From 49ddb84d87204a62de078a6cc12f3dd2fb2b42a28e820b358bffa3058d24407a Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Wed, 31 Jan 2024 14:16:08 +0000 Subject: [PATCH] Accepting request 1143041 from home:Andreas_Schwab:Factory - syslog-buffer-overflow.patch: syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6246, CVE-2023-6779, CVE-2023-6780, bsc#1218863, bsc#1218867, bsc#1218868) - qsort-invalid-cmp.patch: qsort: handle degenerated compare function (bsc#1218866) - Change minimum GCC to 13 OBS-URL: https://build.opensuse.org/request/show/1143041 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=691 --- glibc.changes | 14 +++ glibc.spec | 10 +- qsort-invalid-cmp.patch | 29 +++++ syslog-buffer-overflow.patch | 213 +++++++++++++++++++++++++++++++++++ 4 files changed, 264 insertions(+), 2 deletions(-) create mode 100644 qsort-invalid-cmp.patch create mode 100644 syslog-buffer-overflow.patch diff --git a/glibc.changes b/glibc.changes index 9a8f775..223198f 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Wed Jan 31 09:25:16 UTC 2024 - Andreas Schwab + +- syslog-buffer-overflow.patch: syslog: Fix heap buffer overflow in + __vsyslog_internal (CVE-2023-6246, CVE-2023-6779, CVE-2023-6780, + bsc#1218863, bsc#1218867, bsc#1218868) +- qsort-invalid-cmp.patch: qsort: handle degenerated compare function + (bsc#1218866) + +------------------------------------------------------------------- +Mon Jan 29 10:06:28 UTC 2024 - Andreas Schwab + +- Change minimum GCC to 13 + ------------------------------------------------------------------- Tue Jan 23 16:15:56 UTC 2024 - Andreas Schwab diff --git a/glibc.spec b/glibc.spec index 3b6a578..4047d27 100644 --- a/glibc.spec +++ b/glibc.spec @@ -57,8 +57,8 @@ %bcond_with usrmerged %endif -%if 0%{?gcc_version} < 12 -%define with_gcc 12 +%if 0%{?gcc_version} < 13 +%define with_gcc 13 %endif # Enable support for livepatching. @@ -343,6 +343,10 @@ Patch1018: tls-modid-reuse.patch Patch1019: getaddrinfo-eai-memory.patch # PATCH-FIX-UPSTREAM libio: Check remaining buffer size in _IO_wdo_write (BZ #31183) Patch1020: libio-wdo-write.patch +# PATCH-FIX-UPSTREAM syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6246, CVE-2023-6779, CVE-2023-6780) +Patch1021: syslog-buffer-overflow.patch +# PATCH-FIX-UPSTREAM qsort: handle degenerated compare function +Patch1022: qsort-invalid-cmp.patch ### # Patches awaiting upstream approval @@ -595,6 +599,8 @@ have support for IPv6. %patch1018 -p1 %patch1019 -p1 %patch1020 -p1 +%patch1021 -p1 +%patch1022 -p1 %endif %patch2000 -p1 diff --git a/qsort-invalid-cmp.patch b/qsort-invalid-cmp.patch new file mode 100644 index 0000000..e90caf8 --- /dev/null +++ b/qsort-invalid-cmp.patch @@ -0,0 +1,29 @@ +Index: glibc-2.38/stdlib/qsort.c +=================================================================== +--- glibc-2.38.orig/stdlib/qsort.c ++++ glibc-2.38/stdlib/qsort.c +@@ -136,10 +136,12 @@ _quicksort (void *const pbase, size_t to + that this algorithm runs much faster than others. */ + do + { +- while ((*cmp) ((void *) left_ptr, (void *) mid, arg) < 0) ++ while (left_ptr != mid ++ && (*cmp) ((void *) left_ptr, (void *) mid, arg) < 0) + left_ptr += size; + +- while ((*cmp) ((void *) mid, (void *) right_ptr, arg) < 0) ++ while (right_ptr != mid ++ && (*cmp) ((void *) mid, (void *) right_ptr, arg) < 0) + right_ptr -= size; + + if (left_ptr < right_ptr) +@@ -224,7 +226,8 @@ _quicksort (void *const pbase, size_t to + while ((run_ptr += size) <= end_ptr) + { + tmp_ptr = run_ptr - size; +- while ((*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0) ++ while (tmp_ptr != base_ptr ++ && (*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0) + tmp_ptr -= size; + + tmp_ptr += size; diff --git a/syslog-buffer-overflow.patch b/syslog-buffer-overflow.patch new file mode 100644 index 0000000..cc17896 --- /dev/null +++ b/syslog-buffer-overflow.patch @@ -0,0 +1,213 @@ +diff --git a/misc/Makefile b/misc/Makefile +index 42899c2b6c..c273ec6974 100644 +--- a/misc/Makefile ++++ b/misc/Makefile +@@ -289,7 +289,10 @@ tests-special += $(objpfx)tst-error1-mem.out \ + $(objpfx)tst-allocate_once-mem.out + endif + +-tests-container := tst-syslog ++tests-container := \ ++ tst-syslog \ ++ tst-syslog-long-progname \ ++ # tests-container + + CFLAGS-select.c += -fexceptions -fasynchronous-unwind-tables + CFLAGS-tsearch.c += $(uses-callbacks) +@@ -351,6 +354,9 @@ $(objpfx)tst-allocate_once-mem.out: $(objpfx)tst-allocate_once.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \ + $(evaluate-test) + ++tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \ ++ LD_PRELOAD=libc_malloc_debug.so.0 ++ + $(objpfx)tst-select: $(librt) + $(objpfx)tst-select-time64: $(librt) + $(objpfx)tst-pselect: $(librt) +diff --git a/misc/syslog.c b/misc/syslog.c +index 1b8cb722c5..4af87f54fd 100644 +--- a/misc/syslog.c ++++ b/misc/syslog.c +@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c 8.4 (Berkeley) 3/18/94"; + #include + #include + #include ++#include + + static int LogType = SOCK_DGRAM; /* type of socket connection */ + static int LogFile = -1; /* fd for log */ +@@ -124,8 +125,9 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + { + /* Try to use a static buffer as an optimization. */ + char bufs[1024]; +- char *buf = NULL; +- size_t bufsize = 0; ++ char *buf = bufs; ++ size_t bufsize; ++ + int msgoff; + int saved_errno = errno; + +@@ -177,29 +179,55 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff) \ + "<%d>: %n", __pri, __msgoff + +- int l; ++ int l, vl; + if (has_ts) + l = __snprintf (bufs, sizeof bufs, + SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); + else + l = __snprintf (bufs, sizeof bufs, + SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); +- if (0 <= l && l < sizeof bufs) ++ if (l < 0) ++ goto out; ++ ++ char *pos; ++ size_t len; ++ ++ if (l < sizeof bufs) + { +- va_list apc; +- va_copy (apc, ap); ++ /* At this point, there is still a chance that we can print the ++ remaining part of the log into bufs and use that. */ ++ pos = bufs + l; ++ len = sizeof (bufs) - l; ++ } ++ else ++ { ++ buf = NULL; ++ /* We already know that bufs is too small to use for this log message. ++ The next vsnprintf into bufs is used only to calculate the total ++ required buffer length. We will discard bufs contents and allocate ++ an appropriately sized buffer later instead. */ ++ pos = bufs; ++ len = sizeof (bufs); ++ } + +- /* Restore errno for %m format. */ +- __set_errno (saved_errno); ++ { ++ va_list apc; ++ va_copy (apc, ap); + +- int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc, +- mode_flags); +- if (0 <= vl && vl < sizeof bufs - l) +- buf = bufs; +- bufsize = l + vl; ++ /* Restore errno for %m format. */ ++ __set_errno (saved_errno); + +- va_end (apc); +- } ++ vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); ++ va_end (apc); ++ ++ if (vl < 0 || vl >= INT_MAX - l) ++ goto out; ++ ++ if (vl >= len) ++ buf = NULL; ++ ++ bufsize = l + vl; ++ } + + if (buf == NULL) + { +@@ -209,25 +237,37 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + /* Tell the cancellation handler to free this buffer. */ + clarg.buf = buf; + ++ int cl; + if (has_ts) +- __snprintf (buf, l + 1, +- SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); ++ cl = __snprintf (buf, l + 1, ++ SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); + else +- __snprintf (buf, l + 1, +- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ cl = __snprintf (buf, l + 1, ++ SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ if (cl != l) ++ goto out; + + va_list apc; + va_copy (apc, ap); +- __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, +- mode_flags); ++ cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, ++ mode_flags); + va_end (apc); ++ ++ if (cl != vl) ++ goto out; + } + else + { ++ int bl; + /* Nothing much to do but emit an error message. */ +- bufsize = __snprintf (bufs, sizeof bufs, +- "out of memory[%d]", __getpid ()); ++ bl = __snprintf (bufs, sizeof bufs, ++ "out of memory[%d]", __getpid ()); ++ if (bl < 0 || bl >= sizeof bufs) ++ goto out; ++ ++ bufsize = bl; + buf = bufs; ++ msgoff = 0; + } + } + +diff --git a/misc/tst-syslog-long-progname.c b/misc/tst-syslog-long-progname.c +new file mode 100644 +index 0000000000..88f37a8a00 +--- /dev/null ++++ b/misc/tst-syslog-long-progname.c +@@ -0,0 +1,39 @@ ++/* Test heap buffer overflow in syslog with long __progname (CVE-2023-6246) ++ Copyright (C) 2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++ ++extern char * __progname; ++ ++static int ++do_test (void) ++{ ++ char long_progname[2048]; ++ ++ memset (long_progname, 'X', sizeof (long_progname) - 1); ++ long_progname[sizeof (long_progname) - 1] = '\0'; ++ ++ __progname = long_progname; ++ ++ syslog (LOG_INFO, "Hello, World!"); ++ ++ return 0; ++} ++ ++#include +diff --git a/misc/tst-syslog-long-progname.root/postclean.req b/misc/tst-syslog-long-progname.root/postclean.req +new file mode 100644 +index 0000000000..e69de29bb2