authorTulio Magno Quites Machado Filho <tuliom@linux.ibm.com>2020-03-23 11:28:47 -0300
committerTulio Magno Quites Machado Filho <tuliom@linux.ibm.com>2020-03-23 11:28:47 -0300
commite51e3044e1fa121bb1c308614a49c72e69d2ed6b (patch)
treec8877c961fb367be2f035f1b2e355ff57baf28a9
parentf71df694b107b1ec310f8bc668cb8a5eb27936a5 (diff)
parent21344a3d62a29406fddeec069ee4eb3c341369f9 (diff)
downloadglibc-e51e3044e1fa121bb1c308614a49c72e69d2ed6b.tar
glibc-e51e3044e1fa121bb1c308614a49c72e69d2ed6b.tar.gz
glibc-e51e3044e1fa121bb1c308614a49c72e69d2ed6b.tar.bz2
glibc-e51e3044e1fa121bb1c308614a49c72e69d2ed6b.zip
Merge branch release/2.28/master into ibm/2.28/master
-rw-r--r--ChangeLog5
-rw-r--r--NEWS6
-rw-r--r--debug/tst-backtrace5.c12
-rw-r--r--posix/glob.c25
-rw-r--r--string/string.h3
-rw-r--r--sysdeps/powerpc/powerpc32/backtrace.c2
-rw-r--r--sysdeps/powerpc/powerpc64/backtrace.c2
-rw-r--r--sysdeps/unix/sysv/linux/riscv/flush-icache.c2
-rw-r--r--sysdeps/unix/sysv/linux/test-errno-linux.c5
9 files changed, 46 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index 74a337eafc..2a448f382d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2019-06-06 Florian Weimer <fweimer@redhat.com>
+
+ * sysdeps/unix/sysv/linux/riscv/flush-icache.c: Do not use
+ internal GCC preprocessor identifier __has_include__.
+
2019-02-06 Stefan Liebler <stli@linux.ibm.com>
[BZ #23403]
diff --git a/NEWS b/NEWS
index d488f14ae5..1d00542a5d 100644
--- a/NEWS
+++ b/NEWS
@@ -72,6 +72,9 @@ The following bugs are resolved with this release:
[25203] libio: Disable vtable validation for pre-2.1 interposed handles
[25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
[25225] ld.so fails to link on x86 if GCC defaults to -fcf-protection
+ [25232] No const correctness for strchr et al. for Clang++
+ [25414] 'glob' use-after-free bug (CVE-2020-1752)
+ [25423] Array overflow in backtrace on powerpc
Security related changes:
@@ -107,6 +110,9 @@ Security related changes:
addresses for loaded libraries and thus bypass ASLR for a setuid
program. Reported by Marcin Koƛcielnicki.
+ CVE-2020-1752: A use-after-free vulnerability in the glob function when
+ expanding ~user has been fixed.
+
Version 2.28
diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
index 0e6fb1a024..a117f1544f 100644
--- a/debug/tst-backtrace5.c
+++ b/debug/tst-backtrace5.c
@@ -88,6 +88,18 @@ handle_signal (int signum)
}
/* Symbol names are not available for static functions, so we do not
check do_test. */
+
+ /* Check that backtrace does not return more than what fits in the array
+ (bug 25423). */
+ for (int j = 0; j < NUM_FUNCTIONS; j++)
+ {
+ n = backtrace (addresses, j);
+ if (n > j)
+ {
+ FAIL ();
+ return;
+ }
+ }
}
NO_INLINE int
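Review bot: The new loop does not record why it runs inside `handle_signal` rather than in the main test body; presumably it is because a signal trampoline frame has to be on the stack for the powerpc array overflow (bug 25423) to be reachable, and without that stated a later cleanup could move the loop and quietly lose the regression coverage. A comment above the `for`, such as `/* Must run from the signal handler: the overflow happened when a signal trampoline frame was on the stack (bug 25423).  */`, would pin that down. The existing two-line comment only names the bug number, not the precondition. `handle_signal` begins outside the hunk.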
diff --git a/posix/glob.c b/posix/glob.c
index 8444b2f79e..1b389d2da1 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
{
size_t home_len = strlen (p->pw_dir);
size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
- char *d;
+ char *d, *newp;
+ bool use_alloca = glob_use_alloca (alloca_used,
+ home_len + rest_len + 1);
- if (__glibc_unlikely (malloc_dirname))
- free (dirname);
- malloc_dirname = 0;
-
- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
- dirname = alloca_account (home_len + rest_len + 1,
- alloca_used);
+ if (use_alloca)
+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
else
{
- dirname = malloc (home_len + rest_len + 1);
- if (dirname == NULL)
+ newp = malloc (home_len + rest_len + 1);
+ if (newp == NULL)
{
scratch_buffer_free (&pwtmpbuf);
retval = GLOB_NOSPACE;
goto out;
}
- malloc_dirname = 1;
}
- d = mempcpy (dirname, p->pw_dir, home_len);
+ d = mempcpy (newp, p->pw_dir, home_len);
if (end_name != NULL)
d = mempcpy (d, end_name, rest_len);
*d = '\0';
+ if (__glibc_unlikely (malloc_dirname))
+ free (dirname);
+ dirname = newp;
+ malloc_dirname = !use_alloca;
+
dirlen = home_len + rest_len;
dirname_modified = 1;
}
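Review bot: The ordering that constitutes the fix — copy into `newp` first, then `free (dirname)` — is not explained in the code, so nothing stops a future refactor from moving the free back up. If `end_name` points into the old `dirname` (the NEWS entry in this merge describes a use-after-free when expanding ~user, which is consistent with that), copying before freeing is exactly what makes the `mempcpy (d, end_name, rest_len)` safe. A comment on the free, `/* Release the old dirname only after the copy: end_name may point into it (bug 25414).  */`, would make the constraint explicit. On style, `home_len + rest_len + 1` is spelled out three times; a local `size_t newlen = home_len + rest_len + 1;` used for the alloca, the malloc and `dirlen` would make the sizes visibly agree. `__glob` continues outside the hunk.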
diff --git a/string/string.h b/string/string.h
index 150cfd8b13..22cd0fa08f 100644
--- a/string/string.h
+++ b/string/string.h
@@ -33,7 +33,8 @@ __BEGIN_DECLS
#include <stddef.h>
/* Tell the caller that we provide correct C++ prototypes. */
-#if defined __cplusplus && __GNUC_PREREQ (4, 4)
+#if defined __cplusplus && (__GNUC_PREREQ (4, 4) \
+ || __glibc_clang_prereq (3, 5))
# define __CORRECT_ISO_CPP_STRING_H_PROTO
#endif
diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
index 5422fdd50d..c7b64f9e9b 100644
--- a/sysdeps/powerpc/powerpc32/backtrace.c
+++ b/sysdeps/powerpc/powerpc32/backtrace.c
@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
}
if (gregset)
{
+ if (count + 1 == size)
+ break;
array[++count] = (void*)((*gregset)[PT_NIP]);
current = (void*)((*gregset)[PT_R1]);
}
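Review bot: The new `break` at `if (count + 1 == size)` leaves `count` indexing the trampoline return address that was already stored in `array[count]` earlier in the iteration; if `count` is advanced by the enclosing `for` statement's step expression (the loop header is outside this hunk), `break` skips that increment and `__backtrace` reports one entry fewer than it actually wrote, dropping the trampoline address whenever the caller's buffer is exactly full. The overflow is fixed, but the returned count then disagrees with the filled array. Bumping the count before leaving keeps the two consistent: `if (count + 1 == size) { ++count; break; }`. This should be confirmed against the loop header and the return path, neither of which is visible here.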
diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
index c0c4b48262..0acf17b37e 100644
--- a/sysdeps/powerpc/powerpc64/backtrace.c
+++ b/sysdeps/powerpc/powerpc64/backtrace.c
@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
if (is_sigtramp_address (current->return_address))
{
struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
+ if (count + 1 == size)
+ break;
array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
}
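Review bot: The new `break` at `if (count + 1 == size)` exits with `count` still indexing the trampoline return address already stored in `array[count]`; if, as in the powerpc32 sibling, `count` is advanced in the enclosing `for` statement's step expression (the loop header is outside this hunk), that increment is skipped and the function returns one less than the number of entries it wrote, silently dropping the trampoline address when the buffer is exactly full. The array overflow is gone, but the count and the array contents no longer agree. `if (count + 1 == size) { ++count; break; }` would keep them consistent. Worth confirming against the loop header and the return path, which are not visible here.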
diff --git a/sysdeps/unix/sysv/linux/riscv/flush-icache.c b/sysdeps/unix/sysv/linux/riscv/flush-icache.c
index 0b2042620b..ddcb809e7d 100644
--- a/sysdeps/unix/sysv/linux/riscv/flush-icache.c
+++ b/sysdeps/unix/sysv/linux/riscv/flush-icache.c
@@ -21,7 +21,7 @@
#include <stdlib.h>
#include <atomic.h>
#include <sys/cachectl.h>
-#if __has_include__ (<asm/syscalls.h>)
+#if __has_include (<asm/syscalls.h>)
# include <asm/syscalls.h>
#else
# include <asm/unistd.h>
diff --git a/sysdeps/unix/sysv/linux/test-errno-linux.c b/sysdeps/unix/sysv/linux/test-errno-linux.c
index be1135351d..073e2fba64 100644
--- a/sysdeps/unix/sysv/linux/test-errno-linux.c
+++ b/sysdeps/unix/sysv/linux/test-errno-linux.c
@@ -160,8 +160,9 @@ do_test (void)
fails |= test_wrp (EINVAL, poll, &pollfd, -1, 0);
/* quotactl returns ENOSYS for kernels not configured with
CONFIG_QUOTA, and may return EPERM if called within certain types
- of containers. */
- fails |= test_wrp2 (LIST (ENODEV, ENOSYS, EPERM),
+ of containers. Linux 5.4 added additional argument validation
+ and can return EINVAL. */
+ fails |= test_wrp2 (LIST (ENODEV, ENOSYS, EPERM, EINVAL),
quotactl, Q_GETINFO, NULL, -1, (caddr_t) &dqblk);
fails |= test_wrp (EINVAL, sched_getparam, -1, &sch_param);
fails |= test_wrp (EINVAL, sched_getscheduler, -1);