1 files changed, 128 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
new file mode 100644
index 0000000000..606b691bcf
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
@@ -0,0 +1,128 @@
+From ce265ec5bc25ec35fba53807abac1b0c8469895e Mon Sep 17 00:00:00 2001
+From: Joseph Myers <joseph@codesourcery.com>
+Date: Wed, 12 Feb 2020 23:31:56 +0000
+Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of
+ pseudo-zero (bug 25487).
+Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
+argument (an representation where all the significand bits, including
+the explicit high bit, are zero, but the exponent is not zero, which
+is not a valid representation for the long double type).
+Although this is not a valid long double representation, existing
+practice in this area (see bug 4586, originally marked invalid but
+subsequently fixed) is that we still seek to avoid invalid memory
+accesses as a result, in case of programs that treat arbitrary binary
+data as long double representations, although the invalid
+representations of the ldbl-96 format do not need to be consistently
+handled the same as any particular valid representation.
+This patch makes the range reduction detect pseudo-zero and unnormal
+representations that would otherwise go to __kernel_rem_pio2, and
+returns a NaN for them instead of continuing with the range reduction
+process.  (Pseudo-zero and unnormal representations whose unbiased
+exponent is less than -1 have already been safely returned from the
+function before this point without going through the rest of range
+reduction.)  Pseudo-zero representations would previously result in
+the value passed to __kernel_rem_pio2 being all-zero, which is
+definitely unsafe; unnormal representations would previously result in
+a value passed whose high bit is zero, which might well be unsafe
+since that is not a form of input expected by __kernel_rem_pio2.
+Tested for x86_64.
+CVE: CVE-2020-10029
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;
+a=patch;h=9333498794cde1d5cca518badf79533a24114b6f]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ sysdeps/ieee754/ldbl-96/Makefile           |  3 ++-
+ sysdeps/ieee754/ldbl-96/e_rem_pio2l.c      | 12 +++++++++
+ sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c | 41 ++++++++++++++++++++++++++++++
+ 3 files changed, 55 insertions(+), 1 deletion(-)
+ create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
+index b103254..052c1c7 100644
+--- a/sysdeps/ieee754/ldbl-96/Makefile
+++ b/sysdeps/ieee754/ldbl-96/Makefile
+@@ -17,5 +17,6 @@
+ # <http://www.gnu.org/licenses/>.
+ 
+ ifeq ($(subdir),math)
+-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
+tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
+CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
+ endif
+diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+index 805de22..1aeccb4 100644
+--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
+       return 0;
+     }
+ 
+  if ((i0 & 0x80000000) == 0)
+    {
+      /* Pseudo-zero and unnormal representations are not valid
+        representations of long double.  We need to avoid stack
+        corruption in __kernel_rem_pio2, which expects input in a
+        particular normal form, but those representations do not need
+        to be consistently handled like any particular floating-point
+        value.  */
+      y[1] = y[0] = __builtin_nanl ("");
+      return 0;
+    }
+
+   /* Split the 64 bits of the mantissa into three 24-bit integers
+      stored in a double array.  */
+   exp = j0 - 23;
+diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+new file mode 100644
+index 0000000..f59b977
+--- /dev/null
+++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+@@ -0,0 +1,41 @@
+/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
+   Copyright (C) 2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <math.h>
+#include <math_ldbl.h>
+#include <stdint.h>
+
+static int
+do_test (void)
+{
+  for (int i = 0; i < 64; i++)
+    {
+      uint64_t sig = i == 63 ? 0 : 1ULL << i;
+      long double ld;
+      SET_LDOUBLE_WORDS (ld, 0x4141,
+                        sig >> 32, sig & 0xffffffffULL);
+      /* The requirement is that no stack overflow occurs when the
+        pseudo-zero or unnormal goes through range reduction.  */
+      volatile long double ldr;
+      ldr = sinl (ld);
+      (void) ldr;
+    }
+  return 0;
+}
+
+#include <support/test-driver.c>

diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch new file mode 100644 index 0000000000..606b691bcf --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
@@ -0,0 +1,128 @@
	1	From ce265ec5bc25ec35fba53807abac1b0c8469895e Mon Sep 17 00:00:00 2001
	2	From: Joseph Myers <joseph@codesourcery.com>
	3	Date: Wed, 12 Feb 2020 23:31:56 +0000
	4	Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of
	5
	6	pseudo-zero (bug 25487).
	7
	8	Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
	9	argument (an representation where all the significand bits, including
	10	the explicit high bit, are zero, but the exponent is not zero, which
	11	is not a valid representation for the long double type).
	12
	13	Although this is not a valid long double representation, existing
	14	practice in this area (see bug 4586, originally marked invalid but
	15	subsequently fixed) is that we still seek to avoid invalid memory
	16	accesses as a result, in case of programs that treat arbitrary binary
	17	data as long double representations, although the invalid
	18	representations of the ldbl-96 format do not need to be consistently
	19	handled the same as any particular valid representation.
	20
	21	This patch makes the range reduction detect pseudo-zero and unnormal
	22	representations that would otherwise go to __kernel_rem_pio2, and
	23	returns a NaN for them instead of continuing with the range reduction
	24	process. (Pseudo-zero and unnormal representations whose unbiased
	25	exponent is less than -1 have already been safely returned from the
	26	function before this point without going through the rest of range
	27	reduction.) Pseudo-zero representations would previously result in
	28	the value passed to __kernel_rem_pio2 being all-zero, which is
	29	definitely unsafe; unnormal representations would previously result in
	30	a value passed whose high bit is zero, which might well be unsafe
	31	since that is not a form of input expected by __kernel_rem_pio2.
	32
	33	Tested for x86_64.
	34
	35	CVE: CVE-2020-10029
	36	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;
	37	a=patch;h=9333498794cde1d5cca518badf79533a24114b6f]
	38	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
	39
	40	---
	41	sysdeps/ieee754/ldbl-96/Makefile \| 3 ++-
	42	sysdeps/ieee754/ldbl-96/e_rem_pio2l.c \| 12 +++++++++
	43	sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c \| 41 ++++++++++++++++++++++++++++++
	44	3 files changed, 55 insertions(+), 1 deletion(-)
	45	create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
	46
	47	diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
	48	index b103254..052c1c7 100644
	49	--- a/sysdeps/ieee754/ldbl-96/Makefile
	50	+++ b/sysdeps/ieee754/ldbl-96/Makefile
	51	@@ -17,5 +17,6 @@
	52	# <http://www.gnu.org/licenses/>.
	53
	54	ifeq ($(subdir),math)
	55	-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
	56	+tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
	57	+CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
	58	endif
	59	diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
	60	index 805de22..1aeccb4 100644
	61	--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
	62	+++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
	63	@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
	64	return 0;
	65	}
	66
	67	+ if ((i0 & 0x80000000) == 0)
	68	+ {
	69	+ /* Pseudo-zero and unnormal representations are not valid
	70	+ representations of long double. We need to avoid stack
	71	+ corruption in __kernel_rem_pio2, which expects input in a
	72	+ particular normal form, but those representations do not need
	73	+ to be consistently handled like any particular floating-point
	74	+ value. */
	75	+ y[1] = y[0] = __builtin_nanl ("");
	76	+ return 0;
	77	+ }
	78	+
	79	/* Split the 64 bits of the mantissa into three 24-bit integers
	80	stored in a double array. */
	81	exp = j0 - 23;
	82	diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
	83	new file mode 100644
	84	index 0000000..f59b977
	85	--- /dev/null
	86	+++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
	87	@@ -0,0 +1,41 @@
	88	+/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
	89	+ Copyright (C) 2020 Free Software Foundation, Inc.
	90	+ This file is part of the GNU C Library.
	91	+
	92	+ The GNU C Library is free software; you can redistribute it and/or
	93	+ modify it under the terms of the GNU Lesser General Public
	94	+ License as published by the Free Software Foundation; either
	95	+ version 2.1 of the License, or (at your option) any later version.
	96	+
	97	+ The GNU C Library is distributed in the hope that it will be useful,
	98	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
	99	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	100	+ Lesser General Public License for more details.
	101	+
	102	+ You should have received a copy of the GNU Lesser General Public
	103	+ License along with the GNU C Library; if not, see
	104	+ <https://www.gnu.org/licenses/>. */
	105	+
	106	+#include <math.h>
	107	+#include <math_ldbl.h>
	108	+#include <stdint.h>
	109	+
	110	+static int
	111	+do_test (void)
	112	+{
	113	+ for (int i = 0; i < 64; i++)
	114	+ {
	115	+ uint64_t sig = i == 63 ? 0 : 1ULL << i;
	116	+ long double ld;
	117	+ SET_LDOUBLE_WORDS (ld, 0x4141,
	118	+ sig >> 32, sig & 0xffffffffULL);
	119	+ /* The requirement is that no stack overflow occurs when the
	120	+ pseudo-zero or unnormal goes through range reduction. */
	121	+ volatile long double ldr;
	122	+ ldr = sinl (ld);
	123	+ (void) ldr;
	124	+ }
	125	+ return 0;
	126	+}
	127	+
	128	+#include <support/test-driver.c>