summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Yang <liezhi.yang@windriver.com>2016-04-05 23:58:44 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-04-06 10:31:41 +0100
commite8a5332d467434ee65e0f29927abb9c51b025aff (patch)
tree4f13b46482aa0521e3acbd8f08c72c4f753da30d
parente2961eacd55f0edc2fef3b38cf76340c62db9bff (diff)
downloadopenembedded-core-e8a5332d467434ee65e0f29927abb9c51b025aff.tar.gz
openembedded-core-e8a5332d467434ee65e0f29927abb9c51b025aff.tar.bz2
openembedded-core-e8a5332d467434ee65e0f29927abb9c51b025aff.zip
glibc: remove unused CVE patches
They were CEVs and should be already in the source after upgraded. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8776.patch155
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8777.patch123
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8779.patch262
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch1039
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch385
5 files changed, 0 insertions, 1964 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
deleted file mode 100644
index 684f344177..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
-From: Paul Pluzhnikov <ppluzhnikov@google.com>
-Date: Sat, 26 Sep 2015 13:27:48 -0700
-Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
- segfault
-
-Upstream-Status: Backport
-CVE: CVE-2015-8776
-[Yocto # 8980]
-
-https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 8 ++++++++
- NEWS | 2 +-
- time/strftime_l.c | 20 +++++++++++++-------
- time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
- 4 files changed, 73 insertions(+), 9 deletions(-)
-
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,11 @@
-+2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
-+
-+ [BZ #18985]
-+ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
-+ (__strftime_internal): Likewise.
-+ * time/tst-strftime.c (do_bz18985): New test.
-+ (do_test): Call it.
-+
- 2015-12-04 Joseph Myers <joseph@codesourcery.com>
-
- [BZ #16961]
-Index: git/time/strftime_l.c
-===================================================================
---- git.orig/time/strftime_l.c
-+++ git/time/strftime_l.c
-@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
- only a few elements. Dereference the pointers only if the format
- requires this. Then it is ok to fail if the pointers are invalid. */
- # define a_wkday \
-- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
-+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
-+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
- # define f_wkday \
-- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
-+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
-+ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
- # define a_month \
-- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
-+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
-+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
- # define f_month \
-- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
-+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
-+ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
- # define ampm \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
- ? NLW(PM_STR) : NLW(AM_STR)))
-@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
- # define ap_len STRLEN (ampm)
- #else
- # if !HAVE_STRFTIME
--# define f_wkday (weekday_name[tp->tm_wday])
--# define f_month (month_name[tp->tm_mon])
-+# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
-+ ? "?" : weekday_name[tp->tm_wday])
-+# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
-+ ? "?" : month_name[tp->tm_mon])
- # define a_wkday f_wkday
- # define a_month f_month
- # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
-@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
- *tzset_called = true;
- }
- # endif
-- zone = tzname[tp->tm_isdst];
-+ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
- }
- #endif
- if (! zone)
-Index: git/time/tst-strftime.c
-===================================================================
---- git.orig/time/tst-strftime.c
-+++ git/time/tst-strftime.c
-@@ -4,6 +4,56 @@
- #include <time.h>
-
-
-+static int
-+do_bz18985 (void)
-+{
-+ char buf[1000];
-+ struct tm ttm;
-+ int rc, ret = 0;
-+
-+ memset (&ttm, 1, sizeof (ttm));
-+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
-+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
-+
-+ if (rc == 66)
-+ {
-+ const char expected[]
-+ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
-+ if (0 != strcmp (buf, expected))
-+ {
-+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
-+ ret += 1;
-+ }
-+ }
-+ else
-+ {
-+ printf ("expected 66, got %d\n", rc);
-+ ret += 1;
-+ }
-+
-+ /* Check negative values as well. */
-+ memset (&ttm, 0xFF, sizeof (ttm));
-+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
-+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
-+
-+ if (rc == 30)
-+ {
-+ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
-+ if (0 != strcmp (buf, expected))
-+ {
-+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
-+ ret += 1;
-+ }
-+ }
-+ else
-+ {
-+ printf ("expected 30, got %d\n", rc);
-+ ret += 1;
-+ }
-+
-+ return ret;
-+}
-+
- static struct
- {
- const char *fmt;
-@@ -104,7 +154,7 @@ do_test (void)
- }
- }
-
-- return result;
-+ return result + do_bz18985 ();
- }
-
- #define TEST_FUNCTION do_test ()
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
deleted file mode 100644
index eeab72d650..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Thu, 15 Oct 2015 09:23:07 +0200
-Subject: [PATCH] Always enable pointer guard [BZ #18928]
-
-Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
-has security implications. This commit enables pointer guard
-unconditionally, and the environment variable is now ignored.
-
- [BZ #18928]
- * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
- _dl_pointer_guard member.
- * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
- initializer.
- (security_init): Always set up pointer guard.
- (process_envvars): Do not process LD_POINTER_GUARD.
-
-Upstream-Status: Backport
-CVE: CVE-2015-8777
-[Yocto # 8980]
-
-https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 10 ++++++++++
- NEWS | 13 ++++++++-----
- elf/rtld.c | 15 ++++-----------
- sysdeps/generic/ldsodefs.h | 3 ---
- 4 files changed, 22 insertions(+), 19 deletions(-)
-
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,14 @@
-+2015-10-15 Florian Weimer <fweimer@redhat.com>
-+
-+ [BZ #18928]
-+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
-+ _dl_pointer_guard member.
-+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
-+ initializer.
-+ (security_init): Always set up pointer guard.
-+ (process_envvars): Do not process LD_POINTER_GUARD.
-+
-+
- 2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com>
-
- [BZ #18778]
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -34,7 +34,10 @@ Version 2.22
- 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
- 18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
- 18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
-- 18657, 18676, 18694, 18696.
-+ 18657, 18676, 18694, 18696, 18928.
-+
-+* The LD_POINTER_GUARD environment variable can no longer be used to
-+ disable the pointer guard feature. It is always enabled.
-
- * Cache information can be queried via sysconf() function on s390 e.g. with
- _SC_LEVEL1_ICACHE_SIZE as argument.
-Index: git/elf/rtld.c
-===================================================================
---- git.orig/elf/rtld.c
-+++ git/elf/rtld.c
-@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
- ._dl_hwcap_mask = HWCAP_IMPORTANT,
- ._dl_lazy = 1,
- ._dl_fpu_control = _FPU_DEFAULT,
-- ._dl_pointer_guard = 1,
- ._dl_pagesize = EXEC_PAGESIZE,
- ._dl_inhibit_cache = 0,
-
-@@ -710,15 +709,12 @@ security_init (void)
- #endif
-
- /* Set up the pointer guard as well, if necessary. */
-- if (GLRO(dl_pointer_guard))
-- {
-- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
-- stack_chk_guard);
-+ uintptr_t pointer_chk_guard
-+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
- #ifdef THREAD_SET_POINTER_GUARD
-- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
-+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
- #endif
-- __pointer_chk_guard_local = pointer_chk_guard;
-- }
-+ __pointer_chk_guard_local = pointer_chk_guard;
-
- /* We do not need the _dl_random value anymore. The less
- information we leave behind, the better, so clear the
-@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
- GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
- break;
- }
--
-- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
-- GLRO(dl_pointer_guard) = envline[14] != '0';
- break;
-
- case 14:
-Index: git/sysdeps/generic/ldsodefs.h
-===================================================================
---- git.orig/sysdeps/generic/ldsodefs.h
-+++ git/sysdeps/generic/ldsodefs.h
-@@ -600,9 +600,6 @@ struct rtld_global_ro
- /* List of auditing interfaces. */
- struct audit_ifaces *_dl_audit;
- unsigned int _dl_naudit;
--
-- /* 0 if internal pointer values should not be guarded, 1 if they should. */
-- EXTERN int _dl_pointer_guard;
- };
- # define __rtld_global_attribute__
- # if IS_IN (rtld)
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
deleted file mode 100644
index 4dc93c769d..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
+++ /dev/null
@@ -1,262 +0,0 @@
-From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
-From: Paul Pluzhnikov <ppluzhnikov@google.com>
-Date: Sat, 8 Aug 2015 15:53:03 -0700
-Subject: [PATCH] Fix BZ #17905
-
-Upstream-Status: Backport
-CVE: CVE-2015-8779
-[Yocto # 8980]
-
-https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 8 ++++++++
- NEWS | 2 +-
- catgets/Makefile | 9 ++++++++-
- catgets/catgets.c | 19 ++++++++++++-------
- catgets/open_catalog.c | 23 ++++++++++++++---------
- catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++
- 6 files changed, 74 insertions(+), 18 deletions(-)
-
-Index: git/catgets/Makefile
-===================================================================
---- git.orig/catgets/Makefile
-+++ git/catgets/Makefile
-@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
- ifeq ($(run-built-tests),yes)
- tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
- $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
-+tests-special += $(objpfx)tst-catgets-mem.out
- endif
- endif
- gencat-modules = xmalloc
-@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
-
- generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
- test-gencat.h
-+generated += tst-catgets.mtrace tst-catgets-mem.out
-+
- generated-dirs += de
-
--tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
-+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
-
- ifeq ($(run-built-tests),yes)
- # This test just checks whether the program produces any error or not.
-@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
- $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
- $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
- $(evaluate-test)
-+
-+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
-+ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
-+ $(evaluate-test)
- endif
-Index: git/catgets/catgets.c
-===================================================================
---- git.orig/catgets/catgets.c
-+++ git/catgets/catgets.c
-@@ -16,7 +16,6 @@
- License along with the GNU C Library; if not, see
- <http://www.gnu.org/licenses/>. */
-
--#include <alloca.h>
- #include <errno.h>
- #include <locale.h>
- #include <nl_types.h>
-@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
- __nl_catd result;
- const char *env_var = NULL;
- const char *nlspath = NULL;
-+ char *tmp = NULL;
-
- if (strchr (cat_name, '/') == NULL)
- {
-@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
- {
- /* Append the system dependent directory. */
- size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
-- char *tmp = alloca (len);
-+ tmp = malloc (len);
-+
-+ if (__glibc_unlikely (tmp == NULL))
-+ return (nl_catd) -1;
-
- __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
- nlspath = tmp;
-@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
-
- result = (__nl_catd) malloc (sizeof (*result));
- if (result == NULL)
-- /* We cannot get enough memory. */
-- return (nl_catd) -1;
--
-- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
-+ {
-+ /* We cannot get enough memory. */
-+ result = (nl_catd) -1;
-+ }
-+ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
- {
- /* Couldn't open the file. */
- free ((void *) result);
-- return (nl_catd) -1;
-+ result = (nl_catd) -1;
- }
-
-+ free (tmp);
- return (nl_catd) result;
- }
-
-Index: git/catgets/open_catalog.c
-===================================================================
---- git.orig/catgets/open_catalog.c
-+++ git/catgets/open_catalog.c
-@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
- size_t tab_size;
- const char *lastp;
- int result = -1;
-+ char *buf = NULL;
-
- if (strchr (cat_name, '/') != NULL || nlspath == NULL)
- fd = open_not_cancel_2 (cat_name, O_RDONLY);
-@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
- if (__glibc_unlikely (bufact + (n) >= bufmax)) \
- { \
- char *old_buf = buf; \
-- bufmax += 256 + (n); \
-- buf = (char *) alloca (bufmax); \
-- memcpy (buf, old_buf, bufact); \
-+ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
-+ buf = realloc (buf, bufmax); \
-+ if (__glibc_unlikely (buf == NULL)) \
-+ { \
-+ free (old_buf); \
-+ return -1; \
-+ } \
- }
-
- /* The RUN_NLSPATH variable contains a colon separated list of
- descriptions where we expect to find catalogs. We have to
- recognize certain % substitutions and stop when we found the
- first existing file. */
-- char *buf;
- size_t bufact;
-- size_t bufmax;
-+ size_t bufmax = 0;
- size_t len;
-
-- buf = NULL;
-- bufmax = 0;
--
- fd = -1;
- while (*run_nlspath != '\0')
- {
-@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
-
- /* Avoid dealing with directories and block devices */
- if (__builtin_expect (fd, 0) < 0)
-- return -1;
-+ {
-+ free (buf);
-+ return -1;
-+ }
-
- if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
- goto close_unlock_return;
-@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
- /* Release the lock again. */
- close_unlock_return:
- close_not_cancel_no_status (fd);
-+ free (buf);
-
- return result;
- }
-Index: git/catgets/tst-catgets.c
-===================================================================
---- git.orig/catgets/tst-catgets.c
-+++ git/catgets/tst-catgets.c
-@@ -1,7 +1,10 @@
-+#include <assert.h>
- #include <mcheck.h>
- #include <nl_types.h>
- #include <stdio.h>
-+#include <stdlib.h>
- #include <string.h>
-+#include <sys/resource.h>
-
-
- static const char *msgs[] =
-@@ -12,6 +15,33 @@ static const char *msgs[] =
- };
- #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
-
-+
-+/* Test for unbounded alloca. */
-+static int
-+do_bz17905 (void)
-+{
-+ char *buf;
-+ struct rlimit rl;
-+ nl_catd result;
-+
-+ const int sz = 1024 * 1024;
-+
-+ getrlimit (RLIMIT_STACK, &rl);
-+ rl.rlim_cur = sz;
-+ setrlimit (RLIMIT_STACK, &rl);
-+
-+ buf = malloc (sz + 1);
-+ memset (buf, 'A', sz);
-+ buf[sz] = '\0';
-+ setenv ("NLSPATH", buf, 1);
-+
-+ result = catopen (buf, NL_CAT_LOCALE);
-+ assert (result == (nl_catd) -1);
-+
-+ free (buf);
-+ return 0;
-+}
-+
- #define ROUNDS 5
-
- static int
-@@ -62,6 +92,7 @@ do_test (void)
- }
- }
-
-+ result += do_bz17905 ();
- return result;
- }
-
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,11 @@
-+2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
-+
-+ [BZ #17905]
-+ * catgets/Makefile (tst-catgets-mem): New test.
-+ * catgets/catgets.c (catopen): Don't use unbounded alloca.
-+ * catgets/open_catalog.c (__open_catalog): Likewise.
-+ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
-+
- 2015-10-15 Florian Weimer <fweimer@redhat.com>
-
- [BZ #18928]
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -9,7 +9,7 @@ Version 2.22.1
-
- * The following bugs are resolved with this release:
-
-- 18778, 18781, 18787.
-+ 18778, 18781, 18787, 17905.
-
- Version 2.22
-
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch b/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
deleted file mode 100644
index 3aca913317..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
+++ /dev/null
@@ -1,1039 +0,0 @@
-From e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 Mon Sep 17 00:00:00 2001
-From: Joseph Myers <joseph@codesourcery.com>
-Date: Tue, 24 Nov 2015 22:24:52 +0000
-Subject: [PATCH] Refactor strtod parsing of NaN payloads.
-
-The nan* functions handle their string argument by constructing a
-NAN(...) string on the stack as a VLA and passing it to strtod
-functions.
-
-This approach has problems discussed in bug 16961 and bug 16962: the
-stack usage is unbounded, and it gives incorrect results in certain
-cases where the argument is not a valid n-char-sequence.
-
-The natural fix for both issues is to refactor the NaN payload parsing
-out of strtod into a separate function that the nan* functions can
-call directly, so that no temporary string needs constructing on the
-stack at all. This patch does that refactoring in preparation for
-fixing those bugs (but without actually using the new functions from
-nan* - which will also require exporting them from libc at version
-GLIBC_PRIVATE). This patch is not intended to change any user-visible
-behavior, so no tests are added (fixes for the above bugs will of
-course add tests for them).
-
-This patch builds on my recent fixes for strtol and strtod issues in
-Turkish locales. Given those fixes, the parsing of NaN payloads is
-locale-independent; thus, the new functions do not need to take a
-locale_t argument.
-
-Tested for x86_64, x86, mips64 and powerpc.
-
- * stdlib/strtod_nan.c: New file.
- * stdlib/strtod_nan_double.h: Likewise.
- * stdlib/strtod_nan_float.h: Likewise.
- * stdlib/strtod_nan_main.c: Likewise.
- * stdlib/strtod_nan_narrow.h: Likewise.
- * stdlib/strtod_nan_wide.h: Likewise.
- * stdlib/strtof_nan.c: Likewise.
- * stdlib/strtold_nan.c: Likewise.
- * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
- * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
- * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
- * wcsmbs/wcstod_nan.c: Likewise.
- * wcsmbs/wcstof_nan.c: Likewise.
- * wcsmbs/wcstold_nan.c: Likewise.
- * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
- strtold_nan.
- * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
- wcstof_nan.
- * include/stdlib.h (__strtof_nan): Declare and use
- libc_hidden_proto.
- (__strtod_nan): Likewise.
- (__strtold_nan): Likewise.
- (__wcstof_nan): Likewise.
- (__wcstod_nan): Likewise.
- (__wcstold_nan): Likewise.
- * include/wchar.h (____wcstoull_l_internal): Declare.
- * stdlib/strtod_l.c: Do not include <ieee754.h>.
- (____strtoull_l_internal): Remove declaration.
- (STRTOF_NAN): Define macro.
- (SET_MANTISSA): Remove macro.
- (STRTOULL): Likewise.
- (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
- * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
- (STRTOF_NAN): Define macro.
- (SET_MANTISSA): Remove macro.
- * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
- (SET_MANTISSA): Remove macro.
- * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
- macro.
- (SET_MANTISSA): Remove macro.
- * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
- macro.
- (SET_MANTISSA): Remove macro.
- * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
- (SET_MANTISSA): Remove macro.
- * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
- * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
- * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
-
-Upstream-Status: Backport
-CVE: CVE-2015-9761 patch #1
-[Yocto # 8980]
-
-https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 49 ++++++++++++++++++
- include/stdlib.h | 18 +++++++
- include/wchar.h | 3 ++
- stdlib/Makefile | 1 +
- stdlib/strtod_l.c | 48 ++++--------------
- stdlib/strtod_nan.c | 24 +++++++++
- stdlib/strtod_nan_double.h | 30 +++++++++++
- stdlib/strtod_nan_float.h | 29 +++++++++++
- stdlib/strtod_nan_main.c | 63 ++++++++++++++++++++++++
- stdlib/strtod_nan_narrow.h | 22 +++++++++
- stdlib/strtod_nan_wide.h | 22 +++++++++
- stdlib/strtof_l.c | 11 +----
- stdlib/strtof_nan.c | 24 +++++++++
- stdlib/strtold_nan.c | 30 +++++++++++
- sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h | 33 +++++++++++++
- sysdeps/ieee754/ldbl-128/strtold_l.c | 13 +----
- sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h | 30 +++++++++++
- sysdeps/ieee754/ldbl-128ibm/strtold_l.c | 10 +---
- sysdeps/ieee754/ldbl-64-128/strtold_l.c | 13 +----
- sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h | 30 +++++++++++
- sysdeps/ieee754/ldbl-96/strtold_l.c | 10 +---
- wcsmbs/Makefile | 1 +
- wcsmbs/wcstod_l.c | 3 --
- wcsmbs/wcstod_nan.c | 23 +++++++++
- wcsmbs/wcstof_l.c | 3 --
- wcsmbs/wcstof_nan.c | 23 +++++++++
- wcsmbs/wcstold_l.c | 3 --
- wcsmbs/wcstold_nan.c | 30 +++++++++++
- 28 files changed, 504 insertions(+), 95 deletions(-)
- create mode 100644 stdlib/strtod_nan.c
- create mode 100644 stdlib/strtod_nan_double.h
- create mode 100644 stdlib/strtod_nan_float.h
- create mode 100644 stdlib/strtod_nan_main.c
- create mode 100644 stdlib/strtod_nan_narrow.h
- create mode 100644 stdlib/strtod_nan_wide.h
- create mode 100644 stdlib/strtof_nan.c
- create mode 100644 stdlib/strtold_nan.c
- create mode 100644 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
- create mode 100644 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
- create mode 100644 sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
- create mode 100644 wcsmbs/wcstod_nan.c
- create mode 100644 wcsmbs/wcstof_nan.c
- create mode 100644 wcsmbs/wcstold_nan.c
-
-Index: git/include/stdlib.h
-===================================================================
---- git.orig/include/stdlib.h
-+++ git/include/stdlib.h
-@@ -203,6 +203,24 @@ libc_hidden_proto (strtoll)
- libc_hidden_proto (strtoul)
- libc_hidden_proto (strtoull)
-
-+extern float __strtof_nan (const char *, char **, char) internal_function;
-+extern double __strtod_nan (const char *, char **, char) internal_function;
-+extern long double __strtold_nan (const char *, char **, char)
-+ internal_function;
-+extern float __wcstof_nan (const wchar_t *, wchar_t **, wchar_t)
-+ internal_function;
-+extern double __wcstod_nan (const wchar_t *, wchar_t **, wchar_t)
-+ internal_function;
-+extern long double __wcstold_nan (const wchar_t *, wchar_t **, wchar_t)
-+ internal_function;
-+
-+libc_hidden_proto (__strtof_nan)
-+libc_hidden_proto (__strtod_nan)
-+libc_hidden_proto (__strtold_nan)
-+libc_hidden_proto (__wcstof_nan)
-+libc_hidden_proto (__wcstod_nan)
-+libc_hidden_proto (__wcstold_nan)
-+
- extern char *__ecvt (double __value, int __ndigit, int *__restrict __decpt,
- int *__restrict __sign);
- extern char *__fcvt (double __value, int __ndigit, int *__restrict __decpt,
-Index: git/include/wchar.h
-===================================================================
---- git.orig/include/wchar.h
-+++ git/include/wchar.h
-@@ -52,6 +52,9 @@ extern unsigned long long int __wcstoull
- __restrict __endptr,
- int __base,
- int __group) __THROW;
-+extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
-+ wchar_t **, int, int,
-+ __locale_t);
- libc_hidden_proto (__wcstof_internal)
- libc_hidden_proto (__wcstod_internal)
- libc_hidden_proto (__wcstold_internal)
-Index: git/stdlib/Makefile
-===================================================================
---- git.orig/stdlib/Makefile
-+++ git/stdlib/Makefile
-@@ -51,6 +51,7 @@ routines-y := \
- strtol_l strtoul_l strtoll_l strtoull_l \
- strtof strtod strtold \
- strtof_l strtod_l strtold_l \
-+ strtof_nan strtod_nan strtold_nan \
- system canonicalize \
- a64l l64a \
- getsubopt xpg_basename \
-Index: git/stdlib/strtod_l.c
-===================================================================
---- git.orig/stdlib/strtod_l.c
-+++ git/stdlib/strtod_l.c
-@@ -21,8 +21,6 @@
- #include <xlocale.h>
-
- extern double ____strtod_l_internal (const char *, char **, int, __locale_t);
--extern unsigned long long int ____strtoull_l_internal (const char *, char **,
-- int, int, __locale_t);
-
- /* Configuration part. These macros are defined by `strtold.c',
- `strtof.c', `wcstod.c', `wcstold.c', and `wcstof.c' to produce the
-@@ -34,27 +32,20 @@ extern unsigned long long int ____strtou
- # ifdef USE_WIDE_CHAR
- # define STRTOF wcstod_l
- # define __STRTOF __wcstod_l
-+# define STRTOF_NAN __wcstod_nan
- # else
- # define STRTOF strtod_l
- # define __STRTOF __strtod_l
-+# define STRTOF_NAN __strtod_nan
- # endif
- # define MPN2FLOAT __mpn_construct_double
- # define FLOAT_HUGE_VAL HUGE_VAL
--# define SET_MANTISSA(flt, mant) \
-- do { union ieee754_double u; \
-- u.d = (flt); \
-- u.ieee_nan.mantissa0 = (mant) >> 32; \
-- u.ieee_nan.mantissa1 = (mant); \
-- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
-- (flt) = u.d; \
-- } while (0)
- #endif
- /* End of configuration part. */
-
- #include <ctype.h>
- #include <errno.h>
- #include <float.h>
--#include <ieee754.h>
- #include "../locale/localeinfo.h"
- #include <locale.h>
- #include <math.h>
-@@ -105,7 +96,6 @@ extern unsigned long long int ____strtou
- # define TOLOWER_C(Ch) __towlower_l ((Ch), _nl_C_locobj_ptr)
- # define STRNCASECMP(S1, S2, N) \
- __wcsncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
--# define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, loc)
- #else
- # define STRING_TYPE char
- # define CHAR_TYPE char
-@@ -117,7 +107,6 @@ extern unsigned long long int ____strtou
- # define TOLOWER_C(Ch) __tolower_l ((Ch), _nl_C_locobj_ptr)
- # define STRNCASECMP(S1, S2, N) \
- __strncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
--# define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, loc)
- #endif
-
-
-@@ -668,33 +657,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group
- if (*cp == L_('('))
- {
- const STRING_TYPE *startp = cp;
-- do
-- ++cp;
-- while ((*cp >= L_('0') && *cp <= L_('9'))
-- || ({ CHAR_TYPE lo = TOLOWER (*cp);
-- lo >= L_('a') && lo <= L_('z'); })
-- || *cp == L_('_'));
--
-- if (*cp != L_(')'))
-- /* The closing brace is missing. Only match the NAN
-- part. */
-- cp = startp;
-+ STRING_TYPE *endp;
-+ retval = STRTOF_NAN (cp + 1, &endp, L_(')'));
-+ if (*endp == L_(')'))
-+ /* Consume the closing parenthesis. */
-+ cp = endp + 1;
- else
-- {
-- /* This is a system-dependent way to specify the
-- bitmask used for the NaN. We expect it to be
-- a number which is put in the mantissa of the
-- number. */
-- STRING_TYPE *endp;
-- unsigned long long int mant;
--
-- mant = STRTOULL (startp + 1, &endp, 0);
-- if (endp == cp)
-- SET_MANTISSA (retval, mant);
--
-- /* Consume the closing brace. */
-- ++cp;
-- }
-+ /* Only match the NAN part. */
-+ cp = startp;
- }
-
- if (endptr != NULL)
-Index: git/stdlib/strtod_nan.c
-===================================================================
---- /dev/null
-+++ git/stdlib/strtod_nan.c
-@@ -0,0 +1,24 @@
-+/* Convert string for NaN payload to corresponding NaN. Narrow
-+ strings, double.
-+ Copyright (C) 2015 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ <http://www.gnu.org/licenses/>. */
-+
-+#include <strtod_nan_narrow.h>
-+#include <strtod_nan_double.h>
-+
-+#define STRTOD_NAN __strtod_nan
-+#include <strtod_nan_main.c>
-Index: git/stdlib/strtod_nan_double.h
-===================================================================
---- /dev/null
-+++ git/stdlib/strtod_nan_double.h
-@@ -0,0 +1,30 @@
-+/* Convert string for NaN payload to corresponding NaN. For double.
-+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ <http://www.gnu.org/licenses/>. */
-+
-+#define FLOAT double
-+#define SET_MANTISSA(flt, mant) \
-+ do \
-+ { \
-+ union ieee754_double u; \
-+ u.d = (flt); \
-+ u.ieee_nan.mantissa0 = (mant) >> 32; \
-+ u.ieee_nan.mantissa1 = (mant); \
-+ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
-+ (flt) = u.d; \
-+ } \
-+ while (0)
-Index: git/stdlib/strtod_nan_float.h
-===================================================================
---- /dev/null
-+++ git/stdlib/strtod_nan_float.h
-@@ -0,0 +1,29 @@
-+/* Convert string for NaN payload to corresponding NaN. For float.
-+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ <http://www.gnu.org/licenses/>. */
-+
-+#define FLOAT float
-+#define SET_MANTISSA(flt, mant) \
-+ do \
-+ { \
-+ union ieee754_float u; \
-+ u.f = (flt); \
-+ u.ieee_nan.mantissa = (mant); \
-+ if (u.ieee.mantissa != 0) \
-+ (flt) = u.f; \
-+ } \
-+ while (0)
-Index: git/stdlib/strtod_nan_main.c
-===================================================================
---- /dev/null
-+++ git/stdlib/strtod_nan_main.c
-@@ -0,0 +1,63 @@
-+/* Convert string for NaN payload to corresponding NaN.
-+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of