glibc: Security fix for CVE-2016-4429

Master will a have fix after pending update (From OE-Core rev: c14f2ba7ae1ddef3dc7bb837454e51469bead948) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-07-09 10:07:17 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-07-27 08:33:37 +0100
commit: d79f5a98f7218ff96e2a9cd3c191e8d47fb4fe67 (patch)
tree: c41b8266a96bd0ed72d5c176840954fc53096226 /meta/recipes-core
parent: 22198f07af771d2841ffb97859574b4dc6e14d57 (diff)
download: poky-d79f5a98f7218ff96e2a9cd3c191e8d47fb4fe67.tar.gz
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch b/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch
new file mode 100644
index 0000000000..56fcc0e580
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch
@@ -0,0 +1,89 @@
+From bc779a1a5b3035133024b21e2f339fe4219fb11c Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 23 May 2016 20:18:34 +0200
+Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ
+ #20112]
+The call is technically in a loop, and under certain circumstances
+(which are quite difficult to reproduce in a test case), alloca
+can be invoked repeatedly during a single call to clntudp_call.
+As a result, the available stack space can be exhausted (even
+though individual alloca sizes are bounded implicitly by what
+can fit into a UDP packet, as a side effect of the earlier
+successful send operation).
+Upstream-Status: Backport
+CVE: CVE-2016-4429
+Signed-off-by: Armin Kuster <akuster@mvsita.com>
+---
+ ChangeLog         |  7 +++++++
+ NEWS              |  4 ++++
+ sunrpc/clnt_udp.c | 10 +++++++++-
+ 3 files changed, 20 insertions(+), 1 deletion(-)
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -110,6 +110,10 @@ Security related changes:
+   reporting the security impact of this issue, and Robert Holiday of
+   Ciena for reporting the related bug 18665. (CVE-2015-7547)
+ 
+* The Sun RPC UDP client could exhaust all available stack space when
+  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
+  alloca plugin for GCC.  (CVE-2016-4429)
+
+ The following bugs are resolved with this release:
+ 
+   [89] localedata: Locales nb_NO and nn_NO should transliterate æøå
+Index: git/sunrpc/clnt_udp.c
+===================================================================
+--- git.orig/sunrpc/clnt_udp.c
+++ git/sunrpc/clnt_udp.c
+@@ -388,9 +388,15 @@ send_again:
+          struct sock_extended_err *e;
+          struct sockaddr_in err_addr;
+          struct iovec iov;
+-         char *cbuf = (char *) alloca (outlen + 256);
+         char *cbuf = malloc (outlen + 256);
+          int ret;
+ 
+         if (cbuf == NULL)
+           {
+             cu->cu_error.re_errno = errno;
+             return (cu->cu_error.re_status = RPC_CANTRECV);
+           }
+
+          iov.iov_base = cbuf + 256;
+          iov.iov_len = outlen;
+          msg.msg_name = (void *) &err_addr;
+@@ -415,10 +421,12 @@ send_again:
+                 cmsg = CMSG_NXTHDR (&msg, cmsg))
+              if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+                {
+                 free (cbuf);
+                  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+                  cu->cu_error.re_errno = e->ee_errno;
+                  return (cu->cu_error.re_status = RPC_CANTRECV);
+                }
+         free (cbuf);
+        }
+ #endif
+       do
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,10 @@
+2016-05-23  Florian Weimer  <fweimer@redhat.com>
+
+   CVE-2016-4429
+   [BZ #20112]
+   * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
+   payload.
+
+ 2016-04-29  Florian Weimer  <fweimer@redhat.com>
+ 
+    [BZ #20010]
diff --git a/meta/recipes-core/glibc/glibc_2.23.bb b/meta/recipes-core/glibc/glibc_2.23.bb
index 44923797d6..b71018b25b 100644
--- a/meta/recipes-core/glibc/glibc_2.23.bb
+++ b/meta/recipes-core/glibc/glibc_2.23.bb
@@ -37,6 +37,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0025-eglibc-Forward-port-cross-locale-generation-support.patch \
           file://0026-When-disabling-SSE-make-sure-fpmath-is-not-set-to-us.patch \
           file://CVE-2016-3706.patch \
+           file://CVE-2016-4429.patch \
 "
 SRC_URI += "\
author	Armin Kuster <akuster@mvista.com>	2016-07-09 10:07:17 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-07-27 08:33:37 +0100
commit	d79f5a98f7218ff96e2a9cd3c191e8d47fb4fe67 (patch)
tree	c41b8266a96bd0ed72d5c176840954fc53096226 /meta/recipes-core
parent	22198f07af771d2841ffb97859574b4dc6e14d57 (diff)
download	poky-d79f5a98f7218ff96e2a9cd3c191e8d47fb4fe67.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch b/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch new file mode 100644 index 0000000000..56fcc0e580 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2016-4429.patch
@@ -0,0 +1,89 @@
		1	From bc779a1a5b3035133024b21e2f339fe4219fb11c Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Mon, 23 May 2016 20:18:34 +0200
		4	Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ
		5	#20112]
		6
		7	The call is technically in a loop, and under certain circumstances
		8	(which are quite difficult to reproduce in a test case), alloca
		9	can be invoked repeatedly during a single call to clntudp_call.
		10	As a result, the available stack space can be exhausted (even
		11	though individual alloca sizes are bounded implicitly by what
		12	can fit into a UDP packet, as a side effect of the earlier
		13	successful send operation).
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2016-4429
		17
		18	Signed-off-by: Armin Kuster <akuster@mvsita.com>
		19
		20	---
		21	ChangeLog \| 7 +++++++
		22	NEWS \| 4 ++++
		23	sunrpc/clnt_udp.c \| 10 +++++++++-
		24	3 files changed, 20 insertions(+), 1 deletion(-)
		25
		26	Index: git/NEWS
		27	===================================================================
		28	--- git.orig/NEWS
		29	+++ git/NEWS
		30	@@ -110,6 +110,10 @@ Security related changes:
		31	reporting the security impact of this issue, and Robert Holiday of
		32	Ciena for reporting the related bug 18665. (CVE-2015-7547)
		33
		34	+* The Sun RPC UDP client could exhaust all available stack space when
		35	+ flooded with crafted ICMP and UDP messages. Reported by Aldy Hernandez'
		36	+ alloca plugin for GCC. (CVE-2016-4429)
		37	+
		38	The following bugs are resolved with this release:
		39
		40	[89] localedata: Locales nb_NO and nn_NO should transliterate æøå
		41	Index: git/sunrpc/clnt_udp.c
		42	===================================================================
		43	--- git.orig/sunrpc/clnt_udp.c
		44	+++ git/sunrpc/clnt_udp.c
		45	@@ -388,9 +388,15 @@ send_again:
		46	struct sock_extended_err *e;
		47	struct sockaddr_in err_addr;
		48	struct iovec iov;
		49	- char cbuf = (char ) alloca (outlen + 256);
		50	+ char *cbuf = malloc (outlen + 256);
		51	int ret;
		52
		53	+ if (cbuf == NULL)
		54	+ {
		55	+ cu->cu_error.re_errno = errno;
		56	+ return (cu->cu_error.re_status = RPC_CANTRECV);
		57	+ }
		58	+
		59	iov.iov_base = cbuf + 256;
		60	iov.iov_len = outlen;
		61	msg.msg_name = (void *) &err_addr;
		62	@@ -415,10 +421,12 @@ send_again:
		63	cmsg = CMSG_NXTHDR (&msg, cmsg))
		64	if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
		65	{
		66	+ free (cbuf);
		67	e = (struct sock_extended_err *) CMSG_DATA(cmsg);
		68	cu->cu_error.re_errno = e->ee_errno;
		69	return (cu->cu_error.re_status = RPC_CANTRECV);
		70	}
		71	+ free (cbuf);
		72	}
		73	#endif
		74	do
		75	Index: git/ChangeLog
		76	===================================================================
		77	--- git.orig/ChangeLog
		78	+++ git/ChangeLog
		79	@@ -1,3 +1,10 @@
		80	+2016-05-23 Florian Weimer <fweimer@redhat.com>
		81	+
		82	+ CVE-2016-4429
		83	+ [BZ #20112]
		84	+ * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
		85	+ payload.
		86	+
		87	2016-04-29 Florian Weimer <fweimer@redhat.com>
		88
		89	[BZ #20010]


diff --git a/meta/recipes-core/glibc/glibc_2.23.bb b/meta/recipes-core/glibc/glibc_2.23.bb index 44923797d6..b71018b25b 100644 --- a/meta/recipes-core/glibc/glibc_2.23.bb +++ b/meta/recipes-core/glibc/glibc_2.23.bb
@@ -37,6 +37,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
37	file://0025-eglibc-Forward-port-cross-locale-generation-support.patch \	37	file://0025-eglibc-Forward-port-cross-locale-generation-support.patch \
38	file://0026-When-disabling-SSE-make-sure-fpmath-is-not-set-to-us.patch \	38	file://0026-When-disabling-SSE-make-sure-fpmath-is-not-set-to-us.patch \
39	file://CVE-2016-3706.patch \	39	file://CVE-2016-3706.patch \
		40	file://CVE-2016-4429.patch \
40	"	41	"
41		42
42	SRC_URI += "\	43	SRC_URI += "\