glibc: CVE-2015-8779

A stack overflow vulnerability in the catopen function was found, causing applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (From OE-Core rev: e0f71f123147bf4f48cc90c7f26a50164ed4115e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-01-22 20:19:24 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-02-18 07:37:49 +0000
commit: efa1ae5e458666eb66dcff93078beb4e21a00fdc (patch)
tree: ec468b312e9faf1d56cfc9c91cfb946ee3bc575f /meta/recipes-core
parent: aefe1fadfa041673360ad31901655ead70c32d75 (diff)
download: poky-efa1ae5e458666eb66dcff93078beb4e21a00fdc.tar.gz
2 files changed, 263 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
new file mode 100644
index 0000000000..4dc93c769d
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
@@ -0,0 +1,262 @@
+From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Sat, 8 Aug 2015 15:53:03 -0700
+Subject: [PATCH] Fix BZ #17905
+Upstream-Status: Backport
+CVE: CVE-2015-8779
+[Yocto # 8980]
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog              |  8 ++++++++
+ NEWS                   |  2 +-
+ catgets/Makefile       |  9 ++++++++-
+ catgets/catgets.c      | 19 ++++++++++++-------
+ catgets/open_catalog.c | 23 ++++++++++++++---------
+ catgets/tst-catgets.c  | 31 +++++++++++++++++++++++++++++++
+ 6 files changed, 74 insertions(+), 18 deletions(-)
+Index: git/catgets/Makefile
+===================================================================
+--- git.orig/catgets/Makefile
+++ git/catgets/Makefile
+@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
+ ifeq ($(run-built-tests),yes)
+ tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
+                 $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
+tests-special += $(objpfx)tst-catgets-mem.out
+ endif
+ endif
+ gencat-modules = xmalloc
+@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
+ 
+ generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
+             test-gencat.h
+generated += tst-catgets.mtrace tst-catgets-mem.out
+
+ generated-dirs += de
+ 
+-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
+ 
+ ifeq ($(run-built-tests),yes)
+ # This test just checks whether the program produces any error or not.
+@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
+ $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
+        $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
+        $(evaluate-test)
+
+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
+       $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
+       $(evaluate-test)
+ endif
+Index: git/catgets/catgets.c
+===================================================================
+--- git.orig/catgets/catgets.c
+++ git/catgets/catgets.c
+@@ -16,7 +16,6 @@
+    License along with the GNU C Library; if not, see
+    <http://www.gnu.org/licenses/>.  */
+ 
+-#include <alloca.h>
+ #include <errno.h>
+ #include <locale.h>
+ #include <nl_types.h>
+@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
+   __nl_catd result;
+   const char *env_var = NULL;
+   const char *nlspath = NULL;
+  char *tmp = NULL;
+ 
+   if (strchr (cat_name, '/') == NULL)
+     {
+@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
+        {
+          /* Append the system dependent directory.  */
+          size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
+-         char *tmp = alloca (len);
+         tmp = malloc (len);
+
+         if (__glibc_unlikely (tmp == NULL))
+           return (nl_catd) -1;
+ 
+          __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
+          nlspath = tmp;
+@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
+ 
+   result = (__nl_catd) malloc (sizeof (*result));
+   if (result == NULL)
+-    /* We cannot get enough memory.  */
+-    return (nl_catd) -1;
+-
+-  if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+    {
+      /* We cannot get enough memory.  */
+      result = (nl_catd) -1;
+    }
+  else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+     {
+       /* Couldn't open the file.  */
+       free ((void *) result);
+-      return (nl_catd) -1;
+      result = (nl_catd) -1;
+     }
+ 
+  free (tmp);
+   return (nl_catd) result;
+ }
+ 
+Index: git/catgets/open_catalog.c
+===================================================================
+--- git.orig/catgets/open_catalog.c
+++ git/catgets/open_catalog.c
+@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
+   size_t tab_size;
+   const char *lastp;
+   int result = -1;
+  char *buf = NULL;
+ 
+   if (strchr (cat_name, '/') != NULL || nlspath == NULL)
+     fd = open_not_cancel_2 (cat_name, O_RDONLY);
+@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
+   if (__glibc_unlikely (bufact + (n) >= bufmax))                             \
+     {                                                                        \
+       char *old_buf = buf;                                                   \
+-      bufmax += 256 + (n);                                                   \
+-      buf = (char *) alloca (bufmax);                                        \
+-      memcpy (buf, old_buf, bufact);                                         \
+      bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax;                   \
+      buf = realloc (buf, bufmax);                                           \
+      if (__glibc_unlikely (buf == NULL))                                    \
+       {                                                                     \
+         free (old_buf);                                                     \
+         return -1;                                                          \
+       }                                                                     \
+     }
+ 
+       /* The RUN_NLSPATH variable contains a colon separated list of
+         descriptions where we expect to find catalogs.  We have to
+         recognize certain % substitutions and stop when we found the
+         first existing file.  */
+-      char *buf;
+       size_t bufact;
+-      size_t bufmax;
+      size_t bufmax = 0;
+       size_t len;
+ 
+-      buf = NULL;
+-      bufmax = 0;
+-
+       fd = -1;
+       while (*run_nlspath != '\0')
+        {
+@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
+ 
+   /* Avoid dealing with directories and block devices */
+   if (__builtin_expect (fd, 0) < 0)
+-    return -1;
+    {
+      free (buf);
+      return -1;
+    }
+ 
+   if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
+     goto close_unlock_return;
+@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
+   /* Release the lock again.  */
+  close_unlock_return:
+   close_not_cancel_no_status (fd);
+  free (buf);
+ 
+   return result;
+ }
+Index: git/catgets/tst-catgets.c
+===================================================================
+--- git.orig/catgets/tst-catgets.c
+++ git/catgets/tst-catgets.c
+@@ -1,7 +1,10 @@
+#include <assert.h>
+ #include <mcheck.h>
+ #include <nl_types.h>
+ #include <stdio.h>
+#include <stdlib.h>
+ #include <string.h>
+#include <sys/resource.h>
+ 
+ 
+ static const char *msgs[] =
+@@ -12,6 +15,33 @@ static const char *msgs[] =
+ };
+ #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
+ 
+
+/* Test for unbounded alloca.  */
+static int
+do_bz17905 (void)
+{
+  char *buf;
+  struct rlimit rl;
+  nl_catd result;
+
+  const int sz = 1024 * 1024;
+
+  getrlimit (RLIMIT_STACK, &rl);
+  rl.rlim_cur = sz;
+  setrlimit (RLIMIT_STACK, &rl);
+
+  buf = malloc (sz + 1); 
+  memset (buf, 'A', sz);
+  buf[sz] = '\0';
+  setenv ("NLSPATH", buf, 1);
+
+  result = catopen (buf, NL_CAT_LOCALE);
+  assert (result == (nl_catd) -1);
+
+  free (buf);
+  return 0;
+}
+
+ #define ROUNDS 5
+ 
+ static int
+@@ -62,6 +92,7 @@ do_test (void)
+        }
+     }
+ 
+  result += do_bz17905 ();
+   return result;
+ }
+ 
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,11 @@
+2015-08-08  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+   [BZ #17905]
+   * catgets/Makefile (tst-catgets-mem): New test.
+   * catgets/catgets.c (catopen): Don't use unbounded alloca.
+   * catgets/open_catalog.c (__open_catalog): Likewise.
+   * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
+
+ 2015-10-15  Florian Weimer  <fweimer@redhat.com>
+ 
+    [BZ #18928]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -9,7 +9,7 @@ Version 2.22.1
+ 
+ * The following bugs are resolved with this release:
+ 
+-  18778, 18781, 18787.
+  18778, 18781, 18787, 17905.
+ 
+ Version 2.22
+ 
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index c828310586..336463a5c3 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
           file://0029-fix-getmntent-empty-lines.patch \
           file://CVE-2015-8777.patch \
+           file://CVE-2015-8779.patch \
 "
 SRC_URI += "\
author	Armin Kuster <akuster@mvista.com>	2016-01-22 20:19:24 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-02-18 07:37:49 +0000
commit	efa1ae5e458666eb66dcff93078beb4e21a00fdc (patch)
tree	ec468b312e9faf1d56cfc9c91cfb946ee3bc575f /meta/recipes-core
parent	aefe1fadfa041673360ad31901655ead70c32d75 (diff)
download	poky-efa1ae5e458666eb66dcff93078beb4e21a00fdc.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch new file mode 100644 index 0000000000..4dc93c769d --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
@@ -0,0 +1,262 @@
		1	From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
		2	From: Paul Pluzhnikov <ppluzhnikov@google.com>
		3	Date: Sat, 8 Aug 2015 15:53:03 -0700
		4	Subject: [PATCH] Fix BZ #17905
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2015-8779
		8	[Yocto # 8980]
		9
		10	https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
		11
		12	Signed-off-by: Armin Kuster <akuster@mvista.com>
		13
		14	---
		15	ChangeLog \| 8 ++++++++
		16	NEWS \| 2 +-
		17	catgets/Makefile \| 9 ++++++++-
		18	catgets/catgets.c \| 19 ++++++++++++-------
		19	catgets/open_catalog.c \| 23 ++++++++++++++---------
		20	catgets/tst-catgets.c \| 31 +++++++++++++++++++++++++++++++
		21	6 files changed, 74 insertions(+), 18 deletions(-)
		22
		23	Index: git/catgets/Makefile
		24	===================================================================
		25	--- git.orig/catgets/Makefile
		26	+++ git/catgets/Makefile
		27	@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
		28	ifeq ($(run-built-tests),yes)
		29	tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
		30	$(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
		31	+tests-special += $(objpfx)tst-catgets-mem.out
		32	endif
		33	endif
		34	gencat-modules = xmalloc
		35	@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
		36
		37	generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
		38	test-gencat.h
		39	+generated += tst-catgets.mtrace tst-catgets-mem.out
		40	+
		41	generated-dirs += de
		42
		43	-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
		44	+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
		45
		46	ifeq ($(run-built-tests),yes)
		47	# This test just checks whether the program produces any error or not.
		48	@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
		49	$(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
		50	$(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
		51	$(evaluate-test)
		52	+
		53	+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
		54	+ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
		55	+ $(evaluate-test)
		56	endif
		57	Index: git/catgets/catgets.c
		58	===================================================================
		59	--- git.orig/catgets/catgets.c
		60	+++ git/catgets/catgets.c
		61	@@ -16,7 +16,6 @@
		62	License along with the GNU C Library; if not, see
		63	<http://www.gnu.org/licenses/>. */
		64
		65	-#include <alloca.h>
		66	#include <errno.h>
		67	#include <locale.h>
		68	#include <nl_types.h>
		69	@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
		70	__nl_catd result;
		71	const char *env_var = NULL;
		72	const char *nlspath = NULL;
		73	+ char *tmp = NULL;
		74
		75	if (strchr (cat_name, '/') == NULL)
		76	{
		77	@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
		78	{
		79	/* Append the system dependent directory. */
		80	size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
		81	- char *tmp = alloca (len);
		82	+ tmp = malloc (len);
		83	+
		84	+ if (__glibc_unlikely (tmp == NULL))
		85	+ return (nl_catd) -1;
		86
		87	__stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
		88	nlspath = tmp;
		89	@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
		90
		91	result = (__nl_catd) malloc (sizeof (*result));
		92	if (result == NULL)
		93	- /* We cannot get enough memory. */
		94	- return (nl_catd) -1;
		95	-
		96	- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
		97	+ {
		98	+ /* We cannot get enough memory. */
		99	+ result = (nl_catd) -1;
		100	+ }
		101	+ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
		102	{
		103	/* Couldn't open the file. */
		104	free ((void *) result);
		105	- return (nl_catd) -1;
		106	+ result = (nl_catd) -1;
		107	}
		108
		109	+ free (tmp);
		110	return (nl_catd) result;
		111	}
		112
		113	Index: git/catgets/open_catalog.c
		114	===================================================================
		115	--- git.orig/catgets/open_catalog.c
		116	+++ git/catgets/open_catalog.c
		117	@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
		118	size_t tab_size;
		119	const char *lastp;
		120	int result = -1;
		121	+ char *buf = NULL;
		122
		123	if (strchr (cat_name, '/') != NULL \|\| nlspath == NULL)
		124	fd = open_not_cancel_2 (cat_name, O_RDONLY);
		125	@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
		126	if (__glibc_unlikely (bufact + (n) >= bufmax)) \
		127	{ \
		128	char *old_buf = buf; \
		129	- bufmax += 256 + (n); \
		130	- buf = (char *) alloca (bufmax); \
		131	- memcpy (buf, old_buf, bufact); \
		132	+ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
		133	+ buf = realloc (buf, bufmax); \
		134	+ if (__glibc_unlikely (buf == NULL)) \
		135	+ { \
		136	+ free (old_buf); \
		137	+ return -1; \
		138	+ } \
		139	}
		140
		141	/* The RUN_NLSPATH variable contains a colon separated list of
		142	descriptions where we expect to find catalogs. We have to
		143	recognize certain % substitutions and stop when we found the
		144	first existing file. */
		145	- char *buf;
		146	size_t bufact;
		147	- size_t bufmax;
		148	+ size_t bufmax = 0;
		149	size_t len;
		150
		151	- buf = NULL;
		152	- bufmax = 0;
		153	-
		154	fd = -1;
		155	while (*run_nlspath != '\0')
		156	{
		157	@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
		158
		159	/* Avoid dealing with directories and block devices */
		160	if (__builtin_expect (fd, 0) < 0)
		161	- return -1;
		162	+ {
		163	+ free (buf);
		164	+ return -1;
		165	+ }
		166
		167	if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
		168	goto close_unlock_return;
		169	@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
		170	/* Release the lock again. */
		171	close_unlock_return:
		172	close_not_cancel_no_status (fd);
		173	+ free (buf);
		174
		175	return result;
		176	}
		177	Index: git/catgets/tst-catgets.c
		178	===================================================================
		179	--- git.orig/catgets/tst-catgets.c
		180	+++ git/catgets/tst-catgets.c
		181	@@ -1,7 +1,10 @@
		182	+#include <assert.h>
		183	#include <mcheck.h>
		184	#include <nl_types.h>
		185	#include <stdio.h>
		186	+#include <stdlib.h>
		187	#include <string.h>
		188	+#include <sys/resource.h>
		189
		190
		191	static const char *msgs[] =
		192	@@ -12,6 +15,33 @@ static const char *msgs[] =
		193	};
		194	#define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
		195
		196	+
		197	+/* Test for unbounded alloca. */
		198	+static int
		199	+do_bz17905 (void)
		200	+{
		201	+ char *buf;
		202	+ struct rlimit rl;
		203	+ nl_catd result;
		204	+
		205	+ const int sz = 1024 * 1024;
		206	+
		207	+ getrlimit (RLIMIT_STACK, &rl);
		208	+ rl.rlim_cur = sz;
		209	+ setrlimit (RLIMIT_STACK, &rl);
		210	+
		211	+ buf = malloc (sz + 1);
		212	+ memset (buf, 'A', sz);
		213	+ buf[sz] = '\0';
		214	+ setenv ("NLSPATH", buf, 1);
		215	+
		216	+ result = catopen (buf, NL_CAT_LOCALE);
		217	+ assert (result == (nl_catd) -1);
		218	+
		219	+ free (buf);
		220	+ return 0;
		221	+}
		222	+
		223	#define ROUNDS 5
		224
		225	static int
		226	@@ -62,6 +92,7 @@ do_test (void)
		227	}
		228	}
		229
		230	+ result += do_bz17905 ();
		231	return result;
		232	}
		233
		234	Index: git/ChangeLog
		235	===================================================================
		236	--- git.orig/ChangeLog
		237	+++ git/ChangeLog
		238	@@ -1,3 +1,11 @@
		239	+2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
		240	+
		241	+ [BZ #17905]
		242	+ * catgets/Makefile (tst-catgets-mem): New test.
		243	+ * catgets/catgets.c (catopen): Don't use unbounded alloca.
		244	+ * catgets/open_catalog.c (__open_catalog): Likewise.
		245	+ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
		246	+
		247	2015-10-15 Florian Weimer <fweimer@redhat.com>
		248
		249	[BZ #18928]
		250	Index: git/NEWS
		251	===================================================================
		252	--- git.orig/NEWS
		253	+++ git/NEWS
		254	@@ -9,7 +9,7 @@ Version 2.22.1
		255
		256	* The following bugs are resolved with this release:
		257
		258	- 18778, 18781, 18787.
		259	+ 18778, 18781, 18787, 17905.
		260
		261	Version 2.22
		262


diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb index c828310586..336463a5c3 100644 --- a/meta/recipes-core/glibc/glibc_2.22.bb +++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
44	file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \	44	file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
45	file://0029-fix-getmntent-empty-lines.patch \	45	file://0029-fix-getmntent-empty-lines.patch \
46	file://CVE-2015-8777.patch \	46	file://CVE-2015-8777.patch \
		47	file://CVE-2015-8779.patch \
47	"	48	"
48		49
49	SRC_URI += "\	50	SRC_URI += "\