glibc: CVE-2020-10029

Backport the CVE patch from upstream: [https://sourceware.org/git/gitweb.cgi?p=glibc.git; a=patch;h=9333498794cde1d5cca518badf79533a24114b6f] (From OE-Core rev: bc0b66c584116635940364fdc2740b8b6ce3d384) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Zhixiong Chi <zhixiong.chi@windriver.com> 2020-03-09 00:43:41 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-03-10 23:20:34 +0000
commit: a67e91b1ba3687b6ebb0c96b2a7a490ec458ecc8 (patch)
tree: 2692ba18ee2d5877c04fe631b9998e1e92d71b15 /meta/recipes-core
parent: 116e45ae3339da6f069350fa833ee995143b10f0 (diff)
download: poky-a67e91b1ba3687b6ebb0c96b2a7a490ec458ecc8.tar.gz
2 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
new file mode 100644
index 0000000000..22a15f5fdc
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
@@ -0,0 +1,128 @@
+From ce265ec5bc25ec35fba53807abac1b0c8469895e Mon Sep 17 00:00:00 2001
+From: Joseph Myers <joseph@codesourcery.com>
+Date: Wed, 12 Feb 2020 23:31:56 +0000
+Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of
+ pseudo-zero (bug 25487).
+Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
+argument (an representation where all the significand bits, including
+the explicit high bit, are zero, but the exponent is not zero, which
+is not a valid representation for the long double type).
+Although this is not a valid long double representation, existing
+practice in this area (see bug 4586, originally marked invalid but
+subsequently fixed) is that we still seek to avoid invalid memory
+accesses as a result, in case of programs that treat arbitrary binary
+data as long double representations, although the invalid
+representations of the ldbl-96 format do not need to be consistently
+handled the same as any particular valid representation.
+This patch makes the range reduction detect pseudo-zero and unnormal
+representations that would otherwise go to __kernel_rem_pio2, and
+returns a NaN for them instead of continuing with the range reduction
+process.  (Pseudo-zero and unnormal representations whose unbiased
+exponent is less than -1 have already been safely returned from the
+function before this point without going through the rest of range
+reduction.)  Pseudo-zero representations would previously result in
+the value passed to __kernel_rem_pio2 being all-zero, which is
+definitely unsafe; unnormal representations would previously result in
+a value passed whose high bit is zero, which might well be unsafe
+since that is not a form of input expected by __kernel_rem_pio2.
+Tested for x86_64.
+CVE: CVE-2020-10029
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;
+a=patch;h=9333498794cde1d5cca518badf79533a24114b6f]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ sysdeps/ieee754/ldbl-96/Makefile           |  3 ++-
+ sysdeps/ieee754/ldbl-96/e_rem_pio2l.c      | 12 +++++++++
+ sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c | 41 ++++++++++++++++++++++++++++++
+ 3 files changed, 55 insertions(+), 1 deletion(-)
+ create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
+index b103254..052c1c7 100644
+--- a/sysdeps/ieee754/ldbl-96/Makefile
+++ b/sysdeps/ieee754/ldbl-96/Makefile
+@@ -17,5 +17,6 @@
+ # <https://www.gnu.org/licenses/>.
+ 
+ ifeq ($(subdir),math)
+-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
+tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
+CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
+ endif
+diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+index 805de22..1aeccb4 100644
+--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
+       return 0;
+     }
+ 
+  if ((i0 & 0x80000000) == 0)
+    {
+      /* Pseudo-zero and unnormal representations are not valid
+        representations of long double.  We need to avoid stack
+        corruption in __kernel_rem_pio2, which expects input in a
+        particular normal form, but those representations do not need
+        to be consistently handled like any particular floating-point
+        value.  */
+      y[1] = y[0] = __builtin_nanl ("");
+      return 0;
+    }
+
+   /* Split the 64 bits of the mantissa into three 24-bit integers
+      stored in a double array.  */
+   exp = j0 - 23;
+diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+new file mode 100644
+index 0000000..f59b977
+--- /dev/null
+++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+@@ -0,0 +1,41 @@
+/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
+   Copyright (C) 2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <math.h>
+#include <math_ldbl.h>
+#include <stdint.h>
+
+static int
+do_test (void)
+{
+  for (int i = 0; i < 64; i++)
+    {
+      uint64_t sig = i == 63 ? 0 : 1ULL << i;
+      long double ld;
+      SET_LDOUBLE_WORDS (ld, 0x4141,
+                        sig >> 32, sig & 0xffffffffULL);
+      /* The requirement is that no stack overflow occurs when the
+        pseudo-zero or unnormal goes through range reduction.  */
+      volatile long double ldr;
+      ldr = sinl (ld);
+      (void) ldr;
+    }
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 2032311b27..6dd9415f6b 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -40,6 +40,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
           file://0028-inject-file-assembly-directives.patch \
           file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
+           file://CVE-2020-10029.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Zhixiong Chi <zhixiong.chi@windriver.com>	2020-03-09 00:43:41 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-03-10 23:20:34 +0000
commit	a67e91b1ba3687b6ebb0c96b2a7a490ec458ecc8 (patch)
tree	2692ba18ee2d5877c04fe631b9998e1e92d71b15 /meta/recipes-core
parent	116e45ae3339da6f069350fa833ee995143b10f0 (diff)
download	poky-a67e91b1ba3687b6ebb0c96b2a7a490ec458ecc8.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch new file mode 100644 index 0000000000..22a15f5fdc --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
@@ -0,0 +1,128 @@
		1	From ce265ec5bc25ec35fba53807abac1b0c8469895e Mon Sep 17 00:00:00 2001
		2	From: Joseph Myers <joseph@codesourcery.com>
		3	Date: Wed, 12 Feb 2020 23:31:56 +0000
		4	Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of
		5
		6	pseudo-zero (bug 25487).
		7
		8	Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
		9	argument (an representation where all the significand bits, including
		10	the explicit high bit, are zero, but the exponent is not zero, which
		11	is not a valid representation for the long double type).
		12
		13	Although this is not a valid long double representation, existing
		14	practice in this area (see bug 4586, originally marked invalid but
		15	subsequently fixed) is that we still seek to avoid invalid memory
		16	accesses as a result, in case of programs that treat arbitrary binary
		17	data as long double representations, although the invalid
		18	representations of the ldbl-96 format do not need to be consistently
		19	handled the same as any particular valid representation.
		20
		21	This patch makes the range reduction detect pseudo-zero and unnormal
		22	representations that would otherwise go to __kernel_rem_pio2, and
		23	returns a NaN for them instead of continuing with the range reduction
		24	process. (Pseudo-zero and unnormal representations whose unbiased
		25	exponent is less than -1 have already been safely returned from the
		26	function before this point without going through the rest of range
		27	reduction.) Pseudo-zero representations would previously result in
		28	the value passed to __kernel_rem_pio2 being all-zero, which is
		29	definitely unsafe; unnormal representations would previously result in
		30	a value passed whose high bit is zero, which might well be unsafe
		31	since that is not a form of input expected by __kernel_rem_pio2.
		32
		33	Tested for x86_64.
		34
		35	CVE: CVE-2020-10029
		36	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;
		37	a=patch;h=9333498794cde1d5cca518badf79533a24114b6f]
		38	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		39
		40	---
		41	sysdeps/ieee754/ldbl-96/Makefile \| 3 ++-
		42	sysdeps/ieee754/ldbl-96/e_rem_pio2l.c \| 12 +++++++++
		43	sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c \| 41 ++++++++++++++++++++++++++++++
		44	3 files changed, 55 insertions(+), 1 deletion(-)
		45	create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
		46
		47	diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
		48	index b103254..052c1c7 100644
		49	--- a/sysdeps/ieee754/ldbl-96/Makefile
		50	+++ b/sysdeps/ieee754/ldbl-96/Makefile
		51	@@ -17,5 +17,6 @@
		52	# <https://www.gnu.org/licenses/>.
		53
		54	ifeq ($(subdir),math)
		55	-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
		56	+tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
		57	+CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
		58	endif
		59	diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
		60	index 805de22..1aeccb4 100644
		61	--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
		62	+++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
		63	@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
		64	return 0;
		65	}
		66
		67	+ if ((i0 & 0x80000000) == 0)
		68	+ {
		69	+ /* Pseudo-zero and unnormal representations are not valid
		70	+ representations of long double. We need to avoid stack
		71	+ corruption in __kernel_rem_pio2, which expects input in a
		72	+ particular normal form, but those representations do not need
		73	+ to be consistently handled like any particular floating-point
		74	+ value. */
		75	+ y[1] = y[0] = __builtin_nanl ("");
		76	+ return 0;
		77	+ }
		78	+
		79	/* Split the 64 bits of the mantissa into three 24-bit integers
		80	stored in a double array. */
		81	exp = j0 - 23;
		82	diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
		83	new file mode 100644
		84	index 0000000..f59b977
		85	--- /dev/null
		86	+++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
		87	@@ -0,0 +1,41 @@
		88	+/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
		89	+ Copyright (C) 2020 Free Software Foundation, Inc.
		90	+ This file is part of the GNU C Library.
		91	+
		92	+ The GNU C Library is free software; you can redistribute it and/or
		93	+ modify it under the terms of the GNU Lesser General Public
		94	+ License as published by the Free Software Foundation; either
		95	+ version 2.1 of the License, or (at your option) any later version.
		96	+
		97	+ The GNU C Library is distributed in the hope that it will be useful,
		98	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
		99	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		100	+ Lesser General Public License for more details.
		101	+
		102	+ You should have received a copy of the GNU Lesser General Public
		103	+ License along with the GNU C Library; if not, see
		104	+ <https://www.gnu.org/licenses/>. */
		105	+
		106	+#include <math.h>
		107	+#include <math_ldbl.h>
		108	+#include <stdint.h>
		109	+
		110	+static int
		111	+do_test (void)
		112	+{
		113	+ for (int i = 0; i < 64; i++)
		114	+ {
		115	+ uint64_t sig = i == 63 ? 0 : 1ULL << i;
		116	+ long double ld;
		117	+ SET_LDOUBLE_WORDS (ld, 0x4141,
		118	+ sig >> 32, sig & 0xffffffffULL);
		119	+ /* The requirement is that no stack overflow occurs when the
		120	+ pseudo-zero or unnormal goes through range reduction. */
		121	+ volatile long double ldr;
		122	+ ldr = sinl (ld);
		123	+ (void) ldr;
		124	+ }
		125	+ return 0;
		126	+}
		127	+
		128	+#include <support/test-driver.c>


diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb index 2032311b27..6dd9415f6b 100644 --- a/meta/recipes-core/glibc/glibc_2.31.bb +++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -40,6 +40,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
40	file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \	40	file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
41	file://0028-inject-file-assembly-directives.patch \	41	file://0028-inject-file-assembly-directives.patch \
42	file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \	42	file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
		43	file://CVE-2020-10029.patch \
43	"	44	"
44	S = "${WORKDIR}/git"	45	S = "${WORKDIR}/git"
45	B = "${WORKDIR}/build-${TARGET_SYS}"	46	B = "${WORKDIR}/build-${TARGET_SYS}"