status: Submitted [https://bugzilla.mindrot.org/show_bug.cgi?id=2608]
(From OE-Core rev: 2ce02941300aa3e826df0c59fd8d4ce19950028e)
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch | 99 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_7.3p1.bb | 1 |
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch new file mode 100644 index 0000000000..df64a140d3 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001 | ||
2 | From: Yuanjie Huang <yuanjie.huang@windriver.com> | ||
3 | Date: Wed, 24 Aug 2016 03:15:43 +0000 | ||
4 | Subject: [PATCH] Fix potential signed overflow in pointer arithmatic | ||
5 | |||
6 | Pointer arithmatic results in implementation defined signed integer | ||
7 | type, so that 's - src' in strlcpy and others may trigger signed overflow. | ||
8 | In case of compilation by gcc or clang with -ftrapv option, the overflow | ||
9 | would lead to program abort. | ||
10 | |||
11 | Upstream-status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608] | ||
12 | |||
13 | Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> | ||
14 | --- | ||
15 | openbsd-compat/strlcat.c | 8 ++++++-- | ||
16 | openbsd-compat/strlcpy.c | 8 ++++++-- | ||
17 | openbsd-compat/strnlen.c | 8 ++++++-- | ||
18 | 3 files changed, 18 insertions(+), 6 deletions(-) | ||
19 | |||
20 | diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c | ||
21 | index bcc1b61..e758ebf 100644 | ||
22 | --- a/openbsd-compat/strlcat.c | ||
23 | +++ b/openbsd-compat/strlcat.c | ||
24 | @@ -23,6 +23,7 @@ | ||
25 | |||
26 | #include <sys/types.h> | ||
27 | #include <string.h> | ||
28 | +#include <stdint.h> | ||
29 | |||
30 | /* | ||
31 | * Appends src to string dst of size siz (unlike strncat, siz is the | ||
32 | @@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz) | ||
33 | s++; | ||
34 | } | ||
35 | *d = '\0'; | ||
36 | - | ||
37 | - return(dlen + (s - src)); /* count does not include NUL */ | ||
38 | + /* | ||
39 | + * Cast pointers to unsigned type before calculation, to avoid signed | ||
40 | + * overflow when the string ends where the MSB has changed. | ||
41 | + */ | ||
42 | + return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */ | ||
43 | } | ||
44 | |||
45 | #endif /* !HAVE_STRLCAT */ | ||
46 | diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c | ||
47 | index b4b1b60..b06f374 100644 | ||
48 | --- a/openbsd-compat/strlcpy.c | ||
49 | +++ b/openbsd-compat/strlcpy.c | ||
50 | @@ -23,6 +23,7 @@ | ||
51 | |||
52 | #include <sys/types.h> | ||
53 | #include <string.h> | ||
54 | +#include <stdint.h> | ||
55 | |||
56 | /* | ||
57 | * Copy src to string dst of size siz. At most siz-1 characters | ||
58 | @@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz) | ||
59 | while (*s++) | ||
60 | ; | ||
61 | } | ||
62 | - | ||
63 | - return(s - src - 1); /* count does not include NUL */ | ||
64 | + /* | ||
65 | + * Cast pointers to unsigned type before calculation, to avoid signed | ||
66 | + * overflow when the string ends where the MSB has changed. | ||
67 | + */ | ||
68 | + return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */ | ||
69 | } | ||
70 | |||
71 | #endif /* !HAVE_STRLCPY */ | ||
72 | diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c | ||
73 | index 93d5155..9b8de5d 100644 | ||
74 | --- a/openbsd-compat/strnlen.c | ||
75 | +++ b/openbsd-compat/strnlen.c | ||
76 | @@ -23,6 +23,7 @@ | ||
77 | #include <sys/types.h> | ||
78 | |||
79 | #include <string.h> | ||
80 | +#include <stdint.h> | ||
81 | |||
82 | size_t | ||
83 | strnlen(const char *str, size_t maxlen) | ||
84 | @@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen) | ||
85 | |||
86 | for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--) | ||
87 | ; | ||
88 | - | ||
89 | - return (size_t)(cp - str); | ||
90 | + /* | ||
91 | + * Cast pointers to unsigned type before calculation, to avoid signed | ||
92 | + * overflow when the string ends where the MSB has changed. | ||
93 | + */ | ||
94 | + return (size_t)((uintptr_t)cp - (uintptr_t)str); | ||
95 | } | ||
96 | #endif | ||
97 | -- | ||
98 | 1.9.1 | ||
99 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb index b31972649d..039b0ffdde 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb | |||
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar | |||
24 | file://run-ptest \ | 24 | file://run-ptest \ |
25 | file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ | 25 | file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ |
26 | file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ | 26 | file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ |
27 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ | ||
27 | " | 28 | " |
28 | 29 | ||
29 | PAM_SRC_URI = "file://sshd" | 30 | PAM_SRC_URI = "file://sshd" |