From 0892adf79c73bbfb427846670c480da0912431a2 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 20 Feb 2015 11:31:46 +0100 Subject: eglibc: CVE-2012-3406 Stack overflow in vfprintf printf() unbound alloca() usage in case of positional parameters + many format specs Changes in the NEWS and ChangeLog files from the original upstream commit have been ignored References http://www.openwall.com/lists/oss-security/2012/07/11/5 https://sourceware.org/bugzilla/show_bug.cgi?id=16617 Signed-off-by: Sona Sarmadi --- ...-3406-Stack-overflow-in-vfprintf-BZ-16617.patch | 273 +++++++++++++++++++++ meta/recipes-core/eglibc/eglibc_2.19.bb | 1 + 2 files changed, 274 insertions(+) create mode 100644 meta/recipes-core/eglibc/eglibc-2.19/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch diff --git a/meta/recipes-core/eglibc/eglibc-2.19/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch new file mode 100644 index 0000000000..c018bdd6c7 --- /dev/null +++ b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch @@ -0,0 +1,273 @@ +From a5357b7ce2a2982c5778435704bcdb55ce3667a0 Mon Sep 17 00:00:00 2001 +From: Jeff Law +Date: Mon, 15 Dec 2014 10:09:32 +0100 +Subject: [PATCH] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617] + +A larger number of format specifiers coudld cause a stack overflow, +potentially allowing to bypass _FORTIFY_SOURCE format string +protection. +--- + stdio-common/Makefile | 2 +- + stdio-common/bug23-2.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++ + stdio-common/bug23-3.c | 50 +++++++++++++++++++++++++++++++++++ + stdio-common/bug23-4.c | 31 ++++++++++++++++++++++ + stdio-common/vfprintf.c | 40 ++++++++++++++++++++++++++-- + create mode 100644 stdio-common/bug23-2.c + create mode 100644 stdio-common/bug23-3.c + create mode 100644 stdio-common/bug23-4.c + +Index: git/stdio-common/bug23-2.c +=================================================================== +--- /dev/null ++++ git/stdio-common/bug23-2.c +@@ -0,0 +1,70 @@ ++#include ++#include ++#include ++ ++static const char expected[] = "\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n"; ++ ++static int ++do_test (void) ++{ ++ char *buf = malloc (strlen (expected) + 1); ++ snprintf (buf, strlen (expected) + 1, ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n", ++ "a", "b", "c", "d", 5); ++ return strcmp (buf, expected) != 0; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +Index: git/stdio-common/bug23-3.c +=================================================================== +--- /dev/null ++++ git/stdio-common/bug23-3.c +@@ -0,0 +1,50 @@ ++#include ++#include ++#include ++ ++int ++do_test (void) ++{ ++ size_t instances = 16384; ++#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ const char *item = "\na\nabbcd55"; ++#define X3 X0 X0 X0 X0 X0 X0 X0 X0 ++#define X6 X3 X3 X3 X3 X3 X3 X3 X3 ++#define X9 X6 X6 X6 X6 X6 X6 X6 X6 ++#define X12 X9 X9 X9 X9 X9 X9 X9 X9 ++#define X14 X12 X12 X12 X12 ++#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%" ++#define TRAILER2 TRAILER TRAILER ++ size_t length = instances * strlen (item) + strlen (TRAILER) + 1; ++ ++ char *buf = malloc (length + 1); ++ snprintf (buf, length + 1, ++ X14 TRAILER2 "\n", ++ "a", "b", "c", "d", 5); ++ ++ const char *p = buf; ++ size_t i; ++ for (i = 0; i < instances; ++i) ++ { ++ const char *expected; ++ for (expected = item; *expected; ++expected) ++ { ++ if (*p != *expected) ++ { ++ printf ("mismatch at offset %zu (%zu): expected %d, got %d\n", ++ (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF); ++ return 1; ++ } ++ ++p; ++ } ++ } ++ if (strcmp (p, TRAILER "\n") != 0) ++ { ++ printf ("mismatch at trailer: [%s]\n", p); ++ return 1; ++ } ++ free (buf); ++ return 0; ++} ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +Index: git/stdio-common/bug23-4.c +=================================================================== +--- /dev/null ++++ git/stdio-common/bug23-4.c +@@ -0,0 +1,31 @@ ++#include ++#include ++#include ++#include ++ ++#define LIMIT 1000000 ++ ++int ++main (void) ++{ ++ struct rlimit lim; ++ getrlimit (RLIMIT_STACK, &lim); ++ lim.rlim_cur = 1048576; ++ setrlimit (RLIMIT_STACK, &lim); ++ char *fmtstr = malloc (4 * LIMIT + 1); ++ if (fmtstr == NULL) ++ abort (); ++ char *output = malloc (LIMIT + 1); ++ if (output == NULL) ++ abort (); ++ for (size_t i = 0; i < LIMIT; i++) ++ memcpy (fmtstr + 4 * i, "%1$d", 4); ++ fmtstr[4 * LIMIT] = '\0'; ++ int ret = snprintf (output, LIMIT + 1, fmtstr, 0); ++ if (ret != LIMIT) ++ abort (); ++ for (size_t i = 0; i < LIMIT; i++) ++ if (output[i] != '0') ++ abort (); ++ return 0; ++} +Index: git/stdio-common/vfprintf.c +=================================================================== +--- git.orig/stdio-common/vfprintf.c ++++ git/stdio-common/vfprintf.c +@@ -276,6 +276,12 @@ vfprintf (FILE *s, const CHAR_T *format, + /* For the argument descriptions, which may be allocated on the heap. */ + void *args_malloced = NULL; + ++ /* For positional argument handling. */ ++ struct printf_spec *specs; ++ ++ /* Track if we malloced the SPECS array and thus must free it. */ ++ bool specs_malloced = false; ++ + /* This table maps a character into a number representing a + class. In each step there is a destination label for each + class. */ +@@ -1699,8 +1705,8 @@ do_positional: + size_t nspecs = 0; + /* A more or less arbitrary start value. */ + size_t nspecs_size = 32 * sizeof (struct printf_spec); +- struct printf_spec *specs = alloca (nspecs_size); + ++ specs = alloca (nspecs_size); + /* The number of arguments the format string requests. This will + determine the size of the array needed to store the argument + attributes. */ +@@ -1743,11 +1749,39 @@ do_positional: + if (nspecs * sizeof (*specs) >= nspecs_size) + { + /* Extend the array of format specifiers. */ ++ if (nspecs_size * 2 < nspecs_size) ++ { ++ __set_errno (ENOMEM); ++ done = -1; ++ goto all_done; ++ } + struct printf_spec *old = specs; +- specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); ++ if (__libc_use_alloca (2 * nspecs_size)) ++ specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); ++ else ++ { ++ nspecs_size *= 2; ++ specs = malloc (nspecs_size); ++ if (specs == NULL) ++ { ++ __set_errno (ENOMEM); ++ specs = old; ++ done = -1; ++ goto all_done; ++ } ++ } + + /* Copy the old array's elements to the new space. */ + memmove (specs, old, nspecs * sizeof (*specs)); ++ ++ /* If we had previously malloc'd space for SPECS, then ++ release it after the copy is complete. */ ++ if (specs_malloced) ++ free (old); ++ ++ /* Now set SPECS_MALLOCED if needed. */ ++ if (!__libc_use_alloca (nspecs_size)) ++ specs_malloced = true; + } + + /* Parse the format specifier. */ +@@ -2068,6 +2102,8 @@ do_positional: + } + + all_done: ++ if (specs_malloced) ++ free (specs); + if (__glibc_unlikely (args_malloced != NULL)) + free (args_malloced); + if (__glibc_unlikely (workstart != NULL)) +Index: git/stdio-common/Makefile +=================================================================== +--- git.orig/stdio-common/Makefile ++++ git/stdio-common/Makefile +@@ -66,7 +66,7 @@ tests := tstscanf test_rdwr test-popen t + tst-fwrite bug16 bug17 tst-sprintf2 bug18 \ + bug19 tst-popen2 scanf14 scanf15 bug21 bug22 scanf16 scanf17 \ + tst-setvbuf1 bug23 bug24 bug-vfprintf-nargs tst-sprintf3 bug25 \ +- tst-printf-round bug26 ++ tst-printf-round bug23-2 bug23-3 bug23-4 + tests-$(OPTION_EGLIBC_LOCALE_CODE) \ + += tst-sscanf tst-swprintf test-vfprintf bug14 scanf13 tst-grouping diff --git a/meta/recipes-core/eglibc/eglibc_2.19.bb b/meta/recipes-core/eglibc/eglibc_2.19.bb index ba79f27d61..1ef1a429d2 100644 --- a/meta/recipes-core/eglibc/eglibc_2.19.bb +++ b/meta/recipes-core/eglibc/eglibc_2.19.bb @@ -27,6 +27,7 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/eglibc/eglibc-${PV}-svnr25 file://ppce6500-32b_slow_ieee754_sqrt.patch \ file://CVE-2014-5119.patch \ file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \ + file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \ " SRC_URI[md5sum] = "197836c2ba42fb146e971222647198dd" SRC_URI[sha256sum] = "baaa030531fc308f7820c46acdf8e1b2f8e3c1f40bcd28b6e440d1c95d170d4c" -- cgit v1.2.3-54-g00ecf