mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-29 02:13:23 +00:00
glibc: Update to 2.19
This commit is contained in:
parent
de605827f8
commit
a5ea0a3f50
@ -13,7 +13,7 @@ cross:
|
|||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
version = "2.18";
|
version = "2.19";
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
@ -49,26 +49,10 @@ stdenv.mkDerivation ({
|
|||||||
to default to blowfish). */
|
to default to blowfish). */
|
||||||
./glibc-crypt-blowfish.patch
|
./glibc-crypt-blowfish.patch
|
||||||
|
|
||||||
/* Fix for random "./sysdeps/posix/getaddrinfo.c:1467:
|
|
||||||
rfc3484_sort: Assertion `src->results[i].native == -1 ||
|
|
||||||
src->results[i].native == a2_native' failed." crashes. */
|
|
||||||
./glibc-rh739743.patch
|
|
||||||
|
|
||||||
./scanf.patch
|
|
||||||
|
|
||||||
/* The command "getconf CS_PATH" returns the default search path
|
/* The command "getconf CS_PATH" returns the default search path
|
||||||
"/bin:/usr/bin", which is inappropriate on NixOS machines. This
|
"/bin:/usr/bin", which is inappropriate on NixOS machines. This
|
||||||
patch extends the search path by "/run/current-system/sw/bin". */
|
patch extends the search path by "/run/current-system/sw/bin". */
|
||||||
./fix_path_attribute_in_getconf.patch
|
./fix_path_attribute_in_getconf.patch
|
||||||
|
|
||||||
|
|
||||||
./cve-2012-4412+4424.patch
|
|
||||||
./cve-2013-4237.patch
|
|
||||||
./cve-2013-4332.patch
|
|
||||||
./cve-2013-4458.patch
|
|
||||||
./cve-2013-4788.patch
|
|
||||||
|
|
||||||
./strstr-sse42-hack.patch
|
|
||||||
];
|
];
|
||||||
|
|
||||||
postPatch = ''
|
postPatch = ''
|
||||||
@ -152,7 +136,7 @@ stdenv.mkDerivation ({
|
|||||||
}
|
}
|
||||||
else fetchurl {
|
else fetchurl {
|
||||||
url = "mirror://gnu/glibc/glibc-${version}.tar.gz";
|
url = "mirror://gnu/glibc/glibc-${version}.tar.gz";
|
||||||
sha256 = "0d3pnh6kg5r48ga5rg4lhwlc1062brr6fiqs4j23327gzssjgry8";
|
sha256 = "15n7x9mmzhd7w6s5hd9srx0h23b32gwb306x98k9ss940yvnvb8q";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Remove absolute paths from `configure' & co.; build out-of-tree.
|
# Remove absolute paths from `configure' & co.; build out-of-tree.
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -1,302 +0,0 @@
|
|||||||
commit 91ce40854d0b7f865cf5024ef95a8026b76096f3
|
|
||||||
Author: Florian Weimer <fweimer@redhat.com>
|
|
||||||
Date: Fri Aug 16 09:38:52 2013 +0200
|
|
||||||
|
|
||||||
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
|
|
||||||
|
|
||||||
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
|
|
||||||
member.
|
|
||||||
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
|
|
||||||
member.
|
|
||||||
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
|
|
||||||
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
|
|
||||||
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
|
|
||||||
conditional.
|
|
||||||
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
|
|
||||||
GETDENTS_64BIT_ALIGNED.
|
|
||||||
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
|
|
||||||
* manual/filesys.texi (Reading/Closing Directory): Document
|
|
||||||
ENAMETOOLONG return value of readdir_r. Recommend readdir more
|
|
||||||
strongly.
|
|
||||||
* manual/conf.texi (Limits for Files): Add portability note to
|
|
||||||
NAME_MAX, PATH_MAX.
|
|
||||||
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
|
|
||||||
|
|
||||||
diff --git a/manual/conf.texi b/manual/conf.texi
|
|
||||||
index 7eb8b36..c720063 100644
|
|
||||||
--- a/manual/conf.texi
|
|
||||||
+++ b/manual/conf.texi
|
|
||||||
@@ -1149,6 +1149,9 @@ typed ahead as input. @xref{I/O Queues}.
|
|
||||||
@deftypevr Macro int NAME_MAX
|
|
||||||
The uniform system limit (if any) for the length of a file name component, not
|
|
||||||
including the terminating null character.
|
|
||||||
+
|
|
||||||
+@strong{Portability Note:} On some systems, @theglibc{} defines
|
|
||||||
+@code{NAME_MAX}, but does not actually enforce this limit.
|
|
||||||
@end deftypevr
|
|
||||||
|
|
||||||
@comment limits.h
|
|
||||||
@@ -1157,6 +1160,9 @@ including the terminating null character.
|
|
||||||
The uniform system limit (if any) for the length of an entire file name (that
|
|
||||||
is, the argument given to system calls such as @code{open}), including the
|
|
||||||
terminating null character.
|
|
||||||
+
|
|
||||||
+@strong{Portability Note:} @Theglibc{} does not enforce this limit
|
|
||||||
+even if @code{PATH_MAX} is defined.
|
|
||||||
@end deftypevr
|
|
||||||
|
|
||||||
@cindex limits, pipe buffer size
|
|
||||||
@@ -1476,6 +1482,9 @@ Inquire about the value of @code{POSIX_REC_MIN_XFER_SIZE}.
|
|
||||||
Inquire about the value of @code{POSIX_REC_XFER_ALIGN}.
|
|
||||||
@end table
|
|
||||||
|
|
||||||
+@strong{Portability Note:} On some systems, @theglibc{} does not
|
|
||||||
+enforce @code{_PC_NAME_MAX} or @code{_PC_PATH_MAX} limits.
|
|
||||||
+
|
|
||||||
@node Utility Limits
|
|
||||||
@section Utility Program Capacity Limits
|
|
||||||
|
|
||||||
diff --git a/manual/filesys.texi b/manual/filesys.texi
|
|
||||||
index 1df9cf2..814c210 100644
|
|
||||||
--- a/manual/filesys.texi
|
|
||||||
+++ b/manual/filesys.texi
|
|
||||||
@@ -444,9 +444,9 @@ symbols are declared in the header file @file{dirent.h}.
|
|
||||||
@comment POSIX.1
|
|
||||||
@deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
|
|
||||||
This function reads the next entry from the directory. It normally
|
|
||||||
-returns a pointer to a structure containing information about the file.
|
|
||||||
-This structure is statically allocated and can be rewritten by a
|
|
||||||
-subsequent call.
|
|
||||||
+returns a pointer to a structure containing information about the
|
|
||||||
+file. This structure is associated with the @var{dirstream} handle
|
|
||||||
+and can be rewritten by a subsequent call.
|
|
||||||
|
|
||||||
@strong{Portability Note:} On some systems @code{readdir} may not
|
|
||||||
return entries for @file{.} and @file{..}, even though these are always
|
|
||||||
@@ -461,19 +461,61 @@ conditions are defined for this function:
|
|
||||||
The @var{dirstream} argument is not valid.
|
|
||||||
@end table
|
|
||||||
|
|
||||||
-@code{readdir} is not thread safe. Multiple threads using
|
|
||||||
-@code{readdir} on the same @var{dirstream} may overwrite the return
|
|
||||||
-value. Use @code{readdir_r} when this is critical.
|
|
||||||
+To distinguish between an end-of-directory condition or an error, you
|
|
||||||
+must set @code{errno} to zero before calling @code{readdir}. To avoid
|
|
||||||
+entering an infinite loop, you should stop reading from the directory
|
|
||||||
+after the first error.
|
|
||||||
+
|
|
||||||
+In POSIX.1-2008, @code{readdir} is not thread-safe. In @theglibc{}
|
|
||||||
+implementation, it is safe to call @code{readdir} concurrently on
|
|
||||||
+different @var{dirstream}s, but multiple threads accessing the same
|
|
||||||
+@var{dirstream} result in undefined behavior. @code{readdir_r} is a
|
|
||||||
+fully thread-safe alternative, but suffers from poor portability (see
|
|
||||||
+below). It is recommended that you use @code{readdir}, with external
|
|
||||||
+locking if multiple threads access the same @var{dirstream}.
|
|
||||||
@end deftypefun
|
|
||||||
|
|
||||||
@comment dirent.h
|
|
||||||
@comment GNU
|
|
||||||
@deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
|
|
||||||
-This function is the reentrant version of @code{readdir}. Like
|
|
||||||
-@code{readdir} it returns the next entry from the directory. But to
|
|
||||||
-prevent conflicts between simultaneously running threads the result is
|
|
||||||
-not stored in statically allocated memory. Instead the argument
|
|
||||||
-@var{entry} points to a place to store the result.
|
|
||||||
+This function is a version of @code{readdir} which performs internal
|
|
||||||
+locking. Like @code{readdir} it returns the next entry from the
|
|
||||||
+directory. To prevent conflicts between simultaneously running
|
|
||||||
+threads the result is stored inside the @var{entry} object.
|
|
||||||
+
|
|
||||||
+@strong{Portability Note:} It is recommended to use @code{readdir}
|
|
||||||
+instead of @code{readdir_r} for the following reasons:
|
|
||||||
+
|
|
||||||
+@itemize @bullet
|
|
||||||
+@item
|
|
||||||
+On systems which do not define @code{NAME_MAX}, it may not be possible
|
|
||||||
+to use @code{readdir_r} safely because the caller does not specify the
|
|
||||||
+length of the buffer for the directory entry.
|
|
||||||
+
|
|
||||||
+@item
|
|
||||||
+On some systems, @code{readdir_r} cannot read directory entries with
|
|
||||||
+very long names. If such a name is encountered, @theglibc{}
|
|
||||||
+implementation of @code{readdir_r} returns with an error code of
|
|
||||||
+@code{ENAMETOOLONG} after the final directory entry has been read. On
|
|
||||||
+other systems, @code{readdir_r} may return successfully, but the
|
|
||||||
+@code{d_name} member may not be NUL-terminated or may be truncated.
|
|
||||||
+
|
|
||||||
+@item
|
|
||||||
+POSIX-1.2008 does not guarantee that @code{readdir} is thread-safe,
|
|
||||||
+even when access to the same @var{dirstream} is serialized. But in
|
|
||||||
+current implementations (including @theglibc{}), it is safe to call
|
|
||||||
+@code{readdir} concurrently on different @var{dirstream}s, so there is
|
|
||||||
+no need to use @code{readdir_r} in most multi-threaded programs. In
|
|
||||||
+the rare case that multiple threads need to read from the same
|
|
||||||
+@var{dirstream}, it is still better to use @code{readdir} and external
|
|
||||||
+synchronization.
|
|
||||||
+
|
|
||||||
+@item
|
|
||||||
+It is expected that future versions of POSIX will obsolete
|
|
||||||
+@code{readdir_r} and mandate the level of thread safety for
|
|
||||||
+@code{readdir} which is provided by @theglibc{} and other
|
|
||||||
+implementations today.
|
|
||||||
+@end itemize
|
|
||||||
|
|
||||||
Normally @code{readdir_r} returns zero and sets @code{*@var{result}}
|
|
||||||
to @var{entry}. If there are no more entries in the directory or an
|
|
||||||
@@ -481,15 +523,6 @@ error is detected, @code{readdir_r} sets @code{*@var{result}} to a
|
|
||||||
null pointer and returns a nonzero error code, also stored in
|
|
||||||
@code{errno}, as described for @code{readdir}.
|
|
||||||
|
|
||||||
-@strong{Portability Note:} On some systems @code{readdir_r} may not
|
|
||||||
-return a NUL terminated string for the file name, even when there is no
|
|
||||||
-@code{d_reclen} field in @code{struct dirent} and the file
|
|
||||||
-name is the maximum allowed size. Modern systems all have the
|
|
||||||
-@code{d_reclen} field, and on old systems multi-threading is not
|
|
||||||
-critical. In any case there is no such problem with the @code{readdir}
|
|
||||||
-function, so that even on systems without the @code{d_reclen} member one
|
|
||||||
-could use multiple threads by using external locking.
|
|
||||||
-
|
|
||||||
It is also important to look at the definition of the @code{struct
|
|
||||||
dirent} type. Simply passing a pointer to an object of this type for
|
|
||||||
the second parameter of @code{readdir_r} might not be enough. Some
|
|
||||||
diff --git a/sysdeps/posix/dirstream.h b/sysdeps/posix/dirstream.h
|
|
||||||
index a7a074d..8e8570d 100644
|
|
||||||
--- a/sysdeps/posix/dirstream.h
|
|
||||||
+++ b/sysdeps/posix/dirstream.h
|
|
||||||
@@ -39,6 +39,8 @@ struct __dirstream
|
|
||||||
|
|
||||||
off_t filepos; /* Position of next entry to read. */
|
|
||||||
|
|
||||||
+ int errcode; /* Delayed error code. */
|
|
||||||
+
|
|
||||||
/* Directory block. */
|
|
||||||
char data[0] __attribute__ ((aligned (__alignof__ (void*))));
|
|
||||||
};
|
|
||||||
diff --git a/sysdeps/posix/opendir.c b/sysdeps/posix/opendir.c
|
|
||||||
index ddfc3a7..fc05b0f 100644
|
|
||||||
--- a/sysdeps/posix/opendir.c
|
|
||||||
+++ b/sysdeps/posix/opendir.c
|
|
||||||
@@ -231,6 +231,7 @@ __alloc_dir (int fd, bool close_fd, int flags, const struct stat64 *statp)
|
|
||||||
dirp->size = 0;
|
|
||||||
dirp->offset = 0;
|
|
||||||
dirp->filepos = 0;
|
|
||||||
+ dirp->errcode = 0;
|
|
||||||
|
|
||||||
return dirp;
|
|
||||||
}
|
|
||||||
diff --git a/sysdeps/posix/readdir_r.c b/sysdeps/posix/readdir_r.c
|
|
||||||
index b5a8e2e..8ed5c3f 100644
|
|
||||||
--- a/sysdeps/posix/readdir_r.c
|
|
||||||
+++ b/sysdeps/posix/readdir_r.c
|
|
||||||
@@ -40,6 +40,7 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
|
|
||||||
DIRENT_TYPE *dp;
|
|
||||||
size_t reclen;
|
|
||||||
const int saved_errno = errno;
|
|
||||||
+ int ret;
|
|
||||||
|
|
||||||
__libc_lock_lock (dirp->lock);
|
|
||||||
|
|
||||||
@@ -70,10 +71,10 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
|
|
||||||
bytes = 0;
|
|
||||||
__set_errno (saved_errno);
|
|
||||||
}
|
|
||||||
+ if (bytes < 0)
|
|
||||||
+ dirp->errcode = errno;
|
|
||||||
|
|
||||||
dp = NULL;
|
|
||||||
- /* Reclen != 0 signals that an error occurred. */
|
|
||||||
- reclen = bytes != 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
dirp->size = (size_t) bytes;
|
|
||||||
@@ -106,29 +107,46 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
|
|
||||||
dirp->filepos += reclen;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- /* Skip deleted files. */
|
|
||||||
+#ifdef NAME_MAX
|
|
||||||
+ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
|
|
||||||
+ {
|
|
||||||
+ /* The record is very long. It could still fit into the
|
|
||||||
+ caller-supplied buffer if we can skip padding at the
|
|
||||||
+ end. */
|
|
||||||
+ size_t namelen = _D_EXACT_NAMLEN (dp);
|
|
||||||
+ if (namelen <= NAME_MAX)
|
|
||||||
+ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ /* The name is too long. Ignore this file. */
|
|
||||||
+ dirp->errcode = ENAMETOOLONG;
|
|
||||||
+ dp->d_ino = 0;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ /* Skip deleted and ignored files. */
|
|
||||||
}
|
|
||||||
while (dp->d_ino == 0);
|
|
||||||
|
|
||||||
if (dp != NULL)
|
|
||||||
{
|
|
||||||
-#ifdef GETDENTS_64BIT_ALIGNED
|
|
||||||
- /* The d_reclen value might include padding which is not part of
|
|
||||||
- the DIRENT_TYPE data structure. */
|
|
||||||
- reclen = MIN (reclen,
|
|
||||||
- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
|
|
||||||
-#endif
|
|
||||||
*result = memcpy (entry, dp, reclen);
|
|
||||||
-#ifdef GETDENTS_64BIT_ALIGNED
|
|
||||||
+#ifdef _DIRENT_HAVE_D_RECLEN
|
|
||||||
entry->d_reclen = reclen;
|
|
||||||
#endif
|
|
||||||
+ ret = 0;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
- *result = NULL;
|
|
||||||
+ {
|
|
||||||
+ *result = NULL;
|
|
||||||
+ ret = dirp->errcode;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
__libc_lock_unlock (dirp->lock);
|
|
||||||
|
|
||||||
- return dp != NULL ? 0 : reclen ? errno : 0;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef __READDIR_R_ALIAS
|
|
||||||
diff --git a/sysdeps/posix/rewinddir.c b/sysdeps/posix/rewinddir.c
|
|
||||||
index 2935a8e..d4991ad 100644
|
|
||||||
--- a/sysdeps/posix/rewinddir.c
|
|
||||||
+++ b/sysdeps/posix/rewinddir.c
|
|
||||||
@@ -33,6 +33,7 @@ rewinddir (dirp)
|
|
||||||
dirp->filepos = 0;
|
|
||||||
dirp->offset = 0;
|
|
||||||
dirp->size = 0;
|
|
||||||
+ dirp->errcode = 0;
|
|
||||||
#ifndef NOT_IN_libc
|
|
||||||
__libc_lock_unlock (dirp->lock);
|
|
||||||
#endif
|
|
||||||
diff --git a/sysdeps/unix/sysv/linux/i386/readdir64_r.c b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
|
|
||||||
index 8ebbcfd..a7d114e 100644
|
|
||||||
--- a/sysdeps/unix/sysv/linux/i386/readdir64_r.c
|
|
||||||
+++ b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
|
|
||||||
@@ -18,7 +18,6 @@
|
|
||||||
#define __READDIR_R __readdir64_r
|
|
||||||
#define __GETDENTS __getdents64
|
|
||||||
#define DIRENT_TYPE struct dirent64
|
|
||||||
-#define GETDENTS_64BIT_ALIGNED 1
|
|
||||||
|
|
||||||
#include <sysdeps/posix/readdir_r.c>
|
|
||||||
|
|
||||||
diff --git a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
|
|
||||||
index 5ed8e95..290f2c8 100644
|
|
||||||
--- a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
|
|
||||||
+++ b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
|
|
||||||
@@ -1,5 +1,4 @@
|
|
||||||
#define readdir64_r __no_readdir64_r_decl
|
|
||||||
-#define GETDENTS_64BIT_ALIGNED 1
|
|
||||||
#include <sysdeps/posix/readdir_r.c>
|
|
||||||
#undef readdir64_r
|
|
||||||
weak_alias (__readdir_r, readdir64_r)
|
|
@ -1,56 +0,0 @@
|
|||||||
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch?h=packages/glibc
|
|
||||||
|
|
||||||
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
||||||
index dd295f5..7f43ba3 100644
|
|
||||||
--- a/malloc/malloc.c
|
|
||||||
+++ b/malloc/malloc.c
|
|
||||||
@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
|
|
||||||
size_t page_mask = GLRO(dl_pagesize) - 1;
|
|
||||||
size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
|
|
||||||
|
|
||||||
+ /* Check for overflow. */
|
|
||||||
+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
|
|
||||||
+ {
|
|
||||||
+ __set_errno (ENOMEM);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
void *(*hook) (size_t, size_t, const void *) =
|
|
||||||
force_reg (__memalign_hook);
|
|
||||||
if (__builtin_expect (hook != NULL, 0))
|
|
||||||
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
||||||
index 7f43ba3..3148c5f 100644
|
|
||||||
--- a/malloc/malloc.c
|
|
||||||
+++ b/malloc/malloc.c
|
|
||||||
@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
|
|
||||||
|
|
||||||
size_t pagesz = GLRO(dl_pagesize);
|
|
||||||
|
|
||||||
+ /* Check for overflow. */
|
|
||||||
+ if (bytes > SIZE_MAX - pagesz - MINSIZE)
|
|
||||||
+ {
|
|
||||||
+ __set_errno (ENOMEM);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
void *(*hook) (size_t, size_t, const void *) =
|
|
||||||
force_reg (__memalign_hook);
|
|
||||||
if (__builtin_expect (hook != NULL, 0))
|
|
||||||
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
||||||
index 3148c5f..f7718a9 100644
|
|
||||||
--- a/malloc/malloc.c
|
|
||||||
+++ b/malloc/malloc.c
|
|
||||||
@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
|
|
||||||
/* Otherwise, ensure that it is at least a minimum chunk size */
|
|
||||||
if (alignment < MINSIZE) alignment = MINSIZE;
|
|
||||||
|
|
||||||
+ /* Check for overflow. */
|
|
||||||
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
|
|
||||||
+ {
|
|
||||||
+ __set_errno (ENOMEM);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
arena_get(ar_ptr, bytes + alignment + MINSIZE);
|
|
||||||
if(!ar_ptr)
|
|
||||||
return 0;
|
|
@ -1,50 +0,0 @@
|
|||||||
commit 7cbcdb3699584db8913ca90f705d6337633ee10f
|
|
||||||
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
|
|
||||||
Date: Fri Oct 25 10:22:12 2013 +0530
|
|
||||||
|
|
||||||
Fix stack overflow due to large AF_INET6 requests
|
|
||||||
|
|
||||||
Resolves #16072 (CVE-2013-4458).
|
|
||||||
|
|
||||||
This patch fixes another stack overflow in getaddrinfo when it is
|
|
||||||
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
|
|
||||||
but the AF_INET6 case went undetected back then.
|
|
||||||
|
|
||||||
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
|
|
||||||
index e6ce4cf..8ff74b4 100644
|
|
||||||
--- a/sysdeps/posix/getaddrinfo.c
|
|
||||||
+++ b/sysdeps/posix/getaddrinfo.c
|
|
||||||
@@ -197,7 +197,22 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
|
|
||||||
&rc, &herrno, NULL, &localcanon)); \
|
|
||||||
if (rc != ERANGE || herrno != NETDB_INTERNAL) \
|
|
||||||
break; \
|
|
||||||
- tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \
|
|
||||||
+ if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \
|
|
||||||
+ tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \
|
|
||||||
+ alloca_used); \
|
|
||||||
+ else \
|
|
||||||
+ { \
|
|
||||||
+ char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \
|
|
||||||
+ 2 * tmpbuflen); \
|
|
||||||
+ if (newp == NULL) \
|
|
||||||
+ { \
|
|
||||||
+ result = -EAI_MEMORY; \
|
|
||||||
+ goto free_and_return; \
|
|
||||||
+ } \
|
|
||||||
+ tmpbuf = newp; \
|
|
||||||
+ malloc_tmpbuf = true; \
|
|
||||||
+ tmpbuflen = 2 * tmpbuflen; \
|
|
||||||
+ } \
|
|
||||||
} \
|
|
||||||
if (status == NSS_STATUS_SUCCESS && rc == 0) \
|
|
||||||
h = &th; \
|
|
||||||
@@ -209,7 +224,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
|
|
||||||
{ \
|
|
||||||
__set_h_errno (herrno); \
|
|
||||||
_res.options |= old_res_options & RES_USE_INET6; \
|
|
||||||
- return -EAI_SYSTEM; \
|
|
||||||
+ result = -EAI_SYSTEM; \
|
|
||||||
+ goto free_and_return; \
|
|
||||||
} \
|
|
||||||
if (herrno == TRY_AGAIN) \
|
|
||||||
no_data = EAI_AGAIN; \
|
|
@ -1,222 +0,0 @@
|
|||||||
commit c61b4d41c9647a54a329aa021341c0eb032b793e
|
|
||||||
Author: Carlos O'Donell <carlos@redhat.com>
|
|
||||||
Date: Mon Sep 23 00:52:09 2013 -0400
|
|
||||||
|
|
||||||
BZ #15754: CVE-2013-4788
|
|
||||||
|
|
||||||
The pointer guard used for pointer mangling was not initialized for
|
|
||||||
static applications resulting in the security feature being disabled.
|
|
||||||
The pointer guard is now correctly initialized to a random value for
|
|
||||||
static applications. Existing static applications need to be
|
|
||||||
recompiled to take advantage of the fix.
|
|
||||||
|
|
||||||
The test tst-ptrguard1-static and tst-ptrguard1 add regression
|
|
||||||
coverage to ensure the pointer guards are sufficiently random
|
|
||||||
and initialized to a default value.
|
|
||||||
|
|
||||||
diff --git a/csu/libc-start.c b/csu/libc-start.c
|
|
||||||
index e5da3ef..c898d06 100644
|
|
||||||
--- a/csu/libc-start.c
|
|
||||||
+++ b/csu/libc-start.c
|
|
||||||
@@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void);
|
|
||||||
in thread local area. */
|
|
||||||
uintptr_t __stack_chk_guard attribute_relro;
|
|
||||||
# endif
|
|
||||||
+# ifndef THREAD_SET_POINTER_GUARD
|
|
||||||
+/* Only exported for architectures that don't store the pointer guard
|
|
||||||
+ value in thread local area. */
|
|
||||||
+uintptr_t __pointer_chk_guard_local
|
|
||||||
+ attribute_relro attribute_hidden __attribute__ ((nocommon));
|
|
||||||
+# endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef HAVE_PTR_NTHREADS
|
|
||||||
@@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
|
|
||||||
# else
|
|
||||||
__stack_chk_guard = stack_chk_guard;
|
|
||||||
# endif
|
|
||||||
+
|
|
||||||
+ /* Set up the pointer guard value. */
|
|
||||||
+ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
|
|
||||||
+ stack_chk_guard);
|
|
||||||
+# ifdef THREAD_SET_POINTER_GUARD
|
|
||||||
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
|
|
||||||
+# else
|
|
||||||
+ __pointer_chk_guard_local = pointer_chk_guard;
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Register the destructor of the dynamic linker if there is any. */
|
|
||||||
diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h
|
|
||||||
index dc683c2..3907293 100644
|
|
||||||
--- a/ports/sysdeps/ia64/stackguard-macros.h
|
|
||||||
+++ b/ports/sysdeps/ia64/stackguard-macros.h
|
|
||||||
@@ -2,3 +2,6 @@
|
|
||||||
|
|
||||||
#define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
|
|
||||||
+
|
|
||||||
+#define POINTER_CHK_GUARD \
|
|
||||||
+ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
|
|
||||||
diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h
|
|
||||||
index 589ea2b..f2e041b 100644
|
|
||||||
--- a/ports/sysdeps/tile/stackguard-macros.h
|
|
||||||
+++ b/ports/sysdeps/tile/stackguard-macros.h
|
|
||||||
@@ -4,11 +4,17 @@
|
|
||||||
# if __WORDSIZE == 64
|
|
||||||
# define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; })
|
|
||||||
+# define POINTER_CHK_GUARD \
|
|
||||||
+ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; })
|
|
||||||
# else
|
|
||||||
# define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; })
|
|
||||||
+# define POINTER_CHK_GUARD \
|
|
||||||
+ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; })
|
|
||||||
# endif
|
|
||||||
#else
|
|
||||||
# define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; })
|
|
||||||
+# define POINTER_CHK_GUARD \
|
|
||||||
+ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; })
|
|
||||||
#endif
|
|
||||||
diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h
|
|
||||||
index ababf65..4fa3d96 100644
|
|
||||||
--- a/sysdeps/generic/stackguard-macros.h
|
|
||||||
+++ b/sysdeps/generic/stackguard-macros.h
|
|
||||||
@@ -2,3 +2,6 @@
|
|
||||||
|
|
||||||
extern uintptr_t __stack_chk_guard;
|
|
||||||
#define STACK_CHK_GUARD __stack_chk_guard
|
|
||||||
+
|
|
||||||
+extern uintptr_t __pointer_chk_guard_local;
|
|
||||||
+#define POINTER_CHK_GUARD __pointer_chk_guard_local
|
|
||||||
diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h
|
|
||||||
index 8c31e19..0397629 100644
|
|
||||||
--- a/sysdeps/i386/stackguard-macros.h
|
|
||||||
+++ b/sysdeps/i386/stackguard-macros.h
|
|
||||||
@@ -2,3 +2,11 @@
|
|
||||||
|
|
||||||
#define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
|
|
||||||
+
|
|
||||||
+#define POINTER_CHK_GUARD \
|
|
||||||
+ ({ \
|
|
||||||
+ uintptr_t x; \
|
|
||||||
+ asm ("movl %%gs:%c1, %0" : "=r" (x) \
|
|
||||||
+ : "i" (offsetof (tcbhead_t, pointer_guard))); \
|
|
||||||
+ x; \
|
|
||||||
+ })
|
|
||||||
diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h
|
|
||||||
index 839f6a4..b3d0af8 100644
|
|
||||||
--- a/sysdeps/powerpc/powerpc32/stackguard-macros.h
|
|
||||||
+++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h
|
|
||||||
@@ -2,3 +2,13 @@
|
|
||||||
|
|
||||||
#define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
|
|
||||||
+
|
|
||||||
+#define POINTER_CHK_GUARD \
|
|
||||||
+ ({ \
|
|
||||||
+ uintptr_t x; \
|
|
||||||
+ asm ("lwz %0,%1(2)" \
|
|
||||||
+ : "=r" (x) \
|
|
||||||
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
|
|
||||||
+ ); \
|
|
||||||
+ x; \
|
|
||||||
+ })
|
|
||||||
diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h
|
|
||||||
index 9da879c..4620f96 100644
|
|
||||||
--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h
|
|
||||||
+++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h
|
|
||||||
@@ -2,3 +2,13 @@
|
|
||||||
|
|
||||||
#define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
|
|
||||||
+
|
|
||||||
+#define POINTER_CHK_GUARD \
|
|
||||||
+ ({ \
|
|
||||||
+ uintptr_t x; \
|
|
||||||
+ asm ("ld %0,%1(2)" \
|
|
||||||
+ : "=r" (x) \
|
|
||||||
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
|
|
||||||
+ ); \
|
|
||||||
+ x; \
|
|
||||||
+ })
|
|
||||||
diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h
|
|
||||||
index b74c579..449e8d4 100644
|
|
||||||
--- a/sysdeps/s390/s390-32/stackguard-macros.h
|
|
||||||
+++ b/sysdeps/s390/s390-32/stackguard-macros.h
|
|
||||||
@@ -2,3 +2,14 @@
|
|
||||||
|
|
||||||
#define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
|
|
||||||
+
|
|
||||||
+/* On s390/s390x there is no unique pointer guard, instead we use the
|
|
||||||
+ same value as the stack guard. */
|
|
||||||
+#define POINTER_CHK_GUARD \
|
|
||||||
+ ({ \
|
|
||||||
+ uintptr_t x; \
|
|
||||||
+ asm ("ear %0,%%a0; l %0,%1(%0)" \
|
|
||||||
+ : "=a" (x) \
|
|
||||||
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
|
|
||||||
+ x; \
|
|
||||||
+ })
|
|
||||||
diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h
|
|
||||||
index 0cebb5f..c8270fb 100644
|
|
||||||
--- a/sysdeps/s390/s390-64/stackguard-macros.h
|
|
||||||
+++ b/sysdeps/s390/s390-64/stackguard-macros.h
|
|
||||||
@@ -2,3 +2,17 @@
|
|
||||||
|
|
||||||
#define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
|
|
||||||
+
|
|
||||||
+/* On s390/s390x there is no unique pointer guard, instead we use the
|
|
||||||
+ same value as the stack guard. */
|
|
||||||
+#define POINTER_CHK_GUARD \
|
|
||||||
+ ({ \
|
|
||||||
+ uintptr_t x; \
|
|
||||||
+ asm ("ear %0,%%a0;" \
|
|
||||||
+ "sllg %0,%0,32;" \
|
|
||||||
+ "ear %0,%%a1;" \
|
|
||||||
+ "lg %0,%1(%0)" \
|
|
||||||
+ : "=a" (x) \
|
|
||||||
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
|
|
||||||
+ x; \
|
|
||||||
+ })
|
|
||||||
diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h
|
|
||||||
index c0b02b0..1eef0f1 100644
|
|
||||||
--- a/sysdeps/sparc/sparc32/stackguard-macros.h
|
|
||||||
+++ b/sysdeps/sparc/sparc32/stackguard-macros.h
|
|
||||||
@@ -2,3 +2,6 @@
|
|
||||||
|
|
||||||
#define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
|
|
||||||
+
|
|
||||||
+#define POINTER_CHK_GUARD \
|
|
||||||
+ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; })
|
|
||||||
diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h
|
|
||||||
index 80f0635..cc0c12c 100644
|
|
||||||
--- a/sysdeps/sparc/sparc64/stackguard-macros.h
|
|
||||||
+++ b/sysdeps/sparc/sparc64/stackguard-macros.h
|
|
||||||
@@ -2,3 +2,6 @@
|
|
||||||
|
|
||||||
#define STACK_CHK_GUARD \
|
|
||||||
({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
|
|
||||||
+
|
|
||||||
+#define POINTER_CHK_GUARD \
|
|
||||||
+ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; })
|
|
||||||
diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h
|
|
||||||
index d7fedb3..1948800 100644
|
|
||||||
--- a/sysdeps/x86_64/stackguard-macros.h
|
|
||||||
+++ b/sysdeps/x86_64/stackguard-macros.h
|
|
||||||
@@ -4,3 +4,8 @@
|
|
||||||
({ uintptr_t x; \
|
|
||||||
asm ("mov %%fs:%c1, %0" : "=r" (x) \
|
|
||||||
: "i" (offsetof (tcbhead_t, stack_guard))); x; })
|
|
||||||
+
|
|
||||||
+#define POINTER_CHK_GUARD \
|
|
||||||
+ ({ uintptr_t x; \
|
|
||||||
+ asm ("mov %%fs:%c1, %0" : "=r" (x) \
|
|
||||||
+ : "i" (offsetof (tcbhead_t, pointer_guard))); x; })
|
|
@ -1,55 +0,0 @@
|
|||||||
2009-04-26 Aurelien Jarno <aurelien@aurel32.net>
|
|
||||||
|
|
||||||
* sysdeps/posix/getaddrinfo.c (rfc3484_sort): don't assign native
|
|
||||||
result if the result has no associated interface.
|
|
||||||
|
|
||||||
---
|
|
||||||
sysdeps/posix/getaddrinfo.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- a/sysdeps/posix/getaddrinfo.c
|
|
||||||
+++ b/sysdeps/posix/getaddrinfo.c
|
|
||||||
@@ -1456,13 +1456,13 @@
|
|
||||||
|
|
||||||
/* Fill in the results in all the records. */
|
|
||||||
for (int i = 0; i < src->nresults; ++i)
|
|
||||||
- if (src->results[i].index == a1_index)
|
|
||||||
+ if (a1_index != -1 && src->results[i].index == a1_index)
|
|
||||||
{
|
|
||||||
assert (src->results[i].native == -1
|
|
||||||
|| src->results[i].native == a1_native);
|
|
||||||
src->results[i].native = a1_native;
|
|
||||||
}
|
|
||||||
- else if (src->results[i].index == a2_index)
|
|
||||||
+ else if (a2_index != -1 && src->results[i].index == a2_index)
|
|
||||||
{
|
|
||||||
assert (src->results[i].native == -1
|
|
||||||
|| src->results[i].native == a2_native);
|
|
||||||
|
|
||||||
2009-03-15 Aurelien Jarno <aurelien@aurel32.net>
|
|
||||||
|
|
||||||
* sysdeps/posix/getaddrinfo.c (getaddrinfo): correctly detect
|
|
||||||
interface for all 127.X.Y.Z addresses.
|
|
||||||
|
|
||||||
---
|
|
||||||
sysdeps/posix/getaddrinfo.c | 9 ++++++++-
|
|
||||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/sysdeps/posix/getaddrinfo.c
|
|
||||||
+++ b/sysdeps/posix/getaddrinfo.c
|
|
||||||
@@ -2265,7 +2265,14 @@
|
|
||||||
tmp.addr[0] = 0;
|
|
||||||
tmp.addr[1] = 0;
|
|
||||||
tmp.addr[2] = htonl (0xffff);
|
|
||||||
- tmp.addr[3] = sinp->sin_addr.s_addr;
|
|
||||||
+ /* Special case for lo interface, the source address
|
|
||||||
+ being possibly different than the interface
|
|
||||||
+ address. */
|
|
||||||
+ if ((ntohl(sinp->sin_addr.s_addr) & 0xff000000)
|
|
||||||
+ == 0x7f000000)
|
|
||||||
+ tmp.addr[3] = htonl(0x7f000001);
|
|
||||||
+ else
|
|
||||||
+ tmp.addr[3] = sinp->sin_addr.s_addr;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
@ -1,21 +0,0 @@
|
|||||||
https://sourceware.org/bugzilla/show_bug.cgi?id=15917
|
|
||||||
|
|
||||||
commit a4966c6104918ac884ee1131a4ed23c5ad6b4c5a
|
|
||||||
Author: Andreas Schwab <schwab@suse.de>
|
|
||||||
Date: Thu Oct 31 12:51:03 2013 +0100
|
|
||||||
|
|
||||||
Fix parsing of 0e+0 as float
|
|
||||||
|
|
||||||
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
|
|
||||||
index 78dc2fc..e6fa8f3 100644
|
|
||||||
--- a/stdio-common/vfscanf.c
|
|
||||||
+++ b/stdio-common/vfscanf.c
|
|
||||||
@@ -1966,6 +1966,8 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
|
|
||||||
if (width > 0)
|
|
||||||
--width;
|
|
||||||
}
|
|
||||||
+ else
|
|
||||||
+ got_digit = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
while (1)
|
|
@ -1,14 +0,0 @@
|
|||||||
https://bugs.archlinux.org/task/36556
|
|
||||||
diff --git a/sysdeps/x86_64/multiarch/strstr.c b/sysdeps/x86_64/multiarch/strstr.c
|
|
||||||
index cd63b68..03d8b9a 100644
|
|
||||||
--- a/sysdeps/x86_64/multiarch/strstr.c
|
|
||||||
+++ b/sysdeps/x86_64/multiarch/strstr.c
|
|
||||||
@@ -86,7 +86,7 @@
|
|
||||||
/* Simple replacement of movdqu to address 4KB boundary cross issue.
|
|
||||||
If EOS occurs within less than 16B before 4KB boundary, we don't
|
|
||||||
cross to next page. */
|
|
||||||
-static __m128i
|
|
||||||
+static inline __m128i
|
|
||||||
__m128i_strloadu (const unsigned char * p, __m128i zero)
|
|
||||||
{
|
|
||||||
if (__builtin_expect ((int) ((size_t) p & 0xfff) > 0xff0, 0))
|
|
Loading…
Reference in New Issue
Block a user