Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2023-4911.patch | 63 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.31.bb | 1 |
2 files changed, 64 insertions, 0 deletions
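--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
@@ -0,0 +1,63 @@
+From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Mon, 11 Sep 2023 18:53:15 -0400
+Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+---
+Changes from v1:
+
+- Also null-terminate tunestr before exiting.
+
+elf/dl-tunables.c | 17 ++++++++++-------
+1 file changed, 10 insertions(+), 7 deletions(-)
+
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+CVE: CVE-2023-4911
+
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8e7ee9df10..76cf8b9da3 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
+/* If we reach the end of the string before getting a valid name-value
+pair, bail out. */
+if (p[len] == '\0')
+- {
+- if (__libc_enable_secure)
+- tunestr[off] = '\0';
+- return;
+- }
++ break;
+
+/* We did not find a valid name-value pair before encountering the
+colon. */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
+}
+}
+
+- if (p[len] != '\0')
+- p += len + 1;
++ /* We reached the end while processing the tunable string. */
++ if (p[len] == '\0')
++ break;
++
++ p += len + 1;
+}
++
++ /* Terminate tunestr before we leave. */
++ if (__libc_enable_secure)
++ tunestr[off] = '\0';
+}
+#endif
+
+--
+2.41.0
+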
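Review bot: The backport's provenance is not pinned: `Upstream-Status: Backport [git://sourceware.org/git/glibc.git]` names only the repository, and the `[PATCH v2]` subject with its "Changes from v1" note suggests the text came from a mailing-list revision rather than the commit that landed. For a fix to an out-of-bounds write in `parse_tunables` on the `__libc_enable_secure` path, I would cite the exact upstream commit, e.g. `Upstream-Status: Backport [<upstream commit URL>]`, and add the backporter's `Signed-off-by:` so the result can be diffed against upstream. The patch changes only `elf/dl-tunables.c`; if the upstream commit carries a regression test for the `name=name=val` input, carry it too or say why it was dropped. `parse_tunables` is only partly visible in these hunks, so whether `off` stays inside `tunestr` on every path to the final `tunestr[off] = '\0'` cannot be confirmed from here.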
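--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -80,6 +80,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
 file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \
 file://CVE-2023-0687.patch \
+file://CVE-2023-4911.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"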