glibc: fix CVE-2019-9169

(From OE-Core rev: 966213b3c99d428f2afba3ad3d88189669005eb6) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2019-03-21 12:31:12 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-03-24 17:00:52 +0000
commit: e7f81f1959ba0f4ca6daec3628b322767ed92308 (patch)
tree: 5ab79aab310965e9cc4397db6867a766f0eadcc8 /meta/recipes-core/glibc
parent: d956c45baf65f8b28d732ed4dd3ca4b40e36ee66 (diff)
download: poky-e7f81f1959ba0f4ca6daec3628b322767ed92308.tar.gz
2 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
new file mode 100644
index 0000000000..bc40361c5d
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
@@ -0,0 +1,36 @@
+CVE: CVE-2019-9169
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 583dd860d5b833037175247230a328f0050dbfe9 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Mon, 21 Jan 2019 11:08:13 -0800
+Subject: [PATCH] regex: fix read overrun [BZ #24114]
+Problem found by AddressSanitizer, reported by Hongxu Chen in:
+https://debbugs.gnu.org/34140
+* posix/regexec.c (proceed_next_node):
+Do not read past end of input buffer.
+---
+ posix/regexec.c |  6 ++++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+diff --git a/posix/regexec.c b/posix/regexec.c
+index 91d5a79..084b122 100644
+--- a/posix/regexec.c
+++ b/posix/regexec.c
+@@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
+              else if (naccepted)
+                {
+                  char *buf = (char *) re_string_get_buffer (&mctx->input);
+-                 if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+-                             naccepted) != 0)
+                 if (mctx->input.valid_len - *pidx < naccepted
+                     || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+                                 naccepted)
+                         != 0))
+                    return -1;
+                }
+            }
+-- 
+2.9.3
diff --git a/meta/recipes-core/glibc/glibc_2.29.bb b/meta/recipes-core/glibc/glibc_2.29.bb
index db856c70ad..9184c5932c 100644
--- a/meta/recipes-core/glibc/glibc_2.29.bb
+++ b/meta/recipes-core/glibc/glibc_2.29.bb
@@ -55,6 +55,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0029-inject-file-assembly-directives.patch \
           file://0030-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
           file://0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch \
+           file://CVE-2019-9169.patch \
 "
 S = "${WORKDIR}/git"
author	Ross Burton <ross.burton@intel.com>	2019-03-21 12:31:12 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-03-24 17:00:52 +0000
commit	e7f81f1959ba0f4ca6daec3628b322767ed92308 (patch)
tree	5ab79aab310965e9cc4397db6867a766f0eadcc8 /meta/recipes-core/glibc
parent	d956c45baf65f8b28d732ed4dd3ca4b40e36ee66 (diff)
download	poky-e7f81f1959ba0f4ca6daec3628b322767ed92308.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch new file mode 100644 index 0000000000..bc40361c5d --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
@@ -0,0 +1,36 @@
		1	CVE: CVE-2019-9169
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@intel.com>
		4
		5	From 583dd860d5b833037175247230a328f0050dbfe9 Mon Sep 17 00:00:00 2001
		6	From: Paul Eggert <eggert@cs.ucla.edu>
		7	Date: Mon, 21 Jan 2019 11:08:13 -0800
		8	Subject: [PATCH] regex: fix read overrun [BZ #24114]
		9
		10	Problem found by AddressSanitizer, reported by Hongxu Chen in:
		11	https://debbugs.gnu.org/34140
		12	* posix/regexec.c (proceed_next_node):
		13	Do not read past end of input buffer.
		14	---
		15	posix/regexec.c \| 6 ++++--
		16	2 files changed, 13 insertions(+), 3 deletions(-)
		17
		18	diff --git a/posix/regexec.c b/posix/regexec.c
		19	index 91d5a79..084b122 100644
		20	--- a/posix/regexec.c
		21	+++ b/posix/regexec.c
		22	@@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t mctx, Idx nregs, regmatch_t regs,
		23	else if (naccepted)
		24	{
		25	char buf = (char ) re_string_get_buffer (&mctx->input);
		26	- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
		27	- naccepted) != 0)
		28	+ if (mctx->input.valid_len - *pidx < naccepted
		29	+ \|\| (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
		30	+ naccepted)
		31	+ != 0))
		32	return -1;
		33	}
		34	}
		35	--
		36	2.9.3


diff --git a/meta/recipes-core/glibc/glibc_2.29.bb b/meta/recipes-core/glibc/glibc_2.29.bb index db856c70ad..9184c5932c 100644 --- a/meta/recipes-core/glibc/glibc_2.29.bb +++ b/meta/recipes-core/glibc/glibc_2.29.bb
@@ -55,6 +55,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
55	file://0029-inject-file-assembly-directives.patch \	55	file://0029-inject-file-assembly-directives.patch \
56	file://0030-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \	56	file://0030-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
57	file://0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch \	57	file://0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch \
		58	file://CVE-2019-9169.patch \
58	"	59	"
59		60
60	S = "${WORKDIR}/git"	61	S = "${WORKDIR}/git"