summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/glibc
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-core/glibc')
-rw-r--r--meta/recipes-core/glibc/glibc-testsuite_2.30.bb3
-rw-r--r--meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch35
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-10029.patch128
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-1751.patch70
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-1752.patch66
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch193
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch111
-rw-r--r--meta/recipes-core/glibc/glibc_2.30.bb5
8 files changed, 608 insertions, 3 deletions
diff --git a/meta/recipes-core/glibc/glibc-testsuite_2.30.bb b/meta/recipes-core/glibc/glibc-testsuite_2.30.bb
index 657fd4dbc1..d887aeff79 100644
--- a/meta/recipes-core/glibc/glibc-testsuite_2.30.bb
+++ b/meta/recipes-core/glibc/glibc-testsuite_2.30.bb
@@ -1,5 +1,7 @@
1require glibc_${PV}.bb 1require glibc_${PV}.bb
2 2
3EXCLUDE_FROM_WORLD = "1"
4
3# handle PN differences 5# handle PN differences
4FILESEXTRAPATHS_prepend := "${THISDIR}/glibc:" 6FILESEXTRAPATHS_prepend := "${THISDIR}/glibc:"
5 7
@@ -58,3 +60,4 @@ addtask do_check after do_compile
58 60
59inherit nopackages 61inherit nopackages
60deltask do_stash_locale 62deltask do_stash_locale
63deltask do_install
diff --git a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
index 3aad603ada..5cd235f6ac 100644
--- a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
+++ b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
@@ -65,6 +65,35 @@ index 7c1cc3eecb..53cb8bfc59 100644
65 65
66 /* Load the locale data for CATEGORY from the file specified by *NAME. 66 /* Load the locale data for CATEGORY from the file specified by *NAME.
67 If *NAME is "", use environment variables as specified by POSIX, and 67 If *NAME is "", use environment variables as specified by POSIX, and
68-- 68Index: git/locale/programs/locale.c
692.22.0 69===================================================================
70 70--- git.orig/locale/programs/locale.c
71+++ git/locale/programs/locale.c
72@@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b
73 ((const struct nameent *) b)->name);
74 }
75
76+static char _write_archive_locales_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = ARCHIVE_NAME;
77
78 static int
79 write_archive_locales (void **all_datap, char *linebuf)
80@@ -645,7 +646,7 @@ write_archive_locales (void **all_datap,
81 int fd, ret = 0;
82 uint32_t cnt;
83
84- fd = open64 (ARCHIVE_NAME, O_RDONLY);
85+ fd = open64 (_write_archive_locales_path, O_RDONLY);
86 if (fd < 0)
87 return 0;
88
89@@ -700,8 +701,8 @@ write_archive_locales (void **all_datap,
90 if (cnt)
91 putchar_unlocked ('\n');
92
93- printf ("locale: %-15.15s archive: " ARCHIVE_NAME "\n%s\n",
94- names[cnt].name, linebuf);
95+ printf ("locale: %-15.15s archive: %s\n%s\n",
96+ names[cnt].name, _write_archive_locales_path, linebuf);
97
98 locrec = (struct locrecent *) (addr + names[cnt].locrec_offset);
99
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
new file mode 100644
index 0000000000..606b691bcf
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
@@ -0,0 +1,128 @@
1From ce265ec5bc25ec35fba53807abac1b0c8469895e Mon Sep 17 00:00:00 2001
2From: Joseph Myers <joseph@codesourcery.com>
3Date: Wed, 12 Feb 2020 23:31:56 +0000
4Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of
5
6 pseudo-zero (bug 25487).
7
8Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
9argument (an representation where all the significand bits, including
10the explicit high bit, are zero, but the exponent is not zero, which
11is not a valid representation for the long double type).
12
13Although this is not a valid long double representation, existing
14practice in this area (see bug 4586, originally marked invalid but
15subsequently fixed) is that we still seek to avoid invalid memory
16accesses as a result, in case of programs that treat arbitrary binary
17data as long double representations, although the invalid
18representations of the ldbl-96 format do not need to be consistently
19handled the same as any particular valid representation.
20
21This patch makes the range reduction detect pseudo-zero and unnormal
22representations that would otherwise go to __kernel_rem_pio2, and
23returns a NaN for them instead of continuing with the range reduction
24process. (Pseudo-zero and unnormal representations whose unbiased
25exponent is less than -1 have already been safely returned from the
26function before this point without going through the rest of range
27reduction.) Pseudo-zero representations would previously result in
28the value passed to __kernel_rem_pio2 being all-zero, which is
29definitely unsafe; unnormal representations would previously result in
30a value passed whose high bit is zero, which might well be unsafe
31since that is not a form of input expected by __kernel_rem_pio2.
32
33Tested for x86_64.
34
35CVE: CVE-2020-10029
36Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;
37a=patch;h=9333498794cde1d5cca518badf79533a24114b6f]
38Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
39
40---
41 sysdeps/ieee754/ldbl-96/Makefile | 3 ++-
42 sysdeps/ieee754/ldbl-96/e_rem_pio2l.c | 12 +++++++++
43 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c | 41 ++++++++++++++++++++++++++++++
44 3 files changed, 55 insertions(+), 1 deletion(-)
45 create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
46
47diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
48index b103254..052c1c7 100644
49--- a/sysdeps/ieee754/ldbl-96/Makefile
50+++ b/sysdeps/ieee754/ldbl-96/Makefile
51@@ -17,5 +17,6 @@
52 # <http://www.gnu.org/licenses/>.
53
54 ifeq ($(subdir),math)
55-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
56+tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
57+CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
58 endif
59diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
60index 805de22..1aeccb4 100644
61--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
62+++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
63@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
64 return 0;
65 }
66
67+ if ((i0 & 0x80000000) == 0)
68+ {
69+ /* Pseudo-zero and unnormal representations are not valid
70+ representations of long double. We need to avoid stack
71+ corruption in __kernel_rem_pio2, which expects input in a
72+ particular normal form, but those representations do not need
73+ to be consistently handled like any particular floating-point
74+ value. */
75+ y[1] = y[0] = __builtin_nanl ("");
76+ return 0;
77+ }
78+
79 /* Split the 64 bits of the mantissa into three 24-bit integers
80 stored in a double array. */
81 exp = j0 - 23;
82diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
83new file mode 100644
84index 0000000..f59b977
85--- /dev/null
86+++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
87@@ -0,0 +1,41 @@
88+/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
89+ Copyright (C) 2020 Free Software Foundation, Inc.
90+ This file is part of the GNU C Library.
91+
92+ The GNU C Library is free software; you can redistribute it and/or
93+ modify it under the terms of the GNU Lesser General Public
94+ License as published by the Free Software Foundation; either
95+ version 2.1 of the License, or (at your option) any later version.
96+
97+ The GNU C Library is distributed in the hope that it will be useful,
98+ but WITHOUT ANY WARRANTY; without even the implied warranty of
99+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
100+ Lesser General Public License for more details.
101+
102+ You should have received a copy of the GNU Lesser General Public
103+ License along with the GNU C Library; if not, see
104+ <https://www.gnu.org/licenses/>. */
105+
106+#include <math.h>
107+#include <math_ldbl.h>
108+#include <stdint.h>
109+
110+static int
111+do_test (void)
112+{
113+ for (int i = 0; i < 64; i++)
114+ {
115+ uint64_t sig = i == 63 ? 0 : 1ULL << i;
116+ long double ld;
117+ SET_LDOUBLE_WORDS (ld, 0x4141,
118+ sig >> 32, sig & 0xffffffffULL);
119+ /* The requirement is that no stack overflow occurs when the
120+ pseudo-zero or unnormal goes through range reduction. */
121+ volatile long double ldr;
122+ ldr = sinl (ld);
123+ (void) ldr;
124+ }
125+ return 0;
126+}
127+
128+#include <support/test-driver.c>
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
new file mode 100644
index 0000000000..0ed92d50e9
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
@@ -0,0 +1,70 @@
1From d93769405996dfc11d216ddbe415946617b5a494 Mon Sep 17 00:00:00 2001
2From: Andreas Schwab <schwab@suse.de>
3Date: Mon, 20 Jan 2020 17:01:50 +0100
4Subject: [PATCH] Fix array overflow in backtrace on PowerPC (bug 25423)
5
6When unwinding through a signal frame the backtrace function on PowerPC
7didn't check array bounds when storing the frame address. Fixes commit
8d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
9
10CVE: CVE-2020-1751
11Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
12Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
13---
14 debug/tst-backtrace5.c | 12 ++++++++++++
15 sysdeps/powerpc/powerpc32/backtrace.c | 2 ++
16 sysdeps/powerpc/powerpc64/backtrace.c | 2 ++
17 3 files changed, 16 insertions(+)
18
19diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
20index e7ce410845..b2f46160e7 100644
21--- a/debug/tst-backtrace5.c
22+++ b/debug/tst-backtrace5.c
23@@ -89,6 +89,18 @@ handle_signal (int signum)
24 }
25 /* Symbol names are not available for static functions, so we do not
26 check do_test. */
27+
28+ /* Check that backtrace does not return more than what fits in the array
29+ (bug 25423). */
30+ for (int j = 0; j < NUM_FUNCTIONS; j++)
31+ {
32+ n = backtrace (addresses, j);
33+ if (n > j)
34+ {
35+ FAIL ();
36+ return;
37+ }
38+ }
39 }
40
41 NO_INLINE int
42diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
43index 7c2d4726f8..d1456c8ae4 100644
44--- a/sysdeps/powerpc/powerpc32/backtrace.c
45+++ b/sysdeps/powerpc/powerpc32/backtrace.c
46@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
47 }
48 if (gregset)
49 {
50+ if (count + 1 == size)
51+ break;
52 array[++count] = (void*)((*gregset)[PT_NIP]);
53 current = (void*)((*gregset)[PT_R1]);
54 }
55diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
56index 65c260ab76..8a53a1088f 100644
57--- a/sysdeps/powerpc/powerpc64/backtrace.c
58+++ b/sysdeps/powerpc/powerpc64/backtrace.c
59@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
60 if (is_sigtramp_address (current->return_address))
61 {
62 struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
63+ if (count + 1 == size)
64+ break;
65 array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
66 current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
67 }
68--
692.23.0
70
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch
new file mode 100644
index 0000000000..6c347cd414
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch
@@ -0,0 +1,66 @@
1From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
2From: Andreas Schwab <schwab@suse.de>
3Date: Wed, 19 Feb 2020 17:21:46 +0100
4Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
5
6The value of `end_name' points into the value of `dirname', thus don't
7deallocate the latter before the last use of the former.
8
9CVE: CVE-2020-1752
10Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
11Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
12---
13 posix/glob.c | 25 +++++++++++++------------
14 1 file changed, 13 insertions(+), 12 deletions(-)
15
16diff --git a/posix/glob.c b/posix/glob.c
17index cba9cd1819..4580cefb9f 100644
18--- a/posix/glob.c
19+++ b/posix/glob.c
20@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
21 {
22 size_t home_len = strlen (p->pw_dir);
23 size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
24- char *d;
25+ char *d, *newp;
26+ bool use_alloca = glob_use_alloca (alloca_used,
27+ home_len + rest_len + 1);
28
29- if (__glibc_unlikely (malloc_dirname))
30- free (dirname);
31- malloc_dirname = 0;
32-
33- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
34- dirname = alloca_account (home_len + rest_len + 1,
35- alloca_used);
36+ if (use_alloca)
37+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
38 else
39 {
40- dirname = malloc (home_len + rest_len + 1);
41- if (dirname == NULL)
42+ newp = malloc (home_len + rest_len + 1);
43+ if (newp == NULL)
44 {
45 scratch_buffer_free (&pwtmpbuf);
46 retval = GLOB_NOSPACE;
47 goto out;
48 }
49- malloc_dirname = 1;
50 }
51- d = mempcpy (dirname, p->pw_dir, home_len);
52+ d = mempcpy (newp, p->pw_dir, home_len);
53 if (end_name != NULL)
54 d = mempcpy (d, end_name, rest_len);
55 *d = '\0';
56
57+ if (__glibc_unlikely (malloc_dirname))
58+ free (dirname);
59+ dirname = newp;
60+ malloc_dirname = !use_alloca;
61+
62 dirlen = home_len + rest_len;
63 dirname_modified = 1;
64 }
65--
662.18.2
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch
new file mode 100644
index 0000000000..01c0328362
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch
@@ -0,0 +1,193 @@
1From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
2From: Evgeny Eremin <e.eremin@omprussia.ru>
3Date: Wed, 8 Jul 2020 14:18:19 +0200
4Subject: [PATCH 1/2] arm: CVE-2020-6096: fix memcpy and memmove for negative
5 length [BZ #25620]
6
7Unsigned branch instructions could be used for r2 to fix the wrong
8behavior when a negative length is passed to memcpy and memmove.
9This commit fixes the generic arm implementation of memcpy amd memmove.
10
11CVE: CVE-2020-6096
12Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
13Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
14---
15 sysdeps/arm/memcpy.S | 24 ++++++++++--------------
16 sysdeps/arm/memmove.S | 24 ++++++++++--------------
17 2 files changed, 20 insertions(+), 28 deletions(-)
18
19diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
20index 510e8adaf2..bcfbc51d99 100644
21--- a/sysdeps/arm/memcpy.S
22+++ b/sysdeps/arm/memcpy.S
23@@ -68,7 +68,7 @@ ENTRY(memcpy)
24 cfi_remember_state
25
26 subs r2, r2, #4
27- blt 8f
28+ blo 8f
29 ands ip, r0, #3
30 PLD( pld [r1, #0] )
31 bne 9f
32@@ -82,7 +82,7 @@ ENTRY(memcpy)
33 cfi_rel_offset (r6, 4)
34 cfi_rel_offset (r7, 8)
35 cfi_rel_offset (r8, 12)
36- blt 5f
37+ blo 5f
38
39 CALGN( ands ip, r1, #31 )
40 CALGN( rsb r3, ip, #32 )
41@@ -98,9 +98,9 @@ ENTRY(memcpy)
42 #endif
43
44 PLD( pld [r1, #0] )
45-2: PLD( subs r2, r2, #96 )
46+2: PLD( cmp r2, #96 )
47 PLD( pld [r1, #28] )
48- PLD( blt 4f )
49+ PLD( blo 4f )
50 PLD( pld [r1, #60] )
51 PLD( pld [r1, #92] )
52
53@@ -108,9 +108,7 @@ ENTRY(memcpy)
54 4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
55 subs r2, r2, #32
56 stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
57- bge 3b
58- PLD( cmn r2, #96 )
59- PLD( bge 4b )
60+ bhs 3b
61
62 5: ands ip, r2, #28
63 rsb ip, ip, #32
64@@ -222,7 +220,7 @@ ENTRY(memcpy)
65 strbge r4, [r0], #1
66 subs r2, r2, ip
67 strb lr, [r0], #1
68- blt 8b
69+ blo 8b
70 ands ip, r1, #3
71 beq 1b
72
73@@ -236,7 +234,7 @@ ENTRY(memcpy)
74 .macro forward_copy_shift pull push
75
76 subs r2, r2, #28
77- blt 14f
78+ blo 14f
79
80 CALGN( ands ip, r1, #31 )
81 CALGN( rsb ip, ip, #32 )
82@@ -253,9 +251,9 @@ ENTRY(memcpy)
83 cfi_rel_offset (r10, 16)
84
85 PLD( pld [r1, #0] )
86- PLD( subs r2, r2, #96 )
87+ PLD( cmp r2, #96 )
88 PLD( pld [r1, #28] )
89- PLD( blt 13f )
90+ PLD( blo 13f )
91 PLD( pld [r1, #60] )
92 PLD( pld [r1, #92] )
93
94@@ -280,9 +278,7 @@ ENTRY(memcpy)
95 mov ip, ip, PULL #\pull
96 orr ip, ip, lr, PUSH #\push
97 stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
98- bge 12b
99- PLD( cmn r2, #96 )
100- PLD( bge 13b )
101+ bhs 12b
102
103 pop {r5 - r8, r10}
104 cfi_adjust_cfa_offset (-20)
105diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
106index 954037ef3a..0d07b76ee6 100644
107--- a/sysdeps/arm/memmove.S
108+++ b/sysdeps/arm/memmove.S
109@@ -85,7 +85,7 @@ ENTRY(memmove)
110 add r1, r1, r2
111 add r0, r0, r2
112 subs r2, r2, #4
113- blt 8f
114+ blo 8f
115 ands ip, r0, #3
116 PLD( pld [r1, #-4] )
117 bne 9f
118@@ -99,7 +99,7 @@ ENTRY(memmove)
119 cfi_rel_offset (r6, 4)
120 cfi_rel_offset (r7, 8)
121 cfi_rel_offset (r8, 12)
122- blt 5f
123+ blo 5f
124
125 CALGN( ands ip, r1, #31 )
126 CALGN( sbcsne r4, ip, r2 ) @ C is always set here
127@@ -114,9 +114,9 @@ ENTRY(memmove)
128 #endif
129
130 PLD( pld [r1, #-4] )
131-2: PLD( subs r2, r2, #96 )
132+2: PLD( cmp r2, #96 )
133 PLD( pld [r1, #-32] )
134- PLD( blt 4f )
135+ PLD( blo 4f )
136 PLD( pld [r1, #-64] )
137 PLD( pld [r1, #-96] )
138
139@@ -124,9 +124,7 @@ ENTRY(memmove)
140 4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
141 subs r2, r2, #32
142 stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
143- bge 3b
144- PLD( cmn r2, #96 )
145- PLD( bge 4b )
146+ bhs 3b
147
148 5: ands ip, r2, #28
149 rsb ip, ip, #32
150@@ -237,7 +235,7 @@ ENTRY(memmove)
151 strbge r4, [r0, #-1]!
152 subs r2, r2, ip
153 strb lr, [r0, #-1]!
154- blt 8b
155+ blo 8b
156 ands ip, r1, #3
157 beq 1b
158
159@@ -251,7 +249,7 @@ ENTRY(memmove)
160 .macro backward_copy_shift push pull
161
162 subs r2, r2, #28
163- blt 14f
164+ blo 14f
165
166 CALGN( ands ip, r1, #31 )
167 CALGN( rsb ip, ip, #32 )
168@@ -268,9 +266,9 @@ ENTRY(memmove)
169 cfi_rel_offset (r10, 16)
170
171 PLD( pld [r1, #-4] )
172- PLD( subs r2, r2, #96 )
173+ PLD( cmp r2, #96 )
174 PLD( pld [r1, #-32] )
175- PLD( blt 13f )
176+ PLD( blo 13f )
177 PLD( pld [r1, #-64] )
178 PLD( pld [r1, #-96] )
179
180@@ -295,9 +293,7 @@ ENTRY(memmove)
181 mov r4, r4, PUSH #\push
182 orr r4, r4, r3, PULL #\pull
183 stmdb r0!, {r4 - r8, r10, ip, lr}
184- bge 12b
185- PLD( cmn r2, #96 )
186- PLD( bge 13b )
187+ bhs 12b
188
189 pop {r5 - r8, r10}
190 cfi_adjust_cfa_offset (-20)
191--
1922.17.0
193
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch
new file mode 100644
index 0000000000..bfb2d7e7f5
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch
@@ -0,0 +1,111 @@
1From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
2From: Alexander Anisimov <a.anisimov@omprussia.ru>
3Date: Wed, 8 Jul 2020 14:18:31 +0200
4Subject: [PATCH 2/2] arm: CVE-2020-6096: Fix multiarch memcpy for negative
5 length [BZ #25620]
6
7Unsigned branch instructions could be used for r2 to fix the wrong
8behavior when a negative length is passed to memcpy.
9This commit fixes the armv7 version.
10
11CVE: CVE-2020-6096
12Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
13Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
14---
15 sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
16 1 file changed, 11 insertions(+), 11 deletions(-)
17
18diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
19index bf4ac7077f..379bb56fc9 100644
20--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
21+++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
22@@ -268,7 +268,7 @@ ENTRY(memcpy)
23
24 mov dst, dstin /* Preserve dstin, we need to return it. */
25 cmp count, #64
26- bge .Lcpy_not_short
27+ bhs .Lcpy_not_short
28 /* Deal with small copies quickly by dropping straight into the
29 exit block. */
30
31@@ -351,10 +351,10 @@ ENTRY(memcpy)
32
33 1:
34 subs tmp2, count, #64 /* Use tmp2 for count. */
35- blt .Ltail63aligned
36+ blo .Ltail63aligned
37
38 cmp tmp2, #512
39- bge .Lcpy_body_long
40+ bhs .Lcpy_body_long
41
42 .Lcpy_body_medium: /* Count in tmp2. */
43 #ifdef USE_VFP
44@@ -378,7 +378,7 @@ ENTRY(memcpy)
45 add src, src, #64
46 vstr d1, [dst, #56]
47 add dst, dst, #64
48- bge 1b
49+ bhs 1b
50 tst tmp2, #0x3f
51 beq .Ldone
52
53@@ -412,7 +412,7 @@ ENTRY(memcpy)
54 ldrd A_l, A_h, [src, #64]!
55 strd A_l, A_h, [dst, #64]!
56 subs tmp2, tmp2, #64
57- bge 1b
58+ bhs 1b
59 tst tmp2, #0x3f
60 bne 1f
61 ldr tmp2,[sp], #FRAME_SIZE
62@@ -482,7 +482,7 @@ ENTRY(memcpy)
63 add src, src, #32
64
65 subs tmp2, tmp2, #prefetch_lines * 64 * 2
66- blt 2f
67+ blo 2f
68 1:
69 cpy_line_vfp d3, 0
70 cpy_line_vfp d4, 64
71@@ -494,7 +494,7 @@ ENTRY(memcpy)
72 add dst, dst, #2 * 64
73 add src, src, #2 * 64
74 subs tmp2, tmp2, #prefetch_lines * 64
75- bge 1b
76+ bhs 1b
77
78 2:
79 cpy_tail_vfp d3, 0
80@@ -615,8 +615,8 @@ ENTRY(memcpy)
81 1:
82 pld [src, #(3 * 64)]
83 subs count, count, #64
84- ldrmi tmp2, [sp], #FRAME_SIZE
85- bmi .Ltail63unaligned
86+ ldrlo tmp2, [sp], #FRAME_SIZE
87+ blo .Ltail63unaligned
88 pld [src, #(4 * 64)]
89
90 #ifdef USE_NEON
91@@ -633,7 +633,7 @@ ENTRY(memcpy)
92 neon_load_multi d0-d3, src
93 neon_load_multi d4-d7, src
94 subs count, count, #64
95- bmi 2f
96+ blo 2f
97 1:
98 pld [src, #(4 * 64)]
99 neon_store_multi d0-d3, dst
100@@ -641,7 +641,7 @@ ENTRY(memcpy)
101 neon_store_multi d4-d7, dst
102 neon_load_multi d4-d7, src
103 subs count, count, #64
104- bpl 1b
105+ bhs 1b
106 2:
107 neon_store_multi d0-d3, dst
108 neon_store_multi d4-d7, dst
109--
1102.17.0
111
diff --git a/meta/recipes-core/glibc/glibc_2.30.bb b/meta/recipes-core/glibc/glibc_2.30.bb
index 7913bc2812..b674b02706 100644
--- a/meta/recipes-core/glibc/glibc_2.30.bb
+++ b/meta/recipes-core/glibc/glibc_2.30.bb
@@ -42,6 +42,11 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
42 file://0027-inject-file-assembly-directives.patch \ 42 file://0027-inject-file-assembly-directives.patch \
43 file://0028-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \ 43 file://0028-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
44 file://CVE-2019-19126.patch \ 44 file://CVE-2019-19126.patch \
45 file://CVE-2020-10029.patch \
46 file://CVE-2020-1751.patch \
47 file://CVE-2020-1752.patch \
48 file://CVE-2020-6096-1.patch \
49 file://CVE-2020-6096-2.patch \
45 " 50 "
46S = "${WORKDIR}/git" 51S = "${WORKDIR}/git"
47B = "${WORKDIR}/build-${TARGET_SYS}" 52B = "${WORKDIR}/build-${TARGET_SYS}"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-02 03:30:23 +0000