aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYuanjie Huang <yuanjie.huang@windriver.com>2016-04-27 02:32:55 -0700
committerRobert Yang <liezhi.yang@windriver.com>2016-05-10 19:59:39 -0700
commit71b051f51a44dad1fdca7ca6b3552d0aebdc91d3 (patch)
tree03d3a442d40f4ae32f80a596ea8e662fa21e57b7
parent69b49e8dc45cf60defba547d93e663df42c92127 (diff)
downloadopenembedded-core-contrib-71b051f51a44dad1fdca7ca6b3552d0aebdc91d3.tar.gz
glibc: Fix CVE-2015-8778
CVE: CVE-2015-8778 Improve check against integer wraparound in hcreate_r [BZ #18240] This is an integer overflow in hcreate and hcreate_r which can result in an out-of-bound memory access. This could lead to application crashes or, potentially, arbitrary code execution. Upstream-Status: Backport [2.23] (cherry-picked from commit bae7c7c7, 4bd228c8) Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8778.patch199
-rw-r--r--meta/recipes-core/glibc/glibc_2.22.bb1
2 files changed, 200 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8778.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8778.patch
new file mode 100644
index 0000000000..c505c10c89
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8778.patch
@@ -0,0 +1,199 @@
+From d0f05d1e39adb336a8bbccbc276a344e6ff427e3 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 28 Jan 2016 13:59:11 +0100
+Subject: [PATCH] Improve check against integer wraparound in hcreate_r [BZ
+ #18240]
+
+CVE: CVE-2015-8778
+
+Improve check against integer wraparound in hcreate_r [BZ #18240]
+
+This is an integer overflow in hcreate and hcreate_r which can result in
+an out-of-bound memory access. This could lead to application crashes
+or, potentially, arbitrary code execution.
+
+Upstream-Status: Backport [2.23]
+(cherry-picked from commit bae7c7c7, 4bd228c8)
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ ChangeLog | 6 +++++
+ NEWS | 2 +-
+ misc/Makefile | 2 +-
+ misc/bug18240.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ misc/hsearch_r.c | 28 ++++++++++++---------
+ 5 files changed, 100 insertions(+), 13 deletions(-)
+ create mode 100644 misc/bug18240.c
+
+diff --git a/ChangeLog b/ChangeLog
+index b7701d1..a9dc8a2 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,9 @@
++2016-01-27 Paul Eggert <eggert@cs.ucla.edu>
++
++ [BZ #18240]
++ * misc/hsearch_r.c (isprime, __hcreate_r): Protect against
++ unsigned int wraparound.
++
+ 2016-02-15 Carlos O'Donell <carlos@redhat.com>
+
+ [BZ #18665]
+diff --git a/NEWS b/NEWS
+index cda7a73..fd77c27 100644
+--- a/NEWS
++++ b/NEWS
+@@ -9,7 +9,7 @@ Version 2.22.1
+
+ * The following bugs are resolved with this release:
+
+- 18778, 18781, 18787, 17905.
++ 18240, 18778, 18781, 18787, 17905.
+
+ Version 2.22
+
+diff --git a/misc/Makefile b/misc/Makefile
+index e6b7c23..463a238 100644
+--- a/misc/Makefile
++++ b/misc/Makefile
+@@ -83,7 +83,7 @@ install-lib := libg.a
+ gpl2lgpl := error.c error.h
+
+ tests := tst-dirname tst-tsearch tst-fdset tst-mntent tst-hsearch \
+- tst-pselect tst-insremque tst-mntent2 bug-hsearch1
++ tst-pselect tst-insremque tst-mntent2 bug-hsearch1 bug18240
+ tests-$(OPTION_POSIX_WIDE_CHAR_DEVICE_IO) += tst-error1
+ tests-$(OPTION_EGLIBC_FCVT) += tst-efgcvt
+ ifeq ($(run-built-tests),yes)
+diff --git a/misc/bug18240.c b/misc/bug18240.c
+new file mode 100644
+index 0000000..4b26865
+--- /dev/null
++++ b/misc/bug18240.c
+@@ -0,0 +1,75 @@
++/* Test integer wraparound in hcreate.
++ Copyright (C) 2016 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <limits.h>
++#include <search.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++static void
++test_size (size_t size)
++{
++ int res = hcreate (size);
++ if (res == 0)
++ {
++ if (errno == ENOMEM)
++ return;
++ printf ("error: hcreate (%zu): %m\n", size);
++ exit (1);
++ }
++ char *keys[100];
++ for (int i = 0; i < 100; ++i)
++ {
++ if (asprintf (keys + i, "%d", i) < 0)
++ {
++ printf ("error: asprintf: %m\n");
++ exit (1);
++ }
++ ENTRY e = { keys[i], (char *) "value" };
++ if (hsearch (e, ENTER) == NULL)
++ {
++ printf ("error: hsearch (\"%s\"): %m\n", keys[i]);
++ exit (1);
++ }
++ }
++ hdestroy ();
++
++ for (int i = 0; i < 100; ++i)
++ free (keys[i]);
++}
++
++static int
++do_test (void)
++{
++ test_size (500);
++ test_size (-1);
++ test_size (-3);
++ test_size (INT_MAX - 2);
++ test_size (INT_MAX - 1);
++ test_size (INT_MAX);
++ test_size (((unsigned) INT_MAX) + 1);
++ test_size (UINT_MAX - 2);
++ test_size (UINT_MAX - 1);
++ test_size (UINT_MAX);
++ return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
+index 9f55e84..6000ce2 100644
+--- a/misc/hsearch_r.c
++++ b/misc/hsearch_r.c
+@@ -46,15 +46,12 @@ static int
+ isprime (unsigned int number)
+ {
+ /* no even number will be passed */
+- unsigned int div = 3;
+-
+- while (div * div < number && number % div != 0)
+- div += 2;
+-
+- return number % div != 0;
++ for (unsigned int div = 3; div <= number / div; div += 2)
++ if (number % div == 0)
++ return 0;
++ return 1;
+ }
+
+-
+ /* Before using the hash table we must allocate memory for it.
+ Test for an existing table are done. We allocate one element
+ more as the found prime number says. This is done for more effective
+@@ -81,10 +78,19 @@ __hcreate_r (nel, htab)
+ use will not work. */
+ if (nel < 3)
+ nel = 3;
+- /* Change nel to the first prime number not smaller as nel. */
+- nel |= 1; /* make odd */
+- while (!isprime (nel))
+- nel += 2;
++
++ /* Change nel to the first prime number in the range [nel, UINT_MAX - 2],
++ The '- 2' means 'nel += 2' cannot overflow. */
++ for (nel |= 1; ; nel += 2)
++ {
++ if (UINT_MAX - 2 < nel)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++ if (isprime (nel))
++ break;
++ }
+
+ htab->size = nel;
+ htab->filled = 0;
+--
+2.7.4
+
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index a13b7f94bb..7b25847392 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://CVE-2015-9761_2.patch \
file://CVE-2015-8776.patch \
file://CVE-2015-7547.patch \
+ file://CVE-2015-8778.patch \
"
SRC_URI += "\