glibc: Pull latest 2.31 HEAD

The relevant commit log: $ git log --format="%h %s" df31c7ca927242d5d4eee97f93a01e23ff47e332..f84949f1c4bbf20e6a1d9a5859cf012cde060ede f84949f1c4 powerpc64: Workaround sigtramp vdso return call 5e43566f0f nscd: Fix double free in netgroupcache [BZ #27462] d0c84d22b6 gconv: Fix assertion failure in ISO-2022-JP-3 module (bug 27256) af316e4627 x86: Check IFUNC definition in unrelocated executable [BZ #20019] 36eb01dd85 x86: Set header.feature_1 in TCB for always-on CET [BZ #27177] 8b7be87aa2 x86-64: Avoid rep movsb with short distance [BZ #27130] c4f5e32aae Fix buffer overrun in EUC-KR conversion module (bz #24973) 0858f46440 Add NEWS entry for CVE-2020-29562 (BZ #26923) 1e40391de2 iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923) 568c86274a tests-mcheck: New variable to run tests with MALLOC_CHECK_=3 (From OE-Core rev: 83be9ed671de2433ea6dc4017a9bb471aa322ea7) Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anatol Belski <anbelski@linux.microsoft.com> 2021-03-20 16:34:27 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-03-28 22:31:47 +0100
commit: 8aa97a314d5ce53a60d20ec09e00546cfba86efd (patch)
tree: ff13d9f719399711448e25aa1045d5213c5ebbe7 /meta
parent: aba2c5f6462c2c8beca6ae401c5d53cd1cc68fa9 (diff)
download: poky-8aa97a314d5ce53a60d20ec09e00546cfba86efd.tar.gz
4 files changed, 4 insertions, 295 deletions
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 5f726537ff..7ae64a190f 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.31/master"
 PV = "2.31+git${SRCPV}"
-SRCREV_glibc ?= "df31c7ca927242d5d4eee97f93a01e23ff47e332"
+SRCREV_glibc ?= "f84949f1c4bbf20e6a1d9a5859cf012cde060ede"
 SRCREV_localedef ?= "cd9f958c4c94a638fa7b2b4e21627364f1a1a655"
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
deleted file mode 100644
index 73df1da868..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
-From: Andreas Schwab <schwab@suse.de>
-Date: Mon, 21 Dec 2020 08:56:43 +0530
-Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
-The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
-area and is not allowed.  The from_euc_kr function used to skip two bytes
-when told to skip over the unknown designation, potentially running over
-the buffer end.
-Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
-CVE: CVE-2019-25013
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-[Refreshed for Dundell context; Makefile changes]
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- iconvdata/Makefile      |  3 ++-
- iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
- iconvdata/euc-kr.c      |  6 +----
- iconvdata/ksc5601.h     |  6 ++---
- 4 files changed, 59 insertions(+), 9 deletions(-)
- create mode 100644 iconvdata/bug-iconv13.c
-Index: git/iconvdata/Makefile
-===================================================================
--- git.orig/iconvdata/Makefile
-+++ git/iconvdata/Makefile
-@@ -73,7 +73,7 @@ modules.so := $(addsuffix .so, $(modules
- ifeq (yes,$(build-shared))
- tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
-        tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
-       bug-iconv10 bug-iconv11 bug-iconv12
-+       bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13
- ifeq ($(have-thread-library),yes)
- tests += bug-iconv3
- endif
-Index: git/iconvdata/bug-iconv13.c
-===================================================================
--- /dev/null
-+++ git/iconvdata/bug-iconv13.c
-@@ -0,0 +1,53 @@
-+/* bug 24973: Test EUC-KR module
-+   Copyright (C) 2020 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <https://www.gnu.org/licenses/>.  */
-+
-+#include <errno.h>
-+#include <iconv.h>
-+#include <stdio.h>
-+#include <support/check.h>
-+
-+static int
-+do_test (void)
-+{
-+  iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
-+  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
-+
-+  /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
-+     areas, which are not allowed and should be skipped over due to
-+     //IGNORE.  The trailing 0xfe also is an incomplete sequence, which
-+     should be checked first.  */
-+  char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
-+  char *inptr = input;
-+  size_t insize = sizeof (input);
-+  char output[4];
-+  char *outptr = output;
-+  size_t outsize = sizeof (output);
-+
-+  /* This used to crash due to buffer overrun.  */
-+  TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
-+  TEST_VERIFY (errno == EINVAL);
-+  /* The conversion should produce one character, the converted null
-+     character.  */
-+  TEST_VERIFY (sizeof (output) - outsize == 1);
-+
-+  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
-+
-+  return 0;
-+}
-+
-+#include <support/test-driver.c>
-Index: git/iconvdata/euc-kr.c
-===================================================================
--- git.orig/iconvdata/euc-kr.c
-+++ git/iconvdata/euc-kr.c
-@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned c
-                                                                              \
-     if (ch <= 0x9f)                                                          \
-       ++inptr;                                                               \
-    /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are                   \
-       user-defined areas.  */                                               \
-    else if (__builtin_expect (ch == 0xa0, 0)                                \
-            || __builtin_expect (ch > 0xfe, 0)                               \
-            || __builtin_expect (ch == 0xc9, 0))                             \
-+    else if (__glibc_unlikely (ch == 0xa0))                                  \
-       {                                                                              \
-        /* This is illegal.  */                                               \
-        STANDARD_FROM_LOOP_ERR_HANDLER (1);                                   \
-Index: git/iconvdata/ksc5601.h
-===================================================================
--- git.orig/iconvdata/ksc5601.h
-+++ git/iconvdata/ksc5601.h
-@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s
-   unsigned char ch2;
-   int idx;
- 
-+  if (avail < 2)
-+    return 0;
-+
-   /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
- 
-   if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
-       || (ch - offset) == 0x49)
-     return __UNKNOWN_10646_CHAR;
- 
-  if (avail < 2)
-    return 0;
-
-   ch2 = (*s)[1];
-   if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
-     return __UNKNOWN_10646_CHAR;
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
deleted file mode 100644
index c51fb3223a..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001
-From: Michael Colavita <mcolavita@fb.com>
-Date: Thu, 19 Nov 2020 11:44:40 -0500
-Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923)
-Previously, in UCS4 conversion routines we limit the number of
-characters we examine to the minimum of the number of characters in the
-input and the number of characters in the output. This is not the
-correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume
-an output character when we skip a code unit. Instead, track the input
-and output pointers and terminate the loop when either reaches its
-limit.
-This resolves assertion failures when resetting the input buffer in a step of
-iconv, which assumes that the input will be fully consumed given sufficient
-output space.
-Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=228edd356f03bf62dcf2b1335f25d43c602ee68d]
-CVE: CVE-2020-29562
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
- iconv/Makefile       |  2 +-
- iconv/gconv_simple.c | 16 ++++----------
- iconv/tst-iconv8.c   | 50 ++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 55 insertions(+), 13 deletions(-)
- create mode 100644 iconv/tst-iconv8.c
-diff --git a/iconv/Makefile b/iconv/Makefile
-index 30bf996d3a..f9b51e23ec 100644
--- a/iconv/Makefile
-+++ b/iconv/Makefile
-@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION
- CFLAGS-simple-hash.c += -I../locale
- 
- tests  = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
-         tst-iconv7 tst-iconv-mt tst-iconv-opt
-+         tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt
- 
- others         = iconv_prog iconvconfig
- install-others-programs        = $(inst_bindir)/iconv
-diff --git a/iconv/gconv_simple.c b/iconv/gconv_simple.c
-index d4797fba17..963b29f246 100644
--- a/iconv/gconv_simple.c
-+++ b/iconv/gconv_simple.c
-@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step *step,
-   int flags = step_data->__flags;
-   const unsigned char *inptr = *inptrp;
-   unsigned char *outptr = *outptrp;
-  size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
-   int result;
-  size_t cnt;
- 
-  for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
-+  for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
-     {
-       uint32_t inval;
- 
-@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __gconv_step *step,
-   int flags = step_data->__flags;
-   const unsigned char *inptr = *inptrp;
-   unsigned char *outptr = *outptrp;
-  size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
-   int result;
-  size_t cnt;
- 
-  for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
-+  for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
-     {
-       if (__glibc_unlikely (inptr[0] > 0x80))
-        {
-@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_step *step,
-   int flags = step_data->__flags;
-   const unsigned char *inptr = *inptrp;
-   unsigned char *outptr = *outptrp;
-  size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
-   int result;
-  size_t cnt;
- 
-  for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
-+  for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
-     {
-       uint32_t inval;
- 
-@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct __gconv_step *step,
-   int flags = step_data->__flags;
-   const unsigned char *inptr = *inptrp;
-   unsigned char *outptr = *outptrp;
-  size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
-   int result;
-  size_t cnt;
- 
-  for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
-+  for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
-     {
-       if (__glibc_unlikely (inptr[3] > 0x80))
-        {
-diff --git a/iconv/tst-iconv8.c b/iconv/tst-iconv8.c
-new file mode 100644
-index 0000000000..0b92b19f66
--- /dev/null
-+++ b/iconv/tst-iconv8.c
-@@ -0,0 +1,50 @@
-+/* Test iconv behavior on UCS4 conversions with //IGNORE.
-+   Copyright (C) 2020 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <http://www.gnu.org/licenses/>.  */
-+
-+/* Derived from BZ #26923 */
-+#include <errno.h>
-+#include <iconv.h>
-+#include <stdio.h>
-+#include <support/check.h>
-+
-+static int
-+do_test (void)
-+{
-+  iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/");
-+  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
-+
-+  /*
-+   * Convert sequence beginning with an irreversible character into buffer that
-+   * is too small.
-+   */
-+  char input[12] = "\xe1\x80\xa1" "AAAAAAAAA";
-+  char *inptr = input;
-+  size_t insize = sizeof (input);
-+  char output[6];
-+  char *outptr = output;
-+  size_t outsize = sizeof (output);
-+
-+  TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1);
-+  TEST_VERIFY (errno == E2BIG);
-+
-+  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
-+
-+  return 0;
-+}
-+
-+#include <support/test-driver.c>
-- 
-2.27.0
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index b75bbb4196..22858bc563 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -1,7 +1,9 @@
 require glibc.inc
 require glibc-version.inc
-CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2020-6096 CVE-2016-10228 CVE-2020-1751 CVE-2020-1752"
+CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2020-6096 CVE-2016-10228 CVE-2020-1751 CVE-2020-1752 \
+                        CVE-2021-27645 CVE-2021-3326 CVE-2020-27618 CVE-2020-29562 CVE-2019-25013 \
+"
 DEPENDS += "gperf-native bison-native make-native"
@@ -41,9 +43,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
           file://0028-inject-file-assembly-directives.patch \
           file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
-           file://CVE-2020-29562.patch \
           file://CVE-2020-29573.patch \
-           file://CVE-2019-25013.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Anatol Belski <anbelski@linux.microsoft.com>	2021-03-20 16:34:27 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-03-28 22:31:47 +0100
commit	8aa97a314d5ce53a60d20ec09e00546cfba86efd (patch)
tree	ff13d9f719399711448e25aa1045d5213c5ebbe7 /meta
parent	aba2c5f6462c2c8beca6ae401c5d53cd1cc68fa9 (diff)
download	poky-8aa97a314d5ce53a60d20ec09e00546cfba86efd.tar.gz

diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 5f726537ff..7ae64a190f 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
1	SRCBRANCH ?= "release/2.31/master"	1	SRCBRANCH ?= "release/2.31/master"
2	PV = "2.31+git${SRCPV}"	2	PV = "2.31+git${SRCPV}"
3	SRCREV_glibc ?= "df31c7ca927242d5d4eee97f93a01e23ff47e332"	3	SRCREV_glibc ?= "f84949f1c4bbf20e6a1d9a5859cf012cde060ede"
4	SRCREV_localedef ?= "cd9f958c4c94a638fa7b2b4e21627364f1a1a655"	4	SRCREV_localedef ?= "cd9f958c4c94a638fa7b2b4e21627364f1a1a655"
5		5
6	GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"	6	GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"


diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch deleted file mode 100644 index 73df1da868..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch +++ /dev/null
@@ -1,135 +0,0 @@
1	From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
2	From: Andreas Schwab <schwab@suse.de>
3	Date: Mon, 21 Dec 2020 08:56:43 +0530
4	Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
5
6	The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
7	area and is not allowed. The from_euc_kr function used to skip two bytes
8	when told to skip over the unknown designation, potentially running over
9	the buffer end.
10
11	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
12	CVE: CVE-2019-25013
13	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
14	[Refreshed for Dundell context; Makefile changes]
15	Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17	---
18	iconvdata/Makefile \| 3 ++-
19	iconvdata/bug-iconv13.c \| 53 +++++++++++++++++++++++++++++++++++++++++
20	iconvdata/euc-kr.c \| 6 +----
21	iconvdata/ksc5601.h \| 6 ++---
22	4 files changed, 59 insertions(+), 9 deletions(-)
23	create mode 100644 iconvdata/bug-iconv13.c
24
25	Index: git/iconvdata/Makefile
26	===================================================================
27	--- git.orig/iconvdata/Makefile
28	+++ git/iconvdata/Makefile
29	@@ -73,7 +73,7 @@ modules.so := $(addsuffix .so, $(modules
30	ifeq (yes,$(build-shared))
31	tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
32	tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
33	- bug-iconv10 bug-iconv11 bug-iconv12
34	+ bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13
35	ifeq ($(have-thread-library),yes)
36	tests += bug-iconv3
37	endif
38	Index: git/iconvdata/bug-iconv13.c
39	===================================================================
40	--- /dev/null
41	+++ git/iconvdata/bug-iconv13.c
42	@@ -0,0 +1,53 @@
43	+/* bug 24973: Test EUC-KR module
44	+ Copyright (C) 2020 Free Software Foundation, Inc.
45	+ This file is part of the GNU C Library.
46	+
47	+ The GNU C Library is free software; you can redistribute it and/or
48	+ modify it under the terms of the GNU Lesser General Public
49	+ License as published by the Free Software Foundation; either
50	+ version 2.1 of the License, or (at your option) any later version.
51	+
52	+ The GNU C Library is distributed in the hope that it will be useful,
53	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
54	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
55	+ Lesser General Public License for more details.
56	+
57	+ You should have received a copy of the GNU Lesser General Public
58	+ License along with the GNU C Library; if not, see
59	+ <https://www.gnu.org/licenses/>. */
60	+
61	+#include <errno.h>
62	+#include <iconv.h>
63	+#include <stdio.h>
64	+#include <support/check.h>
65	+
66	+static int
67	+do_test (void)
68	+{
69	+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
70	+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
71	+
72	+ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
73	+ areas, which are not allowed and should be skipped over due to
74	+ //IGNORE. The trailing 0xfe also is an incomplete sequence, which
75	+ should be checked first. */
76	+ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
77	+ char *inptr = input;
78	+ size_t insize = sizeof (input);
79	+ char output[4];
80	+ char *outptr = output;
81	+ size_t outsize = sizeof (output);
82	+
83	+ /* This used to crash due to buffer overrun. */
84	+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
85	+ TEST_VERIFY (errno == EINVAL);
86	+ /* The conversion should produce one character, the converted null
87	+ character. */
88	+ TEST_VERIFY (sizeof (output) - outsize == 1);
89	+
90	+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
91	+
92	+ return 0;
93	+}
94	+
95	+#include <support/test-driver.c>
96	Index: git/iconvdata/euc-kr.c
97	===================================================================
98	--- git.orig/iconvdata/euc-kr.c
99	+++ git/iconvdata/euc-kr.c
100	@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned c
101	\
102	if (ch <= 0x9f) \
103	++inptr; \
104	- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \
105	- user-defined areas. */ \
106	- else if (__builtin_expect (ch == 0xa0, 0) \
107	- \|\| __builtin_expect (ch > 0xfe, 0) \
108	- \|\| __builtin_expect (ch == 0xc9, 0)) \
109	+ else if (__glibc_unlikely (ch == 0xa0)) \
110	{ \
111	/* This is illegal. */ \
112	STANDARD_FROM_LOOP_ERR_HANDLER (1); \
113	Index: git/iconvdata/ksc5601.h
114	===================================================================
115	--- git.orig/iconvdata/ksc5601.h
116	+++ git/iconvdata/ksc5601.h
117	@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s
118	unsigned char ch2;
119	int idx;
120
121	+ if (avail < 2)
122	+ return 0;
123	+
124	/* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
125
126	if (ch < offset \|\| (ch - offset) <= 0x20 \|\| (ch - offset) >= 0x7e
127	\|\| (ch - offset) == 0x49)
128	return __UNKNOWN_10646_CHAR;
129
130	- if (avail < 2)
131	- return 0;
132	-
133	ch2 = (*s)[1];
134	if (ch2 < offset \|\| (ch2 - offset) <= 0x20 \|\| (ch2 - offset) >= 0x7f)
135	return __UNKNOWN_10646_CHAR;


diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch deleted file mode 100644 index c51fb3223a..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch +++ /dev/null
@@ -1,156 +0,0 @@
1	From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001
2	From: Michael Colavita <mcolavita@fb.com>
3	Date: Thu, 19 Nov 2020 11:44:40 -0500
4	Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923)
5
6	Previously, in UCS4 conversion routines we limit the number of
7	characters we examine to the minimum of the number of characters in the
8	input and the number of characters in the output. This is not the
9	correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume
10	an output character when we skip a code unit. Instead, track the input
11	and output pointers and terminate the loop when either reaches its
12	limit.
13
14	This resolves assertion failures when resetting the input buffer in a step of
15	iconv, which assumes that the input will be fully consumed given sufficient
16	output space.
17
18	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=228edd356f03bf62dcf2b1335f25d43c602ee68d]
19	CVE: CVE-2020-29562
20	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
21
22	---
23	iconv/Makefile \| 2 +-
24	iconv/gconv_simple.c \| 16 ++++----------
25	iconv/tst-iconv8.c \| 50 ++++++++++++++++++++++++++++++++++++++++++++
26	3 files changed, 55 insertions(+), 13 deletions(-)
27	create mode 100644 iconv/tst-iconv8.c
28
29	diff --git a/iconv/Makefile b/iconv/Makefile
30	index 30bf996d3a..f9b51e23ec 100644
31	--- a/iconv/Makefile
32	+++ b/iconv/Makefile
33	@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION
34	CFLAGS-simple-hash.c += -I../locale
35
36	tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
37	- tst-iconv7 tst-iconv-mt tst-iconv-opt
38	+ tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt
39
40	others = iconv_prog iconvconfig
41	install-others-programs = $(inst_bindir)/iconv
42	diff --git a/iconv/gconv_simple.c b/iconv/gconv_simple.c
43	index d4797fba17..963b29f246 100644
44	--- a/iconv/gconv_simple.c
45	+++ b/iconv/gconv_simple.c
46	@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step *step,
47	int flags = step_data->__flags;
48	const unsigned char inptr = inptrp;
49	unsigned char outptr = outptrp;
50	- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
51	int result;
52	- size_t cnt;
53
54	- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
55	+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
56	{
57	uint32_t inval;
58
59	@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __gconv_step *step,
60	int flags = step_data->__flags;
61	const unsigned char inptr = inptrp;
62	unsigned char outptr = outptrp;
63	- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
64	int result;
65	- size_t cnt;
66
67	- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
68	+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
69	{
70	if (__glibc_unlikely (inptr[0] > 0x80))
71	{
72	@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_step *step,
73	int flags = step_data->__flags;
74	const unsigned char inptr = inptrp;
75	unsigned char outptr = outptrp;
76	- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
77	int result;
78	- size_t cnt;
79
80	- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
81	+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
82	{
83	uint32_t inval;
84
85	@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct __gconv_step *step,
86	int flags = step_data->__flags;
87	const unsigned char inptr = inptrp;
88	unsigned char outptr = outptrp;
89	- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
90	int result;
91	- size_t cnt;
92
93	- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
94	+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
95	{
96	if (__glibc_unlikely (inptr[3] > 0x80))
97	{
98	diff --git a/iconv/tst-iconv8.c b/iconv/tst-iconv8.c
99	new file mode 100644
100	index 0000000000..0b92b19f66
101	--- /dev/null
102	+++ b/iconv/tst-iconv8.c
103	@@ -0,0 +1,50 @@
104	+/* Test iconv behavior on UCS4 conversions with //IGNORE.
105	+ Copyright (C) 2020 Free Software Foundation, Inc.
106	+ This file is part of the GNU C Library.
107	+
108	+ The GNU C Library is free software; you can redistribute it and/or
109	+ modify it under the terms of the GNU Lesser General Public
110	+ License as published by the Free Software Foundation; either
111	+ version 2.1 of the License, or (at your option) any later version.
112	+
113	+ The GNU C Library is distributed in the hope that it will be useful,
114	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
115	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
116	+ Lesser General Public License for more details.
117	+
118	+ You should have received a copy of the GNU Lesser General Public
119	+ License along with the GNU C Library; if not, see
120	+ <http://www.gnu.org/licenses/>. */
121	+
122	+/* Derived from BZ #26923 */
123	+#include <errno.h>
124	+#include <iconv.h>
125	+#include <stdio.h>
126	+#include <support/check.h>
127	+
128	+static int
129	+do_test (void)
130	+{
131	+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/");
132	+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
133	+
134	+ /*
135	+ * Convert sequence beginning with an irreversible character into buffer that
136	+ * is too small.
137	+ */
138	+ char input[12] = "\xe1\x80\xa1" "AAAAAAAAA";
139	+ char *inptr = input;
140	+ size_t insize = sizeof (input);
141	+ char output[6];
142	+ char *outptr = output;
143	+ size_t outsize = sizeof (output);
144	+
145	+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1);
146	+ TEST_VERIFY (errno == E2BIG);
147	+
148	+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
149	+
150	+ return 0;
151	+}
152	+
153	+#include <support/test-driver.c>
154	--
155	2.27.0
156


diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb index b75bbb4196..22858bc563 100644 --- a/meta/recipes-core/glibc/glibc_2.31.bb +++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -1,7 +1,9 @@
1	require glibc.inc	1	require glibc.inc
2	require glibc-version.inc	2	require glibc-version.inc
3		3
4	CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2020-6096 CVE-2016-10228 CVE-2020-1751 CVE-2020-1752"	4	CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2020-6096 CVE-2016-10228 CVE-2020-1751 CVE-2020-1752 \
		5	CVE-2021-27645 CVE-2021-3326 CVE-2020-27618 CVE-2020-29562 CVE-2019-25013 \
		6	"
5		7
6	DEPENDS += "gperf-native bison-native make-native"	8	DEPENDS += "gperf-native bison-native make-native"
7		9
@@ -41,9 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
41	file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \	43	file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
42	file://0028-inject-file-assembly-directives.patch \	44	file://0028-inject-file-assembly-directives.patch \
43	file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \	45	file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
44	file://CVE-2020-29562.patch \
45	file://CVE-2020-29573.patch \	46	file://CVE-2020-29573.patch \
46	file://CVE-2019-25013.patch \
47	"	47	"
48	S = "${WORKDIR}/git"	48	S = "${WORKDIR}/git"
49	B = "${WORKDIR}/build-${TARGET_SYS}"	49	B = "${WORKDIR}/build-${TARGET_SYS}"