2 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
new file mode 100644
index 0000000000..ab513aafb5
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
@@ -0,0 +1,108 @@
+CVE-2015-1472: wscanf allocates too little memory
+BZ #16618
+Under certain conditions wscanf can allocate too little memory for the
+to-be-scanned arguments and overflow the allocated buffer.  The
+implementation now correctly computes the required buffer size when
+using malloc.
+A regression test was added to tst-sscanf.
+Upstream-Status: Backport
+The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
+[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog 2015-09-22 10:20:14.399408389 +0200
+++ b/ChangeLog 2015-09-22 10:33:07.374388595 +0200
+@@ -1,3 +1,12 @@
+2015-02-05  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+       [BZ #16618] CVE-2015-1472
+       * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
+       * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
+       size in bytes. Store needed elements in wpmax. Use needed size
+       in bytes for extend_alloca.
+
+
+ 2014-12-16  Florian Weimer  <fweimer@redhat.com>
+ 
+        [BZ #17630]
+diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
+--- a/stdio-common/tst-sscanf.c 2015-09-22 10:20:09.995596201 +0200
+++ b/stdio-common/tst-sscanf.c 2015-09-22 10:21:39.211791399 +0200
+@@ -233,5 +233,38 @@
+        }
+     }
+ 
+  /* BZ #16618
+     The test will segfault during SSCANF if the buffer overflow
+     is not fixed.  The size of `s` is such that it forces the use
+     of malloc internally and this triggers the incorrect computation.
+     Thus the value for SIZE is arbitrariy high enough that malloc
+     is used.  */
+  {
+#define SIZE 131072
+    CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
+    if (s == NULL)
+      abort ();
+    for (size_t i = 0; i < SIZE; i++)
+      s[i] = L('0');
+    s[SIZE] = L('\0');
+    int i = 42;
+    /* Scan multi-digit zero into `i`.  */
+    if (SSCANF (s, L("%d"), &i) != 1)
+      {
+       printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
+       result = 1;
+      }
+    if (i != 0)
+      {
+       printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
+       result = 1;
+      }
+    free (s);
+    if (result != 1)
+      printf ("PASS: bug16618: Did not crash.\n");
+#undef SIZE
+  }
+
+
+   return result;
+ }
+diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
+--- a/stdio-common/vfscanf.c    2015-09-22 10:20:14.051423230 +0200
+++ b/stdio-common/vfscanf.c    2015-09-22 10:21:39.215791228 +0200
+@@ -279,9 +279,10 @@
+       if (__glibc_unlikely (wpsize == wpmax))                                \
+        {                                                                   \
+          CHAR_T *old = wp;                                                 \
+-         size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax                       \
+-                           ? UCHAR_MAX + 1 : 2 * wpmax);                   \
+-         if (use_malloc || !__libc_use_alloca (newsize))                   \
+         bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
+         size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax);                   \
+         size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX;      \
+         if (!__libc_use_alloca (newsize))                                 \
+            {                                                               \
+              wp = realloc (use_malloc ? wp : NULL, newsize);               \
+              if (wp == NULL)                                               \
+@@ -293,14 +294,13 @@
+                }                                                           \
+              if (! use_malloc)                                             \
+                MEMCPY (wp, old, wpsize);                                   \
+-             wpmax = newsize;                                              \
+             wpmax = wpneed;                                               \
+              use_malloc = true;                                            \
+            }                                                               \
+          else                                                              \
+            {                                                               \
+              size_t s = wpmax * sizeof (CHAR_T);                           \
+-             wp = (CHAR_T *) extend_alloca (wp, s,                         \
+-                                            newsize * sizeof (CHAR_T));    \
+             wp = (CHAR_T *) extend_alloca (wp, s, newsize);               \
+              wpmax = s / sizeof (CHAR_T);                                  \
+              if (old != NULL)                                              \
+                MEMCPY (wp, old, wpsize);                                   \
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index a0736cdeec..cfbc1c2956 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -48,6 +48,7 @@ CVEPATCHES = "\
        file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
        file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
        file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
+        file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
    "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
      file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch new file mode 100644 index 0000000000..ab513aafb5 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
@@ -0,0 +1,108 @@
		1	CVE-2015-1472: wscanf allocates too little memory
		2
		3	BZ #16618
		4
		5	Under certain conditions wscanf can allocate too little memory for the
		6	to-be-scanned arguments and overflow the allocated buffer. The
		7	implementation now correctly computes the required buffer size when
		8	using malloc.
		9
		10	A regression test was added to tst-sscanf.
		11
		12	Upstream-Status: Backport
		13
		14	The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
		15	[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
		16
		17	diff -ruN a/ChangeLog b/ChangeLog
		18	--- a/ChangeLog 2015-09-22 10:20:14.399408389 +0200
		19	+++ b/ChangeLog 2015-09-22 10:33:07.374388595 +0200
		20	@@ -1,3 +1,12 @@
		21	+2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
		22	+
		23	+ [BZ #16618] CVE-2015-1472
		24	+ * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
		25	+ * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
		26	+ size in bytes. Store needed elements in wpmax. Use needed size
		27	+ in bytes for extend_alloca.
		28	+
		29	+
		30	2014-12-16 Florian Weimer <fweimer@redhat.com>
		31
		32	[BZ #17630]
		33	diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
		34	--- a/stdio-common/tst-sscanf.c 2015-09-22 10:20:09.995596201 +0200
		35	+++ b/stdio-common/tst-sscanf.c 2015-09-22 10:21:39.211791399 +0200
		36	@@ -233,5 +233,38 @@
		37	}
		38	}
		39
		40	+ /* BZ #16618
		41	+ The test will segfault during SSCANF if the buffer overflow
		42	+ is not fixed. The size of `s` is such that it forces the use
		43	+ of malloc internally and this triggers the incorrect computation.
		44	+ Thus the value for SIZE is arbitrariy high enough that malloc
		45	+ is used. */
		46	+ {
		47	+#define SIZE 131072
		48	+ CHAR s = malloc ((SIZE + 1) sizeof (*s));
		49	+ if (s == NULL)
		50	+ abort ();
		51	+ for (size_t i = 0; i < SIZE; i++)
		52	+ s[i] = L('0');
		53	+ s[SIZE] = L('\0');
		54	+ int i = 42;
		55	+ /* Scan multi-digit zero into `i`. */
		56	+ if (SSCANF (s, L("%d"), &i) != 1)
		57	+ {
		58	+ printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
		59	+ result = 1;
		60	+ }
		61	+ if (i != 0)
		62	+ {
		63	+ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
		64	+ result = 1;
		65	+ }
		66	+ free (s);
		67	+ if (result != 1)
		68	+ printf ("PASS: bug16618: Did not crash.\n");
		69	+#undef SIZE
		70	+ }
		71	+
		72	+
		73	return result;
		74	}
		75	diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
		76	--- a/stdio-common/vfscanf.c 2015-09-22 10:20:14.051423230 +0200
		77	+++ b/stdio-common/vfscanf.c 2015-09-22 10:21:39.215791228 +0200
		78	@@ -279,9 +279,10 @@
		79	if (__glibc_unlikely (wpsize == wpmax)) \
		80	{ \
		81	CHAR_T *old = wp; \
		82	- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
		83	- ? UCHAR_MAX + 1 : 2 * wpmax); \
		84	- if (use_malloc \|\| !__libc_use_alloca (newsize)) \
		85	+ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
		86	+ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \
		87	+ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \
		88	+ if (!__libc_use_alloca (newsize)) \
		89	{ \
		90	wp = realloc (use_malloc ? wp : NULL, newsize); \
		91	if (wp == NULL) \
		92	@@ -293,14 +294,13 @@
		93	} \
		94	if (! use_malloc) \
		95	MEMCPY (wp, old, wpsize); \
		96	- wpmax = newsize; \
		97	+ wpmax = wpneed; \
		98	use_malloc = true; \
		99	} \
		100	else \
		101	{ \
		102	size_t s = wpmax * sizeof (CHAR_T); \
		103	- wp = (CHAR_T *) extend_alloca (wp, s, \
		104	- newsize * sizeof (CHAR_T)); \
		105	+ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \
		106	wpmax = s / sizeof (CHAR_T); \
		107	if (old != NULL) \
		108	MEMCPY (wp, old, wpsize); \


diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb index a0736cdeec..cfbc1c2956 100644 --- a/meta/recipes-core/glibc/glibc_2.20.bb +++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -48,6 +48,7 @@ CVEPATCHES = "\
48	file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \	48	file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
49	file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \	49	file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
50	file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \	50	file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
		51	file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
51	"	52	"
52	LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \	53	LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
53	file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \	54	file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \