glibc: CVE-2020-1752

Backport the CVE patch from upstream: git://sourceware.org/git/glibc.git commit ddc650e9b3dc916eab417ce9f79e67337b05035c (From OE-Core rev: 50b04216e47b1bf0da8170c7fd62d18a07d10152) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Zhixiong Chi <zhixiong.chi@windriver.com> 2020-05-12 01:37:24 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-06-02 13:32:49 +0100
commit: 786a0678db5471e4db6509fc875097b54ba8b8aa (patch)
tree: a96128fde3e75988e1a78c96d92744611a5ada64
parent: 45c9f45b85df9c73e00dc653a99b49360889cbba (diff)
download: poky-786a0678db5471e4db6509fc875097b54ba8b8aa.tar.gz
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch
new file mode 100644
index 0000000000..6c347cd414
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch
@@ -0,0 +1,66 @@
+From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Wed, 19 Feb 2020 17:21:46 +0100
+Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
+The value of `end_name' points into the value of `dirname', thus don't
+deallocate the latter before the last use of the former.
+CVE: CVE-2020-1752
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ posix/glob.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+diff --git a/posix/glob.c b/posix/glob.c
+index cba9cd1819..4580cefb9f 100644
+--- a/posix/glob.c
+++ b/posix/glob.c
+@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+              {
+                size_t home_len = strlen (p->pw_dir);
+                size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+-               char *d;
+               char *d, *newp;
+               bool use_alloca = glob_use_alloca (alloca_used,
+                                                  home_len + rest_len + 1);
+ 
+-               if (__glibc_unlikely (malloc_dirname))
+-                 free (dirname);
+-               malloc_dirname = 0;
+-
+-               if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
+-                 dirname = alloca_account (home_len + rest_len + 1,
+-                                           alloca_used);
+               if (use_alloca)
+                 newp = alloca_account (home_len + rest_len + 1, alloca_used);
+                else
+                  {
+-                   dirname = malloc (home_len + rest_len + 1);
+-                   if (dirname == NULL)
+                   newp = malloc (home_len + rest_len + 1);
+                   if (newp == NULL)
+                      {
+                        scratch_buffer_free (&pwtmpbuf);
+                        retval = GLOB_NOSPACE;
+                        goto out;
+                      }
+-                   malloc_dirname = 1;
+                  }
+-               d = mempcpy (dirname, p->pw_dir, home_len);
+               d = mempcpy (newp, p->pw_dir, home_len);
+                if (end_name != NULL)
+                  d = mempcpy (d, end_name, rest_len);
+                *d = '\0';
+ 
+               if (__glibc_unlikely (malloc_dirname))
+                 free (dirname);
+               dirname = newp;
+               malloc_dirname = !use_alloca;
+
+                dirlen = home_len + rest_len;
+                dirname_modified = 1;
+              }
+-- 
+2.18.2
diff --git a/meta/recipes-core/glibc/glibc_2.30.bb b/meta/recipes-core/glibc/glibc_2.30.bb
index 84a6538ea1..e9286b6b49 100644
--- a/meta/recipes-core/glibc/glibc_2.30.bb
+++ b/meta/recipes-core/glibc/glibc_2.30.bb
@@ -44,6 +44,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://CVE-2019-19126.patch \
           file://CVE-2020-10029.patch \
           file://CVE-2020-1751.patch \
+           file://CVE-2020-1752.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Zhixiong Chi <zhixiong.chi@windriver.com>	2020-05-12 01:37:24 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-06-02 13:32:49 +0100
commit	786a0678db5471e4db6509fc875097b54ba8b8aa (patch)
tree	a96128fde3e75988e1a78c96d92744611a5ada64
parent	45c9f45b85df9c73e00dc653a99b49360889cbba (diff)
download	poky-786a0678db5471e4db6509fc875097b54ba8b8aa.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch new file mode 100644 index 0000000000..6c347cd414 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch
@@ -0,0 +1,66 @@
		1	From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
		2	From: Andreas Schwab <schwab@suse.de>
		3	Date: Wed, 19 Feb 2020 17:21:46 +0100
		4	Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
		5
		6	The value of `end_name' points into the value of `dirname', thus don't
		7	deallocate the latter before the last use of the former.
		8
		9	CVE: CVE-2020-1752
		10	Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
		11	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		12	---
		13	posix/glob.c \| 25 +++++++++++++------------
		14	1 file changed, 13 insertions(+), 12 deletions(-)
		15
		16	diff --git a/posix/glob.c b/posix/glob.c
		17	index cba9cd1819..4580cefb9f 100644
		18	--- a/posix/glob.c
		19	+++ b/posix/glob.c
		20	@@ -827,31 +827,32 @@ __glob (const char pattern, int flags, int (errfunc) (const char *, int),
		21	{
		22	size_t home_len = strlen (p->pw_dir);
		23	size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
		24	- char *d;
		25	+ char d, newp;
		26	+ bool use_alloca = glob_use_alloca (alloca_used,
		27	+ home_len + rest_len + 1);
		28
		29	- if (__glibc_unlikely (malloc_dirname))
		30	- free (dirname);
		31	- malloc_dirname = 0;
		32	-
		33	- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
		34	- dirname = alloca_account (home_len + rest_len + 1,
		35	- alloca_used);
		36	+ if (use_alloca)
		37	+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
		38	else
		39	{
		40	- dirname = malloc (home_len + rest_len + 1);
		41	- if (dirname == NULL)
		42	+ newp = malloc (home_len + rest_len + 1);
		43	+ if (newp == NULL)
		44	{
		45	scratch_buffer_free (&pwtmpbuf);
		46	retval = GLOB_NOSPACE;
		47	goto out;
		48	}
		49	- malloc_dirname = 1;
		50	}
		51	- d = mempcpy (dirname, p->pw_dir, home_len);
		52	+ d = mempcpy (newp, p->pw_dir, home_len);
		53	if (end_name != NULL)
		54	d = mempcpy (d, end_name, rest_len);
		55	*d = '\0';
		56
		57	+ if (__glibc_unlikely (malloc_dirname))
		58	+ free (dirname);
		59	+ dirname = newp;
		60	+ malloc_dirname = !use_alloca;
		61	+
		62	dirlen = home_len + rest_len;
		63	dirname_modified = 1;
		64	}
		65	--
		66	2.18.2


diff --git a/meta/recipes-core/glibc/glibc_2.30.bb b/meta/recipes-core/glibc/glibc_2.30.bb index 84a6538ea1..e9286b6b49 100644 --- a/meta/recipes-core/glibc/glibc_2.30.bb +++ b/meta/recipes-core/glibc/glibc_2.30.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
44	file://CVE-2019-19126.patch \	44	file://CVE-2019-19126.patch \
45	file://CVE-2020-10029.patch \	45	file://CVE-2020-10029.patch \
46	file://CVE-2020-1751.patch \	46	file://CVE-2020-1751.patch \
		47	file://CVE-2020-1752.patch \
47	"	48	"
48	S = "${WORKDIR}/git"	49	S = "${WORKDIR}/git"
49	B = "${WORKDIR}/build-${TARGET_SYS}"	50	B = "${WORKDIR}/build-${TARGET_SYS}"