authorArmin Kuster <akuster808@gmail.com>2015-12-17 04:32:06 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-30 12:03:15 (GMT)
commitfaf6ada4f27a280e60ba72096f54cc5d2351fa16 (patch)
treea9c637d27803aa30a6c5afc0de75f01a9f66bc54
parenta779191033f3fd1afcdcb7d4aeb4911ce48b13ed (diff)
glibc: Fixes a heap buffer overflow in glibc wscanf.
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472 https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html http://openwall.com/lists/oss-security/2015/02/04/1 Reference to upstream fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06 (From OE-Core rev: 5aa90eef9b503ba0ffb138e146add6f430dea917) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com> Hand applied. Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch108
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb1
2 files changed, 109 insertions, 0 deletions
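--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
@@ -0,0 +1,108 @@
+CVE-2015-1472: wscanf allocates too little memory
+
+BZ #16618
+
+Under certain conditions wscanf can allocate too little memory for the
+to-be-scanned arguments and overflow the allocated buffer. The
+implementation now correctly computes the required buffer size when
+using malloc.
+
+A regression test was added to tst-sscanf.
+
+Upstream-Status: Backport
+
+The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
+[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
+
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog 2015-09-22 10:20:14.399408389 +0200
++++ b/ChangeLog 2015-09-22 10:33:07.374388595 +0200
+@@ -1,3 +1,12 @@
++2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
++
++ [BZ #16618] CVE-2015-1472
++ * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
++ * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
++ size in bytes. Store needed elements in wpmax. Use needed size
++ in bytes for extend_alloca.
++
++
+ 2014-12-16 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #17630]
+diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
+--- a/stdio-common/tst-sscanf.c 2015-09-22 10:20:09.995596201 +0200
++++ b/stdio-common/tst-sscanf.c 2015-09-22 10:21:39.211791399 +0200
+@@ -233,5 +233,38 @@
+ }
+ }
+
++ /* BZ #16618
++ The test will segfault during SSCANF if the buffer overflow
++ is not fixed. The size of `s` is such that it forces the use
++ of malloc internally and this triggers the incorrect computation.
++ Thus the value for SIZE is arbitrariy high enough that malloc
++ is used. */
++ {
++#define SIZE 131072
++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
++ if (s == NULL)
++ abort ();
++ for (size_t i = 0; i < SIZE; i++)
++ s[i] = L('0');
++ s[SIZE] = L('\0');
++ int i = 42;
++ /* Scan multi-digit zero into `i`. */
++ if (SSCANF (s, L("%d"), &i) != 1)
++ {
++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
++ result = 1;
++ }
++ if (i != 0)
++ {
++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
++ result = 1;
++ }
++ free (s);
++ if (result != 1)
++ printf ("PASS: bug16618: Did not crash.\n");
++#undef SIZE
++ }
++
++
+ return result;
+ }
+diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
+--- a/stdio-common/vfscanf.c 2015-09-22 10:20:14.051423230 +0200
++++ b/stdio-common/vfscanf.c 2015-09-22 10:21:39.215791228 +0200
+@@ -279,9 +279,10 @@
+ if (__glibc_unlikely (wpsize == wpmax)) \
+ { \
+ CHAR_T *old = wp; \
+- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
+- ? UCHAR_MAX + 1 : 2 * wpmax); \
+- if (use_malloc || !__libc_use_alloca (newsize)) \
++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \
++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \
++ if (!__libc_use_alloca (newsize)) \
+ { \
+ wp = realloc (use_malloc ? wp : NULL, newsize); \
+ if (wp == NULL) \
+@@ -293,14 +294,13 @@
+ } \
+ if (! use_malloc) \
+ MEMCPY (wp, old, wpsize); \
+- wpmax = newsize; \
++ wpmax = wpneed; \
+ use_malloc = true; \
+ } \
+ else \
+ { \
+ size_t s = wpmax * sizeof (CHAR_T); \
+- wp = (CHAR_T *) extend_alloca (wp, s, \
+- newsize * sizeof (CHAR_T)); \
++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \
+ wpmax = s / sizeof (CHAR_T); \
+ if (old != NULL) \
+ MEMCPY (wp, old, wpsize); \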
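--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -46,6 +46,7 @@ CVEPATCHES = "\
 file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
 file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
 file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
+file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
 "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
 file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \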