author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-02-03 11:59:17 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-02-04 01:07:53 +0100 |
commit | c15130e80eb40e80dccc140ca79cae8b01324e04 (patch) | |
tree | 66bebdbfd7c1c9edadee64d814b78463fdd004d7 /meta/recipes-core/glibc | |
parent | 1ad606237b61bc851e25976ba69f458374287f78 (diff) | |
glibc: CVE-2015-8778
Fixes integer overflow in hcreate and hcreate_r.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8778
Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=18240
CVE assignment: http://seclists.org/oss-sec/2016/q1/153
Upstream fix:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=287de30e170cb765ed326d23d22791a81aab6e0f
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-core/glibc')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2015-8778.patch | 187 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.20.bb | 1 |
2 files changed, 188 insertions, 0 deletions
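--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8778.patch
@@ -0,0 +1,187 @@
+From 287de30e170cb765ed326d23d22791a81aab6e0f Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 28 Jan 2016 13:59:11 +0100
+Subject: [PATCH] Improve check against integer wraparound in hcreate_r [BZ
+#18240]
+
+Upstream-Status: Backport
+CVE: CVE-2015-8778
+[Yocto # 8980]
+
+(cherry picked from commit bae7c7c764413b23e61cb099ce33be4c4ee259bb)
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ChangeLog | 13 ++++++++++
+misc/Makefile | 2 +-
+misc/bug18240.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+misc/hsearch_r.c | 28 ++++++++++++---------
+4 files changed, 106 insertions(+), 12 deletions(-)
+create mode 100644 misc/bug18240.c
+
+diff --git a/ChangeLog b/ChangeLog
+index ed4a5fa..d86dc22 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,16 @@
++2016-01-27 Paul Eggert <eggert@cs.ucla.edu>
++
++ [BZ #18240]
++ * misc/hsearch_r.c (isprime, __hcreate_r): Protect against
++ unsigned int wraparound.
++
++2016-01-27 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #18240]
++ * misc/bug18240.c: New test.
++ * misc/Makefile (tests): Add it.
++
++
+2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+[BZ #18985]
+diff --git a/misc/Makefile b/misc/Makefile
+index 95da2cd..db09d12 100644
+--- a/misc/Makefile
++++ b/misc/Makefile
+@@ -83,7 +83,7 @@ install-lib := libg.a
+gpl2lgpl := error.c error.h
+
+tests := tst-dirname tst-tsearch tst-fdset tst-mntent tst-hsearch \
+- tst-pselect tst-insremque tst-mntent2 bug-hsearch1
++ tst-pselect tst-insremque tst-mntent2 bug-hsearch1 bug18240
+tests-$(OPTION_POSIX_WIDE_CHAR_DEVICE_IO) += tst-error1
+tests-$(OPTION_EGLIBC_FCVT) += tst-efgcvt
+ifeq ($(run-built-tests),yes)
+diff --git a/misc/bug18240.c b/misc/bug18240.c
+new file mode 100644
+index 0000000..4b26865
+--- /dev/null
++++ b/misc/bug18240.c
+@@ -0,0 +1,75 @@
++/* Test integer wraparound in hcreate.
++ Copyright (C) 2016 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <limits.h>
++#include <search.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++static void
++test_size (size_t size)
++{
++ int res = hcreate (size);
++ if (res == 0)
++ {
++ if (errno == ENOMEM)
++ return;
++ printf ("error: hcreate (%zu): %m\n", size);
++ exit (1);
++ }
++ char *keys[100];
++ for (int i = 0; i < 100; ++i)
++ {
++ if (asprintf (keys + i, "%d", i) < 0)
++ {
++ printf ("error: asprintf: %m\n");
++ exit (1);
++ }
++ ENTRY e = { keys[i], (char *) "value" };
++ if (hsearch (e, ENTER) == NULL)
++ {
++ printf ("error: hsearch (\"%s\"): %m\n", keys[i]);
++ exit (1);
++ }
++ }
++ hdestroy ();
++
++ for (int i = 0; i < 100; ++i)
++ free (keys[i]);
++}
++
++static int
++do_test (void)
++{
++ test_size (500);
++ test_size (-1);
++ test_size (-3);
++ test_size (INT_MAX - 2);
++ test_size (INT_MAX - 1);
++ test_size (INT_MAX);
++ test_size (((unsigned) INT_MAX) + 1);
++ test_size (UINT_MAX - 2);
++ test_size (UINT_MAX - 1);
++ test_size (UINT_MAX);
++ return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
+index 81c27d8..746fcaa 100644
+--- a/misc/hsearch_r.c
++++ b/misc/hsearch_r.c
+@@ -46,15 +46,12 @@ static int
+isprime (unsigned int number)
+{
+/* no even number will be passed */
+- unsigned int div = 3;
+-
+- while (div * div < number && number % div != 0)
+- div += 2;
+-
+- return number % div != 0;
++ for (unsigned int div = 3; div <= number / div; div += 2)
++ if (number % div == 0)
++ return 0;
++ return 1;
+}
+
+-
+/* Before using the hash table we must allocate memory for it.
+Test for an existing table are done. We allocate one element
+more as the found prime number says. This is done for more effective
+@@ -81,10 +78,19 @@ hcreate_r (nel, htab)
+use will not work. */
+if (nel < 3)
+nel = 3;
+- /* Change nel to the first prime number not smaller as nel. */
+- nel |= 1; /* make odd */
+- while (!isprime (nel))
+- nel += 2;
++
++ /* Change nel to the first prime number in the range [nel, UINT_MAX - 2],
++ The '- 2' means 'nel += 2' cannot overflow. */
++ for (nel |= 1; ; nel += 2)
++ {
++ if (UINT_MAX - 2 < nel)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++ if (isprime (nel))
++ break;
++ }
+
+htab->size = nel;
+htab->filled = 0;
+--
+1.9.1
+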
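Review bot: In the new test misc/bug18240.c, `test_size` accepts only `ENOMEM` as a failure, yet requests such as `test_size (INT_MAX)` stay below the new `UINT_MAX - 2` limit in hcreate_r, so they go on to the table allocation, which lies outside the hunk. On a 64-bit host that allocation may well succeed, and the test then maps a table of about two billion entries, so its memory use and run time depend on the host's limits and overcommit settings rather than on the wraparound check. I would cap the address space at the top of `do_test`, for example `struct rlimit limit = { 1UL << 30, 1UL << 30 };` followed by `setrlimit (RLIMIT_AS, &limit);`, with `#include <sys/resource.h>` added to the includes. With that cap the oversized cases should fail with ENOMEM on every host while `test_size (500)` still succeeds.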
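--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -53,6 +53,7 @@ CVEPATCHES = "\
 file://CVE-2014-9761_2.patch \
 file://CVE-2015-8776.patch \
 file://CVE-2015-8777.patch \
+file://CVE-2015-8778.patch \
 "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
 file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \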