summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-01-22 20:19:24 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-18 07:37:49 +0000
commitefa1ae5e458666eb66dcff93078beb4e21a00fdc (patch)
treeec468b312e9faf1d56cfc9c91cfb946ee3bc575f /meta/recipes-core
parentaefe1fadfa041673360ad31901655ead70c32d75 (diff)
downloadpoky-efa1ae5e458666eb66dcff93078beb4e21a00fdc.tar.gz
glibc: CVE-2015-8779
A stack overflow vulnerability in the catopen function was found, causing applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (From OE-Core rev: e0f71f123147bf4f48cc90c7f26a50164ed4115e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8779.patch262
-rw-r--r--meta/recipes-core/glibc/glibc_2.22.bb1
2 files changed, 263 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
new file mode 100644
index 0000000000..4dc93c769d
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
@@ -0,0 +1,262 @@
1From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
2From: Paul Pluzhnikov <ppluzhnikov@google.com>
3Date: Sat, 8 Aug 2015 15:53:03 -0700
4Subject: [PATCH] Fix BZ #17905
5
6Upstream-Status: Backport
7CVE: CVE-2015-8779
8[Yocto # 8980]
9
10https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
11
12Signed-off-by: Armin Kuster <akuster@mvista.com>
13
14---
15 ChangeLog | 8 ++++++++
16 NEWS | 2 +-
17 catgets/Makefile | 9 ++++++++-
18 catgets/catgets.c | 19 ++++++++++++-------
19 catgets/open_catalog.c | 23 ++++++++++++++---------
20 catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++
21 6 files changed, 74 insertions(+), 18 deletions(-)
22
23Index: git/catgets/Makefile
24===================================================================
25--- git.orig/catgets/Makefile
26+++ git/catgets/Makefile
27@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
28 ifeq ($(run-built-tests),yes)
29 tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
30 $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
31+tests-special += $(objpfx)tst-catgets-mem.out
32 endif
33 endif
34 gencat-modules = xmalloc
35@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
36
37 generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
38 test-gencat.h
39+generated += tst-catgets.mtrace tst-catgets-mem.out
40+
41 generated-dirs += de
42
43-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
44+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
45
46 ifeq ($(run-built-tests),yes)
47 # This test just checks whether the program produces any error or not.
48@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
49 $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
50 $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
51 $(evaluate-test)
52+
53+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
54+ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
55+ $(evaluate-test)
56 endif
57Index: git/catgets/catgets.c
58===================================================================
59--- git.orig/catgets/catgets.c
60+++ git/catgets/catgets.c
61@@ -16,7 +16,6 @@
62 License along with the GNU C Library; if not, see
63 <http://www.gnu.org/licenses/>. */
64
65-#include <alloca.h>
66 #include <errno.h>
67 #include <locale.h>
68 #include <nl_types.h>
69@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
70 __nl_catd result;
71 const char *env_var = NULL;
72 const char *nlspath = NULL;
73+ char *tmp = NULL;
74
75 if (strchr (cat_name, '/') == NULL)
76 {
77@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
78 {
79 /* Append the system dependent directory. */
80 size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
81- char *tmp = alloca (len);
82+ tmp = malloc (len);
83+
84+ if (__glibc_unlikely (tmp == NULL))
85+ return (nl_catd) -1;
86
87 __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
88 nlspath = tmp;
89@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
90
91 result = (__nl_catd) malloc (sizeof (*result));
92 if (result == NULL)
93- /* We cannot get enough memory. */
94- return (nl_catd) -1;
95-
96- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
97+ {
98+ /* We cannot get enough memory. */
99+ result = (nl_catd) -1;
100+ }
101+ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
102 {
103 /* Couldn't open the file. */
104 free ((void *) result);
105- return (nl_catd) -1;
106+ result = (nl_catd) -1;
107 }
108
109+ free (tmp);
110 return (nl_catd) result;
111 }
112
113Index: git/catgets/open_catalog.c
114===================================================================
115--- git.orig/catgets/open_catalog.c
116+++ git/catgets/open_catalog.c
117@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
118 size_t tab_size;
119 const char *lastp;
120 int result = -1;
121+ char *buf = NULL;
122
123 if (strchr (cat_name, '/') != NULL || nlspath == NULL)
124 fd = open_not_cancel_2 (cat_name, O_RDONLY);
125@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
126 if (__glibc_unlikely (bufact + (n) >= bufmax)) \
127 { \
128 char *old_buf = buf; \
129- bufmax += 256 + (n); \
130- buf = (char *) alloca (bufmax); \
131- memcpy (buf, old_buf, bufact); \
132+ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
133+ buf = realloc (buf, bufmax); \
134+ if (__glibc_unlikely (buf == NULL)) \
135+ { \
136+ free (old_buf); \
137+ return -1; \
138+ } \
139 }
140
141 /* The RUN_NLSPATH variable contains a colon separated list of
142 descriptions where we expect to find catalogs. We have to
143 recognize certain % substitutions and stop when we found the
144 first existing file. */
145- char *buf;
146 size_t bufact;
147- size_t bufmax;
148+ size_t bufmax = 0;
149 size_t len;
150
151- buf = NULL;
152- bufmax = 0;
153-
154 fd = -1;
155 while (*run_nlspath != '\0')
156 {
157@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
158
159 /* Avoid dealing with directories and block devices */
160 if (__builtin_expect (fd, 0) < 0)
161- return -1;
162+ {
163+ free (buf);
164+ return -1;
165+ }
166
167 if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
168 goto close_unlock_return;
169@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
170 /* Release the lock again. */
171 close_unlock_return:
172 close_not_cancel_no_status (fd);
173+ free (buf);
174
175 return result;
176 }
177Index: git/catgets/tst-catgets.c
178===================================================================
179--- git.orig/catgets/tst-catgets.c
180+++ git/catgets/tst-catgets.c
181@@ -1,7 +1,10 @@
182+#include <assert.h>
183 #include <mcheck.h>
184 #include <nl_types.h>
185 #include <stdio.h>
186+#include <stdlib.h>
187 #include <string.h>
188+#include <sys/resource.h>
189
190
191 static const char *msgs[] =
192@@ -12,6 +15,33 @@ static const char *msgs[] =
193 };
194 #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
195
196+
197+/* Test for unbounded alloca. */
198+static int
199+do_bz17905 (void)
200+{
201+ char *buf;
202+ struct rlimit rl;
203+ nl_catd result;
204+
205+ const int sz = 1024 * 1024;
206+
207+ getrlimit (RLIMIT_STACK, &rl);
208+ rl.rlim_cur = sz;
209+ setrlimit (RLIMIT_STACK, &rl);
210+
211+ buf = malloc (sz + 1);
212+ memset (buf, 'A', sz);
213+ buf[sz] = '\0';
214+ setenv ("NLSPATH", buf, 1);
215+
216+ result = catopen (buf, NL_CAT_LOCALE);
217+ assert (result == (nl_catd) -1);
218+
219+ free (buf);
220+ return 0;
221+}
222+
223 #define ROUNDS 5
224
225 static int
226@@ -62,6 +92,7 @@ do_test (void)
227 }
228 }
229
230+ result += do_bz17905 ();
231 return result;
232 }
233
234Index: git/ChangeLog
235===================================================================
236--- git.orig/ChangeLog
237+++ git/ChangeLog
238@@ -1,3 +1,11 @@
239+2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
240+
241+ [BZ #17905]
242+ * catgets/Makefile (tst-catgets-mem): New test.
243+ * catgets/catgets.c (catopen): Don't use unbounded alloca.
244+ * catgets/open_catalog.c (__open_catalog): Likewise.
245+ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
246+
247 2015-10-15 Florian Weimer <fweimer@redhat.com>
248
249 [BZ #18928]
250Index: git/NEWS
251===================================================================
252--- git.orig/NEWS
253+++ git/NEWS
254@@ -9,7 +9,7 @@ Version 2.22.1
255
256 * The following bugs are resolved with this release:
257
258- 18778, 18781, 18787.
259+ 18778, 18781, 18787, 17905.
260
261 Version 2.22
262
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index c828310586..336463a5c3 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
44 file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \ 44 file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
45 file://0029-fix-getmntent-empty-lines.patch \ 45 file://0029-fix-getmntent-empty-lines.patch \
46 file://CVE-2015-8777.patch \ 46 file://CVE-2015-8777.patch \
47 file://CVE-2015-8779.patch \
47" 48"
48 49
49SRC_URI += "\ 50SRC_URI += "\