From 0bb7ee3ae81de72b8d23f2f9c4705f3f1cdd25814fc21b61a23208a9c6c6460d Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Wed, 3 Sep 2014 16:20:30 +0000 Subject: [PATCH] Accepting request 247224 from Base:System - iconv-ibm-sentinel-check.patch: Fix crashes on invalid input in IBM gconv modules (CVE-2014-6040, bnc#894553, BZ #17325) (forwarded request 247223 from Andreas_Schwab) OBS-URL: https://build.opensuse.org/request/show/247224 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=183 --- glibc-testsuite.changes | 6 ++ glibc-testsuite.spec | 7 +- glibc-utils.changes | 6 ++ glibc-utils.spec | 7 +- glibc.changes | 6 ++ glibc.spec | 7 +- iconv-ibm-sentinel-check.patch | 162 +++++++++++++++++++++++++++++++++ 7 files changed, 195 insertions(+), 6 deletions(-) create mode 100644 iconv-ibm-sentinel-check.patch diff --git a/glibc-testsuite.changes b/glibc-testsuite.changes index 85c62f1..383ec79 100644 --- a/glibc-testsuite.changes +++ b/glibc-testsuite.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Sep 2 07:52:36 UTC 2014 - schwab@suse.de + +- iconv-ibm-sentinel-check.patch: Fix crashes on invalid input in IBM + gconv modules (CVE-2014-6040, bnc#894553, BZ #17325) + ------------------------------------------------------------------- Tue Aug 26 10:47:31 UTC 2014 - schwab@suse.de diff --git a/glibc-testsuite.spec b/glibc-testsuite.spec index 1c80d16..1a14e99 100644 --- a/glibc-testsuite.spec +++ b/glibc-testsuite.spec @@ -270,6 +270,8 @@ Patch1016: dt-ppc64-num.patch Patch1017: ppc64le-profiling.patch # PATCH-FIX-UPSTREAM S/390 Reverting the jmp_buf/ucontext_t ABI change (bnc#887228) Patch1018: s390-revert-abi-change.patch +# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187) +Patch1019: disable-gconv-translit-modules.patch ### # Patches awaiting upstream approval 
@@ -290,8 +292,8 @@ Patch2005: glibc-memset-nontemporal.diff Patch2006: ibm93x-redundant-shift-si.patch # PATCH-FIX-UPSTREAM Filter out PTHREAD_MUTEX_NO_ELISION_NP bit in pthread_mutexattr_gettype (BZ #15790) Patch2007: pthread-mutexattr-gettype-kind.patch -# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187) -Patch2008: disable-gconv-translit-modules.patch +# PATCH-FIX-UPSTREAM Fix crashes on invalid input in IBM gconv modules (BZ #17325) +Patch2008: iconv-ibm-sentinel-check.patch # Non-glibc patches # PATCH-FIX-OPENSUSE Remove debianisms from manpages @@ -511,6 +513,7 @@ rm nscd/s-stamp %patch1016 -p1 %patch1017 -p1 %patch1018 -p1 +%patch1019 -p1 %patch2000 -p1 %patch2001 -p1 diff --git a/glibc-utils.changes b/glibc-utils.changes index 85c62f1..383ec79 100644 --- a/glibc-utils.changes +++ b/glibc-utils.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Sep 2 07:52:36 UTC 2014 - schwab@suse.de + +- iconv-ibm-sentinel-check.patch: Fix crashes on invalid input in IBM + gconv modules (CVE-2014-6040, bnc#894553, BZ #17325) + ------------------------------------------------------------------- Tue Aug 26 10:47:31 UTC 2014 - schwab@suse.de diff --git a/glibc-utils.spec b/glibc-utils.spec index 074a4a5..1ca5852 100644 --- a/glibc-utils.spec +++ b/glibc-utils.spec @@ -269,6 +269,8 @@ Patch1016: dt-ppc64-num.patch Patch1017: ppc64le-profiling.patch # PATCH-FIX-UPSTREAM S/390 Reverting the jmp_buf/ucontext_t ABI change (bnc#887228) Patch1018: s390-revert-abi-change.patch +# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187) +Patch1019: disable-gconv-translit-modules.patch ### # Patches awaiting upstream approval 
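Review bot: The new `Patch2008` comment in the glibc-testsuite.spec hunk at -290,8 names only BZ #17325, while the changelog entry for the same patch also carries CVE-2014-6040 and bnc#894553, so a search of the spec for the CVE id will not find the fix. I would write `# PATCH-FIX-UPSTREAM Fix crashes on invalid input in IBM gconv modules (CVE-2014-6040, bnc#894553, BZ #17325)`. The same comment is added in the matching hunks of glibc-utils.spec and glibc.spec. The %prep hunk at -511,6 adds only `%patch1019 -p1`, so the security patch is applied only through a `%patch2008 -p1` line that lies outside the visible hunks; it is worth confirming that line is still present in all three spec files.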
@@ -289,8 +291,8 @@ Patch2005: glibc-memset-nontemporal.diff Patch2006: ibm93x-redundant-shift-si.patch # PATCH-FIX-UPSTREAM Filter out PTHREAD_MUTEX_NO_ELISION_NP bit in pthread_mutexattr_gettype (BZ #15790) Patch2007: pthread-mutexattr-gettype-kind.patch -# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187) -Patch2008: disable-gconv-translit-modules.patch +# PATCH-FIX-UPSTREAM Fix crashes on invalid input in IBM gconv modules (BZ #17325) +Patch2008: iconv-ibm-sentinel-check.patch # Non-glibc patches # PATCH-FIX-OPENSUSE Remove debianisms from manpages @@ -511,6 +513,7 @@ rm nscd/s-stamp %patch1016 -p1 %patch1017 -p1 %patch1018 -p1 +%patch1019 -p1 %patch2000 -p1 %patch2001 -p1 diff --git a/glibc.changes b/glibc.changes index 85c62f1..383ec79 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Sep 2 07:52:36 UTC 2014 - schwab@suse.de + +- iconv-ibm-sentinel-check.patch: Fix crashes on invalid input in IBM + gconv modules (CVE-2014-6040, bnc#894553, BZ #17325) + ------------------------------------------------------------------- Tue Aug 26 10:47:31 UTC 2014 - schwab@suse.de diff --git a/glibc.spec b/glibc.spec index 1987816..3ec081c 100644 --- a/glibc.spec +++ b/glibc.spec @@ -270,6 +270,8 @@ Patch1016: dt-ppc64-num.patch Patch1017: ppc64le-profiling.patch # PATCH-FIX-UPSTREAM S/390 Reverting the jmp_buf/ucontext_t ABI change (bnc#887228) Patch1018: s390-revert-abi-change.patch +# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187) +Patch1019: disable-gconv-translit-modules.patch ### # Patches awaiting upstream approval 
@@ -290,8 +292,8 @@ Patch2005: glibc-memset-nontemporal.diff Patch2006: ibm93x-redundant-shift-si.patch # PATCH-FIX-UPSTREAM Filter out PTHREAD_MUTEX_NO_ELISION_NP bit in pthread_mutexattr_gettype (BZ #15790) Patch2007: pthread-mutexattr-gettype-kind.patch -# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187) -Patch2008: disable-gconv-translit-modules.patch +# PATCH-FIX-UPSTREAM Fix crashes on invalid input in IBM gconv modules (BZ #17325) +Patch2008: iconv-ibm-sentinel-check.patch # Non-glibc patches # PATCH-FIX-OPENSUSE Remove debianisms from manpages @@ -511,6 +513,7 @@ rm nscd/s-stamp %patch1016 -p1 %patch1017 -p1 %patch1018 -p1 +%patch1019 -p1 %patch2000 -p1 %patch2001 -p1 diff --git a/iconv-ibm-sentinel-check.patch b/iconv-ibm-sentinel-check.patch new file mode 100644 index 0000000..9ff0980 --- /dev/null +++ b/iconv-ibm-sentinel-check.patch 
@@ -0,0 +1,162 @@ +2014-08-29 Florian Weimer + + [BZ #17325] + * iconvdata/ibm1364.c (BODY): Fix check for sentinel. + * iconvdata/ibm932.c (BODY): Replace invalid sentinel check with + assert. + * iconvdata/ibm933.c (BODY): Fix check for sentinel. + * iconvdata/ibm935.c (BODY): Likewise. + * iconvdata/ibm937.c (BODY): Likewise. + * iconvdata/ibm939.c (BODY): Likewise. + * iconvdata/ibm943.c (BODY): Replace invalid sentinel check with + assert. + * iconvdata/Makefile (iconv-test.out): Pass module list to test + script. + * iconvdata/run-iconv-test.sh: New test loop for checking for + decoder crashers. + +Index: glibc-2.19/iconvdata/Makefile +=================================================================== +--- glibc-2.19.orig/iconvdata/Makefile ++++ glibc-2.19/iconvdata/Makefile +@@ -302,6 +302,7 @@ $(objpfx)bug-iconv10.out: $(objpfx)gconv + $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \ + $(addprefix $(objpfx),$(modules.so)) \ + $(common-objdir)/iconv/iconv_prog TESTS ++ iconv_modules="$(modules)" \ + $(SHELL) $< $(common-objdir) '$(test-wrapper)' > $@ + + $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \ +Index: glibc-2.19/iconvdata/ibm1364.c +=================================================================== +--- glibc-2.19.orig/iconvdata/ibm1364.c ++++ glibc-2.19/iconvdata/ibm1364.c +@@ -220,7 +220,8 @@ enum + ++rp2; \ + \ + uint32_t res; \ +- if (__builtin_expect (ch < rp2->start, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ ++ || __builtin_expect (ch < rp2->start, 0) \ + || (res = DB_TO_UCS4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ + { \ +Index: glibc-2.19/iconvdata/ibm932.c +=================================================================== +--- glibc-2.19.orig/iconvdata/ibm932.c ++++ glibc-2.19/iconvdata/ibm932.c +@@ -73,11 +73,12 @@ + } \ + \ + ch = (ch * 0x100) + inptr[1]; \ ++ /* ch was less than 0xfd. 
*/ \ ++ assert (ch < 0xfd00); \ + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ +- || __builtin_expect (ch < rp2->start, 0) \ ++ if (__builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm932db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, '\1') == 0 && ch !=0)) \ + { \ +Index: glibc-2.19/iconvdata/ibm933.c +=================================================================== +--- glibc-2.19.orig/iconvdata/ibm933.c ++++ glibc-2.19/iconvdata/ibm933.c +@@ -161,7 +161,7 @@ enum + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm933db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ +Index: glibc-2.19/iconvdata/ibm935.c +=================================================================== +--- glibc-2.19.orig/iconvdata/ibm935.c ++++ glibc-2.19/iconvdata/ibm935.c +@@ -161,7 +161,7 @@ enum + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm935db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ +Index: glibc-2.19/iconvdata/ibm937.c +=================================================================== +--- glibc-2.19.orig/iconvdata/ibm937.c ++++ glibc-2.19/iconvdata/ibm937.c +@@ -161,7 +161,7 @@ enum + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm937db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ +Index: glibc-2.19/iconvdata/ibm939.c +=================================================================== +--- glibc-2.19.orig/iconvdata/ibm939.c ++++ glibc-2.19/iconvdata/ibm939.c +@@ -161,7 
+161,7 @@ enum + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm939db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ +Index: glibc-2.19/iconvdata/ibm943.c +=================================================================== +--- glibc-2.19.orig/iconvdata/ibm943.c ++++ glibc-2.19/iconvdata/ibm943.c +@@ -74,11 +74,12 @@ + } \ + \ + ch = (ch * 0x100) + inptr[1]; \ ++ /* ch was less than 0xfd. */ \ ++ assert (ch < 0xfd00); \ + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ +- || __builtin_expect (ch < rp2->start, 0) \ ++ if (__builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm943db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, '\1') == 0 && ch !=0)) \ + { \ +Index: glibc-2.19/iconvdata/run-iconv-test.sh +=================================================================== +--- glibc-2.19.orig/iconvdata/run-iconv-test.sh ++++ glibc-2.19/iconvdata/run-iconv-test.sh +@@ -188,6 +188,24 @@ while read utf8 from filename; do + + done < TESTS2 + ++# Check for crashes in decoders. ++printf '\016\377\377\377\377\377\377\377' > $temp1 ++for from in $iconv_modules ; do ++ echo $ac_n "test decoder $from $ac_c" ++ PROG=`eval echo $ICONV` ++ if $PROG < $temp1 >/dev/null 2>&1 ; then ++ : # fall through ++ else ++ status=$? ++ if test $status -gt 1 ; then ++ echo "/FAILED" ++ failed=1 ++ continue ++ fi ++ fi ++ echo "OK" ++done ++ + exit $failed + # Local Variables: + # mode:shell-script
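Review bot: In the ibm932.c and ibm943.c parts of iconv-ibm-sentinel-check.patch, the bound that keeps `while (ch > rp2->end) ++rp2;` inside the index table is now stated only by `assert (ch < 0xfd00)`, which is compiled out under NDEBUG and otherwise turns a violated assumption into a process abort. The bound itself presumably comes from a lead-byte check earlier in BODY, outside these hunks, and the comment `/* ch was less than 0xfd. */` reads wrongly because `ch` has just been reassigned to the two-byte value. I would reword it to `/* The lead byte was checked to be below 0xfd above, so ch < 0xfd00 and the loop stops inside the index table. */`. If these two tables end with the same 0xffff entry as the other five modules, I would also keep a runtime test for consistency: `if (__builtin_expect (rp2->start == 0xffff, 0) || __builtin_expect (ch < rp2->start, 0)`. The new loop in run-iconv-test.sh feeds one fixed byte sequence to every module, so it is not evident from the patch that it exercises the double-byte lookup in ibm932 and ibm943 at all.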