Paul Pluzhnikov [Fri, 6 Feb 2015 05:30:42 +0000 (00:30 -0500)]
CVE-2015-1472: wscanf allocates too little memory
BZ #16618
Under certain conditions wscanf can allocate too little memory for the
to-be-scanned arguments and overflow the allocated buffer. The
implementation now correctly computes the required buffer size when
using malloc.
The IFUNC selector for gettimeofday runs before _libc_vdso_platform_setup where
__vdso_gettimeofday is set. The selector then sets __gettimeofday (the internal
version used within GLIBC) to use the system call version instead of the vDSO one.
This patch changes the check if vDSO is available to get its value directly
instead of relying on __vdso_gettimeofday.
This patch changes it by getting the vDSO value directly.
PowerPC: Fix ftime gettimeofday internal call returning bogus data
This patch fixes BZ#16430 by setting a different symbol for internal
GLIBC calls that points to ifunc resolvers. For PPC32, if the symbol
is defined as hidden (which is the case for gettimeofday and time) the
compiler will create local branches (symbol@local) and linker will not
create PLT calls (required for IFUNC). This will lead to the internal symbol
calling the IFUNC resolver instead of the resolved symbol.
For PPC64 this behavior does not occur because a call to a function in
another translation unit might use a different toc pointer thus requiring
a PLT call.
This patch fixes the vDSO symbol used directly in IFUNC resolvers where
they do not have an associated ODP entry leading to undefined behavior
in some cases. It adds an artificial OPD static entry to such cases
and sets its TOC to non-zero to avoid triggering lazy resolutions.
Carlos O'Donell [Wed, 19 Nov 2014 16:44:12 +0000 (11:44 -0500)]
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
expression are evaluated in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
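The constructs this commit describes, exercised from the defending side as an added example (not glibc's own regression test): each constructed input embeds command substitution inside arithmetic expansion and must be refused with WRDE_CMDSUB under WRDE_NOCMD, while plain arithmetic must still expand. The helper names are assumptions.

```c
/* Added example, not glibc's regression test: exercise the WRDE_NOCMD
   refusal described above.  Every input embeds command substitution
   inside arithmetic expansion, the shape the fix targets; a correct
   wordexp() must return WRDE_CMDSUB without running a shell. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <wordexp.h>

/* Constructed inputs of the "$((... ``))" form, some nested; the
   embedded commands are inert echo calls. */
static const char *const nocmd_cases[] = {
    "$((1 + `echo 2`))",
    "$((1 + $(echo 2)))",
    "$((1 + $((2 + `echo 3`))))",
    "$(($((1 + `echo 2`)) + 1))",
    "`echo 1`",
};

/* True if wordexp refuses every case above with WRDE_CMDSUB. */
bool nocmd_is_honoured(void)
{
    size_t n = sizeof nocmd_cases / sizeof nocmd_cases[0];
    for (size_t i = 0; i < n; i++) {
        wordexp_t we;
        memset(&we, 0, sizeof we);
        int rc = wordexp(nocmd_cases[i], &we, WRDE_NOCMD);
        if (rc == 0)           /* a buggy libc expanded it: release words */
            wordfree(&we);
        if (rc != WRDE_CMDSUB)
            return false;
    }
    return true;
}

/* Sanity check: WRDE_NOCMD must not break plain arithmetic expansion. */
bool plain_arith_still_expands(void)
{
    wordexp_t we;
    if (wordexp("$((1 + 2))", &we, WRDE_NOCMD) != 0)
        return false;
    bool ok = we.we_wordc == 1 && strcmp(we.we_wordv[0], "3") == 0;
    wordfree(&we);
    return ok;
}
```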
Will Newton [Fri, 16 Aug 2013 11:54:29 +0000 (12:54 +0100)]
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
Will Newton [Fri, 16 Aug 2013 10:59:37 +0000 (11:59 +0100)]
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
Will Newton [Mon, 12 Aug 2013 14:08:02 +0000 (15:08 +0100)]
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
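An added example, not glibc's code, serving the memalign, valloc and pvalloc entries above: a wrapper that performs the kind of size check these three commits describe before allocating, so a near-SIZE_MAX request is refused with ENOMEM instead of wrapping to a small internal size. The OVERHEAD constant and the helper names are assumptions.

```c
/* Added example, not glibc's code: a memalign-style wrapper that refuses
   requests which would wrap around once the allocator adds alignment
   slack and its own chunk overhead (OVERHEAD is a constructed stand-in). */
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define OVERHEAD 32  /* assumed allocator header + minimum chunk size */

/* True when bytes + alignment + OVERHEAD fits in size_t, i.e. the
   internal rounded-up request cannot wrap to a small value. */
bool memalign_size_ok(size_t bytes, size_t alignment)
{
    if (alignment > SIZE_MAX - OVERHEAD)
        return false;
    return bytes <= SIZE_MAX - alignment - OVERHEAD;
}

/* What an unchecked allocator would compute as its internal request
   size; for a near-SIZE_MAX request this silently becomes tiny. */
size_t rounded_request(size_t bytes, size_t alignment)
{
    return (bytes + alignment + OVERHEAD) & ~(alignment - 1);
}

/* memalign(3)-style front end: validate alignment, check overflow,
   then hand the request to posix_memalign. */
void *safe_memalign(size_t alignment, size_t bytes)
{
    if (alignment < sizeof(void *) || (alignment & (alignment - 1)) != 0) {
        errno = EINVAL;
        return NULL;
    }
    if (!memalign_size_ok(bytes, alignment)) {
        errno = ENOMEM;  /* refuse rather than corrupt allocator state */
        return NULL;
    }
    void *p = NULL;
    return posix_memalign(&p, alignment, bytes) == 0 ? p : NULL;
}

/* Allocate, verify the result's alignment, free, and report. */
bool memalign_roundtrip_ok(size_t alignment, size_t bytes)
{
    void *p = safe_memalign(alignment, bytes);
    bool aligned = p != NULL && ((uintptr_t)p % alignment) == 0;
    free(p);  /* free(NULL) is a no-op */
    return aligned;
}
```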
Carlos O'Donell [Mon, 23 Sep 2013 04:52:09 +0000 (00:52 -0400)]
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
Check for integer overflow in cache size computation in strcoll
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again. For very large string
inputs, the cache size computation could overflow. In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.
Fall back to non-cached sequence traversal and comparison on malloc fail
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow. This patch implements sequence traversal and
comparison without caching indices and rules.
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
Carlos O'Donell [Fri, 19 Jul 2013 06:42:03 +0000 (02:42 -0400)]
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.
In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable the use of pt_chown but distributions do so at their own
risk.
Jeff Law [Wed, 28 Nov 2012 21:12:28 +0000 (14:12 -0700)]
[BZ #14889]
* sunrpc/rpc/svc.h (__svc_accept_failed): New prototype.
* sunrpc/svc.c: Include time.h.
(__svc_accept_failed): New function.
* sunrpc/svc_tcp.c (rendezvous_request): If the accept fails for
any reason other than EINTR, call __svc_accept_failed.
* sunrpc/svc_udp.c (svcudp_recv): Similarly.
* sunrpc/svc_unix.c (rendezvous_request): Similarly.
This patch fixes the 3c0265394d9ffedff2b0de508602dc52e077ce5c commit
by correctly setting the minimum architecture for the modf PPC optimization
to power5+ instead of power5 (since only on power5+ will round/ceil
be inlined to inline assembly).
Mike Frysinger [Thu, 29 Nov 2012 04:04:32 +0000 (23:04 -0500)]
byteswap.h: fix gcc ver test for __builtin_bswap{32,64}
The __builtin_bswap* functions were introduced in gcc-4.3, not gcc-4.2.
Fix the __GNUC_PREREQ tests to reflect this.
Otherwise trying to compile code with gcc-4.2 falls down:
In file included from /usr/include/endian.h:60,
from /usr/include/ctype.h:40,
/usr/include/bits/byteswap.h: In function 'unsigned int __bswap_32(unsigned int)':
/usr/include/bits/byteswap.h:46: error: '__builtin_bswap32' was not declared in this scope
/usr/include/bits/byteswap.h: In function 'long long unsigned int __bswap_64(long long unsigned int)':
/usr/include/bits/byteswap.h:110: error: '__builtin_bswap64' was not declared in this scope
Jeff Law [Wed, 7 Nov 2012 18:58:37 +0000 (11:58 -0700)]
2012-11-07 Andreas Jaeger <aj@suse.de>
[BZ #14809]
* sysdeps/unix/sysv/linux/sys/sysctl.h (_UAPI_LINUX_KERNEL_H)
(_UAPI_LINUX_TYPES_H): Starting with Linux 3.7, the include header
guards are changed. Only define if not yet defined, #undef back
after including linux/sysctl.h if defined here.
(cherry picked from commit 01f34a3bd8c087ca4be0bd24857e454c8d29f20b)
* stdio-common/Makefile (tst-sprintf-ENV): Set environment
for testcase.
* stdio-common/tst-sprintf.c: Include <locale.h>
(main): Test sprintf's handling of incomplete multibyte
characters.
[BZ #14195]
* sysdeps/i386/i686/multiarch/strcmp-sssse3.S: Fix
segmentation fault for a case of two empty input strings.
* string/test-strncasecmp.c (check1): Renamed to...
(bz12205): ...this.
(bz14195): Add new testcase for two empty input strings and N > 0.
(test_main): Call new testcase, adapt for renamed function.
(cherry picked from commit b3f479a85a3e191befbe821d787d7f71c0f64e79)
Mike Frysinger [Tue, 3 Jul 2012 19:22:05 +0000 (15:22 -0400)]
sunrpc: fix rpc bootstrap builds
If you build & install glibc w/rpc disabled, you no longer have headers in
/usr/include/rpc/ (this is expected). But if you try to build glibc w/rpc
enabled, this gets into a bad state due to the new rpc helpers that get
cross-compiled:
$ make
...
x86_64-pc-linux-gnu-gcc -m32 -D_RPC_THREAD_SAFE_ -D_GNU_SOURCE -DIS_IN_build \
-include $objdir/config.h rpc_clntout.c -o $objdir/sunrpc/cross-rpc_clntout.o \
-MMD -MP -MF $objdir/sunrpc/cross-rpc_clntout.o.dt -MT $objdir/sunrpc/cross-rpc_clntout.o -c
rpc_clntout.c:34:23: fatal error: rpc/types.h: No such file or directory
compilation terminated.
make: *** [$objdir/sunrpc/cross-rpc_clntout.o] Error 1
Andreas Schwab [Fri, 22 Jun 2012 18:10:31 +0000 (11:10 -0700)]
Fix invalid memory access in do_lookup_x.
[BZ #13579] Do not free l_initfini and allow it to be reused
on subsequent dl_open calls for the same library. This fixes
the invalid memory access in do_lookup_x when the previously
free'd l_initfini was accessed through l_searchlist when a
library had been opened for the second time.
Jeff Law [Thu, 21 Jun 2012 15:26:41 +0000 (09:26 -0600)]
2012-06-21 Jeff Law <law@redhat.com>
[BZ #13882]
* elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection. Use
uint16_t for elements in the "seen" array to avoid char overflows.
* elf/dl-fini.c (_dl_sort_fini): Likewise.
* elf/dl-open.c (dl_open_worker): Likewise.
Account for the extra stack size when rlimit is small enough
When rlimit is small enough to be used as the stacksize to be returned
in pthread_getattr_np, cases where a stack is made executable due to a
DSO load get a stack size that is larger than what the kernel
allows. This is because in such a case the stack size does not account
for the pages that have auxv and program arguments.
Additionally, the stacksize for the process derived from this should
be truncated to align to page size to avoid going beyond rlimit.