diff options
Diffstat (limited to 'meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch | 351 |
1 files changed, 351 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch b/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch new file mode 100644 index 0000000000..bafb5ea1bf --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch | |||
@@ -0,0 +1,351 @@ | |||
1 | From 49a60a3411b86df1e555acfe7e7a80754c5c6c69 Mon Sep 17 00:00:00 2001 | ||
2 | From: Sona Sarmadi <sona.sarmadi@enea.com> | ||
3 | Date: Tue, 2 Feb 2016 13:46:37 +0100 | ||
4 | Subject: [PATCH] From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17 | ||
5 | 00:00:00 2001 From: Joseph Myers <joseph@codesourcery.com> Date: Fri, 4 Dec | ||
6 | 2015 20:36:28 +0000 Subject: [PATCH] Fix nan functions handling of payload | ||
7 | strings (bug 16961, bug 16962). | ||
8 | |||
9 | The nan, nanf and nanl functions handle payload strings by doing e.g.: | ||
10 | |||
11 | if (tagp[0] != '\0') | ||
12 | { | ||
13 | char buf[6 + strlen (tagp)]; | ||
14 | sprintf (buf, "NAN(%s)", tagp); | ||
15 | return strtod (buf, NULL); | ||
16 | } | ||
17 | |||
18 | This is an unbounded stack allocation based on the length of the | ||
19 | argument. Furthermore, if the argument starts with an n-char-sequence | ||
20 | followed by ')', that n-char-sequence is wrongly treated as | ||
21 | significant for determining the payload of the resulting NaN, when ISO | ||
22 | C says the call should be equivalent to strtod ("NAN", NULL), without | ||
23 | being affected by that initial n-char-sequence. This patch fixes both | ||
24 | those problems by using the __strtod_nan etc. functions recently | ||
25 | factored out of strtod etc. for that purpose, with those functions | ||
26 | being exported from libc at version GLIBC_PRIVATE. | ||
27 | |||
28 | Tested for x86_64, x86, mips64 and powerpc. | ||
29 | |||
30 | [BZ #16961] | ||
31 | [BZ #16962] | ||
32 | * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a | ||
33 | string on the stack for strtod. | ||
34 | * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing | ||
35 | a string on the stack for strtof. | ||
36 | * math/s_nanl.c (__nanl): Use __strtold_nan instead of | ||
37 | constructing a string on the stack for strtold. | ||
38 | * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and | ||
39 | __strtold_nan to GLIBC_PRIVATE. | ||
40 | * math/test-nan-overflow.c: New file. | ||
41 | * math/test-nan-payload.c: Likewise. | ||
42 | * math/Makefile (tests): Add test-nan-overflow and | ||
43 | test-nan-payload. | ||
44 | |||
45 | Upstream-Status: Backport | ||
46 | CVE: CVE-2014-9761 patch #2 | ||
47 | [Yocto # 8980] | ||
48 | |||
49 | https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8 | ||
50 | |||
51 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
52 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
53 | --- | ||
54 | math/Makefile | 4 +- | ||
55 | math/s_nan.c | 9 +--- | ||
56 | math/s_nanf.c | 9 +--- | ||
57 | math/s_nanl.c | 9 +--- | ||
58 | math/test-nan-overflow.c | 66 +++++++++++++++++++++++++ | ||
59 | math/test-nan-payload.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++ | ||
60 | stdlib/Versions | 1 + | ||
61 | 7 files changed, 195 insertions(+), 25 deletions(-) | ||
62 | create mode 100644 math/test-nan-overflow.c | ||
63 | create mode 100644 math/test-nan-payload.c | ||
64 | |||
65 | diff --git a/math/Makefile b/math/Makefile | ||
66 | index 05250c0..acb0007 100644 | ||
67 | --- a/math/Makefile | ||
68 | +++ b/math/Makefile | ||
69 | @@ -92,7 +92,9 @@ tests = test-matherr test-fenv atest-exp atest-sincos atest-exp2 basic-test \ | ||
70 | test-misc test-fpucw test-fpucw-ieee tst-definitions test-tgmath \ | ||
71 | test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \ | ||
72 | test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \ | ||
73 | - test-fenv-tls test-fenv-preserve test-fenv-return $(tests-static) | ||
74 | + test-fenv-tls test-fenv-preserve test-fenv-return \ | ||
75 | + test-nan-overflow test-nan-payload \ | ||
76 | + $(tests-static) | ||
77 | tests-static = test-fpucw-static test-fpucw-ieee-static | ||
78 | # We do the `long double' tests only if this data type is available and | ||
79 | # distinct from `double'. | ||
80 | diff --git a/math/s_nan.c b/math/s_nan.c | ||
81 | index c01085f..3dc9f77 100644 | ||
82 | --- a/math/s_nan.c | ||
83 | +++ b/math/s_nan.c | ||
84 | @@ -28,14 +28,7 @@ | ||
85 | double | ||
86 | __nan (const char *tagp) | ||
87 | { | ||
88 | - if (tagp[0] != '\0') | ||
89 | - { | ||
90 | - char buf[6 + strlen (tagp)]; | ||
91 | - sprintf (buf, "NAN(%s)", tagp); | ||
92 | - return strtod (buf, NULL); | ||
93 | - } | ||
94 | - | ||
95 | - return NAN; | ||
96 | + return __strtod_nan (tagp, NULL, 0); | ||
97 | } | ||
98 | weak_alias (__nan, nan) | ||
99 | #ifdef NO_LONG_DOUBLE | ||
100 | diff --git a/math/s_nanf.c b/math/s_nanf.c | ||
101 | index a16fdbf..103fb8c 100644 | ||
102 | --- a/math/s_nanf.c | ||
103 | +++ b/math/s_nanf.c | ||
104 | @@ -28,13 +28,6 @@ | ||
105 | float | ||
106 | __nanf (const char *tagp) | ||
107 | { | ||
108 | - if (tagp[0] != '\0') | ||
109 | - { | ||
110 | - char buf[6 + strlen (tagp)]; | ||
111 | - sprintf (buf, "NAN(%s)", tagp); | ||
112 | - return strtof (buf, NULL); | ||
113 | - } | ||
114 | - | ||
115 | - return NAN; | ||
116 | + return __strtof_nan (tagp, NULL, 0); | ||
117 | } | ||
118 | weak_alias (__nanf, nanf) | ||
119 | diff --git a/math/s_nanl.c b/math/s_nanl.c | ||
120 | index 3769f17..3ccd3bc 100644 | ||
121 | --- a/math/s_nanl.c | ||
122 | +++ b/math/s_nanl.c | ||
123 | @@ -28,13 +28,6 @@ | ||
124 | long double | ||
125 | __nanl (const char *tagp) | ||
126 | { | ||
127 | - if (tagp[0] != '\0') | ||
128 | - { | ||
129 | - char buf[6 + strlen (tagp)]; | ||
130 | - sprintf (buf, "NAN(%s)", tagp); | ||
131 | - return strtold (buf, NULL); | ||
132 | - } | ||
133 | - | ||
134 | - return NAN; | ||
135 | + return __strtold_nan (tagp, NULL, 0); | ||
136 | } | ||
137 | weak_alias (__nanl, nanl) | ||
138 | diff --git a/math/test-nan-overflow.c b/math/test-nan-overflow.c | ||
139 | new file mode 100644 | ||
140 | index 0000000..f56aaf3 | ||
141 | --- /dev/null | ||
142 | +++ b/math/test-nan-overflow.c | ||
143 | @@ -0,0 +1,66 @@ | ||
144 | +/* Test nan functions stack overflow (bug 16962). | ||
145 | + Copyright (C) 2015 Free Software Foundation, Inc. | ||
146 | + This file is part of the GNU C Library. | ||
147 | + | ||
148 | + The GNU C Library is free software; you can redistribute it and/or | ||
149 | + modify it under the terms of the GNU Lesser General Public | ||
150 | + License as published by the Free Software Foundation; either | ||
151 | + version 2.1 of the License, or (at your option) any later version. | ||
152 | + | ||
153 | + The GNU C Library is distributed in the hope that it will be useful, | ||
154 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
155 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
156 | + Lesser General Public License for more details. | ||
157 | + | ||
158 | + You should have received a copy of the GNU Lesser General Public | ||
159 | + License along with the GNU C Library; if not, see | ||
160 | + <http://www.gnu.org/licenses/>. */ | ||
161 | + | ||
162 | +#include <math.h> | ||
163 | +#include <stdio.h> | ||
164 | +#include <string.h> | ||
165 | +#include <sys/resource.h> | ||
166 | + | ||
167 | +#define STACK_LIM 1048576 | ||
168 | +#define STRING_SIZE (2 * STACK_LIM) | ||
169 | + | ||
170 | +static int | ||
171 | +do_test (void) | ||
172 | +{ | ||
173 | + int result = 0; | ||
174 | + struct rlimit lim; | ||
175 | + getrlimit (RLIMIT_STACK, &lim); | ||
176 | + lim.rlim_cur = STACK_LIM; | ||
177 | + setrlimit (RLIMIT_STACK, &lim); | ||
178 | + char *nanstr = malloc (STRING_SIZE); | ||
179 | + if (nanstr == NULL) | ||
180 | + { | ||
181 | + puts ("malloc failed, cannot test"); | ||
182 | + return 77; | ||
183 | + } | ||
184 | + memset (nanstr, '0', STRING_SIZE - 1); | ||
185 | + nanstr[STRING_SIZE - 1] = 0; | ||
186 | +#define NAN_TEST(TYPE, FUNC) \ | ||
187 | + do \ | ||
188 | + { \ | ||
189 | + char *volatile p = nanstr; \ | ||
190 | + volatile TYPE v = FUNC (p); \ | ||
191 | + if (isnan (v)) \ | ||
192 | + puts ("PASS: " #FUNC); \ | ||
193 | + else \ | ||
194 | + { \ | ||
195 | + puts ("FAIL: " #FUNC); \ | ||
196 | + result = 1; \ | ||
197 | + } \ | ||
198 | + } \ | ||
199 | + while (0) | ||
200 | + NAN_TEST (float, nanf); | ||
201 | + NAN_TEST (double, nan); | ||
202 | +#ifndef NO_LONG_DOUBLE | ||
203 | + NAN_TEST (long double, nanl); | ||
204 | +#endif | ||
205 | + return result; | ||
206 | +} | ||
207 | + | ||
208 | +#define TEST_FUNCTION do_test () | ||
209 | +#include "../test-skeleton.c" | ||
210 | diff --git a/math/test-nan-payload.c b/math/test-nan-payload.c | ||
211 | new file mode 100644 | ||
212 | index 0000000..358ff71 | ||
213 | --- /dev/null | ||
214 | +++ b/math/test-nan-payload.c | ||
215 | @@ -0,0 +1,122 @@ | ||
216 | +/* Test nan functions payload handling (bug 16961). | ||
217 | + Copyright (C) 2015 Free Software Foundation, Inc. | ||
218 | + This file is part of the GNU C Library. | ||
219 | + | ||
220 | + The GNU C Library is free software; you can redistribute it and/or | ||
221 | + modify it under the terms of the GNU Lesser General Public | ||
222 | + License as published by the Free Software Foundation; either | ||
223 | + version 2.1 of the License, or (at your option) any later version. | ||
224 | + | ||
225 | + The GNU C Library is distributed in the hope that it will be useful, | ||
226 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
227 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
228 | + Lesser General Public License for more details. | ||
229 | + | ||
230 | + You should have received a copy of the GNU Lesser General Public | ||
231 | + License along with the GNU C Library; if not, see | ||
232 | + <http://www.gnu.org/licenses/>. */ | ||
233 | + | ||
234 | +#include <float.h> | ||
235 | +#include <math.h> | ||
236 | +#include <stdio.h> | ||
237 | +#include <stdlib.h> | ||
238 | +#include <string.h> | ||
239 | + | ||
240 | +/* Avoid built-in functions. */ | ||
241 | +#define WRAP_NAN(FUNC, STR) \ | ||
242 | + ({ const char *volatile wns = (STR); FUNC (wns); }) | ||
243 | +#define WRAP_STRTO(FUNC, STR) \ | ||
244 | + ({ const char *volatile wss = (STR); FUNC (wss, NULL); }) | ||
245 | + | ||
246 | +#define CHECK_IS_NAN(TYPE, A) \ | ||
247 | + do \ | ||
248 | + { \ | ||
249 | + if (isnan (A)) \ | ||
250 | + puts ("PASS: " #TYPE " " #A); \ | ||
251 | + else \ | ||
252 | + { \ | ||
253 | + puts ("FAIL: " #TYPE " " #A); \ | ||
254 | + result = 1; \ | ||
255 | + } \ | ||
256 | + } \ | ||
257 | + while (0) | ||
258 | + | ||
259 | +#define CHECK_SAME_NAN(TYPE, A, B) \ | ||
260 | + do \ | ||
261 | + { \ | ||
262 | + if (memcmp (&(A), &(B), sizeof (A)) == 0) \ | ||
263 | + puts ("PASS: " #TYPE " " #A " = " #B); \ | ||
264 | + else \ | ||
265 | + { \ | ||
266 | + puts ("FAIL: " #TYPE " " #A " = " #B); \ | ||
267 | + result = 1; \ | ||
268 | + } \ | ||
269 | + } \ | ||
270 | + while (0) | ||
271 | + | ||
272 | +#define CHECK_DIFF_NAN(TYPE, A, B) \ | ||
273 | + do \ | ||
274 | + { \ | ||
275 | + if (memcmp (&(A), &(B), sizeof (A)) != 0) \ | ||
276 | + puts ("PASS: " #TYPE " " #A " != " #B); \ | ||
277 | + else \ | ||
278 | + { \ | ||
279 | + puts ("FAIL: " #TYPE " " #A " != " #B); \ | ||
280 | + result = 1; \ | ||
281 | + } \ | ||
282 | + } \ | ||
283 | + while (0) | ||
284 | + | ||
285 | +/* Cannot test payloads by memcmp for formats where NaNs have padding | ||
286 | + bits. */ | ||
287 | +#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106) | ||
288 | + | ||
289 | +#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG) \ | ||
290 | + do \ | ||
291 | + { \ | ||
292 | + TYPE n123 = WRAP_NAN (FUNC, "123"); \ | ||
293 | + CHECK_IS_NAN (TYPE, n123); \ | ||
294 | + TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)"); \ | ||
295 | + CHECK_IS_NAN (TYPE, s123); \ | ||
296 | + TYPE n456 = WRAP_NAN (FUNC, "456"); \ | ||
297 | + CHECK_IS_NAN (TYPE, n456); \ | ||
298 | + TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)"); \ | ||
299 | + CHECK_IS_NAN (TYPE, s456); \ | ||
300 | + TYPE n123x = WRAP_NAN (FUNC, "123)"); \ | ||
301 | + CHECK_IS_NAN (TYPE, n123x); \ | ||
302 | + TYPE nemp = WRAP_NAN (FUNC, ""); \ | ||
303 | + CHECK_IS_NAN (TYPE, nemp); \ | ||
304 | + TYPE semp = WRAP_STRTO (SFUNC, "NAN()"); \ | ||
305 | + CHECK_IS_NAN (TYPE, semp); \ | ||
306 | + TYPE sx = WRAP_STRTO (SFUNC, "NAN"); \ | ||
307 | + CHECK_IS_NAN (TYPE, sx); \ | ||
308 | + if (CAN_TEST_EQ (MANT_DIG)) \ | ||
309 | + CHECK_SAME_NAN (TYPE, n123, s123); \ | ||
310 | + if (CAN_TEST_EQ (MANT_DIG)) \ | ||
311 | + CHECK_SAME_NAN (TYPE, n456, s456); \ | ||
312 | + if (CAN_TEST_EQ (MANT_DIG)) \ | ||
313 | + CHECK_SAME_NAN (TYPE, nemp, semp); \ | ||
314 | + if (CAN_TEST_EQ (MANT_DIG)) \ | ||
315 | + CHECK_SAME_NAN (TYPE, n123x, sx); \ | ||
316 | + CHECK_DIFF_NAN (TYPE, n123, n456); \ | ||
317 | + CHECK_DIFF_NAN (TYPE, n123, nemp); \ | ||
318 | + CHECK_DIFF_NAN (TYPE, n123, n123x); \ | ||
319 | + CHECK_DIFF_NAN (TYPE, n456, nemp); \ | ||
320 | + CHECK_DIFF_NAN (TYPE, n456, n123x); \ | ||
321 | + } \ | ||
322 | + while (0) | ||
323 | + | ||
324 | +static int | ||
325 | +do_test (void) | ||
326 | +{ | ||
327 | + int result = 0; | ||
328 | + RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG); | ||
329 | + RUN_TESTS (double, strtod, nan, DBL_MANT_DIG); | ||
330 | +#ifndef NO_LONG_DOUBLE | ||
331 | + RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG); | ||
332 | +#endif | ||
333 | + return result; | ||
334 | +} | ||
335 | + | ||
336 | +#define TEST_FUNCTION do_test () | ||
337 | +#include "../test-skeleton.c" | ||
338 | diff --git a/stdlib/Versions b/stdlib/Versions | ||
339 | index f1777df..60b628d 100644 | ||
340 | --- a/stdlib/Versions | ||
341 | +++ b/stdlib/Versions | ||
342 | @@ -118,5 +118,6 @@ libc { | ||
343 | # Used from other libraries | ||
344 | __libc_secure_getenv; | ||
345 | __call_tls_dtors; | ||
346 | + __strtof_nan; __strtod_nan; __strtold_nan; | ||
347 | } | ||
348 | } | ||
349 | -- | ||
350 | 1.9.1 | ||
351 | |||