diff --git a/glibc-testsuite.changes b/glibc-testsuite.changes index 20dc6fd..36fc946 100644 --- a/glibc-testsuite.changes +++ b/glibc-testsuite.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Mar 29 13:09:49 UTC 2017 - schwab@suse.de + +- i686-memchr-sse.patch: Fix i686 memchr overflow calculation + (bsc#1031021, BZ #21182) +- sunrpc-use-after-free.patch: Avoid use-after-free read access in + clntudp_call (BZ #21115) +- Build testsuite with gdb and python-pexpect to enable more tests + ------------------------------------------------------------------- Wed Feb 8 09:38:15 UTC 2017 - schwab@suse.de diff --git a/glibc-testsuite.spec b/glibc-testsuite.spec index 9c60f57..e36a20f 100644 --- a/glibc-testsuite.spec +++ b/glibc-testsuite.spec @@ -47,8 +47,10 @@ BuildRequires: systemd-rpm-macros BuildRequires: xz %if %{testsuite_build} BuildRequires: gcc-c++ +BuildRequires: gdb BuildRequires: glibc-devel-static BuildRequires: libstdc++-devel +BuildRequires: python-pexpect %endif %if %{utils_build} BuildRequires: gd-devel @@ -251,6 +253,10 @@ Patch306: glibc-fix-double-loopback.diff ### # PATCH-FIX-UPSTREAM Fix getting tunable values on big-endian (BZ #21109) Patch1000: tunables-bigendian.patch +# PATCH-FIX-UPSTREAM Fix i686 memchr overflow calculation (BZ #21182) +Patch1001: i686-memchr-sse.patch +# PATCH-FIX-UPSTREAM Avoid use-after-free read access in clntudp_call (BZ #21115) +Patch1002: sunrpc-use-after-free.patch ### # Patches awaiting upstream approval @@ -472,6 +478,8 @@ rm nscd/s-stamp %patch306 -p1 %patch1000 -p1 +%patch1001 -p1 +%patch1002 -p1 %patch2000 -p1 %patch2001 -p1 diff --git a/glibc-utils.changes b/glibc-utils.changes index 20dc6fd..36fc946 100644 --- a/glibc-utils.changes +++ b/glibc-utils.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Mar 29 13:09:49 UTC 2017 - schwab@suse.de + +- i686-memchr-sse.patch: Fix i686 memchr overflow calculation + (bsc#1031021, BZ #21182) +- sunrpc-use-after-free.patch: Avoid use-after-free read access in + clntudp_call (BZ #21115) +- Build testsuite with gdb and python-pexpect to enable more tests + ------------------------------------------------------------------- Wed Feb 8 09:38:15 UTC 2017 - schwab@suse.de diff --git a/glibc-utils.spec b/glibc-utils.spec index 16c5515..e04201f 100644 --- a/glibc-utils.spec +++ b/glibc-utils.spec @@ -45,8 +45,10 @@ BuildRequires: systemd-rpm-macros BuildRequires: xz %if %{testsuite_build} BuildRequires: gcc-c++ +BuildRequires: gdb BuildRequires: glibc-devel-static BuildRequires: libstdc++-devel +BuildRequires: python-pexpect %endif %if %{utils_build} BuildRequires: gd-devel @@ -249,6 +251,10 @@ Patch306: glibc-fix-double-loopback.diff ### # PATCH-FIX-UPSTREAM Fix getting tunable values on big-endian (BZ #21109) Patch1000: tunables-bigendian.patch +# PATCH-FIX-UPSTREAM Fix i686 memchr overflow calculation (BZ #21182) +Patch1001: i686-memchr-sse.patch +# PATCH-FIX-UPSTREAM Avoid use-after-free read access in clntudp_call (BZ #21115) +Patch1002: sunrpc-use-after-free.patch ### # Patches awaiting upstream approval @@ -471,6 +477,8 @@ rm nscd/s-stamp %patch306 -p1 %patch1000 -p1 +%patch1001 -p1 +%patch1002 -p1 %patch2000 -p1 %patch2001 -p1 diff --git a/glibc.changes b/glibc.changes index 20dc6fd..36fc946 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Mar 29 13:09:49 UTC 2017 - schwab@suse.de + +- i686-memchr-sse.patch: Fix i686 memchr overflow calculation + (bsc#1031021, BZ #21182) +- sunrpc-use-after-free.patch: Avoid use-after-free read access in + clntudp_call (BZ #21115) +- Build testsuite with gdb and python-pexpect to enable more tests + ------------------------------------------------------------------- Wed Feb 8 09:38:15 UTC 2017 - schwab@suse.de diff --git a/glibc.spec b/glibc.spec index 1b50e49..60003f1 100644 --- a/glibc.spec +++ b/glibc.spec @@ -47,8 +47,10 @@ BuildRequires: systemd-rpm-macros BuildRequires: xz %if %{testsuite_build} BuildRequires: gcc-c++ +BuildRequires: gdb BuildRequires: glibc-devel-static BuildRequires: libstdc++-devel +BuildRequires: python-pexpect %endif %if %{utils_build} BuildRequires: gd-devel @@ -251,6 +253,10 @@ Patch306: glibc-fix-double-loopback.diff ### # PATCH-FIX-UPSTREAM Fix getting tunable values on big-endian (BZ #21109) Patch1000: tunables-bigendian.patch +# PATCH-FIX-UPSTREAM Fix i686 memchr overflow calculation (BZ #21182) +Patch1001: i686-memchr-sse.patch +# PATCH-FIX-UPSTREAM Avoid use-after-free read access in clntudp_call (BZ #21115) +Patch1002: sunrpc-use-after-free.patch ### # Patches awaiting upstream approval @@ -472,6 +478,8 @@ rm nscd/s-stamp %patch306 -p1 %patch1000 -p1 +%patch1001 -p1 +%patch1002 -p1 %patch2000 -p1 %patch2001 -p1 diff --git a/i686-memchr-sse.patch b/i686-memchr-sse.patch new file mode 100644 index 0000000..a201f51 --- /dev/null +++ b/i686-memchr-sse.patch @@ -0,0 +1,45 @@ +2017-03-29 Adhemerval Zanella + + [BZ# 21182] + * string/test-memchr.c (do_test): Add BZ#21182 checks for address + near end of a page. + * sysdeps/i386/i686/multiarch/memchr-sse2.S (__memchr): Fix + overflow calculation. + +Index: glibc-2.25/string/test-memchr.c +=================================================================== +--- glibc-2.25.orig/string/test-memchr.c ++++ glibc-2.25/string/test-memchr.c +@@ -208,6 +208,12 @@ test_main (void) + do_test (0, i, i + 1, i + 1, 0); + } + ++ /* BZ#21182 - wrong overflow calculation for i686 implementation ++ with address near end of the page. */ ++ for (i = 2; i < 16; ++i) ++ /* page_size is in fact getpagesize() * 2. */ ++ do_test (page_size / 2 - i, i, i, 1, 0x9B); ++ + do_random_tests (); + return ret; + } +Index: glibc-2.25/sysdeps/i386/i686/multiarch/memchr-sse2.S +=================================================================== +--- glibc-2.25.orig/sysdeps/i386/i686/multiarch/memchr-sse2.S ++++ glibc-2.25/sysdeps/i386/i686/multiarch/memchr-sse2.S +@@ -117,7 +117,6 @@ L(crosscache): + + # ifndef USE_AS_RAWMEMCHR + jnz L(match_case2_prolog1) +- lea -16(%edx), %edx + /* Calculate the last acceptable address and check for possible + addition overflow by using satured math: + edx = ecx + edx +@@ -125,6 +124,7 @@ L(crosscache): + add %ecx, %edx + sbb %eax, %eax + or %eax, %edx ++ sub $16, %edx + jbe L(return_null) + lea 16(%edi), %edi + # else diff --git a/sunrpc-use-after-free.patch b/sunrpc-use-after-free.patch new file mode 100644 index 0000000..b1ddd22 --- /dev/null +++ b/sunrpc-use-after-free.patch @@ -0,0 +1,111 @@ +2017-02-27 Florian Weimer + + [BZ #21115] + * sunrpc/clnt_udp.c (clntudp_call): Free ancillary data later. + * sunrpc/Makefile (tests): Add tst-udp-error. + (tst-udp-error): Link against libc.so explicitly. + * sunrpc/tst-udp-error: New file. + +Index: glibc-2.25/sunrpc/Makefile +=================================================================== +--- glibc-2.25.orig/sunrpc/Makefile ++++ glibc-2.25/sunrpc/Makefile +@@ -93,7 +93,7 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_ + extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs)) + others += rpcgen + +-tests = tst-xdrmem tst-xdrmem2 test-rpcent ++tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error + xtests := tst-getmyaddr + + ifeq ($(have-thread-library),yes) +@@ -155,6 +155,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS) + $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so + $(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so + $(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so ++$(objpfx)tst-udp-error: $(common-objpfx)linkobj/libc.so + + $(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs)) + +Index: glibc-2.25/sunrpc/clnt_udp.c +=================================================================== +--- glibc-2.25.orig/sunrpc/clnt_udp.c ++++ glibc-2.25/sunrpc/clnt_udp.c +@@ -424,9 +424,9 @@ send_again: + cmsg = CMSG_NXTHDR (&msg, cmsg)) + if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) + { +- free (cbuf); + e = (struct sock_extended_err *) CMSG_DATA(cmsg); + cu->cu_error.re_errno = e->ee_errno; ++ free (cbuf); + return (cu->cu_error.re_status = RPC_CANTRECV); + } + free (cbuf); +Index: glibc-2.25/sunrpc/tst-udp-error.c +=================================================================== +--- /dev/null ++++ glibc-2.25/sunrpc/tst-udp-error.c +@@ -0,0 +1,62 @@ ++/* Check for use-after-free in clntudp_call (bug 21115). ++ Copyright (C) 2017 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ support_become_root (); ++ support_enter_network_namespace (); ++ ++ /* Obtain a likely-unused port number. */ ++ struct sockaddr_in sin = ++ { ++ .sin_family = AF_INET, ++ .sin_addr.s_addr = htonl (INADDR_LOOPBACK), ++ }; ++ { ++ int fd = xsocket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); ++ xbind (fd, (struct sockaddr *) &sin, sizeof (sin)); ++ socklen_t sinlen = sizeof (sin); ++ xgetsockname (fd, (struct sockaddr *) &sin, &sinlen); ++ /* Close the socket, so that we will receive an error below. */ ++ close (fd); ++ } ++ ++ int sock = RPC_ANYSOCK; ++ CLIENT *clnt = clntudp_create ++ (&sin, 1, 2, (struct timeval) { 1, 0 }, &sock); ++ TEST_VERIFY_EXIT (clnt != NULL); ++ TEST_VERIFY (clnt_call (clnt, 3, ++ (xdrproc_t) xdr_void, NULL, ++ (xdrproc_t) xdr_void, NULL, ++ ((struct timeval) { 3, 0 })) ++ == RPC_CANTRECV); ++ clnt_destroy (clnt); ++ ++ return 0; ++} ++ ++#include