diff options
Diffstat (limited to 'meta/recipes-core/glibc/glibc/CVE-2018-11236.patch')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2018-11236.patch | 164 |
1 files changed, 164 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-11236.patch b/meta/recipes-core/glibc/glibc/CVE-2018-11236.patch new file mode 100644 index 0000000000..e2bb40b0de --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2018-11236.patch | |||
@@ -0,0 +1,164 @@ | |||
1 | From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Pluzhnikov <ppluzhnikov@google.com> | ||
3 | Date: Tue, 8 May 2018 18:12:41 -0700 | ||
4 | Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack | ||
5 | buffer overflow when realpath() input length is close to SSIZE_MAX. | ||
6 | |||
7 | 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> | ||
8 | |||
9 | [BZ #22786] | ||
10 | * stdlib/canonicalize.c (__realpath): Fix overflow in path length | ||
11 | computation. | ||
12 | * stdlib/Makefile (test-bz22786): New test. | ||
13 | * stdlib/test-bz22786.c: New test. | ||
14 | |||
15 | CVE: CVE-2018-11236 | ||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
18 | --- | ||
19 | ChangeLog | 8 +++++ | ||
20 | stdlib/Makefile | 2 +- | ||
21 | stdlib/canonicalize.c | 2 +- | ||
22 | stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
23 | 4 files changed, 100 insertions(+), 2 deletions(-) | ||
24 | create mode 100644 stdlib/test-bz22786.c | ||
25 | |||
26 | diff --git a/ChangeLog b/ChangeLog | ||
27 | --- a/ChangeLog | ||
28 | +++ b/ChangeLog | ||
29 | @@ -1,3 +1,11 @@ | ||
30 | +2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> | ||
31 | + | ||
32 | + [BZ #22786] | ||
33 | + * stdlib/canonicalize.c (__realpath): Fix overflow in path length | ||
34 | + computation. | ||
35 | + * stdlib/Makefile (test-bz22786): New test. | ||
36 | + * stdlib/test-bz22786.c: New test. | ||
37 | + | ||
38 | 2018-03-23 Andrew Senkevich <andrew.senkevich@intel.com> | ||
39 | Max Horn <max@quendi.de> | ||
40 | |||
41 | diff --git a/stdlib/Makefile b/stdlib/Makefile | ||
42 | index af1643c..1ddb1f9 100644 | ||
43 | --- a/stdlib/Makefile | ||
44 | +++ b/stdlib/Makefile | ||
45 | @@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ | ||
46 | tst-cxa_atexit tst-on_exit test-atexit-race \ | ||
47 | test-at_quick_exit-race test-cxa_atexit-race \ | ||
48 | test-on_exit-race test-dlclose-exit-race \ | ||
49 | - tst-makecontext-align | ||
50 | + tst-makecontext-align test-bz22786 | ||
51 | |||
52 | tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ | ||
53 | tst-tls-atexit tst-tls-atexit-nodelete | ||
54 | diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c | ||
55 | index 4135f3f..390fb43 100644 | ||
56 | --- a/stdlib/canonicalize.c | ||
57 | +++ b/stdlib/canonicalize.c | ||
58 | @@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved) | ||
59 | extra_buf = __alloca (path_max); | ||
60 | |||
61 | len = strlen (end); | ||
62 | - if ((long int) (n + len) >= path_max) | ||
63 | + if (path_max - n <= len) | ||
64 | { | ||
65 | __set_errno (ENAMETOOLONG); | ||
66 | goto error; | ||
67 | diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c | ||
68 | new file mode 100644 | ||
69 | index 0000000..e7837f9 | ||
70 | --- /dev/null | ||
71 | +++ b/stdlib/test-bz22786.c | ||
72 | @@ -0,0 +1,90 @@ | ||
73 | +/* Bug 22786: test for buffer overflow in realpath. | ||
74 | + Copyright (C) 2018 Free Software Foundation, Inc. | ||
75 | + This file is part of the GNU C Library. | ||
76 | + | ||
77 | + The GNU C Library is free software; you can redistribute it and/or | ||
78 | + modify it under the terms of the GNU Lesser General Public | ||
79 | + License as published by the Free Software Foundation; either | ||
80 | + version 2.1 of the License, or (at your option) any later version. | ||
81 | + | ||
82 | + The GNU C Library is distributed in the hope that it will be useful, | ||
83 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
84 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
85 | + Lesser General Public License for more details. | ||
86 | + | ||
87 | + You should have received a copy of the GNU Lesser General Public | ||
88 | + License along with the GNU C Library; if not, see | ||
89 | + <http://www.gnu.org/licenses/>. */ | ||
90 | + | ||
91 | +/* This file must be run from within a directory called "stdlib". */ | ||
92 | + | ||
93 | +#include <errno.h> | ||
94 | +#include <limits.h> | ||
95 | +#include <stdio.h> | ||
96 | +#include <stdlib.h> | ||
97 | +#include <string.h> | ||
98 | +#include <unistd.h> | ||
99 | +#include <sys/stat.h> | ||
100 | +#include <sys/types.h> | ||
101 | +#include <support/test-driver.h> | ||
102 | +#include <libc-diag.h> | ||
103 | + | ||
104 | +static int | ||
105 | +do_test (void) | ||
106 | +{ | ||
107 | + const char dir[] = "bz22786"; | ||
108 | + const char lnk[] = "bz22786/symlink"; | ||
109 | + | ||
110 | + rmdir (dir); | ||
111 | + if (mkdir (dir, 0755) != 0 && errno != EEXIST) | ||
112 | + { | ||
113 | + printf ("mkdir %s: %m\n", dir); | ||
114 | + return EXIT_FAILURE; | ||
115 | + } | ||
116 | + if (symlink (".", lnk) != 0 && errno != EEXIST) | ||
117 | + { | ||
118 | + printf ("symlink (%s, %s): %m\n", dir, lnk); | ||
119 | + return EXIT_FAILURE; | ||
120 | + } | ||
121 | + | ||
122 | + const size_t path_len = (size_t) INT_MAX + 1; | ||
123 | + | ||
124 | + DIAG_PUSH_NEEDS_COMMENT; | ||
125 | +#if __GNUC_PREREQ (7, 0) | ||
126 | + /* GCC 7 warns about too-large allocations; here we need such | ||
127 | + allocation to succeed for the test to work. */ | ||
128 | + DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); | ||
129 | +#endif | ||
130 | + char *path = malloc (path_len); | ||
131 | + DIAG_POP_NEEDS_COMMENT; | ||
132 | + | ||
133 | + if (path == NULL) | ||
134 | + { | ||
135 | + printf ("malloc (%zu): %m\n", path_len); | ||
136 | + return EXIT_UNSUPPORTED; | ||
137 | + } | ||
138 | + | ||
139 | + /* Construct very long path = "bz22786/symlink/aaaa....." */ | ||
140 | + char *p = mempcpy (path, lnk, sizeof (lnk) - 1); | ||
141 | + *(p++) = '/'; | ||
142 | + memset (p, 'a', path_len - (path - p) - 2); | ||
143 | + p[path_len - (path - p) - 1] = '\0'; | ||
144 | + | ||
145 | + /* This call crashes before the fix for bz22786 on 32-bit platforms. */ | ||
146 | + p = realpath (path, NULL); | ||
147 | + | ||
148 | + if (p != NULL || errno != ENAMETOOLONG) | ||
149 | + { | ||
150 | + printf ("realpath: %s (%m)", p); | ||
151 | + return EXIT_FAILURE; | ||
152 | + } | ||
153 | + | ||
154 | + /* Cleanup. */ | ||
155 | + unlink (lnk); | ||
156 | + rmdir (dir); | ||
157 | + | ||
158 | + return 0; | ||
159 | +} | ||
160 | + | ||
161 | +#define TEST_FUNCTION do_test | ||
162 | +#include <support/test-driver.c> | ||
163 | -- | ||
164 | 2.9.3 | ||