glibc: Security fix for CVE-2023-0687

Backport from https://sourceware.org/git/?p=glibc.git;a=patch;h=801af9fafd4689337ebf27260aa115335a0cb2bc (From OE-Core rev: d7c7e9acd5b5699e4a0c2c7f2664cce7a5a08641) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Shubham Kulkarni <skulkarni@mvista.com> 2023-03-06 16:48:05 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-14 14:59:10 +0000
commit: 770bb4a64a7862385420bd7e4aa4112d53951218 (patch)
tree: 3a04964e62e583ac2f8e65abac185da13944ad52
parent: d7fa5a35aae38687444e720ffdad649e096abaf9 (diff)
download: poky-770bb4a64a7862385420bd7e4aa4112d53951218.tar.gz
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
new file mode 100644
index 0000000000..10c7e5666d
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
@@ -0,0 +1,82 @@
+From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?=
+ =?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru>
+Date: Sat, 4 Feb 2023 14:41:38 +0300
+Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The `__monstartup()` allocates a buffer used to store all the data
+accumulated by the monitor.
+The size of this buffer depends on the size of the internal structures
+used and the address range for which the monitor is activated, as well
+as on the maximum density of call instructions and/or callable functions
+that could be potentially on a segment of executable code.
+In particular a hash table of arcs is placed at the end of this buffer.
+The size of this hash table is calculated in bytes as
+   p->fromssize = p->textsize / HASHFRACTION;
+but actually should be
+   p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
+This results in writing beyond the end of the allocated buffer when an
+added arc corresponds to a call near from the end of the monitored
+address range, since `_mcount()` check the incoming caller address for
+monitored range but not the intermediate result hash-like index that
+uses to write into the table.
+It should be noted that when the results are output to `gmon.out`, the
+table is read to the last element calculated from the allocated size in
+bytes, so the arcs stored outside the buffer boundary did not fall into
+`gprof` for analysis. Thus this "feature" help me to found this bug
+during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438
+Just in case, I will explicitly note that the problem breaks the
+`make test t=gmon/tst-gmon-dso` added for Bug 29438.
+There, the arc of the `f3()` call disappears from the output, since in
+the DSO case, the call to `f3` is located close to the end of the
+monitored range.
+Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>
+Another minor error seems a related typo in the calculation of
+`kcountsize`, but since kcounts are smaller than froms, this is
+actually to align the p->froms data.
+Co-authored-by: DJ Delorie <dj@redhat.com>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc]
+CVE: CVE-2023-0687
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ gmon/gmon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/gmon/gmon.c b/gmon/gmon.c
+index dee6480..bf76358 100644
+--- a/gmon/gmon.c
+++ b/gmon/gmon.c
+@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc)
+   p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER));
+   p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER));
+   p->textsize = p->highpc - p->lowpc;
+  /* This looks like a typo, but it's here to align the p->froms
+     section.  */
+   p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms));
+   p->hashfraction = HASHFRACTION;
+   p->log_hashfraction = -1;
+@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc)
+         instead of integer division.  Precompute shift amount. */
+       p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1;
+   }
+-  p->fromssize = p->textsize / HASHFRACTION;
+  p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
+   p->tolimit = p->textsize * ARCDENSITY / 100;
+   if (p->tolimit < MINARCS)
+     p->tolimit = MINARCS;
+--
+2.7.4
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 0c37467fe4..8d216f6ed1 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -79,6 +79,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
           file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
           file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \
+           file://CVE-2023-0687.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Shubham Kulkarni <skulkarni@mvista.com>	2023-03-06 16:48:05 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-14 14:59:10 +0000
commit	770bb4a64a7862385420bd7e4aa4112d53951218 (patch)
tree	3a04964e62e583ac2f8e65abac185da13944ad52
parent	d7fa5a35aae38687444e720ffdad649e096abaf9 (diff)
download	poky-770bb4a64a7862385420bd7e4aa4112d53951218.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch new file mode 100644 index 0000000000..10c7e5666d --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
@@ -0,0 +1,82 @@
		1	From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?=
		3	=?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru>
		4	Date: Sat, 4 Feb 2023 14:41:38 +0300
		5	Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444)
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	The `__monstartup()` allocates a buffer used to store all the data
		11	accumulated by the monitor.
		12
		13	The size of this buffer depends on the size of the internal structures
		14	used and the address range for which the monitor is activated, as well
		15	as on the maximum density of call instructions and/or callable functions
		16	that could be potentially on a segment of executable code.
		17
		18	In particular a hash table of arcs is placed at the end of this buffer.
		19	The size of this hash table is calculated in bytes as
		20	p->fromssize = p->textsize / HASHFRACTION;
		21
		22	but actually should be
		23	p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
		24
		25	This results in writing beyond the end of the allocated buffer when an
		26	added arc corresponds to a call near from the end of the monitored
		27	address range, since `_mcount()` check the incoming caller address for
		28	monitored range but not the intermediate result hash-like index that
		29	uses to write into the table.
		30
		31	It should be noted that when the results are output to `gmon.out`, the
		32	table is read to the last element calculated from the allocated size in
		33	bytes, so the arcs stored outside the buffer boundary did not fall into
		34	`gprof` for analysis. Thus this "feature" help me to found this bug
		35	during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438
		36
		37	Just in case, I will explicitly note that the problem breaks the
		38	`make test t=gmon/tst-gmon-dso` added for Bug 29438.
		39	There, the arc of the `f3()` call disappears from the output, since in
		40	the DSO case, the call to `f3` is located close to the end of the
		41	monitored range.
		42
		43	Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>
		44
		45	Another minor error seems a related typo in the calculation of
		46	`kcountsize`, but since kcounts are smaller than froms, this is
		47	actually to align the p->froms data.
		48
		49	Co-authored-by: DJ Delorie <dj@redhat.com>
		50	Reviewed-by: Carlos O'Donell <carlos@redhat.com>
		51
		52	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc]
		53	CVE: CVE-2023-0687
		54	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
		55	---
		56	gmon/gmon.c \| 4 +++-
		57	1 file changed, 3 insertions(+), 1 deletion(-)
		58
		59	diff --git a/gmon/gmon.c b/gmon/gmon.c
		60	index dee6480..bf76358 100644
		61	--- a/gmon/gmon.c
		62	+++ b/gmon/gmon.c
		63	@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc)
		64	p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER));
		65	p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER));
		66	p->textsize = p->highpc - p->lowpc;
		67	+ /* This looks like a typo, but it's here to align the p->froms
		68	+ section. */
		69	p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms));
		70	p->hashfraction = HASHFRACTION;
		71	p->log_hashfraction = -1;
		72	@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc)
		73	instead of integer division. Precompute shift amount. */
		74	p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1;
		75	}
		76	- p->fromssize = p->textsize / HASHFRACTION;
		77	+ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
		78	p->tolimit = p->textsize * ARCDENSITY / 100;
		79	if (p->tolimit < MINARCS)
		80	p->tolimit = MINARCS;
		81	--
		82	2.7.4


diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb index 0c37467fe4..8d216f6ed1 100644 --- a/meta/recipes-core/glibc/glibc_2.31.bb +++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -79,6 +79,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
79	file://0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \	79	file://0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
80	file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \	80	file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
81	file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \	81	file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \
		82	file://CVE-2023-0687.patch \
82	"	83	"
83	S = "${WORKDIR}/git"	84	S = "${WORKDIR}/git"
84	B = "${WORKDIR}/build-${TARGET_SYS}"	85	B = "${WORKDIR}/build-${TARGET_SYS}"