CRUX-ARM : Home

Home :: Documentation :: Download :: Development :: Community :: Ports :: Packages :: Bugs :: Links :: About :: Donors
development / ports / core-arm.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
glibc: added patches for CVE-2015-8776, CVE-2015-8777, CVE-2015-8778, CVE-2015-8779
[ports/core-arm.git] / glibc / CVE-2015-8779.patch
1 diff --git a/catgets/Makefile b/catgets/Makefile
2 index 4624a88..56de38b 100644
3 --- a/catgets/Makefile
4 +++ b/catgets/Makefile
5 @@ -34,6 +34,7 @@ test-srcs = test-gencat
6 ifeq ($(run-built-tests),yes)
7 tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
8 $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
9 +tests-special += $(objpfx)tst-catgets-mem.out
10 endif
11
12 gencat-modules = xmalloc
13 @@ -50,9 +51,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcatdir)/%L/%N:$(msgcatdir)/%L/LC_MESSAGES/%
14
15 generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
16 test-gencat.h
17 +generated += tst-catgets.mtrace tst-catgets-mem.out
18 +
19 generated-dirs += de
20
21 -tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
22 +tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
23
24 ifeq ($(run-built-tests),yes)
25 # This test just checks whether the program produces any error or not.
26 @@ -86,4 +89,8 @@ $(objpfx)test-gencat.out: test-gencat.sh $(objpfx)test-gencat \
27 $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
28 $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
29 $(evaluate-test)
30 +
31 +$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
32 + $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
33 + $(evaluate-test)
34 endif
35 diff --git a/catgets/catgets.c b/catgets/catgets.c
36 index cf93d56..4be452d 100644
37 --- a/catgets/catgets.c
38 +++ b/catgets/catgets.c
39 @@ -16,7 +16,6 @@
40 License along with the GNU C Library; if not, see
41 <http://www.gnu.org/licenses/>. */
42
43 -#include <alloca.h>
44 #include <errno.h>
45 #include <locale.h>
46 #include <nl_types.h>
47 @@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
48 __nl_catd result;
49 const char *env_var = NULL;
50 const char *nlspath = NULL;
51 + char *tmp = NULL;
52
53 if (strchr (cat_name, '/') == NULL)
54 {
55 @@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
56 {
57 /* Append the system dependent directory. */
58 size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
59 - char *tmp = alloca (len);
60 + tmp = malloc (len);
61 +
62 + if (__glibc_unlikely (tmp == NULL))
63 + return (nl_catd) -1;
64
65 __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
66 nlspath = tmp;
67 @@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
68
69 result = (__nl_catd) malloc (sizeof (*result));
70 if (result == NULL)
71 - /* We cannot get enough memory. */
72 - return (nl_catd) -1;
73 -
74 - if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
75 + {
76 + /* We cannot get enough memory. */
77 + result = (nl_catd) -1;
78 + }
79 + else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
80 {
81 /* Couldn't open the file. */
82 free ((void *) result);
83 - return (nl_catd) -1;
84 + result = (nl_catd) -1;
85 }
86
87 + free (tmp);
88 return (nl_catd) result;
89 }
90
91 diff --git a/catgets/open_catalog.c b/catgets/open_catalog.c
92 index e069416..9f4d776 100644
93 --- a/catgets/open_catalog.c
94 +++ b/catgets/open_catalog.c
95 @@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
96 size_t tab_size;
97 const char *lastp;
98 int result = -1;
99 + char *buf = NULL;
100
101 if (strchr (cat_name, '/') != NULL || nlspath == NULL)
102 fd = open_not_cancel_2 (cat_name, O_RDONLY);
103 @@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
104 if (__glibc_unlikely (bufact + (n) >= bufmax)) \
105 { \
106 char *old_buf = buf; \
107 - bufmax += 256 + (n); \
108 - buf = (char *) alloca (bufmax); \
109 - memcpy (buf, old_buf, bufact); \
110 + bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
111 + buf = realloc (buf, bufmax); \
112 + if (__glibc_unlikely (buf == NULL)) \
113 + { \
114 + free (old_buf); \
115 + return -1; \
116 + } \
117 }
118
119 /* The RUN_NLSPATH variable contains a colon separated list of
120 descriptions where we expect to find catalogs. We have to
121 recognize certain % substitutions and stop when we found the
122 first existing file. */
123 - char *buf;
124 size_t bufact;
125 - size_t bufmax;
126 + size_t bufmax = 0;
127 size_t len;
128
129 - buf = NULL;
130 - bufmax = 0;
131 -
132 fd = -1;
133 while (*run_nlspath != '\0')
134 {
135 @@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
136
137 /* Avoid dealing with directories and block devices */
138 if (__builtin_expect (fd, 0) < 0)
139 - return -1;
140 + {
141 + free (buf);
142 + return -1;
143 + }
144
145 if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
146 goto close_unlock_return;
147 @@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
148 /* Release the lock again. */
149 close_unlock_return:
150 close_not_cancel_no_status (fd);
151 + free (buf);
152
153 return result;
154 }
155 diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c
156 index a0a4089..140de72 100644
157 --- a/catgets/tst-catgets.c
158 +++ b/catgets/tst-catgets.c
159 @@ -1,7 +1,10 @@
160 +#include <assert.h>
161 #include <mcheck.h>
162 #include <nl_types.h>
163 #include <stdio.h>
164 +#include <stdlib.h>
165 #include <string.h>
166 +#include <sys/resource.h>
167
168
169 static const char *msgs[] =
170 @@ -12,6 +15,33 @@ static const char *msgs[] =
171 };
172 #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
173
174 +
175 +/* Test for unbounded alloca. */
176 +static int
177 +do_bz17905 (void)
178 +{
179 + char *buf;
180 + struct rlimit rl;
181 + nl_catd result;
182 +
183 + const int sz = 1024 * 1024;
184 +
185 + getrlimit (RLIMIT_STACK, &rl);
186 + rl.rlim_cur = sz;
187 + setrlimit (RLIMIT_STACK, &rl);
188 +
189 + buf = malloc (sz + 1);
190 + memset (buf, 'A', sz);
191 + buf[sz] = '\0';
192 + setenv ("NLSPATH", buf, 1);
193 +
194 + result = catopen (buf, NL_CAT_LOCALE);
195 + assert (result == (nl_catd) -1);
196 +
197 + free (buf);
198 + return 0;
199 +}
200 +
201 #define ROUNDS 5
202
203 static int
204 @@ -62,6 +92,7 @@ do_test (void)
205 }
206 }
207
208 + result += do_bz17905 ();
209 return result;
210 }
211
212 --
213 1.9.4
214
215 From 7565d2a862683a3c26ffb1f32351b8c5ab9f7b31 Mon Sep 17 00:00:00 2001
216 From: Paul Pluzhnikov <ppluzhnikov@google.com>
217 Date: Sat, 8 Aug 2015 15:54:40 -0700
218 Subject: [PATCH] Fix trailing space.
219
220 ---
221 catgets/tst-catgets.c | 2 +-
222 1 file changed, 1 insertion(+), 1 deletion(-)
223
224 diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c
225 index 140de72..0886938 100644
226 --- a/catgets/tst-catgets.c
227 +++ b/catgets/tst-catgets.c
228 @@ -30,7 +30,7 @@ do_bz17905 (void)
229 rl.rlim_cur = sz;
230 setrlimit (RLIMIT_STACK, &rl);
231
232 - buf = malloc (sz + 1);
233 + buf = malloc (sz + 1);
234 memset (buf, 'A', sz);
235 buf[sz] = '\0';
236 setenv ("NLSPATH", buf, 1);
237 --
238 1.9.4
239
Overlay for core ports