forked from rpms/glibc
Avoid unbound alloca usage in *-crypt routines (#804792)
This commit is contained in:
parent
d004e5468f
commit
5022ed713c
217
glibc-rh804792.patch
Normal file
217
glibc-rh804792.patch
Normal file
@ -0,0 +1,217 @@
|
||||
2012-03-29 Jeff Law <law@redhat.com>
|
||||
|
||||
* crypt/md5-crypt.c (__md5_crypt_r): Avoid unbounded alloca uses
|
||||
due to long keys.
|
||||
* crypt/sha256-crypt.c (__sha256_crypt_r): Likewise.
|
||||
* crypt/sha512-crypt.c (__sha512_crypt_r): Likewise.
|
||||
|
||||
diff -rup c/crypt/md5-crypt.c d/crypt/md5-crypt.c
|
||||
--- c/crypt/md5-crypt.c 2012-01-01 05:16:32.000000000 -0700
|
||||
+++ d/crypt/md5-crypt.c 2012-03-27 11:37:24.035574503 -0600
|
||||
@@ -108,6 +108,7 @@ __md5_crypt_r (key, salt, buffer, buflen
|
||||
char *cp;
|
||||
char *copied_key = NULL;
|
||||
char *copied_salt = NULL;
|
||||
+ char *free_key = NULL;
|
||||
|
||||
/* Find beginning of salt string. The prefix should normally always
|
||||
be present. Just in case it is not. */
|
||||
@@ -120,7 +121,17 @@ __md5_crypt_r (key, salt, buffer, buflen
|
||||
|
||||
if ((key - (char *) 0) % __alignof__ (md5_uint32) != 0)
|
||||
{
|
||||
- char *tmp = (char *) alloca (key_len + __alignof__ (md5_uint32));
|
||||
+ char *tmp;
|
||||
+
|
||||
+ if (__libc_use_alloca (key_len + __alignof__ (md5_uint32)))
|
||||
+ tmp = (char *) alloca (key_len + __alignof__ (md5_uint32));
|
||||
+ else
|
||||
+ {
|
||||
+ free_key = tmp = (char *) malloc (key_len + __alignof__ (md5_uint32));
|
||||
+ if (tmp == NULL)
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
key = copied_key =
|
||||
memcpy (tmp + __alignof__ (md5_uint32)
|
||||
- (tmp - (char *) 0) % __alignof__ (md5_uint32),
|
||||
@@ -142,7 +158,10 @@ __md5_crypt_r (key, salt, buffer, buflen
|
||||
/* Initialize libfreebl3. */
|
||||
NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
|
||||
if (nss_ictx == NULL)
|
||||
- return NULL;
|
||||
+ {
|
||||
+ free (free_key);
|
||||
+ return NULL;
|
||||
+ }
|
||||
NSSLOWHASHContext *nss_ctx = NULL;
|
||||
NSSLOWHASHContext *nss_alt_ctx = NULL;
|
||||
#else
|
||||
@@ -296,6 +315,7 @@ __md5_crypt_r (key, salt, buffer, buflen
|
||||
if (copied_salt != NULL)
|
||||
memset (copied_salt, '\0', salt_len);
|
||||
|
||||
+ free (free_key);
|
||||
return buffer;
|
||||
}
|
||||
|
||||
diff -rup c/crypt/sha256-crypt.c d/crypt/sha256-crypt.c
|
||||
--- c/crypt/sha256-crypt.c 2012-01-01 05:16:32.000000000 -0700
|
||||
+++ d/crypt/sha256-crypt.c 2012-03-27 11:58:55.823809542 -0600
|
||||
@@ -123,6 +123,9 @@ __sha256_crypt_r (key, salt, buffer, buf
|
||||
/* Default number of rounds. */
|
||||
size_t rounds = ROUNDS_DEFAULT;
|
||||
bool rounds_custom = false;
|
||||
+ size_t alloca_used = 0;
|
||||
+ char *free_key = NULL;
|
||||
+ char *free_pbytes = NULL;
|
||||
|
||||
/* Find beginning of salt string. The prefix should normally always
|
||||
be present. Just in case it is not. */
|
||||
@@ -149,7 +152,17 @@ __sha256_crypt_r (key, salt, buffer, buf
|
||||
|
||||
if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
|
||||
{
|
||||
- char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
|
||||
+ char *tmp;
|
||||
+
|
||||
+ if (__libc_use_alloca (key_len + __alignof__ (uint32_t)))
|
||||
+ tmp = alloca_account (key_len + __alignof__ (uint32_t), alloca_used);
|
||||
+ else
|
||||
+ {
|
||||
+ free_key = tmp = (char *) malloc (key_len + __alignof__ (uint32_t));
|
||||
+ if (tmp == NULL)
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
key = copied_key =
|
||||
memcpy (tmp + __alignof__ (uint32_t)
|
||||
- (tmp - (char *) 0) % __alignof__ (uint32_t),
|
||||
@@ -160,6 +179,7 @@ __sha256_crypt_r (key, salt, buffer, buf
|
||||
if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
|
||||
{
|
||||
char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
|
||||
+ alloca_used += salt_len + __alignof__ (uint32_t);
|
||||
salt = copied_salt =
|
||||
memcpy (tmp + __alignof__ (uint32_t)
|
||||
- (tmp - (char *) 0) % __alignof__ (uint32_t),
|
||||
@@ -171,7 +191,10 @@ __sha256_crypt_r (key, salt, buffer, buf
|
||||
/* Initialize libfreebl3. */
|
||||
NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
|
||||
if (nss_ictx == NULL)
|
||||
- return NULL;
|
||||
+ {
|
||||
+ free (free_key);
|
||||
+ return NULL;
|
||||
+ }
|
||||
NSSLOWHASHContext *nss_ctx = NULL;
|
||||
NSSLOWHASHContext *nss_alt_ctx = NULL;
|
||||
#else
|
||||
@@ -233,8 +256,19 @@ __sha256_crypt_r (key, salt, buffer, buf
|
||||
/* Finish the digest. */
|
||||
sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
|
||||
|
||||
- /* Create byte sequence P. */
|
||||
- cp = p_bytes = alloca (key_len);
|
||||
+ /* Create byte sequence P. */
|
||||
+ if (__libc_use_alloca (alloca_used + key_len))
|
||||
+ cp = p_bytes = (char *) alloca (key_len);
|
||||
+ else
|
||||
+ {
|
||||
+ free_pbytes = cp = p_bytes = (char *)malloc (key_len);
|
||||
+ if (free_pbytes == NULL)
|
||||
+ {
|
||||
+ free (free_key);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
for (cnt = key_len; cnt >= 32; cnt -= 32)
|
||||
cp = mempcpy (cp, temp_result, 32);
|
||||
memcpy (cp, temp_result, cnt);
|
||||
@@ -362,6 +401,8 @@ __sha256_crypt_r (key, salt, buffer, buf
|
||||
if (copied_salt != NULL)
|
||||
memset (copied_salt, '\0', salt_len);
|
||||
|
||||
+ free (free_key);
|
||||
+ free (free_pbytes);
|
||||
return buffer;
|
||||
}
|
||||
|
||||
diff -rup c/crypt/sha512-crypt.c d/crypt/sha512-crypt.c
|
||||
--- c/crypt/sha512-crypt.c 2012-01-01 05:16:32.000000000 -0700
|
||||
+++ d/crypt/sha512-crypt.c 2012-03-27 12:10:08.895097239 -0600
|
||||
@@ -123,6 +123,9 @@ __sha512_crypt_r (key, salt, buffer, buf
|
||||
/* Default number of rounds. */
|
||||
size_t rounds = ROUNDS_DEFAULT;
|
||||
bool rounds_custom = false;
|
||||
+ size_t alloca_used = 0;
|
||||
+ char *free_key = NULL;
|
||||
+ char *free_pbytes = NULL;
|
||||
|
||||
/* Find beginning of salt string. The prefix should normally always
|
||||
be present. Just in case it is not. */
|
||||
@@ -149,7 +152,17 @@ __sha512_crypt_r (key, salt, buffer, buf
|
||||
|
||||
if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
|
||||
{
|
||||
- char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
|
||||
+ char *tmp;
|
||||
+
|
||||
+ if (__libc_use_alloca (key_len + __alignof__ (uint64_t)))
|
||||
+ tmp = alloca_account (key_len + __alignof__ (uint64_t), alloca_used);
|
||||
+ else
|
||||
+ {
|
||||
+ free_key = tmp = (char *) malloc (key_len + __alignof__ (uint64_t));
|
||||
+ if (tmp == NULL)
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
key = copied_key =
|
||||
memcpy (tmp + __alignof__ (uint64_t)
|
||||
- (tmp - (char *) 0) % __alignof__ (uint64_t),
|
||||
@@ -171,7 +190,10 @@ __sha512_crypt_r (key, salt, buffer, buf
|
||||
/* Initialize libfreebl3. */
|
||||
NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
|
||||
if (nss_ictx == NULL)
|
||||
- return NULL;
|
||||
+ {
|
||||
+ free (free_key);
|
||||
+ return NULL;
|
||||
+ }
|
||||
NSSLOWHASHContext *nss_ctx = NULL;
|
||||
NSSLOWHASHContext *nss_alt_ctx = NULL;
|
||||
#else
|
||||
@@ -233,8 +255,19 @@ __sha512_crypt_r (key, salt, buffer, buf
|
||||
/* Finish the digest. */
|
||||
sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
|
||||
|
||||
- /* Create byte sequence P. */
|
||||
- cp = p_bytes = alloca (key_len);
|
||||
+ /* Create byte sequence P. */
|
||||
+ if (__libc_use_alloca (alloca_used + key_len))
|
||||
+ cp = p_bytes = (char *) alloca (key_len);
|
||||
+ else
|
||||
+ {
|
||||
+ free_pbytes = cp = p_bytes = (char *)malloc (key_len);
|
||||
+ if (free_pbytes == NULL)
|
||||
+ {
|
||||
+ free (free_key);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
for (cnt = key_len; cnt >= 64; cnt -= 64)
|
||||
cp = mempcpy (cp, temp_result, 64);
|
||||
memcpy (cp, temp_result, cnt);
|
||||
@@ -374,6 +412,8 @@ __sha512_crypt_r (key, salt, buffer, buf
|
||||
if (copied_salt != NULL)
|
||||
memset (copied_salt, '\0', salt_len);
|
||||
|
||||
+ free (free_key);
|
||||
+ free (free_pbytes);
|
||||
return buffer;
|
||||
}
|
||||
|
||||
|
||||
|
@ -125,6 +125,8 @@ Patch45 : %{name}-rh803286.patch
|
||||
Patch46 : %{name}-rh806403.patch
|
||||
# Submitted upstream, BZ 13594
|
||||
Patch47 : %{name}-rh806070.patch
|
||||
# Submitted upstream
|
||||
Patch48 : %{name}-rh804792.patch
|
||||
|
||||
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
@ -391,6 +393,7 @@ rm -rf %{glibcportsdir}
|
||||
%patch45 -p1
|
||||
%patch46 -p1
|
||||
%patch47 -p1
|
||||
%patch48 -p1
|
||||
|
||||
# A lot of programs still misuse memcpy when they have to use
|
||||
# memmove. The memcpy implementation below is not tolerant at
|
||||
@ -1244,6 +1247,7 @@ rm -f *.filelist*
|
||||
|
||||
%changelog
|
||||
* Tue Mar 27 2012 Jeff Law <law@redhat.com> - 2.15-30
|
||||
- Avoid unbound alloca usage in *-crypt routines (#804792)
|
||||
- Fix data race in nscd (#806070)
|
||||
|
||||
* Fri Mar 23 2012 Jeff Law <law@redhat.com> - 2.15-29
|
||||
|
Loading…
Reference in New Issue
Block a user