Diffstat (limited to 'meta/recipes-core/glibc')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch | 108 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.20.bb | 1 |
2 files changed, 109 insertions, 0 deletions
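--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
@@ -0,0 +1,108 @@
+CVE-2015-1472: wscanf allocates too little memory
+
+BZ #16618
+
+Under certain conditions wscanf can allocate too little memory for the
+to-be-scanned arguments and overflow the allocated buffer. The
+implementation now correctly computes the required buffer size when
+using malloc.
+
+A regression test was added to tst-sscanf.
+
+Upstream-Status: Backport
+
+The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
+[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
+
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog 2015-09-22 10:20:14.399408389 +0200
++++ b/ChangeLog 2015-09-22 10:33:07.374388595 +0200
+@@ -1,3 +1,12 @@
++2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
++
++ [BZ #16618] CVE-2015-1472
++ * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
++ * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
++ size in bytes. Store needed elements in wpmax. Use needed size
++ in bytes for extend_alloca.
++
++
+2014-12-16 Florian Weimer <fweimer@redhat.com>
+
+[BZ #17630]
+diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
+--- a/stdio-common/tst-sscanf.c 2015-09-22 10:20:09.995596201 +0200
++++ b/stdio-common/tst-sscanf.c 2015-09-22 10:21:39.211791399 +0200
+@@ -233,5 +233,38 @@
+}
+}
+
++ /* BZ #16618
++ The test will segfault during SSCANF if the buffer overflow
++ is not fixed. The size of `s` is such that it forces the use
++ of malloc internally and this triggers the incorrect computation.
++ Thus the value for SIZE is arbitrariy high enough that malloc
++ is used. */
++ {
++#define SIZE 131072
++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
++ if (s == NULL)
++ abort ();
++ for (size_t i = 0; i < SIZE; i++)
++ s[i] = L('0');
++ s[SIZE] = L('\0');
++ int i = 42;
++ /* Scan multi-digit zero into `i`. */
++ if (SSCANF (s, L("%d"), &i) != 1)
++ {
++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
++ result = 1;
++ }
++ if (i != 0)
++ {
++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
++ result = 1;
++ }
++ free (s);
++ if (result != 1)
++ printf ("PASS: bug16618: Did not crash.\n");
++#undef SIZE
++ }
++
++
+return result;
+}
+diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
+--- a/stdio-common/vfscanf.c 2015-09-22 10:20:14.051423230 +0200
++++ b/stdio-common/vfscanf.c 2015-09-22 10:21:39.215791228 +0200
+@@ -279,9 +279,10 @@
+if (__glibc_unlikely (wpsize == wpmax)) \
+{ \
+CHAR_T *old = wp; \
+- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
+- ? UCHAR_MAX + 1 : 2 * wpmax); \
+- if (use_malloc || !__libc_use_alloca (newsize)) \
++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \
++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \
++ if (!__libc_use_alloca (newsize)) \
+{ \
+wp = realloc (use_malloc ? wp : NULL, newsize); \
+if (wp == NULL) \
+@@ -293,14 +294,13 @@
+} \
+if (! use_malloc) \
+MEMCPY (wp, old, wpsize); \
+- wpmax = newsize; \
++ wpmax = wpneed; \
+use_malloc = true; \
+} \
+else \
+{ \
+size_t s = wpmax * sizeof (CHAR_T); \
+- wp = (CHAR_T *) extend_alloca (wp, s, \
+- newsize * sizeof (CHAR_T)); \
++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \
+wpmax = s / sizeof (CHAR_T); \
+if (old != NULL) \
+MEMCPY (wp, old, wpsize); \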
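Review bot: In the stdio-common/vfscanf.c hunk the new test `if (!__libc_use_alloca (newsize))` no longer looks at `use_malloc`, so the `extend_alloca` branch is now guarded only by the size check, even when `wp` already points at a heap buffer. That is presumably safe because `newsize` only grows once the buffer has moved to the heap, but nothing in the macro states it, and a wrong assumption here would mix stack and heap ownership of `wp`. I would add a comment above the test such as `/* Once use_malloc is set newsize only grows, so __libc_use_alloca stays false and the alloca branch is never taken for a heap buffer. */`. The macro begins and ends outside the hunks shown, so this should be confirmed against the full function.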
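--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -48,6 +48,7 @@ CVEPATCHES = "\
 file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
 file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
 file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
+file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
 "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
 file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \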