diff options
author | Armin Kuster <akuster@mvista.com> | 2016-01-22 20:19:24 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-18 07:37:49 +0000 |
commit | efa1ae5e458666eb66dcff93078beb4e21a00fdc (patch) | |
tree | ec468b312e9faf1d56cfc9c91cfb946ee3bc575f /meta | |
parent | aefe1fadfa041673360ad31901655ead70c32d75 (diff) | |
download | poky-efa1ae5e458666eb66dcff93078beb4e21a00fdc.tar.gz |
glibc: CVE-2015-8779
A stack overflow vulnerability in the catopen function was found, causing
applications which pass long strings to the catopen function to crash or,
potentially execute arbitrary code.
(From OE-Core rev: e0f71f123147bf4f48cc90c7f26a50164ed4115e)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2015-8779.patch | 262 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.22.bb | 1 |
2 files changed, 263 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch new file mode 100644 index 0000000000..4dc93c769d --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch | |||
@@ -0,0 +1,262 @@ | |||
1 | From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Pluzhnikov <ppluzhnikov@google.com> | ||
3 | Date: Sat, 8 Aug 2015 15:53:03 -0700 | ||
4 | Subject: [PATCH] Fix BZ #17905 | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2015-8779 | ||
8 | [Yocto # 8980] | ||
9 | |||
10 | https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e | ||
11 | |||
12 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
13 | |||
14 | --- | ||
15 | ChangeLog | 8 ++++++++ | ||
16 | NEWS | 2 +- | ||
17 | catgets/Makefile | 9 ++++++++- | ||
18 | catgets/catgets.c | 19 ++++++++++++------- | ||
19 | catgets/open_catalog.c | 23 ++++++++++++++--------- | ||
20 | catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++ | ||
21 | 6 files changed, 74 insertions(+), 18 deletions(-) | ||
22 | |||
23 | Index: git/catgets/Makefile | ||
24 | =================================================================== | ||
25 | --- git.orig/catgets/Makefile | ||
26 | +++ git/catgets/Makefile | ||
27 | @@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS)) | ||
28 | ifeq ($(run-built-tests),yes) | ||
29 | tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \ | ||
30 | $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out | ||
31 | +tests-special += $(objpfx)tst-catgets-mem.out | ||
32 | endif | ||
33 | endif | ||
34 | gencat-modules = xmalloc | ||
35 | @@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat | ||
36 | |||
37 | generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \ | ||
38 | test-gencat.h | ||
39 | +generated += tst-catgets.mtrace tst-catgets-mem.out | ||
40 | + | ||
41 | generated-dirs += de | ||
42 | |||
43 | -tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de | ||
44 | +tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace | ||
45 | |||
46 | ifeq ($(run-built-tests),yes) | ||
47 | # This test just checks whether the program produces any error or not. | ||
48 | @@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh | ||
49 | $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat | ||
50 | $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \ | ||
51 | $(evaluate-test) | ||
52 | + | ||
53 | +$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out | ||
54 | + $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \ | ||
55 | + $(evaluate-test) | ||
56 | endif | ||
57 | Index: git/catgets/catgets.c | ||
58 | =================================================================== | ||
59 | --- git.orig/catgets/catgets.c | ||
60 | +++ git/catgets/catgets.c | ||
61 | @@ -16,7 +16,6 @@ | ||
62 | License along with the GNU C Library; if not, see | ||
63 | <http://www.gnu.org/licenses/>. */ | ||
64 | |||
65 | -#include <alloca.h> | ||
66 | #include <errno.h> | ||
67 | #include <locale.h> | ||
68 | #include <nl_types.h> | ||
69 | @@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag) | ||
70 | __nl_catd result; | ||
71 | const char *env_var = NULL; | ||
72 | const char *nlspath = NULL; | ||
73 | + char *tmp = NULL; | ||
74 | |||
75 | if (strchr (cat_name, '/') == NULL) | ||
76 | { | ||
77 | @@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag) | ||
78 | { | ||
79 | /* Append the system dependent directory. */ | ||
80 | size_t len = strlen (nlspath) + 1 + sizeof NLSPATH; | ||
81 | - char *tmp = alloca (len); | ||
82 | + tmp = malloc (len); | ||
83 | + | ||
84 | + if (__glibc_unlikely (tmp == NULL)) | ||
85 | + return (nl_catd) -1; | ||
86 | |||
87 | __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH); | ||
88 | nlspath = tmp; | ||
89 | @@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag) | ||
90 | |||
91 | result = (__nl_catd) malloc (sizeof (*result)); | ||
92 | if (result == NULL) | ||
93 | - /* We cannot get enough memory. */ | ||
94 | - return (nl_catd) -1; | ||
95 | - | ||
96 | - if (__open_catalog (cat_name, nlspath, env_var, result) != 0) | ||
97 | + { | ||
98 | + /* We cannot get enough memory. */ | ||
99 | + result = (nl_catd) -1; | ||
100 | + } | ||
101 | + else if (__open_catalog (cat_name, nlspath, env_var, result) != 0) | ||
102 | { | ||
103 | /* Couldn't open the file. */ | ||
104 | free ((void *) result); | ||
105 | - return (nl_catd) -1; | ||
106 | + result = (nl_catd) -1; | ||
107 | } | ||
108 | |||
109 | + free (tmp); | ||
110 | return (nl_catd) result; | ||
111 | } | ||
112 | |||
113 | Index: git/catgets/open_catalog.c | ||
114 | =================================================================== | ||
115 | --- git.orig/catgets/open_catalog.c | ||
116 | +++ git/catgets/open_catalog.c | ||
117 | @@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co | ||
118 | size_t tab_size; | ||
119 | const char *lastp; | ||
120 | int result = -1; | ||
121 | + char *buf = NULL; | ||
122 | |||
123 | if (strchr (cat_name, '/') != NULL || nlspath == NULL) | ||
124 | fd = open_not_cancel_2 (cat_name, O_RDONLY); | ||
125 | @@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co | ||
126 | if (__glibc_unlikely (bufact + (n) >= bufmax)) \ | ||
127 | { \ | ||
128 | char *old_buf = buf; \ | ||
129 | - bufmax += 256 + (n); \ | ||
130 | - buf = (char *) alloca (bufmax); \ | ||
131 | - memcpy (buf, old_buf, bufact); \ | ||
132 | + bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \ | ||
133 | + buf = realloc (buf, bufmax); \ | ||
134 | + if (__glibc_unlikely (buf == NULL)) \ | ||
135 | + { \ | ||
136 | + free (old_buf); \ | ||
137 | + return -1; \ | ||
138 | + } \ | ||
139 | } | ||
140 | |||
141 | /* The RUN_NLSPATH variable contains a colon separated list of | ||
142 | descriptions where we expect to find catalogs. We have to | ||
143 | recognize certain % substitutions and stop when we found the | ||
144 | first existing file. */ | ||
145 | - char *buf; | ||
146 | size_t bufact; | ||
147 | - size_t bufmax; | ||
148 | + size_t bufmax = 0; | ||
149 | size_t len; | ||
150 | |||
151 | - buf = NULL; | ||
152 | - bufmax = 0; | ||
153 | - | ||
154 | fd = -1; | ||
155 | while (*run_nlspath != '\0') | ||
156 | { | ||
157 | @@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co | ||
158 | |||
159 | /* Avoid dealing with directories and block devices */ | ||
160 | if (__builtin_expect (fd, 0) < 0) | ||
161 | - return -1; | ||
162 | + { | ||
163 | + free (buf); | ||
164 | + return -1; | ||
165 | + } | ||
166 | |||
167 | if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0) | ||
168 | goto close_unlock_return; | ||
169 | @@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co | ||
170 | /* Release the lock again. */ | ||
171 | close_unlock_return: | ||
172 | close_not_cancel_no_status (fd); | ||
173 | + free (buf); | ||
174 | |||
175 | return result; | ||
176 | } | ||
177 | Index: git/catgets/tst-catgets.c | ||
178 | =================================================================== | ||
179 | --- git.orig/catgets/tst-catgets.c | ||
180 | +++ git/catgets/tst-catgets.c | ||
181 | @@ -1,7 +1,10 @@ | ||
182 | +#include <assert.h> | ||
183 | #include <mcheck.h> | ||
184 | #include <nl_types.h> | ||
185 | #include <stdio.h> | ||
186 | +#include <stdlib.h> | ||
187 | #include <string.h> | ||
188 | +#include <sys/resource.h> | ||
189 | |||
190 | |||
191 | static const char *msgs[] = | ||
192 | @@ -12,6 +15,33 @@ static const char *msgs[] = | ||
193 | }; | ||
194 | #define nmsgs (sizeof (msgs) / sizeof (msgs[0])) | ||
195 | |||
196 | + | ||
197 | +/* Test for unbounded alloca. */ | ||
198 | +static int | ||
199 | +do_bz17905 (void) | ||
200 | +{ | ||
201 | + char *buf; | ||
202 | + struct rlimit rl; | ||
203 | + nl_catd result; | ||
204 | + | ||
205 | + const int sz = 1024 * 1024; | ||
206 | + | ||
207 | + getrlimit (RLIMIT_STACK, &rl); | ||
208 | + rl.rlim_cur = sz; | ||
209 | + setrlimit (RLIMIT_STACK, &rl); | ||
210 | + | ||
211 | + buf = malloc (sz + 1); | ||
212 | + memset (buf, 'A', sz); | ||
213 | + buf[sz] = '\0'; | ||
214 | + setenv ("NLSPATH", buf, 1); | ||
215 | + | ||
216 | + result = catopen (buf, NL_CAT_LOCALE); | ||
217 | + assert (result == (nl_catd) -1); | ||
218 | + | ||
219 | + free (buf); | ||
220 | + return 0; | ||
221 | +} | ||
222 | + | ||
223 | #define ROUNDS 5 | ||
224 | |||
225 | static int | ||
226 | @@ -62,6 +92,7 @@ do_test (void) | ||
227 | } | ||
228 | } | ||
229 | |||
230 | + result += do_bz17905 (); | ||
231 | return result; | ||
232 | } | ||
233 | |||
234 | Index: git/ChangeLog | ||
235 | =================================================================== | ||
236 | --- git.orig/ChangeLog | ||
237 | +++ git/ChangeLog | ||
238 | @@ -1,3 +1,11 @@ | ||
239 | +2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com> | ||
240 | + | ||
241 | + [BZ #17905] | ||
242 | + * catgets/Makefile (tst-catgets-mem): New test. | ||
243 | + * catgets/catgets.c (catopen): Don't use unbounded alloca. | ||
244 | + * catgets/open_catalog.c (__open_catalog): Likewise. | ||
245 | + * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca. | ||
246 | + | ||
247 | 2015-10-15 Florian Weimer <fweimer@redhat.com> | ||
248 | |||
249 | [BZ #18928] | ||
250 | Index: git/NEWS | ||
251 | =================================================================== | ||
252 | --- git.orig/NEWS | ||
253 | +++ git/NEWS | ||
254 | @@ -9,7 +9,7 @@ Version 2.22.1 | ||
255 | |||
256 | * The following bugs are resolved with this release: | ||
257 | |||
258 | - 18778, 18781, 18787. | ||
259 | + 18778, 18781, 18787, 17905. | ||
260 | |||
261 | Version 2.22 | ||
262 | |||
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb index c828310586..336463a5c3 100644 --- a/meta/recipes-core/glibc/glibc_2.22.bb +++ b/meta/recipes-core/glibc/glibc_2.22.bb | |||
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ | |||
44 | file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \ | 44 | file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \ |
45 | file://0029-fix-getmntent-empty-lines.patch \ | 45 | file://0029-fix-getmntent-empty-lines.patch \ |
46 | file://CVE-2015-8777.patch \ | 46 | file://CVE-2015-8777.patch \ |
47 | file://CVE-2015-8779.patch \ | ||
47 | " | 48 | " |
48 | 49 | ||
49 | SRC_URI += "\ | 50 | SRC_URI += "\ |