author | Shubham Kulkarni <skulkarni@mvista.com> | 2023-03-06 16:48:05 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-03-14 14:59:10 +0000 |
commit | 770bb4a64a7862385420bd7e4aa4112d53951218 (patch) | |
tree | 3a04964e62e583ac2f8e65abac185da13944ad52 | |
parent | d7fa5a35aae38687444e720ffdad649e096abaf9 (diff) | |
glibc: Security fix for CVE-2023-0687
Backport from https://sourceware.org/git/?p=glibc.git;a=patch;h=801af9fafd4689337ebf27260aa115335a0cb2bc
(From OE-Core rev: d7c7e9acd5b5699e4a0c2c7f2664cce7a5a08641)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2023-0687.patch | 82 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.31.bb | 1 |
2 files changed, 83 insertions, 0 deletions
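--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
@@ -0,0 +1,82 @@
+From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?=
+=?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru>
+Date: Sat, 4 Feb 2023 14:41:38 +0300
+Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The `__monstartup()` allocates a buffer used to store all the data
+accumulated by the monitor.
+
+The size of this buffer depends on the size of the internal structures
+used and the address range for which the monitor is activated, as well
+as on the maximum density of call instructions and/or callable functions
+that could be potentially on a segment of executable code.
+
+In particular a hash table of arcs is placed at the end of this buffer.
+The size of this hash table is calculated in bytes as
+p->fromssize = p->textsize / HASHFRACTION;
+
+but actually should be
+p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
+
+This results in writing beyond the end of the allocated buffer when an
+added arc corresponds to a call near from the end of the monitored
+address range, since `_mcount()` check the incoming caller address for
+monitored range but not the intermediate result hash-like index that
+uses to write into the table.
+
+It should be noted that when the results are output to `gmon.out`, the
+table is read to the last element calculated from the allocated size in
+bytes, so the arcs stored outside the buffer boundary did not fall into
+`gprof` for analysis. Thus this "feature" help me to found this bug
+during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438
+
+Just in case, I will explicitly note that the problem breaks the
+`make test t=gmon/tst-gmon-dso` added for Bug 29438.
+There, the arc of the `f3()` call disappears from the output, since in
+the DSO case, the call to `f3` is located close to the end of the
+monitored range.
+
+Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>
+
+Another minor error seems a related typo in the calculation of
+`kcountsize`, but since kcounts are smaller than froms, this is
+actually to align the p->froms data.
+
+Co-authored-by: DJ Delorie <dj@redhat.com>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc]
+CVE: CVE-2023-0687
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+gmon/gmon.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/gmon/gmon.c b/gmon/gmon.c
+index dee6480..bf76358 100644
+--- a/gmon/gmon.c
++++ b/gmon/gmon.c
+@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc)
+p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER));
+p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER));
+p->textsize = p->highpc - p->lowpc;
++ /* This looks like a typo, but it's here to align the p->froms
++ section. */
+p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms));
+p->hashfraction = HASHFRACTION;
+p->log_hashfraction = -1;
+@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc)
+instead of integer division. Precompute shift amount. */
+p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1;
+}
+- p->fromssize = p->textsize / HASHFRACTION;
++ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
+p->tolimit = p->textsize * ARCDENSITY / 100;
+if (p->tolimit < MINARCS)
+p->tolimit = MINARCS;
+--
+2.7.4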
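Review bot: The new `p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));` line is the actual out-of-bounds-write fix, yet unlike the kcountsize line two hunks above it carries no comment saying why the rounding matters; a one-line note such as `/* Round up so the last hash slot indexed by _mcount lies inside the allocation (BZ 29444).  */` would stop a future cleanup from "simplifying" it back. The fix works by enlarging the buffer rather than by bounding the index in the writer, so whether `_mcount()` itself ever validates its computed slot cannot be confirmed from this patch and is worth checking in mcount.c when auditing the backport. The allocation that sums kcountsize, fromssize and tossize, and the rest of `__monstartup`, lie outside both hunks.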
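--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -79,6 +79,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
 file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
 file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \
+file://CVE-2023-0687.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"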