Diffstat (limited to 'meta/recipes-core/glibc')
5 files changed, 513 insertions, 0 deletions
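--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
@@ -0,0 +1,71 @@
+From 400f170750a4b2c94a2670ca44de166cc5dd6e3b Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 18:33:26 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=87bd4186da10371f46e2f1a7bf7c0a45bb04f1ac
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch&id=2755c57269f24e9d59c22c49788f92515346c1bb
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ChangeLog | 7 +++++++
+NEWS | 1 +
+elf/rtld.c | 3 ++-
+3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 2bdaf69e43..7a999802dd 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #21624]
++ CVE-2017-1000366
++ * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
++ __libc_enable_secure.
++
+2016-12-31 Florian Weimer <fweimer@redhat.com>
+
+[BZ #18784]
+diff --git a/NEWS b/NEWS
+index 4b1ca3cb65..66b49dbbc0 100644
+--- a/NEWS
++++ b/NEWS
+@@ -17,6 +17,7 @@ using `glibc' in the "product" field.
+question type which is outside the range of valid question type values.
+(CVE-2015-5180)
+
++ [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
+Version 2.24
+
+* The minimum Linux kernel version that this version of the GNU C Library
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 647661ca45..215a9aec8f 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep)
+
+case 12:
+/* The library search path. */
+- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++ if (!__libc_enable_secure
++ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
+{
+library_path = &envline[13];
+break;
+--
+2.15.0
+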
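Review bot: The elf/rtld.c hunk gates the LD_LIBRARY_PATH match in process_envvars on `!__libc_enable_secure` but leaves the comment above it as `/* The library search path. */`, so the code itself does not say why the variable is skipped. I would extend that comment to something like `/* The library search path.  Ignored for AT_SECURE=1 programs so the unbounded alloca in _dl_init_paths is unreachable from them [BZ #21624].  */`. Going by the commit message, the alloca in _dl_init_paths is only made unreachable for AT_SECURE=1 and is not itself bounded by this patch, so the backport should be tracked as a mitigation of that code path rather than its removal. process_envvars begins and ends outside the hunk.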
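--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
@@ -0,0 +1,145 @@
+From 6d49272e6d6741496e3456f2cc22ebc2b9f7f989 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=aab04ca5d359150e17631e6a9b44b65e93bdc467
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch&id=2755c57269f24e9d59c22c49788f92515346c1bb
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ChangeLog | 7 ++++++
+elf/rtld.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------
+2 files changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 7a999802dd..ea5ecd4a1e 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19 Florian Weimer <fweimer@redhat.com>
++
++ * elf/rtld.c (SECURE_NAME_LIMIT, SECURE_PATH_LIMIT): Define.
++ (dso_name_valid_for_suid): New function.
++ (handle_ld_preload): Likewise.
++ (dl_main): Call it. Remove alloca.
++
+2017-06-19 Florian Weimer <fweimer@redhat.com>
+
+[BZ #21624]
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 215a9aec8f..1d8eab9fe2 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local
+strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
+#endif
+
++/* Length limits for names and paths, to protect the dynamic linker,
++ particularly when __libc_enable_secure is active. */
++#ifdef NAME_MAX
++# define SECURE_NAME_LIMIT NAME_MAX
++#else
++# define SECURE_NAME_LIMIT 255
++#endif
++#ifdef PATH_MAX
++# define SECURE_PATH_LIMIT PATH_MAX
++#else
++# define SECURE_PATH_LIMIT 1024
++#endif
++
++/* Check that AT_SECURE=0, or that the passed name does not contain
++ directories and is not overly long. Reject empty names
++ unconditionally. */
++static bool
++dso_name_valid_for_suid (const char *p)
++{
++ if (__glibc_unlikely (__libc_enable_secure))
++ {
++ /* Ignore pathnames with directories for AT_SECURE=1
++ programs, and also skip overlong names. */
++ size_t len = strlen (p);
++ if (len >= SECURE_NAME_LIMIT || memchr (p, '/', len) != NULL)
++ return false;
++ }
++ return *p != '\0';
++}
+
+/* List of auditing DSOs. */
+static struct audit_list
+@@ -730,6 +759,42 @@ static const char *preloadlist attribute_relro;
+/* Nonzero if information about versions has to be printed. */
+static int version_info attribute_relro;
+
++/* The LD_PRELOAD environment variable gives list of libraries
++ separated by white space or colons that are loaded before the
++ executable's dependencies and prepended to the global scope list.
++ (If the binary is running setuid all elements containing a '/' are
++ ignored since it is insecure.) Return the number of preloads
++ performed. */
++unsigned int
++handle_ld_preload (const char *preloadlist, struct link_map *main_map)
++{
++ unsigned int npreloads = 0;
++ const char *p = preloadlist;
++ char fname[SECURE_PATH_LIMIT];
++
++ while (*p != '\0')
++ {
++ /* Split preload list at space/colon. */
++ size_t len = strcspn (p, " :");
++ if (len > 0 && len < sizeof (fname))
++ {
++ memcpy (fname, p, len);
++ fname[len] = '\0';
++ }
++ else
++ fname[0] = '\0';
++
++ /* Skip over the substring and the following delimiter. */
++ p += len;
++ if (*p != '\0')
++ ++p;
++
++ if (dso_name_valid_for_suid (fname))
++ npreloads += do_preload (fname, main_map, "LD_PRELOAD");
++ }
++ return npreloads;
++}
++
+static void
+dl_main (const ElfW(Phdr) *phdr,
+ElfW(Word) phnum,
+@@ -1481,23 +1546,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+
+if (__glibc_unlikely (preloadlist != NULL))
+{
+- /* The LD_PRELOAD environment variable gives list of libraries
+- separated by white space or colons that are loaded before the
+- executable's dependencies and prepended to the global scope
+- list. If the binary is running setuid all elements
+- containing a '/' are ignored since it is insecure. */
+- char *list = strdupa (preloadlist);
+- char *p;
+-
+HP_TIMING_NOW (start);
+-
+- /* Prevent optimizing strsep. Speed is not important here. */
+- while ((p = (strsep) (&list, " :")) != NULL)
+- if (p[0] != '\0'
+- && (__builtin_expect (! __libc_enable_secure, 1)
+- || strchr (p, '/') == NULL))
+- npreloads += do_preload (p, main_map, "LD_PRELOAD");
+-
++ npreloads += handle_ld_preload (preloadlist, main_map);
+HP_TIMING_NOW (stop);
+HP_TIMING_DIFF (diff, start, stop);
+HP_TIMING_ACCUM_NT (load_time, diff);
+--
+2.15.0
+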
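Review bot: handle_ld_preload is introduced as `unsigned int handle_ld_preload (...)` without `static`, unlike dso_name_valid_for_suid added in the same patch, although the only caller shown is dl_main in the same file; `static unsigned int` would keep the new helper file-local. The loop also discards any element of SECURE_PATH_LIMIT bytes or more by setting `fname[0] = '\0'`, and it does this whether or not __libc_enable_secure is set and without printing anything, which is a behaviour change from the removed strdupa/strsep code for ordinary programs. A short comment on the `else` branch, for example `/* Empty or overlong element: skipped silently, also when AT_SECURE=0.  */`, would record that for whoever has to explain a preload that never loaded. The dl_main hunk that calls the helper continues outside the lines shown.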
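--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch
@@ -0,0 +1,231 @@
+From c0b25407def32718147530da72959a034cd1318d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:32:12 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements
+
+Also only process the last LD_AUDIT entry.
+
+(cherry picked from commit 81b82fb966ffbd94353f793ad17116c6088dedd9)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=2febff860b31df3666bef5ade0d0744c93f76a74
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch&id=2755c57269f24e9d59c22c49788f92515346c1bb
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ChangeLog | 11 +++++++
+elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
+2 files changed, 106 insertions(+), 15 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index ea5ecd4a1e..638cb632b1 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,14 @@
++2017-06-19 Florian Weimer <fweimer@redhat.com>
++
++ * elf/rtld.c (audit_list_string): New variable.
++ (audit_list): Update comment.
++ (struct audit_list_iter): Define.
++ (audit_list_iter_init, audit_list_iter_next): New function.
++ (dl_main): Use struct audit_list_iter to process audit modules.
++ (process_dl_audit): Call dso_name_valid_for_suid.
++ (process_envvars): Set audit_list_string instead of calling
++ process_dl_audit.
++
+2017-06-19 Florian Weimer <fweimer@redhat.com>
+
+* elf/rtld.c (SECURE_NAME_LIMIT, SECURE_PATH_LIMIT): Define.
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 1d8eab9fe2..302bb63620 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p)
+return *p != '\0';
+}
+
+-/* List of auditing DSOs. */
++/* LD_AUDIT variable contents. Must be processed before the
++ audit_list below. */
++const char *audit_list_string;
++
++/* Cyclic list of auditing DSOs. audit_list->next is the first
++ element. */
+static struct audit_list
+{
+const char *name;
+struct audit_list *next;
+} *audit_list;
+
++/* Iterator for audit_list_string followed by audit_list. */
++struct audit_list_iter
++{
++ /* Tail of audit_list_string still needing processing, or NULL. */
++ const char *audit_list_tail;
++
++ /* The list element returned in the previous iteration. NULL before
++ the first element. */
++ struct audit_list *previous;
++
++ /* Scratch buffer for returning a name which is part of
++ audit_list_string. */
++ char fname[SECURE_NAME_LIMIT];
++};
++
++/* Initialize an audit list iterator. */
++static void
++audit_list_iter_init (struct audit_list_iter *iter)
++{
++ iter->audit_list_tail = audit_list_string;
++ iter->previous = NULL;
++}
++
++/* Iterate through both audit_list_string and audit_list. */
++static const char *
++audit_list_iter_next (struct audit_list_iter *iter)
++{
++ if (iter->audit_list_tail != NULL)
++ {
++ /* First iterate over audit_list_string. */
++ while (*iter->audit_list_tail != '\0')
++ {
++ /* Split audit list at colon. */
++ size_t len = strcspn (iter->audit_list_tail, ":");
++ if (len > 0 && len < sizeof (iter->fname))
++ {
++ memcpy (iter->fname, iter->audit_list_tail, len);
++ iter->fname[len] = '\0';
++ }
++ else
++ /* Do not return this name to the caller. */
++ iter->fname[0] = '\0';
++
++ /* Skip over the substring and the following delimiter. */
++ iter->audit_list_tail += len;
++ if (*iter->audit_list_tail == ':')
++ ++iter->audit_list_tail;
++
++ /* If the name is valid, return it. */
++ if (dso_name_valid_for_suid (iter->fname))
++ return iter->fname;
++ /* Otherwise, wrap around and try the next name. */
++ }
++ /* Fall through to the procesing of audit_list. */
++ }
++
++ if (iter->previous == NULL)
++ {
++ if (audit_list == NULL)
++ /* No pre-parsed audit list. */
++ return NULL;
++ /* Start of audit list. The first list element is at
++ audit_list->next (cyclic list). */
++ iter->previous = audit_list->next;
++ return iter->previous->name;
++ }
++ if (iter->previous == audit_list)
++ /* Cyclic list wrap-around. */
++ return NULL;
++ iter->previous = iter->previous->next;
++ return iter->previous->name;
++}
++
+#ifndef HAVE_INLINED_SYSCALLS
+/* Set nonzero during loading and initialization of executable and
+libraries, cleared before the executable's entry point runs. This
+@@ -1322,11 +1400,13 @@ of this helper program; chances are you did not intend to run this program.\n\
+GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
+
+/* If we have auditing DSOs to load, do it now. */
+- if (__glibc_unlikely (audit_list != NULL))
++ bool need_security_init = true;
++ if (__glibc_unlikely (audit_list != NULL)
++ || __glibc_unlikely (audit_list_string != NULL))
+{
+- /* Iterate over all entries in the list. The order is important. */
+struct audit_ifaces *last_audit = NULL;
+- struct audit_list *al = audit_list->next;
++ struct audit_list_iter al_iter;
++ audit_list_iter_init (&al_iter);
+
+/* Since we start using the auditing DSOs right away we need to
+initialize the data structures now. */
+@@ -1337,9 +1417,14 @@ of this helper program; chances are you did not intend to run this program.\n\
+use different values (especially the pointer guard) and will
+fail later on. */
+security_init ();
++ need_security_init = false;
+
+- do
++ while (true)
+{
++ const char *name = audit_list_iter_next (&al_iter);
++ if (name == NULL)
++ break;
++
+int tls_idx = GL(dl_tls_max_dtv_idx);
+
+/* Now it is time to determine the layout of the static TLS
+@@ -1348,7 +1433,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+no DF_STATIC_TLS bit is set. The reason is that we know
+glibc will use the static model. */
+struct dlmopen_args dlmargs;
+- dlmargs.fname = al->name;
++ dlmargs.fname = name;
+dlmargs.map = NULL;
+
+const char *objname;
+@@ -1361,7 +1446,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+not_loaded:
+_dl_error_printf ("\
+ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+- al->name, err_str);
++ name, err_str);
+if (malloced)
+free ((char *) err_str);
+}
+@@ -1465,10 +1550,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+goto not_loaded;
+}
+}
+-
+- al = al->next;
+}
+- while (al != audit_list->next);
+
+/* If we have any auditing modules, announce that we already
+have two objects loaded. */
+@@ -1732,7 +1814,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+if (tcbp == NULL)
+tcbp = init_tls ();
+
+- if (__glibc_likely (audit_list == NULL))
++ if (__glibc_likely (need_security_init))
+/* Initialize security features. But only if we have not done it
+earlier. */
+security_init ();
+@@ -2363,9 +2445,7 @@ process_dl_audit (char *str)
+char *p;
+
+while ((p = (strsep) (&str, ":")) != NULL)
+- if (p[0] != '\0'
+- && (__builtin_expect (! __libc_enable_secure, 1)
+- || strchr (p, '/') == NULL))
++ if (dso_name_valid_for_suid (p))
+{
+/* This is using the local malloc, not the system malloc. The
+memory can never be freed. */
+@@ -2429,7 +2509,7 @@ process_envvars (enum mode *modep)
+break;
+}
+if (memcmp (envline, "AUDIT", 5) == 0)
+- process_dl_audit (&envline[6]);
++ audit_list_string = &envline[6];
+break;
+
+case 7:
+--
+2.15.0
+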
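Review bot: struct audit_list_iter sizes its scratch buffer as `char fname[SECURE_NAME_LIMIT]`, whereas handle_ld_preload in the preceding patch uses `char fname[SECURE_PATH_LIMIT]`, so audit_list_iter_next drops every LD_AUDIT element of SECURE_NAME_LIMIT bytes or more even when __libc_enable_secure is off and the element is a full path. If the name-length limit is meant only for AT_SECURE=1, which dso_name_valid_for_suid already enforces, the member should be `char fname[SECURE_PATH_LIMIT];`; if the tighter limit is intentional, the struct comment should say so. `const char *audit_list_string;` is also defined without `static` although audit_list beside it is static and every use shown is in elf/rtld.c. The comment `/* Fall through to the procesing of audit_list.  */` misspells "processing".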
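--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch
@@ -0,0 +1,62 @@
+From 203835b3bf6f1edfe1ebe4a7fa15dc085e6dc8f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 14 Jun 2017 08:11:22 +0200
+Subject: [PATCH] i686: Add missing IS_IN (libc) guards to vectorized strcspn
+
+Since commit d957c4d3fa48d685ff2726c605c988127ef99395 (i386: Compile
+rtld-*.os with -mno-sse -mno-mmx -mfpmath=387), vector intrinsics can
+no longer be used in ld.so, even if the compiled code never makes it
+into the final ld.so link. This commit adds the missing IS_IN (libc)
+guard to the SSE 4.2 strcspn implementation, so that it can be used from
+ld.so in the future.
+
+(cherry picked from commit 69052a3a95da37169a08f9e59b2cc1808312753c)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=86ac4a78a9218d1e1dcfbacc6f7d09957c1fe3a4
+
+Required to build fixes for CVE-2017-1000366.
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ChangeLog | 5 +++++
+sysdeps/i386/i686/multiarch/strcspn-c.c | 6 ++++--
+sysdeps/i386/i686/multiarch/varshift.c | 4 +++-
+3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 638cb632b1..3f89a2cdb2 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,8 @@
++2017-06-14 Florian Weimer <fweimer@redhat.com>
++
++ * sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard.
++ * sysdeps/i386/i686/multiarch/varshift.c: Likewise.
++
+2017-06-19 Florian Weimer <fweimer@redhat.com>
+
+* elf/rtld.c (audit_list_string): New variable.
+diff --git a/sysdeps/i386/i686/multiarch/strcspn-c.c b/sysdeps/i386/i686/multiarch/strcspn-c.c
+index 6d61e190a8..ec230fb383 100644
+--- a/sysdeps/i386/i686/multiarch/strcspn-c.c
++++ b/sysdeps/i386/i686/multiarch/strcspn-c.c
+@@ -1,2 +1,4 @@
+-#define __strcspn_sse2 __strcspn_ia32
+-#include <sysdeps/x86_64/multiarch/strcspn-c.c>
++#if IS_IN (libc)
++# define __strcspn_sse2 __strcspn_ia32
++# include <sysdeps/x86_64/multiarch/strcspn-c.c>
++#endif
+diff --git a/sysdeps/i386/i686/multiarch/varshift.c b/sysdeps/i386/i686/multiarch/varshift.c
+index 7760b966e2..6742a35d41 100644
+--- a/sysdeps/i386/i686/multiarch/varshift.c
++++ b/sysdeps/i386/i686/multiarch/varshift.c
+@@ -1 +1,3 @@
+-#include <sysdeps/x86_64/multiarch/varshift.c>
++#if IS_IN (libc)
++# include <sysdeps/x86_64/multiarch/varshift.c>
++#endif
+--
+2.15.0
+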
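--- a/meta/recipes-core/glibc/glibc_2.24.bb
+++ b/meta/recipes-core/glibc/glibc_2.24.bb
@@ -46,6 +46,10 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0005-Remove-__ASSUME_REQUEUE_PI.patch \
 file://0006-Fix-atomic_fetch_xor_release.patch \
 file://0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch \
+file://0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch \
+file://0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch \
+file://0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch \
+file://0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch \
 "
 
 SRC_URI += "\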