authorLee Chee Yang <chee.yang.lee@intel.com>2020-12-14 18:52:52 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-12-18 14:20:19 +0000
commit93b729ea91c5470451271d4246183d21f2bca6e9 (patch)
treecf28591f903c3160874d2ec78debb5e961ebeeb5
parent31e97c2cae0b54cd8858c8956d97a6d6f51fffdd (diff)
glibc: fix CVE-2020-29562
(From OE-Core rev: 6a38db98a4ace620415ce7829ec569c20cca3137) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-29562.patch156
-rw-r--r--meta/recipes-core/glibc/glibc_2.31.bb1
2 files changed, 157 insertions, 0 deletions
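diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
new file mode 100644
index 0000000000..c51fb3223a
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
@@ -0,0 +1,156 @@
+From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001
+From: Michael Colavita <mcolavita@fb.com>
+Date: Thu, 19 Nov 2020 11:44:40 -0500
+Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923)
+
+Previously, in UCS4 conversion routines we limit the number of
+characters we examine to the minimum of the number of characters in the
+input and the number of characters in the output. This is not the
+correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume
+an output character when we skip a code unit. Instead, track the input
+and output pointers and terminate the loop when either reaches its
+limit.
+
+This resolves assertion failures when resetting the input buffer in a step of
+iconv, which assumes that the input will be fully consumed given sufficient
+output space.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=228edd356f03bf62dcf2b1335f25d43c602ee68d]
+CVE: CVE-2020-29562
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ iconv/Makefile | 2 +-
+ iconv/gconv_simple.c | 16 ++++----------
+ iconv/tst-iconv8.c | 50 ++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 55 insertions(+), 13 deletions(-)
+ create mode 100644 iconv/tst-iconv8.c
+
+diff --git a/iconv/Makefile b/iconv/Makefile
+index 30bf996d3a..f9b51e23ec 100644
+--- a/iconv/Makefile
++++ b/iconv/Makefile
+@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION
+ CFLAGS-simple-hash.c += -I../locale
+
+ tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
+- tst-iconv7 tst-iconv-mt tst-iconv-opt
++ tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt
+
+ others = iconv_prog iconvconfig
+ install-others-programs = $(inst_bindir)/iconv
+diff --git a/iconv/gconv_simple.c b/iconv/gconv_simple.c
+index d4797fba17..963b29f246 100644
+--- a/iconv/gconv_simple.c
++++ b/iconv/gconv_simple.c
+@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ uint32_t inval;
+
+@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ if (__glibc_unlikely (inptr[0] > 0x80))
+ {
+@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ uint32_t inval;
+
+@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ if (__glibc_unlikely (inptr[3] > 0x80))
+ {
+diff --git a/iconv/tst-iconv8.c b/iconv/tst-iconv8.c
+new file mode 100644
+index 0000000000..0b92b19f66
+--- /dev/null
++++ b/iconv/tst-iconv8.c
+@@ -0,0 +1,50 @@
++/* Test iconv behavior on UCS4 conversions with //IGNORE.
++ Copyright (C) 2020 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++/* Derived from BZ #26923 */
++#include <errno.h>
++#include <iconv.h>
++#include <stdio.h>
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++ iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/");
++ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
++
++ /*
++ * Convert sequence beginning with an irreversible character into buffer that
++ * is too small.
++ */
++ char input[12] = "\xe1\x80\xa1" "AAAAAAAAA";
++ char *inptr = input;
++ size_t insize = sizeof (input);
++ char output[6];
++ char *outptr = output;
++ size_t outsize = sizeof (output);
++
++ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1);
++ TEST_VERIFY (errno == E2BIG);
++
++ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+--
+2.27.0
+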
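Review bot: The new bound `inptr + 4 <= inend && outptr + 4 <= outend` in `ucs4_internal_loop` (and identically in `ucs4_internal_loop_unaligned`, `ucs4le_internal_loop` and `ucs4le_internal_loop_unaligned`) forms a pointer past the limit whenever fewer than four bytes remain, which is undefined in C if `inend`/`outend` mark the end of the underlying buffer. Comparing the remaining lengths gives the same termination without that arithmetic: `for (; inend - inptr >= 4 && outend - outptr >= 4; inptr += 4)`. The loop bodies continue outside these hunks, so how `outptr` advances is not visible here. Because the file is a backport of the upstream commit named in its `Upstream-Status` line, any such change should be raised upstream rather than edited into this copy.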
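diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 3d486fbb59..3a0d60abf8 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -41,6 +41,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
  file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
  file://0028-inject-file-assembly-directives.patch \
  file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
+ file://CVE-2020-29562.patch \
  "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"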