wok-4.x view glibc/stuff/patches/glibc-2.22-CVE-2015-8779.patch @ rev 12476

Up glibc (2.22) with CVE patches
author Stanislas Leduc <shann@slitaz.org>
date Wed Mar 15 11:41:38 2023 +0000 (14 months ago)
1 Based on:
2 https://sourceware.org/bugzilla/show_bug.cgi?id=17905
3 https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=0f58539030e436449f79189b6edab17d7479796e
4 https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=7565d2a862683a3c26ffb1f32351b8c5ab9f7b31
6 From afd269312ea8aef752b8e4c2531bdd920a085708 Mon Sep 17 00:00:00 2001
7 From: Paul Pluzhnikov <ppluzhnikov@google.com>
8 Date: Sat, 8 Aug 2015 15:53:03 -0700
9 Subject: [PATCH] Fix BZ #17905
11 ---
12 catgets/Makefile | 9 ++++++++-
13 catgets/catgets.c | 19 ++++++++++++-------
14 catgets/open_catalog.c | 23 ++++++++++++++---------
15 catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++
16 4 files changed, 65 insertions(+), 17 deletions(-)
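--- a/catgets/Makefile
+++ b/catgets/Makefile
@@ -34,6 +34,7 @@ test-srcs = test-gencat
 ifeq ($(run-built-tests),yes)
 tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
 $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
+tests-special += $(objpfx)tst-catgets-mem.out
 endif
 gencat-modules = xmalloc
@@ -50,9 +51,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcatdir)/%L/%N:$(msgcatdir)/%L/LC_MESSAGES/%
 generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
 test-gencat.h
+generated += tst-catgets.mtrace tst-catgets-mem.out
+
 generated-dirs += de
-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
 ifeq ($(run-built-tests),yes)
 # This test just checks whether the program produces any error or not.
@@ -86,4 +89,8 @@ $(objpfx)test-gencat.out: test-gencat.sh $(objpfx)test-gencat \
 $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
 $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
 $(evaluate-test)
+
+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
+ $(evaluate-test)
 endif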
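--- a/catgets/catgets.c
+++ b/catgets/catgets.c
@@ -16,7 +16,6 @@
 License along with the GNU C Library; if not, see
 <http://www.gnu.org/licenses/>. */
-#include <alloca.h>
 #include <errno.h>
 #include <locale.h>
 #include <nl_types.h>
@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
 __nl_catd result;
 const char *env_var = NULL;
 const char *nlspath = NULL;
+ char *tmp = NULL;
 if (strchr (cat_name, '/') == NULL)
 {
@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
 {
 /* Append the system dependent directory. */
 size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
- char *tmp = alloca (len);
+ tmp = malloc (len);
+
+ if (__glibc_unlikely (tmp == NULL))
+ return (nl_catd) -1;
 __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
 nlspath = tmp;
@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
 result = (__nl_catd) malloc (sizeof (*result));
 if (result == NULL)
- /* We cannot get enough memory. */
- return (nl_catd) -1;
-
- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+ {
+ /* We cannot get enough memory. */
+ result = (nl_catd) -1;
+ }
+ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
 {
 /* Couldn't open the file. */
 free ((void *) result);
- return (nl_catd) -1;
+ result = (nl_catd) -1;
 }
+ free (tmp);
 return (nl_catd) result;
 }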
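Review bot: In catopen, `nlspath` is re-pointed at the heap buffer `tmp` and is still read by `__open_catalog`, but nothing in the new code states that `tmp` must outlive that call or that the one `free (tmp)` before the final return is the only release point. I would add a comment at the declaration, for example `/* Heap copy of nlspath plus the default NLSPATH; nlspath aliases it, so free only after __open_catalog returns. */`. It is also worth recording why the buffer left the stack: `len` follows `strlen (nlspath)`, which appears to come from the process environment and so has no fixed bound. The body of catopen continues outside the visible hunks, so paths between the `malloc` and the `free` other than the ones shown could not be checked here.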
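--- a/catgets/open_catalog.c
+++ b/catgets/open_catalog.c
@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
 size_t tab_size;
 const char *lastp;
 int result = -1;
+ char *buf = NULL;
 if (strchr (cat_name, '/') != NULL || nlspath == NULL)
 fd = open_not_cancel_2 (cat_name, O_RDONLY);
@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
 if (__glibc_unlikely (bufact + (n) >= bufmax)) \
 { \
 char *old_buf = buf; \
- bufmax += 256 + (n); \
- buf = (char *) alloca (bufmax); \
- memcpy (buf, old_buf, bufact); \
+ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
+ buf = realloc (buf, bufmax); \
+ if (__glibc_unlikely (buf == NULL)) \
+ { \
+ free (old_buf); \
+ return -1; \
+ } \
 }
 /* The RUN_NLSPATH variable contains a colon separated list of
 descriptions where we expect to find catalogs. We have to
 recognize certain % substitutions and stop when we found the
 first existing file. */
- char *buf;
 size_t bufact;
- size_t bufmax;
+ size_t bufmax = 0;
 size_t len;
- buf = NULL;
- bufmax = 0;
-
 fd = -1;
 while (*run_nlspath != '\0')
 {
@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
 /* Avoid dealing with directories and block devices */
 if (__builtin_expect (fd, 0) < 0)
- return -1;
+ {
+ free (buf);
+ return -1;
+ }
 if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
 goto close_unlock_return;
@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
 /* Release the lock again. */
 close_unlock_return:
 close_not_cancel_no_status (fd);
+ free (buf);
 return result;
 }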
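Review bot: The rewritten buffer-growth macro now carries a `return -1;` that leaves `__open_catalog` from inside the macro body, which is easy to miss at its call sites and bypasses the `close_unlock_return` label where `fd` is closed. From the visible lines this looks safe only because `fd` is set to -1 before the search loop, so the constraint deserves a comment on the macro such as `/* Returns -1 from the enclosing function on allocation failure; use only while fd is not open. */`. The growth step `bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax;` has no wrap-around check either; that is unlikely to matter for realistic path lengths, but a short note that overflow is not handled would save the next reader the analysis. The macro's `#define` line and its uses are outside the hunks shown.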
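--- a/catgets/tst-catgets.c
+++ b/catgets/tst-catgets.c
@@ -1,7 +1,10 @@
+#include <assert.h>
 #include <mcheck.h>
 #include <nl_types.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
+#include <sys/resource.h>
 static const char *msgs[] =
@@ -12,6 +15,33 @@ static const char *msgs[] =
 };
 #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
+
+/* Test for unbounded alloca. */
+static int
+do_bz17905 (void)
+{
+ char *buf;
+ struct rlimit rl;
+ nl_catd result;
+
+ const int sz = 1024 * 1024;
+
+ getrlimit (RLIMIT_STACK, &rl);
+ rl.rlim_cur = sz;
+ setrlimit (RLIMIT_STACK, &rl);
+
+ buf = malloc (sz + 1);
+ memset (buf, 'A', sz);
+ buf[sz] = '\0';
+ setenv ("NLSPATH", buf, 1);
+
+ result = catopen (buf, NL_CAT_LOCALE);
+ assert (result == (nl_catd) -1);
+
+ free (buf);
+ return 0;
+}
+
 #define ROUNDS 5
 static int
@@ -62,6 +92,7 @@ do_test (void)
 }
 }
+ result += do_bz17905 ();
 return result;
 }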
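Review bot: do_bz17905 ignores the results of `getrlimit`, `setrlimit` and `malloc`, so if the stack limit cannot be lowered the regression test can pass without exercising the condition it was written for, and a failed `malloc` is dereferenced by `memset`. Checking them is cheap: `if (setrlimit (RLIMIT_STACK, &rl) != 0) return 1;` and `if (buf == NULL) return 1;`. The outcome is also verified only through `assert`, which compiles away under NDEBUG; returning non-zero when `result != (nl_catd) -1` would keep the check alive in every build. The lowered RLIMIT_STACK stays in effect for the rest of the process, which is harmless only while this helper is called last, as it is in the do_test hunk.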
229 --
230 2.17.1