glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow

Backport Arjun Shankar's patch for CVE-2015-1781: A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application. https://sourceware.org/bugzilla/show_bug.cgi?id=18287 (From OE-Core rev: c0f0b6e6ef1edc0a9f9e1ceffb1cdbbef2e409c6) Signed-off-by: Haris Okanovic <haris.okanovic@ni.com> Reviewed-by: Ben Shelton <ben.shelton@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Haris Okanovic <haris.okanovic@ni.com> 2015-05-15 16:57:11 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-05-18 09:23:03 +0100
commit: 37fe48d801a1ae8e3e79e9d6a96d6b52666c3fc5 (patch)
tree: add0905067488ccc5fbb19a6910d62cc5210db53 /meta
parent: bc162d21dd148252efcf3ed771e04c791ef4d869 (diff)
download: poky-37fe48d801a1ae8e3e79e9d6a96d6b52666c3fc5.tar.gz
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
new file mode 100644
index 0000000000..c02fa127cd
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
@@ -0,0 +1,43 @@
+From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun.is@lostca.se>
+Date: Tue, 21 Apr 2015 14:06:31 +0200
+Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
+ [BZ#18287]
+Upstream-Status: Backport
+https://sourceware.org/bugzilla/show_bug.cgi?id=18287
+---
+ resolv/nss_dns/dns-host.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index b16b0ddf110907a0086b86612e544d3dc75182b8..d8c55791591750567f00e616e5d7b378dec934a0 100644
+--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
+@@ -608,21 +608,22 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+   int n, ancount, qdcount;
+   int haveanswer, had_error;
+   char *bp, **ap, **hap;
+   char tbuf[MAXDNAME];
+   const char *tname;
+   int (*name_ok) (const char *);
+   u_char packtmp[NS_MAXCDNAME];
+   int have_to_map = 0;
+   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+   buffer += pad;
+-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
+     {
+       /* The buffer is too small.  */
+     too_small:
+       *errnop = ERANGE;
+       *h_errnop = NETDB_INTERNAL;
+       return NSS_STATUS_TRYAGAIN;
+     }
+   host_data = (struct host_data *) buffer;
+   linebuflen = buflen - sizeof (struct host_data);
+   if (buflen - sizeof (struct host_data) != linebuflen)
+-- 
+2.2.2
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index ac8e8f8200..0c2881450b 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -28,6 +28,7 @@ SRC_URI = "git://sourceware.org/git/glibc.git;branch=${BRANCH} \
           file://elf-Makefile-fix-a-typo.patch \
           file://makesyscall.patch \
           ${EGLIBCPATCHES} \
+           ${CVEPATCHES} \
          "
 EGLIBCPATCHES = "\
           file://timezone-re-written-tzselect-as-posix-sh.patch \
@@ -43,6 +44,9 @@ EGLIBCPATCHES = "\
 #           file://eglibc-install-pic-archives.patch \
 #           file://initgroups_keys.patch \
 #
+CVEPATCHES = "\
+        file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
+"
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
      file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
author	Haris Okanovic <haris.okanovic@ni.com>	2015-05-15 16:57:11 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-05-18 09:23:03 +0100
commit	37fe48d801a1ae8e3e79e9d6a96d6b52666c3fc5 (patch)
tree	add0905067488ccc5fbb19a6910d62cc5210db53 /meta
parent	bc162d21dd148252efcf3ed771e04c791ef4d869 (diff)
download	poky-37fe48d801a1ae8e3e79e9d6a96d6b52666c3fc5.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch new file mode 100644 index 0000000000..c02fa127cd --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
@@ -0,0 +1,43 @@
		1	From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001
		2	From: Arjun Shankar <arjun.is@lostca.se>
		3	Date: Tue, 21 Apr 2015 14:06:31 +0200
		4	Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
		5	[BZ#18287]
		6
		7	Upstream-Status: Backport
		8	https://sourceware.org/bugzilla/show_bug.cgi?id=18287
		9	---
		10	resolv/nss_dns/dns-host.c \| 3 ++-
		11	1 file changed, 2 insertions(+), 1 deletion(-)
		12
		13	diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
		14	index b16b0ddf110907a0086b86612e544d3dc75182b8..d8c55791591750567f00e616e5d7b378dec934a0 100644
		15	--- a/resolv/nss_dns/dns-host.c
		16	+++ b/resolv/nss_dns/dns-host.c
		17	@@ -608,21 +608,22 @@ getanswer_r (const querybuf answer, int anslen, const char qname, int qtype,
		18	int n, ancount, qdcount;
		19	int haveanswer, had_error;
		20	char bp, ap, *hap;
		21	char tbuf[MAXDNAME];
		22	const char *tname;
		23	int (name_ok) (const char );
		24	u_char packtmp[NS_MAXCDNAME];
		25	int have_to_map = 0;
		26	uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
		27	buffer += pad;
		28	- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
		29	+ buflen = buflen > pad ? buflen - pad : 0;
		30	+ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
		31	{
		32	/* The buffer is too small. */
		33	too_small:
		34	*errnop = ERANGE;
		35	*h_errnop = NETDB_INTERNAL;
		36	return NSS_STATUS_TRYAGAIN;
		37	}
		38	host_data = (struct host_data *) buffer;
		39	linebuflen = buflen - sizeof (struct host_data);
		40	if (buflen - sizeof (struct host_data) != linebuflen)
		41	--
		42	2.2.2
		43


diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb index ac8e8f8200..0c2881450b 100644 --- a/meta/recipes-core/glibc/glibc_2.21.bb +++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -28,6 +28,7 @@ SRC_URI = "git://sourceware.org/git/glibc.git;branch=${BRANCH} \
28	file://elf-Makefile-fix-a-typo.patch \	28	file://elf-Makefile-fix-a-typo.patch \
29	file://makesyscall.patch \	29	file://makesyscall.patch \
30	${EGLIBCPATCHES} \	30	${EGLIBCPATCHES} \
		31	${CVEPATCHES} \
31	"	32	"
32	EGLIBCPATCHES = "\	33	EGLIBCPATCHES = "\
33	file://timezone-re-written-tzselect-as-posix-sh.patch \	34	file://timezone-re-written-tzselect-as-posix-sh.patch \
@@ -43,6 +44,9 @@ EGLIBCPATCHES = "\
43	# file://eglibc-install-pic-archives.patch \	44	# file://eglibc-install-pic-archives.patch \
44	# file://initgroups_keys.patch \	45	# file://initgroups_keys.patch \
45	#	46	#
		47	CVEPATCHES = "\
		48	file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
		49	"
46		50
47	LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \	51	LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
48	file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \	52	file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \