CRUX-ARM : Home

Home :: Documentation :: Download :: Development :: Community :: Ports :: Packages :: Bugs :: Links :: About :: Donors
development / ports / core-arm.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
glibc: updated to 2.19-5 Added CVE patches
[ports/core-arm.git] / glibc / CVE-2015-1472-wscanf-allocates-too-little-memory.patch
1 From 18d9cd1d9d95503074db705686d0236c99db5d00 Mon Sep 17 00:00:00 2001
2 From: Paul Pluzhnikov <ppluzhnikov@google.com>
3 Date: Fri, 6 Feb 2015 00:30:42 -0500
4 Subject: [PATCH 2/2] CVE-2015-1472: wscanf allocates too little memory
5
6 BZ #16618
7
8 Under certain conditions wscanf can allocate too little memory for the
9 to-be-scanned arguments and overflow the allocated buffer. The
10 implementation now correctly computes the required buffer size when
11 using malloc.
12
13 A regression test was added to tst-sscanf.
14
15 Conflicts:
16 ChangeLog
17 NEWS
18 ---
19 ChangeLog | 133 ++++++++++++++++++++++++++++++++++++++++++++++
20 NEWS | 44 +++++++++++++++
21 stdio-common/tst-sscanf.c | 33 ++++++++++++
22 stdio-common/vfscanf.c | 12 ++---
23 4 files changed, 216 insertions(+), 6 deletions(-)
24
25 diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
26 index 1214c7d..c62bee6 100644
27 --- a/stdio-common/tst-sscanf.c
28 +++ b/stdio-common/tst-sscanf.c
29 @@ -232,5 +232,38 @@ main (void)
30 }
31 }
32
33 + /* BZ #16618
34 + The test will segfault during SSCANF if the buffer overflow
35 + is not fixed. The size of `s` is such that it forces the use
36 + of malloc internally and this triggers the incorrect computation.
37 + Thus the value for SIZE is arbitrariy high enough that malloc
38 + is used. */
39 + {
40 +#define SIZE 131072
41 + CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
42 + if (s == NULL)
43 + abort ();
44 + for (size_t i = 0; i < SIZE; i++)
45 + s[i] = L('0');
46 + s[SIZE] = L('\0');
47 + int i = 42;
48 + /* Scan multi-digit zero into `i`. */
49 + if (SSCANF (s, L("%d"), &i) != 1)
50 + {
51 + printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
52 + result = 1;
53 + }
54 + if (i != 0)
55 + {
56 + printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
57 + result = 1;
58 + }
59 + free (s);
60 + if (result != 1)
61 + printf ("PASS: bug16618: Did not crash.\n");
62 +#undef SIZE
63 + }
64 +
65 +
66 return result;
67 }
68 diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
69 index 2e1e91a..d7a18e3 100644
70 --- a/stdio-common/vfscanf.c
71 +++ b/stdio-common/vfscanf.c
72 @@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
73 if (__builtin_expect (wpsize == wpmax, 0)) \
74 { \
75 CHAR_T *old = wp; \
76 - size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
77 - ? UCHAR_MAX + 1 : 2 * wpmax); \
78 - if (use_malloc || !__libc_use_alloca (newsize)) \
79 + bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
80 + size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \
81 + size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \
82 + if (!__libc_use_alloca (newsize)) \
83 { \
84 wp = realloc (use_malloc ? wp : NULL, newsize); \
85 if (wp == NULL) \
86 @@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
87 } \
88 if (! use_malloc) \
89 MEMCPY (wp, old, wpsize); \
90 - wpmax = newsize; \
91 + wpmax = wpneed; \
92 use_malloc = true; \
93 } \
94 else \
95 { \
96 size_t s = wpmax * sizeof (CHAR_T); \
97 - wp = (CHAR_T *) extend_alloca (wp, s, \
98 - newsize * sizeof (CHAR_T)); \
99 + wp = (CHAR_T *) extend_alloca (wp, s, newsize); \
100 wpmax = s / sizeof (CHAR_T); \
101 if (old != NULL) \
102 MEMCPY (wp, old, wpsize); \
103 --
104 2.2.1
105
Overlay for core ports