summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorZhixiong Chi <zhixiong.chi@windriver.com>2020-03-09 00:43:41 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-03-10 23:20:34 +0000
commita67e91b1ba3687b6ebb0c96b2a7a490ec458ecc8 (patch)
tree2692ba18ee2d5877c04fe631b9998e1e92d71b15 /meta/recipes-core
parent116e45ae3339da6f069350fa833ee995143b10f0 (diff)
downloadpoky-a67e91b1ba3687b6ebb0c96b2a7a490ec458ecc8.tar.gz
glibc: CVE-2020-10029
Backport the CVE patch from upstream: [https://sourceware.org/git/gitweb.cgi?p=glibc.git; a=patch;h=9333498794cde1d5cca518badf79533a24114b6f] (From OE-Core rev: bc0b66c584116635940364fdc2740b8b6ce3d384) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-10029.patch128
-rw-r--r--meta/recipes-core/glibc/glibc_2.31.bb1
2 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
new file mode 100644
index 0000000000..22a15f5fdc
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
@@ -0,0 +1,128 @@
1From ce265ec5bc25ec35fba53807abac1b0c8469895e Mon Sep 17 00:00:00 2001
2From: Joseph Myers <joseph@codesourcery.com>
3Date: Wed, 12 Feb 2020 23:31:56 +0000
4Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of
5
6 pseudo-zero (bug 25487).
7
8Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
9argument (an representation where all the significand bits, including
10the explicit high bit, are zero, but the exponent is not zero, which
11is not a valid representation for the long double type).
12
13Although this is not a valid long double representation, existing
14practice in this area (see bug 4586, originally marked invalid but
15subsequently fixed) is that we still seek to avoid invalid memory
16accesses as a result, in case of programs that treat arbitrary binary
17data as long double representations, although the invalid
18representations of the ldbl-96 format do not need to be consistently
19handled the same as any particular valid representation.
20
21This patch makes the range reduction detect pseudo-zero and unnormal
22representations that would otherwise go to __kernel_rem_pio2, and
23returns a NaN for them instead of continuing with the range reduction
24process. (Pseudo-zero and unnormal representations whose unbiased
25exponent is less than -1 have already been safely returned from the
26function before this point without going through the rest of range
27reduction.) Pseudo-zero representations would previously result in
28the value passed to __kernel_rem_pio2 being all-zero, which is
29definitely unsafe; unnormal representations would previously result in
30a value passed whose high bit is zero, which might well be unsafe
31since that is not a form of input expected by __kernel_rem_pio2.
32
33Tested for x86_64.
34
35CVE: CVE-2020-10029
36Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;
37a=patch;h=9333498794cde1d5cca518badf79533a24114b6f]
38Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
39
40---
41 sysdeps/ieee754/ldbl-96/Makefile | 3 ++-
42 sysdeps/ieee754/ldbl-96/e_rem_pio2l.c | 12 +++++++++
43 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c | 41 ++++++++++++++++++++++++++++++
44 3 files changed, 55 insertions(+), 1 deletion(-)
45 create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
46
47diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
48index b103254..052c1c7 100644
49--- a/sysdeps/ieee754/ldbl-96/Makefile
50+++ b/sysdeps/ieee754/ldbl-96/Makefile
51@@ -17,5 +17,6 @@
52 # <https://www.gnu.org/licenses/>.
53
54 ifeq ($(subdir),math)
55-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
56+tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
57+CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
58 endif
59diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
60index 805de22..1aeccb4 100644
61--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
62+++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
63@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
64 return 0;
65 }
66
67+ if ((i0 & 0x80000000) == 0)
68+ {
69+ /* Pseudo-zero and unnormal representations are not valid
70+ representations of long double. We need to avoid stack
71+ corruption in __kernel_rem_pio2, which expects input in a
72+ particular normal form, but those representations do not need
73+ to be consistently handled like any particular floating-point
74+ value. */
75+ y[1] = y[0] = __builtin_nanl ("");
76+ return 0;
77+ }
78+
79 /* Split the 64 bits of the mantissa into three 24-bit integers
80 stored in a double array. */
81 exp = j0 - 23;
82diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
83new file mode 100644
84index 0000000..f59b977
85--- /dev/null
86+++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
87@@ -0,0 +1,41 @@
88+/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
89+ Copyright (C) 2020 Free Software Foundation, Inc.
90+ This file is part of the GNU C Library.
91+
92+ The GNU C Library is free software; you can redistribute it and/or
93+ modify it under the terms of the GNU Lesser General Public
94+ License as published by the Free Software Foundation; either
95+ version 2.1 of the License, or (at your option) any later version.
96+
97+ The GNU C Library is distributed in the hope that it will be useful,
98+ but WITHOUT ANY WARRANTY; without even the implied warranty of
99+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
100+ Lesser General Public License for more details.
101+
102+ You should have received a copy of the GNU Lesser General Public
103+ License along with the GNU C Library; if not, see
104+ <https://www.gnu.org/licenses/>. */
105+
106+#include <math.h>
107+#include <math_ldbl.h>
108+#include <stdint.h>
109+
110+static int
111+do_test (void)
112+{
113+ for (int i = 0; i < 64; i++)
114+ {
115+ uint64_t sig = i == 63 ? 0 : 1ULL << i;
116+ long double ld;
117+ SET_LDOUBLE_WORDS (ld, 0x4141,
118+ sig >> 32, sig & 0xffffffffULL);
119+ /* The requirement is that no stack overflow occurs when the
120+ pseudo-zero or unnormal goes through range reduction. */
121+ volatile long double ldr;
122+ ldr = sinl (ld);
123+ (void) ldr;
124+ }
125+ return 0;
126+}
127+
128+#include <support/test-driver.c>
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 2032311b27..6dd9415f6b 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -40,6 +40,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
40 file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \ 40 file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
41 file://0028-inject-file-assembly-directives.patch \ 41 file://0028-inject-file-assembly-directives.patch \
42 file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \ 42 file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
43 file://CVE-2020-10029.patch \
43 " 44 "
44S = "${WORKDIR}/git" 45S = "${WORKDIR}/git"
45B = "${WORKDIR}/build-${TARGET_SYS}" 46B = "${WORKDIR}/build-${TARGET_SYS}"