
glibc: remove unused CVE patches

They were CVEs and should already be in the source after the upgrade.

(From OE-Core rev: e8a5332d467434ee65e0f29927abb9c51b025aff)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Robert Yang
2016-04-05 23:58:44 -07:00
committed by Richard Purdie
parent b050ab2224
commit ef163aba20
5 changed files with 0 additions and 1964 deletions
@@ -1,155 +0,0 @@
From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sat, 26 Sep 2015 13:27:48 -0700
Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
segfault
Upstream-Status: Backport
CVE: CVE-2015-8776
[Yocto # 8980]
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 8 ++++++++
NEWS | 2 +-
time/strftime_l.c | 20 +++++++++++++-------
time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
4 files changed, 73 insertions(+), 9 deletions(-)
Index: git/ChangeLog
===================================================================
--- git.orig/ChangeLog
+++ git/ChangeLog
@@ -1,3 +1,11 @@
+2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #18985]
+ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
+ (__strftime_internal): Likewise.
+ * time/tst-strftime.c (do_bz18985): New test.
+ (do_test): Call it.
+
2015-12-04 Joseph Myers <joseph@codesourcery.com>
[BZ #16961]
Index: git/time/strftime_l.c
===================================================================
--- git.orig/time/strftime_l.c
+++ git/time/strftime_l.c
@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
only a few elements. Dereference the pointers only if the format
requires this. Then it is ok to fail if the pointers are invalid. */
# define a_wkday \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
# define f_wkday \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
# define a_month \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
# define f_month \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
# define ampm \
((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
? NLW(PM_STR) : NLW(AM_STR)))
@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
# define ap_len STRLEN (ampm)
#else
# if !HAVE_STRFTIME
-# define f_wkday (weekday_name[tp->tm_wday])
-# define f_month (month_name[tp->tm_mon])
+# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
+ ? "?" : weekday_name[tp->tm_wday])
+# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
+ ? "?" : month_name[tp->tm_mon])
# define a_wkday f_wkday
# define a_month f_month
# define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
*tzset_called = true;
}
# endif
- zone = tzname[tp->tm_isdst];
+ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
}
#endif
if (! zone)
Index: git/time/tst-strftime.c
===================================================================
--- git.orig/time/tst-strftime.c
+++ git/time/tst-strftime.c
@@ -4,6 +4,56 @@
#include <time.h>
+static int
+do_bz18985 (void)
+{
+ char buf[1000];
+ struct tm ttm;
+ int rc, ret = 0;
+
+ memset (&ttm, 1, sizeof (ttm));
+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+
+ if (rc == 66)
+ {
+ const char expected[]
+ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
+ if (0 != strcmp (buf, expected))
+ {
+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
+ ret += 1;
+ }
+ }
+ else
+ {
+ printf ("expected 66, got %d\n", rc);
+ ret += 1;
+ }
+
+ /* Check negative values as well. */
+ memset (&ttm, 0xFF, sizeof (ttm));
+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+
+ if (rc == 30)
+ {
+ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
+ if (0 != strcmp (buf, expected))
+ {
+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
+ ret += 1;
+ }
+ }
+ else
+ {
+ printf ("expected 30, got %d\n", rc);
+ ret += 1;
+ }
+
+ return ret;
+}
+
static struct
{
const char *fmt;
@@ -104,7 +154,7 @@ do_test (void)
}
}
- return result;
+ return result + do_bz18985 ();
}
#define TEST_FUNCTION do_test ()
@@ -1,123 +0,0 @@
From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 15 Oct 2015 09:23:07 +0200
Subject: [PATCH] Always enable pointer guard [BZ #18928]
Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
has security implications. This commit enables pointer guard
unconditionally, and the environment variable is now ignored.
[BZ #18928]
* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
_dl_pointer_guard member.
* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
initializer.
(security_init): Always set up pointer guard.
(process_envvars): Do not process LD_POINTER_GUARD.
Upstream-Status: Backport
CVE: CVE-2015-8777
[Yocto # 8980]
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 10 ++++++++++
NEWS | 13 ++++++++-----
elf/rtld.c | 15 ++++-----------
sysdeps/generic/ldsodefs.h | 3 ---
4 files changed, 22 insertions(+), 19 deletions(-)
Index: git/ChangeLog
===================================================================
--- git.orig/ChangeLog
+++ git/ChangeLog
@@ -1,3 +1,14 @@
+2015-10-15 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
+
2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com>
[BZ #18778]
Index: git/NEWS
===================================================================
--- git.orig/NEWS
+++ git/NEWS
@@ -34,7 +34,10 @@ Version 2.22
18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
- 18657, 18676, 18694, 18696.
+ 18657, 18676, 18694, 18696, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+ disable the pointer guard feature. It is always enabled.
* Cache information can be queried via sysconf() function on s390 e.g. with
_SC_LEVEL1_ICACHE_SIZE as argument.
Index: git/elf/rtld.c
===================================================================
--- git.orig/elf/rtld.c
+++ git/elf/rtld.c
@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
._dl_hwcap_mask = HWCAP_IMPORTANT,
._dl_lazy = 1,
._dl_fpu_control = _FPU_DEFAULT,
- ._dl_pointer_guard = 1,
._dl_pagesize = EXEC_PAGESIZE,
._dl_inhibit_cache = 0,
@@ -710,15 +709,12 @@ security_init (void)
#endif
/* Set up the pointer guard as well, if necessary. */
- if (GLRO(dl_pointer_guard))
- {
- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
- stack_chk_guard);
+ uintptr_t pointer_chk_guard
+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
#ifdef THREAD_SET_POINTER_GUARD
- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
#endif
- __pointer_chk_guard_local = pointer_chk_guard;
- }
+ __pointer_chk_guard_local = pointer_chk_guard;
/* We do not need the _dl_random value anymore. The less
information we leave behind, the better, so clear the
@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
break;
}
-
- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
- GLRO(dl_pointer_guard) = envline[14] != '0';
break;
case 14:
Index: git/sysdeps/generic/ldsodefs.h
===================================================================
--- git.orig/sysdeps/generic/ldsodefs.h
+++ git/sysdeps/generic/ldsodefs.h
@@ -600,9 +600,6 @@ struct rtld_global_ro
/* List of auditing interfaces. */
struct audit_ifaces *_dl_audit;
unsigned int _dl_naudit;
-
- /* 0 if internal pointer values should not be guarded, 1 if they should. */
- EXTERN int _dl_pointer_guard;
};
# define __rtld_global_attribute__
# if IS_IN (rtld)
@@ -1,262 +0,0 @@
From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sat, 8 Aug 2015 15:53:03 -0700
Subject: [PATCH] Fix BZ #17905
Upstream-Status: Backport
CVE: CVE-2015-8779
[Yocto # 8980]
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 8 ++++++++
NEWS | 2 +-
catgets/Makefile | 9 ++++++++-
catgets/catgets.c | 19 ++++++++++++-------
catgets/open_catalog.c | 23 ++++++++++++++---------
catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++
6 files changed, 74 insertions(+), 18 deletions(-)
Index: git/catgets/Makefile
===================================================================
--- git.orig/catgets/Makefile
+++ git/catgets/Makefile
@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
ifeq ($(run-built-tests),yes)
tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
$(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
+tests-special += $(objpfx)tst-catgets-mem.out
endif
endif
gencat-modules = xmalloc
@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
test-gencat.h
+generated += tst-catgets.mtrace tst-catgets-mem.out
+
generated-dirs += de
-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
ifeq ($(run-built-tests),yes)
# This test just checks whether the program produces any error or not.
@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
$(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
$(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
$(evaluate-test)
+
+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
+ $(evaluate-test)
endif
Index: git/catgets/catgets.c
===================================================================
--- git.orig/catgets/catgets.c
+++ git/catgets/catgets.c
@@ -16,7 +16,6 @@
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
-#include <alloca.h>
#include <errno.h>
#include <locale.h>
#include <nl_types.h>
@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
__nl_catd result;
const char *env_var = NULL;
const char *nlspath = NULL;
+ char *tmp = NULL;
if (strchr (cat_name, '/') == NULL)
{
@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
{
/* Append the system dependent directory. */
size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
- char *tmp = alloca (len);
+ tmp = malloc (len);
+
+ if (__glibc_unlikely (tmp == NULL))
+ return (nl_catd) -1;
__stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
nlspath = tmp;
@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
result = (__nl_catd) malloc (sizeof (*result));
if (result == NULL)
- /* We cannot get enough memory. */
- return (nl_catd) -1;
-
- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+ {
+ /* We cannot get enough memory. */
+ result = (nl_catd) -1;
+ }
+ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
{
/* Couldn't open the file. */
free ((void *) result);
- return (nl_catd) -1;
+ result = (nl_catd) -1;
}
+ free (tmp);
return (nl_catd) result;
}
Index: git/catgets/open_catalog.c
===================================================================
--- git.orig/catgets/open_catalog.c
+++ git/catgets/open_catalog.c
@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
size_t tab_size;
const char *lastp;
int result = -1;
+ char *buf = NULL;
if (strchr (cat_name, '/') != NULL || nlspath == NULL)
fd = open_not_cancel_2 (cat_name, O_RDONLY);
@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
if (__glibc_unlikely (bufact + (n) >= bufmax)) \
{ \
char *old_buf = buf; \
- bufmax += 256 + (n); \
- buf = (char *) alloca (bufmax); \
- memcpy (buf, old_buf, bufact); \
+ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
+ buf = realloc (buf, bufmax); \
+ if (__glibc_unlikely (buf == NULL)) \
+ { \
+ free (old_buf); \
+ return -1; \
+ } \
}
/* The RUN_NLSPATH variable contains a colon separated list of
descriptions where we expect to find catalogs. We have to
recognize certain % substitutions and stop when we found the
first existing file. */
- char *buf;
size_t bufact;
- size_t bufmax;
+ size_t bufmax = 0;
size_t len;
- buf = NULL;
- bufmax = 0;
-
fd = -1;
while (*run_nlspath != '\0')
{
@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
/* Avoid dealing with directories and block devices */
if (__builtin_expect (fd, 0) < 0)
- return -1;
+ {
+ free (buf);
+ return -1;
+ }
if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
goto close_unlock_return;
@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
/* Release the lock again. */
close_unlock_return:
close_not_cancel_no_status (fd);
+ free (buf);
return result;
}
Index: git/catgets/tst-catgets.c
===================================================================
--- git.orig/catgets/tst-catgets.c
+++ git/catgets/tst-catgets.c
@@ -1,7 +1,10 @@
+#include <assert.h>
#include <mcheck.h>
#include <nl_types.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
+#include <sys/resource.h>
static const char *msgs[] =
@@ -12,6 +15,33 @@ static const char *msgs[] =
};
#define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
+
+/* Test for unbounded alloca. */
+static int
+do_bz17905 (void)
+{
+ char *buf;
+ struct rlimit rl;
+ nl_catd result;
+
+ const int sz = 1024 * 1024;
+
+ getrlimit (RLIMIT_STACK, &rl);
+ rl.rlim_cur = sz;
+ setrlimit (RLIMIT_STACK, &rl);
+
+ buf = malloc (sz + 1);
+ memset (buf, 'A', sz);
+ buf[sz] = '\0';
+ setenv ("NLSPATH", buf, 1);
+
+ result = catopen (buf, NL_CAT_LOCALE);
+ assert (result == (nl_catd) -1);
+
+ free (buf);
+ return 0;
+}
+
#define ROUNDS 5
static int
@@ -62,6 +92,7 @@ do_test (void)
}
}
+ result += do_bz17905 ();
return result;
}
Index: git/ChangeLog
===================================================================
--- git.orig/ChangeLog
+++ git/ChangeLog
@@ -1,3 +1,11 @@
+2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17905]
+ * catgets/Makefile (tst-catgets-mem): New test.
+ * catgets/catgets.c (catopen): Don't use unbounded alloca.
+ * catgets/open_catalog.c (__open_catalog): Likewise.
+ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
+
2015-10-15 Florian Weimer <fweimer@redhat.com>
[BZ #18928]
Index: git/NEWS
===================================================================
--- git.orig/NEWS
+++ git/NEWS
@@ -9,7 +9,7 @@ Version 2.22.1
* The following bugs are resolved with this release:
- 18778, 18781, 18787.
+ 18778, 18781, 18787, 17905.
Version 2.22
@@ -1,385 +0,0 @@
From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17 00:00:00 2001
From: Joseph Myers <joseph@codesourcery.com>
Date: Fri, 4 Dec 2015 20:36:28 +0000
Subject: [PATCH] Fix nan functions handling of payload strings (bug 16961, bug
16962).
The nan, nanf and nanl functions handle payload strings by doing e.g.:
if (tagp[0] != '\0')
{
char buf[6 + strlen (tagp)];
sprintf (buf, "NAN(%s)", tagp);
return strtod (buf, NULL);
}
This is an unbounded stack allocation based on the length of the
argument. Furthermore, if the argument starts with an n-char-sequence
followed by ')', that n-char-sequence is wrongly treated as
significant for determining the payload of the resulting NaN, when ISO
C says the call should be equivalent to strtod ("NAN", NULL), without
being affected by that initial n-char-sequence. This patch fixes both
those problems by using the __strtod_nan etc. functions recently
factored out of strtod etc. for that purpose, with those functions
being exported from libc at version GLIBC_PRIVATE.
Tested for x86_64, x86, mips64 and powerpc.
[BZ #16961]
[BZ #16962]
* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
string on the stack for strtod.
* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
a string on the stack for strtof.
* math/s_nanl.c (__nanl): Use __strtold_nan instead of
constructing a string on the stack for strtold.
* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
__strtold_nan to GLIBC_PRIVATE.
* math/test-nan-overflow.c: New file.
* math/test-nan-payload.c: Likewise.
* math/Makefile (tests): Add test-nan-overflow and
test-nan-payload.
Upstream-Status: Backport
CVE: CVE-2015-9761 patch #2
[Yocto # 8980]
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 17 +++++++
NEWS | 6 +++
math/Makefile | 3 +-
math/s_nan.c | 9 +---
math/s_nanf.c | 9 +---
math/s_nanl.c | 9 +---
math/test-nan-overflow.c | 66 +++++++++++++++++++++++++
math/test-nan-payload.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++
stdlib/Versions | 1 +
9 files changed, 217 insertions(+), 25 deletions(-)
create mode 100644 math/test-nan-overflow.c
create mode 100644 math/test-nan-payload.c
Index: git/ChangeLog
===================================================================
--- git.orig/ChangeLog
+++ git/ChangeLog
@@ -1,3 +1,20 @@
+2015-12-04 Joseph Myers <joseph@codesourcery.com>
+
+ [BZ #16961]
+ [BZ #16962]
+ * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
+ string on the stack for strtod.
+ * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
+ a string on the stack for strtof.
+ * math/s_nanl.c (__nanl): Use __strtold_nan instead of
+ constructing a string on the stack for strtold.
+ * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
+ __strtold_nan to GLIBC_PRIVATE.
+ * math/test-nan-overflow.c: New file.
+ * math/test-nan-payload.c: Likewise.
+ * math/Makefile (tests): Add test-nan-overflow and
+ test-nan-payload.
+
2015-11-24 Joseph Myers <joseph@codesourcery.com>
* stdlib/strtod_nan.c: New file.
Index: git/NEWS
===================================================================
--- git.orig/NEWS
+++ git/NEWS
@@ -99,6 +99,12 @@ Version 2.22
Version 2.21
+Security related changes:
+
+* The nan, nanf and nanl functions no longer have unbounded stack usage
+ depending on the length of the string passed as an argument to the
+ functions. Reported by Joseph Myers.
+
* The following bugs are resolved with this release:
6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498,
Index: git/math/Makefile
===================================================================
--- git.orig/math/Makefile
+++ git/math/Makefile
@@ -110,6 +110,7 @@ tests = test-matherr test-fenv atest-exp
test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \
test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \
test-fenv-tls test-fenv-preserve test-fenv-return test-fenvinline \
+ test-nan-overflow test-nan-payload \
$(tests-static)
tests-static = test-fpucw-static test-fpucw-ieee-static
# We do the `long double' tests only if this data type is available and
Index: git/math/s_nan.c
===================================================================
--- git.orig/math/s_nan.c
+++ git/math/s_nan.c
@@ -28,14 +28,7 @@
double
__nan (const char *tagp)
{
- if (tagp[0] != '\0')
- {
- char buf[6 + strlen (tagp)];
- sprintf (buf, "NAN(%s)", tagp);
- return strtod (buf, NULL);
- }
-
- return NAN;
+ return __strtod_nan (tagp, NULL, 0);
}
weak_alias (__nan, nan)
#ifdef NO_LONG_DOUBLE
Index: git/math/s_nanf.c
===================================================================
--- git.orig/math/s_nanf.c
+++ git/math/s_nanf.c
@@ -28,13 +28,6 @@
float
__nanf (const char *tagp)
{
- if (tagp[0] != '\0')
- {
- char buf[6 + strlen (tagp)];
- sprintf (buf, "NAN(%s)", tagp);
- return strtof (buf, NULL);
- }
-
- return NAN;
+ return __strtof_nan (tagp, NULL, 0);
}
weak_alias (__nanf, nanf)
Index: git/math/s_nanl.c
===================================================================
--- git.orig/math/s_nanl.c
+++ git/math/s_nanl.c
@@ -28,13 +28,6 @@
long double
__nanl (const char *tagp)
{
- if (tagp[0] != '\0')
- {
- char buf[6 + strlen (tagp)];
- sprintf (buf, "NAN(%s)", tagp);
- return strtold (buf, NULL);
- }
-
- return NAN;
+ return __strtold_nan (tagp, NULL, 0);
}
weak_alias (__nanl, nanl)
Index: git/math/test-nan-overflow.c
===================================================================
--- /dev/null
+++ git/math/test-nan-overflow.c
@@ -0,0 +1,66 @@
+/* Test nan functions stack overflow (bug 16962).
+ Copyright (C) 2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <math.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/resource.h>
+
+#define STACK_LIM 1048576
+#define STRING_SIZE (2 * STACK_LIM)
+
+static int
+do_test (void)
+{
+ int result = 0;
+ struct rlimit lim;
+ getrlimit (RLIMIT_STACK, &lim);
+ lim.rlim_cur = STACK_LIM;
+ setrlimit (RLIMIT_STACK, &lim);
+ char *nanstr = malloc (STRING_SIZE);
+ if (nanstr == NULL)
+ {
+ puts ("malloc failed, cannot test");
+ return 77;
+ }
+ memset (nanstr, '0', STRING_SIZE - 1);
+ nanstr[STRING_SIZE - 1] = 0;
+#define NAN_TEST(TYPE, FUNC) \
+ do \
+ { \
+ char *volatile p = nanstr; \
+ volatile TYPE v = FUNC (p); \
+ if (isnan (v)) \
+ puts ("PASS: " #FUNC); \
+ else \
+ { \
+ puts ("FAIL: " #FUNC); \
+ result = 1; \
+ } \
+ } \
+ while (0)
+ NAN_TEST (float, nanf);
+ NAN_TEST (double, nan);
+#ifndef NO_LONG_DOUBLE
+ NAN_TEST (long double, nanl);
+#endif
+ return result;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
Index: git/math/test-nan-payload.c
===================================================================
--- /dev/null
+++ git/math/test-nan-payload.c
@@ -0,0 +1,122 @@
+/* Test nan functions payload handling (bug 16961).
+ Copyright (C) 2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <float.h>
+#include <math.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* Avoid built-in functions. */
+#define WRAP_NAN(FUNC, STR) \
+ ({ const char *volatile wns = (STR); FUNC (wns); })
+#define WRAP_STRTO(FUNC, STR) \
+ ({ const char *volatile wss = (STR); FUNC (wss, NULL); })
+
+#define CHECK_IS_NAN(TYPE, A) \
+ do \
+ { \
+ if (isnan (A)) \
+ puts ("PASS: " #TYPE " " #A); \
+ else \
+ { \
+ puts ("FAIL: " #TYPE " " #A); \
+ result = 1; \
+ } \
+ } \
+ while (0)
+
+#define CHECK_SAME_NAN(TYPE, A, B) \
+ do \
+ { \
+ if (memcmp (&(A), &(B), sizeof (A)) == 0) \
+ puts ("PASS: " #TYPE " " #A " = " #B); \
+ else \
+ { \
+ puts ("FAIL: " #TYPE " " #A " = " #B); \
+ result = 1; \
+ } \
+ } \
+ while (0)
+
+#define CHECK_DIFF_NAN(TYPE, A, B) \
+ do \
+ { \
+ if (memcmp (&(A), &(B), sizeof (A)) != 0) \
+ puts ("PASS: " #TYPE " " #A " != " #B); \
+ else \
+ { \
+ puts ("FAIL: " #TYPE " " #A " != " #B); \
+ result = 1; \
+ } \
+ } \
+ while (0)
+
+/* Cannot test payloads by memcmp for formats where NaNs have padding
+ bits. */
+#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106)
+
+#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG) \
+ do \
+ { \
+ TYPE n123 = WRAP_NAN (FUNC, "123"); \
+ CHECK_IS_NAN (TYPE, n123); \
+ TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)"); \
+ CHECK_IS_NAN (TYPE, s123); \
+ TYPE n456 = WRAP_NAN (FUNC, "456"); \
+ CHECK_IS_NAN (TYPE, n456); \
+ TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)"); \
+ CHECK_IS_NAN (TYPE, s456); \
+ TYPE n123x = WRAP_NAN (FUNC, "123)"); \
+ CHECK_IS_NAN (TYPE, n123x); \
+ TYPE nemp = WRAP_NAN (FUNC, ""); \
+ CHECK_IS_NAN (TYPE, nemp); \
+ TYPE semp = WRAP_STRTO (SFUNC, "NAN()"); \
+ CHECK_IS_NAN (TYPE, semp); \
+ TYPE sx = WRAP_STRTO (SFUNC, "NAN"); \
+ CHECK_IS_NAN (TYPE, sx); \
+ if (CAN_TEST_EQ (MANT_DIG)) \
+ CHECK_SAME_NAN (TYPE, n123, s123); \
+ if (CAN_TEST_EQ (MANT_DIG)) \
+ CHECK_SAME_NAN (TYPE, n456, s456); \
+ if (CAN_TEST_EQ (MANT_DIG)) \
+ CHECK_SAME_NAN (TYPE, nemp, semp); \
+ if (CAN_TEST_EQ (MANT_DIG)) \
+ CHECK_SAME_NAN (TYPE, n123x, sx); \
+ CHECK_DIFF_NAN (TYPE, n123, n456); \
+ CHECK_DIFF_NAN (TYPE, n123, nemp); \
+ CHECK_DIFF_NAN (TYPE, n123, n123x); \
+ CHECK_DIFF_NAN (TYPE, n456, nemp); \
+ CHECK_DIFF_NAN (TYPE, n456, n123x); \
+ } \
+ while (0)
+
+static int
+do_test (void)
+{
+ int result = 0;
+ RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG);
+ RUN_TESTS (double, strtod, nan, DBL_MANT_DIG);
+#ifndef NO_LONG_DOUBLE
+ RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG);
+#endif
+ return result;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
Index: git/stdlib/Versions
===================================================================
--- git.orig/stdlib/Versions
+++ git/stdlib/Versions
@@ -118,5 +118,6 @@ libc {
# Used from other libraries
__libc_secure_getenv;
__call_tls_dtors;
+ __strtof_nan; __strtod_nan; __strtold_nan;
}
}