author | Armin Kuster <akuster808@gmail.com> | 2015-12-16 20:32:06 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-01-30 12:03:15 +0000 |
commit | faf6ada4f27a280e60ba72096f54cc5d2351fa16 (patch) | |
tree | a9c637d27803aa30a6c5afc0de75f01a9f66bc54 /meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch | |
parent | a779191033f3fd1afcdcb7d4aeb4911ce48b13ed (diff) | |
download | poky-faf6ada4f27a280e60ba72096f54cc5d2351fa16.tar.gz |
glibc: Fixes a heap buffer overflow in glibc wscanf.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
http://openwall.com/lists/oss-security/2015/02/04/1
Reference to upstream fix:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
(From OE-Core rev: 5aa90eef9b503ba0ffb138e146add6f430dea917)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Hand applied.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch | 108 |
1 files changed, 108 insertions, 0 deletions
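--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
@@ -0,0 +1,108 @@
+CVE-2015-1472: wscanf allocates too little memory
+
+BZ #16618
+
+Under certain conditions wscanf can allocate too little memory for the
+to-be-scanned arguments and overflow the allocated buffer. The
+implementation now correctly computes the required buffer size when
+using malloc.
+
+A regression test was added to tst-sscanf.
+
+Upstream-Status: Backport
+
+The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
+[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
+
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog 2015-09-22 10:20:14.399408389 +0200
++++ b/ChangeLog 2015-09-22 10:33:07.374388595 +0200
+@@ -1,3 +1,12 @@
++2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
++
++ [BZ #16618] CVE-2015-1472
++ * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
++ * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
++ size in bytes. Store needed elements in wpmax. Use needed size
++ in bytes for extend_alloca.
++
++
+2014-12-16 Florian Weimer <fweimer@redhat.com>
+
+[BZ #17630]
+diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
+--- a/stdio-common/tst-sscanf.c 2015-09-22 10:20:09.995596201 +0200
++++ b/stdio-common/tst-sscanf.c 2015-09-22 10:21:39.211791399 +0200
+@@ -233,5 +233,38 @@
+}
+}
+
++ /* BZ #16618
++ The test will segfault during SSCANF if the buffer overflow
++ is not fixed. The size of `s` is such that it forces the use
++ of malloc internally and this triggers the incorrect computation.
++ Thus the value for SIZE is arbitrariy high enough that malloc
++ is used. */
++ {
++#define SIZE 131072
++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
++ if (s == NULL)
++ abort ();
++ for (size_t i = 0; i < SIZE; i++)
++ s[i] = L('0');
++ s[SIZE] = L('\0');
++ int i = 42;
++ /* Scan multi-digit zero into `i`. */
++ if (SSCANF (s, L("%d"), &i) != 1)
++ {
++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
++ result = 1;
++ }
++ if (i != 0)
++ {
++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
++ result = 1;
++ }
++ free (s);
++ if (result != 1)
++ printf ("PASS: bug16618: Did not crash.\n");
++#undef SIZE
++ }
++
++
+return result;
+}
+diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
+--- a/stdio-common/vfscanf.c 2015-09-22 10:20:14.051423230 +0200
++++ b/stdio-common/vfscanf.c 2015-09-22 10:21:39.215791228 +0200
+@@ -279,9 +279,10 @@
+if (__glibc_unlikely (wpsize == wpmax)) \
+{ \
+CHAR_T *old = wp; \
+- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
+- ? UCHAR_MAX + 1 : 2 * wpmax); \
+- if (use_malloc || !__libc_use_alloca (newsize)) \
++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \
++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \
++ if (!__libc_use_alloca (newsize)) \
+{ \
+wp = realloc (use_malloc ? wp : NULL, newsize); \
+if (wp == NULL) \
+@@ -293,14 +294,13 @@
+} \
+if (! use_malloc) \
+MEMCPY (wp, old, wpsize); \
+- wpmax = newsize; \
++ wpmax = wpneed; \
+use_malloc = true; \
+} \
+else \
+{ \
+size_t s = wpmax * sizeof (CHAR_T); \
+- wp = (CHAR_T *) extend_alloca (wp, s, \
+- newsize * sizeof (CHAR_T)); \
++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \
+wpmax = s / sizeof (CHAR_T); \
+if (old != NULL) \
+MEMCPY (wp, old, wpsize); \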
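Review bot: The patch header (lines 1-15 of the new file) gives `Upstream-Status: Backport` and the upstream commit URL but carries no `CVE:` tag and no `Signed-off-by:` for the person who hand-applied it, both of which the OE-Core patch header guidelines expect; I would add `CVE: CVE-2015-1472` directly under the Upstream-Status line and a `Signed-off-by:` trailer, since cve-check keys on that tag (the CVE id in the file name is only a fallback). Because the vfscanf.c hunk was hand applied, note that its new lines use `MAX` and `bool` without adding any include; confirm the target tree's vfscanf.c already has `<sys/param.h>` and `<stdbool.h>` in scope, as the upstream tree presumably did. The `_IO_vfscanf_internal` macro that hunk modifies begins and ends outside the quoted context, as does `main` in the tst-sscanf.c hunk, so the `result` variable the test writes is assumed, not shown, to be declared there.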