wok-4.x view glibc/stuff/patches/glibc-2.22-CVE-2015-8778.patch @ rev 12476

Up glibc (2.22) with CVE patchs
author Stanislas Leduc <shann@slitaz.org>
date Wed Mar 15 11:41:38 2023 +0000 (16 months ago)
1 Based on:
2 https://sourceware.org/bugzilla/show_bug.cgi?id=18240
3 https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=bae7c7c764413b23e61cb099ce33be4c4ee259bb
5 From 287de30e170cb765ed326d23d22791a81aab6e0f Mon Sep 17 00:00:00 2001
6 From: Florian Weimer <fweimer@redhat.com>
7 Date: Thu, 28 Jan 2016 13:59:11 +0100
8 Subject: [PATCH] Improve check against integer wraparound in hcreate_r [BZ
9 #18240]
10 ---
11 misc/Makefile | 3 +-
12 misc/bug18240.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++
13 misc/hsearch_r.c | 30 +++++++++++--------
14 3 files changed, 95 insertions(+), 13 deletions(-)
15 create mode 100644 misc/bug18240.c
17 diff --git a/misc/Makefile b/misc/Makefile
18 index aecb0da..704c2e5 100644
19 --- a/misc/Makefile
20 +++ b/misc/Makefile
21 @@ -76,7 +76,8 @@ install-lib := libg.a
22 gpl2lgpl := error.c error.h
24 tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \
25 - tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1
26 + tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \
27 + bug18240
28 ifeq ($(run-built-tests),yes)
29 tests-special += $(objpfx)tst-error1-mem.out
30 endif
31 diff --git a/misc/bug18240.c b/misc/bug18240.c
32 new file mode 100644
33 index 0000000..4b26865
34 --- /dev/null
35 +++ b/misc/bug18240.c
36 @@ -0,0 +1,75 @@
37 +/* Test integer wraparound in hcreate.
38 + Copyright (C) 2016 Free Software Foundation, Inc.
39 + This file is part of the GNU C Library.
40 +
41 + The GNU C Library is free software; you can redistribute it and/or
42 + modify it under the terms of the GNU Lesser General Public
43 + License as published by the Free Software Foundation; either
44 + version 2.1 of the License, or (at your option) any later version.
45 +
46 + The GNU C Library is distributed in the hope that it will be useful,
47 + but WITHOUT ANY WARRANTY; without even the implied warranty of
48 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
49 + Lesser General Public License for more details.
50 +
51 + You should have received a copy of the GNU Lesser General Public
52 + License along with the GNU C Library; if not, see
53 + <http://www.gnu.org/licenses/>. */
54 +
55 +#include <errno.h>
56 +#include <limits.h>
57 +#include <search.h>
58 +#include <stdbool.h>
59 +#include <stdio.h>
60 +#include <stdlib.h>
61 +
62 +static void
63 +test_size (size_t size)
64 +{
65 + int res = hcreate (size);
66 + if (res == 0)
67 + {
68 + if (errno == ENOMEM)
69 + return;
70 + printf ("error: hcreate (%zu): %m\n", size);
71 + exit (1);
72 + }
73 + char *keys[100];
74 + for (int i = 0; i < 100; ++i)
75 + {
76 + if (asprintf (keys + i, "%d", i) < 0)
77 + {
78 + printf ("error: asprintf: %m\n");
79 + exit (1);
80 + }
81 + ENTRY e = { keys[i], (char *) "value" };
82 + if (hsearch (e, ENTER) == NULL)
83 + {
84 + printf ("error: hsearch (\"%s\"): %m\n", keys[i]);
85 + exit (1);
86 + }
87 + }
88 + hdestroy ();
89 +
90 + for (int i = 0; i < 100; ++i)
91 + free (keys[i]);
92 +}
93 +
94 +static int
95 +do_test (void)
96 +{
97 + test_size (500);
98 + test_size (-1);
99 + test_size (-3);
100 + test_size (INT_MAX - 2);
101 + test_size (INT_MAX - 1);
102 + test_size (INT_MAX);
103 + test_size (((unsigned) INT_MAX) + 1);
104 + test_size (UINT_MAX - 2);
105 + test_size (UINT_MAX - 1);
106 + test_size (UINT_MAX);
107 + return 0;
108 +}
109 +
110 +#define TEST_FUNCTION do_test ()
111 +#include "../test-skeleton.c"
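Review bot: `test_size` accepts `errno == ENOMEM` as an expected outcome for every size and never clears `errno` before calling `hcreate`, so a failure that leaves `errno` untouched can be mistaken for an ENOMEM left over from an earlier call in `do_test`. Adding `errno = 0;` immediately before `int res = hcreate (size);` closes that gap. The first case, `test_size (500)`, would also pass if `hcreate` refused every request, so the regression test can succeed without ever exercising a table; requiring success for that size would make it meaningful. Separately, the largest sizes may be granted on hosts that overcommit memory, so capping `RLIMIT_AS` at the start of `do_test` would keep the run cheap and deterministic.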
112 diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
113 index 9f55e84..661f0f6 100644
114 --- a/misc/hsearch_r.c
115 +++ b/misc/hsearch_r.c
116 @@ -19,7 +19,7 @@
117 #include <errno.h>
118 #include <malloc.h>
119 #include <string.h>
120 -
121 +#include <stdint.h>
122 #include <search.h>
124 /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986
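Review bot: The added `#include <stdint.h>` does not supply the limit macro this patch relies on: the `__hcreate_r` hunk further down compares against `UINT_MAX`, which is defined by `<limits.h>`, and none of the visible new lines use a `<stdint.h>` name. Unless `<limits.h>` is already pulled in by a part of the file outside these hunks, add `#include <limits.h>` here so the bound check does not depend on a transitive include. If nothing else in the file needs `<stdint.h>`, the new include can be dropped.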
125 @@ -46,15 +46,12 @@ static int
126 isprime (unsigned int number)
127 {
128 /* no even number will be passed */
129 - unsigned int div = 3;
130 -
131 - while (div * div < number && number % div != 0)
132 - div += 2;
133 -
134 - return number % div != 0;
135 + for (unsigned int div = 3; div <= number / div; div += 2)
136 + if (number % div == 0)
137 + return 0;
138 + return 1;
139 }
141 -
142 /* Before using the hash table we must allocate memory for it.
143 Test for an existing table are done. We allocate one element
144 more as the found prime number says. This is done for more effective
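Review bot: The rewritten loop condition in `isprime` deserves a comment saying why it divides: `div <= number / div` replaces `div * div < number` because the product can wrap in `unsigned int` for candidates close to `UINT_MAX`. Something like `/* Compare against number / div; div * div would wrap for large numbers.  */` above the `for` keeps a later cleanup from reverting it to the multiplication.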
145 @@ -81,10 +78,19 @@ __hcreate_r (nel, htab)
146 use will not work. */
147 if (nel < 3)
148 nel = 3;
149 - /* Change nel to the first prime number not smaller as nel. */
150 - nel |= 1; /* make odd */
151 - while (!isprime (nel))
152 - nel += 2;
153 +
154 + /* Change nel to the first prime number in the range [nel, UINT_MAX - 2],
155 + The '- 2' means 'nel += 2' cannot overflow. */
156 + for (nel |= 1; ; nel += 2)
157 + {
158 + if (UINT_MAX - 2 < nel)
159 + {
160 + __set_errno (ENOMEM);
161 + return 0;
162 + }
163 + if (isprime (nel))
164 + break;
165 + }
167 htab->size = nel;
168 htab->filled = 0;
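Review bot: The new bound guarantees that `nel += 2` and the one extra element mentioned in the function's header comment cannot wrap, but the byte size of the table is computed by the allocation that follows this hunk, which is not visible here. That allocation is what finally refuses an oversized request, so it should go through an overflow-checked call such as `calloc` rather than a hand-written multiplication; this is worth confirming and recording next to the loop, e.g. `/* The allocation below must reject a byte count that overflows.  */`. The new comment also ends its first line with a comma before `The`; a full stop reads better. `__hcreate_r` begins and ends outside the hunk.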
169 --
170 2.17.1