glibc: Security fix for CVE-2017-8804

Source: https://sourceware.org MR: 74337 Type: Security Fix Disposition: Backport from https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html ChangeID: c8c51220e40185dd0ac3d657046e70b82cb94bee Description: CVE-2017-8804 sunrpc: xdr_bytes/xdr_string need to free buffer on error [BZ #21461] Affects: glibc < 2.25 (From OE-Core rev: b7099c48641f5db6ec7831a48c9d9c5e9e9de6f9) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Rajkumar Veer <rveer@mvista.com> 2017-09-22 21:01:23 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-12-09 14:34:35 +0000
commit: b6a0e9dd646501e5dc477f73180d6db1153aa004 (patch)
tree: 4ff2d85070444c9b95135d51800cad0da21c3218 /meta/recipes-core/glibc
parent: bc8d34a327c50cb2ced295aa1105300783de322c (diff)
download: poky-b6a0e9dd646501e5dc477f73180d6db1153aa004.tar.gz
2 files changed, 233 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-8804.patch b/meta/recipes-core/glibc/glibc/CVE-2017-8804.patch
new file mode 100644
index 0000000000..5e5bbe278c
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-8804.patch
@@ -0,0 +1,232 @@
+From: fweimer at redhat dot com (Florian Weimer)
+Date: Fri, 05 May 2017 15:18:28 +0200
+Subject: [PATCH] sunrpc: xdr_bytes/xdr_string need to free buffer on error [BZ #21461]
+[BZ #21461]
+Upstream-Status: Backport
+CVE: CVE-2017-8804
+Signed-off-by: Rajkumar Veer<rveer@mvista.
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -20,6 +20,9 @@ using `glibc' in the "product" field.
+   [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
+ Version 2.24
+ 
+* The xdr_bytes and xdr_string routines free the internally allocated buffer
+  if deserialization of the buffer contents fails for any reason.
+
+ * The minimum Linux kernel version that this version of the GNU C Library
+   can be used with is 3.2, except on i[4567]86 and x86_64, where Linux
+   kernel version 2.6.32 or later suffices (on architectures that already
+Index: git/sunrpc/Makefile
+===================================================================
+--- git.orig/sunrpc/Makefile
+++ git/sunrpc/Makefile
+@@ -96,9 +96,16 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_
+ extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
+ others += rpcgen
+ 
+-tests = tst-xdrmem tst-xdrmem2 test-rpcent
+tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3
+ xtests := tst-getmyaddr
+ 
+tests-special += $(objpfx)mtrace-tst-xdrmem3.out
+generated += mtrace-tst-xdrmem3.out tst-xdrmem3.mtrace
+tst-xdrmem3-ENV = MALLOC_TRACE=$(objpfx)tst-xdrmem3.mtrace
+$(objpfx)mtrace-tst-xdrmem3.out: $(objpfx)tst-xdrmem3.out
+       $(common-objpfx)malloc/mtrace $(objpfx)tst-xdrmem3.mtrace > $@; \
+       $(evaluate-test)
+
+ ifeq ($(have-thread-library),yes)
+ xtests += thrsvc
+ endif
+@@ -153,6 +160,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS)
+ $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
+$(objpfx)tst-xdrmem3: $(common-objpfx)linkobj/libc.so
+ 
+ $(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))
+ 
+Index: git/sunrpc/tst-xdrmem3.c
+===================================================================
+--- /dev/null
+++ git/sunrpc/tst-xdrmem3.c
+@@ -0,0 +1,83 @@
+/* Test xdr_bytes, xdr_string behavior on deserialization failure.
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <mcheck.h>
+#include <rpc/rpc.h>
+#include <support/check.h>
+#include <support/support.h>
+
+static int
+do_test (void)
+{
+  mtrace ();
+
+  /* If do_own_buffer, allocate the buffer and pass it to the
+     deserialization routine.  Otherwise the routine is requested to
+     allocate the buffer.  */
+  for (int do_own_buffer = 0; do_own_buffer < 2; ++do_own_buffer)
+    {
+      /* Length 16 MiB, but only 2 bytes of data in the packet.  */
+      unsigned char buf[] = "\x01\x00\x00\x00\xff";
+      XDR xdrs;
+      char *result;
+      unsigned int result_len;
+
+      /* Test xdr_bytes.  */
+      xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
+      result_len = 0;
+      if (do_own_buffer)
+        {
+          char *own_buffer = xmalloc (10);
+          result = own_buffer;
+          TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, 10));
+          TEST_VERIFY (result == own_buffer);
+          free (own_buffer);
+        }
+      else
+        {
+          result = NULL;
+          TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, -1));
+          TEST_VERIFY (result == NULL);
+        }
+      TEST_VERIFY (result_len == 16 * 1024 * 1024);
+      xdr_destroy (&xdrs);
+
+      /* Test xdr_string.  */
+      xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
+      if (do_own_buffer)
+        {
+          char *own_buffer = xmalloc (10);
+          result = own_buffer;
+          TEST_VERIFY (!xdr_string (&xdrs, &result, 10));
+          TEST_VERIFY (result == own_buffer);
+          free (own_buffer);
+        }
+      else
+        {
+          result = NULL;
+          TEST_VERIFY (!xdr_string (&xdrs, &result, -1));
+          TEST_VERIFY (result == NULL);
+        }
+      xdr_destroy (&xdrs);
+    }
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+
+Index: git/sunrpc/xdr.c
+===================================================================
+--- git.orig/sunrpc/xdr.c
+++ git/sunrpc/xdr.c
+@@ -620,14 +620,24 @@ xdr_bytes (XDR *xdrs, char **cpp, u_int
+        }
+       if (sp == NULL)
+        {
+-         *cpp = sp = (char *) mem_alloc (nodesize);
+-       }
+-      if (sp == NULL)
+-       {
+-         (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
+         sp = (char *) mem_alloc (nodesize);
+         if (sp == NULL)
+           {
+             (void) __fxprintf (NULL, "%s: %s", __func__,
+                                _("out of memory\n"));
+             return FALSE;
+           }
+       }
+      if (!xdr_opaque (xdrs, sp, nodesize))
+       {
+         if (sp != *cpp)
+           /* *cpp was NULL, so this function allocated a new
+              buffer.  */
+           free (sp);
+          return FALSE;
+        }
+-      /* fall into ... */
+      *cpp = sp;
+      return TRUE;
+ 
+     case XDR_ENCODE:
+       return xdr_opaque (xdrs, sp, nodesize);
+@@ -781,14 +791,27 @@ xdr_string (XDR *xdrs, char **cpp, u_int
+     {
+     case XDR_DECODE:
+       if (sp == NULL)
+-       *cpp = sp = (char *) mem_alloc (nodesize);
+-      if (sp == NULL)
+        {
+-         (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
+-         return FALSE;
+         sp = (char *) mem_alloc (nodesize);
+         if (sp == NULL)
+           {
+             (void) __fxprintf (NULL, "%s: %s", __func__,
+                                _("out of memory\n"));
+             return FALSE;
+           }
+        }
+       sp[size] = 0;
+-      /* fall into ... */
+
+      if (!xdr_opaque (xdrs, sp, size))
+       {
+         if (sp != *cpp)
+           /* *cpp was NULL, so this function allocated a new
+              buffer.  */
+           free (sp);
+         return FALSE;
+       }
+      *cpp = sp;
+      return TRUE;
+ 
+     case XDR_ENCODE:
+       return xdr_opaque (xdrs, sp, size);
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,16 @@
+2017-05-05  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #21461]
+       * sunrpc/xdr.c (xdr_bytes): Deallocate allocated buffer on error.
+       (xdr_string): Likewise.
+       * sunrpc/Makefile (tests): Add tst-xdrmem3.
+       (tests-special): Add mtrace-tst-xdrmem3.out.
+       (generated): Add mtrace-tst-xdrmem3.out, tst-xdrmem3.mtrace.
+       (tst-xdrmem3-ENV): Set MALLOC_TRACE.
+       (mtrace-tst-xdrmem3.out): Run mtrace.
+       (tst-xdrmem3): Link against full libc.
+       * sunrpc/tst-xdrmem3.c: New file.
+
+ 2017-06-14  Florian Weimer  <fweimer@redhat.com>
+ 
+        * sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard.
diff --git a/meta/recipes-core/glibc/glibc_2.24.bb b/meta/recipes-core/glibc/glibc_2.24.bb
index 359379bac5..966be34405 100644
--- a/meta/recipes-core/glibc/glibc_2.24.bb
+++ b/meta/recipes-core/glibc/glibc_2.24.bb
@@ -56,6 +56,7 @@ SRC_URI += "\
           file://etc/ld.so.conf \
           file://generate-supported.mk \
           file://0001-locale-fix-hard-coded-reference-to-gcc-E.patch \
+           file://CVE-2017-8804.patch \
           "
 SRC_URI_append_class-nativesdk = "\
author	Rajkumar Veer <rveer@mvista.com>	2017-09-22 21:01:23 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-12-09 14:34:35 +0000
commit	b6a0e9dd646501e5dc477f73180d6db1153aa004 (patch)
tree	4ff2d85070444c9b95135d51800cad0da21c3218 /meta/recipes-core/glibc
parent	bc8d34a327c50cb2ced295aa1105300783de322c (diff)
download	poky-b6a0e9dd646501e5dc477f73180d6db1153aa004.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-8804.patch b/meta/recipes-core/glibc/glibc/CVE-2017-8804.patch new file mode 100644 index 0000000000..5e5bbe278c --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-8804.patch
@@ -0,0 +1,232 @@
		1	From: fweimer at redhat dot com (Florian Weimer)
		2	Date: Fri, 05 May 2017 15:18:28 +0200
		3	Subject: [PATCH] sunrpc: xdr_bytes/xdr_string need to free buffer on error [BZ #21461]
		4
		5	[BZ #21461]
		6
		7	Upstream-Status: Backport
		8
		9	CVE: CVE-2017-8804
		10	Signed-off-by: Rajkumar Veer<rveer@mvista.
		11
		12	Index: git/NEWS
		13	===================================================================
		14	--- git.orig/NEWS
		15	+++ git/NEWS
		16	@@ -20,6 +20,9 @@ using `glibc' in the "product" field.
		17	[21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
		18	Version 2.24
		19
		20	+* The xdr_bytes and xdr_string routines free the internally allocated buffer
		21	+ if deserialization of the buffer contents fails for any reason.
		22	+
		23	* The minimum Linux kernel version that this version of the GNU C Library
		24	can be used with is 3.2, except on i[4567]86 and x86_64, where Linux
		25	kernel version 2.6.32 or later suffices (on architectures that already
		26	Index: git/sunrpc/Makefile
		27	===================================================================
		28	--- git.orig/sunrpc/Makefile
		29	+++ git/sunrpc/Makefile
		30	@@ -96,9 +96,16 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_
		31	extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
		32	others += rpcgen
		33
		34	-tests = tst-xdrmem tst-xdrmem2 test-rpcent
		35	+tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3
		36	xtests := tst-getmyaddr
		37
		38	+tests-special += $(objpfx)mtrace-tst-xdrmem3.out
		39	+generated += mtrace-tst-xdrmem3.out tst-xdrmem3.mtrace
		40	+tst-xdrmem3-ENV = MALLOC_TRACE=$(objpfx)tst-xdrmem3.mtrace
		41	+$(objpfx)mtrace-tst-xdrmem3.out: $(objpfx)tst-xdrmem3.out
		42	+ $(common-objpfx)malloc/mtrace $(objpfx)tst-xdrmem3.mtrace > $@; \
		43	+ $(evaluate-test)
		44	+
		45	ifeq ($(have-thread-library),yes)
		46	xtests += thrsvc
		47	endif
		48	@@ -153,6 +160,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS)
		49	$(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
		50	$(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
		51	$(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
		52	+$(objpfx)tst-xdrmem3: $(common-objpfx)linkobj/libc.so
		53
		54	$(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))
		55
		56	Index: git/sunrpc/tst-xdrmem3.c
		57	===================================================================
		58	--- /dev/null
		59	+++ git/sunrpc/tst-xdrmem3.c
		60	@@ -0,0 +1,83 @@
		61	+/* Test xdr_bytes, xdr_string behavior on deserialization failure.
		62	+ Copyright (C) 2017 Free Software Foundation, Inc.
		63	+ This file is part of the GNU C Library.
		64	+
		65	+ The GNU C Library is free software; you can redistribute it and/or
		66	+ modify it under the terms of the GNU Lesser General Public
		67	+ License as published by the Free Software Foundation; either
		68	+ version 2.1 of the License, or (at your option) any later version.
		69	+
		70	+ The GNU C Library is distributed in the hope that it will be useful,
		71	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
		72	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		73	+ Lesser General Public License for more details.
		74	+
		75	+ You should have received a copy of the GNU Lesser General Public
		76	+ License along with the GNU C Library; if not, see
		77	+ <http://www.gnu.org/licenses/>. */
		78	+
		79	+#include <mcheck.h>
		80	+#include <rpc/rpc.h>
		81	+#include <support/check.h>
		82	+#include <support/support.h>
		83	+
		84	+static int
		85	+do_test (void)
		86	+{
		87	+ mtrace ();
		88	+
		89	+ /* If do_own_buffer, allocate the buffer and pass it to the
		90	+ deserialization routine. Otherwise the routine is requested to
		91	+ allocate the buffer. */
		92	+ for (int do_own_buffer = 0; do_own_buffer < 2; ++do_own_buffer)
		93	+ {
		94	+ /* Length 16 MiB, but only 2 bytes of data in the packet. */
		95	+ unsigned char buf[] = "\x01\x00\x00\x00\xff";
		96	+ XDR xdrs;
		97	+ char *result;
		98	+ unsigned int result_len;
		99	+
		100	+ /* Test xdr_bytes. */
		101	+ xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
		102	+ result_len = 0;
		103	+ if (do_own_buffer)
		104	+ {
		105	+ char *own_buffer = xmalloc (10);
		106	+ result = own_buffer;
		107	+ TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, 10));
		108	+ TEST_VERIFY (result == own_buffer);
		109	+ free (own_buffer);
		110	+ }
		111	+ else
		112	+ {
		113	+ result = NULL;
		114	+ TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, -1));
		115	+ TEST_VERIFY (result == NULL);
		116	+ }
		117	+ TEST_VERIFY (result_len == 16 * 1024 * 1024);
		118	+ xdr_destroy (&xdrs);
		119	+
		120	+ /* Test xdr_string. */
		121	+ xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
		122	+ if (do_own_buffer)
		123	+ {
		124	+ char *own_buffer = xmalloc (10);
		125	+ result = own_buffer;
		126	+ TEST_VERIFY (!xdr_string (&xdrs, &result, 10));
		127	+ TEST_VERIFY (result == own_buffer);
		128	+ free (own_buffer);
		129	+ }
		130	+ else
		131	+ {
		132	+ result = NULL;
		133	+ TEST_VERIFY (!xdr_string (&xdrs, &result, -1));
		134	+ TEST_VERIFY (result == NULL);
		135	+ }
		136	+ xdr_destroy (&xdrs);
		137	+ }
		138	+
		139	+ return 0;
		140	+}
		141	+
		142	+#include <support/test-driver.c>
		143	+
		144	Index: git/sunrpc/xdr.c
		145	===================================================================
		146	--- git.orig/sunrpc/xdr.c
		147	+++ git/sunrpc/xdr.c
		148	@@ -620,14 +620,24 @@ xdr_bytes (XDR xdrs, char *cpp, u_int
		149	}
		150	if (sp == NULL)
		151	{
		152	- cpp = sp = (char ) mem_alloc (nodesize);
		153	- }
		154	- if (sp == NULL)
		155	- {
		156	- (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
		157	+ sp = (char *) mem_alloc (nodesize);
		158	+ if (sp == NULL)
		159	+ {
		160	+ (void) __fxprintf (NULL, "%s: %s", __func__,
		161	+ _("out of memory\n"));
		162	+ return FALSE;
		163	+ }
		164	+ }
		165	+ if (!xdr_opaque (xdrs, sp, nodesize))
		166	+ {
		167	+ if (sp != *cpp)
		168	+ /* *cpp was NULL, so this function allocated a new
		169	+ buffer. */
		170	+ free (sp);
		171	return FALSE;
		172	}
		173	- /* fall into ... */
		174	+ *cpp = sp;
		175	+ return TRUE;
		176
		177	case XDR_ENCODE:
		178	return xdr_opaque (xdrs, sp, nodesize);
		179	@@ -781,14 +791,27 @@ xdr_string (XDR xdrs, char *cpp, u_int
		180	{
		181	case XDR_DECODE:
		182	if (sp == NULL)
		183	- cpp = sp = (char ) mem_alloc (nodesize);
		184	- if (sp == NULL)
		185	{
		186	- (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
		187	- return FALSE;
		188	+ sp = (char *) mem_alloc (nodesize);
		189	+ if (sp == NULL)
		190	+ {
		191	+ (void) __fxprintf (NULL, "%s: %s", __func__,
		192	+ _("out of memory\n"));
		193	+ return FALSE;
		194	+ }
		195	}
		196	sp[size] = 0;
		197	- /* fall into ... */
		198	+
		199	+ if (!xdr_opaque (xdrs, sp, size))
		200	+ {
		201	+ if (sp != *cpp)
		202	+ /* *cpp was NULL, so this function allocated a new
		203	+ buffer. */
		204	+ free (sp);
		205	+ return FALSE;
		206	+ }
		207	+ *cpp = sp;
		208	+ return TRUE;
		209
		210	case XDR_ENCODE:
		211	return xdr_opaque (xdrs, sp, size);
		212	Index: git/ChangeLog
		213	===================================================================
		214	--- git.orig/ChangeLog
		215	+++ git/ChangeLog
		216	@@ -1,3 +1,16 @@
		217	+2017-05-05 Florian Weimer <fweimer@redhat.com>
		218	+
		219	+ [BZ #21461]
		220	+ * sunrpc/xdr.c (xdr_bytes): Deallocate allocated buffer on error.
		221	+ (xdr_string): Likewise.
		222	+ * sunrpc/Makefile (tests): Add tst-xdrmem3.
		223	+ (tests-special): Add mtrace-tst-xdrmem3.out.
		224	+ (generated): Add mtrace-tst-xdrmem3.out, tst-xdrmem3.mtrace.
		225	+ (tst-xdrmem3-ENV): Set MALLOC_TRACE.
		226	+ (mtrace-tst-xdrmem3.out): Run mtrace.
		227	+ (tst-xdrmem3): Link against full libc.
		228	+ * sunrpc/tst-xdrmem3.c: New file.
		229	+
		230	2017-06-14 Florian Weimer <fweimer@redhat.com>
		231
		232	* sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard.


diff --git a/meta/recipes-core/glibc/glibc_2.24.bb b/meta/recipes-core/glibc/glibc_2.24.bb index 359379bac5..966be34405 100644 --- a/meta/recipes-core/glibc/glibc_2.24.bb +++ b/meta/recipes-core/glibc/glibc_2.24.bb
@@ -56,6 +56,7 @@ SRC_URI += "\
56	file://etc/ld.so.conf \	56	file://etc/ld.so.conf \
57	file://generate-supported.mk \	57	file://generate-supported.mk \
58	file://0001-locale-fix-hard-coded-reference-to-gcc-E.patch \	58	file://0001-locale-fix-hard-coded-reference-to-gcc-E.patch \
		59	file://CVE-2017-8804.patch \
59	"	60	"
60		61
61	SRC_URI_append_class-nativesdk = "\	62	SRC_URI_append_class-nativesdk = "\