From 71ba03d4deb60a06adc45a4a5c7dc846af47e326e048b14e154fc4fcea9f7f52 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Wed, 16 Dec 2020 16:31:56 +0000 Subject: [PATCH] Accepting request 856525 from home:Andreas_Schwab:Factory - aarch64-static-pie.patch: fix static PIE start code for BTI (bsc#1179450, BZ #27068) - iconv-redundant-shift.patch: iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv-ucs4-loop-bounds.patch: iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - printf-long-double-non-normal.patch: x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - get-nprocs-cpu-online-parsing.patch: Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) OBS-URL: https://build.opensuse.org/request/show/856525 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=574 --- aarch64-static-pie.patch | 25 +++++ get-nprocs-cpu-online-parsing.patch | 35 +++++++ glibc.changes | 16 ++- glibc.spec | 15 +++ iconv-redundant-shift.patch | 82 ++++++++++++++++ iconv-ucs4-loop-bounds.patch | 147 ++++++++++++++++++++++++++++ printf-long-double-non-normal.patch | 124 +++++++++++++++++++++++ 7 files changed, 443 insertions(+), 1 deletion(-) create mode 100644 aarch64-static-pie.patch create mode 100644 get-nprocs-cpu-online-parsing.patch create mode 100644 iconv-redundant-shift.patch create mode 100644 iconv-ucs4-loop-bounds.patch create mode 100644 printf-long-double-non-normal.patch diff --git a/aarch64-static-pie.patch b/aarch64-static-pie.patch new file mode 100644 index 0000000..6319e46 --- /dev/null +++ b/aarch64-static-pie.patch @@ -0,0 +1,25 @@ +From d4136903a29baabeec8987b53081def8b4a49826 Mon Sep 17 00:00:00 2001 +From: Guillaume Gardet +Date: Mon, 14 Dec 2020 15:38:22 +0000 +Subject: [PATCH] aarch64: fix static PIE start code for BTI [BZ #27068] + +A bti c was missing from rcrt1.o which made all -static-pie +binaries fail at program startup on BTI enabled systems. + +Fixes bug 27068. +--- + sysdeps/aarch64/start.S | 1 + + 1 file changed, 1 insertion(+) + +Index: glibc-2.32/sysdeps/aarch64/start.S +=================================================================== +--- glibc-2.32.orig/sysdeps/aarch64/start.S ++++ glibc-2.32/sysdeps/aarch64/start.S +@@ -101,6 +101,7 @@ _start: + because crt1.o and rcrt1.o share code and the later must avoid the + use of GOT relocations before __libc_start_main is called. */ + __wrap_main: ++ BTI_C + b main + #endif + diff --git a/get-nprocs-cpu-online-parsing.patch b/get-nprocs-cpu-online-parsing.patch new file mode 100644 index 0000000..c65e26f --- /dev/null +++ b/get-nprocs-cpu-online-parsing.patch @@ -0,0 +1,35 @@ +From b5eeca8cfd9d0fd92b5633a88901d9ff27f2b496 Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Tue, 8 Dec 2020 19:17:41 +0100 +Subject: [PATCH] Fix parsing of /sys/devices/system/cpu/online (bug 25859) + +The file contains comma-separated ranges, not spaces. +--- + sysdeps/unix/sysv/linux/getsysstats.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +Index: glibc-2.32/sysdeps/unix/sysv/linux/getsysstats.c +=================================================================== +--- glibc-2.32.orig/sysdeps/unix/sysv/linux/getsysstats.c ++++ glibc-2.32/sysdeps/unix/sysv/linux/getsysstats.c +@@ -143,6 +143,7 @@ __get_nprocs (void) + char *re = buffer_end; + + const int flags = O_RDONLY | O_CLOEXEC; ++ /* This file contains comma-separated ranges. */ + int fd = __open_nocancel ("/sys/devices/system/cpu/online", flags); + char *l; + int result = 0; +@@ -175,10 +176,10 @@ __get_nprocs (void) + result += m - n + 1; + + l = endp; +- while (l < re && isspace (*l)) ++ if (l < re && *l == ',') + ++l; + } +- while (l < re); ++ while (l < re && *l != '\n'); + + __close_nocancel_nostatus (fd); + diff --git a/glibc.changes b/glibc.changes index affc635..942dac3 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Dec 15 16:41:29 UTC 2020 - Andreas Schwab + +- aarch64-static-pie.patch: fix static PIE start code for BTI + (bsc#1179450, BZ #27068) +- iconv-redundant-shift.patch: iconv: Accept redundant shift sequences in + IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) +- iconv-ucs4-loop-bounds.patch: iconv: Fix incorrect UCS4 inner loop + bounds (CVE-2020-29562, bsc#1179694, BZ #26923) +- printf-long-double-non-normal.patch: x86: Harden printf against + non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) +- get-nprocs-cpu-online-parsing.patch: Fix parsing of + /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) + ------------------------------------------------------------------- Tue Nov 10 15:36:40 UTC 2020 - Andreas Schwab @@ -13,7 +27,7 @@ Mon Oct 26 07:07:38 UTC 2020 - Richard Biener - Use --enable-cet on x86_64 to instrument glibc for indirect branch tracking and shadow stack use. Enable indirect branch tracking - and shadow stack in the dynamic loader. [jsc#PM-2110] [bsc#1175154] + and shadow stack in the dynamic loader (jsc#PM-2110, bsc#1175154) ------------------------------------------------------------------- Tue Sep 8 08:00:33 UTC 2020 - Andreas Schwab diff --git a/glibc.spec b/glibc.spec index 532c2aa..d8776ae 100644 --- a/glibc.spec +++ b/glibc.spec @@ -269,6 +269,16 @@ Patch1002: intl-codeset-suffixes.patch Patch1003: strerrorname-np.patch # PATCH-FIX-UPSTREAM sysvipc: Fix SEM_STAT_ANY kernel argument pass (BZ #26637, BZ #26639, BZ #26636) Patch1004: sysvipc.patch +# PATCH-FIX-UPSTREAM aarch64: fix static PIE start code for BTI (BZ #27068) +Patch1005: aarch64-static-pie.patch +# PATCH-FIX-UPSTREAM iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, BZ #26224) +Patch1006: iconv-redundant-shift.patch +# PATCH-FIX-UPSTREAM iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, BZ#26923) +Patch1007: iconv-ucs4-loop-bounds.patch +# PATCH-FIX-UPSTREAM x86: Harden printf against non-normal long double values (CVE-2020-29573, BZ #26649) +Patch1008: printf-long-double-non-normal.patch +# PATCH-FIX-UPSTREAM Fix parsing of /sys/devices/system/cpu/online (BZ #25859) +Patch1009: get-nprocs-cpu-online-parsing.patch ### # Patches awaiting upstream approval @@ -486,6 +496,11 @@ makedb: A program to create a database for nss %patch1002 -p1 %patch1003 -p1 %patch1004 -p1 +%patch1005 -p1 +%patch1006 -p1 +%patch1007 -p1 +%patch1008 -p1 +%patch1009 -p1 %patch2000 -p1 %patch2001 -p1 diff --git a/iconv-redundant-shift.patch b/iconv-redundant-shift.patch new file mode 100644 index 0000000..58e52b6 --- /dev/null +++ b/iconv-redundant-shift.patch @@ -0,0 +1,82 @@ +From 9a99c682144bdbd40792ebf822fe9264e0376fb5 Mon Sep 17 00:00:00 2001 +From: Arjun Shankar +Date: Wed, 4 Nov 2020 12:19:38 +0100 +Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ + #26224] + +The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets +share converter logic (iconvdata/ibm1364.c) which would reject +redundant shift sequences when processing input in these character +sets. This led to a hang in the iconv program (CVE-2020-27618). + +This commit adjusts the converter to ignore redundant shift sequences +and adds test cases for iconv_prog hangs that would be triggered upon +their rejection. This brings the implementation in line with other +converters that also ignore redundant shift sequences (e.g. IBM930 +etc., fixed in commit 692de4b3960d). + +Reviewed-by: Carlos O'Donell +--- + NEWS | 4 +++- + iconv/tst-iconv_prog.sh | 16 ++++++++++------ + iconvdata/ibm1364.c | 14 ++------------ + 3 files changed, 15 insertions(+), 19 deletions(-) + +Index: glibc-2.32/iconv/tst-iconv_prog.sh +=================================================================== +--- glibc-2.32.orig/iconv/tst-iconv_prog.sh ++++ glibc-2.32/iconv/tst-iconv_prog.sh +@@ -102,12 +102,16 @@ hangarray=( + "\x00\x80;-c;IBM1161;UTF-8//TRANSLIT//IGNORE" + "\x00\xdb;-c;IBM1162;UTF-8//TRANSLIT//IGNORE" + "\x00\x70;-c;IBM12712;UTF-8//TRANSLIT//IGNORE" +-# These are known hangs that are yet to be fixed: +-# "\x00\x0f;-c;IBM1364;UTF-8" +-# "\x00\x0f;-c;IBM1371;UTF-8" +-# "\x00\x0f;-c;IBM1388;UTF-8" +-# "\x00\x0f;-c;IBM1390;UTF-8" +-# "\x00\x0f;-c;IBM1399;UTF-8" ++"\x00\x0f;-c;IBM1364;UTF-8" ++"\x0e\x0e;-c;IBM1364;UTF-8" ++"\x00\x0f;-c;IBM1371;UTF-8" ++"\x0e\x0e;-c;IBM1371;UTF-8" ++"\x00\x0f;-c;IBM1388;UTF-8" ++"\x0e\x0e;-c;IBM1388;UTF-8" ++"\x00\x0f;-c;IBM1390;UTF-8" ++"\x0e\x0e;-c;IBM1390;UTF-8" ++"\x00\x0f;-c;IBM1399;UTF-8" ++"\x0e\x0e;-c;IBM1399;UTF-8" + "\x00\x53;-c;IBM16804;UTF-8//TRANSLIT//IGNORE" + "\x00\x41;-c;IBM274;UTF-8//TRANSLIT//IGNORE" + "\x00\x41;-c;IBM275;UTF-8//TRANSLIT//IGNORE" +Index: glibc-2.32/iconvdata/ibm1364.c +=================================================================== +--- glibc-2.32.orig/iconvdata/ibm1364.c ++++ glibc-2.32/iconvdata/ibm1364.c +@@ -158,24 +158,14 @@ enum + \ + if (__builtin_expect (ch, 0) == SO) \ + { \ +- /* Shift OUT, change to DBCS converter. */ \ +- if (curcs == db) \ +- { \ +- result = __GCONV_ILLEGAL_INPUT; \ +- break; \ +- } \ ++ /* Shift OUT, change to DBCS converter (redundant escape okay). */ \ + curcs = db; \ + ++inptr; \ + continue; \ + } \ + if (__builtin_expect (ch, 0) == SI) \ + { \ +- /* Shift IN, change to SBCS converter. */ \ +- if (curcs == sb) \ +- { \ +- result = __GCONV_ILLEGAL_INPUT; \ +- break; \ +- } \ ++ /* Shift IN, change to SBCS converter (redundant escape okay). */ \ + curcs = sb; \ + ++inptr; \ + continue; \ diff --git a/iconv-ucs4-loop-bounds.patch b/iconv-ucs4-loop-bounds.patch new file mode 100644 index 0000000..ac7be10 --- /dev/null +++ b/iconv-ucs4-loop-bounds.patch @@ -0,0 +1,147 @@ +From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001 +From: Michael Colavita +Date: Thu, 19 Nov 2020 11:44:40 -0500 +Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923) + +Previously, in UCS4 conversion routines we limit the number of +characters we examine to the minimum of the number of characters in the +input and the number of characters in the output. This is not the +correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume +an output character when we skip a code unit. Instead, track the input +and output pointers and terminate the loop when either reaches its +limit. + +This resolves assertion failures when resetting the input buffer in a step of +iconv, which assumes that the input will be fully consumed given sufficient +output space. +--- + iconv/Makefile | 2 +- + iconv/gconv_simple.c | 16 ++++---------- + iconv/tst-iconv8.c | 50 ++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 55 insertions(+), 13 deletions(-) + create mode 100644 iconv/tst-iconv8.c + +Index: glibc-2.32/iconv/Makefile +=================================================================== +--- glibc-2.32.orig/iconv/Makefile ++++ glibc-2.32/iconv/Makefile +@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERAT + CFLAGS-simple-hash.c += -I../locale + + tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \ +- tst-iconv7 tst-iconv-mt tst-iconv-opt ++ tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt + + others = iconv_prog iconvconfig + install-others-programs = $(inst_bindir)/iconv +Index: glibc-2.32/iconv/gconv_simple.c +=================================================================== +--- glibc-2.32.orig/iconv/gconv_simple.c ++++ glibc-2.32/iconv/gconv_simple.c +@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step + int flags = step_data->__flags; + const unsigned char *inptr = *inptrp; + unsigned char *outptr = *outptrp; +- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4; + int result; +- size_t cnt; + +- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4) ++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4) + { + uint32_t inval; + +@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __g + int flags = step_data->__flags; + const unsigned char *inptr = *inptrp; + unsigned char *outptr = *outptrp; +- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4; + int result; +- size_t cnt; + +- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4) ++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4) + { + if (__glibc_unlikely (inptr[0] > 0x80)) + { +@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_ste + int flags = step_data->__flags; + const unsigned char *inptr = *inptrp; + unsigned char *outptr = *outptrp; +- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4; + int result; +- size_t cnt; + +- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4) ++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4) + { + uint32_t inval; + +@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct _ + int flags = step_data->__flags; + const unsigned char *inptr = *inptrp; + unsigned char *outptr = *outptrp; +- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4; + int result; +- size_t cnt; + +- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4) ++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4) + { + if (__glibc_unlikely (inptr[3] > 0x80)) + { +Index: glibc-2.32/iconv/tst-iconv8.c +=================================================================== +--- /dev/null ++++ glibc-2.32/iconv/tst-iconv8.c +@@ -0,0 +1,50 @@ ++/* Test iconv behavior on UCS4 conversions with //IGNORE. ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++/* Derived from BZ #26923 */ ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/"); ++ TEST_VERIFY_EXIT (cd != (iconv_t) -1); ++ ++ /* ++ * Convert sequence beginning with an irreversible character into buffer that ++ * is too small. ++ */ ++ char input[12] = "\xe1\x80\xa1" "AAAAAAAAA"; ++ char *inptr = input; ++ size_t insize = sizeof (input); ++ char output[6]; ++ char *outptr = output; ++ size_t outsize = sizeof (output); ++ ++ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1); ++ TEST_VERIFY (errno == E2BIG); ++ ++ TEST_VERIFY_EXIT (iconv_close (cd) != -1); ++ ++ return 0; ++} ++ ++#include diff --git a/printf-long-double-non-normal.patch b/printf-long-double-non-normal.patch new file mode 100644 index 0000000..7565f91 --- /dev/null +++ b/printf-long-double-non-normal.patch @@ -0,0 +1,124 @@ +From 681900d29683722b1cb0a8e565a0585846ec5a61 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Tue, 22 Sep 2020 19:07:48 +0200 +Subject: [PATCH] x86: Harden printf against non-normal long double values (bug + 26649) + +The behavior of isnan/__builtin_isnan on bit patterns that do not +correspond to something that the CPU would produce from valid inputs +is currently under-defined in the toolchain. (The GCC built-in and +glibc disagree.) + +The isnan check in PRINTF_FP_FETCH in stdio-common/printf_fp.c +assumes the GCC behavior that returns true for non-normal numbers +which are not specified as NaN. (The glibc implementation returns +false for such numbers.) + +At present, passing non-normal numbers to __mpn_extract_long_double +causes this function to produce irregularly shaped multi-precision +integers, triggering undefined behavior in __printf_fp_l. + +With GCC 10 and glibc 2.32, this behavior is not visible because +__builtin_isnan is used, which avoids calling +__mpn_extract_long_double in this case. This commit updates the +implementation of __mpn_extract_long_double so that regularly shaped +multi-precision integers are produced in this case, avoiding +undefined behavior in __printf_fp_l. +--- + sysdeps/x86/Makefile | 4 ++ + sysdeps/x86/ldbl2mpn.c | 8 ++++ + sysdeps/x86/tst-ldbl-nonnormal-printf.c | 52 +++++++++++++++++++++++++ + 3 files changed, 64 insertions(+) + create mode 100644 sysdeps/x86/tst-ldbl-nonnormal-printf.c + +Index: glibc-2.32/sysdeps/i386/ldbl2mpn.c +=================================================================== +--- glibc-2.32.orig/sysdeps/i386/ldbl2mpn.c ++++ glibc-2.32/sysdeps/i386/ldbl2mpn.c +@@ -115,6 +115,14 @@ __mpn_extract_long_double (mp_ptr res_pt + && res_ptr[N - 1] == 0) + /* Pseudo zero. */ + *expt = 0; ++ else ++ /* Unlike other floating point formats, the most significant bit ++ is explicit and expected to be set for normal numbers. Set it ++ in case it is cleared in the input. Otherwise, callers will ++ not be able to produce the expected multi-precision integer ++ layout by shifting. */ ++ res_ptr[N - 1] |= (mp_limb_t) 1 << (LDBL_MANT_DIG - 1 ++ - ((N - 1) * BITS_PER_MP_LIMB)); + + return N; + } +Index: glibc-2.32/sysdeps/x86/Makefile +=================================================================== +--- glibc-2.32.orig/sysdeps/x86/Makefile ++++ glibc-2.32/sysdeps/x86/Makefile +@@ -9,6 +9,10 @@ tests += tst-get-cpu-features tst-get-cp + tests-static += tst-get-cpu-features-static + endif + ++ifeq ($(subdir),math) ++tests += tst-ldbl-nonnormal-printf ++endif # $(subdir) == math ++ + ifeq ($(subdir),setjmp) + gen-as-const-headers += jmp_buf-ssp.sym + sysdep_routines += __longjmp_cancel +Index: glibc-2.32/sysdeps/x86/tst-ldbl-nonnormal-printf.c +=================================================================== +--- /dev/null ++++ glibc-2.32/sysdeps/x86/tst-ldbl-nonnormal-printf.c +@@ -0,0 +1,52 @@ ++/* Test printf with x86-specific non-normal long double value. ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++ ++/* Fill the stack with non-zero values. This makes a crash in ++ snprintf more likely. */ ++static void __attribute__ ((noinline, noclone)) ++fill_stack (void) ++{ ++ char buffer[65536]; ++ memset (buffer, 0xc0, sizeof (buffer)); ++ asm ("" ::: "memory"); ++} ++ ++static int ++do_test (void) ++{ ++ fill_stack (); ++ ++ long double value; ++ memcpy (&value, "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04", 10); ++ ++ char buf[30]; ++ int ret = snprintf (buf, sizeof (buf), "%Lg", value); ++ TEST_COMPARE (ret, strlen (buf)); ++ if (strcmp (buf, "nan") != 0) ++ /* If snprintf does not recognize the non-normal number as a NaN, ++ it has added the missing explicit MSB. */ ++ TEST_COMPARE_STRING (buf, "3.02201e-4624"); ++ return 0; ++} ++ ++#include