diff options
author | Khem Raj <raj.khem@gmail.com> | 2020-08-11 11:01:24 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-08-21 15:25:33 +0100 |
commit | 73b941cf53f9d8ce540f60c40e714b444933f623 (patch) | |
tree | 5525526659404df02a6bc0fdf9ba288330f6d83d /meta/recipes-core/glibc/glibc/CVE-2020-6096.patch | |
parent | 4b6faa9dada8d0ae7aba3a161429e4c1eab2fe21 (diff) | |
download | poky-73b941cf53f9d8ce540f60c40e714b444933f623.tar.gz |
glibc: Bring in CVE fixes and other bugfixes from 2.31 release branch
Drop 0016-Add-unused-attribute.patch since its fixed by Rewrite iconv
option parsing [BZ #19519] [1]
Upgrade to latest on 2.31 branch which brings following bug fixes
* 6fdf971c9db (origin/release/2.31/master) Add NEWS entry for CVE-2016-10228 (bug 19519)
* 70d585151c0 Rewrite iconv option parsing [BZ #19519]
* 1c8efe848bf powerpc: Fix incorrect cache line size load in memset (bug 26332)
* 7611339a9b5 nptl: Zero-extend arguments to SETXID syscalls [BZ #26248]
* 21b760cc2fa Disable warnings due to deprecated libselinux symbols used by nss and nscd
* 6f3459f9859 Add NEWS entry for CVE-2020-6096 (bug 25620)
* 64246fccafc arm: CVE-2020-6096: Fix multiarch memcpy for negative length [BZ #25620]
* 9bbd2b61729 arm: CVE-2020-6096: fix memcpy and memmove for negative length [BZ #25620]
* 4e8a33a9590 NEWS: Mention BZ 25933 fix
* fd15ba932d2 Fix avx2 strncmp offset compare condition check [BZ #25933]
* 3a44844c97a nss_compat: internal_end*ent may clobber errno, hiding ERANGE [BZ #25976]
* c8391752678 aarch64: fix strcpy and strnlen for big-endian [BZ #25824]
* 10947412240 aarch64: Accept PLT calls to __getauxval within libc.so
* a98b8b221cf NEWS: Mention fixes for BZ 25810/25896/25902/25966
* 4c833bbebe3 x86-64: Use RDX_LP on __x86_shared_non_temporal_threshold [BZ #25966]
* 3b9ceb33204 NEWS: Mention bug 25639 fixed in 2.31 branch
* bb44fe7711a oc_FR locale: Fix spelling of April (bug 25639)
* f2ac7920474 oc_FR locale: Fix spelling of Thursday (bug 25639)
* 18fdba553dd Add a C wrapper for prctl [BZ #25896]
* 7c9e054afdd powerpc: Rename argN to _argN in LOADARGS_N [BZ #25902]
* 9c5ae39a644 Add C wrappers for process_vm_readv/process_vm_writev [BZ #25810]
* 63c3696a4ac Mark unsigned long arguments with U in more syscalls [BZ #25810]
* 5b9d49293b7 Add a syscall test for [BZ #25810]
* 496b5963a75 Add SYSCALL_ULONG_ARG_[12] to pass long to syscall [BZ #25810]
* 04330f85263 x32: Properly pass long to syscall [BZ #25810]
* de371d1581f Fix build with GCC 10 when long double = double.
* ece4e11d55d Add new file missed in previous hppa commit.
* 91b909315c4 Fix data race in setting function descriptors during lazy binding on hppa.
* b999c0098ae nios2: delete sysdeps/unix/sysv/linux/nios2/kernel-features.h
* 54ba2541b3a mips: Fix bracktrace result for signal frames
* 83d3eec6728 stdlib: Move tst-system to tests-container
* ad9b0037ccc support/shell-container.c: Add builtin kill
* 2448ba1d724 support/shell-container.c: Add builtin exit
* 5810e6d75ff support/shell-container.c: Return 127 if execve fails
* d39fb022c26 Add NEWS entry for CVE-2020-1751 (bug 25423)
* 46bbbd46223 posix: Fix system error return value [BZ #25715]
* 3937f6806d9 Add NEWS entry for CVE-2020-1752 (bug 25414)
* ab029a2801d Fix use-after-free in glob when expanding ~user (bug 25414)
* a3189fb15b4 Update syscall lists for Linux 5.5.
* 05c08d5aea9 NEWS: update list of bugs fixed on the 2.31 branch
* 123d48b33a5 Add NEWS entry for CVE-2020-10029 (bug 25487)
* 03f44ce0938 math/test-sinl-pseudo: Use stack protector only if available
* e85a88e00c1 sparc: Move sigreturn stub to assembly
* a9ae2062d57 arm: Fix softp-fp Implies (BZ #25635)
* da6ce60e3cb linux/sysipc: Include linux/posix_types.h for __kernel_mode_t
* 9db2970506c linux: Clear mode_t padding bits (BZ#25623)
* 44f2c26ee4f i386: Use comdat instead of .gnu.linkonce for i386 setup pic register (BZ #20543)
* f2d95cf030f Improve IFUNC check [BZ #25506]
* 9f997ceca28 Avoid ldbl-96 stack corruption from range reduction of pseudo-zero (bug 25487).
[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=70d585151c03ede999bd2ad5a724243914cb5f54
(From OE-Core rev: e03433fd52af298a4b177f36314728f916dd1ac2)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/glibc/glibc/CVE-2020-6096.patch')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2020-6096.patch | 112 |
1 files changed, 0 insertions, 112 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch deleted file mode 100644 index 9c26f76432..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch +++ /dev/null | |||
@@ -1,112 +0,0 @@ | |||
1 | From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Anisimov <a.anisimov@omprussia.ru> | ||
3 | Date: Wed, 8 Jul 2020 14:18:31 +0200 | ||
4 | Subject: [PATCH] arm: CVE-2020-6096: Fix multiarch memcpy for negative length | ||
5 | [BZ #25620] | ||
6 | |||
7 | Unsigned branch instructions could be used for r2 to fix the wrong | ||
8 | behavior when a negative length is passed to memcpy. | ||
9 | This commit fixes the armv7 version. | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2020-6096 patch #1 | ||
13 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
14 | |||
15 | --- | ||
16 | sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++----------- | ||
17 | 1 file changed, 11 insertions(+), 11 deletions(-) | ||
18 | |||
19 | diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S | ||
20 | index bf4ac7077f..379bb56fc9 100644 | ||
21 | --- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S | ||
22 | +++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S | ||
23 | @@ -268,7 +268,7 @@ ENTRY(memcpy) | ||
24 | |||
25 | mov dst, dstin /* Preserve dstin, we need to return it. */ | ||
26 | cmp count, #64 | ||
27 | - bge .Lcpy_not_short | ||
28 | + bhs .Lcpy_not_short | ||
29 | /* Deal with small copies quickly by dropping straight into the | ||
30 | exit block. */ | ||
31 | |||
32 | @@ -351,10 +351,10 @@ ENTRY(memcpy) | ||
33 | |||
34 | 1: | ||
35 | subs tmp2, count, #64 /* Use tmp2 for count. */ | ||
36 | - blt .Ltail63aligned | ||
37 | + blo .Ltail63aligned | ||
38 | |||
39 | cmp tmp2, #512 | ||
40 | - bge .Lcpy_body_long | ||
41 | + bhs .Lcpy_body_long | ||
42 | |||
43 | .Lcpy_body_medium: /* Count in tmp2. */ | ||
44 | #ifdef USE_VFP | ||
45 | @@ -378,7 +378,7 @@ ENTRY(memcpy) | ||
46 | add src, src, #64 | ||
47 | vstr d1, [dst, #56] | ||
48 | add dst, dst, #64 | ||
49 | - bge 1b | ||
50 | + bhs 1b | ||
51 | tst tmp2, #0x3f | ||
52 | beq .Ldone | ||
53 | |||
54 | @@ -412,7 +412,7 @@ ENTRY(memcpy) | ||
55 | ldrd A_l, A_h, [src, #64]! | ||
56 | strd A_l, A_h, [dst, #64]! | ||
57 | subs tmp2, tmp2, #64 | ||
58 | - bge 1b | ||
59 | + bhs 1b | ||
60 | tst tmp2, #0x3f | ||
61 | bne 1f | ||
62 | ldr tmp2,[sp], #FRAME_SIZE | ||
63 | @@ -482,7 +482,7 @@ ENTRY(memcpy) | ||
64 | add src, src, #32 | ||
65 | |||
66 | subs tmp2, tmp2, #prefetch_lines * 64 * 2 | ||
67 | - blt 2f | ||
68 | + blo 2f | ||
69 | 1: | ||
70 | cpy_line_vfp d3, 0 | ||
71 | cpy_line_vfp d4, 64 | ||
72 | @@ -494,7 +494,7 @@ ENTRY(memcpy) | ||
73 | add dst, dst, #2 * 64 | ||
74 | add src, src, #2 * 64 | ||
75 | subs tmp2, tmp2, #prefetch_lines * 64 | ||
76 | - bge 1b | ||
77 | + bhs 1b | ||
78 | |||
79 | 2: | ||
80 | cpy_tail_vfp d3, 0 | ||
81 | @@ -615,8 +615,8 @@ ENTRY(memcpy) | ||
82 | 1: | ||
83 | pld [src, #(3 * 64)] | ||
84 | subs count, count, #64 | ||
85 | - ldrmi tmp2, [sp], #FRAME_SIZE | ||
86 | - bmi .Ltail63unaligned | ||
87 | + ldrlo tmp2, [sp], #FRAME_SIZE | ||
88 | + blo .Ltail63unaligned | ||
89 | pld [src, #(4 * 64)] | ||
90 | |||
91 | #ifdef USE_NEON | ||
92 | @@ -633,7 +633,7 @@ ENTRY(memcpy) | ||
93 | neon_load_multi d0-d3, src | ||
94 | neon_load_multi d4-d7, src | ||
95 | subs count, count, #64 | ||
96 | - bmi 2f | ||
97 | + blo 2f | ||
98 | 1: | ||
99 | pld [src, #(4 * 64)] | ||
100 | neon_store_multi d0-d3, dst | ||
101 | @@ -641,7 +641,7 @@ ENTRY(memcpy) | ||
102 | neon_store_multi d4-d7, dst | ||
103 | neon_load_multi d4-d7, src | ||
104 | subs count, count, #64 | ||
105 | - bpl 1b | ||
106 | + bhs 1b | ||
107 | 2: | ||
108 | neon_store_multi d0-d3, dst | ||
109 | neon_store_multi d4-d7, dst | ||
110 | -- | ||
111 | 2.17.1 | ||
112 | |||