Will Newton [Fri, 16 Aug 2013 11:54:29 +0000 (12:54 +0100)]
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
Will Newton [Fri, 16 Aug 2013 10:59:37 +0000 (11:59 +0100)]
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
Will Newton [Mon, 12 Aug 2013 14:08:02 +0000 (15:08 +0100)]
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
Carlos O'Donell [Mon, 23 Sep 2013 04:52:09 +0000 (00:52 -0400)]
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
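As an added illustration of the CVE-2013-4788 entry above (this is example code, not glibc's own implementation): pointer mangling in the style of PTR_MANGLE keys a cheap transform on a per-process secret, so the whole protection rests on that secret being initialised to a random value. The rotate count, the helper names and the sample guard arrays are constructed for this example; `guards_look_random` mirrors the intent of the regression test described above (guards must be non-zero and differ between runs) on constructed samples rather than on real child processes.

```c
#include <stddef.h>
#include <stdint.h>

/* Rotate helpers; the count is fixed to 17 below, so 0 and 64 never occur.  */
static inline uint64_t rotl64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static inline uint64_t rotr64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* Mangling in the assumed shape of the x86-64 scheme: XOR with the
   per-process guard, then rotate.  Stored code pointers (jmp_buf,
   atexit handlers) are kept in this form.  */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)
{
    return rotl64(ptr ^ guard, 17);
}

uint64_t ptr_demangle(uint64_t mangled, uint64_t guard)
{
    return rotr64(mangled, 17) ^ guard;
}

/* What an uninitialised (zero) guard means: the transform degenerates to a
   bare rotate that needs no secret to undo.  Returns 1 when undoing only
   the rotate does NOT recover the pointer, i.e. the guard contributes.  */
int guard_protects(uint64_t ptr, uint64_t guard)
{
    uint64_t mangled = ptr_mangle(ptr, guard);
    return rotr64(mangled, 17) != ptr;
}

/* Sanity check in the spirit of tst-ptrguard1: every sampled guard must
   be non-zero and no two samples may coincide.  Returns 1 if so, else 0.  */
int guards_look_random(const uint64_t *guards, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (guards[i] == 0)
            return 0;
        for (size_t j = 0; j < i; j++)
            if (guards[i] == guards[j])
                return 0;
    }
    return 1;
}

/* Constructed samples: what a broken (never initialised) static binary
   would show across runs, and what a fixed one should show.  */
#define SAMPLE_N 4
const uint64_t sample_guards_uninitialised[SAMPLE_N] = { 0, 0, 0, 0 };
const uint64_t sample_guards_random[SAMPLE_N] = {
    0x9d2c5680a1f3e47bULL, 0x3e7b1c9f04d8a62eULL,
    0xb5041f7ac92e8d13ULL, 0x61ee0a3d7f28b9c4ULL
};
```

The check in `guards_look_random` is deliberately weak (it only catches constant or repeated guards); a real test would additionally compare against the stack guard and other known values, as the regression tests described above do.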
Check for integer overflow in cache size computation in strcoll
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again. For very large string
inputs, the cache size computation could overflow. In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.
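The three malloc entries (memalign, valloc, pvalloc) and the strcoll cache-size entry above all fix the same defect class: a size computed from a caller-controlled count wraps around and a tiny request reaches the allocator. The following is an added example, not glibc's code: `MINSIZE`, `PAGE_SIZE` and every function name here are constructed for illustration. It shows the unchecked sum beside the checked form (compare against SIZE_MAX before doing any arithmetic on the request), the page-rounding variant pvalloc needs, the multiplicative check a strcoll-style cache needs, and a small memalign front-end built on plain malloc that fails with ENOMEM instead of wrapping.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for allocator internals: MINSIZE is the smallest
   chunk the allocator carves, PAGE_SIZE is fixed so the example behaves the
   same on every host.  */
#define MINSIZE   32
#define PAGE_SIZE 4096

/* The unchecked computation before the fix: the sum silently wraps for a
   large `bytes` and a tiny size reaches the allocator.  Shown only to make
   the wrap visible; never use it for real sizing.  */
size_t unchecked_memalign_size(size_t bytes, size_t alignment)
{
    return bytes + alignment + MINSIZE;
}

/* memalign/valloc-style request: the bytes to ask the allocator for, or 0
   when bytes + alignment + MINSIZE would overflow (0 is never a valid
   result because MINSIZE > 0).  */
size_t checked_memalign_size(size_t bytes, size_t alignment)
{
    if (alignment > SIZE_MAX - MINSIZE || bytes > SIZE_MAX - alignment - MINSIZE)
        return 0;
    return bytes + alignment + MINSIZE;
}

/* pvalloc-style request: bytes is rounded up to a page multiple, so the
   headroom is a page for rounding, a page of alignment slack and the chunk
   header.  Returns the rounded size or 0 on overflow.  */
size_t checked_pvalloc_size(size_t bytes)
{
    if (bytes > SIZE_MAX - 2 * PAGE_SIZE - MINSIZE)
        return 0;
    return (bytes + PAGE_SIZE - 1) & ~(size_t)(PAGE_SIZE - 1);
}

/* strcoll-style cache sizing: `count` entries of `entry` bytes each, so the
   multiplication is what must be checked.  Returns 0 on overflow, which
   tells the caller to take the non-caching path (count == 0 also yields 0,
   and nothing needs caching in that case either).  */
size_t checked_cache_size(size_t count, size_t entry)
{
    if (entry != 0 && count > SIZE_MAX / entry)
        return 0;
    return count * entry;
}

/* A hardened memalign on top of plain malloc: rejects oversized requests
   with ENOMEM, otherwise over-allocates by the checked amount and stores
   malloc's raw pointer just below the aligned block for aligned_free.  */
void *safe_memalign(size_t alignment, size_t bytes)
{
    if (alignment < sizeof(void *) || (alignment & (alignment - 1)) != 0) {
        errno = EINVAL;          /* power of two, at least pointer-sized */
        return NULL;
    }
    size_t need = checked_memalign_size(bytes, alignment);
    if (need == 0) {
        errno = ENOMEM;          /* the fix's behaviour: fail, do not wrap */
        return NULL;
    }
    unsigned char *raw = malloc(need);
    if (raw == NULL)
        return NULL;
    uintptr_t addr = ((uintptr_t)raw + sizeof(void *) + alignment - 1)
                     & ~(uintptr_t)(alignment - 1);
    ((void **)addr)[-1] = raw;   /* remember where malloc's block starts */
    return (void *)addr;
}

void aligned_free(void *p)
{
    if (p != NULL)
        free(((void **)p)[-1]);
}

/* End-to-end check: 1 if an allocation of `bytes` at `alignment` succeeds,
   is correctly aligned and its last byte is writable, else 0.  */
int memalign_roundtrip(size_t alignment, size_t bytes)
{
    void *p = safe_memalign(alignment, bytes);
    if (p == NULL)
        return 0;
    int ok = ((uintptr_t)p % alignment) == 0;
    ((unsigned char *)p)[bytes ? bytes - 1 : 0] = 0xAA;
    aligned_free(p);
    return ok;
}
```

The ordering matters: every check compares the untrusted operand against `SIZE_MAX` minus the known constants, so the check itself cannot wrap, and only then is the sum or product formed.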
Fall back to non-cached sequence traversal and comparison on malloc fail
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow. This patch implements sequence traversal and
comparison without caching indices and rules.
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
Carlos O'Donell [Fri, 19 Jul 2013 06:42:03 +0000 (02:42 -0400)]
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown could be tricked into granting access to another
user's pseudo-terminal.
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.
In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable the use of pt_chown but distributions do so at their own
risk.
Jeff Law [Wed, 28 Nov 2012 21:12:28 +0000 (14:12 -0700)]
[BZ #14889]
* sunrpc/rpc/svc.h (__svc_accept_failed): New prototype.
* sunrpc/svc.c: Include time.h.
(__svc_accept_failed): New function.
* sunrpc/svc_tcp.c (rendezvous_request): If the accept fails for
any reason other than EINTR, call __svc_accept_failed.
* sunrpc/svc_udp.c (svcudp_recv): Similarly.
* sunrpc/svc_unix.c (rendezvous_request): Similarly.
This patch fixes the 3c0265394d9ffedff2b0de508602dc52e077ce5c commit
by correctly setting the minimum architecture for the modf PPC optimization
to power5+ instead of power5 (since only on power5+ will round/ceil
be inlined to inline assembly).
Mike Frysinger [Thu, 29 Nov 2012 04:04:32 +0000 (23:04 -0500)]
byteswap.h: fix gcc ver test for __builtin_bswap{32,64}
The __builtin_bswap* functions were introduced in gcc-4.3, not gcc-4.2.
Fix the __GNUC_PREREQ tests to reflect this.
Otherwise trying to compile code with gcc-4.2 falls down:
In file included from /usr/include/endian.h:60,
from /usr/include/ctype.h:40,
/usr/include/bits/byteswap.h: In function 'unsigned int __bswap_32(unsigned int)':
/usr/include/bits/byteswap.h:46: error: '__builtin_bswap32' was not declared in this scope
/usr/include/bits/byteswap.h: In function 'long long unsigned int __bswap_64(long long unsigned int)':
/usr/include/bits/byteswap.h:110: error: '__builtin_bswap64' was not declared in this scope
Jeff Law [Wed, 7 Nov 2012 18:58:37 +0000 (11:58 -0700)]
2012-11-07 Andreas Jaeger <aj@suse.de>
[BZ #14809]
* sysdeps/unix/sysv/linux/sys/sysctl.h (_UAPI_LINUX_KERNEL_H)
(_UAPI_LINUX_TYPES_H): Starting with Linux 3.7, the include header
guards are changed. Only define if not yet defined, #undef back
after including linux/sysctl.h if defined here.
(cherry picked from commit 01f34a3bd8c087ca4be0bd24857e454c8d29f20b)
* stdio-common/Makefile (tst-sprintf-ENV): Set environment
for testcase.
* stdio-common/tst-sprintf.c: Include <locale.h>
(main): Test sprintf's handling of incomplete multibyte
characters.
[BZ #14195]
* sysdeps/i386/i686/multiarch/strcmp-sssse3.S: Fix
segmentation fault for a case of two empty input strings.
* string/test-strncasecmp.c (check1): Renamed to...
(bz12205): ...this.
(bz14195): Add new testcase for two empty input strings and N > 0.
(test_main): Call new testcase, adapt for renamed function.
(cherry picked from commit b3f479a85a3e191befbe821d787d7f71c0f64e79)
Mike Frysinger [Tue, 3 Jul 2012 19:22:05 +0000 (15:22 -0400)]
sunrpc: fix rpc bootstrap builds
If you build & install glibc w/rpc disabled, you no longer have headers in
/usr/include/rpc/ (this is expected). But if you try to build glibc w/rpc
enabled, this gets into a bad state due to the new rpc helpers that get
cross-compiled:
$ make
...
x86_64-pc-linux-gnu-gcc -m32 -D_RPC_THREAD_SAFE_ -D_GNU_SOURCE -DIS_IN_build \
-include $objdir/config.h rpc_clntout.c -o $objdir/sunrpc/cross-rpc_clntout.o \
-MMD -MP -MF $objdir/sunrpc/cross-rpc_clntout.o.dt -MT $objdir/sunrpc/cross-rpc_clntout.o -c
rpc_clntout.c:34:23: fatal error: rpc/types.h: No such file or directory
compilation terminated.
make: *** [$objdir/sunrpc/cross-rpc_clntout.o] Error 1
Andreas Schwab [Fri, 22 Jun 2012 18:10:31 +0000 (11:10 -0700)]
Fix invalid memory access in do_lookup_x.
[BZ #13579] Do not free l_initfini and allow it to be reused
on subsequent dl_open calls for the same library. This fixes
the invalid memory access in do_lookup_x when the previously
free'd l_initfini was accessed through l_searchlist when a
library had been opened for the second time.
Jeff Law [Thu, 21 Jun 2012 15:26:41 +0000 (09:26 -0600)]
2012-06-21 Jeff Law <law@redhat.com>
[BZ #13882]
* elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection. Use
uint16_t for elements in the "seen" array to avoid char overflows.
* elf/dl-fini.c (_dl_sort_fini): Likewise.
* elf/dl-open.c (dl_open_worker): Likewise.
Account for the extra stack size when rlimit is small enough
When rlimit is small enough to be used as the stacksize to be returned
in pthread_getattr_np, cases where a stack is made executable due to a
DSO load get a stack size that is larger than what the kernel
allows. This is because in such a case the stack size does not account
for the pages that have auxv and program arguments.
Additionally, the stacksize for the process derived from this should
be truncated to align to page size to avoid going beyond rlimit.
Cyril Hrubis [Fri, 15 Jun 2012 07:09:05 +0000 (09:09 +0200)]
Add __wur to GNU version of strerror_r.
Not using the result of the GNU strerror_r() is always a mistake.
Moreover this would generate a warning if the XSI version was expected but the GNU
version was used instead (because some random used header defined
_GNU_SOURCE, which was Python.h in this case).