Maximilian Bosch
5 years ago
committed by
Luka Blaskovic
parent
c17058226a
commit
2d5ed2b4b0
@ -1,146 +0,0 @@ |
||||
From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Pluzhnikov <ppluzhnikov@google.com>
|
||||
Date: Tue, 8 May 2018 18:12:41 -0700
|
||||
Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
|
||||
buffer overflow when realpath() input length is close to SSIZE_MAX.
|
||||
|
||||
2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
|
||||
|
||||
[BZ #22786]
|
||||
* stdlib/canonicalize.c (__realpath): Fix overflow in path length
|
||||
computation.
|
||||
* stdlib/Makefile (test-bz22786): New test.
|
||||
* stdlib/test-bz22786.c: New test.
|
||||
---
|
||||
ChangeLog | 8 +++++
|
||||
stdlib/Makefile | 2 +-
|
||||
stdlib/canonicalize.c | 2 +-
|
||||
stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 100 insertions(+), 2 deletions(-)
|
||||
create mode 100644 stdlib/test-bz22786.c
|
||||
|
||||
diff --git a/stdlib/Makefile b/stdlib/Makefile
|
||||
index af1643c..1ddb1f9 100644
|
||||
--- a/stdlib/Makefile
|
||||
+++ b/stdlib/Makefile
|
||||
@@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \
|
||||
tst-cxa_atexit tst-on_exit test-atexit-race \
|
||||
test-at_quick_exit-race test-cxa_atexit-race \
|
||||
test-on_exit-race test-dlclose-exit-race \
|
||||
- tst-makecontext-align
|
||||
+ tst-makecontext-align test-bz22786
|
||||
|
||||
tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
|
||||
tst-tls-atexit tst-tls-atexit-nodelete
|
||||
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
|
||||
index 4135f3f..390fb43 100644
|
||||
--- a/stdlib/canonicalize.c
|
||||
+++ b/stdlib/canonicalize.c
|
||||
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
|
||||
extra_buf = __alloca (path_max);
|
||||
|
||||
len = strlen (end);
|
||||
- if ((long int) (n + len) >= path_max)
|
||||
+ if (path_max - n <= len)
|
||||
{
|
||||
__set_errno (ENAMETOOLONG);
|
||||
goto error;
|
||||
diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
|
||||
new file mode 100644
|
||||
index 0000000..e7837f9
|
||||
--- /dev/null
|
||||
+++ b/stdlib/test-bz22786.c
|
||||
@@ -0,0 +1,90 @@
|
||||
+/* Bug 22786: test for buffer overflow in realpath.
|
||||
+ Copyright (C) 2018 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <http://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+/* This file must be run from within a directory called "stdlib". */
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <limits.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <support/test-driver.h>
|
||||
+#include <libc-diag.h>
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ const char dir[] = "bz22786";
|
||||
+ const char lnk[] = "bz22786/symlink";
|
||||
+
|
||||
+ rmdir (dir);
|
||||
+ if (mkdir (dir, 0755) != 0 && errno != EEXIST)
|
||||
+ {
|
||||
+ printf ("mkdir %s: %m\n", dir);
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+ if (symlink (".", lnk) != 0 && errno != EEXIST)
|
||||
+ {
|
||||
+ printf ("symlink (%s, %s): %m\n", dir, lnk);
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+
|
||||
+ const size_t path_len = (size_t) INT_MAX + 1;
|
||||
+
|
||||
+ DIAG_PUSH_NEEDS_COMMENT;
|
||||
+#if __GNUC_PREREQ (7, 0)
|
||||
+ /* GCC 7 warns about too-large allocations; here we need such
|
||||
+ allocation to succeed for the test to work. */
|
||||
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
|
||||
+#endif
|
||||
+ char *path = malloc (path_len);
|
||||
+ DIAG_POP_NEEDS_COMMENT;
|
||||
+
|
||||
+ if (path == NULL)
|
||||
+ {
|
||||
+ printf ("malloc (%zu): %m\n", path_len);
|
||||
+ return EXIT_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ /* Construct very long path = "bz22786/symlink/aaaa....." */
|
||||
+ char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
|
||||
+ *(p++) = '/';
|
||||
+ memset (p, 'a', path_len - (path - p) - 2);
|
||||
+ p[path_len - (path - p) - 1] = '\0';
|
||||
+
|
||||
+ /* This call crashes before the fix for bz22786 on 32-bit platforms. */
|
||||
+ p = realpath (path, NULL);
|
||||
+
|
||||
+ if (p != NULL || errno != ENAMETOOLONG)
|
||||
+ {
|
||||
+ printf ("realpath: %s (%m)", p);
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+
|
||||
+ /* Cleanup. */
|
||||
+ unlink (lnk);
|
||||
+ rmdir (dir);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#define TEST_FUNCTION do_test
|
||||
+#include <support/test-driver.c>
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,55 +0,0 @@ |
||||
From f51c8367685dc888a02f7304c729ed5277904aff Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schwab <schwab@suse.de>
|
||||
Date: Thu, 24 May 2018 14:39:18 +0200
|
||||
Subject: [PATCH] Don't write beyond destination in
|
||||
__mempcpy_avx512_no_vzeroupper (bug 23196)
|
||||
|
||||
When compiled as mempcpy, the return value is the end of the destination
|
||||
buffer, thus it cannot be used to refer to the start of it.
|
||||
|
||||
(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
|
||||
---
|
||||
ChangeLog | 9 +++++++++
|
||||
NEWS | 7 +++++++
|
||||
string/test-mempcpy.c | 1 +
|
||||
sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
|
||||
4 files changed, 20 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
|
||||
index c08fba8..d98ecdd 100644
|
||||
--- a/string/test-mempcpy.c
|
||||
+++ b/string/test-mempcpy.c
|
||||
@@ -18,6 +18,7 @@
|
||||
<http://www.gnu.org/licenses/>. */
|
||||
|
||||
#define MEMCPY_RESULT(dst, len) (dst) + (len)
|
||||
+#define MIN_PAGE_SIZE 131072
|
||||
#define TEST_MAIN
|
||||
#define TEST_NAME "mempcpy"
|
||||
#include "test-string.h"
|
||||
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
|
||||
index 23c0f7a..effc3ac 100644
|
||||
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
|
||||
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
|
||||
@@ -336,6 +336,7 @@ L(preloop_large):
|
||||
vmovups (%rsi), %zmm4
|
||||
vmovups 0x40(%rsi), %zmm5
|
||||
|
||||
+ mov %rdi, %r11
|
||||
/* Align destination for access with non-temporal stores in the loop. */
|
||||
mov %rdi, %r8
|
||||
and $-0x80, %rdi
|
||||
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
|
||||
cmp $256, %rdx
|
||||
ja L(gobble_256bytes_nt_loop)
|
||||
sfence
|
||||
- vmovups %zmm4, (%rax)
|
||||
- vmovups %zmm5, 0x40(%rax)
|
||||
+ vmovups %zmm4, (%r11)
|
||||
+ vmovups %zmm5, 0x40(%r11)
|
||||
jmp L(check)
|
||||
|
||||
L(preloop_large_bkw):
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@ -1,26 +0,0 @@ |
||||
diff -ur glibc-2.27/locale/weightwc.h glibc-2.27-patched/locale/weightwc.h
|
||||
--- glibc-2.27/locale/weightwc.h 2018-02-02 01:17:18.000000000 +0900
|
||||
+++ glibc-2.27-patched/locale/weightwc.h 2020-01-12 04:54:16.044440602 +0900
|
||||
@@ -94,19 +94,19 @@
|
||||
if (cp[cnt] != usrc[cnt])
|
||||
break;
|
||||
|
||||
- if (cnt < nhere - 1)
|
||||
+ if (cnt < nhere - 1 || cnt == len)
|
||||
{
|
||||
cp += 2 * nhere;
|
||||
continue;
|
||||
}
|
||||
|
||||
- if (cp[nhere - 1] > usrc[nhere -1])
|
||||
+ if (cp[nhere - 1] > usrc[nhere - 1])
|
||||
{
|
||||
cp += 2 * nhere;
|
||||
continue;
|
||||
}
|
||||
|
||||
- if (cp[2 * nhere - 1] < usrc[nhere -1])
|
||||
+ if (cp[2 * nhere - 1] < usrc[nhere - 1])
|
||||
{
|
||||
cp += 2 * nhere;
|
||||
continue;
|
||||
@ -1,35 +0,0 @@ |
||||
From 21526a507df8f1b2e37492193a754534d8938c0b Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schwab <schwab@suse.de>
|
||||
Date: Tue, 24 Jul 2018 14:08:34 +0200
|
||||
Subject: [PATCH] Fix out-of-bounds access in IBM-1390 converter (bug 23448)
|
||||
|
||||
The IBM-1390 converter can consume/produce two UCS4 characters in each
|
||||
loop.
|
||||
---
|
||||
ChangeLog | 6 ++++++
|
||||
iconvdata/ibm1364.c | 2 ++
|
||||
2 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
|
||||
index b833273..517fe60 100644
|
||||
--- a/iconvdata/ibm1364.c
|
||||
+++ b/iconvdata/ibm1364.c
|
||||
@@ -150,6 +150,7 @@ enum
|
||||
#define MIN_NEEDED_INPUT MIN_NEEDED_FROM
|
||||
#define MAX_NEEDED_INPUT MAX_NEEDED_FROM
|
||||
#define MIN_NEEDED_OUTPUT MIN_NEEDED_TO
|
||||
+#define MAX_NEEDED_OUTPUT MAX_NEEDED_TO
|
||||
#define LOOPFCT FROM_LOOP
|
||||
#define BODY \
|
||||
{ \
|
||||
@@ -296,6 +297,7 @@ enum
|
||||
|
||||
/* Next, define the other direction. */
|
||||
#define MIN_NEEDED_INPUT MIN_NEEDED_TO
|
||||
+#define MAX_NEEDED_INPUT MAX_NEEDED_TO
|
||||
#define MIN_NEEDED_OUTPUT MIN_NEEDED_FROM
|
||||
#define MAX_NEEDED_OUTPUT MAX_NEEDED_FROM
|
||||
#define LOOPFCT TO_LOOP
|
||||
--
|
||||
2.9.3
|
||||
|
||||
Loading…
Reference in new issue