Diffstat (limited to 'meta/recipes-core/glibc')
8 files changed, 608 insertions, 3 deletions
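--- a/meta/recipes-core/glibc/glibc-testsuite_2.30.bb
+++ b/meta/recipes-core/glibc/glibc-testsuite_2.30.bb
@@ -1,5 +1,7 @@
 require glibc_${PV}.bb
 
+EXCLUDE_FROM_WORLD = "1"
+
 # handle PN differences
 FILESEXTRAPATHS_prepend := "${THISDIR}/glibc:"
 
@@ -58,3 +60,4 @@ addtask do_check after do_compile
 
 inherit nopackages
 deltask do_stash_locale
+deltask do_install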
diff --git a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch index 3aad603ada..5cd235f6ac 100644 --- a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch +++ b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch | |||
@@ -65,6 +65,35 @@ index 7c1cc3eecb..53cb8bfc59 100644 | |||
65 | 65 | ||
66 | /* Load the locale data for CATEGORY from the file specified by *NAME. | 66 | /* Load the locale data for CATEGORY from the file specified by *NAME. |
67 | If *NAME is "", use environment variables as specified by POSIX, and | 67 | If *NAME is "", use environment variables as specified by POSIX, and |
68 | -- | 68 | Index: git/locale/programs/locale.c |
69 | 2.22.0 | 69 | =================================================================== |
70 | 70 | --- git.orig/locale/programs/locale.c | |
71 | +++ git/locale/programs/locale.c | ||
72 | @@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b | ||
73 | ((const struct nameent *) b)->name); | ||
74 | } | ||
75 | |||
76 | +static char _write_archive_locales_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = ARCHIVE_NAME; | ||
77 | |||
78 | static int | ||
79 | write_archive_locales (void **all_datap, char *linebuf) | ||
80 | @@ -645,7 +646,7 @@ write_archive_locales (void **all_datap, | ||
81 | int fd, ret = 0; | ||
82 | uint32_t cnt; | ||
83 | |||
84 | - fd = open64 (ARCHIVE_NAME, O_RDONLY); | ||
85 | + fd = open64 (_write_archive_locales_path, O_RDONLY); | ||
86 | if (fd < 0) | ||
87 | return 0; | ||
88 | |||
89 | @@ -700,8 +701,8 @@ write_archive_locales (void **all_datap, | ||
90 | if (cnt) | ||
91 | putchar_unlocked ('\n'); | ||
92 | |||
93 | - printf ("locale: %-15.15s archive: " ARCHIVE_NAME "\n%s\n", | ||
94 | - names[cnt].name, linebuf); | ||
95 | + printf ("locale: %-15.15s archive: %s\n%s\n", | ||
96 | + names[cnt].name, _write_archive_locales_path, linebuf); | ||
97 | |||
98 | locrec = (struct locrecent *) (addr + names[cnt].locrec_offset); | ||
99 | |||
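Review bot: `_write_archive_locales_path` at new patch line 76 is a writable 4096-byte `static char` placed in `.gccrelocprefix`, and its contents go straight to `open64` at line 85, yet nothing in the hunk says who rewrites it or that it must stay NUL-terminated. Judging from the patch name this is the SDK relocation prefix, so a comment above the declaration such as `/* Rewritten in place by SDK relocation; must stay a NUL-terminated path shorter than 4096 bytes. */` would record that contract. The hunk also drops the git trailer (`--`, `2.22.0`) and appends a quilt-style `Index:` section, so the patch's own header and diffstat, which lie outside this hunk, presumably no longer describe the locale/programs/locale.c change.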
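--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
@@ -0,0 +1,128 @@
+From ce265ec5bc25ec35fba53807abac1b0c8469895e Mon Sep 17 00:00:00 2001
+From: Joseph Myers <joseph@codesourcery.com>
+Date: Wed, 12 Feb 2020 23:31:56 +0000
+Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of
+
+pseudo-zero (bug 25487).
+
+Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
+argument (an representation where all the significand bits, including
+the explicit high bit, are zero, but the exponent is not zero, which
+is not a valid representation for the long double type).
+
+Although this is not a valid long double representation, existing
+practice in this area (see bug 4586, originally marked invalid but
+subsequently fixed) is that we still seek to avoid invalid memory
+accesses as a result, in case of programs that treat arbitrary binary
+data as long double representations, although the invalid
+representations of the ldbl-96 format do not need to be consistently
+handled the same as any particular valid representation.
+
+This patch makes the range reduction detect pseudo-zero and unnormal
+representations that would otherwise go to __kernel_rem_pio2, and
+returns a NaN for them instead of continuing with the range reduction
+process. (Pseudo-zero and unnormal representations whose unbiased
+exponent is less than -1 have already been safely returned from the
+function before this point without going through the rest of range
+reduction.) Pseudo-zero representations would previously result in
+the value passed to __kernel_rem_pio2 being all-zero, which is
+definitely unsafe; unnormal representations would previously result in
+a value passed whose high bit is zero, which might well be unsafe
+since that is not a form of input expected by __kernel_rem_pio2.
+
+Tested for x86_64.
+
+CVE: CVE-2020-10029
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;
+a=patch;h=9333498794cde1d5cca518badf79533a24114b6f]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+
+---
+sysdeps/ieee754/ldbl-96/Makefile | 3 ++-
+sysdeps/ieee754/ldbl-96/e_rem_pio2l.c | 12 +++++++++
+sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c | 41 ++++++++++++++++++++++++++++++
+3 files changed, 55 insertions(+), 1 deletion(-)
+create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+
+diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
+index b103254..052c1c7 100644
+--- a/sysdeps/ieee754/ldbl-96/Makefile
++++ b/sysdeps/ieee754/ldbl-96/Makefile
+@@ -17,5 +17,6 @@
+# <http://www.gnu.org/licenses/>.
+
+ifeq ($(subdir),math)
+-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
++tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
++CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
+endif
+diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+index 805de22..1aeccb4 100644
+--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
++++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
+return 0;
+}
+
++ if ((i0 & 0x80000000) == 0)
++ {
++ /* Pseudo-zero and unnormal representations are not valid
++ representations of long double. We need to avoid stack
++ corruption in __kernel_rem_pio2, which expects input in a
++ particular normal form, but those representations do not need
++ to be consistently handled like any particular floating-point
++ value. */
++ y[1] = y[0] = __builtin_nanl ("");
++ return 0;
++ }
++
+/* Split the 64 bits of the mantissa into three 24-bit integers
+stored in a double array. */
+exp = j0 - 23;
+diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+new file mode 100644
+index 0000000..f59b977
+--- /dev/null
++++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+@@ -0,0 +1,41 @@
++/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
++ Copyright (C) 2020 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <math.h>
++#include <math_ldbl.h>
++#include <stdint.h>
++
++static int
++do_test (void)
++{
++ for (int i = 0; i < 64; i++)
++ {
++ uint64_t sig = i == 63 ? 0 : 1ULL << i;
++ long double ld;
++ SET_LDOUBLE_WORDS (ld, 0x4141,
++ sig >> 32, sig & 0xffffffffULL);
++ /* The requirement is that no stack overflow occurs when the
++ pseudo-zero or unnormal goes through range reduction. */
++ volatile long double ldr;
++ ldr = sinl (ld);
++ (void) ldr;
++ }
++ return 0;
++}
++
++#include <support/test-driver.c>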
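Review bot: The provenance header of this backport is hard to follow mechanically: the `Upstream-Status` URL is wrapped across patch lines 36-37, the `From` id on line 1 (`ce265ec5bc25…`) differs from the `h=9333498794cd…` id it cites, and a blank line at patch line 5 separates `Subject:` from its continuation `pseudo-zero (bug 25487).`. Keeping the URL on one line, `Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=9333498794cde1d5cca518badf79533a24114b6f]`, and stating which of the two ids was actually picked would let anyone auditing the CVE fix match it to upstream. Separately, `do_test` discards the `sinl` result with `(void) ldr`, so the test appears to catch a regression only through the `-fstack-protector-all` canary added in the Makefile hunk; a one-line comment in `do_test` naming that dependency would stop the flag being dropped later.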
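--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
@@ -0,0 +1,70 @@
+From d93769405996dfc11d216ddbe415946617b5a494 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Mon, 20 Jan 2020 17:01:50 +0100
+Subject: [PATCH] Fix array overflow in backtrace on PowerPC (bug 25423)
+
+When unwinding through a signal frame the backtrace function on PowerPC
+didn't check array bounds when storing the frame address. Fixes commit
+d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
+
+CVE: CVE-2020-1751
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+debug/tst-backtrace5.c | 12 ++++++++++++
+sysdeps/powerpc/powerpc32/backtrace.c | 2 ++
+sysdeps/powerpc/powerpc64/backtrace.c | 2 ++
+3 files changed, 16 insertions(+)
+
+diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
+index e7ce410845..b2f46160e7 100644
+--- a/debug/tst-backtrace5.c
++++ b/debug/tst-backtrace5.c
+@@ -89,6 +89,18 @@ handle_signal (int signum)
+}
+/* Symbol names are not available for static functions, so we do not
+check do_test. */
++
++ /* Check that backtrace does not return more than what fits in the array
++ (bug 25423). */
++ for (int j = 0; j < NUM_FUNCTIONS; j++)
++ {
++ n = backtrace (addresses, j);
++ if (n > j)
++ {
++ FAIL ();
++ return;
++ }
++ }
+}
+
+NO_INLINE int
+diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
+index 7c2d4726f8..d1456c8ae4 100644
+--- a/sysdeps/powerpc/powerpc32/backtrace.c
++++ b/sysdeps/powerpc/powerpc32/backtrace.c
+@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
+}
+if (gregset)
+{
++ if (count + 1 == size)
++ break;
+array[++count] = (void*)((*gregset)[PT_NIP]);
+current = (void*)((*gregset)[PT_R1]);
+}
+diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
+index 65c260ab76..8a53a1088f 100644
+--- a/sysdeps/powerpc/powerpc64/backtrace.c
++++ b/sysdeps/powerpc/powerpc64/backtrace.c
+@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
+if (is_sigtramp_address (current->return_address))
+{
+struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
++ if (count + 1 == size)
++ break;
+array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
+current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
+}
+--
+2.23.0
+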
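Review bot: `Upstream-Status: Backport [git://sourceware.org/git/glibc.git]` on patch line 11 names only the repository, not the upstream commit, so this CVE fix cannot be matched to upstream without searching. The same applies to CVE-2020-1752.patch, CVE-2020-6096-1.patch and CVE-2020-6096-2.patch, whereas CVE-2020-10029.patch does cite a commit id. If the id on each patch's `From` line is the upstream commit, citing it inside the brackets would be enough. In the code, the added guard `if (count + 1 == size) break;` sits in loops whose headers are outside both backtrace.c hunks, so that `count < size` already holds at that point has to be confirmed against the full `__backtrace` bodies.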
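--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch
@@ -0,0 +1,66 @@
+From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Wed, 19 Feb 2020 17:21:46 +0100
+Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
+
+The value of `end_name' points into the value of `dirname', thus don't
+deallocate the latter before the last use of the former.
+
+CVE: CVE-2020-1752
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+posix/glob.c | 25 +++++++++++++------------
+1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/posix/glob.c b/posix/glob.c
+index cba9cd1819..4580cefb9f 100644
+--- a/posix/glob.c
++++ b/posix/glob.c
+@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+{
+size_t home_len = strlen (p->pw_dir);
+size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+- char *d;
++ char *d, *newp;
++ bool use_alloca = glob_use_alloca (alloca_used,
++ home_len + rest_len + 1);
+
+- if (__glibc_unlikely (malloc_dirname))
+- free (dirname);
+- malloc_dirname = 0;
+-
+- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
+- dirname = alloca_account (home_len + rest_len + 1,
+- alloca_used);
++ if (use_alloca)
++ newp = alloca_account (home_len + rest_len + 1, alloca_used);
+else
+{
+- dirname = malloc (home_len + rest_len + 1);
+- if (dirname == NULL)
++ newp = malloc (home_len + rest_len + 1);
++ if (newp == NULL)
+{
+scratch_buffer_free (&pwtmpbuf);
+retval = GLOB_NOSPACE;
+goto out;
+}
+- malloc_dirname = 1;
+}
+- d = mempcpy (dirname, p->pw_dir, home_len);
++ d = mempcpy (newp, p->pw_dir, home_len);
+if (end_name != NULL)
+d = mempcpy (d, end_name, rest_len);
+*d = '\0';
+
++ if (__glibc_unlikely (malloc_dirname))
++ free (dirname);
++ dirname = newp;
++ malloc_dirname = !use_alloca;
++
+dirlen = home_len + rest_len;
+dirname_modified = 1;
+}
+--
+2.18.2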
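Review bot: The moved block at patch lines 57-60 is the whole fix, but the new code has no comment saying why `free (dirname)` must come after the `mempcpy` from `end_name`; only the commit message explains the aliasing. A comment above the moved block, e.g. `/* end_name points into dirname: release the old buffer only after the copy above. */`, would keep a later cleanup from moving the free back. The size expression `home_len + rest_len + 1` is also written out three times (patch lines 27, 37 and 42) and could be held in one local. The enclosing `__glob` body starts and ends outside the hunk, and since this is a backport such changes would belong upstream first.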
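--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch
@@ -0,0 +1,193 @@
+From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
+From: Evgeny Eremin <e.eremin@omprussia.ru>
+Date: Wed, 8 Jul 2020 14:18:19 +0200
+Subject: [PATCH 1/2] arm: CVE-2020-6096: fix memcpy and memmove for negative
+length [BZ #25620]
+
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy and memmove.
+This commit fixes the generic arm implementation of memcpy amd memmove.
+
+CVE: CVE-2020-6096
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+sysdeps/arm/memcpy.S | 24 ++++++++++--------------
+sysdeps/arm/memmove.S | 24 ++++++++++--------------
+2 files changed, 20 insertions(+), 28 deletions(-)
+
+diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
+index 510e8adaf2..bcfbc51d99 100644
+--- a/sysdeps/arm/memcpy.S
++++ b/sysdeps/arm/memcpy.S
+@@ -68,7 +68,7 @@ ENTRY(memcpy)
+cfi_remember_state
+
+subs r2, r2, #4
+- blt 8f
++ blo 8f
+ands ip, r0, #3
+PLD( pld [r1, #0] )
+bne 9f
+@@ -82,7 +82,7 @@ ENTRY(memcpy)
+cfi_rel_offset (r6, 4)
+cfi_rel_offset (r7, 8)
+cfi_rel_offset (r8, 12)
+- blt 5f
++ blo 5f
+
+CALGN( ands ip, r1, #31 )
+CALGN( rsb r3, ip, #32 )
+@@ -98,9 +98,9 @@ ENTRY(memcpy)
+#endif
+
+PLD( pld [r1, #0] )
+-2: PLD( subs r2, r2, #96 )
++2: PLD( cmp r2, #96 )
+PLD( pld [r1, #28] )
+- PLD( blt 4f )
++ PLD( blo 4f )
+PLD( pld [r1, #60] )
+PLD( pld [r1, #92] )
+
+@@ -108,9 +108,7 @@ ENTRY(memcpy)
+4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
+subs r2, r2, #32
+stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
+- bge 3b
+- PLD( cmn r2, #96 )
+- PLD( bge 4b )
++ bhs 3b
+
+5: ands ip, r2, #28
+rsb ip, ip, #32
+@@ -222,7 +220,7 @@ ENTRY(memcpy)
+strbge r4, [r0], #1
+subs r2, r2, ip
+strb lr, [r0], #1
+- blt 8b
++ blo 8b
+ands ip, r1, #3
+beq 1b
+
+@@ -236,7 +234,7 @@ ENTRY(memcpy)
+.macro forward_copy_shift pull push
+
+subs r2, r2, #28
+- blt 14f
++ blo 14f
+
+CALGN( ands ip, r1, #31 )
+CALGN( rsb ip, ip, #32 )
+@@ -253,9 +251,9 @@ ENTRY(memcpy)
+cfi_rel_offset (r10, 16)
+
+PLD( pld [r1, #0] )
+- PLD( subs r2, r2, #96 )
++ PLD( cmp r2, #96 )
+PLD( pld [r1, #28] )
+- PLD( blt 13f )
++ PLD( blo 13f )
+PLD( pld [r1, #60] )
+PLD( pld [r1, #92] )
+
+@@ -280,9 +278,7 @@ ENTRY(memcpy)
+mov ip, ip, PULL #\pull
+orr ip, ip, lr, PUSH #\push
+stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
+- bge 12b
+- PLD( cmn r2, #96 )
+- PLD( bge 13b )
++ bhs 12b
+
+pop {r5 - r8, r10}
+cfi_adjust_cfa_offset (-20)
+diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
+index 954037ef3a..0d07b76ee6 100644
+--- a/sysdeps/arm/memmove.S
++++ b/sysdeps/arm/memmove.S
+@@ -85,7 +85,7 @@ ENTRY(memmove)
+add r1, r1, r2
+add r0, r0, r2
+subs r2, r2, #4
+- blt 8f
++ blo 8f
+ands ip, r0, #3
+PLD( pld [r1, #-4] )
+bne 9f
+@@ -99,7 +99,7 @@ ENTRY(memmove)
+cfi_rel_offset (r6, 4)
+cfi_rel_offset (r7, 8)
+cfi_rel_offset (r8, 12)
+- blt 5f
++ blo 5f
+
+CALGN( ands ip, r1, #31 )
+CALGN( sbcsne r4, ip, r2 ) @ C is always set here
+@@ -114,9 +114,9 @@ ENTRY(memmove)
+#endif
+
+PLD( pld [r1, #-4] )
+-2: PLD( subs r2, r2, #96 )
++2: PLD( cmp r2, #96 )
+PLD( pld [r1, #-32] )
+- PLD( blt 4f )
++ PLD( blo 4f )
+PLD( pld [r1, #-64] )
+PLD( pld [r1, #-96] )
+
+@@ -124,9 +124,7 @@ ENTRY(memmove)
+4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
+subs r2, r2, #32
+stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
+- bge 3b
+- PLD( cmn r2, #96 )
+- PLD( bge 4b )
++ bhs 3b
+
+5: ands ip, r2, #28
+rsb ip, ip, #32
+@@ -237,7 +235,7 @@ ENTRY(memmove)
+strbge r4, [r0, #-1]!
+subs r2, r2, ip
+strb lr, [r0, #-1]!
+- blt 8b
++ blo 8b
+ands ip, r1, #3
+beq 1b
+
+@@ -251,7 +249,7 @@ ENTRY(memmove)
+.macro backward_copy_shift push pull
+
+subs r2, r2, #28
+- blt 14f
++ blo 14f
+
+CALGN( ands ip, r1, #31 )
+CALGN( rsb ip, ip, #32 )
+@@ -268,9 +266,9 @@ ENTRY(memmove)
+cfi_rel_offset (r10, 16)
+
+PLD( pld [r1, #-4] )
+- PLD( subs r2, r2, #96 )
++ PLD( cmp r2, #96 )
+PLD( pld [r1, #-32] )
+- PLD( blt 13f )
++ PLD( blo 13f )
+PLD( pld [r1, #-64] )
+PLD( pld [r1, #-96] )
+
+@@ -295,9 +293,7 @@ ENTRY(memmove)
+mov r4, r4, PUSH #\push
+orr r4, r4, r3, PULL #\pull
+stmdb r0!, {r4 - r8, r10, ip, lr}
+- bge 12b
+- PLD( cmn r2, #96 )
+- PLD( bge 13b )
++ bhs 12b
+
+pop {r5 - r8, r10}
+cfi_adjust_cfa_offset (-20)
+--
+2.17.0
+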
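Review bot: None of the `blt`→`blo` and `bge`→`bhs` replacements carries a comment saying that r2 holds an unsigned length and must be tested with unsigned conditions, so the reason for the CVE fix is visible only in the commit message. One comment at the first changed branch of `memcpy` and of `memmove`, e.g. `@ r2 is an unsigned length: test with lo/hs, never lt/ge`, would guard against the signed forms being reintroduced; the same goes for memcpy_impl.S in CVE-2020-6096-2.patch, where `bmi`/`bpl` are replaced as well. In the PLD blocks `subs r2, r2, #96` becomes `cmp r2, #96`, which no longer adjusts r2, and the matching `cmn r2, #96` / `bge 4b` tail is dropped; because the two halves of that change sit in different hunks, a note next to label `2:` would help. The description also has a typo, `memcpy amd memmove`.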
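--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch
@@ -0,0 +1,111 @@
+From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
+From: Alexander Anisimov <a.anisimov@omprussia.ru>
+Date: Wed, 8 Jul 2020 14:18:31 +0200
+Subject: [PATCH 2/2] arm: CVE-2020-6096: Fix multiarch memcpy for negative
+length [BZ #25620]
+
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy.
+This commit fixes the armv7 version.
+
+CVE: CVE-2020-6096
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
+1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+index bf4ac7077f..379bb56fc9 100644
+--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
++++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+@@ -268,7 +268,7 @@ ENTRY(memcpy)
+
+mov dst, dstin /* Preserve dstin, we need to return it. */
+cmp count, #64
+- bge .Lcpy_not_short
++ bhs .Lcpy_not_short
+/* Deal with small copies quickly by dropping straight into the
+exit block. */
+
+@@ -351,10 +351,10 @@ ENTRY(memcpy)
+
+1:
+subs tmp2, count, #64 /* Use tmp2 for count. */
+- blt .Ltail63aligned
++ blo .Ltail63aligned
+
+cmp tmp2, #512
+- bge .Lcpy_body_long
++ bhs .Lcpy_body_long
+
+.Lcpy_body_medium: /* Count in tmp2. */
+#ifdef USE_VFP
+@@ -378,7 +378,7 @@ ENTRY(memcpy)
+add src, src, #64
+vstr d1, [dst, #56]
+add dst, dst, #64
+- bge 1b
++ bhs 1b
+tst tmp2, #0x3f
+beq .Ldone
+
+@@ -412,7 +412,7 @@ ENTRY(memcpy)
+ldrd A_l, A_h, [src, #64]!
+strd A_l, A_h, [dst, #64]!
+subs tmp2, tmp2, #64
+- bge 1b
++ bhs 1b
+tst tmp2, #0x3f
+bne 1f
+ldr tmp2,[sp], #FRAME_SIZE
+@@ -482,7 +482,7 @@ ENTRY(memcpy)
+add src, src, #32
+
+subs tmp2, tmp2, #prefetch_lines * 64 * 2
+- blt 2f
++ blo 2f
+1:
+cpy_line_vfp d3, 0
+cpy_line_vfp d4, 64
+@@ -494,7 +494,7 @@ ENTRY(memcpy)
+add dst, dst, #2 * 64
+add src, src, #2 * 64
+subs tmp2, tmp2, #prefetch_lines * 64
+- bge 1b
++ bhs 1b
+
+2:
+cpy_tail_vfp d3, 0
+@@ -615,8 +615,8 @@ ENTRY(memcpy)
+1:
+pld [src, #(3 * 64)]
+subs count, count, #64
+- ldrmi tmp2, [sp], #FRAME_SIZE
+- bmi .Ltail63unaligned
++ ldrlo tmp2, [sp], #FRAME_SIZE
++ blo .Ltail63unaligned
+pld [src, #(4 * 64)]
+
+#ifdef USE_NEON
+@@ -633,7 +633,7 @@ ENTRY(memcpy)
+neon_load_multi d0-d3, src
+neon_load_multi d4-d7, src
+subs count, count, #64
+- bmi 2f
++ blo 2f
+1:
+pld [src, #(4 * 64)]
+neon_store_multi d0-d3, dst
+@@ -641,7 +641,7 @@ ENTRY(memcpy)
+neon_store_multi d4-d7, dst
+neon_load_multi d4-d7, src
+subs count, count, #64
+- bpl 1b
++ bhs 1b
+2:
+neon_store_multi d0-d3, dst
+neon_store_multi d4-d7, dst
+--
+2.17.0
+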
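--- a/meta/recipes-core/glibc/glibc_2.30.bb
+++ b/meta/recipes-core/glibc/glibc_2.30.bb
@@ -42,6 +42,11 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0027-inject-file-assembly-directives.patch \
 file://0028-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
 file://CVE-2019-19126.patch \
+file://CVE-2020-10029.patch \
+file://CVE-2020-1751.patch \
+file://CVE-2020-1752.patch \
+file://CVE-2020-6096-1.patch \
+file://CVE-2020-6096-2.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"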