Diffstat (limited to 'meta/recipes-core/glibc/glibc')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2020-1751.patch | 70 |
1 files changed, 70 insertions, 0 deletions
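--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
@@ -0,0 +1,70 @@
+From d93769405996dfc11d216ddbe415946617b5a494 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Mon, 20 Jan 2020 17:01:50 +0100
+Subject: [PATCH] Fix array overflow in backtrace on PowerPC (bug 25423)
+
+When unwinding through a signal frame the backtrace function on PowerPC
+didn't check array bounds when storing the frame address. Fixes commit
+d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
+
+CVE: CVE-2020-1751
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+debug/tst-backtrace5.c | 12 ++++++++++++
+sysdeps/powerpc/powerpc32/backtrace.c | 2 ++
+sysdeps/powerpc/powerpc64/backtrace.c | 2 ++
+3 files changed, 16 insertions(+)
+
+diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
+index e7ce410845..b2f46160e7 100644
+--- a/debug/tst-backtrace5.c
++++ b/debug/tst-backtrace5.c
+@@ -89,6 +89,18 @@ handle_signal (int signum)
+}
+/* Symbol names are not available for static functions, so we do not
+check do_test. */
++
++ /* Check that backtrace does not return more than what fits in the array
++ (bug 25423). */
++ for (int j = 0; j < NUM_FUNCTIONS; j++)
++ {
++ n = backtrace (addresses, j);
++ if (n > j)
++ {
++ FAIL ();
++ return;
++ }
++ }
+}
+
+NO_INLINE int
+diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
+index 7c2d4726f8..d1456c8ae4 100644
+--- a/sysdeps/powerpc/powerpc32/backtrace.c
++++ b/sysdeps/powerpc/powerpc32/backtrace.c
+@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
+}
+if (gregset)
+{
++ if (count + 1 == size)
++ break;
+array[++count] = (void*)((*gregset)[PT_NIP]);
+current = (void*)((*gregset)[PT_R1]);
+}
+diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
+index 65c260ab76..8a53a1088f 100644
+--- a/sysdeps/powerpc/powerpc64/backtrace.c
++++ b/sysdeps/powerpc/powerpc64/backtrace.c
+@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
+if (is_sigtramp_address (current->return_address))
+{
+struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
++ if (count + 1 == size)
++ break;
+array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
+current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
+}
+--
+2.23.0
+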
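Review bot: The new guard in both `__backtrace` hunks (powerpc32 and powerpc64) uses an equality test, `if (count + 1 == size) break;`, which bounds the following `array[++count] = ...` store only if the enclosing loop already guarantees `count < size` when the signal-frame branch is reached. That loop condition lies outside the hunks, so it should be confirmed against the glibc version this backport is applied to. A one-line comment above each guard, for example `/* The signal frame needs one more slot; stop if the array is full. */`, would record why the bound is re-checked at this point. The diffstat is limited to the patch directory, so it is not visible whether the glibc recipe's `SRC_URI` lists `file://CVE-2020-1751.patch`; if it does not, the patch is never applied and the out-of-bounds write remains in the built library.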