aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2019-02-11 22:40:10 +0200
committerEfraim Flashner <efraim@flashner.co.il>2019-02-12 09:08:13 +0200
commitc86b5f1b9bdfdd478ba15804f9343feb8d9c019b (patch)
tree2e6255e7f1c468758f37fe6f5bb446981f0f8265 /gnu/packages
parentd4c95a237ce4af1fc0278f8b2af2ebfb07e86275 (diff)
downloadpatches-c86b5f1b9bdfdd478ba15804f9343feb8d9c019b.tar
patches-c86b5f1b9bdfdd478ba15804f9343feb8d9c019b.tar.gz
gnu: glibc@2.27: fix CVE-2018-11236, CVE-2018-11237.
* gnu/packages/base.scm (glibc@2.27)[sources]: Add patches. [properties]: New field, mark CVE-2017-18269 fixed. * gnu/packages/patches/glibc-CVE-2018-11236.patch, gnu/packages/patches/glibc-CVE-2018-11237.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them.
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/base.scm5
-rw-r--r--gnu/packages/patches/glibc-CVE-2018-11236.patch149
-rw-r--r--gnu/packages/patches/glibc-CVE-2018-11237.patch55
3 files changed, 208 insertions, 1 deletions
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 67fab7c114..db9cca6faf 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -892,7 +892,10 @@ with the Linux kernel.")
"glibc-hidden-visibility-ldconfig.patch"
"glibc-versioned-locpath.patch"
"glibc-allow-kernel-2.6.32.patch"
- "glibc-reinstate-prlimit64-fallback.patch"))))))
+ "glibc-reinstate-prlimit64-fallback.patch"
+ "glibc-CVE-2018-11236.patch"
+ "glibc-CVE-2018-11237.patch"))))
+ (properties `((lint-hidden-cve . ("CVE-2017-18269")))))) ; glibc-2.27-git-fixes
(define-public glibc-2.26
(package
diff --git a/gnu/packages/patches/glibc-CVE-2018-11236.patch b/gnu/packages/patches/glibc-CVE-2018-11236.patch
new file mode 100644
index 0000000000..4f8a72943c
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2018-11236.patch
@@ -0,0 +1,149 @@
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=5460617d1567657621107d895ee2dd83bc1f88f2
+with ChangeLog removed
+
+From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Tue, 8 May 2018 18:12:41 -0700
+Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
+ buffer overflow when realpath() input length is close to SSIZE_MAX.
+
+2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #22786]
+ * stdlib/canonicalize.c (__realpath): Fix overflow in path length
+ computation.
+ * stdlib/Makefile (test-bz22786): New test.
+ * stdlib/test-bz22786.c: New test.
+---
+ ChangeLog | 8 +++++
+ stdlib/Makefile | 2 +-
+ stdlib/canonicalize.c | 2 +-
+ stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 100 insertions(+), 2 deletions(-)
+ create mode 100644 stdlib/test-bz22786.c
+
+diff --git a/stdlib/Makefile b/stdlib/Makefile
+index af1643c..1ddb1f9 100644
+--- a/stdlib/Makefile
++++ b/stdlib/Makefile
+@@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \
+ tst-cxa_atexit tst-on_exit test-atexit-race \
+ test-at_quick_exit-race test-cxa_atexit-race \
+ test-on_exit-race test-dlclose-exit-race \
+- tst-makecontext-align
++ tst-makecontext-align test-bz22786
+
+ tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
+ tst-tls-atexit tst-tls-atexit-nodelete
+diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
+index 4135f3f..390fb43 100644
+--- a/stdlib/canonicalize.c
++++ b/stdlib/canonicalize.c
+@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
+ extra_buf = __alloca (path_max);
+
+ len = strlen (end);
+- if ((long int) (n + len) >= path_max)
++ if (path_max - n <= len)
+ {
+ __set_errno (ENAMETOOLONG);
+ goto error;
+diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
+new file mode 100644
+index 0000000..e7837f9
+--- /dev/null
++++ b/stdlib/test-bz22786.c
+@@ -0,0 +1,90 @@
++/* Bug 22786: test for buffer overflow in realpath.
++ Copyright (C) 2018 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++/* This file must be run from within a directory called "stdlib". */
++
++#include <errno.h>
++#include <limits.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <support/test-driver.h>
++#include <libc-diag.h>
++
++static int
++do_test (void)
++{
++ const char dir[] = "bz22786";
++ const char lnk[] = "bz22786/symlink";
++
++ rmdir (dir);
++ if (mkdir (dir, 0755) != 0 && errno != EEXIST)
++ {
++ printf ("mkdir %s: %m\n", dir);
++ return EXIT_FAILURE;
++ }
++ if (symlink (".", lnk) != 0 && errno != EEXIST)
++ {
++ printf ("symlink (%s, %s): %m\n", dir, lnk);
++ return EXIT_FAILURE;
++ }
++
++ const size_t path_len = (size_t) INT_MAX + 1;
++
++ DIAG_PUSH_NEEDS_COMMENT;
++#if __GNUC_PREREQ (7, 0)
++ /* GCC 7 warns about too-large allocations; here we need such
++ allocation to succeed for the test to work. */
++ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
++#endif
++ char *path = malloc (path_len);
++ DIAG_POP_NEEDS_COMMENT;
++
++ if (path == NULL)
++ {
++ printf ("malloc (%zu): %m\n", path_len);
++ return EXIT_UNSUPPORTED;
++ }
++
++ /* Construct very long path = "bz22786/symlink/aaaa....." */
++ char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
++ *(p++) = '/';
++ memset (p, 'a', path_len - (path - p) - 2);
++ p[path_len - (path - p) - 1] = '\0';
++
++ /* This call crashes before the fix for bz22786 on 32-bit platforms. */
++ p = realpath (path, NULL);
++
++ if (p != NULL || errno != ENAMETOOLONG)
++ {
++ printf ("realpath: %s (%m)", p);
++ return EXIT_FAILURE;
++ }
++
++ /* Cleanup. */
++ unlink (lnk);
++ rmdir (dir);
++
++ return 0;
++}
++
++#define TEST_FUNCTION do_test
++#include <support/test-driver.c>
+--
+2.9.3
+
diff --git a/gnu/packages/patches/glibc-CVE-2018-11237.patch b/gnu/packages/patches/glibc-CVE-2018-11237.patch
new file mode 100644
index 0000000000..8a7c604ecd
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2018-11237.patch
@@ -0,0 +1,55 @@
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e
+with the ChangeLog removed
+
+From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Tue, 22 May 2018 10:37:59 +0200
+Subject: [PATCH] Don't write beyond destination in
+ __mempcpy_avx512_no_vzeroupper (bug 23196)
+
+When compiled as mempcpy, the return value is the end of the destination
+buffer, thus it cannot be used to refer to the start of it.
+---
+ ChangeLog | 9 +++++++++
+ string/test-mempcpy.c | 1 +
+ sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
+index c08fba8..d98ecdd 100644
+--- a/string/test-mempcpy.c
++++ b/string/test-mempcpy.c
+@@ -18,6 +18,7 @@
+ <http://www.gnu.org/licenses/>. */
+
+ #define MEMCPY_RESULT(dst, len) (dst) + (len)
++#define MIN_PAGE_SIZE 131072
+ #define TEST_MAIN
+ #define TEST_NAME "mempcpy"
+ #include "test-string.h"
+diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+index 23c0f7a..effc3ac 100644
+--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+@@ -336,6 +336,7 @@ L(preloop_large):
+ vmovups (%rsi), %zmm4
+ vmovups 0x40(%rsi), %zmm5
+
++ mov %rdi, %r11
+ /* Align destination for access with non-temporal stores in the loop. */
+ mov %rdi, %r8
+ and $-0x80, %rdi
+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
+ cmp $256, %rdx
+ ja L(gobble_256bytes_nt_loop)
+ sfence
+- vmovups %zmm4, (%rax)
+- vmovups %zmm5, 0x40(%rax)
++ vmovups %zmm4, (%r11)
++ vmovups %zmm5, 0x40(%r11)
+ jmp L(check)
+
+ L(preloop_large_bkw):
+--
+2.9.3
+