glibc: remove outdated patches

Co-authored-by: Luka Blaskovic <lblasc@znode.net>
wip/yesman
Maximilian Bosch 5 years ago committed by Luka Blaskovic
parent c17058226a
commit 2d5ed2b4b0
  1. 146
      pkgs/development/libraries/glibc/CVE-2018-11236.patch
  2. 55
      pkgs/development/libraries/glibc/CVE-2018-11237.patch
  3. 26
      pkgs/development/libraries/glibc/common.nix
  4. 26
      pkgs/development/libraries/glibc/fix-out-of-bounds-access-in-findidxwc.patch
  5. 35
      pkgs/development/libraries/glibc/fix-out-of-bounds-access-in-ibm-1390-converter.patch

@ -1,146 +0,0 @@
From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Tue, 8 May 2018 18:12:41 -0700
Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
buffer overflow when realpath() input length is close to SSIZE_MAX.
2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #22786]
* stdlib/canonicalize.c (__realpath): Fix overflow in path length
computation.
* stdlib/Makefile (test-bz22786): New test.
* stdlib/test-bz22786.c: New test.
---
ChangeLog | 8 +++++
stdlib/Makefile | 2 +-
stdlib/canonicalize.c | 2 +-
stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 100 insertions(+), 2 deletions(-)
create mode 100644 stdlib/test-bz22786.c
diff --git a/stdlib/Makefile b/stdlib/Makefile
index af1643c..1ddb1f9 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \
tst-cxa_atexit tst-on_exit test-atexit-race \
test-at_quick_exit-race test-cxa_atexit-race \
test-on_exit-race test-dlclose-exit-race \
- tst-makecontext-align
+ tst-makecontext-align test-bz22786
tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
tst-tls-atexit tst-tls-atexit-nodelete
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 4135f3f..390fb43 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
extra_buf = __alloca (path_max);
len = strlen (end);
- if ((long int) (n + len) >= path_max)
+ if (path_max - n <= len)
{
__set_errno (ENAMETOOLONG);
goto error;
diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
new file mode 100644
index 0000000..e7837f9
--- /dev/null
+++ b/stdlib/test-bz22786.c
@@ -0,0 +1,90 @@
+/* Bug 22786: test for buffer overflow in realpath.
+ Copyright (C) 2018 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+/* This file must be run from within a directory called "stdlib". */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <support/test-driver.h>
+#include <libc-diag.h>
+
+static int
+do_test (void)
+{
+ const char dir[] = "bz22786";
+ const char lnk[] = "bz22786/symlink";
+
+ rmdir (dir);
+ if (mkdir (dir, 0755) != 0 && errno != EEXIST)
+ {
+ printf ("mkdir %s: %m\n", dir);
+ return EXIT_FAILURE;
+ }
+ if (symlink (".", lnk) != 0 && errno != EEXIST)
+ {
+ printf ("symlink (%s, %s): %m\n", dir, lnk);
+ return EXIT_FAILURE;
+ }
+
+ const size_t path_len = (size_t) INT_MAX + 1;
+
+ DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+ /* GCC 7 warns about too-large allocations; here we need such
+ allocation to succeed for the test to work. */
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
+ char *path = malloc (path_len);
+ DIAG_POP_NEEDS_COMMENT;
+
+ if (path == NULL)
+ {
+ printf ("malloc (%zu): %m\n", path_len);
+ return EXIT_UNSUPPORTED;
+ }
+
+ /* Construct very long path = "bz22786/symlink/aaaa....." */
+ char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
+ *(p++) = '/';
+ memset (p, 'a', path_len - (path - p) - 2);
+ p[path_len - (path - p) - 1] = '\0';
+
+ /* This call crashes before the fix for bz22786 on 32-bit platforms. */
+ p = realpath (path, NULL);
+
+ if (p != NULL || errno != ENAMETOOLONG)
+ {
+ printf ("realpath: %s (%m)", p);
+ return EXIT_FAILURE;
+ }
+
+ /* Cleanup. */
+ unlink (lnk);
+ rmdir (dir);
+
+ return 0;
+}
+
+#define TEST_FUNCTION do_test
+#include <support/test-driver.c>
--
2.9.3

@ -1,55 +0,0 @@
From f51c8367685dc888a02f7304c729ed5277904aff Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Thu, 24 May 2018 14:39:18 +0200
Subject: [PATCH] Don't write beyond destination in
__mempcpy_avx512_no_vzeroupper (bug 23196)
When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.
(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
---
ChangeLog | 9 +++++++++
NEWS | 7 +++++++
string/test-mempcpy.c | 1 +
sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index c08fba8..d98ecdd 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
<http://www.gnu.org/licenses/>. */
#define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
#define TEST_MAIN
#define TEST_NAME "mempcpy"
#include "test-string.h"
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 23c0f7a..effc3ac 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -336,6 +336,7 @@ L(preloop_large):
vmovups (%rsi), %zmm4
vmovups 0x40(%rsi), %zmm5
+ mov %rdi, %r11
/* Align destination for access with non-temporal stores in the loop. */
mov %rdi, %r8
and $-0x80, %rdi
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
cmp $256, %rdx
ja L(gobble_256bytes_nt_loop)
sfence
- vmovups %zmm4, (%rax)
- vmovups %zmm5, 0x40(%rax)
+ vmovups %zmm4, (%r11)
+ vmovups %zmm5, 0x40(%r11)
jmp L(check)
L(preloop_large_bkw):
--
2.9.3

@ -19,7 +19,7 @@
{ stdenv, lib
, buildPackages
, fetchurl, fetchpatch
, fetchurl
, linuxHeaders ? null
, gd ? null, libpng ? null
, libidn2
@ -94,35 +94,13 @@ stdenv.mkDerivation ({
url = "https://salsa.debian.org/glibc-team/glibc/raw/49767c9f7de4828220b691b29de0baf60d8a54ec/debian/patches/localedata/locale-C.diff";
sha256 = "0irj60hs2i91ilwg5w7sqrxb695c93xg0ik7yhhq9irprd7fidn4";
})
# https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5460617d1567657621107d895ee2dd83bc1f88f2
./CVE-2018-11236.patch
# https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f51c8367685dc888a02f7304c729ed5277904aff
./CVE-2018-11237.patch
# Remove after upgrading to glibc 2.28+
# Change backported from upstream
# https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c79cec8cd2a6996a73aa83d79b360ffd4bebde6
./fix-out-of-bounds-access-in-findidxwc.patch
# Remove after upgrading to glibc 2.28+
# https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=21526a507df8f1b2e37492193a754534d8938c0b
./fix-out-of-bounds-access-in-ibm-1390-converter.patch
]
++ lib.optionals stdenv.isx86_64 [
./fix-x64-abi.patch
./2.27-CVE-2019-19126.patch
]
++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch
# Remove after upgrading to glibc 2.28+
++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform || stdenv.hostPlatform.isMusl) (fetchpatch {
url = "https://sourceware.org/git/?p=glibc.git;a=patch;h=780684eb04298977bc411ebca1eadeeba4877833";
name = "correct-pwent-parsing-issue-and-resulting-build.patch";
sha256 = "08fja894vzaj8phwfhsfik6jj2pbji7kypy3q8pgxvsd508zdv1q";
excludes = [ "ChangeLog" ];
});
++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;
postPatch =
''
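Review bot: The version bump that would make these patches obsolete is not visible in the common.nix section, so these lines alone cannot confirm that the packaged glibc already contains the fixes behind `./CVE-2018-11236.patch`, `./CVE-2018-11237.patch` and the two out-of-bounds patches; the removed comments only say "Remove after upgrading to glibc 2.28+". The x86_64 list still applies `./2.27-CVE-2019-19126.patch`, whose name suggests a 2.27 backport, and unlike the removed entries it carries no upstream link or removal condition. I would add one above it, for example `# Backport for CVE-2019-19126; remove once the packaged glibc includes the upstream fix`, and name the target glibc version in the commit description so the dropped CVE fixes can be checked against it. The `stdenv.mkDerivation` body starts and ends outside these hunks.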

@ -1,26 +0,0 @@
diff -ur glibc-2.27/locale/weightwc.h glibc-2.27-patched/locale/weightwc.h
--- glibc-2.27/locale/weightwc.h 2018-02-02 01:17:18.000000000 +0900
+++ glibc-2.27-patched/locale/weightwc.h 2020-01-12 04:54:16.044440602 +0900
@@ -94,19 +94,19 @@
if (cp[cnt] != usrc[cnt])
break;
- if (cnt < nhere - 1)
+ if (cnt < nhere - 1 || cnt == len)
{
cp += 2 * nhere;
continue;
}
- if (cp[nhere - 1] > usrc[nhere -1])
+ if (cp[nhere - 1] > usrc[nhere - 1])
{
cp += 2 * nhere;
continue;
}
- if (cp[2 * nhere - 1] < usrc[nhere -1])
+ if (cp[2 * nhere - 1] < usrc[nhere - 1])
{
cp += 2 * nhere;
continue;

@ -1,35 +0,0 @@
From 21526a507df8f1b2e37492193a754534d8938c0b Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Tue, 24 Jul 2018 14:08:34 +0200
Subject: [PATCH] Fix out-of-bounds access in IBM-1390 converter (bug 23448)
The IBM-1390 converter can consume/produce two UCS4 characters in each
loop.
---
ChangeLog | 6 ++++++
iconvdata/ibm1364.c | 2 ++
2 files changed, 8 insertions(+)
diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
index b833273..517fe60 100644
--- a/iconvdata/ibm1364.c
+++ b/iconvdata/ibm1364.c
@@ -150,6 +150,7 @@ enum
#define MIN_NEEDED_INPUT MIN_NEEDED_FROM
#define MAX_NEEDED_INPUT MAX_NEEDED_FROM
#define MIN_NEEDED_OUTPUT MIN_NEEDED_TO
+#define MAX_NEEDED_OUTPUT MAX_NEEDED_TO
#define LOOPFCT FROM_LOOP
#define BODY \
{ \
@@ -296,6 +297,7 @@ enum
/* Next, define the other direction. */
#define MIN_NEEDED_INPUT MIN_NEEDED_TO
+#define MAX_NEEDED_INPUT MAX_NEEDED_TO
#define MIN_NEEDED_OUTPUT MIN_NEEDED_FROM
#define MAX_NEEDED_OUTPUT MAX_NEEDED_FROM
#define LOOPFCT TO_LOOP
--
2.9.3