Age | Commit message (Collapse) | Author |
|
|
|
The defensive copy is not needed because the name may not alias the
output buffer.
(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
|
|
Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
second fallback mode for DNS requests), there is a code path which
returns early, before *resplen2 is initialized. This happens if the
name server address is immediately recognized as invalid (because of
lack of protocol support, or if it is a broadcast address such
255.255.255.255, or another invalid address).
If this happens and *resplen2 was non-zero (which is the case if a
previous query resulted in a failure), __libc_res_nquery would reuse
an existing second answer buffer. This answer has been previously
identified as unusable (for example, it could be an NXDOMAIN
response). Due to the presence of a second answer, no name server
switching will occur. The result is a name resolution failure,
although a successful resolution would have been possible if name
servers have been switched and queries had proceeded along the search
path.
The above paragraph still simplifies the situation. Before glibc
2.23, if the second answer needed malloc, the stub resolver would
still attempt to reuse the second answer, but this is not possible
because __libc_res_nsearch has freed it, after the unsuccessful call
to __libc_res_nquerydomain, and set the buffer pointer to NULL. This
eventually leads to an assertion failure in __libc_res_nquery:
/* Make sure both hp and hp2 are defined */
assert((hp != NULL) && (hp2 != NULL));
If assertions are disabled, the consequence is a NULL pointer
dereference on the next line.
Starting with glibc 2.23, as a result of commit
e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
stack-based buffer overflow (Bug 18665)), the second answer is always
allocated with malloc. This means that the assertion failure happens
with small responses as well because there is no buffer to reuse, as
soon as there is a name resolution failure which triggers a search for
an answer along the search path.
This commit addresses the issue by ensuring that *resplen2 is
initialized before the send_dg function returns.
This commit also addresses a bug where an invalid second reply is
incorrectly returned as a valid to the caller.
(cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)
|
|
* A stack-based buffer overflow was found in libresolv when invoked from
libnss_dns, allowing specially crafted DNS responses to seize control
of execution flow in the DNS client. The buffer overflow occurs in
the functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family. The use of AF_UNSPEC triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of the
buffers used for those queries could result in the response of a query
writing beyond the alloca allocated buffer created by
_nss_dns_gethostbyname4_r. Buffer management is simplified to remove
the overflow. Thanks to the Google Security Team and Red Hat for
reporting the security impact of this issue, and Robert Holiday of
Ciena for reporting the related bug 18665. (CVE-2015-7547)
See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
(cherry pick from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)
|
|
Conflicts:
NEWS
|
|
[Modified from the original email by Siddhesh Poyarekar]
This patch solves bug #16009 by implementing an additional path in
strxfrm that does not depend on caching the weight and rule indices.
In detail the following changed:
* The old main loop was factored out of strxfrm_l into the function
do_xfrm_cached to be able to alternativly use the non-caching version
do_xfrm.
* strxfrm_l allocates a a fixed size array on the stack. If this is not
sufficiant to store the weight and rule indices, the non-caching path is
taken. As the cache size is not dependent on the input there can be no
problems with integer overflows or stack allocations greater than
__MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the
definition of strxfrm does not allow an oom errorhandling.
* The uncached path determines the weight and rule index for every char
and for every pass again.
* Passing all the locale data array by array resulted in very long
parameter lists, so I introduced a structure that holds them.
* Checking for zero src string has been moved a bit upwards, it is
before the locale data initialization now.
* To verify that the non-caching path works correct I added a test run
to localedata/sort-test.sh & localedata/xfrm-test.c where all strings
are patched up with spaces so that they are too large for the caching path.
(cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa)
Conflicts:
NEWS
string/strxfrm_l.c
|
|
(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)
Conflicts:
NEWS
|
|
(cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)
Conflicts:
NEWS
posix/tst-fnmatch3.c
|
|
(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)
Conflicts:
NEWS
stdlib/cxa_thread_atexit_impl.c
|
|
Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
has security implications. This commit enables pointer guard
unconditionally, and the environment variable is now ignored.
[BZ #18928]
* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
_dl_pointer_guard member.
* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
initializer.
(security_init): Always set up pointer guard.
(process_envvars): Do not process LD_POINTER_GUARD.
(cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)
Conflicts:
NEWS
|
|
Conflicts:
NEWS
nss/nss_files/files-hosts.c
|
|
Robin Hack discovered Samba would enter an infinite loop processing
certain quota-related requests. We eventually tracked this down to a
glibc issue.
Running a (simplified) test case under strace shows that /etc/passwd
is continuously opened and closed:
…
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET) = 2717
close(3) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
lseek(3, 0, SEEK_SET) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET) = 2717
close(3) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
…
The lookup function implementation in
nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that. It is
supposed skip closing the input file if it was already open.
/* Reset file pointer to beginning or open file. */ \
status = internal_setent (keep_stream); \
\
if (status == NSS_STATUS_SUCCESS) \
{ \
/* Tell getent function that we have repositioned the file pointer. */ \
last_use = getby; \
\
while ((status = internal_getent (result, buffer, buflen, errnop \
H_ERRNO_ARG EXTRA_ARGS_VALUE)) \
== NSS_STATUS_SUCCESS) \
{ break_if_match } \
\
if (! keep_stream) \
internal_endent (); \
} \
keep_stream is initialized from the stayopen flag in internal_setent.
internal_setent is called from the set*ent implementation as:
status = internal_setent (stayopen);
However, for non-host database, this flag is always 0, per the
STAYOPEN magic in nss/getXXent_r.c.
Thus, the fix is this:
- status = internal_setent (stayopen);
+ status = internal_setent (1);
This is not a behavioral change even for the hosts database (where the
application can specify the stayopen flag) because with a call to
sethostent(0), the file handle is still not closed in the
implementation of gethostent.
Conflicts:
NEWS
|
|
Conflicts:
NEWS
|
|
Conflicts:
NEWS
|
|
Conflicts:
NEWS
|
|
This patch adds no FMA generation for e_pow to avoid precision issues
for powerpc. This fixes BZ#18104.
|
|
BZ #16618
Under certain conditions wscanf can allocate too little memory for the
to-be-scanned arguments and overflow the allocated buffer. The
implementation now correctly computes the required buffer size when
using malloc.
A regression test was added to tst-sscanf.
Conflicts:
ChangeLog
NEWS
|
|
This patch replaces the insrdi by insrwi in powerpc32 assembly.
It is a backport of d298c41635ce7f2dc7c3eccc842fe3aa754c0c8e.
Conflicts:
ChangeLog
|
|
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
|
|
|
|
|
|
A larger number of format specifiers coudld cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.
|
|
|
|
POSIX requires that we make a copy, so we allocate a new string
and free it in posix_spawn_file_actions_destroy.
Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug
may have security implications.
|
|
Prevent directory traversal in locale-related environment variables
(CVE-2014-0475).
|
|
This functionality has never worked correctly, and the implementation
contained a security vulnerability (CVE-2014-5119).
|
|
These changes are based on the fix for BZ #14134 in commit
6e230d11837f3ae7b375ea69d7905f0d18eb79e5.
|
|
|
|
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
|
|
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
|
|
[BZ #16882]
* nptl/sysdeps/sparc/sparc32/pthread_spin_lock.S
(pthread_spin_lock): Branch out of spin loop to proper location.
* nptl/sysdeps/sparc/sparc64/pthread_spin_lock.S
(pthread_spin_lock): Likewise.
* nptl/tst-spin4.c: New test.
* nptl/Makefile (tests): Add tst-spin4.
|
|
* sysdeps/sparc/sparc64/multiarch/memcpy-niagara2.S: Add missing
membar to avoid block loads/stores to overlap previous stores.
|
|
prlimit and prlimit64 have been added in the main <bits/resource.h>, but
not in the SPARC specific version. Fix that.
Note: this is Debian bug#703559, reported by Emilio Pozuelo Monfort
<pochu@debian.org>
(cherry picked from commit d16e6ec7ca2c861ba681e3a2fbd431725774292e)
|
|
EFD_SEMAPHORE has been added in the main <bits/eventfd.h>, but not in
the SPARC specific version. Fix that.
(cherry picked from commit 83df9ad0cc861ef24f08a88c5a4c055e2516d33c)
|
|
|
|
[BZ #16885]
* sysdeps/sparc/sparc64/strcmp.S: Fix end comparison handling when
multiple zero bytes exist at the end of a string.
Reported by Aurelien Jarno <aurelien@aurel32.net>
* string/test-strcmp.c (check): Add explicit test for situations where
there are multiple zero bytes after the first.
|
|
[BZ #15915] As described in the bug, the pattern rule for lib%.so files
in Makerules includes linkobj/libc.so as a dependency. However, the
explicit rule for linkobj/libc.so is in the top-level Makefile.
Thus, the subdirectory makefiles that include Makerules end up with an
erroneous makefile pattern rule for linkobj/libc.so that includes
itself as a dependency. The result is make warnings whenever rules
for other .so files are resolved -- and, on occasion, actual makefile
failures when a race condition causes the implicit rule to actually be
used.
This patch moves the explicit rules for linkobj/libc.so into Makerules
to clear up this problem. It also elaborates a couple of comments
that I'd initially found confusing.
Backport of 5f855e3598a576c35e54623a13b256f3e87fcd4d
|
|
This patch removes inexistent paths when building with --with-cpu=power5
or newer.
|
|
This patch fixes a wrong merge of d19762a5fd946ef86fb2922eb5710aac8000ab25
|
|
|
|
This patch adds GLIBC_2.3 mark on libm so it is always
define in abi-versions.h. This fixes a build issue with
fe_nomask.c in PPC64 LE where GLIBC_2_3 are no defined
for SHLIB_COMPAT, resulting in a wrong evaluation in the macro.
|
|
This patch is the abifiles for powerpc64le based on GLIBC 2.17.
|
|
Backport of 0ff8246327401ae8779e2697d5c7348611cdbf8a.
|
|
This patch creates implicit rules to match the abifiles if
abilist-pattern is defined in the architecture Makefile. This allows
machine specific Makefiles to define different abifiles names
(for instance *-le.abilist for powerpc64le).
|
|
When i386 and x86-64 mathinline.h was merged into a single mathinline.h,
"gcc -m32" enables x87 inline functions on x86-64 even when -mfpmath=sse
and SSE2 is enabled. It is a regression on x86-64. We should check
__SSE2_MATH__ instead of __x86_64__ when disabling x87 inline functions.
(cherry picked from commit 409e00bd69b8d8dd74d7327085351d26769ea6fc)
Conflicts:
ChangeLog
NEWS
|
|
The IFUNC selector for gettimeofday runs before _libc_vdso_platform_setup where
__vdso_gettimeofday is set. The selector then sets __gettimeofday (the internal
version used within GLIBC) to use the system call version instead of the vDSO one.
This patch changes the check if vDSO is available to get its value directly
instead of rely on __vdso_gettimeofday.
This patch changes it by getting the vDSO value directly.
It fixes BZ#16431.
|
|
The truncl assembly implementation (sysdeps/powerpc/powerpc64/fpu/s_truncl.S)
returns wrong results for some inputs where first double is a exact integer
and the precision is determined by second long double.
Checking on implementation comments and history, I am very confident the
assembly implementation was based on a version before commit
5c68d401698a58cf7da150d9cce769fa6679ba5f that fixes BZ#2423 (Errors in
long double (ldbl-128ibm) rounding functions in glibc-2.4).
By just removing the implementation and make the build select
sysdeps/ieee754/ldbl-128ibm/s_truncl.c instead it fixes tgammal
issues regarding wrong result sign.
|
|
This patch does not export __fe_mask_env anymore, only providing a
compatibility symbol. It fixes BZ#14143.
|
|
[BZ #16169] Add CFI directives to the AArch64 clone.S implementation
and ensure that the FP in the child is zero'd in order to comply with
AAPCS.
(cherry picked from commit 3a3acb6afc753475675b5724f206e619d0c9590d)
Conflicts:
NEWS
|
|
In BZ #15605 fix with addding memset/memmove alias in symbol-hacks.h,
x32 symbol-hacks.h change was missing. Fixed by including
<sysdeps/generic/symbol-hacks.h> in x32 symbol-hacks.h.
|