wok-4.x rev 12476
Up glibc (2.22) with CVE patchs
line diff
1.1 --- a/glibc-base/receipt Wed Mar 15 08:07:13 2023 +0000 1.2 +++ b/glibc-base/receipt Wed Mar 15 11:41:38 2023 +0000 1.3 @@ -1,7 +1,7 @@ 1.4 # SliTaz package receipt. 1.5 1.6 PACKAGE="glibc-base" 1.7 -VERSION="2.21" 1.8 +VERSION="2.22" 1.9 CATEGORY="base-system" 1.10 SHORT_DESC="GNU libc minimal libraries and UTF-8 support for SliTaz." 1.11 WEB_SITE="http://www.gnu.org/software/libc/"
2.1 --- a/glibc-base/stuff/wanted-files.list Wed Mar 15 08:07:13 2023 +0000 2.2 +++ b/glibc-base/stuff/wanted-files.list Wed Mar 15 11:41:38 2023 +0000 2.3 @@ -1,18 +1,18 @@ 2.4 -/lib/libutil-2.21.so 2.5 -/lib/libnss_dns-2.21.so 2.6 -/lib/libnsl-2.21.so 2.7 -/lib/libanl-2.21.so 2.8 -/lib/libm-2.21.so 2.9 -/lib/libpthread-2.21.so 2.10 +/lib/libutil-2.22.so 2.11 +/lib/libnss_dns-2.22.so 2.12 +/lib/libnsl-2.22.so 2.13 +/lib/libanl-2.22.so 2.14 +/lib/libm-2.22.so 2.15 +/lib/libpthread-2.22.so 2.16 /lib/libthread_db-1.0.so 2.17 -/lib/libnss_compat-2.21.so 2.18 -/lib/libc-2.21.so 2.19 -/lib/librt-2.21.so 2.20 -/lib/libcrypt-2.21.so 2.21 -/lib/ld-2.21.so 2.22 -/lib/libresolv-2.21.so 2.23 -/lib/libnss_files-2.21.so 2.24 -/lib/libdl-2.21.so 2.25 +/lib/libnss_compat-2.22.so 2.26 +/lib/libc-2.22.so 2.27 +/lib/librt-2.22.so 2.28 +/lib/libcrypt-2.22.so 2.29 +/lib/ld-2.22.so 2.30 +/lib/libresolv-2.22.so 2.31 +/lib/libnss_files-2.22.so 2.32 +/lib/libdl-2.22.so 2.33 2.34 /usr/lib/gconv/UNICODE.so 2.35 /usr/lib/gconv/gconv-modules
3.1 --- a/glibc-dev/receipt Wed Mar 15 08:07:13 2023 +0000 3.2 +++ b/glibc-dev/receipt Wed Mar 15 11:41:38 2023 +0000 3.3 @@ -1,7 +1,7 @@ 3.4 # SliTaz package receipt. 3.5 3.6 PACKAGE="glibc-dev" 3.7 -VERSION="2.21" 3.8 +VERSION="2.22" 3.9 CATEGORY="development" 3.10 SHORT_DESC="The GNU C libraries devel files (Part of SliTaz toolchain)." 3.11 MAINTAINER="pankso@slitaz.org"
4.1 --- a/glibc-extra-samba/receipt Wed Mar 15 08:07:13 2023 +0000 4.2 +++ b/glibc-extra-samba/receipt Wed Mar 15 11:41:38 2023 +0000 4.3 @@ -1,7 +1,7 @@ 4.4 # SliTaz package receipt. 4.5 4.6 PACKAGE="glibc-extra-samba" 4.7 -VERSION="2.21" 4.8 +VERSION="2.22" 4.9 CATEGORY="base-system" 4.10 SHORT_DESC="GNU libc extra gconv modules for samba." 4.11 WEB_SITE="http://gcc.gnu.org/"
5.1 --- a/glibc-locale/receipt Wed Mar 15 08:07:13 2023 +0000 5.2 +++ b/glibc-locale/receipt Wed Mar 15 11:41:38 2023 +0000 5.3 @@ -1,7 +1,7 @@ 5.4 # SliTaz package receipt. 5.5 5.6 PACKAGE="glibc-locale" 5.7 -VERSION="2.21" 5.8 +VERSION="2.22" 5.9 CATEGORY="system-tools" 5.10 SHORT_DESC="The GNU C libraries locale files and utilities (see also locale-*)." 5.11 MAINTAINER="pankso@slitaz.org"
6.1 --- a/glibc/receipt Wed Mar 15 08:07:13 2023 +0000 6.2 +++ b/glibc/receipt Wed Mar 15 11:41:38 2023 +0000 6.3 @@ -1,7 +1,7 @@ 6.4 # SliTaz package receipt. 6.5 6.6 PACKAGE="glibc" 6.7 -VERSION="2.21" 6.8 +VERSION="2.22" 6.9 CATEGORY="meta" 6.10 SHORT_DESC="The GNU C libraries. This package is used to compile the libc." 6.11 MAINTAINER="pankso@slitaz.org" 6.12 @@ -14,6 +14,41 @@ 6.13 6.14 # Genpkg order for tazwok. 6.15 COOK_OPT="genpkg=glibc-base:glibc-extra-samba:glib-locale:glibc-dev" 6.16 + 6.17 +# Apply glibc patches CVE 6.18 +apply_cve_patchs() 6.19 +{ 6.20 + while read file; do 6.21 + [ -f done.$file ] && continue 6.22 + echo "Apply $file..." 6.23 + patch -p1 < $stuff/patches/$PACKAGE-$VERSION-CVE-$file || return 1 6.24 + touch done.$file 6.25 + done <<EOT 6.26 +2014-9761.patch 6.27 +2015-5180.patch 6.28 +2015-7547-getaddrinfo-stack-based-buffer-overflow.patch 6.29 +2015-8776.patch 6.30 +2015-8777.patch 6.31 +2015-8778.patch 6.32 +2015-8779.patch 6.33 +2016-1234.patch 6.34 +2016-3075.patch 6.35 +2016-3706.patch 6.36 +2016-4429.patch 6.37 +2016-5417.patch 6.38 +2016-6323.patch 6.39 +2017-1000366.patch 6.40 +2017-12133.patch 6.41 +2017-15670.patch 6.42 +2017-15671.patch 6.43 +2017-15804.patch 6.44 +2017-16997.patch 6.45 +2017-18269.patch 6.46 +2018-1000001.patch 6.47 +2018-11236.patch 6.48 +2018-6485.patch 6.49 +EOT 6.50 +} 6.51 6.52 # Rules to compile & install the temporary toolchain. 6.53 cook_tmp_toolchain() 6.54 @@ -56,6 +91,8 @@ 6.55 { 6.56 cd $src 6.57 6.58 + apply_cve_patchs 6.59 + 6.60 # SliTaz is a Busybox based OS, why we so small and fast. Using gawk by 6.61 # default to build package will not ensure package work with Busybox awk 6.62 # and so should NOT be use to cook. 6.63 @@ -69,21 +106,21 @@ 6.64 6.65 # Glibc misc Bug Fixes 6.66 # fix for {linux,sys}/xattr.h incompatibility - commit fdbe8eae 6.67 - patch -p1 -i $stuff/glibc-2.19-xattr_header.patch 6.68 + #patch -p1 -i $stuff/glibc-2.19-xattr_header.patch 6.69 6.70 # fix issues in sin/cos slow path calculation - commit ffe768a9 6.71 - patch -p1 -i $stuff/glibc-2.19-fix-sign-in-bsloww1-input.patch 6.72 + #patch -p1 -i $stuff/glibc-2.19-fix-sign-in-bsloww1-input.patch 6.73 6.74 # fix tzselect with missing TZDIR - commit 893b4f37/c72399fb 6.75 - patch -p1 -i $stuff/glibc-2.19-tzselect-default.patch 6.76 + #patch -p1 -i $stuff/glibc-2.19-tzselect-default.patch 6.77 6.78 # Revert commit causing issues with crappy DNS servers 6.79 - patch -Np1 -i $stuff/glibc-2.14-revert-4768ae77.patch 6.80 + #patch -Np1 -i $stuff/glibc-2.14-revert-4768ae77.patch 6.81 6.82 # Fix a stack imbalance that occurs under some conditions: 6.83 - sed -i '195,213 s/PRIVATE_FUTEX/FUTEX_CLOCK_REALTIME/' \ 6.84 - nptl/sysdeps/unix/sysv/linux/x86_64/pthread_rwlock_timedrdlock.S \ 6.85 - nptl/sysdeps/unix/sysv/linux/x86_64/pthread_rwlock_timedwrlock.S 6.86 + #sed -i '195,213 s/PRIVATE_FUTEX/FUTEX_CLOCK_REALTIME/' \ 6.87 + # nptl/sysdeps/unix/sysv/linux/x86_64/pthread_rwlock_timedrdlock.S \ 6.88 + # nptl/sysdeps/unix/sysv/linux/x86_64/pthread_rwlock_timedwrlock.S 6.89 6.90 # Glibc needs ld.so.conf in the install destdir. 6.91 mkdir -p $WOK/$PACKAGE/install/etc
7.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 7.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2014-9761.patch Wed Mar 15 11:41:38 2023 +0000 7.3 @@ -0,0 +1,1123 @@ 7.4 +Based on: 7.5 + 7.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 7.7 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=8f5e8b01a1da2a207228f2072c934fa5918554b8 7.8 + 7.9 +From e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 Mon Sep 17 00:00:00 2001 7.10 +From: Joseph Myers <joseph@codesourcery.com> 7.11 +Date: Tue, 24 Nov 2015 22:24:52 +0000 7.12 +Subject: [PATCH] Refactor strtod parsing of NaN payloads. 7.13 + 7.14 +The nan* functions handle their string argument by constructing a 7.15 +NAN(...) string on the stack as a VLA and passing it to strtod 7.16 +functions. 7.17 + 7.18 +This approach has problems discussed in bug 16961 and bug 16962: the 7.19 +stack usage is unbounded, and it gives incorrect results in certain 7.20 +cases where the argument is not a valid n-char-sequence. 7.21 + 7.22 +The natural fix for both issues is to refactor the NaN payload parsing 7.23 +out of strtod into a separate function that the nan* functions can 7.24 +call directly, so that no temporary string needs constructing on the 7.25 +stack at all. This patch does that refactoring in preparation for 7.26 +fixing those bugs (but without actually using the new functions from 7.27 +nan* - which will also require exporting them from libc at version 7.28 +GLIBC_PRIVATE). This patch is not intended to change any user-visible 7.29 +behavior, so no tests are added (fixes for the above bugs will of 7.30 +course add tests for them). 7.31 + 7.32 +This patch builds on my recent fixes for strtol and strtod issues in 7.33 +Turkish locales. Given those fixes, the parsing of NaN payloads is 7.34 +locale-independent; thus, the new functions do not need to take a 7.35 +locale_t argument. 7.36 + 7.37 +diff -Naur a/include/stdlib.h b/include/stdlib.h 7.38 +--- a/include/stdlib.h 2017-09-15 15:37:06.011900628 +0530 7.39 ++++ b/include/stdlib.h 2017-09-15 15:37:13.851729724 +0530 7.40 +@@ -203,6 +203,24 @@ 7.41 + libc_hidden_proto (strtoul) 7.42 + libc_hidden_proto (strtoull) 7.43 + 7.44 ++extern float __strtof_nan (const char *, char **, char) internal_function; 7.45 ++extern double __strtod_nan (const char *, char **, char) internal_function; 7.46 ++extern long double __strtold_nan (const char *, char **, char) 7.47 ++ internal_function; 7.48 ++extern float __wcstof_nan (const wchar_t *, wchar_t **, wchar_t) 7.49 ++ internal_function; 7.50 ++extern double __wcstod_nan (const wchar_t *, wchar_t **, wchar_t) 7.51 ++ internal_function; 7.52 ++extern long double __wcstold_nan (const wchar_t *, wchar_t **, wchar_t) 7.53 ++ internal_function; 7.54 ++ 7.55 ++libc_hidden_proto (__strtof_nan) 7.56 ++libc_hidden_proto (__strtod_nan) 7.57 ++libc_hidden_proto (__strtold_nan) 7.58 ++libc_hidden_proto (__wcstof_nan) 7.59 ++libc_hidden_proto (__wcstod_nan) 7.60 ++libc_hidden_proto (__wcstold_nan) 7.61 ++ 7.62 + extern char *__ecvt (double __value, int __ndigit, int *__restrict __decpt, 7.63 + int *__restrict __sign); 7.64 + extern char *__fcvt (double __value, int __ndigit, int *__restrict __decpt, 7.65 +diff -Naur a/include/wchar.h b/include/wchar.h 7.66 +--- a/include/wchar.h 2017-09-15 15:37:06.011900628 +0530 7.67 ++++ b/include/wchar.h 2017-09-15 15:37:13.851729724 +0530 7.68 +@@ -52,6 +52,9 @@ 7.69 + __restrict __endptr, 7.70 + int __base, 7.71 + int __group) __THROW; 7.72 ++extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, 7.73 ++ wchar_t **, int, int, 7.74 ++ __locale_t); 7.75 + libc_hidden_proto (__wcstof_internal) 7.76 + libc_hidden_proto (__wcstod_internal) 7.77 + libc_hidden_proto (__wcstold_internal) 7.78 +diff -Naur a/math/Makefile b/math/Makefile 7.79 +--- a/math/Makefile 2017-09-15 15:37:06.039900018 +0530 7.80 ++++ b/math/Makefile 2017-09-15 15:41:38.669965657 +0530 7.81 +@@ -108,6 +108,7 @@ 7.82 + test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \ 7.83 + test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \ 7.84 + test-fenv-tls test-fenv-preserve test-fenv-return test-fenvinline \ 7.85 ++ test-signgam-ullong-init test-nan-overflow test-nan-payload \ 7.86 + $(tests-static) 7.87 + tests-static = test-fpucw-static test-fpucw-ieee-static 7.88 + # We do the `long double' tests only if this data type is available and 7.89 +diff -Naur a/math/s_nan.c b/math/s_nan.c 7.90 +--- a/math/s_nan.c 2017-09-15 15:37:06.051899756 +0530 7.91 ++++ b/math/s_nan.c 2017-09-15 15:38:10.122503550 +0530 7.92 +@@ -28,14 +28,7 @@ 7.93 + double 7.94 + __nan (const char *tagp) 7.95 + { 7.96 +- if (tagp[0] != '\0') 7.97 +- { 7.98 +- char buf[6 + strlen (tagp)]; 7.99 +- sprintf (buf, "NAN(%s)", tagp); 7.100 +- return strtod (buf, NULL); 7.101 +- } 7.102 +- 7.103 +- return NAN; 7.104 ++ return __strtod_nan (tagp, NULL, 0); 7.105 + } 7.106 + weak_alias (__nan, nan) 7.107 + #ifdef NO_LONG_DOUBLE 7.108 +diff -Naur a/math/s_nanf.c b/math/s_nanf.c 7.109 +--- a/math/s_nanf.c 2017-09-15 15:37:06.051899756 +0530 7.110 ++++ b/math/s_nanf.c 2017-09-15 15:38:10.122503550 +0530 7.111 +@@ -28,13 +28,6 @@ 7.112 + float 7.113 + __nanf (const char *tagp) 7.114 + { 7.115 +- if (tagp[0] != '\0') 7.116 +- { 7.117 +- char buf[6 + strlen (tagp)]; 7.118 +- sprintf (buf, "NAN(%s)", tagp); 7.119 +- return strtof (buf, NULL); 7.120 +- } 7.121 +- 7.122 +- return NAN; 7.123 ++ return __strtof_nan (tagp, NULL, 0); 7.124 + } 7.125 + weak_alias (__nanf, nanf) 7.126 +diff -Naur a/math/s_nanl.c b/math/s_nanl.c 7.127 +--- a/math/s_nanl.c 2017-09-15 15:37:06.051899756 +0530 7.128 ++++ b/math/s_nanl.c 2017-09-15 15:38:10.122503550 +0530 7.129 +@@ -28,13 +28,6 @@ 7.130 + long double 7.131 + __nanl (const char *tagp) 7.132 + { 7.133 +- if (tagp[0] != '\0') 7.134 +- { 7.135 +- char buf[6 + strlen (tagp)]; 7.136 +- sprintf (buf, "NAN(%s)", tagp); 7.137 +- return strtold (buf, NULL); 7.138 +- } 7.139 +- 7.140 +- return NAN; 7.141 ++ return __strtold_nan (tagp, NULL, 0); 7.142 + } 7.143 + weak_alias (__nanl, nanl) 7.144 +diff -Naur a/math/test-nan-overflow.c b/math/test-nan-overflow.c 7.145 +--- a/math/test-nan-overflow.c 1970-01-01 05:30:00.000000000 +0530 7.146 ++++ b/math/test-nan-overflow.c 2017-09-15 15:38:10.122503550 +0530 7.147 +@@ -0,0 +1,66 @@ 7.148 ++/* Test nan functions stack overflow (bug 16962). 7.149 ++ Copyright (C) 2015 Free Software Foundation, Inc. 7.150 ++ This file is part of the GNU C Library. 7.151 ++ 7.152 ++ The GNU C Library is free software; you can redistribute it and/or 7.153 ++ modify it under the terms of the GNU Lesser General Public 7.154 ++ License as published by the Free Software Foundation; either 7.155 ++ version 2.1 of the License, or (at your option) any later version. 7.156 ++ 7.157 ++ The GNU C Library is distributed in the hope that it will be useful, 7.158 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.159 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.160 ++ Lesser General Public License for more details. 7.161 ++ 7.162 ++ You should have received a copy of the GNU Lesser General Public 7.163 ++ License along with the GNU C Library; if not, see 7.164 ++ <http://www.gnu.org/licenses/>. */ 7.165 ++ 7.166 ++#include <math.h> 7.167 ++#include <stdio.h> 7.168 ++#include <string.h> 7.169 ++#include <sys/resource.h> 7.170 ++ 7.171 ++#define STACK_LIM 1048576 7.172 ++#define STRING_SIZE (2 * STACK_LIM) 7.173 ++ 7.174 ++static int 7.175 ++do_test (void) 7.176 ++{ 7.177 ++ int result = 0; 7.178 ++ struct rlimit lim; 7.179 ++ getrlimit (RLIMIT_STACK, &lim); 7.180 ++ lim.rlim_cur = STACK_LIM; 7.181 ++ setrlimit (RLIMIT_STACK, &lim); 7.182 ++ char *nanstr = malloc (STRING_SIZE); 7.183 ++ if (nanstr == NULL) 7.184 ++ { 7.185 ++ puts ("malloc failed, cannot test"); 7.186 ++ return 77; 7.187 ++ } 7.188 ++ memset (nanstr, '0', STRING_SIZE - 1); 7.189 ++ nanstr[STRING_SIZE - 1] = 0; 7.190 ++#define NAN_TEST(TYPE, FUNC) \ 7.191 ++ do \ 7.192 ++ { \ 7.193 ++ char *volatile p = nanstr; \ 7.194 ++ volatile TYPE v = FUNC (p); \ 7.195 ++ if (isnan (v)) \ 7.196 ++ puts ("PASS: " #FUNC); \ 7.197 ++ else \ 7.198 ++ { \ 7.199 ++ puts ("FAIL: " #FUNC); \ 7.200 ++ result = 1; \ 7.201 ++ } \ 7.202 ++ } \ 7.203 ++ while (0) 7.204 ++ NAN_TEST (float, nanf); 7.205 ++ NAN_TEST (double, nan); 7.206 ++#ifndef NO_LONG_DOUBLE 7.207 ++ NAN_TEST (long double, nanl); 7.208 ++#endif 7.209 ++ return result; 7.210 ++} 7.211 ++ 7.212 ++#define TEST_FUNCTION do_test () 7.213 ++#include "../test-skeleton.c" 7.214 +diff -Naur a/math/test-nan-payload.c b/math/test-nan-payload.c 7.215 +--- a/math/test-nan-payload.c 1970-01-01 05:30:00.000000000 +0530 7.216 ++++ b/math/test-nan-payload.c 2017-09-15 15:38:10.122503550 +0530 7.217 +@@ -0,0 +1,122 @@ 7.218 ++/* Test nan functions payload handling (bug 16961). 7.219 ++ Copyright (C) 2015 Free Software Foundation, Inc. 7.220 ++ This file is part of the GNU C Library. 7.221 ++ 7.222 ++ The GNU C Library is free software; you can redistribute it and/or 7.223 ++ modify it under the terms of the GNU Lesser General Public 7.224 ++ License as published by the Free Software Foundation; either 7.225 ++ version 2.1 of the License, or (at your option) any later version. 7.226 ++ 7.227 ++ The GNU C Library is distributed in the hope that it will be useful, 7.228 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.229 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.230 ++ Lesser General Public License for more details. 7.231 ++ 7.232 ++ You should have received a copy of the GNU Lesser General Public 7.233 ++ License along with the GNU C Library; if not, see 7.234 ++ <http://www.gnu.org/licenses/>. */ 7.235 ++ 7.236 ++#include <float.h> 7.237 ++#include <math.h> 7.238 ++#include <stdio.h> 7.239 ++#include <stdlib.h> 7.240 ++#include <string.h> 7.241 ++ 7.242 ++/* Avoid built-in functions. */ 7.243 ++#define WRAP_NAN(FUNC, STR) \ 7.244 ++ ({ const char *volatile wns = (STR); FUNC (wns); }) 7.245 ++#define WRAP_STRTO(FUNC, STR) \ 7.246 ++ ({ const char *volatile wss = (STR); FUNC (wss, NULL); }) 7.247 ++ 7.248 ++#define CHECK_IS_NAN(TYPE, A) \ 7.249 ++ do \ 7.250 ++ { \ 7.251 ++ if (isnan (A)) \ 7.252 ++ puts ("PASS: " #TYPE " " #A); \ 7.253 ++ else \ 7.254 ++ { \ 7.255 ++ puts ("FAIL: " #TYPE " " #A); \ 7.256 ++ result = 1; \ 7.257 ++ } \ 7.258 ++ } \ 7.259 ++ while (0) 7.260 ++ 7.261 ++#define CHECK_SAME_NAN(TYPE, A, B) \ 7.262 ++ do \ 7.263 ++ { \ 7.264 ++ if (memcmp (&(A), &(B), sizeof (A)) == 0) \ 7.265 ++ puts ("PASS: " #TYPE " " #A " = " #B); \ 7.266 ++ else \ 7.267 ++ { \ 7.268 ++ puts ("FAIL: " #TYPE " " #A " = " #B); \ 7.269 ++ result = 1; \ 7.270 ++ } \ 7.271 ++ } \ 7.272 ++ while (0) 7.273 ++ 7.274 ++#define CHECK_DIFF_NAN(TYPE, A, B) \ 7.275 ++ do \ 7.276 ++ { \ 7.277 ++ if (memcmp (&(A), &(B), sizeof (A)) != 0) \ 7.278 ++ puts ("PASS: " #TYPE " " #A " != " #B); \ 7.279 ++ else \ 7.280 ++ { \ 7.281 ++ puts ("FAIL: " #TYPE " " #A " != " #B); \ 7.282 ++ result = 1; \ 7.283 ++ } \ 7.284 ++ } \ 7.285 ++ while (0) 7.286 ++ 7.287 ++/* Cannot test payloads by memcmp for formats where NaNs have padding 7.288 ++ bits. */ 7.289 ++#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106) 7.290 ++ 7.291 ++#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG) \ 7.292 ++ do \ 7.293 ++ { \ 7.294 ++ TYPE n123 = WRAP_NAN (FUNC, "123"); \ 7.295 ++ CHECK_IS_NAN (TYPE, n123); \ 7.296 ++ TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)"); \ 7.297 ++ CHECK_IS_NAN (TYPE, s123); \ 7.298 ++ TYPE n456 = WRAP_NAN (FUNC, "456"); \ 7.299 ++ CHECK_IS_NAN (TYPE, n456); \ 7.300 ++ TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)"); \ 7.301 ++ CHECK_IS_NAN (TYPE, s456); \ 7.302 ++ TYPE n123x = WRAP_NAN (FUNC, "123)"); \ 7.303 ++ CHECK_IS_NAN (TYPE, n123x); \ 7.304 ++ TYPE nemp = WRAP_NAN (FUNC, ""); \ 7.305 ++ CHECK_IS_NAN (TYPE, nemp); \ 7.306 ++ TYPE semp = WRAP_STRTO (SFUNC, "NAN()"); \ 7.307 ++ CHECK_IS_NAN (TYPE, semp); \ 7.308 ++ TYPE sx = WRAP_STRTO (SFUNC, "NAN"); \ 7.309 ++ CHECK_IS_NAN (TYPE, sx); \ 7.310 ++ if (CAN_TEST_EQ (MANT_DIG)) \ 7.311 ++ CHECK_SAME_NAN (TYPE, n123, s123); \ 7.312 ++ if (CAN_TEST_EQ (MANT_DIG)) \ 7.313 ++ CHECK_SAME_NAN (TYPE, n456, s456); \ 7.314 ++ if (CAN_TEST_EQ (MANT_DIG)) \ 7.315 ++ CHECK_SAME_NAN (TYPE, nemp, semp); \ 7.316 ++ if (CAN_TEST_EQ (MANT_DIG)) \ 7.317 ++ CHECK_SAME_NAN (TYPE, n123x, sx); \ 7.318 ++ CHECK_DIFF_NAN (TYPE, n123, n456); \ 7.319 ++ CHECK_DIFF_NAN (TYPE, n123, nemp); \ 7.320 ++ CHECK_DIFF_NAN (TYPE, n123, n123x); \ 7.321 ++ CHECK_DIFF_NAN (TYPE, n456, nemp); \ 7.322 ++ CHECK_DIFF_NAN (TYPE, n456, n123x); \ 7.323 ++ } \ 7.324 ++ while (0) 7.325 ++ 7.326 ++static int 7.327 ++do_test (void) 7.328 ++{ 7.329 ++ int result = 0; 7.330 ++ RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG); 7.331 ++ RUN_TESTS (double, strtod, nan, DBL_MANT_DIG); 7.332 ++#ifndef NO_LONG_DOUBLE 7.333 ++ RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG); 7.334 ++#endif 7.335 ++ return result; 7.336 ++} 7.337 ++ 7.338 ++#define TEST_FUNCTION do_test () 7.339 ++#include "../test-skeleton.c" 7.340 +diff -Naur a/stdlib/Makefile b/stdlib/Makefile 7.341 +--- a/stdlib/Makefile 2017-09-15 15:37:06.079899146 +0530 7.342 ++++ b/stdlib/Makefile 2017-09-15 15:37:13.851729724 +0530 7.343 +@@ -50,6 +50,7 @@ 7.344 + strtol_l strtoul_l strtoll_l strtoull_l \ 7.345 + strtof strtod strtold \ 7.346 + strtof_l strtod_l strtold_l \ 7.347 ++ strtof_nan strtod_nan strtold_nan \ 7.348 + system canonicalize \ 7.349 + a64l l64a \ 7.350 + rpmatch strfmon strfmon_l getsubopt xpg_basename fmtmsg \ 7.351 +diff -Naur a/stdlib/strtod_l.c b/stdlib/strtod_l.c 7.352 +--- a/stdlib/strtod_l.c 2017-09-15 15:37:06.079899146 +0530 7.353 ++++ b/stdlib/strtod_l.c 2017-09-15 15:37:13.851729724 +0530 7.354 +@@ -20,8 +20,6 @@ 7.355 + #include <xlocale.h> 7.356 + 7.357 + extern double ____strtod_l_internal (const char *, char **, int, __locale_t); 7.358 +-extern unsigned long long int ____strtoull_l_internal (const char *, char **, 7.359 +- int, int, __locale_t); 7.360 + 7.361 + /* Configuration part. These macros are defined by `strtold.c', 7.362 + `strtof.c', `wcstod.c', `wcstold.c', and `wcstof.c' to produce the 7.363 +@@ -33,27 +31,20 @@ 7.364 + # ifdef USE_WIDE_CHAR 7.365 + # define STRTOF wcstod_l 7.366 + # define __STRTOF __wcstod_l 7.367 ++# define STRTOF_NAN __wcstod_nan 7.368 + # else 7.369 + # define STRTOF strtod_l 7.370 + # define __STRTOF __strtod_l 7.371 ++# define STRTOF_NAN __strtod_nan 7.372 + # endif 7.373 + # define MPN2FLOAT __mpn_construct_double 7.374 + # define FLOAT_HUGE_VAL HUGE_VAL 7.375 +-# define SET_MANTISSA(flt, mant) \ 7.376 +- do { union ieee754_double u; \ 7.377 +- u.d = (flt); \ 7.378 +- u.ieee_nan.mantissa0 = (mant) >> 32; \ 7.379 +- u.ieee_nan.mantissa1 = (mant); \ 7.380 +- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ 7.381 +- (flt) = u.d; \ 7.382 +- } while (0) 7.383 + #endif 7.384 + /* End of configuration part. */ 7.385 + 7.386 + #include <ctype.h> 7.387 + #include <errno.h> 7.388 + #include <float.h> 7.389 +-#include <ieee754.h> 7.390 + #include "../locale/localeinfo.h" 7.391 + #include <locale.h> 7.392 + #include <math.h> 7.393 +@@ -104,7 +95,6 @@ 7.394 + # define TOLOWER_C(Ch) __towlower_l ((Ch), _nl_C_locobj_ptr) 7.395 + # define STRNCASECMP(S1, S2, N) \ 7.396 + __wcsncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr) 7.397 +-# define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, loc) 7.398 + #else 7.399 + # define STRING_TYPE char 7.400 + # define CHAR_TYPE char 7.401 +@@ -116,7 +106,6 @@ 7.402 + # define TOLOWER_C(Ch) __tolower_l ((Ch), _nl_C_locobj_ptr) 7.403 + # define STRNCASECMP(S1, S2, N) \ 7.404 + __strncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr) 7.405 +-# define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, loc) 7.406 + #endif 7.407 + 7.408 + 7.409 +@@ -655,33 +644,14 @@ 7.410 + if (*cp == L_('(')) 7.411 + { 7.412 + const STRING_TYPE *startp = cp; 7.413 +- do 7.414 +- ++cp; 7.415 +- while ((*cp >= L_('0') && *cp <= L_('9')) 7.416 +- || ({ CHAR_TYPE lo = TOLOWER (*cp); 7.417 +- lo >= L_('a') && lo <= L_('z'); }) 7.418 +- || *cp == L_('_')); 7.419 +- 7.420 +- if (*cp != L_(')')) 7.421 +- /* The closing brace is missing. Only match the NAN 7.422 +- part. */ 7.423 +- cp = startp; 7.424 ++ STRING_TYPE *endp; 7.425 ++ retval = STRTOF_NAN (cp + 1, &endp, L_(')')); 7.426 ++ if (*endp == L_(')')) 7.427 ++ /* Consume the closing parenthesis. */ 7.428 ++ cp = endp + 1; 7.429 + else 7.430 +- { 7.431 +- /* This is a system-dependent way to specify the 7.432 +- bitmask used for the NaN. We expect it to be 7.433 +- a number which is put in the mantissa of the 7.434 +- number. */ 7.435 +- STRING_TYPE *endp; 7.436 +- unsigned long long int mant; 7.437 +- 7.438 +- mant = STRTOULL (startp + 1, &endp, 0); 7.439 +- if (endp == cp) 7.440 +- SET_MANTISSA (retval, mant); 7.441 +- 7.442 +- /* Consume the closing brace. */ 7.443 +- ++cp; 7.444 +- } 7.445 ++ /* Only match the NAN part. */ 7.446 ++ cp = startp; 7.447 + } 7.448 + 7.449 + if (endptr != NULL) 7.450 +diff -Naur a/stdlib/strtod_nan.c b/stdlib/strtod_nan.c 7.451 +--- a/stdlib/strtod_nan.c 1970-01-01 05:30:00.000000000 +0530 7.452 ++++ b/stdlib/strtod_nan.c 2017-09-15 15:37:13.851729724 +0530 7.453 +@@ -0,0 +1,24 @@ 7.454 ++/* Convert string for NaN payload to corresponding NaN. Narrow 7.455 ++ strings, double. 7.456 ++ Copyright (C) 2015 Free Software Foundation, Inc. 7.457 ++ This file is part of the GNU C Library. 7.458 ++ 7.459 ++ The GNU C Library is free software; you can redistribute it and/or 7.460 ++ modify it under the terms of the GNU Lesser General Public 7.461 ++ License as published by the Free Software Foundation; either 7.462 ++ version 2.1 of the License, or (at your option) any later version. 7.463 ++ 7.464 ++ The GNU C Library is distributed in the hope that it will be useful, 7.465 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.466 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.467 ++ Lesser General Public License for more details. 7.468 ++ 7.469 ++ You should have received a copy of the GNU Lesser General Public 7.470 ++ License along with the GNU C Library; if not, see 7.471 ++ <http://www.gnu.org/licenses/>. */ 7.472 ++ 7.473 ++#include <strtod_nan_narrow.h> 7.474 ++#include <strtod_nan_double.h> 7.475 ++ 7.476 ++#define STRTOD_NAN __strtod_nan 7.477 ++#include <strtod_nan_main.c> 7.478 +diff -Naur a/stdlib/strtod_nan_double.h b/stdlib/strtod_nan_double.h 7.479 +--- a/stdlib/strtod_nan_double.h 1970-01-01 05:30:00.000000000 +0530 7.480 ++++ b/stdlib/strtod_nan_double.h 2017-09-15 15:37:13.851729724 +0530 7.481 +@@ -0,0 +1,30 @@ 7.482 ++/* Convert string for NaN payload to corresponding NaN. For double. 7.483 ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. 7.484 ++ This file is part of the GNU C Library. 7.485 ++ 7.486 ++ The GNU C Library is free software; you can redistribute it and/or 7.487 ++ modify it under the terms of the GNU Lesser General Public 7.488 ++ License as published by the Free Software Foundation; either 7.489 ++ version 2.1 of the License, or (at your option) any later version. 7.490 ++ 7.491 ++ The GNU C Library is distributed in the hope that it will be useful, 7.492 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.493 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.494 ++ Lesser General Public License for more details. 7.495 ++ 7.496 ++ You should have received a copy of the GNU Lesser General Public 7.497 ++ License along with the GNU C Library; if not, see 7.498 ++ <http://www.gnu.org/licenses/>. */ 7.499 ++ 7.500 ++#define FLOAT double 7.501 ++#define SET_MANTISSA(flt, mant) \ 7.502 ++ do \ 7.503 ++ { \ 7.504 ++ union ieee754_double u; \ 7.505 ++ u.d = (flt); \ 7.506 ++ u.ieee_nan.mantissa0 = (mant) >> 32; \ 7.507 ++ u.ieee_nan.mantissa1 = (mant); \ 7.508 ++ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ 7.509 ++ (flt) = u.d; \ 7.510 ++ } \ 7.511 ++ while (0) 7.512 +diff -Naur a/stdlib/strtod_nan_float.h b/stdlib/strtod_nan_float.h 7.513 +--- a/stdlib/strtod_nan_float.h 1970-01-01 05:30:00.000000000 +0530 7.514 ++++ b/stdlib/strtod_nan_float.h 2017-09-15 15:37:13.851729724 +0530 7.515 +@@ -0,0 +1,29 @@ 7.516 ++/* Convert string for NaN payload to corresponding NaN. For float. 7.517 ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. 7.518 ++ This file is part of the GNU C Library. 7.519 ++ 7.520 ++ The GNU C Library is free software; you can redistribute it and/or 7.521 ++ modify it under the terms of the GNU Lesser General Public 7.522 ++ License as published by the Free Software Foundation; either 7.523 ++ version 2.1 of the License, or (at your option) any later version. 7.524 ++ 7.525 ++ The GNU C Library is distributed in the hope that it will be useful, 7.526 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.527 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.528 ++ Lesser General Public License for more details. 7.529 ++ 7.530 ++ You should have received a copy of the GNU Lesser General Public 7.531 ++ License along with the GNU C Library; if not, see 7.532 ++ <http://www.gnu.org/licenses/>. */ 7.533 ++ 7.534 ++#define FLOAT float 7.535 ++#define SET_MANTISSA(flt, mant) \ 7.536 ++ do \ 7.537 ++ { \ 7.538 ++ union ieee754_float u; \ 7.539 ++ u.f = (flt); \ 7.540 ++ u.ieee_nan.mantissa = (mant); \ 7.541 ++ if (u.ieee.mantissa != 0) \ 7.542 ++ (flt) = u.f; \ 7.543 ++ } \ 7.544 ++ while (0) 7.545 +diff -Naur a/stdlib/strtod_nan_main.c b/stdlib/strtod_nan_main.c 7.546 +--- a/stdlib/strtod_nan_main.c 1970-01-01 05:30:00.000000000 +0530 7.547 ++++ b/stdlib/strtod_nan_main.c 2017-09-15 15:37:13.851729724 +0530 7.548 +@@ -0,0 +1,63 @@ 7.549 ++/* Convert string for NaN payload to corresponding NaN. 7.550 ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. 7.551 ++ This file is part of the GNU C Library. 7.552 ++ 7.553 ++ The GNU C Library is free software; you can redistribute it and/or 7.554 ++ modify it under the terms of the GNU Lesser General Public 7.555 ++ License as published by the Free Software Foundation; either 7.556 ++ version 2.1 of the License, or (at your option) any later version. 7.557 ++ 7.558 ++ The GNU C Library is distributed in the hope that it will be useful, 7.559 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.560 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.561 ++ Lesser General Public License for more details. 7.562 ++ 7.563 ++ You should have received a copy of the GNU Lesser General Public 7.564 ++ License along with the GNU C Library; if not, see 7.565 ++ <http://www.gnu.org/licenses/>. */ 7.566 ++ 7.567 ++#include <ieee754.h> 7.568 ++#include <locale.h> 7.569 ++#include <math.h> 7.570 ++#include <stdlib.h> 7.571 ++#include <wchar.h> 7.572 ++ 7.573 ++ 7.574 ++/* If STR starts with an optional n-char-sequence as defined by ISO C 7.575 ++ (a sequence of ASCII letters, digits and underscores), followed by 7.576 ++ ENDC, return a NaN whose payload is set based on STR. Otherwise, 7.577 ++ return a default NAN. If ENDPTR is not NULL, set *ENDPTR to point 7.578 ++ to the character after the initial n-char-sequence. */ 7.579 ++ 7.580 ++internal_function 7.581 ++FLOAT 7.582 ++STRTOD_NAN (const STRING_TYPE *str, STRING_TYPE **endptr, STRING_TYPE endc) 7.583 ++{ 7.584 ++ const STRING_TYPE *cp = str; 7.585 ++ 7.586 ++ while ((*cp >= L_('0') && *cp <= L_('9')) 7.587 ++ || (*cp >= L_('A') && *cp <= L_('Z')) 7.588 ++ || (*cp >= L_('a') && *cp <= L_('z')) 7.589 ++ || *cp == L_('_')) 7.590 ++ ++cp; 7.591 ++ 7.592 ++ FLOAT retval = NAN; 7.593 ++ if (*cp != endc) 7.594 ++ goto out; 7.595 ++ 7.596 ++ /* This is a system-dependent way to specify the bitmask used for 7.597 ++ the NaN. We expect it to be a number which is put in the 7.598 ++ mantissa of the number. */ 7.599 ++ STRING_TYPE *endp; 7.600 ++ unsigned long long int mant; 7.601 ++ 7.602 ++ mant = STRTOULL (str, &endp, 0); 7.603 ++ if (endp == cp) 7.604 ++ SET_MANTISSA (retval, mant); 7.605 ++ 7.606 ++ out: 7.607 ++ if (endptr != NULL) 7.608 ++ *endptr = (STRING_TYPE *) cp; 7.609 ++ return retval; 7.610 ++} 7.611 ++libc_hidden_def (STRTOD_NAN) 7.612 +diff -Naur a/stdlib/strtod_nan_narrow.h b/stdlib/strtod_nan_narrow.h 7.613 +--- a/stdlib/strtod_nan_narrow.h 1970-01-01 05:30:00.000000000 +0530 7.614 ++++ b/stdlib/strtod_nan_narrow.h 2017-09-15 15:37:13.851729724 +0530 7.615 +@@ -0,0 +1,22 @@ 7.616 ++/* Convert string for NaN payload to corresponding NaN. Narrow strings. 7.617 ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. 7.618 ++ This file is part of the GNU C Library. 7.619 ++ 7.620 ++ The GNU C Library is free software; you can redistribute it and/or 7.621 ++ modify it under the terms of the GNU Lesser General Public 7.622 ++ License as published by the Free Software Foundation; either 7.623 ++ version 2.1 of the License, or (at your option) any later version. 7.624 ++ 7.625 ++ The GNU C Library is distributed in the hope that it will be useful, 7.626 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.627 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.628 ++ Lesser General Public License for more details. 7.629 ++ 7.630 ++ You should have received a copy of the GNU Lesser General Public 7.631 ++ License along with the GNU C Library; if not, see 7.632 ++ <http://www.gnu.org/licenses/>. */ 7.633 ++ 7.634 ++#define STRING_TYPE char 7.635 ++#define L_(Ch) Ch 7.636 ++#define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, \ 7.637 ++ _nl_C_locobj_ptr) 7.638 +diff -Naur a/stdlib/strtod_nan_wide.h b/stdlib/strtod_nan_wide.h 7.639 +--- a/stdlib/strtod_nan_wide.h 1970-01-01 05:30:00.000000000 +0530 7.640 ++++ b/stdlib/strtod_nan_wide.h 2017-09-15 15:37:13.851729724 +0530 7.641 +@@ -0,0 +1,22 @@ 7.642 ++/* Convert string for NaN payload to corresponding NaN. Wide strings. 7.643 ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. 7.644 ++ This file is part of the GNU C Library. 7.645 ++ 7.646 ++ The GNU C Library is free software; you can redistribute it and/or 7.647 ++ modify it under the terms of the GNU Lesser General Public 7.648 ++ License as published by the Free Software Foundation; either 7.649 ++ version 2.1 of the License, or (at your option) any later version. 7.650 ++ 7.651 ++ The GNU C Library is distributed in the hope that it will be useful, 7.652 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.653 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.654 ++ Lesser General Public License for more details. 7.655 ++ 7.656 ++ You should have received a copy of the GNU Lesser General Public 7.657 ++ License along with the GNU C Library; if not, see 7.658 ++ <http://www.gnu.org/licenses/>. */ 7.659 ++ 7.660 ++#define STRING_TYPE wchar_t 7.661 ++#define L_(Ch) L##Ch 7.662 ++#define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, \ 7.663 ++ _nl_C_locobj_ptr) 7.664 +diff -Naur a/stdlib/strtof_l.c b/stdlib/strtof_l.c 7.665 +--- a/stdlib/strtof_l.c 2017-09-15 15:37:06.079899146 +0530 7.666 ++++ b/stdlib/strtof_l.c 2017-09-15 15:37:13.855729636 +0530 7.667 +@@ -20,26 +20,19 @@ 7.668 + #include <xlocale.h> 7.669 + 7.670 + extern float ____strtof_l_internal (const char *, char **, int, __locale_t); 7.671 +-extern unsigned long long int ____strtoull_l_internal (const char *, char **, 7.672 +- int, int, __locale_t); 7.673 + 7.674 + #define FLOAT float 7.675 + #define FLT FLT 7.676 + #ifdef USE_WIDE_CHAR 7.677 + # define STRTOF wcstof_l 7.678 + # define __STRTOF __wcstof_l 7.679 ++# define STRTOF_NAN __wcstof_nan 7.680 + #else 7.681 + # define STRTOF strtof_l 7.682 + # define __STRTOF __strtof_l 7.683 ++# define STRTOF_NAN __strtof_nan 7.684 + #endif 7.685 + #define MPN2FLOAT __mpn_construct_float 7.686 + #define FLOAT_HUGE_VAL HUGE_VALF 7.687 +-#define SET_MANTISSA(flt, mant) \ 7.688 +- do { union ieee754_float u; \ 7.689 +- u.f = (flt); \ 7.690 +- u.ieee_nan.mantissa = (mant); \ 7.691 +- if (u.ieee.mantissa != 0) \ 7.692 +- (flt) = u.f; \ 7.693 +- } while (0) 7.694 + 7.695 + #include "strtod_l.c" 7.696 +diff -Naur a/stdlib/strtof_nan.c b/stdlib/strtof_nan.c 7.697 +--- a/stdlib/strtof_nan.c 1970-01-01 05:30:00.000000000 +0530 7.698 ++++ b/stdlib/strtof_nan.c 2017-09-15 15:37:13.855729636 +0530 7.699 +@@ -0,0 +1,24 @@ 7.700 ++/* Convert string for NaN payload to corresponding NaN. Narrow 7.701 ++ strings, float. 7.702 ++ Copyright (C) 2015 Free Software Foundation, Inc. 7.703 ++ This file is part of the GNU C Library. 7.704 ++ 7.705 ++ The GNU C Library is free software; you can redistribute it and/or 7.706 ++ modify it under the terms of the GNU Lesser General Public 7.707 ++ License as published by the Free Software Foundation; either 7.708 ++ version 2.1 of the License, or (at your option) any later version. 7.709 ++ 7.710 ++ The GNU C Library is distributed in the hope that it will be useful, 7.711 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.712 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.713 ++ Lesser General Public License for more details. 7.714 ++ 7.715 ++ You should have received a copy of the GNU Lesser General Public 7.716 ++ License along with the GNU C Library; if not, see 7.717 ++ <http://www.gnu.org/licenses/>. */ 7.718 ++ 7.719 ++#include <strtod_nan_narrow.h> 7.720 ++#include <strtod_nan_float.h> 7.721 ++ 7.722 ++#define STRTOD_NAN __strtof_nan 7.723 ++#include <strtod_nan_main.c> 7.724 +diff -Naur a/stdlib/strtold_nan.c b/stdlib/strtold_nan.c 7.725 +--- a/stdlib/strtold_nan.c 1970-01-01 05:30:00.000000000 +0530 7.726 ++++ b/stdlib/strtold_nan.c 2017-09-15 15:37:13.855729636 +0530 7.727 +@@ -0,0 +1,30 @@ 7.728 ++/* Convert string for NaN payload to corresponding NaN. Narrow 7.729 ++ strings, long double. 7.730 ++ Copyright (C) 2015 Free Software Foundation, Inc. 7.731 ++ This file is part of the GNU C Library. 7.732 ++ 7.733 ++ The GNU C Library is free software; you can redistribute it and/or 7.734 ++ modify it under the terms of the GNU Lesser General Public 7.735 ++ License as published by the Free Software Foundation; either 7.736 ++ version 2.1 of the License, or (at your option) any later version. 7.737 ++ 7.738 ++ The GNU C Library is distributed in the hope that it will be useful, 7.739 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.740 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.741 ++ Lesser General Public License for more details. 7.742 ++ 7.743 ++ You should have received a copy of the GNU Lesser General Public 7.744 ++ License along with the GNU C Library; if not, see 7.745 ++ <http://www.gnu.org/licenses/>. */ 7.746 ++ 7.747 ++#include <math.h> 7.748 ++ 7.749 ++/* This function is unused if long double and double have the same 7.750 ++ representation. */ 7.751 ++#ifndef __NO_LONG_DOUBLE_MATH 7.752 ++# include <strtod_nan_narrow.h> 7.753 ++# include <strtod_nan_ldouble.h> 7.754 ++ 7.755 ++# define STRTOD_NAN __strtold_nan 7.756 ++# include <strtod_nan_main.c> 7.757 ++#endif 7.758 +diff -Naur a/stdlib/Versions b/stdlib/Versions 7.759 +--- a/stdlib/Versions 2017-09-15 15:37:06.079899146 +0530 7.760 ++++ b/stdlib/Versions 2017-09-15 15:38:10.122503550 +0530 7.761 +@@ -118,5 +118,6 @@ 7.762 + # Used from other libraries 7.763 + __libc_secure_getenv; 7.764 + __call_tls_dtors; 7.765 ++ __strtof_nan; __strtod_nan; __strtold_nan; 7.766 + } 7.767 + } 7.768 +diff -Naur a/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h b/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h 7.769 +--- a/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h 1970-01-01 05:30:00.000000000 +0530 7.770 ++++ b/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h 2017-09-15 15:37:13.855729636 +0530 7.771 +@@ -0,0 +1,33 @@ 7.772 ++/* Convert string for NaN payload to corresponding NaN. For ldbl-128. 7.773 ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. 7.774 ++ This file is part of the GNU C Library. 7.775 ++ 7.776 ++ The GNU C Library is free software; you can redistribute it and/or 7.777 ++ modify it under the terms of the GNU Lesser General Public 7.778 ++ License as published by the Free Software Foundation; either 7.779 ++ version 2.1 of the License, or (at your option) any later version. 7.780 ++ 7.781 ++ The GNU C Library is distributed in the hope that it will be useful, 7.782 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.783 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.784 ++ Lesser General Public License for more details. 7.785 ++ 7.786 ++ You should have received a copy of the GNU Lesser General Public 7.787 ++ License along with the GNU C Library; if not, see 7.788 ++ <http://www.gnu.org/licenses/>. */ 7.789 ++ 7.790 ++#define FLOAT long double 7.791 ++#define SET_MANTISSA(flt, mant) \ 7.792 ++ do \ 7.793 ++ { \ 7.794 ++ union ieee854_long_double u; \ 7.795 ++ u.d = (flt); \ 7.796 ++ u.ieee_nan.mantissa0 = 0; \ 7.797 ++ u.ieee_nan.mantissa1 = 0; \ 7.798 ++ u.ieee_nan.mantissa2 = (mant) >> 32; \ 7.799 ++ u.ieee_nan.mantissa3 = (mant); \ 7.800 ++ if ((u.ieee.mantissa0 | u.ieee.mantissa1 \ 7.801 ++ | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \ 7.802 ++ (flt) = u.d; \ 7.803 ++ } \ 7.804 ++ while (0) 7.805 +diff -Naur a/sysdeps/ieee754/ldbl-128/strtold_l.c b/sysdeps/ieee754/ldbl-128/strtold_l.c 7.806 +--- a/sysdeps/ieee754/ldbl-128/strtold_l.c 2017-09-15 15:37:06.107898535 +0530 7.807 ++++ b/sysdeps/ieee754/ldbl-128/strtold_l.c 2017-09-15 15:37:13.855729636 +0530 7.808 +@@ -25,22 +25,13 @@ 7.809 + #ifdef USE_WIDE_CHAR 7.810 + # define STRTOF wcstold_l 7.811 + # define __STRTOF __wcstold_l 7.812 ++# define STRTOF_NAN __wcstold_nan 7.813 + #else 7.814 + # define STRTOF strtold_l 7.815 + # define __STRTOF __strtold_l 7.816 ++# define STRTOF_NAN __strtold_nan 7.817 + #endif 7.818 + #define MPN2FLOAT __mpn_construct_long_double 7.819 + #define FLOAT_HUGE_VAL HUGE_VALL 7.820 +-#define SET_MANTISSA(flt, mant) \ 7.821 +- do { union ieee854_long_double u; \ 7.822 +- u.d = (flt); \ 7.823 +- u.ieee_nan.mantissa0 = 0; \ 7.824 +- u.ieee_nan.mantissa1 = 0; \ 7.825 +- u.ieee_nan.mantissa2 = (mant) >> 32; \ 7.826 +- u.ieee_nan.mantissa3 = (mant); \ 7.827 +- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \ 7.828 +- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \ 7.829 +- (flt) = u.d; \ 7.830 +- } while (0) 7.831 + 7.832 + #include <strtod_l.c> 7.833 +diff -Naur a/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h b/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h 7.834 +--- a/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h 1970-01-01 05:30:00.000000000 +0530 7.835 ++++ b/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h 2017-09-15 15:37:13.855729636 +0530 7.836 +@@ -0,0 +1,30 @@ 7.837 ++/* Convert string for NaN payload to corresponding NaN. For ldbl-128ibm. 7.838 ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. 7.839 ++ This file is part of the GNU C Library. 7.840 ++ 7.841 ++ The GNU C Library is free software; you can redistribute it and/or 7.842 ++ modify it under the terms of the GNU Lesser General Public 7.843 ++ License as published by the Free Software Foundation; either 7.844 ++ version 2.1 of the License, or (at your option) any later version. 7.845 ++ 7.846 ++ The GNU C Library is distributed in the hope that it will be useful, 7.847 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.848 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.849 ++ Lesser General Public License for more details. 7.850 ++ 7.851 ++ You should have received a copy of the GNU Lesser General Public 7.852 ++ License along with the GNU C Library; if not, see 7.853 ++ <http://www.gnu.org/licenses/>. */ 7.854 ++ 7.855 ++#define FLOAT long double 7.856 ++#define SET_MANTISSA(flt, mant) \ 7.857 ++ do \ 7.858 ++ { \ 7.859 ++ union ibm_extended_long_double u; \ 7.860 ++ u.ld = (flt); \ 7.861 ++ u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \ 7.862 ++ u.d[0].ieee_nan.mantissa1 = (mant); \ 7.863 ++ if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \ 7.864 ++ (flt) = u.ld; \ 7.865 ++ } \ 7.866 ++ while (0) 7.867 +diff -Naur a/sysdeps/ieee754/ldbl-128ibm/strtold_l.c b/sysdeps/ieee754/ldbl-128ibm/strtold_l.c 7.868 +--- a/sysdeps/ieee754/ldbl-128ibm/strtold_l.c 2017-09-15 15:37:06.107898535 +0530 7.869 ++++ b/sysdeps/ieee754/ldbl-128ibm/strtold_l.c 2017-09-15 15:37:13.855729636 +0530 7.870 +@@ -30,25 +30,19 @@ 7.871 + # define STRTOF __new_wcstold_l 7.872 + # define __STRTOF ____new_wcstold_l 7.873 + # define ____STRTOF_INTERNAL ____wcstold_l_internal 7.874 ++# define STRTOF_NAN __wcstold_nan 7.875 + #else 7.876 + extern long double ____new_strtold_l (const char *, char **, __locale_t); 7.877 + # define STRTOF __new_strtold_l 7.878 + # define __STRTOF ____new_strtold_l 7.879 + # define ____STRTOF_INTERNAL ____strtold_l_internal 7.880 ++# define STRTOF_NAN __strtold_nan 7.881 + #endif 7.882 + extern __typeof (__STRTOF) STRTOF; 7.883 + libc_hidden_proto (__STRTOF) 7.884 + libc_hidden_proto (STRTOF) 7.885 + #define MPN2FLOAT __mpn_construct_long_double 7.886 + #define FLOAT_HUGE_VAL HUGE_VALL 7.887 +-# define SET_MANTISSA(flt, mant) \ 7.888 +- do { union ibm_extended_long_double u; \ 7.889 +- u.ld = (flt); \ 7.890 +- u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \ 7.891 +- u.d[0].ieee_nan.mantissa1 = (mant); \ 7.892 +- if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \ 7.893 +- (flt) = u.ld; \ 7.894 +- } while (0) 7.895 + 7.896 + #include <strtod_l.c> 7.897 + 7.898 +diff -Naur a/sysdeps/ieee754/ldbl-64-128/strtold_l.c b/sysdeps/ieee754/ldbl-64-128/strtold_l.c 7.899 +--- a/sysdeps/ieee754/ldbl-64-128/strtold_l.c 2017-09-15 15:37:06.111898448 +0530 7.900 ++++ b/sysdeps/ieee754/ldbl-64-128/strtold_l.c 2017-09-15 15:37:13.855729636 +0530 7.901 +@@ -30,28 +30,19 @@ 7.902 + # define STRTOF __new_wcstold_l 7.903 + # define __STRTOF ____new_wcstold_l 7.904 + # define ____STRTOF_INTERNAL ____wcstold_l_internal 7.905 ++# define STRTOF_NAN __wcstold_nan 7.906 + #else 7.907 + extern long double ____new_strtold_l (const char *, char **, __locale_t); 7.908 + # define STRTOF __new_strtold_l 7.909 + # define __STRTOF ____new_strtold_l 7.910 + # define ____STRTOF_INTERNAL ____strtold_l_internal 7.911 ++# define STRTOF_NAN __strtold_nan 7.912 + #endif 7.913 + extern __typeof (__STRTOF) STRTOF; 7.914 + libc_hidden_proto (__STRTOF) 7.915 + libc_hidden_proto (STRTOF) 7.916 + #define MPN2FLOAT __mpn_construct_long_double 7.917 + #define FLOAT_HUGE_VAL HUGE_VALL 7.918 +-#define SET_MANTISSA(flt, mant) \ 7.919 +- do { union ieee854_long_double u; \ 7.920 +- u.d = (flt); \ 7.921 +- u.ieee_nan.mantissa0 = 0; \ 7.922 +- u.ieee_nan.mantissa1 = 0; \ 7.923 +- u.ieee_nan.mantissa2 = (mant) >> 32; \ 7.924 +- u.ieee_nan.mantissa3 = (mant); \ 7.925 +- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \ 7.926 +- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \ 7.927 +- (flt) = u.d; \ 7.928 +- } while (0) 7.929 + 7.930 + #include <strtod_l.c> 7.931 + 7.932 +diff -Naur a/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h b/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h 7.933 +--- a/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h 1970-01-01 05:30:00.000000000 +0530 7.934 ++++ b/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h 2017-09-15 15:37:13.855729636 +0530 7.935 +@@ -0,0 +1,30 @@ 7.936 ++/* Convert string for NaN payload to corresponding NaN. For ldbl-96. 7.937 ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. 7.938 ++ This file is part of the GNU C Library. 7.939 ++ 7.940 ++ The GNU C Library is free software; you can redistribute it and/or 7.941 ++ modify it under the terms of the GNU Lesser General Public 7.942 ++ License as published by the Free Software Foundation; either 7.943 ++ version 2.1 of the License, or (at your option) any later version. 7.944 ++ 7.945 ++ The GNU C Library is distributed in the hope that it will be useful, 7.946 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.947 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.948 ++ Lesser General Public License for more details. 7.949 ++ 7.950 ++ You should have received a copy of the GNU Lesser General Public 7.951 ++ License along with the GNU C Library; if not, see 7.952 ++ <http://www.gnu.org/licenses/>. */ 7.953 ++ 7.954 ++#define FLOAT long double 7.955 ++#define SET_MANTISSA(flt, mant) \ 7.956 ++ do \ 7.957 ++ { \ 7.958 ++ union ieee854_long_double u; \ 7.959 ++ u.d = (flt); \ 7.960 ++ u.ieee_nan.mantissa0 = (mant) >> 32; \ 7.961 ++ u.ieee_nan.mantissa1 = (mant); \ 7.962 ++ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ 7.963 ++ (flt) = u.d; \ 7.964 ++ } \ 7.965 ++ while (0) 7.966 +diff -Naur a/sysdeps/ieee754/ldbl-96/strtold_l.c b/sysdeps/ieee754/ldbl-96/strtold_l.c 7.967 +--- a/sysdeps/ieee754/ldbl-96/strtold_l.c 2017-09-15 15:37:06.111898448 +0530 7.968 ++++ b/sysdeps/ieee754/ldbl-96/strtold_l.c 2017-09-15 15:37:13.855729636 +0530 7.969 +@@ -25,19 +25,13 @@ 7.970 + #ifdef USE_WIDE_CHAR 7.971 + # define STRTOF wcstold_l 7.972 + # define __STRTOF __wcstold_l 7.973 ++# define STRTOF_NAN __wcstold_nan 7.974 + #else 7.975 + # define STRTOF strtold_l 7.976 + # define __STRTOF __strtold_l 7.977 ++# define STRTOF_NAN __strtold_nan 7.978 + #endif 7.979 + #define MPN2FLOAT __mpn_construct_long_double 7.980 + #define FLOAT_HUGE_VAL HUGE_VALL 7.981 +-#define SET_MANTISSA(flt, mant) \ 7.982 +- do { union ieee854_long_double u; \ 7.983 +- u.d = (flt); \ 7.984 +- u.ieee_nan.mantissa0 = (mant) >> 32; \ 7.985 +- u.ieee_nan.mantissa1 = (mant); \ 7.986 +- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ 7.987 +- (flt) = u.d; \ 7.988 +- } while (0) 7.989 + 7.990 + #include <stdlib/strtod_l.c> 7.991 +diff -Naur a/wcsmbs/Makefile b/wcsmbs/Makefile 7.992 +--- a/wcsmbs/Makefile 2017-09-15 15:37:06.219896093 +0530 7.993 ++++ b/wcsmbs/Makefile 2017-09-15 15:37:13.855729636 +0530 7.994 +@@ -33,6 +33,7 @@ 7.995 + wcstol wcstoul wcstoll wcstoull wcstod wcstold wcstof \ 7.996 + wcstol_l wcstoul_l wcstoll_l wcstoull_l \ 7.997 + wcstod_l wcstold_l wcstof_l \ 7.998 ++ wcstod_nan wcstold_nan wcstof_nan \ 7.999 + wcscoll wcsxfrm \ 7.1000 + wcwidth wcswidth \ 7.1001 + wcscoll_l wcsxfrm_l \ 7.1002 +diff -Naur a/wcsmbs/wcstod_l.c b/wcsmbs/wcstod_l.c 7.1003 +--- a/wcsmbs/wcstod_l.c 2017-09-15 15:37:06.211896267 +0530 7.1004 ++++ b/wcsmbs/wcstod_l.c 2017-09-15 15:37:13.855729636 +0530 7.1005 +@@ -23,9 +23,6 @@ 7.1006 + 7.1007 + extern double ____wcstod_l_internal (const wchar_t *, wchar_t **, int, 7.1008 + __locale_t); 7.1009 +-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, 7.1010 +- wchar_t **, int, int, 7.1011 +- __locale_t); 7.1012 + 7.1013 + #define USE_WIDE_CHAR 1 7.1014 + 7.1015 +diff -Naur a/wcsmbs/wcstod_nan.c b/wcsmbs/wcstod_nan.c 7.1016 +--- a/wcsmbs/wcstod_nan.c 1970-01-01 05:30:00.000000000 +0530 7.1017 ++++ b/wcsmbs/wcstod_nan.c 2017-09-15 15:37:13.855729636 +0530 7.1018 +@@ -0,0 +1,23 @@ 7.1019 ++/* Convert string for NaN payload to corresponding NaN. Wide strings, double. 7.1020 ++ Copyright (C) 2015 Free Software Foundation, Inc. 7.1021 ++ This file is part of the GNU C Library. 7.1022 ++ 7.1023 ++ The GNU C Library is free software; you can redistribute it and/or 7.1024 ++ modify it under the terms of the GNU Lesser General Public 7.1025 ++ License as published by the Free Software Foundation; either 7.1026 ++ version 2.1 of the License, or (at your option) any later version. 7.1027 ++ 7.1028 ++ The GNU C Library is distributed in the hope that it will be useful, 7.1029 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.1030 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.1031 ++ Lesser General Public License for more details. 7.1032 ++ 7.1033 ++ You should have received a copy of the GNU Lesser General Public 7.1034 ++ License along with the GNU C Library; if not, see 7.1035 ++ <http://www.gnu.org/licenses/>. */ 7.1036 ++ 7.1037 ++#include "../stdlib/strtod_nan_wide.h" 7.1038 ++#include "../stdlib/strtod_nan_double.h" 7.1039 ++ 7.1040 ++#define STRTOD_NAN __wcstod_nan 7.1041 ++#include "../stdlib/strtod_nan_main.c" 7.1042 +diff -Naur a/wcsmbs/wcstof_l.c b/wcsmbs/wcstof_l.c 7.1043 +--- a/wcsmbs/wcstof_l.c 2017-09-15 15:37:06.211896267 +0530 7.1044 ++++ b/wcsmbs/wcstof_l.c 2017-09-15 15:37:13.855729636 +0530 7.1045 +@@ -25,8 +25,5 @@ 7.1046 + 7.1047 + extern float ____wcstof_l_internal (const wchar_t *, wchar_t **, int, 7.1048 + __locale_t); 7.1049 +-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, 7.1050 +- wchar_t **, int, int, 7.1051 +- __locale_t); 7.1052 + 7.1053 + #include <stdlib/strtof_l.c> 7.1054 +diff -Naur a/wcsmbs/wcstof_nan.c b/wcsmbs/wcstof_nan.c 7.1055 +--- a/wcsmbs/wcstof_nan.c 1970-01-01 05:30:00.000000000 +0530 7.1056 ++++ b/wcsmbs/wcstof_nan.c 2017-09-15 15:37:13.855729636 +0530 7.1057 +@@ -0,0 +1,23 @@ 7.1058 ++/* Convert string for NaN payload to corresponding NaN. Wide strings, float. 7.1059 ++ Copyright (C) 2015 Free Software Foundation, Inc. 7.1060 ++ This file is part of the GNU C Library. 7.1061 ++ 7.1062 ++ The GNU C Library is free software; you can redistribute it and/or 7.1063 ++ modify it under the terms of the GNU Lesser General Public 7.1064 ++ License as published by the Free Software Foundation; either 7.1065 ++ version 2.1 of the License, or (at your option) any later version. 7.1066 ++ 7.1067 ++ The GNU C Library is distributed in the hope that it will be useful, 7.1068 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.1069 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.1070 ++ Lesser General Public License for more details. 7.1071 ++ 7.1072 ++ You should have received a copy of the GNU Lesser General Public 7.1073 ++ License along with the GNU C Library; if not, see 7.1074 ++ <http://www.gnu.org/licenses/>. */ 7.1075 ++ 7.1076 ++#include "../stdlib/strtod_nan_wide.h" 7.1077 ++#include "../stdlib/strtod_nan_float.h" 7.1078 ++ 7.1079 ++#define STRTOD_NAN __wcstof_nan 7.1080 ++#include "../stdlib/strtod_nan_main.c" 7.1081 +diff -Naur a/wcsmbs/wcstold_l.c b/wcsmbs/wcstold_l.c 7.1082 +--- a/wcsmbs/wcstold_l.c 2017-09-15 15:37:06.219896093 +0530 7.1083 ++++ b/wcsmbs/wcstold_l.c 2017-09-15 15:37:13.859729550 +0530 7.1084 +@@ -24,8 +24,5 @@ 7.1085 + 7.1086 + extern long double ____wcstold_l_internal (const wchar_t *, wchar_t **, int, 7.1087 + __locale_t); 7.1088 +-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, 7.1089 +- wchar_t **, int, int, 7.1090 +- __locale_t); 7.1091 + 7.1092 + #include <strtold_l.c> 7.1093 +diff -Naur a/wcsmbs/wcstold_nan.c b/wcsmbs/wcstold_nan.c 7.1094 +--- a/wcsmbs/wcstold_nan.c 1970-01-01 05:30:00.000000000 +0530 7.1095 ++++ b/wcsmbs/wcstold_nan.c 2017-09-15 15:37:13.859729550 +0530 7.1096 +@@ -0,0 +1,30 @@ 7.1097 ++/* Convert string for NaN payload to corresponding NaN. Wide strings, 7.1098 ++ long double. 7.1099 ++ Copyright (C) 2015 Free Software Foundation, Inc. 7.1100 ++ This file is part of the GNU C Library. 7.1101 ++ 7.1102 ++ The GNU C Library is free software; you can redistribute it and/or 7.1103 ++ modify it under the terms of the GNU Lesser General Public 7.1104 ++ License as published by the Free Software Foundation; either 7.1105 ++ version 2.1 of the License, or (at your option) any later version. 7.1106 ++ 7.1107 ++ The GNU C Library is distributed in the hope that it will be useful, 7.1108 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 7.1109 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 7.1110 ++ Lesser General Public License for more details. 7.1111 ++ 7.1112 ++ You should have received a copy of the GNU Lesser General Public 7.1113 ++ License along with the GNU C Library; if not, see 7.1114 ++ <http://www.gnu.org/licenses/>. */ 7.1115 ++ 7.1116 ++#include <math.h> 7.1117 ++ 7.1118 ++/* This function is unused if long double and double have the same 7.1119 ++ representation. */ 7.1120 ++#ifndef __NO_LONG_DOUBLE_MATH 7.1121 ++# include "../stdlib/strtod_nan_wide.h" 7.1122 ++# include <strtod_nan_ldouble.h> 7.1123 ++ 7.1124 ++# define STRTOD_NAN __wcstold_nan 7.1125 ++# include "../stdlib/strtod_nan_main.c" 7.1126 ++#endif
8.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 8.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2015-5180.patch Wed Mar 15 11:41:38 2023 +0000 8.3 @@ -0,0 +1,71 @@ 8.4 +diff -Naur a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h 8.5 +--- a/include/arpa/nameser_compat.h 2018-01-04 15:53:54.033670066 +0530 8.6 ++++ b/include/arpa/nameser_compat.h 2018-01-04 15:54:15.437444821 +0530 8.7 +@@ -1,8 +1,8 @@ 8.8 + #ifndef _ARPA_NAMESER_COMPAT_ 8.9 + #include <resolv/arpa/nameser_compat.h> 8.10 + 8.11 +-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e., 8.12 +- T_A and T_AAAA). */ 8.13 +-#define T_UNSPEC 62321 8.14 ++/* The number is outside the 16-bit RR type range and is used 8.15 ++ internally by the implementation. */ 8.16 ++#define T_QUERY_A_AND_AAAA 439963904 8.17 + 8.18 + #endif 8.19 +diff -Naur a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c 8.20 +--- a/resolv/nss_dns/dns-host.c 2018-01-04 15:53:54.101669342 +0530 8.21 ++++ b/resolv/nss_dns/dns-host.c 2018-01-04 15:54:15.437444821 +0530 8.22 +@@ -312,7 +312,7 @@ 8.23 + 8.24 + int olderr = errno; 8.25 + enum nss_status status; 8.26 +- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC, 8.27 ++ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA, 8.28 + host_buffer.buf->buf, 2048, &host_buffer.ptr, 8.29 + &ans2p, &nans2p, &resplen2, &ans2p_malloced); 8.30 + if (n >= 0) 8.31 +diff -Naur a/resolv/res_mkquery.c b/resolv/res_mkquery.c 8.32 +--- a/resolv/res_mkquery.c 2018-01-04 15:53:54.101669342 +0530 8.33 ++++ b/resolv/res_mkquery.c 2018-01-04 15:54:15.437444821 +0530 8.34 +@@ -110,6 +110,10 @@ 8.35 + int n; 8.36 + u_char *dnptrs[20], **dpp, **lastdnptr; 8.37 + 8.38 ++ if (class < 0 || class > 65535 8.39 ++ || type < 0 || type > 65535) 8.40 ++ return -1; 8.41 ++ 8.42 + #ifdef DEBUG 8.43 + if (statp->options & RES_DEBUG) 8.44 + printf(";; res_nmkquery(%s, %s, %s, %s)\n", 8.45 +diff -Naur a/resolv/res_query.c b/resolv/res_query.c 8.46 +--- a/resolv/res_query.c 2018-01-04 15:53:54.101669342 +0530 8.47 ++++ b/resolv/res_query.c 2018-01-04 15:54:15.437444821 +0530 8.48 +@@ -127,7 +127,7 @@ 8.49 + int n, use_malloc = 0; 8.50 + u_int oflags = statp->_flags; 8.51 + 8.52 +- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE; 8.53 ++ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE; 8.54 + u_char *buf = alloca (bufsize); 8.55 + u_char *query1 = buf; 8.56 + int nquery1 = -1; 8.57 +@@ -142,7 +142,7 @@ 8.58 + printf(";; res_query(%s, %d, %d)\n", name, class, type); 8.59 + #endif 8.60 + 8.61 +- if (type == T_UNSPEC) 8.62 ++ if (type == T_QUERY_A_AND_AAAA) 8.63 + { 8.64 + n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL, 8.65 + query1, bufsize); 8.66 +@@ -195,7 +195,7 @@ 8.67 + if (__builtin_expect (n <= 0, 0) && !use_malloc) { 8.68 + /* Retry just in case res_nmkquery failed because of too 8.69 + short buffer. Shouldn't happen. */ 8.70 +- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET; 8.71 ++ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET; 8.72 + buf = malloc (bufsize); 8.73 + if (buf != NULL) { 8.74 + query1 = buf;
9.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 9.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2015-7547-getaddrinfo-stack-based-buffer-overflow.patch Wed Mar 15 11:41:38 2023 +0000 9.3 @@ -0,0 +1,617 @@ 9.4 +Based on: 9.5 + 9.6 +From b995d95a5943785be3ab862b2d3276f3b4a22481 Mon Sep 17 00:00:00 2001 9.7 +From: Carlos O'Donell <carlos@systemhalted.org> 9.8 +Date: Tue, 16 Feb 2016 21:26:37 -0500 9.9 +Subject: [PATCH] CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 9.10 + 18665). 9.11 + 9.12 +* A stack-based buffer overflow was found in libresolv when invoked from 9.13 + libnss_dns, allowing specially crafted DNS responses to seize control 9.14 + of execution flow in the DNS client. The buffer overflow occurs in 9.15 + the functions send_dg (send datagram) and send_vc (send TCP) for the 9.16 + NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC 9.17 + family. The use of AF_UNSPEC triggers the low-level resolver code to 9.18 + send out two parallel queries for A and AAAA. A mismanagement of the 9.19 + buffers used for those queries could result in the response of a query 9.20 + writing beyond the alloca allocated buffer created by 9.21 + _nss_dns_gethostbyname4_r. Buffer management is simplified to remove 9.22 + the overflow. Thanks to the Google Security Team and Red Hat for 9.23 + reporting the security impact of this issue, and Robert Holiday of 9.24 + Ciena for reporting the related bug 18665. (CVE-2015-7547) 9.25 + 9.26 +See also: 9.27 +https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html 9.28 +https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html 9.29 + 9.30 +(cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca) 9.31 +--- 9.32 + ChangeLog | 15 +++ 9.33 + NEWS | 14 +++ 9.34 + resolv/nss_dns/dns-host.c | 111 ++++++++++++++++++- 9.35 + resolv/res_query.c | 3 + 9.36 + resolv/res_send.c | 264 ++++++++++++++++++++++++++++++++++------------ 9.37 + 5 files changed, 338 insertions(+), 69 deletions(-) 9.38 + 9.39 +diff --git a/NEWS b/NEWS 9.40 +index d1daf9b..81ceeae 100644 9.41 +--- a/NEWS 9.42 ++++ b/NEWS 9.43 +@@ -7,6 +7,20 @@ using `glibc' in the "product" field. 9.44 + 9.45 + Version 2.22.1 9.46 + 9.47 ++* A stack-based buffer overflow was found in libresolv when invoked from 9.48 ++ libnss_dns, allowing specially crafted DNS responses to seize control 9.49 ++ of execution flow in the DNS client. The buffer overflow occurs in 9.50 ++ the functions send_dg (send datagram) and send_vc (send TCP) for the 9.51 ++ NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC 9.52 ++ family. The use of AF_UNSPEC triggers the low-level resolver code to 9.53 ++ send out two parallel queries for A and AAAA. A mismanagement of the 9.54 ++ buffers used for those queries could result in the response of a query 9.55 ++ writing beyond the alloca allocated buffer created by 9.56 ++ _nss_dns_gethostbyname4_r. Buffer management is simplified to remove 9.57 ++ the overflow. Thanks to the Google Security Team and Red Hat for 9.58 ++ reporting the security impact of this issue, and Robert Holiday of 9.59 ++ Ciena for reporting the related bug 18665. (CVE-2015-7547) 9.60 ++ 9.61 + * The following bugs are resolved with this release: 9.62 + 9.63 + 17905, 18420, 18421, 18480, 18589, 18743, 18778, 18781, 18787, 18796, 9.64 +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c 9.65 +index 357ac04..a0fe9a8 100644 9.66 +--- a/resolv/nss_dns/dns-host.c 9.67 ++++ b/resolv/nss_dns/dns-host.c 9.68 +@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname, 9.69 + int h_namelen = 0; 9.70 + 9.71 + if (ancount == 0) 9.72 +- return NSS_STATUS_NOTFOUND; 9.73 ++ { 9.74 ++ *h_errnop = HOST_NOT_FOUND; 9.75 ++ return NSS_STATUS_NOTFOUND; 9.76 ++ } 9.77 + 9.78 + while (ancount-- > 0 && cp < end_of_message && had_error == 0) 9.79 + { 9.80 +@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname, 9.81 + /* Special case here: if the resolver sent a result but it only 9.82 + contains a CNAME while we are looking for a T_A or T_AAAA record, 9.83 + we fail with NOTFOUND instead of TRYAGAIN. */ 9.84 +- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; 9.85 ++ if (canon != NULL) 9.86 ++ { 9.87 ++ *h_errnop = HOST_NOT_FOUND; 9.88 ++ return NSS_STATUS_NOTFOUND; 9.89 ++ } 9.90 ++ 9.91 ++ *h_errnop = NETDB_INTERNAL; 9.92 ++ return NSS_STATUS_TRYAGAIN; 9.93 + } 9.94 + 9.95 + 9.96 +@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2, 9.97 + 9.98 + enum nss_status status = NSS_STATUS_NOTFOUND; 9.99 + 9.100 ++ /* Combining the NSS status of two distinct queries requires some 9.101 ++ compromise and attention to symmetry (A or AAAA queries can be 9.102 ++ returned in any order). What follows is a breakdown of how this 9.103 ++ code is expected to work and why. We discuss only SUCCESS, 9.104 ++ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns 9.105 ++ that apply (though RETURN and MERGE exist). We make a distinction 9.106 ++ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable). 9.107 ++ A recoverable TRYAGAIN is almost always due to buffer size issues 9.108 ++ and returns ERANGE in errno and the caller is expected to retry 9.109 ++ with a larger buffer. 9.110 ++ 9.111 ++ Lastly, you may be tempted to make significant changes to the 9.112 ++ conditions in this code to bring about symmetry between responses. 9.113 ++ Please don't change anything without due consideration for 9.114 ++ expected application behaviour. Some of the synthesized responses 9.115 ++ aren't very well thought out and sometimes appear to imply that 9.116 ++ IPv4 responses are always answer 1, and IPv6 responses are always 9.117 ++ answer 2, but that's not true (see the implementation of send_dg 9.118 ++ and send_vc to see response can arrive in any order, particularly 9.119 ++ for UDP). However, we expect it holds roughly enough of the time 9.120 ++ that this code works, but certainly needs to be fixed to make this 9.121 ++ a more robust implementation. 9.122 ++ 9.123 ++ ---------------------------------------------- 9.124 ++ | Answer 1 Status / | Synthesized | Reason | 9.125 ++ | Answer 2 Status | Status | | 9.126 ++ |--------------------------------------------| 9.127 ++ | SUCCESS/SUCCESS | SUCCESS | [1] | 9.128 ++ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] | 9.129 ++ | SUCCESS/TRYAGAIN' | SUCCESS | [1] | 9.130 ++ | SUCCESS/NOTFOUND | SUCCESS | [1] | 9.131 ++ | SUCCESS/UNAVAIL | SUCCESS | [1] | 9.132 ++ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] | 9.133 ++ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] | 9.134 ++ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] | 9.135 ++ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] | 9.136 ++ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] | 9.137 ++ | TRYAGAIN'/SUCCESS | SUCCESS | [3] | 9.138 ++ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] | 9.139 ++ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] | 9.140 ++ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] | 9.141 ++ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] | 9.142 ++ | NOTFOUND/SUCCESS | SUCCESS | [3] | 9.143 ++ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] | 9.144 ++ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] | 9.145 ++ | NOTFOUND/NOTFOUND | NOTFOUND | [3] | 9.146 ++ | NOTFOUND/UNAVAIL | UNAVAIL | [3] | 9.147 ++ | UNAVAIL/SUCCESS | UNAVAIL | [4] | 9.148 ++ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] | 9.149 ++ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] | 9.150 ++ | UNAVAIL/NOTFOUND | UNAVAIL | [4] | 9.151 ++ | UNAVAIL/UNAVAIL | UNAVAIL | [4] | 9.152 ++ ---------------------------------------------- 9.153 ++ 9.154 ++ [1] If the first response is a success we return success. 9.155 ++ This ignores the state of the second answer and in fact 9.156 ++ incorrectly sets errno and h_errno to that of the second 9.157 ++ answer. However because the response is a success we ignore 9.158 ++ *errnop and *h_errnop (though that means you touched errno on 9.159 ++ success). We are being conservative here and returning the 9.160 ++ likely IPv4 response in the first answer as a success. 9.161 ++ 9.162 ++ [2] If the first response is a recoverable TRYAGAIN we return 9.163 ++ that instead of looking at the second response. The 9.164 ++ expectation here is that we have failed to get an IPv4 response 9.165 ++ and should retry both queries. 9.166 ++ 9.167 ++ [3] If the first response was not a SUCCESS and the second 9.168 ++ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN, 9.169 ++ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the 9.170 ++ result from the second response, otherwise the first responses 9.171 ++ status is used. Again we have some odd side-effects when the 9.172 ++ second response is NOTFOUND because we overwrite *errnop and 9.173 ++ *h_errnop that means that a first answer of NOTFOUND might see 9.174 ++ its *errnop and *h_errnop values altered. Whether it matters 9.175 ++ in practice that a first response NOTFOUND has the wrong 9.176 ++ *errnop and *h_errnop is undecided. 9.177 ++ 9.178 ++ [4] If the first response is UNAVAIL we return that instead of 9.179 ++ looking at the second response. The expectation here is that 9.180 ++ it will have failed similarly e.g. configuration failure. 9.181 ++ 9.182 ++ [5] Testing this code is complicated by the fact that truncated 9.183 ++ second response buffers might be returned as SUCCESS if the 9.184 ++ first answer is a SUCCESS. To fix this we add symmetry to 9.185 ++ TRYAGAIN with the second response. If the second response 9.186 ++ is a recoverable error we now return TRYAGIN even if the first 9.187 ++ response was SUCCESS. */ 9.188 ++ 9.189 + if (anslen1 > 0) 9.190 + status = gaih_getanswer_slice(answer1, anslen1, qname, 9.191 + &pat, &buffer, &buflen, 9.192 + errnop, h_errnop, ttlp, 9.193 + &first); 9.194 ++ 9.195 + if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND 9.196 + || (status == NSS_STATUS_TRYAGAIN 9.197 + /* We want to look at the second answer in case of an 9.198 +@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2, 9.199 + &pat, &buffer, &buflen, 9.200 + errnop, h_errnop, ttlp, 9.201 + &first); 9.202 ++ /* Use the second response status in some cases. */ 9.203 + if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND) 9.204 + status = status2; 9.205 ++ /* Do not return a truncated second response (unless it was 9.206 ++ unavoidable e.g. unrecoverable TRYAGAIN). */ 9.207 ++ if (status == NSS_STATUS_SUCCESS 9.208 ++ && (status2 == NSS_STATUS_TRYAGAIN 9.209 ++ && *errnop == ERANGE && *h_errnop != NO_RECOVERY)) 9.210 ++ status = NSS_STATUS_TRYAGAIN; 9.211 + } 9.212 + 9.213 + return status; 9.214 +diff --git a/resolv/res_query.c b/resolv/res_query.c 9.215 +index 4a9b3b3..95470a9 100644 9.216 +--- a/resolv/res_query.c 9.217 ++++ b/resolv/res_query.c 9.218 +@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp, 9.219 + { 9.220 + free (*answerp2); 9.221 + *answerp2 = NULL; 9.222 ++ *nanswerp2 = 0; 9.223 + *answerp2_malloced = 0; 9.224 + } 9.225 + } 9.226 +@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp, 9.227 + { 9.228 + free (*answerp2); 9.229 + *answerp2 = NULL; 9.230 ++ *nanswerp2 = 0; 9.231 + *answerp2_malloced = 0; 9.232 + } 9.233 + 9.234 +@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp, 9.235 + { 9.236 + free (*answerp2); 9.237 + *answerp2 = NULL; 9.238 ++ *nanswerp2 = 0; 9.239 + *answerp2_malloced = 0; 9.240 + } 9.241 + if (saved_herrno != -1) 9.242 +diff --git a/resolv/res_send.c b/resolv/res_send.c 9.243 +index 5e53cc2..6511bb1 100644 9.244 +--- a/resolv/res_send.c 9.245 ++++ b/resolv/res_send.c 9.246 +@@ -1,3 +1,20 @@ 9.247 ++/* Copyright (C) 2016 Free Software Foundation, Inc. 9.248 ++ This file is part of the GNU C Library. 9.249 ++ 9.250 ++ The GNU C Library is free software; you can redistribute it and/or 9.251 ++ modify it under the terms of the GNU Lesser General Public 9.252 ++ License as published by the Free Software Foundation; either 9.253 ++ version 2.1 of the License, or (at your option) any later version. 9.254 ++ 9.255 ++ The GNU C Library is distributed in the hope that it will be useful, 9.256 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 9.257 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 9.258 ++ Lesser General Public License for more details. 9.259 ++ 9.260 ++ You should have received a copy of the GNU Lesser General Public 9.261 ++ License along with the GNU C Library; if not, see 9.262 ++ <http://www.gnu.org/licenses/>. */ 9.263 ++ 9.264 + /* 9.265 + * Copyright (c) 1985, 1989, 1993 9.266 + * The Regents of the University of California. All rights reserved. 9.267 +@@ -363,6 +380,8 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen, 9.268 + #ifdef USE_HOOKS 9.269 + if (__glibc_unlikely (statp->qhook || statp->rhook)) { 9.270 + if (anssiz < MAXPACKET && ansp) { 9.271 ++ /* Always allocate MAXPACKET, callers expect 9.272 ++ this specific size. */ 9.273 + u_char *buf = malloc (MAXPACKET); 9.274 + if (buf == NULL) 9.275 + return (-1); 9.276 +@@ -638,6 +657,77 @@ get_nsaddr (res_state statp, int n) 9.277 + return (struct sockaddr *) (void *) &statp->nsaddr_list[n]; 9.278 + } 9.279 + 9.280 ++/* The send_vc function is responsible for sending a DNS query over TCP 9.281 ++ to the nameserver numbered NS from the res_state STATP i.e. 9.282 ++ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and 9.283 ++ IPv6 queries at the same serially on the same socket. 9.284 ++ 9.285 ++ Please note that for TCP there is no way to disable sending both 9.286 ++ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP 9.287 ++ and sends the queries serially and waits for the result after each 9.288 ++ sent query. This implemetnation should be corrected to honour these 9.289 ++ options. 9.290 ++ 9.291 ++ Please also note that for TCP we send both queries over the same 9.292 ++ socket one after another. This technically violates best practice 9.293 ++ since the server is allowed to read the first query, respond, and 9.294 ++ then close the socket (to service another client). If the server 9.295 ++ does this, then the remaining second query in the socket data buffer 9.296 ++ will cause the server to send the client an RST which will arrive 9.297 ++ asynchronously and the client's OS will likely tear down the socket 9.298 ++ receive buffer resulting in a potentially short read and lost 9.299 ++ response data. This will force the client to retry the query again, 9.300 ++ and this process may repeat until all servers and connection resets 9.301 ++ are exhausted and then the query will fail. It's not known if this 9.302 ++ happens with any frequency in real DNS server implementations. This 9.303 ++ implementation should be corrected to use two sockets by default for 9.304 ++ parallel queries. 9.305 ++ 9.306 ++ The query stored in BUF of BUFLEN length is sent first followed by 9.307 ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent 9.308 ++ serially on the same socket. 9.309 ++ 9.310 ++ Answers to the query are stored firstly in *ANSP up to a max of 9.311 ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP 9.312 ++ is non-NULL (to indicate that modifying the answer buffer is allowed) 9.313 ++ then malloc is used to allocate a new response buffer and ANSCP and 9.314 ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes 9.315 ++ are needed but ANSCP is NULL, then as much of the response as 9.316 ++ possible is read into the buffer, but the results will be truncated. 9.317 ++ When truncation happens because of a small answer buffer the DNS 9.318 ++ packets header field TC will bet set to 1, indicating a truncated 9.319 ++ message and the rest of the socket data will be read and discarded. 9.320 ++ 9.321 ++ Answers to the query are stored secondly in *ANSP2 up to a max of 9.322 ++ *ANSSIZP2 bytes, with the actual response length stored in 9.323 ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 9.324 ++ is non-NULL (required for a second query) then malloc is used to 9.325 ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer 9.326 ++ size and *ANSP2_MALLOCED is set to 1. 9.327 ++ 9.328 ++ The ANSP2_MALLOCED argument will eventually be removed as the 9.329 ++ change in buffer pointer can be used to detect the buffer has 9.330 ++ changed and that the caller should use free on the new buffer. 9.331 ++ 9.332 ++ Note that the answers may arrive in any order from the server and 9.333 ++ therefore the first and second answer buffers may not correspond to 9.334 ++ the first and second queries. 9.335 ++ 9.336 ++ It is not supported to call this function with a non-NULL ANSP2 9.337 ++ but a NULL ANSCP. Put another way, you can call send_vc with a 9.338 ++ single unmodifiable buffer or two modifiable buffers, but no other 9.339 ++ combination is supported. 9.340 ++ 9.341 ++ It is the caller's responsibility to free the malloc allocated 9.342 ++ buffers by detecting that the pointers have changed from their 9.343 ++ original values i.e. *ANSCP or *ANSP2 has changed. 9.344 ++ 9.345 ++ If errors are encountered then *TERRNO is set to an appropriate 9.346 ++ errno value and a zero result is returned for a recoverable error, 9.347 ++ and a less-than zero result is returned for a non-recoverable error. 9.348 ++ 9.349 ++ If no errors are encountered then *TERRNO is left unmodified and 9.350 ++ a the length of the first response in bytes is returned. */ 9.351 + static int 9.352 + send_vc(res_state statp, 9.353 + const u_char *buf, int buflen, const u_char *buf2, int buflen2, 9.354 +@@ -647,11 +737,7 @@ send_vc(res_state statp, 9.355 + { 9.356 + const HEADER *hp = (HEADER *) buf; 9.357 + const HEADER *hp2 = (HEADER *) buf2; 9.358 +- u_char *ans = *ansp; 9.359 +- int orig_anssizp = *anssizp; 9.360 +- // XXX REMOVE 9.361 +- // int anssiz = *anssizp; 9.362 +- HEADER *anhp = (HEADER *) ans; 9.363 ++ HEADER *anhp = (HEADER *) *ansp; 9.364 + struct sockaddr *nsap = get_nsaddr (statp, ns); 9.365 + int truncating, connreset, n; 9.366 + /* On some architectures compiler might emit a warning indicating 9.367 +@@ -743,6 +829,8 @@ send_vc(res_state statp, 9.368 + * Receive length & response 9.369 + */ 9.370 + int recvresp1 = 0; 9.371 ++ /* Skip the second response if there is no second query. 9.372 ++ To do that we mark the second response as received. */ 9.373 + int recvresp2 = buf2 == NULL; 9.374 + uint16_t rlen16; 9.375 + read_len: 9.376 +@@ -779,40 +867,14 @@ send_vc(res_state statp, 9.377 + u_char **thisansp; 9.378 + int *thisresplenp; 9.379 + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { 9.380 ++ /* We have not received any responses 9.381 ++ yet or we only have one response to 9.382 ++ receive. */ 9.383 + thisanssizp = anssizp; 9.384 + thisansp = anscp ?: ansp; 9.385 + assert (anscp != NULL || ansp2 == NULL); 9.386 + thisresplenp = &resplen; 9.387 + } else { 9.388 +- if (*anssizp != MAXPACKET) { 9.389 +- /* No buffer allocated for the first 9.390 +- reply. We can try to use the rest 9.391 +- of the user-provided buffer. */ 9.392 +-#if __GNUC_PREREQ (4, 7) 9.393 +- DIAG_PUSH_NEEDS_COMMENT; 9.394 +- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized"); 9.395 +-#endif 9.396 +-#if _STRING_ARCH_unaligned 9.397 +- *anssizp2 = orig_anssizp - resplen; 9.398 +- *ansp2 = *ansp + resplen; 9.399 +-#else 9.400 +- int aligned_resplen 9.401 +- = ((resplen + __alignof__ (HEADER) - 1) 9.402 +- & ~(__alignof__ (HEADER) - 1)); 9.403 +- *anssizp2 = orig_anssizp - aligned_resplen; 9.404 +- *ansp2 = *ansp + aligned_resplen; 9.405 +-#endif 9.406 +-#if __GNUC_PREREQ (4, 7) 9.407 +- DIAG_POP_NEEDS_COMMENT; 9.408 +-#endif 9.409 +- } else { 9.410 +- /* The first reply did not fit into the 9.411 +- user-provided buffer. Maybe the second 9.412 +- answer will. */ 9.413 +- *anssizp2 = orig_anssizp; 9.414 +- *ansp2 = *ansp; 9.415 +- } 9.416 +- 9.417 + thisanssizp = anssizp2; 9.418 + thisansp = ansp2; 9.419 + thisresplenp = resplen2; 9.420 +@@ -820,10 +882,14 @@ send_vc(res_state statp, 9.421 + anhp = (HEADER *) *thisansp; 9.422 + 9.423 + *thisresplenp = rlen; 9.424 +- if (rlen > *thisanssizp) { 9.425 +- /* Yes, we test ANSCP here. If we have two buffers 9.426 +- both will be allocatable. */ 9.427 +- if (__glibc_likely (anscp != NULL)) { 9.428 ++ /* Is the answer buffer too small? */ 9.429 ++ if (*thisanssizp < rlen) { 9.430 ++ /* If the current buffer is not the the static 9.431 ++ user-supplied buffer then we can reallocate 9.432 ++ it. */ 9.433 ++ if (thisansp != NULL && thisansp != ansp) { 9.434 ++ /* Always allocate MAXPACKET, callers expect 9.435 ++ this specific size. */ 9.436 + u_char *newp = malloc (MAXPACKET); 9.437 + if (newp == NULL) { 9.438 + *terrno = ENOMEM; 9.439 +@@ -835,6 +901,9 @@ send_vc(res_state statp, 9.440 + if (thisansp == ansp2) 9.441 + *ansp2_malloced = 1; 9.442 + anhp = (HEADER *) newp; 9.443 ++ /* A uint16_t can't be larger than MAXPACKET 9.444 ++ thus it's safe to allocate MAXPACKET but 9.445 ++ read RLEN bytes instead. */ 9.446 + len = rlen; 9.447 + } else { 9.448 + Dprint(statp->options & RES_DEBUG, 9.449 +@@ -997,6 +1066,66 @@ reopen (res_state statp, int *terrno, int ns) 9.450 + return 1; 9.451 + } 9.452 + 9.453 ++/* The send_dg function is responsible for sending a DNS query over UDP 9.454 ++ to the nameserver numbered NS from the res_state STATP i.e. 9.455 ++ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries 9.456 ++ along with the ability to send the query in parallel for both stacks 9.457 ++ (default) or serially (RES_SINGLKUP). It also supports serial lookup 9.458 ++ with a close and reopen of the socket used to talk to the server 9.459 ++ (RES_SNGLKUPREOP) to work around broken name servers. 9.460 ++ 9.461 ++ The query stored in BUF of BUFLEN length is sent first followed by 9.462 ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent 9.463 ++ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP). 9.464 ++ 9.465 ++ Answers to the query are stored firstly in *ANSP up to a max of 9.466 ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP 9.467 ++ is non-NULL (to indicate that modifying the answer buffer is allowed) 9.468 ++ then malloc is used to allocate a new response buffer and ANSCP and 9.469 ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes 9.470 ++ are needed but ANSCP is NULL, then as much of the response as 9.471 ++ possible is read into the buffer, but the results will be truncated. 9.472 ++ When truncation happens because of a small answer buffer the DNS 9.473 ++ packets header field TC will bet set to 1, indicating a truncated 9.474 ++ message, while the rest of the UDP packet is discarded. 9.475 ++ 9.476 ++ Answers to the query are stored secondly in *ANSP2 up to a max of 9.477 ++ *ANSSIZP2 bytes, with the actual response length stored in 9.478 ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 9.479 ++ is non-NULL (required for a second query) then malloc is used to 9.480 ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer 9.481 ++ size and *ANSP2_MALLOCED is set to 1. 9.482 ++ 9.483 ++ The ANSP2_MALLOCED argument will eventually be removed as the 9.484 ++ change in buffer pointer can be used to detect the buffer has 9.485 ++ changed and that the caller should use free on the new buffer. 9.486 ++ 9.487 ++ Note that the answers may arrive in any order from the server and 9.488 ++ therefore the first and second answer buffers may not correspond to 9.489 ++ the first and second queries. 9.490 ++ 9.491 ++ It is not supported to call this function with a non-NULL ANSP2 9.492 ++ but a NULL ANSCP. Put another way, you can call send_vc with a 9.493 ++ single unmodifiable buffer or two modifiable buffers, but no other 9.494 ++ combination is supported. 9.495 ++ 9.496 ++ It is the caller's responsibility to free the malloc allocated 9.497 ++ buffers by detecting that the pointers have changed from their 9.498 ++ original values i.e. *ANSCP or *ANSP2 has changed. 9.499 ++ 9.500 ++ If an answer is truncated because of UDP datagram DNS limits then 9.501 ++ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to 9.502 ++ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1 9.503 ++ if any progress was made reading a response from the nameserver and 9.504 ++ is used by the caller to distinguish between ECONNREFUSED and 9.505 ++ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1). 9.506 ++ 9.507 ++ If errors are encountered then *TERRNO is set to an appropriate 9.508 ++ errno value and a zero result is returned for a recoverable error, 9.509 ++ and a less-than zero result is returned for a non-recoverable error. 9.510 ++ 9.511 ++ If no errors are encountered then *TERRNO is left unmodified and 9.512 ++ a the length of the first response in bytes is returned. */ 9.513 + static int 9.514 + send_dg(res_state statp, 9.515 + const u_char *buf, int buflen, const u_char *buf2, int buflen2, 9.516 +@@ -1006,8 +1135,6 @@ send_dg(res_state statp, 9.517 + { 9.518 + const HEADER *hp = (HEADER *) buf; 9.519 + const HEADER *hp2 = (HEADER *) buf2; 9.520 +- u_char *ans = *ansp; 9.521 +- int orig_anssizp = *anssizp; 9.522 + struct timespec now, timeout, finish; 9.523 + struct pollfd pfd[1]; 9.524 + int ptimeout; 9.525 +@@ -1040,6 +1167,8 @@ send_dg(res_state statp, 9.526 + int need_recompute = 0; 9.527 + int nwritten = 0; 9.528 + int recvresp1 = 0; 9.529 ++ /* Skip the second response if there is no second query. 9.530 ++ To do that we mark the second response as received. */ 9.531 + int recvresp2 = buf2 == NULL; 9.532 + pfd[0].fd = EXT(statp).nssocks[ns]; 9.533 + pfd[0].events = POLLOUT; 9.534 +@@ -1203,55 +1332,56 @@ send_dg(res_state statp, 9.535 + int *thisresplenp; 9.536 + 9.537 + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { 9.538 ++ /* We have not received any responses 9.539 ++ yet or we only have one response to 9.540 ++ receive. */ 9.541 + thisanssizp = anssizp; 9.542 + thisansp = anscp ?: ansp; 9.543 + assert (anscp != NULL || ansp2 == NULL); 9.544 + thisresplenp = &resplen; 9.545 + } else { 9.546 +- if (*anssizp != MAXPACKET) { 9.547 +- /* No buffer allocated for the first 9.548 +- reply. We can try to use the rest 9.549 +- of the user-provided buffer. */ 9.550 +-#if _STRING_ARCH_unaligned 9.551 +- *anssizp2 = orig_anssizp - resplen; 9.552 +- *ansp2 = *ansp + resplen; 9.553 +-#else 9.554 +- int aligned_resplen 9.555 +- = ((resplen + __alignof__ (HEADER) - 1) 9.556 +- & ~(__alignof__ (HEADER) - 1)); 9.557 +- *anssizp2 = orig_anssizp - aligned_resplen; 9.558 +- *ansp2 = *ansp + aligned_resplen; 9.559 +-#endif 9.560 +- } else { 9.561 +- /* The first reply did not fit into the 9.562 +- user-provided buffer. Maybe the second 9.563 +- answer will. */ 9.564 +- *anssizp2 = orig_anssizp; 9.565 +- *ansp2 = *ansp; 9.566 +- } 9.567 +- 9.568 + thisanssizp = anssizp2; 9.569 + thisansp = ansp2; 9.570 + thisresplenp = resplen2; 9.571 + } 9.572 + 9.573 + if (*thisanssizp < MAXPACKET 9.574 +- /* Yes, we test ANSCP here. If we have two buffers 9.575 +- both will be allocatable. */ 9.576 +- && anscp 9.577 ++ /* If the current buffer is not the the static 9.578 ++ user-supplied buffer then we can reallocate 9.579 ++ it. */ 9.580 ++ && (thisansp != NULL && thisansp != ansp) 9.581 + #ifdef FIONREAD 9.582 ++ /* Is the size too small? */ 9.583 + && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0 9.584 + || *thisanssizp < *thisresplenp) 9.585 + #endif 9.586 + ) { 9.587 ++ /* Always allocate MAXPACKET, callers expect 9.588 ++ this specific size. */ 9.589 + u_char *newp = malloc (MAXPACKET); 9.590 + if (newp != NULL) { 9.591 +- *anssizp = MAXPACKET; 9.592 +- *thisansp = ans = newp; 9.593 ++ *thisanssizp = MAXPACKET; 9.594 ++ *thisansp = newp; 9.595 + if (thisansp == ansp2) 9.596 + *ansp2_malloced = 1; 9.597 + } 9.598 + } 9.599 ++ /* We could end up with truncation if anscp was NULL 9.600 ++ (not allowed to change caller's buffer) and the 9.601 ++ response buffer size is too small. This isn't a 9.602 ++ reliable way to detect truncation because the ioctl 9.603 ++ may be an inaccurate report of the UDP message size. 9.604 ++ Therefore we use this only to issue debug output. 9.605 ++ To do truncation accurately with UDP we need 9.606 ++ MSG_TRUNC which is only available on Linux. We 9.607 ++ can abstract out the Linux-specific feature in the 9.608 ++ future to detect truncation. */ 9.609 ++ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) { 9.610 ++ Dprint(statp->options & RES_DEBUG, 9.611 ++ (stdout, ";; response may be truncated (UDP)\n") 9.612 ++ ); 9.613 ++ } 9.614 ++ 9.615 + HEADER *anhp = (HEADER *) *thisansp; 9.616 + socklen_t fromlen = sizeof(struct sockaddr_in6); 9.617 + assert (sizeof(from) <= fromlen); 9.618 +-- 9.619 +1.9.4 9.620 +
10.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 10.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2015-8776.patch Wed Mar 15 11:41:38 2023 +0000 10.3 @@ -0,0 +1,127 @@ 10.4 +From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001 10.5 +From: Paul Pluzhnikov <ppluzhnikov@google.com> 10.6 +Date: Sat, 26 Sep 2015 13:27:48 -0700 10.7 +Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a 10.8 + segfault 10.9 + 10.10 +diff --git a/time/strftime_l.c b/time/strftime_l.c 10.11 +index b48ef34..4eb647c 100644 10.12 +--- a/time/strftime_l.c 10.13 ++++ b/time/strftime_l.c 10.14 +@@ -510,13 +510,17 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument 10.15 + only a few elements. Dereference the pointers only if the format 10.16 + requires this. Then it is ok to fail if the pointers are invalid. */ 10.17 + # define a_wkday \ 10.18 +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)) 10.19 ++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ 10.20 ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))) 10.21 + # define f_wkday \ 10.22 +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)) 10.23 ++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ 10.24 ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))) 10.25 + # define a_month \ 10.26 +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)) 10.27 ++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ 10.28 ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))) 10.29 + # define f_month \ 10.30 +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)) 10.31 ++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ 10.32 ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))) 10.33 + # define ampm \ 10.34 + ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \ 10.35 + ? NLW(PM_STR) : NLW(AM_STR))) 10.36 +@@ -526,8 +530,10 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument 10.37 + # define ap_len STRLEN (ampm) 10.38 + #else 10.39 + # if !HAVE_STRFTIME 10.40 +-# define f_wkday (weekday_name[tp->tm_wday]) 10.41 +-# define f_month (month_name[tp->tm_mon]) 10.42 ++# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \ 10.43 ++ ? "?" : weekday_name[tp->tm_wday]) 10.44 ++# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \ 10.45 ++ ? "?" : month_name[tp->tm_mon]) 10.46 + # define a_wkday f_wkday 10.47 + # define a_month f_month 10.48 + # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11)) 10.49 +@@ -1321,7 +1327,7 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument 10.50 + *tzset_called = true; 10.51 + } 10.52 + # endif 10.53 +- zone = tzname[tp->tm_isdst]; 10.54 ++ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?"; 10.55 + } 10.56 + #endif 10.57 + if (! zone) 10.58 +diff --git a/time/tst-strftime.c b/time/tst-strftime.c 10.59 +index 374fba4..af3ff72 100644 10.60 +--- a/time/tst-strftime.c 10.61 ++++ b/time/tst-strftime.c 10.62 +@@ -4,6 +4,56 @@ 10.63 + #include <time.h> 10.64 + 10.65 + 10.66 ++static int 10.67 ++do_bz18985 (void) 10.68 ++{ 10.69 ++ char buf[1000]; 10.70 ++ struct tm ttm; 10.71 ++ int rc, ret = 0; 10.72 ++ 10.73 ++ memset (&ttm, 1, sizeof (ttm)); 10.74 ++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ 10.75 ++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); 10.76 ++ 10.77 ++ if (rc == 66) 10.78 ++ { 10.79 ++ const char expected[] 10.80 ++ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?"; 10.81 ++ if (0 != strcmp (buf, expected)) 10.82 ++ { 10.83 ++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf); 10.84 ++ ret += 1; 10.85 ++ } 10.86 ++ } 10.87 ++ else 10.88 ++ { 10.89 ++ printf ("expected 66, got %d\n", rc); 10.90 ++ ret += 1; 10.91 ++ } 10.92 ++ 10.93 ++ /* Check negative values as well. */ 10.94 ++ memset (&ttm, 0xFF, sizeof (ttm)); 10.95 ++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ 10.96 ++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); 10.97 ++ 10.98 ++ if (rc == 30) 10.99 ++ { 10.100 ++ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 "; 10.101 ++ if (0 != strcmp (buf, expected)) 10.102 ++ { 10.103 ++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf); 10.104 ++ ret += 1; 10.105 ++ } 10.106 ++ } 10.107 ++ else 10.108 ++ { 10.109 ++ printf ("expected 30, got %d\n", rc); 10.110 ++ ret += 1; 10.111 ++ } 10.112 ++ 10.113 ++ return ret; 10.114 ++} 10.115 ++ 10.116 + static struct 10.117 + { 10.118 + const char *fmt; 10.119 +@@ -104,7 +154,7 @@ do_test (void) 10.120 + } 10.121 + } 10.122 + 10.123 +- return result; 10.124 ++ return result + do_bz18985 (); 10.125 + } 10.126 + 10.127 + #define TEST_FUNCTION do_test () 10.128 +-- 10.129 +2.9.3 10.130 +
11.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 11.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2015-8777.patch Wed Mar 15 11:41:38 2023 +0000 11.3 @@ -0,0 +1,85 @@ 11.4 +Based on: 11.5 +https://sourceware.org/bugzilla/show_bug.cgi?id=18928 11.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=dc22a1ec157d02529a0b17986679d3f1c122985e 11.7 + 11.8 +From dc22a1ec157d02529a0b17986679d3f1c122985e Mon Sep 17 00:00:00 2001 11.9 +From: Florian Weimer <fweimer@redhat.com> 11.10 +Date: Thu, 15 Oct 2015 09:23:07 +0200 11.11 +Subject: [PATCH] Always enable pointer guard [BZ #18928] 11.12 + 11.13 +Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode 11.14 +has security implications. This commit enables pointer guard 11.15 +unconditionally, and the environment variable is now ignored. 11.16 + 11.17 + [BZ #18928] 11.18 + * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove 11.19 + _dl_pointer_guard member. 11.20 + * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard 11.21 + initializer. 11.22 + (security_init): Always set up pointer guard. 11.23 + (process_envvars): Do not process LD_POINTER_GUARD. 11.24 + 11.25 +--- 11.26 + elf/rtld.c | 15 ++++----------- 11.27 + sysdeps/generic/ldsodefs.h | 3 --- 11.28 + 2 files changed, 4 insertions(+), 14 deletions(-) 11.29 + 11.30 +diff --git a/elf/rtld.c b/elf/rtld.c 11.31 +index 5043046..6c2632d 100644 11.32 +--- a/elf/rtld.c 11.33 ++++ b/elf/rtld.c 11.34 +@@ -162,7 +162,6 @@ struct rtld_global_ro _rtld_global_ro attribute_relro = 11.35 + ._dl_hwcap_mask = HWCAP_IMPORTANT, 11.36 + ._dl_lazy = 1, 11.37 + ._dl_fpu_control = _FPU_DEFAULT, 11.38 +- ._dl_pointer_guard = 1, 11.39 + ._dl_pagesize = EXEC_PAGESIZE, 11.40 + ._dl_inhibit_cache = 0, 11.41 + 11.42 +@@ -709,15 +708,12 @@ security_init (void) 11.43 + #endif 11.44 + 11.45 + /* Set up the pointer guard as well, if necessary. */ 11.46 +- if (GLRO(dl_pointer_guard)) 11.47 +- { 11.48 +- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random, 11.49 +- stack_chk_guard); 11.50 ++ uintptr_t pointer_chk_guard 11.51 ++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard); 11.52 + #ifdef THREAD_SET_POINTER_GUARD 11.53 +- THREAD_SET_POINTER_GUARD (pointer_chk_guard); 11.54 ++ THREAD_SET_POINTER_GUARD (pointer_chk_guard); 11.55 + #endif 11.56 +- __pointer_chk_guard_local = pointer_chk_guard; 11.57 +- } 11.58 ++ __pointer_chk_guard_local = pointer_chk_guard; 11.59 + 11.60 + /* We do not need the _dl_random value anymore. The less 11.61 + information we leave behind, the better, so clear the 11.62 +@@ -2472,9 +2468,6 @@ process_envvars (enum mode *modep) 11.63 + GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0; 11.64 + break; 11.65 + } 11.66 +- 11.67 +- if (memcmp (envline, "POINTER_GUARD", 13) == 0) 11.68 +- GLRO(dl_pointer_guard) = envline[14] != '0'; 11.69 + break; 11.70 + 11.71 + case 14: 11.72 +diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h 11.73 +index 7a0fe8d..78e3a97 100644 11.74 +--- a/sysdeps/generic/ldsodefs.h 11.75 ++++ b/sysdeps/generic/ldsodefs.h 11.76 +@@ -592,9 +592,6 @@ struct rtld_global_ro 11.77 + /* List of auditing interfaces. */ 11.78 + struct audit_ifaces *_dl_audit; 11.79 + unsigned int _dl_naudit; 11.80 +- 11.81 +- /* 0 if internal pointer values should not be guarded, 1 if they should. */ 11.82 +- EXTERN int _dl_pointer_guard; 11.83 + }; 11.84 + # define __rtld_global_attribute__ 11.85 + # if IS_IN (rtld) 11.86 +-- 11.87 +2.17.1 11.88 +
12.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 12.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2015-8778.patch Wed Mar 15 11:41:38 2023 +0000 12.3 @@ -0,0 +1,171 @@ 12.4 +Based on: 12.5 +https://sourceware.org/bugzilla/show_bug.cgi?id=18240 12.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=bae7c7c764413b23e61cb099ce33be4c4ee259bb 12.7 + 12.8 +From 287de30e170cb765ed326d23d22791a81aab6e0f Mon Sep 17 00:00:00 2001 12.9 +From: Florian Weimer <fweimer@redhat.com> 12.10 +Date: Thu, 28 Jan 2016 13:59:11 +0100 12.11 +Subject: [PATCH] Improve check against integer wraparound in hcreate_r [BZ 12.12 + #18240] 12.13 +--- 12.14 + misc/Makefile | 3 +- 12.15 + misc/bug18240.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++ 12.16 + misc/hsearch_r.c | 30 +++++++++++-------- 12.17 + 3 files changed, 95 insertions(+), 13 deletions(-) 12.18 + create mode 100644 misc/bug18240.c 12.19 + 12.20 +diff --git a/misc/Makefile b/misc/Makefile 12.21 +index aecb0da..704c2e5 100644 12.22 +--- a/misc/Makefile 12.23 ++++ b/misc/Makefile 12.24 +@@ -76,7 +76,8 @@ install-lib := libg.a 12.25 + gpl2lgpl := error.c error.h 12.26 + 12.27 + tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \ 12.28 +- tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 12.29 ++ tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \ 12.30 ++ bug18240 12.31 + ifeq ($(run-built-tests),yes) 12.32 + tests-special += $(objpfx)tst-error1-mem.out 12.33 + endif 12.34 +diff --git a/misc/bug18240.c b/misc/bug18240.c 12.35 +new file mode 100644 12.36 +index 0000000..4b26865 12.37 +--- /dev/null 12.38 ++++ b/misc/bug18240.c 12.39 +@@ -0,0 +1,75 @@ 12.40 ++/* Test integer wraparound in hcreate. 12.41 ++ Copyright (C) 2016 Free Software Foundation, Inc. 12.42 ++ This file is part of the GNU C Library. 12.43 ++ 12.44 ++ The GNU C Library is free software; you can redistribute it and/or 12.45 ++ modify it under the terms of the GNU Lesser General Public 12.46 ++ License as published by the Free Software Foundation; either 12.47 ++ version 2.1 of the License, or (at your option) any later version. 12.48 ++ 12.49 ++ The GNU C Library is distributed in the hope that it will be useful, 12.50 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 12.51 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12.52 ++ Lesser General Public License for more details. 12.53 ++ 12.54 ++ You should have received a copy of the GNU Lesser General Public 12.55 ++ License along with the GNU C Library; if not, see 12.56 ++ <http://www.gnu.org/licenses/>. */ 12.57 ++ 12.58 ++#include <errno.h> 12.59 ++#include <limits.h> 12.60 ++#include <search.h> 12.61 ++#include <stdbool.h> 12.62 ++#include <stdio.h> 12.63 ++#include <stdlib.h> 12.64 ++ 12.65 ++static void 12.66 ++test_size (size_t size) 12.67 ++{ 12.68 ++ int res = hcreate (size); 12.69 ++ if (res == 0) 12.70 ++ { 12.71 ++ if (errno == ENOMEM) 12.72 ++ return; 12.73 ++ printf ("error: hcreate (%zu): %m\n", size); 12.74 ++ exit (1); 12.75 ++ } 12.76 ++ char *keys[100]; 12.77 ++ for (int i = 0; i < 100; ++i) 12.78 ++ { 12.79 ++ if (asprintf (keys + i, "%d", i) < 0) 12.80 ++ { 12.81 ++ printf ("error: asprintf: %m\n"); 12.82 ++ exit (1); 12.83 ++ } 12.84 ++ ENTRY e = { keys[i], (char *) "value" }; 12.85 ++ if (hsearch (e, ENTER) == NULL) 12.86 ++ { 12.87 ++ printf ("error: hsearch (\"%s\"): %m\n", keys[i]); 12.88 ++ exit (1); 12.89 ++ } 12.90 ++ } 12.91 ++ hdestroy (); 12.92 ++ 12.93 ++ for (int i = 0; i < 100; ++i) 12.94 ++ free (keys[i]); 12.95 ++} 12.96 ++ 12.97 ++static int 12.98 ++do_test (void) 12.99 ++{ 12.100 ++ test_size (500); 12.101 ++ test_size (-1); 12.102 ++ test_size (-3); 12.103 ++ test_size (INT_MAX - 2); 12.104 ++ test_size (INT_MAX - 1); 12.105 ++ test_size (INT_MAX); 12.106 ++ test_size (((unsigned) INT_MAX) + 1); 12.107 ++ test_size (UINT_MAX - 2); 12.108 ++ test_size (UINT_MAX - 1); 12.109 ++ test_size (UINT_MAX); 12.110 ++ return 0; 12.111 ++} 12.112 ++ 12.113 ++#define TEST_FUNCTION do_test () 12.114 ++#include "../test-skeleton.c" 12.115 +diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c 12.116 +index 9f55e84..661f0f6 100644 12.117 +--- a/misc/hsearch_r.c 12.118 ++++ b/misc/hsearch_r.c 12.119 +@@ -19,7 +19,7 @@ 12.120 + #include <errno.h> 12.121 + #include <malloc.h> 12.122 + #include <string.h> 12.123 +- 12.124 ++#include <stdint.h> 12.125 + #include <search.h> 12.126 + 12.127 + /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986 12.128 +@@ -46,15 +46,12 @@ static int 12.129 + isprime (unsigned int number) 12.130 + { 12.131 + /* no even number will be passed */ 12.132 +- unsigned int div = 3; 12.133 +- 12.134 +- while (div * div < number && number % div != 0) 12.135 +- div += 2; 12.136 +- 12.137 +- return number % div != 0; 12.138 ++ for (unsigned int div = 3; div <= number / div; div += 2) 12.139 ++ if (number % div == 0) 12.140 ++ return 0; 12.141 ++ return 1; 12.142 + } 12.143 + 12.144 +- 12.145 + /* Before using the hash table we must allocate memory for it. 12.146 + Test for an existing table are done. We allocate one element 12.147 + more as the found prime number says. This is done for more effective 12.148 +@@ -81,10 +78,19 @@ __hcreate_r (nel, htab) 12.149 + use will not work. */ 12.150 + if (nel < 3) 12.151 + nel = 3; 12.152 +- /* Change nel to the first prime number not smaller as nel. */ 12.153 +- nel |= 1; /* make odd */ 12.154 +- while (!isprime (nel)) 12.155 +- nel += 2; 12.156 ++ 12.157 ++ /* Change nel to the first prime number in the range [nel, UINT_MAX - 2], 12.158 ++ The '- 2' means 'nel += 2' cannot overflow. */ 12.159 ++ for (nel |= 1; ; nel += 2) 12.160 ++ { 12.161 ++ if (UINT_MAX - 2 < nel) 12.162 ++ { 12.163 ++ __set_errno (ENOMEM); 12.164 ++ return 0; 12.165 ++ } 12.166 ++ if (isprime (nel)) 12.167 ++ break; 12.168 ++ } 12.169 + 12.170 + htab->size = nel; 12.171 + htab->filled = 0; 12.172 +-- 12.173 +2.17.1 12.174 +
13.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 13.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2015-8779.patch Wed Mar 15 11:41:38 2023 +0000 13.3 @@ -0,0 +1,231 @@ 13.4 +Based on: 13.5 +https://sourceware.org/bugzilla/show_bug.cgi?id=17905 13.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=0f58539030e436449f79189b6edab17d7479796e 13.7 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=7565d2a862683a3c26ffb1f32351b8c5ab9f7b31 13.8 + 13.9 +From afd269312ea8aef752b8e4c2531bdd920a085708 Mon Sep 17 00:00:00 2001 13.10 +From: Paul Pluzhnikov <ppluzhnikov@google.com> 13.11 +Date: Sat, 8 Aug 2015 15:53:03 -0700 13.12 +Subject: [PATCH] Fix BZ #17905 13.13 + 13.14 +--- 13.15 + catgets/Makefile | 9 ++++++++- 13.16 + catgets/catgets.c | 19 ++++++++++++------- 13.17 + catgets/open_catalog.c | 23 ++++++++++++++--------- 13.18 + catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++ 13.19 + 4 files changed, 65 insertions(+), 17 deletions(-) 13.20 + 13.21 +diff --git a/catgets/Makefile b/catgets/Makefile 13.22 +index 4624a88..56de38b 100644 13.23 +--- a/catgets/Makefile 13.24 ++++ b/catgets/Makefile 13.25 +@@ -34,6 +34,7 @@ test-srcs = test-gencat 13.26 + ifeq ($(run-built-tests),yes) 13.27 + tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \ 13.28 + $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out 13.29 ++tests-special += $(objpfx)tst-catgets-mem.out 13.30 + endif 13.31 + 13.32 + gencat-modules = xmalloc 13.33 +@@ -50,9 +51,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcatdir)/%L/%N:$(msgcatdir)/%L/LC_MESSAGES/% 13.34 + 13.35 + generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \ 13.36 + test-gencat.h 13.37 ++generated += tst-catgets.mtrace tst-catgets-mem.out 13.38 ++ 13.39 + generated-dirs += de 13.40 + 13.41 +-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de 13.42 ++tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace 13.43 + 13.44 + ifeq ($(run-built-tests),yes) 13.45 + # This test just checks whether the program produces any error or not. 13.46 +@@ -86,4 +89,8 @@ $(objpfx)test-gencat.out: test-gencat.sh $(objpfx)test-gencat \ 13.47 + $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat 13.48 + $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \ 13.49 + $(evaluate-test) 13.50 ++ 13.51 ++$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out 13.52 ++ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \ 13.53 ++ $(evaluate-test) 13.54 + endif 13.55 +diff --git a/catgets/catgets.c b/catgets/catgets.c 13.56 +index cf93d56..4be452d 100644 13.57 +--- a/catgets/catgets.c 13.58 ++++ b/catgets/catgets.c 13.59 +@@ -16,7 +16,6 @@ 13.60 + License along with the GNU C Library; if not, see 13.61 + <http://www.gnu.org/licenses/>. */ 13.62 + 13.63 +-#include <alloca.h> 13.64 + #include <errno.h> 13.65 + #include <locale.h> 13.66 + #include <nl_types.h> 13.67 +@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag) 13.68 + __nl_catd result; 13.69 + const char *env_var = NULL; 13.70 + const char *nlspath = NULL; 13.71 ++ char *tmp = NULL; 13.72 + 13.73 + if (strchr (cat_name, '/') == NULL) 13.74 + { 13.75 +@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag) 13.76 + { 13.77 + /* Append the system dependent directory. */ 13.78 + size_t len = strlen (nlspath) + 1 + sizeof NLSPATH; 13.79 +- char *tmp = alloca (len); 13.80 ++ tmp = malloc (len); 13.81 ++ 13.82 ++ if (__glibc_unlikely (tmp == NULL)) 13.83 ++ return (nl_catd) -1; 13.84 + 13.85 + __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH); 13.86 + nlspath = tmp; 13.87 +@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag) 13.88 + 13.89 + result = (__nl_catd) malloc (sizeof (*result)); 13.90 + if (result == NULL) 13.91 +- /* We cannot get enough memory. */ 13.92 +- return (nl_catd) -1; 13.93 +- 13.94 +- if (__open_catalog (cat_name, nlspath, env_var, result) != 0) 13.95 ++ { 13.96 ++ /* We cannot get enough memory. */ 13.97 ++ result = (nl_catd) -1; 13.98 ++ } 13.99 ++ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0) 13.100 + { 13.101 + /* Couldn't open the file. */ 13.102 + free ((void *) result); 13.103 +- return (nl_catd) -1; 13.104 ++ result = (nl_catd) -1; 13.105 + } 13.106 + 13.107 ++ free (tmp); 13.108 + return (nl_catd) result; 13.109 + } 13.110 + 13.111 +diff --git a/catgets/open_catalog.c b/catgets/open_catalog.c 13.112 +index e069416..9f4d776 100644 13.113 +--- a/catgets/open_catalog.c 13.114 ++++ b/catgets/open_catalog.c 13.115 +@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, 13.116 + size_t tab_size; 13.117 + const char *lastp; 13.118 + int result = -1; 13.119 ++ char *buf = NULL; 13.120 + 13.121 + if (strchr (cat_name, '/') != NULL || nlspath == NULL) 13.122 + fd = open_not_cancel_2 (cat_name, O_RDONLY); 13.123 +@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, 13.124 + if (__glibc_unlikely (bufact + (n) >= bufmax)) \ 13.125 + { \ 13.126 + char *old_buf = buf; \ 13.127 +- bufmax += 256 + (n); \ 13.128 +- buf = (char *) alloca (bufmax); \ 13.129 +- memcpy (buf, old_buf, bufact); \ 13.130 ++ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \ 13.131 ++ buf = realloc (buf, bufmax); \ 13.132 ++ if (__glibc_unlikely (buf == NULL)) \ 13.133 ++ { \ 13.134 ++ free (old_buf); \ 13.135 ++ return -1; \ 13.136 ++ } \ 13.137 + } 13.138 + 13.139 + /* The RUN_NLSPATH variable contains a colon separated list of 13.140 + descriptions where we expect to find catalogs. We have to 13.141 + recognize certain % substitutions and stop when we found the 13.142 + first existing file. */ 13.143 +- char *buf; 13.144 + size_t bufact; 13.145 +- size_t bufmax; 13.146 ++ size_t bufmax = 0; 13.147 + size_t len; 13.148 + 13.149 +- buf = NULL; 13.150 +- bufmax = 0; 13.151 +- 13.152 + fd = -1; 13.153 + while (*run_nlspath != '\0') 13.154 + { 13.155 +@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, 13.156 + 13.157 + /* Avoid dealing with directories and block devices */ 13.158 + if (__builtin_expect (fd, 0) < 0) 13.159 +- return -1; 13.160 ++ { 13.161 ++ free (buf); 13.162 ++ return -1; 13.163 ++ } 13.164 + 13.165 + if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0) 13.166 + goto close_unlock_return; 13.167 +@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, 13.168 + /* Release the lock again. */ 13.169 + close_unlock_return: 13.170 + close_not_cancel_no_status (fd); 13.171 ++ free (buf); 13.172 + 13.173 + return result; 13.174 + } 13.175 +diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c 13.176 +index a0a4089..0886938 100644 13.177 +--- a/catgets/tst-catgets.c 13.178 ++++ b/catgets/tst-catgets.c 13.179 +@@ -1,7 +1,10 @@ 13.180 ++#include <assert.h> 13.181 + #include <mcheck.h> 13.182 + #include <nl_types.h> 13.183 + #include <stdio.h> 13.184 ++#include <stdlib.h> 13.185 + #include <string.h> 13.186 ++#include <sys/resource.h> 13.187 + 13.188 + 13.189 + static const char *msgs[] = 13.190 +@@ -12,6 +15,33 @@ static const char *msgs[] = 13.191 + }; 13.192 + #define nmsgs (sizeof (msgs) / sizeof (msgs[0])) 13.193 + 13.194 ++ 13.195 ++/* Test for unbounded alloca. */ 13.196 ++static int 13.197 ++do_bz17905 (void) 13.198 ++{ 13.199 ++ char *buf; 13.200 ++ struct rlimit rl; 13.201 ++ nl_catd result; 13.202 ++ 13.203 ++ const int sz = 1024 * 1024; 13.204 ++ 13.205 ++ getrlimit (RLIMIT_STACK, &rl); 13.206 ++ rl.rlim_cur = sz; 13.207 ++ setrlimit (RLIMIT_STACK, &rl); 13.208 ++ 13.209 ++ buf = malloc (sz + 1); 13.210 ++ memset (buf, 'A', sz); 13.211 ++ buf[sz] = '\0'; 13.212 ++ setenv ("NLSPATH", buf, 1); 13.213 ++ 13.214 ++ result = catopen (buf, NL_CAT_LOCALE); 13.215 ++ assert (result == (nl_catd) -1); 13.216 ++ 13.217 ++ free (buf); 13.218 ++ return 0; 13.219 ++} 13.220 ++ 13.221 + #define ROUNDS 5 13.222 + 13.223 + static int 13.224 +@@ -62,6 +92,7 @@ do_test (void) 13.225 + } 13.226 + } 13.227 + 13.228 ++ result += do_bz17905 (); 13.229 + return result; 13.230 + } 13.231 + 13.232 +-- 13.233 +2.17.1 13.234 +
14.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 14.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2016-1234.patch Wed Mar 15 11:41:38 2023 +0000 14.3 @@ -0,0 +1,384 @@ 14.4 +Based on: 14.5 + 14.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea 14.7 + 14.8 +From 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea Mon Sep 17 00:00:00 2001 14.9 +From: Florian Weimer <fweimer@redhat.com> 14.10 +Date: Wed, 4 May 2016 12:09:35 +0200 14.11 +Subject: [PATCH] CVE-2016-1234: glob: Do not copy d_name field of struct 14.12 + dirent [BZ #19779] 14.13 + 14.14 +Instead, we store the data we need from the return value of 14.15 +readdir in an object of the new type struct readdir_result. 14.16 +This type is independent of the layout of struct dirent. 14.17 + 14.18 +diff -Naur a/posix/bug-glob2.c b/posix/bug-glob2.c 14.19 +--- a/posix/bug-glob2.c 2017-08-24 19:56:49.025759608 +0530 14.20 ++++ b/posix/bug-glob2.c 2017-08-24 20:04:01.171777373 +0530 14.21 +@@ -40,6 +40,17 @@ 14.22 + # define PRINTF(fmt, args...) 14.23 + #endif 14.24 + 14.25 ++#define LONG_NAME \ 14.26 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ 14.27 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ 14.28 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ 14.29 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ 14.30 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ 14.31 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ 14.32 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ 14.33 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ 14.34 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ 14.35 ++ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" 14.36 + 14.37 + static struct 14.38 + { 14.39 +@@ -58,6 +69,7 @@ 14.40 + { ".", 3, DT_DIR, 0755 }, 14.41 + { "..", 3, DT_DIR, 0755 }, 14.42 + { "a", 3, DT_REG, 0644 }, 14.43 ++ { LONG_NAME, 3, DT_REG, 0644 }, 14.44 + { "unreadable", 2, DT_DIR, 0111 }, 14.45 + { ".", 3, DT_DIR, 0111 }, 14.46 + { "..", 3, DT_DIR, 0755 }, 14.47 +@@ -75,7 +87,7 @@ 14.48 + int level; 14.49 + int idx; 14.50 + struct dirent d; 14.51 +- char room_for_dirent[NAME_MAX]; 14.52 ++ char room_for_dirent[sizeof (LONG_NAME)]; 14.53 + } my_DIR; 14.54 + 14.55 + 14.56 +diff -Naur a/posix/glob.c b/posix/glob.c 14.57 +--- a/posix/glob.c 2017-08-24 19:56:49.025759608 +0530 14.58 ++++ b/posix/glob.c 2017-08-24 20:11:58.123495376 +0530 14.59 +@@ -24,7 +24,9 @@ 14.60 + #include <errno.h> 14.61 + #include <sys/types.h> 14.62 + #include <sys/stat.h> 14.63 ++#include <stdbool.h> 14.64 + #include <stddef.h> 14.65 ++#include <stdint.h> 14.66 + 14.67 + /* Outcomment the following line for production quality code. */ 14.68 + /* #define NDEBUG 1 */ 14.69 +@@ -82,75 +84,8 @@ 14.70 + # define NAMLEN(d) _D_NAMLEN(d) 14.71 + #endif 14.72 + 14.73 +-/* When used in the GNU libc the symbol _DIRENT_HAVE_D_TYPE is available 14.74 +- if the `d_type' member for `struct dirent' is available. 14.75 +- HAVE_STRUCT_DIRENT_D_TYPE plays the same role in GNULIB. */ 14.76 +-#if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE 14.77 +-/* True if the directory entry D must be of type T. */ 14.78 +-# define DIRENT_MUST_BE(d, t) ((d)->d_type == (t)) 14.79 +- 14.80 +-/* True if the directory entry D might be a symbolic link. */ 14.81 +-# define DIRENT_MIGHT_BE_SYMLINK(d) \ 14.82 +- ((d)->d_type == DT_UNKNOWN || (d)->d_type == DT_LNK) 14.83 +- 14.84 +-/* True if the directory entry D might be a directory. */ 14.85 +-# define DIRENT_MIGHT_BE_DIR(d) \ 14.86 +- ((d)->d_type == DT_DIR || DIRENT_MIGHT_BE_SYMLINK (d)) 14.87 +- 14.88 +-#else /* !HAVE_D_TYPE */ 14.89 +-# define DIRENT_MUST_BE(d, t) false 14.90 +-# define DIRENT_MIGHT_BE_SYMLINK(d) true 14.91 +-# define DIRENT_MIGHT_BE_DIR(d) true 14.92 +-#endif /* HAVE_D_TYPE */ 14.93 +- 14.94 +-/* If the system has the `struct dirent64' type we use it internally. */ 14.95 +-#if defined _LIBC && !defined COMPILE_GLOB64 14.96 +-# if defined HAVE_DIRENT_H || defined __GNU_LIBRARY__ 14.97 +-# define CONVERT_D_NAMLEN(d64, d32) 14.98 +-# else 14.99 +-# define CONVERT_D_NAMLEN(d64, d32) \ 14.100 +- (d64)->d_namlen = (d32)->d_namlen; 14.101 +-# endif 14.102 +- 14.103 +-# if (defined POSIX || defined WINDOWS32) && !defined __GNU_LIBRARY__ 14.104 +-# define CONVERT_D_INO(d64, d32) 14.105 +-# else 14.106 +-# define CONVERT_D_INO(d64, d32) \ 14.107 +- (d64)->d_ino = (d32)->d_ino; 14.108 +-# endif 14.109 +- 14.110 +-# ifdef _DIRENT_HAVE_D_TYPE 14.111 +-# define CONVERT_D_TYPE(d64, d32) \ 14.112 +- (d64)->d_type = (d32)->d_type; 14.113 +-# else 14.114 +-# define CONVERT_D_TYPE(d64, d32) 14.115 +-# endif 14.116 +- 14.117 +-# define CONVERT_DIRENT_DIRENT64(d64, d32) \ 14.118 +- memcpy ((d64)->d_name, (d32)->d_name, NAMLEN (d32) + 1); \ 14.119 +- CONVERT_D_NAMLEN (d64, d32) \ 14.120 +- CONVERT_D_INO (d64, d32) \ 14.121 +- CONVERT_D_TYPE (d64, d32) 14.122 +-#endif 14.123 +- 14.124 +- 14.125 +-#if (defined POSIX || defined WINDOWS32) && !defined __GNU_LIBRARY__ 14.126 +-/* Posix does not require that the d_ino field be present, and some 14.127 +- systems do not provide it. */ 14.128 +-# define REAL_DIR_ENTRY(dp) 1 14.129 +-#else 14.130 +-# define REAL_DIR_ENTRY(dp) (dp->d_ino != 0) 14.131 +-#endif /* POSIX */ 14.132 +- 14.133 + #include <stdlib.h> 14.134 + #include <string.h> 14.135 +- 14.136 +-/* NAME_MAX is usually defined in <dirent.h> or <limits.h>. */ 14.137 +-#include <limits.h> 14.138 +-#ifndef NAME_MAX 14.139 +-# define NAME_MAX (sizeof (((struct dirent *) 0)->d_name)) 14.140 +-#endif 14.141 +- 14.142 + #include <alloca.h> 14.143 + 14.144 + #ifdef _LIBC 14.145 +@@ -195,8 +130,111 @@ 14.146 + 14.147 + static const char *next_brace_sub (const char *begin, int flags) __THROWNL; 14.148 + 14.149 ++/* A representation of a directory entry which does not depend on the 14.150 ++ layout of struct dirent, or the size of ino_t. */ 14.151 ++struct readdir_result 14.152 ++{ 14.153 ++ const char *name; 14.154 ++# if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE 14.155 ++ uint8_t type; 14.156 ++# endif 14.157 ++ bool skip_entry; 14.158 ++}; 14.159 ++ 14.160 ++# if defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE 14.161 ++/* Initializer based on the d_type member of struct dirent. */ 14.162 ++# define D_TYPE_TO_RESULT(source) (source)->d_type, 14.163 ++ 14.164 ++/* True if the directory entry D might be a symbolic link. */ 14.165 ++static bool 14.166 ++readdir_result_might_be_symlink (struct readdir_result d) 14.167 ++{ 14.168 ++ return d.type == DT_UNKNOWN || d.type == DT_LNK; 14.169 ++} 14.170 ++ 14.171 ++/* True if the directory entry D might be a directory. */ 14.172 ++static bool 14.173 ++readdir_result_might_be_dir (struct readdir_result d) 14.174 ++{ 14.175 ++ return d.type == DT_DIR || readdir_result_might_be_symlink (d); 14.176 ++} 14.177 ++# else /* defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE */ 14.178 ++# define D_TYPE_TO_RESULT(source) 14.179 ++ 14.180 ++/* If we do not have type information, symbolic links and directories 14.181 ++ are always a possibility. */ 14.182 ++ 14.183 ++static bool 14.184 ++readdir_result_might_be_symlink (struct readdir_result d) 14.185 ++{ 14.186 ++ return true; 14.187 ++} 14.188 ++ 14.189 ++static bool 14.190 ++readdir_result_might_be_dir (struct readdir_result d) 14.191 ++{ 14.192 ++ return true; 14.193 ++} 14.194 ++ 14.195 ++# endif /* defined _DIRENT_HAVE_D_TYPE || defined HAVE_STRUCT_DIRENT_D_TYPE */ 14.196 ++ 14.197 ++# if (defined POSIX || defined WINDOWS32) && !defined __GNU_LIBRARY__ 14.198 ++/* Initializer for skip_entry. POSIX does not require that the d_ino 14.199 ++ field be present, and some systems do not provide it. */ 14.200 ++# define D_INO_TO_RESULT(source) false, 14.201 ++# else 14.202 ++# define D_INO_TO_RESULT(source) (source)->d_ino == 0, 14.203 ++# endif 14.204 ++ 14.205 ++/* Construct an initializer for a struct readdir_result object from a 14.206 ++ struct dirent *. No copy of the name is made. */ 14.207 ++#define READDIR_RESULT_INITIALIZER(source) \ 14.208 ++ { \ 14.209 ++ source->d_name, \ 14.210 ++ D_TYPE_TO_RESULT (source) \ 14.211 ++ D_INO_TO_RESULT (source) \ 14.212 ++ } 14.213 ++ 14.214 + #endif /* !defined _LIBC || !defined GLOB_ONLY_P */ 14.215 + 14.216 ++/* Call gl_readdir on STREAM. This macro can be overridden to reduce 14.217 ++ type safety if an old interface version needs to be supported. */ 14.218 ++#ifndef GL_READDIR 14.219 ++# define GL_READDIR(pglob, stream) ((pglob)->gl_readdir (stream)) 14.220 ++#endif 14.221 ++ 14.222 ++/* Extract name and type from directory entry. No copy of the name is 14.223 ++ made. If SOURCE is NULL, result name is NULL. Keep in sync with 14.224 ++ convert_dirent64 below. */ 14.225 ++static struct readdir_result 14.226 ++convert_dirent (const struct dirent *source) 14.227 ++{ 14.228 ++ if (source == NULL) 14.229 ++ { 14.230 ++ struct readdir_result result = { NULL, }; 14.231 ++ return result; 14.232 ++ } 14.233 ++ struct readdir_result result = READDIR_RESULT_INITIALIZER (source); 14.234 ++ return result; 14.235 ++} 14.236 ++ 14.237 ++#ifndef COMPILE_GLOB64 14.238 ++/* Like convert_dirent, but works on struct dirent64 instead. Keep in 14.239 ++ sync with convert_dirent above. */ 14.240 ++static struct readdir_result 14.241 ++convert_dirent64 (const struct dirent64 *source) 14.242 ++{ 14.243 ++ if (source == NULL) 14.244 ++ { 14.245 ++ struct readdir_result result = { NULL, }; 14.246 ++ return result; 14.247 ++ } 14.248 ++ struct readdir_result result = READDIR_RESULT_INITIALIZER (source); 14.249 ++ return result; 14.250 ++} 14.251 ++#endif 14.252 ++ 14.253 ++ 14.254 + #ifndef attribute_hidden 14.255 + # define attribute_hidden 14.256 + #endif 14.257 +@@ -1561,56 +1599,36 @@ 14.258 + 14.259 + while (1) 14.260 + { 14.261 +- const char *name; 14.262 +- size_t len; 14.263 +-#if defined _LIBC && !defined COMPILE_GLOB64 14.264 +- struct dirent64 *d; 14.265 +- union 14.266 +- { 14.267 +- struct dirent64 d64; 14.268 +- char room [offsetof (struct dirent64, d_name[0]) 14.269 +- + NAME_MAX + 1]; 14.270 +- } 14.271 +- d64buf; 14.272 +- 14.273 +- if (__glibc_unlikely (flags & GLOB_ALTDIRFUNC)) 14.274 +- { 14.275 +- struct dirent *d32 = (*pglob->gl_readdir) (stream); 14.276 +- if (d32 != NULL) 14.277 +- { 14.278 +- CONVERT_DIRENT_DIRENT64 (&d64buf.d64, d32); 14.279 +- d = &d64buf.d64; 14.280 +- } 14.281 +- else 14.282 +- d = NULL; 14.283 +- } 14.284 +- else 14.285 +- d = __readdir64 (stream); 14.286 ++ struct readdir_result d; 14.287 ++ { 14.288 ++ if (__builtin_expect (flags & GLOB_ALTDIRFUNC, 0)) 14.289 ++ d = convert_dirent (GL_READDIR (pglob, stream)); 14.290 ++ else 14.291 ++ { 14.292 ++#ifdef COMPILE_GLOB64 14.293 ++ d = convert_dirent (__readdir (stream)); 14.294 + #else 14.295 +- struct dirent *d = (__builtin_expect (flags & GLOB_ALTDIRFUNC, 0) 14.296 +- ? ((struct dirent *) 14.297 +- (*pglob->gl_readdir) (stream)) 14.298 +- : __readdir (stream)); 14.299 ++ d = convert_dirent64 (__readdir64 (stream)); 14.300 + #endif 14.301 +- if (d == NULL) 14.302 ++ } 14.303 ++ } 14.304 ++ if (d.name == NULL) 14.305 + break; 14.306 +- if (! REAL_DIR_ENTRY (d)) 14.307 ++ if (d.skip_entry) 14.308 + continue; 14.309 + 14.310 + /* If we shall match only directories use the information 14.311 + provided by the dirent call if possible. */ 14.312 +- if ((flags & GLOB_ONLYDIR) && !DIRENT_MIGHT_BE_DIR (d)) 14.313 ++ if ((flags & GLOB_ONLYDIR) && !readdir_result_might_be_dir (d)) 14.314 + continue; 14.315 + 14.316 +- name = d->d_name; 14.317 +- 14.318 +- if (fnmatch (pattern, name, fnm_flags) == 0) 14.319 ++ if (fnmatch (pattern, d.name, fnm_flags) == 0) 14.320 + { 14.321 + /* If the file we found is a symlink we have to 14.322 + make sure the target file exists. */ 14.323 +- if (!DIRENT_MIGHT_BE_SYMLINK (d) 14.324 +- || link_exists_p (dfd, directory, dirlen, name, pglob, 14.325 +- flags)) 14.326 ++ if (!readdir_result_might_be_symlink (d) 14.327 ++ || link_exists_p (dfd, directory, dirlen, d.name, 14.328 ++ pglob, flags)) 14.329 + { 14.330 + if (cur == names->count) 14.331 + { 14.332 +@@ -1630,12 +1648,10 @@ 14.333 + names = newnames; 14.334 + cur = 0; 14.335 + } 14.336 +- len = NAMLEN (d); 14.337 +- names->name[cur] = (char *) malloc (len + 1); 14.338 ++ names->name[cur] = strdup (d.name); 14.339 + if (names->name[cur] == NULL) 14.340 + goto memory_error; 14.341 +- *((char *) mempcpy (names->name[cur++], name, len)) 14.342 +- = '\0'; 14.343 ++ ++cur; 14.344 + ++nfound; 14.345 + } 14.346 + } 14.347 +diff -Naur a/sysdeps/unix/sysv/linux/i386/glob64.c b/sysdeps/unix/sysv/linux/i386/glob64.c 14.348 +--- a/sysdeps/unix/sysv/linux/i386/glob64.c 2017-08-24 19:56:49.193740138 +0530 14.349 ++++ b/sysdeps/unix/sysv/linux/i386/glob64.c 2017-08-24 20:04:01.175781134 +0530 14.350 +@@ -1,3 +1,21 @@ 14.351 ++/* Two glob variants with 64-bit support, for dirent64 and __olddirent64. 14.352 ++ Copyright (C) 1998-2016 Free Software Foundation, Inc. 14.353 ++ This file is part of the GNU C Library. 14.354 ++ 14.355 ++ The GNU C Library is free software; you can redistribute it and/or 14.356 ++ modify it under the terms of the GNU Lesser General Public 14.357 ++ License as published by the Free Software Foundation; either 14.358 ++ version 2.1 of the License, or (at your option) any later version. 14.359 ++ 14.360 ++ The GNU C Library is distributed in the hope that it will be useful, 14.361 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 14.362 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14.363 ++ Lesser General Public License for more details. 14.364 ++ 14.365 ++ You should have received a copy of the GNU Lesser General Public 14.366 ++ License along with the GNU C Library; if not, see 14.367 ++ <http://www.gnu.org/licenses/>. */ 14.368 ++ 14.369 + #include <dirent.h> 14.370 + #include <glob.h> 14.371 + #include <sys/stat.h> 14.372 +@@ -38,11 +56,15 @@ 14.373 + 14.374 + #undef dirent 14.375 + #define dirent __old_dirent64 14.376 ++#undef GL_READDIR 14.377 ++# define GL_READDIR(pglob, stream) \ 14.378 ++ ((struct __old_dirent64 *) (pglob)->gl_readdir (stream)) 14.379 + #undef __readdir 14.380 + #define __readdir(dirp) __old_readdir64 (dirp) 14.381 + #undef glob 14.382 + #define glob(pattern, flags, errfunc, pglob) \ 14.383 + __old_glob64 (pattern, flags, errfunc, pglob) 14.384 ++#define convert_dirent __old_convert_dirent 14.385 + #define glob_in_dir __old_glob_in_dir 14.386 + #define GLOB_ATTRIBUTE attribute_compat_text_section 14.387 +
15.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 15.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2016-3075.patch Wed Mar 15 11:41:38 2023 +0000 15.3 @@ -0,0 +1,35 @@ 15.4 +From 317b199b4aff8cfa27f2302ab404d2bb5032b9a4 Mon Sep 17 00:00:00 2001 15.5 +From: Florian Weimer <fweimer@redhat.com> 15.6 +Date: Tue, 29 Mar 2016 12:57:56 +0200 15.7 +Subject: [PATCH] CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ 15.8 + #19879] 15.9 + 15.10 +The defensive copy is not needed because the name may not alias the 15.11 +output buffer. 15.12 + 15.13 +diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c 15.14 +index 2eb2f67..8f301a7 100644 15.15 +--- a/resolv/nss_dns/dns-network.c 15.16 ++++ b/resolv/nss_dns/dns-network.c 15.17 +@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result, 15.18 + } net_buffer; 15.19 + querybuf *orig_net_buffer; 15.20 + int anslen; 15.21 +- char *qbuf; 15.22 + enum nss_status status; 15.23 + 15.24 + if (__res_maybe_init (&_res, 0) == -1) 15.25 + return NSS_STATUS_UNAVAIL; 15.26 + 15.27 +- qbuf = strdupa (name); 15.28 +- 15.29 + net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); 15.30 + 15.31 +- anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, 15.32 ++ anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, 15.33 + 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL); 15.34 + if (anslen < 0) 15.35 + { 15.36 +-- 15.37 +2.9.3 15.38 +
16.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 16.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2016-3706.patch Wed Mar 15 11:41:38 2023 +0000 16.3 @@ -0,0 +1,182 @@ 16.4 +From 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9 Mon Sep 17 00:00:00 2001 16.5 +From: Florian Weimer <fweimer@redhat.com> 16.6 +Date: Fri, 29 Apr 2016 10:35:34 +0200 16.7 +Subject: [PATCH] CVE-2016-3706: getaddrinfo: stack overflow in hostent 16.8 + conversion [BZ #20010] 16.9 + 16.10 +When converting a struct hostent response to struct gaih_addrtuple, the 16.11 +gethosts macro (which is called from gaih_inet) used alloca, without 16.12 +malloc fallback for large responses. This commit changes this code to 16.13 +use calloc unconditionally. 16.14 + 16.15 +This commit also consolidated a second hostent-to-gaih_addrtuple 16.16 +conversion loop (in gaih_inet) to use the new conversion function. 16.17 + 16.18 +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c 16.19 +index 1ef3f20..fed2d3b 100644 16.20 +--- a/sysdeps/posix/getaddrinfo.c 16.21 ++++ b/sysdeps/posix/getaddrinfo.c 16.22 +@@ -168,9 +168,58 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, 16.23 + return 0; 16.24 + } 16.25 + 16.26 ++/* Convert struct hostent to a list of struct gaih_addrtuple objects. 16.27 ++ h_name is not copied, and the struct hostent object must not be 16.28 ++ deallocated prematurely. *RESULT must be NULL or a pointer to an 16.29 ++ object allocated using malloc, which is freed. */ 16.30 ++static bool 16.31 ++convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, 16.32 ++ int family, 16.33 ++ struct hostent *h, 16.34 ++ struct gaih_addrtuple **result) 16.35 ++{ 16.36 ++ free (*result); 16.37 ++ *result = NULL; 16.38 ++ 16.39 ++ /* Count the number of addresses in h->h_addr_list. */ 16.40 ++ size_t count = 0; 16.41 ++ for (char **p = h->h_addr_list; *p != NULL; ++p) 16.42 ++ ++count; 16.43 ++ 16.44 ++ /* Report no data if no addresses are available, or if the incoming 16.45 ++ address size is larger than what we can store. */ 16.46 ++ if (count == 0 || h->h_length > sizeof (((struct gaih_addrtuple) {}).addr)) 16.47 ++ return true; 16.48 ++ 16.49 ++ struct gaih_addrtuple *array = calloc (count, sizeof (*array)); 16.50 ++ if (array == NULL) 16.51 ++ return false; 16.52 ++ 16.53 ++ for (size_t i = 0; i < count; ++i) 16.54 ++ { 16.55 ++ if (family == AF_INET && req->ai_family == AF_INET6) 16.56 ++ { 16.57 ++ /* Perform address mapping. */ 16.58 ++ array[i].family = AF_INET6; 16.59 ++ memcpy(array[i].addr + 3, h->h_addr_list[i], sizeof (uint32_t)); 16.60 ++ array[i].addr[2] = htonl (0xffff); 16.61 ++ } 16.62 ++ else 16.63 ++ { 16.64 ++ array[i].family = family; 16.65 ++ memcpy (array[i].addr, h->h_addr_list[i], h->h_length); 16.66 ++ } 16.67 ++ array[i].next = array + i + 1; 16.68 ++ } 16.69 ++ array[0].name = h->h_name; 16.70 ++ array[count - 1].next = NULL; 16.71 ++ 16.72 ++ *result = array; 16.73 ++ return true; 16.74 ++} 16.75 ++ 16.76 + #define gethosts(_family, _type) \ 16.77 + { \ 16.78 +- int i; \ 16.79 + int herrno; \ 16.80 + struct hostent th; \ 16.81 + struct hostent *h; \ 16.82 +@@ -219,36 +268,23 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, 16.83 + } \ 16.84 + else if (h != NULL) \ 16.85 + { \ 16.86 +- for (i = 0; h->h_addr_list[i]; i++) \ 16.87 ++ /* Make sure that addrmem can be freed. */ \ 16.88 ++ if (!malloc_addrmem) \ 16.89 ++ addrmem = NULL; \ 16.90 ++ if (!convert_hostent_to_gaih_addrtuple (req, _family,h, &addrmem)) \ 16.91 + { \ 16.92 +- if (*pat == NULL) \ 16.93 +- { \ 16.94 +- *pat = __alloca (sizeof (struct gaih_addrtuple)); \ 16.95 +- (*pat)->scopeid = 0; \ 16.96 +- } \ 16.97 +- uint32_t *addr = (*pat)->addr; \ 16.98 +- (*pat)->next = NULL; \ 16.99 +- (*pat)->name = i == 0 ? strdupa (h->h_name) : NULL; \ 16.100 +- if (_family == AF_INET && req->ai_family == AF_INET6) \ 16.101 +- { \ 16.102 +- (*pat)->family = AF_INET6; \ 16.103 +- addr[3] = *(uint32_t *) h->h_addr_list[i]; \ 16.104 +- addr[2] = htonl (0xffff); \ 16.105 +- addr[1] = 0; \ 16.106 +- addr[0] = 0; \ 16.107 +- } \ 16.108 +- else \ 16.109 +- { \ 16.110 +- (*pat)->family = _family; \ 16.111 +- memcpy (addr, h->h_addr_list[i], sizeof(_type)); \ 16.112 +- } \ 16.113 +- pat = &((*pat)->next); \ 16.114 ++ _res.options |= old_res_options & RES_USE_INET6; \ 16.115 ++ result = -EAI_SYSTEM; \ 16.116 ++ goto free_and_return; \ 16.117 + } \ 16.118 ++ *pat = addrmem; \ 16.119 ++ /* The conversion uses malloc unconditionally. */ \ 16.120 ++ malloc_addrmem = true; \ 16.121 + \ 16.122 + if (localcanon != NULL && canon == NULL) \ 16.123 + canon = strdupa (localcanon); \ 16.124 + \ 16.125 +- if (_family == AF_INET6 && i > 0) \ 16.126 ++ if (_family == AF_INET6 && *pat != NULL) \ 16.127 + got_ipv6 = true; \ 16.128 + } \ 16.129 + } 16.130 +@@ -612,44 +648,16 @@ gaih_inet (const char *name, const struct gaih_service *service, 16.131 + { 16.132 + if (h != NULL) 16.133 + { 16.134 +- int i; 16.135 +- /* We found data, count the number of addresses. */ 16.136 +- for (i = 0; h->h_addr_list[i]; ++i) 16.137 +- ; 16.138 +- if (i > 0 && *pat != NULL) 16.139 +- --i; 16.140 +- 16.141 +- if (__libc_use_alloca (alloca_used 16.142 +- + i * sizeof (struct gaih_addrtuple))) 16.143 +- addrmem = alloca_account (i * sizeof (struct gaih_addrtuple), 16.144 +- alloca_used); 16.145 +- else 16.146 +- { 16.147 +- addrmem = malloc (i 16.148 +- * sizeof (struct gaih_addrtuple)); 16.149 +- if (addrmem == NULL) 16.150 +- { 16.151 +- result = -EAI_MEMORY; 16.152 +- goto free_and_return; 16.153 +- } 16.154 +- malloc_addrmem = true; 16.155 +- } 16.156 +- 16.157 +- /* Now convert it into the list. */ 16.158 +- struct gaih_addrtuple *addrfree = addrmem; 16.159 +- for (i = 0; h->h_addr_list[i]; ++i) 16.160 ++ /* We found data, convert it. */ 16.161 ++ if (!convert_hostent_to_gaih_addrtuple 16.162 ++ (req, AF_INET, h, &addrmem)) 16.163 + { 16.164 +- if (*pat == NULL) 16.165 +- { 16.166 +- *pat = addrfree++; 16.167 +- (*pat)->scopeid = 0; 16.168 +- } 16.169 +- (*pat)->next = NULL; 16.170 +- (*pat)->family = AF_INET; 16.171 +- memcpy ((*pat)->addr, h->h_addr_list[i], 16.172 +- h->h_length); 16.173 +- pat = &((*pat)->next); 16.174 ++ result = -EAI_MEMORY; 16.175 ++ goto free_and_return; 16.176 + } 16.177 ++ *pat = addrmem; 16.178 ++ /* The conversion uses malloc unconditionally. */ 16.179 ++ malloc_addrmem = true; 16.180 + } 16.181 + } 16.182 + else 16.183 +-- 16.184 +2.9.3 16.185 +
17.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 17.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2016-4429.patch Wed Mar 15 11:41:38 2023 +0000 17.3 @@ -0,0 +1,51 @@ 17.4 +Based on: 17.5 + 17.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=bc779a1a5b3035133024b21e2f339fe4219fb11c 17.7 + 17.8 +From bc779a1a5b3035133024b21e2f339fe4219fb11c Mon Sep 17 00:00:00 2001 17.9 +From: Florian Weimer <fweimer@redhat.com> 17.10 +Date: Mon, 23 May 2016 20:18:34 +0200 17.11 +Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ 17.12 + #20112] 17.13 + 17.14 +The call is technically in a loop, and under certain circumstances 17.15 +(which are quite difficult to reproduce in a test case), alloca 17.16 +can be invoked repeatedly during a single call to clntudp_call. 17.17 +As a result, the available stack space can be exhausted (even 17.18 +though individual alloca sizes are bounded implicitly by what 17.19 +can fit into a UDP packet, as a side effect of the earlier 17.20 +successful send operation). 17.21 + 17.22 +diff -Naur a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c 17.23 +--- a/sunrpc/clnt_udp.c 2017-08-24 20:21:20.731588445 +0530 17.24 ++++ b/sunrpc/clnt_udp.c 2017-08-24 20:20:30.188928541 +0530 17.25 +@@ -420,9 +420,15 @@ 17.26 + struct sock_extended_err *e; 17.27 + struct sockaddr_in err_addr; 17.28 + struct iovec iov; 17.29 +- char *cbuf = (char *) alloca (outlen + 256); 17.30 ++ char *cbuf = malloc (outlen + 256); 17.31 + int ret; 17.32 + 17.33 ++ if (cbuf == NULL) 17.34 ++ { 17.35 ++ cu->cu_error.re_errno = errno; 17.36 ++ return (cu->cu_error.re_status = RPC_CANTRECV); 17.37 ++ } 17.38 ++ 17.39 + iov.iov_base = cbuf + 256; 17.40 + iov.iov_len = outlen; 17.41 + msg.msg_name = (void *) &err_addr; 17.42 +@@ -447,10 +453,12 @@ 17.43 + cmsg = CMSG_NXTHDR (&msg, cmsg)) 17.44 + if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) 17.45 + { 17.46 ++ free (cbuf); 17.47 + e = (struct sock_extended_err *) CMSG_DATA(cmsg); 17.48 + cu->cu_error.re_errno = e->ee_errno; 17.49 + return (cu->cu_error.re_status = RPC_CANTRECV); 17.50 + } 17.51 ++ free (cbuf); 17.52 + } 17.53 + #endif 17.54 + do
18.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 18.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2016-5417.patch Wed Mar 15 11:41:38 2023 +0000 18.3 @@ -0,0 +1,19 @@ 18.4 +Based on 18.5 + 18.6 +From 5e7fdabd7df1fc6c56d104e61390bf5a6b526c38 Mon Sep 17 00:00:00 2001 18.7 +From: Andreas Schwab <schwab@suse.de> 18.8 +Date: Wed, 18 Nov 2015 15:45:59 +0100 18.9 +Subject: [PATCH] Fix resource leak in resolver (bug 19257) 18.10 + 18.11 +diff -Naur a/resolv/res_init.c b/resolv/res_init.c 18.12 +--- a/resolv/res_init.c 2017-12-15 12:47:48.763854624 +0530 18.13 ++++ b/resolv/res_init.c 2017-12-15 12:48:54.047853203 +0530 18.14 +@@ -593,7 +593,7 @@ 18.15 + statp->_vcsock = -1; 18.16 + statp->_flags &= ~(RES_F_VC | RES_F_CONN); 18.17 + } 18.18 +- for (ns = 0; ns < statp->_u._ext.nscount; ns++) 18.19 ++ for (ns = 0; ns < statp->nscount; ns++) 18.20 + if (statp->_u._ext.nsaddrs[ns]) { 18.21 + if (statp->_u._ext.nssocks[ns] != -1) { 18.22 + close_not_cancel_no_status(statp->_u._ext.nssocks[ns]);
19.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 19.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2016-6323.patch Wed Mar 15 11:41:38 2023 +0000 19.3 @@ -0,0 +1,30 @@ 19.4 +Based on 19.5 + 19.6 +From 9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617 Mon Sep 17 00:00:00 2001 19.7 +From: Andreas Schwab <schwab@suse.de> 19.8 +Date: Mon, 8 Aug 2016 09:29:18 +0200 19.9 +Subject: [PATCH] arm: mark __startcontext as .cantunwind (bug 20435) 19.10 + 19.11 +diff -Naur a/sysdeps/unix/sysv/linux/arm/setcontext.S b/sysdeps/unix/sysv/linux/arm/setcontext.S 19.12 +--- a/sysdeps/unix/sysv/linux/arm/setcontext.S 2017-12-18 12:08:38.222265391 +0530 19.13 ++++ b/sysdeps/unix/sysv/linux/arm/setcontext.S 2017-12-18 12:09:15.202264587 +0530 19.14 +@@ -86,12 +86,19 @@ 19.15 + 19.16 + /* Called when a makecontext() context returns. Start the 19.17 + context in R4 or fall through to exit(). */ 19.18 ++ /* Unwind descriptors are looked up based on PC - 2, so we have to 19.19 ++ make sure to mark the instruction preceding the __startcontext 19.20 ++ label as .cantunwind. */ 19.21 ++ .fnstart 19.22 ++ .cantunwind 19.23 ++ nop 19.24 + ENTRY(__startcontext) 19.25 + movs r0, r4 19.26 + bne PLTJMP(__setcontext) 19.27 + 19.28 + @ New context was 0 - exit 19.29 + b PLTJMP(HIDDEN_JUMPTARGET(exit)) 19.30 ++ .fnend 19.31 + END(__startcontext) 19.32 + 19.33 + #ifdef PIC
20.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 20.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2017-1000366.patch Wed Mar 15 11:41:38 2023 +0000 20.3 @@ -0,0 +1,37 @@ 20.4 +Based on: 20.5 +https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2017-1000366 20.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=efa26d9c13a6fabd34a05139e1d8b2e441b2fae9 20.7 + 20.8 +From efa26d9c13a6fabd34a05139e1d8b2e441b2fae9 Mon Sep 17 00:00:00 2001 20.9 +From: Florian Weimer <fweimer@redhat.com> 20.10 +Date: Mon, 19 Jun 2017 18:34:53 +0200 20.11 +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 20.12 + programs [BZ #21624] 20.13 + 20.14 +LD_LIBRARY_PATH can only be used to reorder system search paths, which 20.15 +is not useful functionality. 20.16 + 20.17 +This makes an exploitable unbounded alloca in _dl_init_paths unreachable 20.18 +for AT_SECURE=1 programs. 20.19 + 20.20 +--- 20.21 + elf/rtld.c | 3 ++- 20.22 + 1 file changed, 2 insertions(+), 1 deletion(-) 20.23 + 20.24 +diff --git a/elf/rtld.c b/elf/rtld.c 20.25 +index 69873c2..5043046 100644 20.26 +--- a/elf/rtld.c 20.27 ++++ b/elf/rtld.c 20.28 +@@ -2441,7 +2441,8 @@ process_envvars (enum mode *modep) 20.29 + 20.30 + case 12: 20.31 + /* The library search path. */ 20.32 +- if (memcmp (envline, "LIBRARY_PATH", 12) == 0) 20.33 ++ if (!__libc_enable_secure 20.34 ++ && memcmp (envline, "LIBRARY_PATH", 12) == 0) 20.35 + { 20.36 + library_path = &envline[13]; 20.37 + break; 20.38 +-- 20.39 +2.17.1 20.40 +
21.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 21.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2017-12133.patch Wed Mar 15 11:41:38 2023 +0000 21.3 @@ -0,0 +1,133 @@ 21.4 +Based on: 21.5 +https://sourceware.org/bugzilla/show_bug.cgi?id=21115 21.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=d42eed4a044e5e10dfb885cf9891c2518a72a491 21.7 + 21.8 +From d42eed4a044e5e10dfb885cf9891c2518a72a491 Mon Sep 17 00:00:00 2001 21.9 +From: Florian Weimer <fweimer@redhat.com> 21.10 +Date: Mon, 27 Feb 2017 19:05:13 +0100 21.11 +Subject: [PATCH] sunrpc: Avoid use-after-free read access in clntudp_call [BZ 21.12 + #21115] 21.13 + 21.14 +After commit bc779a1a5b3035133024b21e2f339fe4219fb11c 21.15 +(CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call 21.16 +[BZ #20112]), ancillary data is stored on the heap, 21.17 +but it is accessed after it has been freed. 21.18 + 21.19 +The test case must be run under a heap debugger such as valgrind 21.20 +to observe the invalid access. A malloc implementation which 21.21 +immediately calls munmap on free would catch this bug as well. 21.22 + 21.23 +--- 21.24 + sunrpc/Makefile | 3 +- 21.25 + sunrpc/clnt_udp.c | 2 +- 21.26 + sunrpc/tst-udp-error.c | 62 ++++++++++++++++++++++++++++++++++++++++++ 21.27 + 3 files changed, 65 insertions(+), 2 deletions(-) 21.28 + create mode 100644 sunrpc/tst-udp-error.c 21.29 + 21.30 +diff --git a/sunrpc/Makefile b/sunrpc/Makefile 21.31 +index 60caa0a..4f74f27 100644 21.32 +--- a/sunrpc/Makefile 21.33 ++++ b/sunrpc/Makefile 21.34 +@@ -96,7 +96,7 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \ 21.35 + extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs)) 21.36 + others += rpcgen 21.37 + 21.38 +-tests = tst-xdrmem tst-xdrmem2 test-rpcent 21.39 ++tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error 21.40 + xtests := tst-getmyaddr 21.41 + 21.42 + ifeq ($(have-thread-library),yes) 21.43 +@@ -153,6 +153,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS) 21.44 + $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so 21.45 + $(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so 21.46 + $(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so 21.47 ++$(objpfx)tst-udp-error: $(common-objpfx)linkobj/libc.so 21.48 + 21.49 + $(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs)) 21.50 + 21.51 +diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c 21.52 +index c818caf..30613e3 100644 21.53 +--- a/sunrpc/clnt_udp.c 21.54 ++++ b/sunrpc/clnt_udp.c 21.55 +@@ -453,9 +453,9 @@ send_again: 21.56 + cmsg = CMSG_NXTHDR (&msg, cmsg)) 21.57 + if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) 21.58 + { 21.59 +- free (cbuf); 21.60 + e = (struct sock_extended_err *) CMSG_DATA(cmsg); 21.61 + cu->cu_error.re_errno = e->ee_errno; 21.62 ++ free (cbuf); 21.63 + return (cu->cu_error.re_status = RPC_CANTRECV); 21.64 + } 21.65 + free (cbuf); 21.66 +diff --git a/sunrpc/tst-udp-error.c b/sunrpc/tst-udp-error.c 21.67 +new file mode 100644 21.68 +index 0000000..1efc02f 21.69 +--- /dev/null 21.70 ++++ b/sunrpc/tst-udp-error.c 21.71 +@@ -0,0 +1,62 @@ 21.72 ++/* Check for use-after-free in clntudp_call (bug 21115). 21.73 ++ Copyright (C) 2017 Free Software Foundation, Inc. 21.74 ++ This file is part of the GNU C Library. 21.75 ++ 21.76 ++ The GNU C Library is free software; you can redistribute it and/or 21.77 ++ modify it under the terms of the GNU Lesser General Public 21.78 ++ License as published by the Free Software Foundation; either 21.79 ++ version 2.1 of the License, or (at your option) any later version. 21.80 ++ 21.81 ++ The GNU C Library is distributed in the hope that it will be useful, 21.82 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 21.83 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 21.84 ++ Lesser General Public License for more details. 21.85 ++ 21.86 ++ You should have received a copy of the GNU Lesser General Public 21.87 ++ License along with the GNU C Library; if not, see 21.88 ++ <http://www.gnu.org/licenses/>. */ 21.89 ++ 21.90 ++#include <netinet/in.h> 21.91 ++#include <rpc/clnt.h> 21.92 ++#include <rpc/svc.h> 21.93 ++#include <support/check.h> 21.94 ++#include <support/namespace.h> 21.95 ++#include <support/xsocket.h> 21.96 ++#include <unistd.h> 21.97 ++ 21.98 ++static int 21.99 ++do_test (void) 21.100 ++{ 21.101 ++ support_become_root (); 21.102 ++ support_enter_network_namespace (); 21.103 ++ 21.104 ++ /* Obtain a likely-unused port number. */ 21.105 ++ struct sockaddr_in sin = 21.106 ++ { 21.107 ++ .sin_family = AF_INET, 21.108 ++ .sin_addr.s_addr = htonl (INADDR_LOOPBACK), 21.109 ++ }; 21.110 ++ { 21.111 ++ int fd = xsocket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); 21.112 ++ xbind (fd, (struct sockaddr *) &sin, sizeof (sin)); 21.113 ++ socklen_t sinlen = sizeof (sin); 21.114 ++ xgetsockname (fd, (struct sockaddr *) &sin, &sinlen); 21.115 ++ /* Close the socket, so that we will receive an error below. */ 21.116 ++ close (fd); 21.117 ++ } 21.118 ++ 21.119 ++ int sock = RPC_ANYSOCK; 21.120 ++ CLIENT *clnt = clntudp_create 21.121 ++ (&sin, 1, 2, (struct timeval) { 1, 0 }, &sock); 21.122 ++ TEST_VERIFY_EXIT (clnt != NULL); 21.123 ++ TEST_VERIFY (clnt_call (clnt, 3, 21.124 ++ (xdrproc_t) xdr_void, NULL, 21.125 ++ (xdrproc_t) xdr_void, NULL, 21.126 ++ ((struct timeval) { 3, 0 })) 21.127 ++ == RPC_CANTRECV); 21.128 ++ clnt_destroy (clnt); 21.129 ++ 21.130 ++ return 0; 21.131 ++} 21.132 ++ 21.133 ++#include <support/test-driver.c> 21.134 +-- 21.135 +2.17.1 21.136 +
22.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 22.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2017-15670.patch Wed Mar 15 11:41:38 2023 +0000 22.3 @@ -0,0 +1,19 @@ 22.4 +Based on: 22.5 + 22.6 +From c369d66e5426a30e4725b100d5cd28e372754f90 Mon Sep 17 00:00:00 2001 22.7 +From: Paul Eggert <eggert@cs.ucla.edu> 22.8 +Date: Fri, 20 Oct 2017 18:41:14 +0200 22.9 +Subject: [PATCH] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320] 22.10 + 22.11 +diff -Naur a/posix/glob.c b/posix/glob.c 22.12 +--- a/posix/glob.c 2017-11-02 15:37:04.841879958 +0530 22.13 ++++ b/posix/glob.c 2017-11-02 15:37:28.866595784 +0530 22.14 +@@ -868,7 +868,7 @@ 22.15 + *p = '\0'; 22.16 + } 22.17 + else 22.18 +- *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) 22.19 ++ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) 22.20 + = '\0'; 22.21 + user_name = newp; 22.22 + }
23.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 23.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2017-15671.patch Wed Mar 15 11:41:38 2023 +0000 23.3 @@ -0,0 +1,198 @@ 23.4 +Based on: 23.5 +https://sourceware.org/bugzilla/show_bug.cgi?id=22325 23.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=e80fc1fc98bf614eb01cf8325503df3a1451a99c 23.7 + 23.8 +From e80fc1fc98bf614eb01cf8325503df3a1451a99c Mon Sep 17 00:00:00 2001 23.9 +From: Florian Weimer <fweimer@redhat.com> 23.10 +Date: Sat, 21 Oct 2017 18:03:30 +0200 23.11 +Subject: [PATCH] glob: Add new test tst-glob-tilde 23.12 + 23.13 +The new test checks for memory leaks (see bug 22325) and attempts 23.14 +to trigger the buffer overflow in bug 22320 23.15 +--- 23.16 + posix/Makefile | 11 +++- 23.17 + posix/tst-glob-tilde.c | 136 +++++++++++++++++++++++++++++++++++++++++ 23.18 + 2 files changed, 145 insertions(+), 2 deletions(-) 23.19 + create mode 100644 posix/tst-glob-tilde.c 23.20 + 23.21 +diff --git a/posix/Makefile b/posix/Makefile 23.22 +index 15e8818..de18693 100644 23.23 +--- a/posix/Makefile 23.24 ++++ b/posix/Makefile 23.25 +@@ -87,7 +87,7 @@ tests := tstgetopt testfnm runtests runptests \ 23.26 + bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \ 23.27 + bug-getopt5 tst-getopt_long1 bug-regex34 bug-regex35 \ 23.28 + tst-pathconf tst-getaddrinfo4 tst-rxspencer-no-utf8 \ 23.29 +- tst-fnmatch3 bug-regex36 tst-getaddrinfo5 23.30 ++ tst-fnmatch3 bug-regex36 tst-getaddrinfo5 tst-glob-tilde 23.31 + xtests := bug-ga2 23.32 + ifeq (yes,$(build-shared)) 23.33 + test-srcs := globtest 23.34 +@@ -130,7 +130,8 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \ 23.35 + $(objpfx)tst-rxspencer-no-utf8-mem.out $(objpfx)tst-pcre-mem.out \ 23.36 + $(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \ 23.37 + $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \ 23.38 +- $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out 23.39 ++ $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \ 23.40 ++ $(objpfx)tst-glob-tilde-mem.out 23.41 + xtests-special += $(objpfx)bug-ga2-mem.out 23.42 + endif 23.43 + 23.44 +@@ -307,6 +308,12 @@ $(objpfx)bug-glob2-mem.out: $(objpfx)bug-glob2.out 23.45 + $(common-objpfx)malloc/mtrace $(objpfx)bug-glob2.mtrace > $@; \ 23.46 + $(evaluate-test) 23.47 + 23.48 ++tst-glob-tilde-ENV = MALLOC_TRACE=$(objpfx)tst-glob-tilde.mtrace 23.49 ++ 23.50 ++$(objpfx)tst-glob-tilde-mem.out: $(objpfx)tst-glob-tilde.out 23.51 ++ $(common-objpfx)malloc/mtrace $(objpfx)tst-glob-tilde.mtrace > $@; \ 23.52 ++ $(evaluate-test) 23.53 ++ 23.54 + $(inst_libexecdir)/getconf: $(inst_bindir)/getconf \ 23.55 + $(objpfx)getconf.speclist FORCE 23.56 + $(addprefix $(..)./scripts/mkinstalldirs ,\ 23.57 +diff --git a/posix/tst-glob-tilde.c b/posix/tst-glob-tilde.c 23.58 +new file mode 100644 23.59 +index 0000000..9518b4a 23.60 +--- /dev/null 23.61 ++++ b/posix/tst-glob-tilde.c 23.62 +@@ -0,0 +1,136 @@ 23.63 ++/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325). 23.64 ++ Copyright (C) 2017 Free Software Foundation, Inc. 23.65 ++ This file is part of the GNU C Library. 23.66 ++ 23.67 ++ The GNU C Library is free software; you can redistribute it and/or 23.68 ++ modify it under the terms of the GNU Lesser General Public 23.69 ++ License as published by the Free Software Foundation; either 23.70 ++ version 2.1 of the License, or (at your option) any later version. 23.71 ++ 23.72 ++ The GNU C Library is distributed in the hope that it will be useful, 23.73 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 23.74 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 23.75 ++ Lesser General Public License for more details. 23.76 ++ 23.77 ++ You should have received a copy of the GNU Lesser General Public 23.78 ++ License along with the GNU C Library; if not, see 23.79 ++ <http://www.gnu.org/licenses/>. */ 23.80 ++ 23.81 ++#include <glob.h> 23.82 ++#include <mcheck.h> 23.83 ++#include <nss.h> 23.84 ++#include <pwd.h> 23.85 ++#include <stdlib.h> 23.86 ++#include <string.h> 23.87 ++#include <support/check.h> 23.88 ++#include <support/support.h> 23.89 ++ 23.90 ++/* Flag which indicates whether to pass the GLOB_ONLYDIR flag. */ 23.91 ++static int do_onlydir; 23.92 ++ 23.93 ++/* Flag which indicates whether to pass the GLOB_NOCHECK flag. */ 23.94 ++static int do_nocheck; 23.95 ++ 23.96 ++/* Flag which indicates whether to pass the GLOB_MARK flag. */ 23.97 ++static int do_mark; 23.98 ++ 23.99 ++static void 23.100 ++one_test (const char *prefix, const char *middle, const char *suffix) 23.101 ++{ 23.102 ++ char *pattern = xasprintf ("%s%s%s", prefix, middle, suffix); 23.103 ++ int flags = GLOB_TILDE; 23.104 ++ if (do_onlydir) 23.105 ++ flags |= GLOB_ONLYDIR; 23.106 ++ if (do_nocheck) 23.107 ++ flags |= GLOB_NOCHECK; 23.108 ++ if (do_mark) 23.109 ++ flags |= GLOB_MARK; 23.110 ++ glob_t gl; 23.111 ++ /* This glob call might result in crashes or memory leaks. */ 23.112 ++ if (glob (pattern, flags, NULL, &gl) == 0) 23.113 ++ globfree (&gl); 23.114 ++ free (pattern); 23.115 ++} 23.116 ++ 23.117 ++enum 23.118 ++ { 23.119 ++ /* The largest base being tested. */ 23.120 ++ largest_base_size = 500000, 23.121 ++ 23.122 ++ /* The actual size is the base size plus a variable whose absolute 23.123 ++ value is not greater than this. This helps malloc to trigger 23.124 ++ overflows. */ 23.125 ++ max_size_skew = 16, 23.126 ++ 23.127 ++ /* The maximum string length supported by repeating_string 23.128 ++ below. */ 23.129 ++ repeat_size = largest_base_size + max_size_skew, 23.130 ++ }; 23.131 ++ 23.132 ++/* Used to construct strings which repeat a single character 'x'. */ 23.133 ++static char *repeat; 23.134 ++ 23.135 ++/* Return a string of SIZE characters. */ 23.136 ++const char * 23.137 ++repeating_string (int size) 23.138 ++{ 23.139 ++ TEST_VERIFY (size >= 0); 23.140 ++ TEST_VERIFY (size <= repeat_size); 23.141 ++ const char *repeated_shifted = repeat + repeat_size - size; 23.142 ++ TEST_VERIFY (strlen (repeated_shifted) == size); 23.143 ++ return repeated_shifted; 23.144 ++} 23.145 ++ 23.146 ++static int 23.147 ++do_test (void) 23.148 ++{ 23.149 ++ /* Avoid network-based NSS modules and initialize nss_files with a 23.150 ++ dummy lookup. This has to come before mtrace because NSS does 23.151 ++ not free all memory. */ 23.152 ++ __nss_configure_lookup ("passwd", "files"); 23.153 ++ (void) getpwnam ("root"); 23.154 ++ 23.155 ++ mtrace (); 23.156 ++ 23.157 ++ repeat = xmalloc (repeat_size + 1); 23.158 ++ memset (repeat, 'x', repeat_size); 23.159 ++ repeat[repeat_size] = '\0'; 23.160 ++ 23.161 ++ /* These numbers control the size of the user name. The values 23.162 ++ cover the minimum (0), a typical size (8), a large 23.163 ++ stack-allocated size (100000), and a somewhat large 23.164 ++ heap-allocated size (largest_base_size). */ 23.165 ++ static const int base_sizes[] = { 0, 8, 100, 100000, largest_base_size, -1 }; 23.166 ++ 23.167 ++ for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir) 23.168 ++ for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck) 23.169 ++ for (do_mark = 0; do_mark < 2; ++do_mark) 23.170 ++ for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx) 23.171 ++ { 23.172 ++ for (int size_skew = -max_size_skew; size_skew <= max_size_skew; 23.173 ++ ++size_skew) 23.174 ++ { 23.175 ++ int size = base_sizes[base_idx] + size_skew; 23.176 ++ if (size < 0) 23.177 ++ continue; 23.178 ++ 23.179 ++ const char *user_name = repeating_string (size); 23.180 ++ one_test ("~", user_name, "/a/b"); 23.181 ++ } 23.182 ++ 23.183 ++ const char *user_name = repeating_string (base_sizes[base_idx]); 23.184 ++ one_test ("~", user_name, ""); 23.185 ++ one_test ("~", user_name, "/"); 23.186 ++ one_test ("~", user_name, "/a"); 23.187 ++ one_test ("~", user_name, "/*/*"); 23.188 ++ one_test ("~", user_name, "\\/"); 23.189 ++ one_test ("/~", user_name, ""); 23.190 ++ one_test ("*/~", user_name, "/a/b"); 23.191 ++ } 23.192 ++ 23.193 ++ free (repeat); 23.194 ++ 23.195 ++ return 0; 23.196 ++} 23.197 ++ 23.198 ++#include <support/test-driver.c> 23.199 +-- 23.200 +2.17.1 23.201 +
24.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 24.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2017-15804.patch Wed Mar 15 11:41:38 2023 +0000 24.3 @@ -0,0 +1,26 @@ 24.4 +Based on: 24.5 + 24.6 +From a159b53fa059947cc2548e3b0d5bdcf7b9630ba8 Mon Sep 17 00:00:00 2001 24.7 +From: Paul Eggert <eggert@cs.ucla.edu> 24.8 +Date: Sun, 22 Oct 2017 10:00:57 +0200 24.9 +Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping 24.10 + 24.11 +diff -Naur a/posix/glob.c b/posix/glob.c 24.12 +--- a/posix/glob.c 2017-12-07 18:57:12.370562751 +0530 24.13 ++++ b/posix/glob.c 2017-12-07 18:57:51.246561905 +0530 24.14 +@@ -848,11 +848,11 @@ 24.15 + char *p = mempcpy (newp, dirname + 1, 24.16 + unescape - dirname - 1); 24.17 + char *q = unescape; 24.18 +- while (*q != '\0') 24.19 ++ while (q != end_name) 24.20 + { 24.21 + if (*q == '\\') 24.22 + { 24.23 +- if (q[1] == '\0') 24.24 ++ if (q + 1 == end_name) 24.25 + { 24.26 + /* "~fo\\o\\" unescape to user_name "foo\\", 24.27 + but "~fo\\o\\/" unescape to user_name 24.28 + 24.29 +
25.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 25.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2017-16997.patch Wed Mar 15 11:41:38 2023 +0000 25.3 @@ -0,0 +1,113 @@ 25.4 +Based on: 25.5 + 25.6 +From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001 25.7 +From: Aurelien Jarno <aurelien@aurel32.net> 25.8 +Date: Sat, 30 Dec 2017 10:54:23 +0100 25.9 +Subject: [PATCH] elf: Check for empty tokens before dynamic string token 25.10 + expansion [BZ #22625] 25.11 + 25.12 +The fillin_rpath function in elf/dl-load.c loops over each RPATH or 25.13 +RUNPATH tokens and interprets empty tokens as the current directory 25.14 +("./"). In practice the check for empty token is done *after* the 25.15 +dynamic string token expansion. The expansion process can return an 25.16 +empty string for the $ORIGIN token if __libc_enable_secure is set 25.17 +or if the path of the binary can not be determined (/proc not mounted). 25.18 + 25.19 +Fix that by moving the check for empty tokens before the dynamic string 25.20 +token expansion. In addition, check for NULL pointer or empty strings 25.21 +return by expand_dynamic_string_token. 25.22 + 25.23 +The above changes highlighted a bug in decompose_rpath, an empty array 25.24 +is represented by the first element being NULL at the fillin_rpath 25.25 +level, but by using a -1 pointer in decompose_rpath and other functions. 25.26 + 25.27 +Changelog: 25.28 + [BZ #22625] 25.29 + * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic 25.30 + string token expansion. Check for NULL pointer or empty string possibly 25.31 + returned by expand_dynamic_string_token. 25.32 + (decompose_rpath): Check for empty path after dynamic string 25.33 + token expansion. 25.34 +(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef) 25.35 +--- 25.36 + ChangeLog | 10 ++++++++++ 25.37 + NEWS | 4 ++++ 25.38 + elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++---------------- 25.39 + 3 files changed, 47 insertions(+), 16 deletions(-) 25.40 + 25.41 +--- a/elf/dl-load.c 25.42 ++++ b/elf/dl-load.c 25.43 +@@ -431,32 +431,41 @@ fillin_rpath (char *rpath, struct r_sear 25.44 + { 25.45 + char *cp; 25.46 + size_t nelems = 0; 25.47 +- char *to_free; 25.48 + 25.49 + while ((cp = __strsep (&rpath, sep)) != NULL) 25.50 + { 25.51 + struct r_search_path_elem *dirp; 25.52 ++ char *to_free = NULL; 25.53 ++ size_t len = 0; 25.54 + 25.55 +- to_free = cp = expand_dynamic_string_token (l, cp, 1); 25.56 ++ /* `strsep' can pass an empty string. */ 25.57 ++ if (*cp != '\0') 25.58 ++ { 25.59 ++ to_free = cp = expand_dynamic_string_token (l, cp, 1); 25.60 + 25.61 +- size_t len = strlen (cp); 25.62 ++ /* expand_dynamic_string_token can return NULL in case of empty 25.63 ++ path or memory allocation failure. */ 25.64 ++ if (cp == NULL) 25.65 ++ continue; 25.66 ++ 25.67 ++ /* Compute the length after dynamic string token expansion and 25.68 ++ ignore empty paths. */ 25.69 ++ len = strlen (cp); 25.70 ++ if (len == 0) 25.71 ++ { 25.72 ++ free (to_free); 25.73 ++ continue; 25.74 ++ } 25.75 + 25.76 +- /* `strsep' can pass an empty string. This has to be 25.77 +- interpreted as `use the current directory'. */ 25.78 +- if (len == 0) 25.79 +- { 25.80 +- static const char curwd[] = "./"; 25.81 +- cp = (char *) curwd; 25.82 ++ /* Remove trailing slashes (except for "/"). */ 25.83 ++ while (len > 1 && cp[len - 1] == '/') 25.84 ++ --len; 25.85 ++ 25.86 ++ /* Now add one if there is none so far. */ 25.87 ++ if (len > 0 && cp[len - 1] != '/') 25.88 ++ cp[len++] = '/'; 25.89 + } 25.90 + 25.91 +- /* Remove trailing slashes (except for "/"). */ 25.92 +- while (len > 1 && cp[len - 1] == '/') 25.93 +- --len; 25.94 +- 25.95 +- /* Now add one if there is none so far. */ 25.96 +- if (len > 0 && cp[len - 1] != '/') 25.97 +- cp[len++] = '/'; 25.98 +- 25.99 + /* Make sure we don't use untrusted directories if we run SUID. */ 25.100 + if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len)) 25.101 + { 25.102 +@@ -619,6 +628,14 @@ decompose_rpath (struct r_search_path_st 25.103 + necessary. */ 25.104 + free (copy); 25.105 + 25.106 ++ /* There is no path after expansion. */ 25.107 ++ if (result[0] == NULL) 25.108 ++ { 25.109 ++ free (result); 25.110 ++ sps->dirs = (struct r_search_path_elem **) -1; 25.111 ++ return false; 25.112 ++ } 25.113 ++ 25.114 + sps->dirs = result; 25.115 + /* The caller will change this value if we haven't used a real malloc. */ 25.116 + sps->malloced = 1;
26.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 26.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2017-18269.patch Wed Mar 15 11:41:38 2023 +0000 26.3 @@ -0,0 +1,158 @@ 26.4 +From cd66c0e584c6d692bc8347b5e72723d02b8a8ada Mon Sep 17 00:00:00 2001 26.5 +From: Andrew Senkevich <andrew.n.senkevich@gmail.com> 26.6 +Date: Fri, 23 Mar 2018 16:19:45 +0100 26.7 +Subject: [PATCH] Fix i386 memmove issue (bug 22644). 26.8 + 26.9 + [BZ #22644] 26.10 + * sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed 26.11 + branch conditions. 26.12 + * string/test-memmove.c (do_test2): New testcase. 26.13 +--- 26.14 + string/test-memmove.c | 58 ++++++++++++++++++++++ 26.15 + .../i386/i686/multiarch/memcpy-sse2-unaligned.S | 12 ++--- 26.16 + 3 files changed, 72 insertions(+), 6 deletions(-) 26.17 + 26.18 +diff --git a/string/test-memmove.c b/string/test-memmove.c 26.19 +index edc7a4c..64e3651 100644 26.20 +--- a/string/test-memmove.c 26.21 ++++ b/string/test-memmove.c 26.22 +@@ -24,6 +24,7 @@ 26.23 + # define TEST_NAME "memmove" 26.24 + #endif 26.25 + #include "test-string.h" 26.26 ++#include <support/test-driver.h> 26.27 + 26.28 + char *simple_memmove (char *, const char *, size_t); 26.29 + 26.30 +@@ -245,6 +246,60 @@ do_random_tests (void) 26.31 + } 26.32 + } 26.33 + 26.34 ++static void 26.35 ++do_test2 (void) 26.36 ++{ 26.37 ++ size_t size = 0x20000000; 26.38 ++ uint32_t * large_buf; 26.39 ++ 26.40 ++ large_buf = mmap ((void*) 0x70000000, size, PROT_READ | PROT_WRITE, 26.41 ++ MAP_PRIVATE | MAP_ANON, -1, 0); 26.42 ++ 26.43 ++ if (large_buf == MAP_FAILED) 26.44 ++ error (EXIT_UNSUPPORTED, errno, "Large mmap failed"); 26.45 ++ 26.46 ++ if ((uintptr_t) large_buf > 0x80000000 - 128 26.47 ++ || 0x80000000 - (uintptr_t) large_buf > 0x20000000) 26.48 ++ { 26.49 ++ error (0, 0, "Large mmap allocated improperly"); 26.50 ++ ret = EXIT_UNSUPPORTED; 26.51 ++ munmap ((void *) large_buf, size); 26.52 ++ return; 26.53 ++ } 26.54 ++ 26.55 ++ size_t bytes_move = 0x80000000 - (uintptr_t) large_buf; 26.56 ++ size_t arr_size = bytes_move / sizeof (uint32_t); 26.57 ++ size_t i; 26.58 ++ 26.59 ++ FOR_EACH_IMPL (impl, 0) 26.60 ++ { 26.61 ++ for (i = 0; i < arr_size; i++) 26.62 ++ large_buf[i] = (uint32_t) i; 26.63 ++ 26.64 ++ uint32_t * dst = &large_buf[33]; 26.65 ++ 26.66 ++#ifdef TEST_BCOPY 26.67 ++ CALL (impl, (char *) large_buf, (char *) dst, bytes_move); 26.68 ++#else 26.69 ++ CALL (impl, (char *) dst, (char *) large_buf, bytes_move); 26.70 ++#endif 26.71 ++ 26.72 ++ for (i = 0; i < arr_size; i++) 26.73 ++ { 26.74 ++ if (dst[i] != (uint32_t) i) 26.75 ++ { 26.76 ++ error (0, 0, 26.77 ++ "Wrong result in function %s dst \"%p\" src \"%p\" offset \"%zd\"", 26.78 ++ impl->name, dst, large_buf, i); 26.79 ++ ret = 1; 26.80 ++ break; 26.81 ++ } 26.82 ++ } 26.83 ++ } 26.84 ++ 26.85 ++ munmap ((void *) large_buf, size); 26.86 ++} 26.87 ++ 26.88 + int 26.89 + test_main (void) 26.90 + { 26.91 +@@ -284,6 +339,9 @@ test_main (void) 26.92 + } 26.93 + 26.94 + do_random_tests (); 26.95 ++ 26.96 ++ do_test2 (); 26.97 ++ 26.98 + return ret; 26.99 + } 26.100 + 26.101 +diff --git a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S 26.102 +index 9c3bbe7..9aa17de 100644 26.103 +--- a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S 26.104 ++++ b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S 26.105 +@@ -72,7 +72,7 @@ ENTRY (MEMCPY) 26.106 + cmp %edx, %eax 26.107 + 26.108 + # ifdef USE_AS_MEMMOVE 26.109 +- jg L(check_forward) 26.110 ++ ja L(check_forward) 26.111 + 26.112 + L(mm_len_0_or_more_backward): 26.113 + /* Now do checks for lengths. We do [0..16], [16..32], [32..64], [64..128] 26.114 +@@ -81,7 +81,7 @@ L(mm_len_0_or_more_backward): 26.115 + jbe L(mm_len_0_16_bytes_backward) 26.116 + 26.117 + cmpl $32, %ecx 26.118 +- jg L(mm_len_32_or_more_backward) 26.119 ++ ja L(mm_len_32_or_more_backward) 26.120 + 26.121 + /* Copy [0..32] and return. */ 26.122 + movdqu (%eax), %xmm0 26.123 +@@ -92,7 +92,7 @@ L(mm_len_0_or_more_backward): 26.124 + 26.125 + L(mm_len_32_or_more_backward): 26.126 + cmpl $64, %ecx 26.127 +- jg L(mm_len_64_or_more_backward) 26.128 ++ ja L(mm_len_64_or_more_backward) 26.129 + 26.130 + /* Copy [0..64] and return. */ 26.131 + movdqu (%eax), %xmm0 26.132 +@@ -107,7 +107,7 @@ L(mm_len_32_or_more_backward): 26.133 + 26.134 + L(mm_len_64_or_more_backward): 26.135 + cmpl $128, %ecx 26.136 +- jg L(mm_len_128_or_more_backward) 26.137 ++ ja L(mm_len_128_or_more_backward) 26.138 + 26.139 + /* Copy [0..128] and return. */ 26.140 + movdqu (%eax), %xmm0 26.141 +@@ -132,7 +132,7 @@ L(mm_len_128_or_more_backward): 26.142 + add %ecx, %eax 26.143 + cmp %edx, %eax 26.144 + movl SRC(%esp), %eax 26.145 +- jle L(forward) 26.146 ++ jbe L(forward) 26.147 + PUSH (%esi) 26.148 + PUSH (%edi) 26.149 + PUSH (%ebx) 26.150 +@@ -269,7 +269,7 @@ L(check_forward): 26.151 + add %edx, %ecx 26.152 + cmp %eax, %ecx 26.153 + movl LEN(%esp), %ecx 26.154 +- jle L(forward) 26.155 ++ jbe L(forward) 26.156 + 26.157 + /* Now do checks for lengths. We do [0..16], [0..32], [0..64], [0..128] 26.158 + separately. */ 26.159 +-- 26.160 +2.9.3 26.161 +
27.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 27.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2018-1000001.patch Wed Mar 15 11:41:38 2023 +0000 27.3 @@ -0,0 +1,154 @@ 27.4 +Based on: 27.5 +https://sourceware.org/bugzilla/show_bug.cgi?id=22679 27.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=771c846a71d9ee14aa3b91fd184026482da585d9 27.7 + 27.8 +From 771c846a71d9ee14aa3b91fd184026482da585d9 Mon Sep 17 00:00:00 2001 27.9 +From: "Dmitry V. Levin" <ldv@altlinux.org> 27.10 +Date: Sun, 7 Jan 2018 02:03:41 +0000 27.11 +Subject: [PATCH] linux: make getcwd(3) fail if it cannot obtain an absolute 27.12 + path [BZ #22679] 27.13 + 27.14 +Currently getcwd(3) can succeed without returning an absolute path 27.15 +because the underlying getcwd syscall, starting with linux commit 27.16 +v2.6.36-rc1~96^2~2, may succeed without returning an absolute path. 27.17 + 27.18 +This is a conformance issue because "The getcwd() function shall 27.19 +place an absolute pathname of the current working directory 27.20 +in the array pointed to by buf, and return buf". 27.21 + 27.22 +This is also a security issue because a non-absolute path returned 27.23 +by getcwd(3) causes a buffer underflow in realpath(3). 27.24 + 27.25 +Fix this by checking the path returned by getcwd syscall and falling 27.26 +back to generic_getcwd if the path is not absolute, effectively making 27.27 +getcwd(3) fail with ENOENT. The error code is chosen for consistency 27.28 +with the case when the current directory is unlinked. 27.29 + 27.30 +[BZ #22679] 27.31 +CVE-2018-1000001 27.32 +* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to 27.33 +generic_getcwd if the path returned by getcwd syscall is not absolute. 27.34 +* io/tst-getcwd-abspath.c: New test. 27.35 +* io/Makefile (tests): Add tst-getcwd-abspath. 27.36 +--- 27.37 + io/Makefile | 2 +- 27.38 + io/tst-getcwd-abspath.c | 66 ++++++++++++++++++++++++++++++++ 27.39 + sysdeps/unix/sysv/linux/getcwd.c | 8 ++-- 27.40 + 3 files changed, 71 insertions(+), 5 deletions(-) 27.41 + create mode 100644 io/tst-getcwd-abspath.c 27.42 + 27.43 +diff --git a/io/Makefile b/io/Makefile 27.44 +index 613dce0..c50be28 100644 27.45 +--- a/io/Makefile 27.46 ++++ b/io/Makefile 27.47 +@@ -71,7 +71,7 @@ tests := test-utime test-stat test-stat2 test-lfs tst-getcwd \ 27.48 + tst-renameat tst-fchownat tst-fchmodat tst-faccessat \ 27.49 + tst-symlinkat tst-linkat tst-readlinkat tst-mkdirat \ 27.50 + tst-mknodat tst-mkfifoat tst-ttyname_r bug-ftw5 \ 27.51 +- tst-posix_fallocate 27.52 ++ tst-posix_fallocate tst-getcwd-abspath 27.53 + 27.54 + ifeq ($(run-built-tests),yes) 27.55 + tests-special += $(objpfx)ftwtest.out 27.56 +diff --git a/io/tst-getcwd-abspath.c b/io/tst-getcwd-abspath.c 27.57 +new file mode 100644 27.58 +index 0000000..3a3636f 27.59 +--- /dev/null 27.60 ++++ b/io/tst-getcwd-abspath.c 27.61 +@@ -0,0 +1,66 @@ 27.62 ++/* BZ #22679 getcwd(3) should not succeed without returning an absolute path. 27.63 ++ 27.64 ++ Copyright (C) 2018 Free Software Foundation, Inc. 27.65 ++ This file is part of the GNU C Library. 27.66 ++ 27.67 ++ The GNU C Library is free software; you can redistribute it and/or 27.68 ++ modify it under the terms of the GNU Lesser General Public 27.69 ++ License as published by the Free Software Foundation; either 27.70 ++ version 2.1 of the License, or (at your option) any later version. 27.71 ++ 27.72 ++ The GNU C Library is distributed in the hope that it will be useful, 27.73 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 27.74 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 27.75 ++ Lesser General Public License for more details. 27.76 ++ 27.77 ++ You should have received a copy of the GNU Lesser General Public 27.78 ++ License along with the GNU C Library; if not, see 27.79 ++ <https://www.gnu.org/licenses/>. */ 27.80 ++ 27.81 ++#include <errno.h> 27.82 ++#include <stdio.h> 27.83 ++#include <stdlib.h> 27.84 ++#include <support/check.h> 27.85 ++#include <support/namespace.h> 27.86 ++#include <support/support.h> 27.87 ++#include <support/temp_file.h> 27.88 ++#include <support/test-driver.h> 27.89 ++#include <support/xunistd.h> 27.90 ++#include <unistd.h> 27.91 ++ 27.92 ++static char *chroot_dir; 27.93 ++ 27.94 ++/* The actual test. Run it in a subprocess, so that the test harness 27.95 ++ can remove the temporary directory in --direct mode. */ 27.96 ++static void 27.97 ++getcwd_callback (void *closure) 27.98 ++{ 27.99 ++ xchroot (chroot_dir); 27.100 ++ 27.101 ++ errno = 0; 27.102 ++ char *cwd = getcwd (NULL, 0); 27.103 ++ TEST_COMPARE (errno, ENOENT); 27.104 ++ TEST_VERIFY (cwd == NULL); 27.105 ++ 27.106 ++ errno = 0; 27.107 ++ cwd = realpath (".", NULL); 27.108 ++ TEST_COMPARE (errno, ENOENT); 27.109 ++ TEST_VERIFY (cwd == NULL); 27.110 ++ 27.111 ++ _exit (0); 27.112 ++} 27.113 ++ 27.114 ++static int 27.115 ++do_test (void) 27.116 ++{ 27.117 ++ support_become_root (); 27.118 ++ if (!support_can_chroot ()) 27.119 ++ return EXIT_UNSUPPORTED; 27.120 ++ 27.121 ++ chroot_dir = support_create_temp_directory ("tst-getcwd-abspath-"); 27.122 ++ support_isolate_in_subprocess (getcwd_callback, NULL); 27.123 ++ 27.124 ++ return 0; 27.125 ++} 27.126 ++ 27.127 ++#include <support/test-driver.c> 27.128 +diff --git a/sysdeps/unix/sysv/linux/getcwd.c b/sysdeps/unix/sysv/linux/getcwd.c 27.129 +index 5caee92..4a4c8f0 100644 27.130 +--- a/sysdeps/unix/sysv/linux/getcwd.c 27.131 ++++ b/sysdeps/unix/sysv/linux/getcwd.c 27.132 +@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size) 27.133 + int retval; 27.134 + 27.135 + retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size); 27.136 +- if (retval >= 0) 27.137 ++ if (retval > 0 && path[0] == '/') 27.138 + { 27.139 + #ifndef NO_ALLOCATION 27.140 + if (buf == NULL && size == 0) 27.141 +@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size) 27.142 + return buf; 27.143 + } 27.144 + 27.145 +- /* The system call cannot handle paths longer than a page. 27.146 +- Neither can the magic symlink in /proc/self. Just use the 27.147 ++ /* The system call either cannot handle paths longer than a page 27.148 ++ or can succeed without returning an absolute path. Just use the 27.149 + generic implementation right away. */ 27.150 +- if (errno == ENAMETOOLONG) 27.151 ++ if (retval >= 0 || errno == ENAMETOOLONG) 27.152 + { 27.153 + #ifndef NO_ALLOCATION 27.154 + if (buf == NULL && size == 0) 27.155 +-- 27.156 +2.17.1 27.157 +
28.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 28.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2018-11236.patch Wed Mar 15 11:41:38 2023 +0000 28.3 @@ -0,0 +1,143 @@ 28.4 +Based on: 28.5 +https://sourceware.org/bugzilla/show_bug.cgi?id=22786 28.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=af7519f7b35024224c163e32a89fb247b0c446fc 28.7 + 28.8 +From af7519f7b35024224c163e32a89fb247b0c446fc Mon Sep 17 00:00:00 2001 28.9 +From: Paul Pluzhnikov <ppluzhnikov@google.com> 28.10 +Date: Tue, 8 May 2018 18:12:41 -0700 28.11 +Subject: [PATCH] Fix path length overflow in realpath [BZ #22786] 28.12 + 28.13 +Integer addition overflow may cause stack buffer overflow 28.14 +when realpath() input length is close to SSIZE_MAX. 28.15 +--- 28.16 + stdlib/Makefile | 2 +- 28.17 + stdlib/canonicalize.c | 2 +- 28.18 + stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++ 28.19 + 3 files changed, 92 insertions(+), 2 deletions(-) 28.20 + create mode 100644 stdlib/test-bz22786.c 28.21 + 28.22 +diff --git a/stdlib/Makefile b/stdlib/Makefile 28.23 +index a925479..482c587 100644 28.24 +--- a/stdlib/Makefile 28.25 ++++ b/stdlib/Makefile 28.26 +@@ -75,7 +75,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ 28.27 + tst-makecontext3 bug-getcontext bug-fmtmsg1 \ 28.28 + tst-secure-getenv tst-strtod-overflow tst-strtod-round \ 28.29 + tst-tininess tst-strtod-underflow tst-tls-atexit \ 28.30 +- tst-setcontext3 tst-tls-atexit-nodelete 28.31 ++ tst-setcontext3 tst-tls-atexit-nodelete test-bz22786 28.32 + tests-static := tst-secure-getenv 28.33 + 28.34 + modules-names = tst-tls-atexit-lib 28.35 +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c 28.36 +index 6f4f74d..509beb1 100644 28.37 +--- a/stdlib/canonicalize.c 28.38 ++++ b/stdlib/canonicalize.c 28.39 +@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved) 28.40 + extra_buf = __alloca (path_max); 28.41 + 28.42 + len = strlen (end); 28.43 +- if ((long int) (n + len) >= path_max) 28.44 ++ if (path_max - n <= len) 28.45 + { 28.46 + __set_errno (ENAMETOOLONG); 28.47 + goto error; 28.48 +diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c 28.49 +new file mode 100644 28.50 +index 0000000..e7837f9 28.51 +--- /dev/null 28.52 ++++ b/stdlib/test-bz22786.c 28.53 +@@ -0,0 +1,90 @@ 28.54 ++/* Bug 22786: test for buffer overflow in realpath. 28.55 ++ Copyright (C) 2018 Free Software Foundation, Inc. 28.56 ++ This file is part of the GNU C Library. 28.57 ++ 28.58 ++ The GNU C Library is free software; you can redistribute it and/or 28.59 ++ modify it under the terms of the GNU Lesser General Public 28.60 ++ License as published by the Free Software Foundation; either 28.61 ++ version 2.1 of the License, or (at your option) any later version. 28.62 ++ 28.63 ++ The GNU C Library is distributed in the hope that it will be useful, 28.64 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 28.65 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 28.66 ++ Lesser General Public License for more details. 28.67 ++ 28.68 ++ You should have received a copy of the GNU Lesser General Public 28.69 ++ License along with the GNU C Library; if not, see 28.70 ++ <http://www.gnu.org/licenses/>. */ 28.71 ++ 28.72 ++/* This file must be run from within a directory called "stdlib". */ 28.73 ++ 28.74 ++#include <errno.h> 28.75 ++#include <limits.h> 28.76 ++#include <stdio.h> 28.77 ++#include <stdlib.h> 28.78 ++#include <string.h> 28.79 ++#include <unistd.h> 28.80 ++#include <sys/stat.h> 28.81 ++#include <sys/types.h> 28.82 ++#include <support/test-driver.h> 28.83 ++#include <libc-diag.h> 28.84 ++ 28.85 ++static int 28.86 ++do_test (void) 28.87 ++{ 28.88 ++ const char dir[] = "bz22786"; 28.89 ++ const char lnk[] = "bz22786/symlink"; 28.90 ++ 28.91 ++ rmdir (dir); 28.92 ++ if (mkdir (dir, 0755) != 0 && errno != EEXIST) 28.93 ++ { 28.94 ++ printf ("mkdir %s: %m\n", dir); 28.95 ++ return EXIT_FAILURE; 28.96 ++ } 28.97 ++ if (symlink (".", lnk) != 0 && errno != EEXIST) 28.98 ++ { 28.99 ++ printf ("symlink (%s, %s): %m\n", dir, lnk); 28.100 ++ return EXIT_FAILURE; 28.101 ++ } 28.102 ++ 28.103 ++ const size_t path_len = (size_t) INT_MAX + 1; 28.104 ++ 28.105 ++ DIAG_PUSH_NEEDS_COMMENT; 28.106 ++#if __GNUC_PREREQ (7, 0) 28.107 ++ /* GCC 7 warns about too-large allocations; here we need such 28.108 ++ allocation to succeed for the test to work. */ 28.109 ++ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); 28.110 ++#endif 28.111 ++ char *path = malloc (path_len); 28.112 ++ DIAG_POP_NEEDS_COMMENT; 28.113 ++ 28.114 ++ if (path == NULL) 28.115 ++ { 28.116 ++ printf ("malloc (%zu): %m\n", path_len); 28.117 ++ return EXIT_UNSUPPORTED; 28.118 ++ } 28.119 ++ 28.120 ++ /* Construct very long path = "bz22786/symlink/aaaa....." */ 28.121 ++ char *p = mempcpy (path, lnk, sizeof (lnk) - 1); 28.122 ++ *(p++) = '/'; 28.123 ++ memset (p, 'a', path_len - (path - p) - 2); 28.124 ++ p[path_len - (path - p) - 1] = '\0'; 28.125 ++ 28.126 ++ /* This call crashes before the fix for bz22786 on 32-bit platforms. */ 28.127 ++ p = realpath (path, NULL); 28.128 ++ 28.129 ++ if (p != NULL || errno != ENAMETOOLONG) 28.130 ++ { 28.131 ++ printf ("realpath: %s (%m)", p); 28.132 ++ return EXIT_FAILURE; 28.133 ++ } 28.134 ++ 28.135 ++ /* Cleanup. */ 28.136 ++ unlink (lnk); 28.137 ++ rmdir (dir); 28.138 ++ 28.139 ++ return 0; 28.140 ++} 28.141 ++ 28.142 ++#define TEST_FUNCTION do_test 28.143 ++#include <support/test-driver.c> 28.144 +-- 28.145 +2.17.1 28.146 +
29.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 29.2 +++ b/glibc/stuff/patches/glibc-2.22-CVE-2018-6485.patch Wed Mar 15 11:41:38 2023 +0000 29.3 @@ -0,0 +1,345 @@ 29.4 +Based on: 29.5 +https://sourceware.org/bugzilla/show_bug.cgi?id=22343 29.6 +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=9331dbdcd7aa8e997eb4caa9b1b0cb6c804320c8 29.7 + 29.8 +From 9331dbdcd7aa8e997eb4caa9b1b0cb6c804320c8 Mon Sep 17 00:00:00 2001 29.9 +From: Arjun Shankar <arjun@redhat.com> 29.10 +Date: Thu, 18 Jan 2018 16:47:06 +0000 29.11 +Subject: [PATCH] Fix integer overflows in internal memalign and malloc [BZ 29.12 + #22343] [BZ #22774] 29.13 + 29.14 +When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT 29.15 +and a requested size close to SIZE_MAX, it falls back to malloc code 29.16 +(because the alignment of a block returned by malloc is sufficient to 29.17 +satisfy the call). In this case, an integer overflow in _int_malloc leads 29.18 +to posix_memalign incorrectly returning successfully. 29.19 + 29.20 +Upon fixing this and writing a somewhat thorough regression test, it was 29.21 +discovered that when posix_memalign is called with an alignment larger than 29.22 +MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size 29.23 +close to SIZE_MAX, a different integer overflow in _int_memalign leads to 29.24 +posix_memalign incorrectly returning successfully. 29.25 + 29.26 +Both integer overflows affect other memory allocation functions that use 29.27 +_int_malloc (one affected malloc in x86) or _int_memalign as well. 29.28 + 29.29 +This commit fixes both integer overflows. In addition to this, it adds a 29.30 +regression test to guard against false successful allocations by the 29.31 +following memory allocation functions when called with too-large allocation 29.32 +sizes and, where relevant, various valid alignments: 29.33 +malloc, realloc, calloc, memalign, posix_memalign, aligned_alloc, valloc, 29.34 +and pvalloc. 29.35 +--- 29.36 + malloc/Makefile | 2 +- 29.37 + malloc/malloc.c | 30 +++-- 29.38 + malloc/tst-malloc-too-large.c | 237 ++++++++++++++++++++++++++++++++++ 29.39 + 3 files changed, 260 insertions(+), 9 deletions(-) 29.40 + create mode 100644 malloc/tst-malloc-too-large.c 29.41 + 29.42 +diff --git a/malloc/Makefile b/malloc/Makefile 29.43 +index 67ed293..8627344 100644 29.44 +--- a/malloc/Makefile 29.45 ++++ b/malloc/Makefile 29.46 +@@ -28,7 +28,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \ 29.47 + tst-mallocstate tst-mcheck tst-mallocfork tst-trim1 \ 29.48 + tst-malloc-usable tst-realloc tst-posix_memalign \ 29.49 + tst-pvalloc tst-memalign tst-mallopt tst-scratch_buffer \ 29.50 +- tst-malloc-backtrace 29.51 ++ tst-malloc-backtrace tst-malloc-too-large 29.52 + test-srcs = tst-mtrace 29.53 + 29.54 + routines = malloc morecore mcheck mtrace obstack \ 29.55 +diff --git a/malloc/malloc.c b/malloc/malloc.c 29.56 +index 452f036..1ed5e01 100644 29.57 +--- a/malloc/malloc.c 29.58 ++++ b/malloc/malloc.c 29.59 +@@ -1252,14 +1252,21 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 29.60 + MINSIZE : \ 29.61 + ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK) 29.62 + 29.63 +-/* Same, except also perform argument check */ 29.64 +- 29.65 +-#define checked_request2size(req, sz) \ 29.66 +- if (REQUEST_OUT_OF_RANGE (req)) { \ 29.67 +- __set_errno (ENOMEM); \ 29.68 +- return 0; \ 29.69 +- } \ 29.70 +- (sz) = request2size (req); 29.71 ++/* Same, except also perform an argument and result check. First, we check 29.72 ++ that the padding done by request2size didn't result in an integer 29.73 ++ overflow. Then we check (using REQUEST_OUT_OF_RANGE) that the resulting 29.74 ++ size isn't so large that a later alignment would lead to another integer 29.75 ++ overflow. */ 29.76 ++#define checked_request2size(req, sz) \ 29.77 ++({ \ 29.78 ++ (sz) = request2size (req); \ 29.79 ++ if (((sz) < (req)) \ 29.80 ++ || REQUEST_OUT_OF_RANGE (sz)) \ 29.81 ++ { \ 29.82 ++ __set_errno (ENOMEM); \ 29.83 ++ return 0; \ 29.84 ++ } \ 29.85 ++}) 29.86 + 29.87 + /* 29.88 + --------------- Physical chunk operations --------------- 29.89 +@@ -4410,6 +4417,13 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) 29.90 + */ 29.91 + 29.92 + 29.93 ++ /* Check for overflow. */ 29.94 ++ if (nb > SIZE_MAX - alignment - MINSIZE) 29.95 ++ { 29.96 ++ __set_errno (ENOMEM); 29.97 ++ return 0; 29.98 ++ } 29.99 ++ 29.100 + /* Call malloc with worst case padding to hit alignment. */ 29.101 + 29.102 + m = (char *) (_int_malloc (av, nb + alignment + MINSIZE)); 29.103 +diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c 29.104 +new file mode 100644 29.105 +index 0000000..1f7bf29 29.106 +--- /dev/null 29.107 ++++ b/malloc/tst-malloc-too-large.c 29.108 +@@ -0,0 +1,237 @@ 29.109 ++/* Test and verify that too-large memory allocations fail with ENOMEM. 29.110 ++ Copyright (C) 2018 Free Software Foundation, Inc. 29.111 ++ This file is part of the GNU C Library. 29.112 ++ 29.113 ++ The GNU C Library is free software; you can redistribute it and/or 29.114 ++ modify it under the terms of the GNU Lesser General Public 29.115 ++ License as published by the Free Software Foundation; either 29.116 ++ version 2.1 of the License, or (at your option) any later version. 29.117 ++ 29.118 ++ The GNU C Library is distributed in the hope that it will be useful, 29.119 ++ but WITHOUT ANY WARRANTY; without even the implied warranty of 29.120 ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 29.121 ++ Lesser General Public License for more details. 29.122 ++ 29.123 ++ You should have received a copy of the GNU Lesser General Public 29.124 ++ License along with the GNU C Library; if not, see 29.125 ++ <http://www.gnu.org/licenses/>. */ 29.126 ++ 29.127 ++/* Bug 22375 reported a regression in malloc where if after malloc'ing then 29.128 ++ free'ing a small block of memory, malloc is then called with a really 29.129 ++ large size argument (close to SIZE_MAX): instead of returning NULL and 29.130 ++ setting errno to ENOMEM, malloc incorrectly returns the previously 29.131 ++ allocated block instead. Bug 22343 reported a similar case where 29.132 ++ posix_memalign incorrectly returns successfully when called with an with 29.133 ++ a really large size argument. 29.134 ++ 29.135 ++ Both of these were caused by integer overflows in the allocator when it 29.136 ++ was trying to pad the requested size to allow for book-keeping or 29.137 ++ alignment. This test guards against such bugs by repeatedly allocating 29.138 ++ and freeing small blocks of memory then trying to allocate various block 29.139 ++ sizes larger than the memory bus width of 64-bit targets, or almost 29.140 ++ as large as SIZE_MAX on 32-bit targets supported by glibc. In each case, 29.141 ++ it verifies that such impossibly large allocations correctly fail. */ 29.142 ++ 29.143 ++ 29.144 ++#include <stdlib.h> 29.145 ++#include <malloc.h> 29.146 ++#include <errno.h> 29.147 ++#include <stdint.h> 29.148 ++#include <sys/resource.h> 29.149 ++#include <libc-internal.h> 29.150 ++#include <support/check.h> 29.151 ++#include <unistd.h> 29.152 ++#include <sys/param.h> 29.153 ++ 29.154 ++ 29.155 ++/* This function prepares for each 'too-large memory allocation' test by 29.156 ++ performing a small successful malloc/free and resetting errno prior to 29.157 ++ the actual test. */ 29.158 ++static void 29.159 ++test_setup (void) 29.160 ++{ 29.161 ++ void *volatile ptr = malloc (16); 29.162 ++ TEST_VERIFY_EXIT (ptr != NULL); 29.163 ++ free (ptr); 29.164 ++ errno = 0; 29.165 ++} 29.166 ++ 29.167 ++ 29.168 ++/* This function tests each of: 29.169 ++ - malloc (SIZE) 29.170 ++ - realloc (PTR_FOR_REALLOC, SIZE) 29.171 ++ - for various values of NMEMB: 29.172 ++ - calloc (NMEMB, SIZE/NMEMB) 29.173 ++ - calloc (SIZE/NMEMB, NMEMB) 29.174 ++ and precedes each of these tests with a small malloc/free before it. */ 29.175 ++static void 29.176 ++test_large_allocations (size_t size) 29.177 ++{ 29.178 ++ void * ptr_to_realloc; 29.179 ++ 29.180 ++ test_setup (); 29.181 ++ TEST_VERIFY (malloc (size) == NULL); 29.182 ++ TEST_VERIFY (errno == ENOMEM); 29.183 ++ 29.184 ++ ptr_to_realloc = malloc (16); 29.185 ++ TEST_VERIFY_EXIT (ptr_to_realloc != NULL); 29.186 ++ test_setup (); 29.187 ++ TEST_VERIFY (realloc (ptr_to_realloc, size) == NULL); 29.188 ++ TEST_VERIFY (errno == ENOMEM); 29.189 ++ free (ptr_to_realloc); 29.190 ++ 29.191 ++ for (size_t nmemb = 1; nmemb <= 8; nmemb *= 2) 29.192 ++ if ((size % nmemb) == 0) 29.193 ++ { 29.194 ++ test_setup (); 29.195 ++ TEST_VERIFY (calloc (nmemb, size / nmemb) == NULL); 29.196 ++ TEST_VERIFY (errno == ENOMEM); 29.197 ++ 29.198 ++ test_setup (); 29.199 ++ TEST_VERIFY (calloc (size / nmemb, nmemb) == NULL); 29.200 ++ TEST_VERIFY (errno == ENOMEM); 29.201 ++ } 29.202 ++ else 29.203 ++ break; 29.204 ++} 29.205 ++ 29.206 ++ 29.207 ++static long pagesize; 29.208 ++ 29.209 ++/* This function tests the following aligned memory allocation functions 29.210 ++ using several valid alignments and precedes each allocation test with a 29.211 ++ small malloc/free before it: 29.212 ++ memalign, posix_memalign, aligned_alloc, valloc, pvalloc. */ 29.213 ++static void 29.214 ++test_large_aligned_allocations (size_t size) 29.215 ++{ 29.216 ++ /* ptr stores the result of posix_memalign but since all those calls 29.217 ++ should fail, posix_memalign should never change ptr. We set it to 29.218 ++ NULL here and later on we check that it remains NULL after each 29.219 ++ posix_memalign call. */ 29.220 ++ void * ptr = NULL; 29.221 ++ 29.222 ++ size_t align; 29.223 ++ 29.224 ++ /* All aligned memory allocation functions expect an alignment that is a 29.225 ++ power of 2. Given this, we test each of them with every valid 29.226 ++ alignment from 1 thru PAGESIZE. */ 29.227 ++ for (align = 1; align <= pagesize; align *= 2) 29.228 ++ { 29.229 ++ test_setup (); 29.230 ++ TEST_VERIFY (memalign (align, size) == NULL); 29.231 ++ TEST_VERIFY (errno == ENOMEM); 29.232 ++ 29.233 ++ /* posix_memalign expects an alignment that is a power of 2 *and* a 29.234 ++ multiple of sizeof (void *). */ 29.235 ++ if ((align % sizeof (void *)) == 0) 29.236 ++ { 29.237 ++ test_setup (); 29.238 ++ TEST_VERIFY (posix_memalign (&ptr, align, size) == ENOMEM); 29.239 ++ TEST_VERIFY (ptr == NULL); 29.240 ++ } 29.241 ++ 29.242 ++ /* aligned_alloc expects a size that is a multiple of alignment. */ 29.243 ++ if ((size % align) == 0) 29.244 ++ { 29.245 ++ test_setup (); 29.246 ++ TEST_VERIFY (aligned_alloc (align, size) == NULL); 29.247 ++ TEST_VERIFY (errno == ENOMEM); 29.248 ++ } 29.249 ++ } 29.250 ++ 29.251 ++ /* Both valloc and pvalloc return page-aligned memory. */ 29.252 ++ 29.253 ++ test_setup (); 29.254 ++ TEST_VERIFY (valloc (size) == NULL); 29.255 ++ TEST_VERIFY (errno == ENOMEM); 29.256 ++ 29.257 ++ test_setup (); 29.258 ++ TEST_VERIFY (pvalloc (size) == NULL); 29.259 ++ TEST_VERIFY (errno == ENOMEM); 29.260 ++} 29.261 ++ 29.262 ++ 29.263 ++#define FOURTEEN_ON_BITS ((1UL << 14) - 1) 29.264 ++#define FIFTY_ON_BITS ((1UL << 50) - 1) 29.265 ++ 29.266 ++ 29.267 ++static int 29.268 ++do_test (void) 29.269 ++{ 29.270 ++ 29.271 ++#if __WORDSIZE >= 64 29.272 ++ 29.273 ++ /* This test assumes that none of the supported targets have an address 29.274 ++ bus wider than 50 bits, and that therefore allocations for sizes wider 29.275 ++ than 50 bits will fail. Here, we ensure that the assumption continues 29.276 ++ to be true in the future when we might have address buses wider than 50 29.277 ++ bits. */ 29.278 ++ 29.279 ++ struct rlimit alloc_size_limit 29.280 ++ = { 29.281 ++ .rlim_cur = FIFTY_ON_BITS, 29.282 ++ .rlim_max = FIFTY_ON_BITS 29.283 ++ }; 29.284 ++ 29.285 ++ setrlimit (RLIMIT_AS, &alloc_size_limit); 29.286 ++ 29.287 ++#endif /* __WORDSIZE >= 64 */ 29.288 ++ 29.289 ++ DIAG_PUSH_NEEDS_COMMENT; 29.290 ++#if __GNUC_PREREQ (7, 0) 29.291 ++ /* GCC 7 warns about too-large allocations; here we want to test 29.292 ++ that they fail. */ 29.293 ++ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); 29.294 ++#endif 29.295 ++ 29.296 ++ /* Aligned memory allocation functions need to be tested up to alignment 29.297 ++ size equivalent to page size, which should be a power of 2. */ 29.298 ++ pagesize = sysconf (_SC_PAGESIZE); 29.299 ++ TEST_VERIFY_EXIT (powerof2 (pagesize)); 29.300 ++ 29.301 ++ /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. 29.302 ++ in the range (SIZE_MAX - 2^14, SIZE_MAX], fail. 29.303 ++ 29.304 ++ We can expect that this range of allocation sizes will always lead to 29.305 ++ an allocation failure on both 64 and 32 bit targets, because: 29.306 ++ 29.307 ++ 1. no currently supported 64-bit target has an address bus wider than 29.308 ++ 50 bits -- and (2^64 - 2^14) is much wider than that; 29.309 ++ 29.310 ++ 2. on 32-bit targets, even though 2^32 is only 4 GB and potentially 29.311 ++ addressable, glibc itself is more than 2^14 bytes in size, and 29.312 ++ therefore once glibc is loaded, less than (2^32 - 2^14) bytes remain 29.313 ++ available. */ 29.314 ++ 29.315 ++ for (size_t i = 0; i <= FOURTEEN_ON_BITS; i++) 29.316 ++ { 29.317 ++ test_large_allocations (SIZE_MAX - i); 29.318 ++ test_large_aligned_allocations (SIZE_MAX - i); 29.319 ++ } 29.320 ++ 29.321 ++#if __WORDSIZE >= 64 29.322 ++ /* On 64-bit targets, we need to test a much wider range of too-large 29.323 ++ sizes, so we test at intervals of (1 << 50) that allocation sizes 29.324 ++ ranging from SIZE_MAX down to (1 << 50) fail: 29.325 ++ The 14 MSBs are decremented starting from "all ON" going down to 1, 29.326 ++ the 50 LSBs are "all ON" and then "all OFF" during every iteration. */ 29.327 ++ for (size_t msbs = FOURTEEN_ON_BITS; msbs >= 1; msbs--) 29.328 ++ { 29.329 ++ size_t size = (msbs << 50) | FIFTY_ON_BITS; 29.330 ++ test_large_allocations (size); 29.331 ++ test_large_aligned_allocations (size); 29.332 ++ 29.333 ++ size = msbs << 50; 29.334 ++ test_large_allocations (size); 29.335 ++ test_large_aligned_allocations (size); 29.336 ++ } 29.337 ++#endif /* __WORDSIZE >= 64 */ 29.338 ++ 29.339 ++ DIAG_POP_NEEDS_COMMENT; 29.340 ++ 29.341 ++ return 0; 29.342 ++} 29.343 ++ 29.344 ++ 29.345 ++#include <support/test-driver.c> 29.346 +-- 29.347 +2.17.1 29.348 +