From bf5e654c2118c527172646266a2e833df163d89e Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Mon, 23 Sep 2013 13:22:23 +0530 Subject: [PATCH] Resync with upstream master --- glibc-rh985625-CVE-2013-4788.patch | 494 ----------------------------- glibc-strcoll-cve.patch | 458 -------------------------- glibc.spec | 15 +- sources | 2 +- 4 files changed, 6 insertions(+), 963 deletions(-) delete mode 100644 glibc-rh985625-CVE-2013-4788.patch delete mode 100644 glibc-strcoll-cve.patch diff --git a/glibc-rh985625-CVE-2013-4788.patch b/glibc-rh985625-CVE-2013-4788.patch deleted file mode 100644 index 3ed59d8..0000000 --- a/glibc-rh985625-CVE-2013-4788.patch +++ /dev/null @@ -1,494 +0,0 @@ -# -# CVE-2013-4788 The pointer guard used for pointer mangling was not -# initialized for static applications resulting in the security feature -# being disabled. The pointer guard is now correctly initialized to a -# random value for static applications. Existing static applications need -# to be recompiled to take advantage of the fix (bug 15754). -# -# Not yet upstream. -# -diff --git a/csu/libc-start.c b/csu/libc-start.c -index e5da3ef..c898d06 100644 ---- a/csu/libc-start.c -+++ b/csu/libc-start.c -@@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void); - in thread local area. */ - uintptr_t __stack_chk_guard attribute_relro; - # endif -+# ifndef THREAD_SET_POINTER_GUARD -+/* Only exported for architectures that don't store the pointer guard -+ value in thread local area. */ -+uintptr_t __pointer_chk_guard_local -+ attribute_relro attribute_hidden __attribute__ ((nocommon)); -+# endif - #endif - - #ifdef HAVE_PTR_NTHREADS -@@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL), - # else - __stack_chk_guard = stack_chk_guard; - # endif -+ -+ /* Set up the pointer guard value. */ -+ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random, -+ stack_chk_guard); -+# ifdef THREAD_SET_POINTER_GUARD -+ THREAD_SET_POINTER_GUARD (pointer_chk_guard); -+# else -+ __pointer_chk_guard_local = pointer_chk_guard; -+# endif -+ - #endif - - /* Register the destructor of the dynamic linker if there is any. */ -diff --git a/elf/Makefile b/elf/Makefile -index aaa9534..cb8da93 100644 ---- a/elf/Makefile -+++ b/elf/Makefile -@@ -121,7 +121,8 @@ endif - tests = tst-tls1 tst-tls2 tst-tls9 tst-leaks1 \ - tst-array1 tst-array2 tst-array3 tst-array4 tst-array5 - tests-static = tst-tls1-static tst-tls2-static tst-stackguard1-static \ -- tst-leaks1-static tst-array1-static tst-array5-static -+ tst-leaks1-static tst-array1-static tst-array5-static \ -+ tst-ptrguard1-static - ifeq (yes,$(build-shared)) - tests-static += tst-tls9-static - tst-tls9-static-ENV = \ -@@ -145,7 +146,8 @@ tests += loadtest restest1 preloadtest loadfail multiload origtest resolvfail \ - tst-audit1 tst-audit2 tst-audit8 \ - tst-stackguard1 tst-addr1 tst-thrlock \ - tst-unique1 tst-unique2 tst-unique3 tst-unique4 \ -- tst-initorder tst-initorder2 tst-relsort1 tst-null-argv -+ tst-initorder tst-initorder2 tst-relsort1 tst-null-argv \ -+ tst-ptrguard1 - # reldep9 - test-srcs = tst-pathopt - selinux-enabled := $(shell cat /selinux/enforce 2> /dev/null) -@@ -1016,6 +1018,9 @@ LDFLAGS-order2mod2.so = $(no-as-needed) - tst-stackguard1-ARGS = --command "$(host-test-program-cmd) --child" - tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child" - -+tst-ptrguard1-ARGS = --command "$(host-test-program-cmd) --child" -+tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child" -+ - $(objpfx)tst-leaks1: $(libdl) - $(objpfx)tst-leaks1-mem: $(objpfx)tst-leaks1.out - $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks1.mtrace > $@ -diff --git a/elf/tst-ptrguard1-static.c b/elf/tst-ptrguard1-static.c -new file mode 100644 -index 0000000..7aff3b7 ---- /dev/null -+++ b/elf/tst-ptrguard1-static.c -@@ -0,0 +1 @@ -+#include "tst-ptrguard1.c" -diff --git a/elf/tst-ptrguard1.c b/elf/tst-ptrguard1.c -new file mode 100644 -index 0000000..c344a04 ---- /dev/null -+++ b/elf/tst-ptrguard1.c -@@ -0,0 +1,202 @@ -+/* Copyright (C) 2013 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifndef POINTER_CHK_GUARD -+extern uintptr_t __pointer_chk_guard; -+# define POINTER_CHK_GUARD __pointer_chk_guard -+#endif -+ -+static const char *command; -+static bool child; -+static uintptr_t ptr_chk_guard_copy; -+static bool ptr_chk_guard_copy_set; -+static int fds[2]; -+ -+static void __attribute__ ((constructor)) -+con (void) -+{ -+ ptr_chk_guard_copy = POINTER_CHK_GUARD; -+ ptr_chk_guard_copy_set = true; -+} -+ -+static int -+uintptr_t_cmp (const void *a, const void *b) -+{ -+ if (*(uintptr_t *) a < *(uintptr_t *) b) -+ return 1; -+ if (*(uintptr_t *) a > *(uintptr_t *) b) -+ return -1; -+ return 0; -+} -+ -+static int -+do_test (void) -+{ -+ if (!ptr_chk_guard_copy_set) -+ { -+ puts ("constructor has not been run"); -+ return 1; -+ } -+ -+ if (ptr_chk_guard_copy != POINTER_CHK_GUARD) -+ { -+ puts ("POINTER_CHK_GUARD changed between constructor and do_test"); -+ return 1; -+ } -+ -+ if (child) -+ { -+ write (2, &ptr_chk_guard_copy, sizeof (ptr_chk_guard_copy)); -+ return 0; -+ } -+ -+ if (command == NULL) -+ { -+ puts ("missing --command or --child argument"); -+ return 1; -+ } -+ -+#define N 16 -+ uintptr_t child_ptr_chk_guards[N + 1]; -+ child_ptr_chk_guards[N] = ptr_chk_guard_copy; -+ int i; -+ for (i = 0; i < N; ++i) -+ { -+ if (pipe (fds) < 0) -+ { -+ printf ("couldn't create pipe: %m\n"); -+ return 1; -+ } -+ -+ pid_t pid = fork (); -+ if (pid < 0) -+ { -+ printf ("fork failed: %m\n"); -+ return 1; -+ } -+ -+ if (!pid) -+ { -+ if (ptr_chk_guard_copy != POINTER_CHK_GUARD) -+ { -+ puts ("POINTER_CHK_GUARD changed after fork"); -+ exit (1); -+ } -+ -+ close (fds[0]); -+ close (2); -+ dup2 (fds[1], 2); -+ close (fds[1]); -+ -+ system (command); -+ exit (0); -+ } -+ -+ close (fds[1]); -+ -+ if (TEMP_FAILURE_RETRY (read (fds[0], &child_ptr_chk_guards[i], -+ sizeof (uintptr_t))) != sizeof (uintptr_t)) -+ { -+ puts ("could not read ptr_chk_guard value from child"); -+ return 1; -+ } -+ -+ close (fds[0]); -+ -+ pid_t termpid; -+ int status; -+ termpid = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)); -+ if (termpid == -1) -+ { -+ printf ("waitpid failed: %m\n"); -+ return 1; -+ } -+ else if (termpid != pid) -+ { -+ printf ("waitpid returned %ld != %ld\n", -+ (long int) termpid, (long int) pid); -+ return 1; -+ } -+ else if (!WIFEXITED (status) || WEXITSTATUS (status)) -+ { -+ puts ("child hasn't exited with exit status 0"); -+ return 1; -+ } -+ } -+ -+ qsort (child_ptr_chk_guards, N + 1, sizeof (uintptr_t), uintptr_t_cmp); -+ -+ /* The default pointer guard is the same as the default stack guard. -+ They are only set to default if dl_random is NULL. */ -+ uintptr_t default_guard = 0; -+ unsigned char *p = (unsigned char *) &default_guard; -+ p[sizeof (uintptr_t) - 1] = 255; -+ p[sizeof (uintptr_t) - 2] = '\n'; -+ p[0] = 0; -+ -+ /* Test if the pointer guard canaries are either randomized, -+ or equal to the default pointer guard value. -+ Even with randomized pointer guards it might happen -+ that the random number generator generates the same -+ values, but if that happens in more than half from -+ the 16 runs, something is very wrong. */ -+ int ndifferences = 0; -+ int ndefaults = 0; -+ for (i = 0; i < N; ++i) -+ { -+ if (child_ptr_chk_guards[i] != child_ptr_chk_guards[i+1]) -+ ndifferences++; -+ else if (child_ptr_chk_guards[i] == default_guard) -+ ndefaults++; -+ } -+ -+ printf ("differences %d defaults %d\n", ndifferences, ndefaults); -+ -+ if (ndifferences < N / 2 && ndefaults < N / 2) -+ { -+ puts ("pointer guard values are not randomized enough"); -+ puts ("nor equal to the default value"); -+ return 1; -+ } -+ -+ return 0; -+} -+ -+#define OPT_COMMAND 10000 -+#define OPT_CHILD 10001 -+#define CMDLINE_OPTIONS \ -+ { "command", required_argument, NULL, OPT_COMMAND }, \ -+ { "child", no_argument, NULL, OPT_CHILD }, -+#define CMDLINE_PROCESS \ -+ case OPT_COMMAND: \ -+ command = optarg; \ -+ break; \ -+ case OPT_CHILD: \ -+ child = true; \ -+ break; -+#define TEST_FUNCTION do_test () -+#include "../test-skeleton.c" -diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h -index dc683c2..3907293 100644 ---- a/ports/sysdeps/ia64/stackguard-macros.h -+++ b/ports/sysdeps/ia64/stackguard-macros.h -@@ -2,3 +2,6 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; }) -diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h -index 589ea2b..f2e041b 100644 ---- a/ports/sysdeps/tile/stackguard-macros.h -+++ b/ports/sysdeps/tile/stackguard-macros.h -@@ -4,11 +4,17 @@ - # if __WORDSIZE == 64 - # define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; }) -+# define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; }) - # else - # define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; }) -+# define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; }) - # endif - #else - # define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; }) -+# define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; }) - #endif -diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h -index ababf65..77408c6 100644 ---- a/sysdeps/generic/stackguard-macros.h -+++ b/sysdeps/generic/stackguard-macros.h -@@ -2,3 +2,6 @@ - - extern uintptr_t __stack_chk_guard; - #define STACK_CHK_GUARD __stack_chk_guard -+ -+extern uintptr_t __pointer_chk_guard_local; -+#define POINTER_CHK_GUARD __pointer_chk_guard_local -diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h -index 8c31e19..0397629 100644 ---- a/sysdeps/i386/stackguard-macros.h -+++ b/sysdeps/i386/stackguard-macros.h -@@ -2,3 +2,11 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("movl %%gs:%c1, %0" : "=r" (x) \ -+ : "i" (offsetof (tcbhead_t, pointer_guard))); \ -+ x; \ -+ }) -diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h -index 839f6a4..b3d0af8 100644 ---- a/sysdeps/powerpc/powerpc32/stackguard-macros.h -+++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h -@@ -2,3 +2,13 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("lwz %0,%1(2)" \ -+ : "=r" (x) \ -+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \ -+ ); \ -+ x; \ -+ }) -diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h -index 9da879c..4620f96 100644 ---- a/sysdeps/powerpc/powerpc64/stackguard-macros.h -+++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h -@@ -2,3 +2,13 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("ld %0,%1(2)" \ -+ : "=r" (x) \ -+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \ -+ ); \ -+ x; \ -+ }) -diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h -index b74c579..449e8d4 100644 ---- a/sysdeps/s390/s390-32/stackguard-macros.h -+++ b/sysdeps/s390/s390-32/stackguard-macros.h -@@ -2,3 +2,14 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; }) -+ -+/* On s390/s390x there is no unique pointer guard, instead we use the -+ same value as the stack guard. */ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("ear %0,%%a0; l %0,%1(%0)" \ -+ : "=a" (x) \ -+ : "i" (offsetof (tcbhead_t, stack_guard))); \ -+ x; \ -+ }) -diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h -index 0cebb5f..c8270fb 100644 ---- a/sysdeps/s390/s390-64/stackguard-macros.h -+++ b/sysdeps/s390/s390-64/stackguard-macros.h -@@ -2,3 +2,17 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; }) -+ -+/* On s390/s390x there is no unique pointer guard, instead we use the -+ same value as the stack guard. */ -+#define POINTER_CHK_GUARD \ -+ ({ \ -+ uintptr_t x; \ -+ asm ("ear %0,%%a0;" \ -+ "sllg %0,%0,32;" \ -+ "ear %0,%%a1;" \ -+ "lg %0,%1(%0)" \ -+ : "=a" (x) \ -+ : "i" (offsetof (tcbhead_t, stack_guard))); \ -+ x; \ -+ }) -diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h -index c0b02b0..1eef0f1 100644 ---- a/sysdeps/sparc/sparc32/stackguard-macros.h -+++ b/sysdeps/sparc/sparc32/stackguard-macros.h -@@ -2,3 +2,6 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; }) -diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h -index 80f0635..cc0c12c 100644 ---- a/sysdeps/sparc/sparc64/stackguard-macros.h -+++ b/sysdeps/sparc/sparc64/stackguard-macros.h -@@ -2,3 +2,6 @@ - - #define STACK_CHK_GUARD \ - ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; }) -diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h -index d7fedb3..1948800 100644 ---- a/sysdeps/x86_64/stackguard-macros.h -+++ b/sysdeps/x86_64/stackguard-macros.h -@@ -4,3 +4,8 @@ - ({ uintptr_t x; \ - asm ("mov %%fs:%c1, %0" : "=r" (x) \ - : "i" (offsetof (tcbhead_t, stack_guard))); x; }) -+ -+#define POINTER_CHK_GUARD \ -+ ({ uintptr_t x; \ -+ asm ("mov %%fs:%c1, %0" : "=r" (x) \ -+ : "i" (offsetof (tcbhead_t, pointer_guard))); x; }) -diff --git a/elf/Makefile b/elf/Makefile -index cb8da93..27d249b 100644 ---- a/elf/Makefile -+++ b/elf/Makefile -@@ -1019,6 +1019,9 @@ tst-stackguard1-ARGS = --command "$(host-test-program-cmd) --child" - tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child" - - tst-ptrguard1-ARGS = --command "$(host-test-program-cmd) --child" -+# When built statically, the pointer guard interface uses -+# __pointer_chk_guard_local. -+CFLAGS-tst-ptrguard1-static.c = -DPTRGUARD_LOCAL - tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child" - - $(objpfx)tst-leaks1: $(libdl) -diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h -index 4fa3d96..b4a6b23 100644 ---- a/sysdeps/generic/stackguard-macros.h -+++ b/sysdeps/generic/stackguard-macros.h -@@ -3,5 +3,10 @@ - extern uintptr_t __stack_chk_guard; - #define STACK_CHK_GUARD __stack_chk_guard - -+#ifdef PTRGUARD_LOCAL - extern uintptr_t __pointer_chk_guard_local; --#define POINTER_CHK_GUARD __pointer_chk_guard_local -+# define POINTER_CHK_GUARD __pointer_chk_guard_local -+#else -+extern uintptr_t __pointer_chk_guard; -+# define POINTER_CHK_GUARD __pointer_chk_guard -+#endif diff --git a/glibc-strcoll-cve.patch b/glibc-strcoll-cve.patch deleted file mode 100644 index 7c220f4..0000000 --- a/glibc-strcoll-cve.patch +++ /dev/null @@ -1,458 +0,0 @@ -diff --git a/string/Makefile b/string/Makefile -index aaad743..f70dc7a 100644 ---- a/string/Makefile -+++ b/string/Makefile -@@ -57,6 +57,8 @@ tests := tester inl-tester noinl-tester testcopy test-ffs \ - tests-ifunc := $(strop-tests:%=test-%-ifunc) - tests += $(tests-ifunc) - -+xtests = tst-strcoll-overflow -+ - include ../Rules - - tester-ENV = LANGUAGE=C -diff --git a/string/strcoll_l.c b/string/strcoll_l.c -index 50ed84d..4ee101a 100644 ---- a/string/strcoll_l.c -+++ b/string/strcoll_l.c -@@ -45,7 +45,7 @@ - typedef struct - { - int len; /* Length of the current sequence. */ -- int val; /* Position of the sequence relative to the -+ size_t val; /* Position of the sequence relative to the - previous non-ignored sequence. */ - size_t idxnow; /* Current index in sequences. */ - size_t idxmax; /* Maximum index in sequences. */ -@@ -55,6 +55,12 @@ typedef struct - const USTRING_TYPE *us; /* The string. */ - int32_t *idxarr; /* Array to cache weight indices. */ - unsigned char *rulearr; /* Array to cache rules. */ -+ unsigned char rule; /* Saved rule for the first sequence. */ -+ int32_t idx; /* Index to weight of the current sequence. */ -+ int32_t save_idx; /* Save looked up index of a forward -+ sequence after the last backward -+ sequence. */ -+ const USTRING_TYPE *back_us; /* Beginning of the backward sequence. */ - } coll_seq; - - /* Get next sequence. The weight indices are cached, so we don't need to -@@ -64,7 +70,7 @@ get_next_seq_cached (coll_seq *seq, int nrules, int pass, - const unsigned char *rulesets, - const USTRING_TYPE *weights) - { -- int val = seq->val = 0; -+ size_t val = seq->val = 0; - int len = seq->len; - size_t backw_stop = seq->backw_stop; - size_t backw = seq->backw; -@@ -146,7 +152,7 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, - const USTRING_TYPE *extra, const int32_t *indirect) - { - #include WEIGHT_H -- int val = seq->val = 0; -+ size_t val = seq->val = 0; - int len = seq->len; - size_t backw_stop = seq->backw_stop; - size_t backw = seq->backw; -@@ -162,7 +168,7 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, - ++val; - if (backw_stop != ~0ul) - { -- /* The is something pushed. */ -+ /* There is something pushed. */ - if (backw == backw_stop) - { - /* The last pushed character was handled. Continue -@@ -227,15 +233,199 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, - seq->us = us; - } - --/* Compare two sequences. */ -+/* Get next sequence. Traverse the string as required. This function does not -+ set or use any index or rule cache. */ -+static void -+get_next_seq_nocache (coll_seq *seq, int nrules, const unsigned char *rulesets, -+ const USTRING_TYPE *weights, const int32_t *table, -+ const USTRING_TYPE *extra, const int32_t *indirect, -+ int pass) -+{ -+#include WEIGHT_H -+ size_t val = seq->val = 0; -+ int len = seq->len; -+ size_t backw_stop = seq->backw_stop; -+ size_t backw = seq->backw; -+ size_t idxcnt = seq->idxcnt; -+ size_t idxmax = seq->idxmax; -+ int32_t idx = seq->idx; -+ const USTRING_TYPE *us = seq->us; -+ -+ while (len == 0) -+ { -+ ++val; -+ if (backw_stop != ~0ul) -+ { -+ /* There is something pushed. */ -+ if (backw == backw_stop) -+ { -+ /* The last pushed character was handled. Continue -+ with forward characters. */ -+ if (idxcnt < idxmax) -+ { -+ idx = seq->save_idx; -+ backw_stop = ~0ul; -+ } -+ else -+ { -+ /* Nothing anymore. The backward sequence ended with -+ the last sequence in the string. Note that len is -+ still zero. */ -+ idx = 0; -+ break; -+ } -+ } -+ else -+ { -+ /* XXX Traverse BACKW sequences from the beginning of -+ BACKW_STOP to get the next sequence. Is ther a quicker way -+ to do this? */ -+ size_t i = backw_stop; -+ us = seq->back_us; -+ while (i < backw) -+ { -+ int32_t tmp = findidx (&us, -1); -+ idx = tmp & 0xffffff; -+ i++; -+ } -+ --backw; -+ us = seq->us; -+ } -+ } -+ else -+ { -+ backw_stop = idxmax; -+ int32_t prev_idx = idx; -+ -+ while (*us != L('\0')) -+ { -+ int32_t tmp = findidx (&us, -1); -+ unsigned char rule = tmp >> 24; -+ prev_idx = idx; -+ idx = tmp & 0xffffff; -+ idxcnt = idxmax++; -+ -+ /* Save the rule for the first sequence. */ -+ if (__glibc_unlikely (idxcnt == 0)) -+ seq->rule = rule; -+ -+ if ((rulesets[rule * nrules + pass] -+ & sort_backward) == 0) -+ /* No more backward characters to push. */ -+ break; -+ ++idxcnt; -+ } -+ -+ if (backw_stop >= idxcnt) -+ { -+ /* No sequence at all or just one. */ -+ if (idxcnt == idxmax || backw_stop > idxcnt) -+ /* Note that len is still zero. */ -+ break; -+ -+ backw_stop = ~0ul; -+ } -+ else -+ { -+ /* We pushed backward sequences. If the stream ended with the -+ backward sequence, then we process the last sequence we -+ found. Otherwise we process the sequence before the last -+ one since the last one was a forward sequence. */ -+ seq->back_us = seq->us; -+ seq->us = us; -+ backw = idxcnt; -+ if (idxmax > idxcnt) -+ { -+ backw--; -+ seq->save_idx = idx; -+ idx = prev_idx; -+ } -+ if (backw > backw_stop) -+ backw--; -+ } -+ } -+ -+ len = weights[idx++]; -+ /* Skip over indices of previous levels. */ -+ for (int i = 0; i < pass; i++) -+ { -+ idx += len; -+ len = weights[idx]; -+ idx++; -+ } -+ } -+ -+ /* Update the structure. */ -+ seq->val = val; -+ seq->len = len; -+ seq->backw_stop = backw_stop; -+ seq->backw = backw; -+ seq->idxcnt = idxcnt; -+ seq->idxmax = idxmax; -+ seq->us = us; -+ seq->idx = idx; -+} -+ -+/* Compare two sequences. This version does not use the index and rules -+ cache. */ -+static int -+do_compare_nocache (coll_seq *seq1, coll_seq *seq2, int position, -+ const USTRING_TYPE *weights) -+{ -+ int seq1len = seq1->len; -+ int seq2len = seq2->len; -+ size_t val1 = seq1->val; -+ size_t val2 = seq2->val; -+ int idx1 = seq1->idx; -+ int idx2 = seq2->idx; -+ int result = 0; -+ -+ /* Test for position if necessary. */ -+ if (position && val1 != val2) -+ { -+ result = val1 > val2 ? 1 : -1; -+ goto out; -+ } -+ -+ /* Compare the two sequences. */ -+ do -+ { -+ if (weights[idx1] != weights[idx2]) -+ { -+ /* The sequences differ. */ -+ result = weights[idx1] - weights[idx2]; -+ goto out; -+ } -+ -+ /* Increment the offsets. */ -+ ++idx1; -+ ++idx2; -+ -+ --seq1len; -+ --seq2len; -+ } -+ while (seq1len > 0 && seq2len > 0); -+ -+ if (position && seq1len != seq2len) -+ result = seq1len - seq2len; -+ -+out: -+ seq1->len = seq1len; -+ seq2->len = seq2len; -+ seq1->idx = idx1; -+ seq2->idx = idx2; -+ return result; -+} -+ -+/* Compare two sequences using the index cache. */ - static int - do_compare (coll_seq *seq1, coll_seq *seq2, int position, - const USTRING_TYPE *weights) - { - int seq1len = seq1->len; - int seq2len = seq2->len; -- int val1 = seq1->val; -- int val2 = seq2->val; -+ size_t val1 = seq1->val; -+ size_t val2 = seq2->val; - int32_t *idx1arr = seq1->idxarr; - int32_t *idx2arr = seq2->idxarr; - int idx1now = seq1->idxnow; -@@ -245,7 +435,7 @@ do_compare (coll_seq *seq1, coll_seq *seq2, int position, - /* Test for position if necessary. */ - if (position && val1 != val2) - { -- result = val1 - val2; -+ result = val1 > val2 ? 1 : -1; - goto out; - } - -@@ -334,57 +524,70 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) - memset (&seq1, 0, sizeof (seq1)); - seq2 = seq1; - -- /* We need the elements of the strings as unsigned values since they -- are used as indices. */ -- seq1.us = (const USTRING_TYPE *) s1; -- seq2.us = (const USTRING_TYPE *) s2; -+ size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1); - -- if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) -+ if (MIN (s1len, s2len) > size_max -+ || MAX (s1len, s2len) > size_max - MIN (s1len, s2len)) -+ { -+ /* If the strings are long enough to cause overflow in the size request, -+ then skip the allocation and proceed with the non-cached routines. */ -+ } -+ else if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) - { - seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); -- seq2.idxarr = &seq1.idxarr[s1len]; -- seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len]; -- seq2.rulearr = &seq1.rulearr[s1len]; -- -- if (seq1.idxarr == NULL) -- /* No memory. Well, go with the stack then. -- -- XXX Once this implementation is stable we will handle this -- differently. Instead of precomputing the indices we will -- do this in time. This means, though, that this happens for -- every pass again. */ -- goto try_stack; -- use_malloc = true; -+ -+ /* If we failed to allocate memory, we leave everything as NULL so that -+ we use the nocache version of traversal and comparison functions. */ -+ if (seq1.idxarr != NULL) -+ { -+ seq2.idxarr = &seq1.idxarr[s1len]; -+ seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len]; -+ seq2.rulearr = &seq1.rulearr[s1len]; -+ use_malloc = true; -+ } - } - else - { -- try_stack: - seq1.idxarr = (int32_t *) alloca (s1len * sizeof (int32_t)); - seq2.idxarr = (int32_t *) alloca (s2len * sizeof (int32_t)); - seq1.rulearr = (unsigned char *) alloca (s1len); - seq2.rulearr = (unsigned char *) alloca (s2len); - } - -- seq1.rulearr[0] = 0; -+ int rule = 0; - - /* Cache values in the first pass and if needed, use them in subsequent - passes. */ - for (int pass = 0; pass < nrules; ++pass) - { - seq1.idxcnt = 0; -+ seq1.idx = 0; -+ seq2.idx = 0; - seq1.backw_stop = ~0ul; - seq1.backw = ~0ul; - seq2.idxcnt = 0; - seq2.backw_stop = ~0ul; - seq2.backw = ~0ul; - -+ /* We need the elements of the strings as unsigned values since they -+ are used as indices. */ -+ seq1.us = (const USTRING_TYPE *) s1; -+ seq2.us = (const USTRING_TYPE *) s2; -+ - /* We assume that if a rule has defined `position' in one section - this is true for all of them. */ -- int position = rulesets[seq1.rulearr[0] * nrules + pass] & sort_position; -+ int position = rulesets[rule * nrules + pass] & sort_position; - - while (1) - { -- if (pass == 0) -+ if (__glibc_unlikely (seq1.idxarr == NULL)) -+ { -+ get_next_seq_nocache (&seq1, nrules, rulesets, weights, table, -+ extra, indirect, pass); -+ get_next_seq_nocache (&seq2, nrules, rulesets, weights, table, -+ extra, indirect, pass); -+ } -+ else if (pass == 0) - { - get_next_seq (&seq1, nrules, rulesets, weights, table, extra, - indirect); -@@ -411,10 +614,18 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) - goto free_and_return; - } - -- result = do_compare (&seq1, &seq2, position, weights); -+ if (__glibc_unlikely (seq1.idxarr == NULL)) -+ result = do_compare_nocache (&seq1, &seq2, position, weights); -+ else -+ result = do_compare (&seq1, &seq2, position, weights); - if (result != 0) - goto free_and_return; - } -+ -+ if (__glibc_likely (seq1.rulearr != NULL)) -+ rule = seq1.rulearr[0]; -+ else -+ rule = seq1.rule; - } - - /* Free the memory if needed. */ -diff --git a/string/tst-strcoll-overflow.c b/string/tst-strcoll-overflow.c -new file mode 100644 -index 0000000..bb665ac ---- /dev/null -+++ b/string/tst-strcoll-overflow.c -@@ -0,0 +1,61 @@ -+/* Copyright (C) 2013 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+/* Verify that strcoll does not crash for large strings for which it cannot -+ cache weight lookup results. The size is large enough to cause integer -+ overflows on 32-bit as well as buffer overflows on 64-bit. The test should -+ work reasonably reliably when overcommit is disabled, but it obviously -+ depends on how much memory the system has. There's a limitation to this -+ test in that it does not run to completion. Actually collating such a -+ large string can take days and we can't have xcheck running that long. For -+ that reason, we run the test for about 5 minutes and then assume that -+ everything is fine if there are no crashes. */ -+#define SIZE 0x40000000ul -+ -+int -+do_test (void) -+{ -+ if (setlocale (LC_COLLATE, "en_GB.UTF-8") == NULL) -+ { -+ puts ("setlocale failed, cannot test for overflow"); -+ return 0; -+ } -+ -+ char *p = malloc (SIZE); -+ -+ if (p == NULL) -+ { -+ puts ("could not allocate memory"); -+ return 1; -+ } -+ -+ memset (p, 'x', SIZE - 1); -+ p[SIZE - 1] = 0; -+ printf ("%d\n", strcoll (p, p)); -+ return 0; -+} -+ -+#define TIMEOUT 300 -+#define EXPECTED_SIGNAL SIGALRM -+#define TEST_FUNCTION do_test () -+#include "../test-skeleton.c" diff --git a/glibc.spec b/glibc.spec index 9afa3d8..03c34a6 100644 --- a/glibc.spec +++ b/glibc.spec @@ -1,6 +1,6 @@ -%define glibcsrcdir glibc-2.18-113-gf06dd27 +%define glibcsrcdir glibc-2.18-151-g303e567 %define glibcversion 2.18.90 -%define glibcrelease 4%{?dist} +%define glibcrelease 5%{?dist} # Pre-release tarballs are pulled in from git using a command that is # effectively: # @@ -208,12 +208,6 @@ Patch2026: %{name}-rh841787.patch # Upstream BZ 14185 Patch2027: %{name}-rh819430.patch -# Upstream BZ 14547 -Patch2028: %{name}-strcoll-cve.patch - -# Upstream BZ 15754 -Patch2029: %{name}-rh985625-CVE-2013-4788.patch - ############################################################################## # End of glibc patches. ############################################################################## @@ -535,11 +529,9 @@ package or when debugging this package. %patch0034 -p1 %patch0035 -p1 %patch0037 -p1 -%patch2028 -p1 %patch0040 -p1 %patch0041 -p1 %patch0042 -p1 -%patch2029 -p1 ############################################################################## # %%prep - Additional prep required... @@ -1625,6 +1617,9 @@ rm -f *.filelist* %endif %changelog +* Mon Sep 23 2013 Siddhesh Poyarekar - 2.18.90-5 +- Resync with upstream master. + * Sun Sep 22 2013 Carlos O'Donell - 2.18.90-4 - Fix CVE-2013-4788: Static applications now support pointer mangling. Existing static applications must be recompiled (#985625). diff --git a/sources b/sources index eea5237..50cdc0d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -eaa4be0c8cd2cd4ca32aa8d3ed1c2fc8 glibc-2.18-113-gf06dd27.tar.gz +f516344ccf8bcc3a4066731ec3e62220 glibc-2.18-151-g303e567.tar.gz