author | Sundeep KOKKONDA <sundeep.kokkonda@gmail.com> | 2022-01-19 19:16:57 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-01-20 11:57:29 +0000 |
commit | 73ff4e0ce1b68ef00fcc5d94e1e356f7f7ba4788 (patch) | |
tree | d215eb8d6726c480ee93de6a2026b367e7669c59 /meta/recipes-core | |
parent | fd4901288a146d33589c4d34249713378805429f (diff) | |
download | poky-73ff4e0ce1b68ef00fcc5d94e1e356f7f7ba4788.tar.gz |
glibc : Fix CVE-2022-23218
Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=e368b12f6c16b6888dda99ba641e999b9c9643c8]
Upstream-Status: Backport
[https://sourceware.org/git/?p=glibc.git;a=commit;h=f545ad4928fa1f27a3075265182b38a4f939a5f7]
(From OE-Core rev: 83fa93b5fdb10a589bad2a9fc83552df8f1dbf28)
Signed-off-by: pgowda <pgowda.cve@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch | 178 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch | 126 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.34.bb | 2 |
3 files changed, 306 insertions, 0 deletions
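--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch
@@ -0,0 +1,178 @@
+From e368b12f6c16b6888dda99ba641e999b9c9643c8 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 17 Jan 2022 10:21:34 +0100
+Subject: [PATCH] socket: Add the __sockaddr_un_set function
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=e368b12f6c16b6888dda99ba641e999b9c9643c8]
+CVE: CVE-2022-23219
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+include/sys/un.h | 12 +++++++
+socket/Makefile | 6 +++-
+socket/sockaddr_un_set.c | 41 ++++++++++++++++++++++++
+socket/tst-sockaddr_un_set.c | 62 ++++++++++++++++++++++++++++++++++++
+4 files changed, 120 insertions(+), 1 deletion(-)
+create mode 100644 socket/sockaddr_un_set.c
+create mode 100644 socket/tst-sockaddr_un_set.c
+
+diff --git a/include/sys/un.h b/include/sys/un.h
+index bdbee99980..152afd9fc7 100644
+--- a/include/sys/un.h
++++ b/include/sys/un.h
+@@ -1 +1,13 @@
+#include <socket/sys/un.h>
++
++#ifndef _ISOMAC
++
++/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME.
++ Return 0 on success or -1 on failure (due to overlong PATHNAME).
++ The caller should always use sizeof (struct sockaddr_un) as the
++ socket address length, disregaring the length of PATHNAME.
++ Only concrete (non-abstract) pathnames are supported. */
++int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
++ attribute_hidden;
++
++#endif /* _ISOMAC */
+diff --git a/socket/Makefile b/socket/Makefile
+index 39333e10ca..156eec6c85 100644
+--- a/socket/Makefile
++++ b/socket/Makefile
+@@ -29,13 +29,17 @@ headers := sys/socket.h sys/un.h bits/sockaddr.h bits/socket.h \
+routines := accept bind connect getpeername getsockname getsockopt \
+listen recv recvfrom recvmsg send sendmsg sendto \
+setsockopt shutdown socket socketpair isfdtype opensock \
+- sockatmark accept4 recvmmsg sendmmsg
++ sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set
+
+tests := \
+tst-accept4 \
+tst-sockopt \
+# tests
+
++tests-internal := \
++ tst-sockaddr_un_set \
++ # tests-internal
++
+tests-time64 := \
+tst-sockopt-time64 \
+# tests
+diff --git a/socket/sockaddr_un_set.c b/socket/sockaddr_un_set.c
+new file mode 100644
+index 0000000000..0bd40dc34e
+--- /dev/null
++++ b/socket/sockaddr_un_set.c
+@@ -0,0 +1,41 @@
++/* Set the sun_path member of struct sockaddr_un.
++ Copyright (C) 2022 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <string.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++
++int
++__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
++{
++ size_t name_length = strlen (pathname);
++
++ /* The kernel supports names of exactly sizeof (addr->sun_path)
++ bytes, without a null terminator, but userspace does not; see the
++ SUN_LEN macro. */
++ if (name_length >= sizeof (addr->sun_path))
++ {
++ __set_errno (EINVAL); /* Error code used by the kernel. */
++ return -1;
++ }
++
++ addr->sun_family = AF_UNIX;
++ memcpy (addr->sun_path, pathname, name_length + 1);
++ return 0;
++}
+diff --git a/socket/tst-sockaddr_un_set.c b/socket/tst-sockaddr_un_set.c
+new file mode 100644
+index 0000000000..29c2a81afd
+--- /dev/null
++++ b/socket/tst-sockaddr_un_set.c
+@@ -0,0 +1,62 @@
++/* Test the __sockaddr_un_set function.
++ Copyright (C) 2022 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++/* Re-compile the function because the version in libc is not
++ exported. */
++#include "sockaddr_un_set.c"
++
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++ struct sockaddr_un sun;
++
++ memset (&sun, 0xcc, sizeof (sun));
++ __sockaddr_un_set (&sun, "");
++ TEST_COMPARE (sun.sun_family, AF_UNIX);
++ TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0);
++
++ memset (&sun, 0xcc, sizeof (sun));
++ TEST_COMPARE (__sockaddr_un_set (&sun, "/example"), 0);
++ TEST_COMPARE_STRING (sun.sun_path, "/example");
++
++ {
++ char pathname[108]; /* Length of sun_path (ABI constant). */
++ memset (pathname, 'x', sizeof (pathname));
++ pathname[sizeof (pathname) - 1] = '\0';
++ memset (&sun, 0xcc, sizeof (sun));
++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), 0);
++ TEST_COMPARE (sun.sun_family, AF_UNIX);
++ TEST_COMPARE_STRING (sun.sun_path, pathname);
++ }
++
++ {
++ char pathname[109];
++ memset (pathname, 'x', sizeof (pathname));
++ pathname[sizeof (pathname) - 1] = '\0';
++ memset (&sun, 0xcc, sizeof (sun));
++ errno = 0;
++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), -1);
++ TEST_COMPARE (errno, EINVAL);
++ }
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+--
+2.27.0
+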
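Review bot: The header tag `CVE: CVE-2022-23219` (patch line 7) disagrees with the file name `0001-CVE-2022-23218.patch` and with the commit subject, and the patch only adds the `__sockaddr_un_set` helper and its test without touching any caller. OE-Core's cve-check reads `CVE:` tags from applied patches, so this tag would presumably report CVE-2022-23219 as patched although no fix for it is visible in this commit. Either add the upstream change that fixes CVE-2022-23219 to `SRC_URI` as well, or drop the tag here and describe the patch as a prerequisite for `0002-CVE-2022-23218.patch`.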
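--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch
@@ -0,0 +1,126 @@
+From f545ad4928fa1f27a3075265182b38a4f939a5f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 17 Jan 2022 10:21:34 +0100
+Subject: [PATCH] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug
+28768)
+
+The sunrpc function svcunix_create suffers from a stack-based buffer
+overflow with overlong pathname arguments.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=f545ad4928fa1f27a3075265182b38a4f939a5f7]
+CVE: CVE-2022-23218
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+NEWS | 3 +++
+sunrpc/Makefile | 2 +-
+sunrpc/svc_unix.c | 11 ++++-------
+sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+4 files changed, 50 insertions(+), 8 deletions(-)
+create mode 100644 sunrpc/tst-bug28768.c
+
+diff --git a/NEWS b/NEWS
+index 38a9ddb2cf..38802f0673 100644
+--- a/NEWS
++++ b/NEWS
+@@ -203,6 +203,9 @@ Security related changes:
+parameter number when processing the expansion resulting in a crash.
+Reported by Philippe Antoine.
+
++ CVE-2022-23218: Passing an overlong file name to the svcunix_create
++ legacy function could result in a stack-based buffer overflow.
++
+The following bugs are resolved with this release:
+
+[4737] libc: fork is not async-signal-safe
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 183ef3dc55..a79a7195fc 100644
+--- a/sunrpc/Makefile
++++ b/sunrpc/Makefile
+@@ -65,7 +65,7 @@ shared-only-routines = $(routines)
+endif
+
+tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
+- tst-udp-nonblocking
++ tst-udp-nonblocking tst-bug28768
+xtests := tst-getmyaddr
+
+ifeq ($(have-thread-library),yes)
+diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
+index f2280b4c49..67177a2e78 100644
+--- a/sunrpc/svc_unix.c
++++ b/sunrpc/svc_unix.c
+@@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize
+SVCXPRT *xprt;
+struct unix_rendezvous *r;
+struct sockaddr_un addr;
+- socklen_t len = sizeof (struct sockaddr_in);
++ socklen_t len = sizeof (addr);
++
++ if (__sockaddr_un_set (&addr, path) < 0)
++ return NULL;
+
+if (sock == RPC_ANYSOCK)
+{
+@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize
+}
+madesock = TRUE;
+}
+- memset (&addr, '\0', sizeof (addr));
+- addr.sun_family = AF_UNIX;
+- len = strlen (path) + 1;
+- memcpy (addr.sun_path, path, len);
+- len += sizeof (addr.sun_family);
+-
+__bind (sock, (struct sockaddr *) &addr, len);
+
+if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0
+diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c
+new file mode 100644
+index 0000000000..35a4b7b0b3
+--- /dev/null
++++ b/sunrpc/tst-bug28768.c
+@@ -0,0 +1,42 @@
++/* Test to verify that long path is rejected by svcunix_create (bug 28768).
++ Copyright (C) 2022 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <rpc/svc.h>
++#include <shlib-compat.h>
++#include <string.h>
++#include <support/check.h>
++
++/* svcunix_create does not have a default version in linkobj/libc.so. */
++compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1);
++
++static int
++do_test (void)
++{
++ char pathname[109];
++ memset (pathname, 'x', sizeof (pathname));
++ pathname[sizeof (pathname) - 1] = '\0';
++
++ errno = 0;
++ TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL);
++ TEST_COMPARE (errno, EINVAL);
++
++ return 0;
++}
++
++#include <support/test-driver.c>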
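Review bot: In the `sunrpc/svc_unix.c` hunks the `memset (&addr, '\0', sizeof (addr))` is removed while `len` becomes `sizeof (addr)`, so `__bind` is now handed the whole `struct sockaddr_un` although `__sockaddr_un_set` writes only `sun_family` and the path plus its terminator. For a non-empty path the bytes after the terminator should be ignored, but an empty `path` passes the length check and, on Linux, a leading NUL with the full length is presumably treated as an abstract name made of uninitialised stack bytes. Keeping `memset (&addr, 0, sizeof (addr));` before the `__sockaddr_un_set` call, or rejecting an empty `path`, would close that; `tst-bug28768.c` only covers the overlong case. The body of `svcunix_create` starts and ends outside the hunks.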
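--- a/meta/recipes-core/glibc/glibc_2.34.bb
+++ b/meta/recipes-core/glibc/glibc_2.34.bb
@@ -53,6 +53,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
 file://CVE-2021-43396.patch \
 file://0001-Make-shell-interpreter-overridable-in-tzselect.ksh.patch \
+file://0001-CVE-2022-23218.patch \
+file://0002-CVE-2022-23218.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"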