1 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
new file mode 100644
index 0000000000..4d3146509a
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
@@ -0,0 +1,63 @@
+From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Mon, 11 Sep 2023 18:53:15 -0400
+Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+---
+Changes from v1:
+- Also null-terminate tunestr before exiting.
+ elf/dl-tunables.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+CVE: CVE-2023-4911
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8e7ee9df10..76cf8b9da3 100644
+--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
+       /* If we reach the end of the string before getting a valid name-value
+         pair, bail out.  */
+       if (p[len] == '\0')
+-       {
+-         if (__libc_enable_secure)
+-           tunestr[off] = '\0';
+-         return;
+-       }
+       break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+         colon.  */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
+            }
+        }
+ 
+-      if (p[len] != '\0')
+-       p += len + 1;
+      /* We reached the end while processing the tunable string.  */
+      if (p[len] == '\0')
+       break;
+
+      p += len + 1;
+     }
+
+  /* Terminate tunestr before we leave.  */
+  if (__libc_enable_secure)
+    tunestr[off] = '\0';
+ }
+ #endif
+ 
+-- 
+2.41.0

diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch new file mode 100644 index 0000000000..4d3146509a --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
@@ -0,0 +1,63 @@
	1	From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
	2	From: Siddhesh Poyarekar <siddhesh@redhat.com>
	3	Date: Mon, 11 Sep 2023 18:53:15 -0400
	4	Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
	5
	6	The string parsing routine may end up writing beyond bounds of tunestr
	7	if the input tunable string is malformed, of the form name=name=val.
	8	This gets processed twice, first as name=name=val and next as name=val,
	9	resulting in tunestr being name=name=val:name=val, thus overflowing
	10	tunestr.
	11
	12	Terminate the parsing loop at the first instance itself so that tunestr
	13	does not overflow.
	14	---
	15	Changes from v1:
	16
	17	- Also null-terminate tunestr before exiting.
	18
	19	elf/dl-tunables.c \| 17 ++++++++++-------
	20	1 file changed, 10 insertions(+), 7 deletions(-)
	21
	22	Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
	23	CVE: CVE-2023-4911
	24
	25	diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
	26	index 8e7ee9df10..76cf8b9da3 100644
	27	--- a/elf/dl-tunables.c
	28	+++ b/elf/dl-tunables.c
	29	@@ -187,11 +187,7 @@ parse_tunables (char tunestr, char valstring)
	30	/* If we reach the end of the string before getting a valid name-value
	31	pair, bail out. */
	32	if (p[len] == '\0')
	33	- {
	34	- if (__libc_enable_secure)
	35	- tunestr[off] = '\0';
	36	- return;
	37	- }
	38	+ break;
	39
	40	/* We did not find a valid name-value pair before encountering the
	41	colon. */
	42	@@ -251,9 +247,16 @@ parse_tunables (char tunestr, char valstring)
	43	}
	44	}
	45
	46	- if (p[len] != '\0')
	47	- p += len + 1;
	48	+ /* We reached the end while processing the tunable string. */
	49	+ if (p[len] == '\0')
	50	+ break;
	51	+
	52	+ p += len + 1;
	53	}
	54	+
	55	+ /* Terminate tunestr before we leave. */
	56	+ if (__libc_enable_secure)
	57	+ tunestr[off] = '\0';
	58	}
	59	#endif
	60
	61	--
	62	2.41.0
	63