glibc: patch CVE-2018-11236, CVE-2018-11237
Patches have been imported into nixpkgs and manually edited to avoid merge conflicts on ChangeLog / NEWS files.
This commit is contained in:
parent
3a4658ea04
commit
17be09a1f0
3 changed files with 206 additions and 0 deletions
146
pkgs/development/libraries/glibc/CVE-2018-11236.patch
Normal file
146
pkgs/development/libraries/glibc/CVE-2018-11236.patch
Normal file
|
@ -0,0 +1,146 @@
|
|||
From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Pluzhnikov <ppluzhnikov@google.com>
|
||||
Date: Tue, 8 May 2018 18:12:41 -0700
|
||||
Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
|
||||
buffer overflow when realpath() input length is close to SSIZE_MAX.
|
||||
|
||||
2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
|
||||
|
||||
[BZ #22786]
|
||||
* stdlib/canonicalize.c (__realpath): Fix overflow in path length
|
||||
computation.
|
||||
* stdlib/Makefile (test-bz22786): New test.
|
||||
* stdlib/test-bz22786.c: New test.
|
||||
---
|
||||
ChangeLog | 8 +++++
|
||||
stdlib/Makefile | 2 +-
|
||||
stdlib/canonicalize.c | 2 +-
|
||||
stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 100 insertions(+), 2 deletions(-)
|
||||
create mode 100644 stdlib/test-bz22786.c
|
||||
|
||||
diff --git a/stdlib/Makefile b/stdlib/Makefile
|
||||
index af1643c..1ddb1f9 100644
|
||||
--- a/stdlib/Makefile
|
||||
+++ b/stdlib/Makefile
|
||||
@@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \
|
||||
tst-cxa_atexit tst-on_exit test-atexit-race \
|
||||
test-at_quick_exit-race test-cxa_atexit-race \
|
||||
test-on_exit-race test-dlclose-exit-race \
|
||||
- tst-makecontext-align
|
||||
+ tst-makecontext-align test-bz22786
|
||||
|
||||
tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
|
||||
tst-tls-atexit tst-tls-atexit-nodelete
|
||||
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
|
||||
index 4135f3f..390fb43 100644
|
||||
--- a/stdlib/canonicalize.c
|
||||
+++ b/stdlib/canonicalize.c
|
||||
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
|
||||
extra_buf = __alloca (path_max);
|
||||
|
||||
len = strlen (end);
|
||||
- if ((long int) (n + len) >= path_max)
|
||||
+ if (path_max - n <= len)
|
||||
{
|
||||
__set_errno (ENAMETOOLONG);
|
||||
goto error;
|
||||
diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
|
||||
new file mode 100644
|
||||
index 0000000..e7837f9
|
||||
--- /dev/null
|
||||
+++ b/stdlib/test-bz22786.c
|
||||
@@ -0,0 +1,90 @@
|
||||
+/* Bug 22786: test for buffer overflow in realpath.
|
||||
+ Copyright (C) 2018 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <http://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+/* This file must be run from within a directory called "stdlib". */
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <limits.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <support/test-driver.h>
|
||||
+#include <libc-diag.h>
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ const char dir[] = "bz22786";
|
||||
+ const char lnk[] = "bz22786/symlink";
|
||||
+
|
||||
+ rmdir (dir);
|
||||
+ if (mkdir (dir, 0755) != 0 && errno != EEXIST)
|
||||
+ {
|
||||
+ printf ("mkdir %s: %m\n", dir);
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+ if (symlink (".", lnk) != 0 && errno != EEXIST)
|
||||
+ {
|
||||
+ printf ("symlink (%s, %s): %m\n", dir, lnk);
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+
|
||||
+ const size_t path_len = (size_t) INT_MAX + 1;
|
||||
+
|
||||
+ DIAG_PUSH_NEEDS_COMMENT;
|
||||
+#if __GNUC_PREREQ (7, 0)
|
||||
+ /* GCC 7 warns about too-large allocations; here we need such
|
||||
+ allocation to succeed for the test to work. */
|
||||
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
|
||||
+#endif
|
||||
+ char *path = malloc (path_len);
|
||||
+ DIAG_POP_NEEDS_COMMENT;
|
||||
+
|
||||
+ if (path == NULL)
|
||||
+ {
|
||||
+ printf ("malloc (%zu): %m\n", path_len);
|
||||
+ return EXIT_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ /* Construct very long path = "bz22786/symlink/aaaa....." */
|
||||
+ char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
|
||||
+ *(p++) = '/';
|
||||
+ memset (p, 'a', path_len - (path - p) - 2);
|
||||
+ p[path_len - (path - p) - 1] = '\0';
|
||||
+
|
||||
+ /* This call crashes before the fix for bz22786 on 32-bit platforms. */
|
||||
+ p = realpath (path, NULL);
|
||||
+
|
||||
+ if (p != NULL || errno != ENAMETOOLONG)
|
||||
+ {
|
||||
+ printf ("realpath: %s (%m)", p);
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+
|
||||
+ /* Cleanup. */
|
||||
+ unlink (lnk);
|
||||
+ rmdir (dir);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#define TEST_FUNCTION do_test
|
||||
+#include <support/test-driver.c>
|
||||
--
|
||||
2.9.3
|
||||
|
55
pkgs/development/libraries/glibc/CVE-2018-11237.patch
Normal file
55
pkgs/development/libraries/glibc/CVE-2018-11237.patch
Normal file
|
@ -0,0 +1,55 @@
|
|||
From f51c8367685dc888a02f7304c729ed5277904aff Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schwab <schwab@suse.de>
|
||||
Date: Thu, 24 May 2018 14:39:18 +0200
|
||||
Subject: [PATCH] Don't write beyond destination in
|
||||
__mempcpy_avx512_no_vzeroupper (bug 23196)
|
||||
|
||||
When compiled as mempcpy, the return value is the end of the destination
|
||||
buffer, thus it cannot be used to refer to the start of it.
|
||||
|
||||
(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
|
||||
---
|
||||
ChangeLog | 9 +++++++++
|
||||
NEWS | 7 +++++++
|
||||
string/test-mempcpy.c | 1 +
|
||||
sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
|
||||
4 files changed, 20 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
|
||||
index c08fba8..d98ecdd 100644
|
||||
--- a/string/test-mempcpy.c
|
||||
+++ b/string/test-mempcpy.c
|
||||
@@ -18,6 +18,7 @@
|
||||
<http://www.gnu.org/licenses/>. */
|
||||
|
||||
#define MEMCPY_RESULT(dst, len) (dst) + (len)
|
||||
+#define MIN_PAGE_SIZE 131072
|
||||
#define TEST_MAIN
|
||||
#define TEST_NAME "mempcpy"
|
||||
#include "test-string.h"
|
||||
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
|
||||
index 23c0f7a..effc3ac 100644
|
||||
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
|
||||
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
|
||||
@@ -336,6 +336,7 @@ L(preloop_large):
|
||||
vmovups (%rsi), %zmm4
|
||||
vmovups 0x40(%rsi), %zmm5
|
||||
|
||||
+ mov %rdi, %r11
|
||||
/* Align destination for access with non-temporal stores in the loop. */
|
||||
mov %rdi, %r8
|
||||
and $-0x80, %rdi
|
||||
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
|
||||
cmp $256, %rdx
|
||||
ja L(gobble_256bytes_nt_loop)
|
||||
sfence
|
||||
- vmovups %zmm4, (%rax)
|
||||
- vmovups %zmm5, 0x40(%rax)
|
||||
+ vmovups %zmm4, (%r11)
|
||||
+ vmovups %zmm5, 0x40(%r11)
|
||||
jmp L(check)
|
||||
|
||||
L(preloop_large_bkw):
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -92,6 +92,11 @@ stdenv.mkDerivation ({
|
|||
url = "https://salsa.debian.org/glibc-team/glibc/raw/49767c9f7de4828220b691b29de0baf60d8a54ec/debian/patches/localedata/locale-C.diff";
|
||||
sha256 = "0irj60hs2i91ilwg5w7sqrxb695c93xg0ik7yhhq9irprd7fidn4";
|
||||
})
|
||||
|
||||
# https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5460617d1567657621107d895ee2dd83bc1f88f2
|
||||
./CVE-2018-11236.patch
|
||||
# https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f51c8367685dc888a02f7304c729ed5277904aff
|
||||
./CVE-2018-11237.patch
|
||||
]
|
||||
++ lib.optional stdenv.isx86_64 ./fix-x64-abi.patch
|
||||
++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
|
||||
|
|
Loading…
Reference in a new issue