summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorYuanjie Huang <yuanjie.huang@windriver.com>2016-04-27 02:32:55 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-05-11 12:37:06 +0100
commit49ce0e7d4a7bb3223aa33188fc987d651334ffe5 (patch)
treebb17b1ff2e9b415b1f6601a8a3df91e488f7aa58 /meta/recipes-core
parent6b2102cd59c1ac48b8550dbbea0b83eada7e7b32 (diff)
downloadpoky-49ce0e7d4a7bb3223aa33188fc987d651334ffe5.tar.gz
glibc: Fix CVE-2015-8778
CVE: CVE-2015-8778 Improve check against integer wraparound in hcreate_r [BZ #18240] This is an integer overflow in hcreate and hcreate_r which can result in an out-of-bound memory access. This could lead to application crashes or, potentially, arbitrary code execution. Upstream-Status: Backport [2.23] (cherry-picked from commit bae7c7c7, 4bd228c8) (From OE-Core rev: 71b051f51a44dad1fdca7ca6b3552d0aebdc91d3) Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8778.patch199
-rw-r--r--meta/recipes-core/glibc/glibc_2.22.bb1
2 files changed, 200 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8778.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8778.patch
new file mode 100644
index 0000000000..c505c10c89
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8778.patch
@@ -0,0 +1,199 @@
1From d0f05d1e39adb336a8bbccbc276a344e6ff427e3 Mon Sep 17 00:00:00 2001
2From: Florian Weimer <fweimer@redhat.com>
3Date: Thu, 28 Jan 2016 13:59:11 +0100
4Subject: [PATCH] Improve check against integer wraparound in hcreate_r [BZ
5 #18240]
6
7CVE: CVE-2015-8778
8
9Improve check against integer wraparound in hcreate_r [BZ #18240]
10
11This is an integer overflow in hcreate and hcreate_r which can result in
12an out-of-bound memory access. This could lead to application crashes
13or, potentially, arbitrary code execution.
14
15Upstream-Status: Backport [2.23]
16(cherry-picked from commit bae7c7c7, 4bd228c8)
17
18Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
19---
20 ChangeLog | 6 +++++
21 NEWS | 2 +-
22 misc/Makefile | 2 +-
23 misc/bug18240.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
24 misc/hsearch_r.c | 28 ++++++++++++---------
25 5 files changed, 100 insertions(+), 13 deletions(-)
26 create mode 100644 misc/bug18240.c
27
28diff --git a/ChangeLog b/ChangeLog
29index b7701d1..a9dc8a2 100644
30--- a/ChangeLog
31+++ b/ChangeLog
32@@ -1,3 +1,9 @@
33+2016-01-27 Paul Eggert <eggert@cs.ucla.edu>
34+
35+ [BZ #18240]
36+ * misc/hsearch_r.c (isprime, __hcreate_r): Protect against
37+ unsigned int wraparound.
38+
39 2016-02-15 Carlos O'Donell <carlos@redhat.com>
40
41 [BZ #18665]
42diff --git a/NEWS b/NEWS
43index cda7a73..fd77c27 100644
44--- a/NEWS
45+++ b/NEWS
46@@ -9,7 +9,7 @@ Version 2.22.1
47
48 * The following bugs are resolved with this release:
49
50- 18778, 18781, 18787, 17905.
51+ 18240, 18778, 18781, 18787, 17905.
52
53 Version 2.22
54
55diff --git a/misc/Makefile b/misc/Makefile
56index e6b7c23..463a238 100644
57--- a/misc/Makefile
58+++ b/misc/Makefile
59@@ -83,7 +83,7 @@ install-lib := libg.a
60 gpl2lgpl := error.c error.h
61
62 tests := tst-dirname tst-tsearch tst-fdset tst-mntent tst-hsearch \
63- tst-pselect tst-insremque tst-mntent2 bug-hsearch1
64+ tst-pselect tst-insremque tst-mntent2 bug-hsearch1 bug18240
65 tests-$(OPTION_POSIX_WIDE_CHAR_DEVICE_IO) += tst-error1
66 tests-$(OPTION_EGLIBC_FCVT) += tst-efgcvt
67 ifeq ($(run-built-tests),yes)
68diff --git a/misc/bug18240.c b/misc/bug18240.c
69new file mode 100644
70index 0000000..4b26865
71--- /dev/null
72+++ b/misc/bug18240.c
73@@ -0,0 +1,75 @@
74+/* Test integer wraparound in hcreate.
75+ Copyright (C) 2016 Free Software Foundation, Inc.
76+ This file is part of the GNU C Library.
77+
78+ The GNU C Library is free software; you can redistribute it and/or
79+ modify it under the terms of the GNU Lesser General Public
80+ License as published by the Free Software Foundation; either
81+ version 2.1 of the License, or (at your option) any later version.
82+
83+ The GNU C Library is distributed in the hope that it will be useful,
84+ but WITHOUT ANY WARRANTY; without even the implied warranty of
85+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
86+ Lesser General Public License for more details.
87+
88+ You should have received a copy of the GNU Lesser General Public
89+ License along with the GNU C Library; if not, see
90+ <http://www.gnu.org/licenses/>. */
91+
92+#include <errno.h>
93+#include <limits.h>
94+#include <search.h>
95+#include <stdbool.h>
96+#include <stdio.h>
97+#include <stdlib.h>
98+
99+static void
100+test_size (size_t size)
101+{
102+ int res = hcreate (size);
103+ if (res == 0)
104+ {
105+ if (errno == ENOMEM)
106+ return;
107+ printf ("error: hcreate (%zu): %m\n", size);
108+ exit (1);
109+ }
110+ char *keys[100];
111+ for (int i = 0; i < 100; ++i)
112+ {
113+ if (asprintf (keys + i, "%d", i) < 0)
114+ {
115+ printf ("error: asprintf: %m\n");
116+ exit (1);
117+ }
118+ ENTRY e = { keys[i], (char *) "value" };
119+ if (hsearch (e, ENTER) == NULL)
120+ {
121+ printf ("error: hsearch (\"%s\"): %m\n", keys[i]);
122+ exit (1);
123+ }
124+ }
125+ hdestroy ();
126+
127+ for (int i = 0; i < 100; ++i)
128+ free (keys[i]);
129+}
130+
131+static int
132+do_test (void)
133+{
134+ test_size (500);
135+ test_size (-1);
136+ test_size (-3);
137+ test_size (INT_MAX - 2);
138+ test_size (INT_MAX - 1);
139+ test_size (INT_MAX);
140+ test_size (((unsigned) INT_MAX) + 1);
141+ test_size (UINT_MAX - 2);
142+ test_size (UINT_MAX - 1);
143+ test_size (UINT_MAX);
144+ return 0;
145+}
146+
147+#define TEST_FUNCTION do_test ()
148+#include "../test-skeleton.c"
149diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
150index 9f55e84..6000ce2 100644
151--- a/misc/hsearch_r.c
152+++ b/misc/hsearch_r.c
153@@ -46,15 +46,12 @@ static int
154 isprime (unsigned int number)
155 {
156 /* no even number will be passed */
157- unsigned int div = 3;
158-
159- while (div * div < number && number % div != 0)
160- div += 2;
161-
162- return number % div != 0;
163+ for (unsigned int div = 3; div <= number / div; div += 2)
164+ if (number % div == 0)
165+ return 0;
166+ return 1;
167 }
168
169-
170 /* Before using the hash table we must allocate memory for it.
171 Test for an existing table are done. We allocate one element
172 more as the found prime number says. This is done for more effective
173@@ -81,10 +78,19 @@ __hcreate_r (nel, htab)
174 use will not work. */
175 if (nel < 3)
176 nel = 3;
177- /* Change nel to the first prime number not smaller as nel. */
178- nel |= 1; /* make odd */
179- while (!isprime (nel))
180- nel += 2;
181+
182+ /* Change nel to the first prime number in the range [nel, UINT_MAX - 2],
183+ The '- 2' means 'nel += 2' cannot overflow. */
184+ for (nel |= 1; ; nel += 2)
185+ {
186+ if (UINT_MAX - 2 < nel)
187+ {
188+ __set_errno (ENOMEM);
189+ return 0;
190+ }
191+ if (isprime (nel))
192+ break;
193+ }
194
195 htab->size = nel;
196 htab->filled = 0;
197--
1982.7.4
199
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index a13b7f94bb..7b25847392 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
47 file://CVE-2015-9761_2.patch \ 47 file://CVE-2015-9761_2.patch \
48 file://CVE-2015-8776.patch \ 48 file://CVE-2015-8776.patch \
49 file://CVE-2015-7547.patch \ 49 file://CVE-2015-7547.patch \
50 file://CVE-2015-8778.patch \
50" 51"
51 52
52SRC_URI += "\ 53SRC_URI += "\