Accepting request 611652 from home:Andreas_Schwab:Factory

- mempcpy-avx512.patch: Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (CVE-2018-11237, bsc#1094154) - realpath-ssize-max-overflow.patch: Fix overflow in path length computation (CVE-2018-11236, bsc#1094161, BZ #22786) - Use %license also for COPYING, COPYING.LIB OBS-URL: https://build.opensuse.org/request/show/611652 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=505
2018-05-23 13:22:23 +00:00 · 2018-05-23 13:22:23 +00:00 · 43169f4d3a
commit 43169f4d3a
parent ba841278f7
4 changed files with 190 additions and 3 deletions
--- a/glibc.changes
+++ b/glibc.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed May 23 08:18:00 UTC 2018 - schwab@suse.de
+
+- mempcpy-avx512.patch: Don't write beyond destination in
+  __mempcpy_avx512_no_vzeroupper (CVE-2018-11237, bsc#1094154)
+- realpath-ssize-max-overflow.patch: Fix overflow in path length
+  computation (CVE-2018-11236, bsc#1094161, BZ #22786)
+- Use %license also for COPYING, COPYING.LIB
+
 -------------------------------------------------------------------
 Thu Apr 12 08:12:30 UTC 2018 - schwab@suse.de

@ -7,7 +16,7 @@ Thu Apr 12 08:12:30 UTC 2018 - schwab@suse.de
 Thu Mar 29 09:53:52 UTC 2018 - schwab@suse.de

 - i386-memmove-sse2-unaligned.patch: Fix SSE2 memmove issue when crossing
-  2GB boundary (BZ #22644)
+  2GB boundary (CVE-2017-18269, bnc#1094150, BZ #22644)

 -------------------------------------------------------------------
 Tue Mar 27 11:30:49 UTC 2018 - schwab@suse.de
--- a/glibc.spec
+++ b/glibc.spec
@ -302,8 +302,12 @@ Patch1008:      riscv-tls-init.patch
 Patch1009:      riscv-fmax-fmin-nan.patch
 # PATCH-FIX-UPSTREAM Fix crash in resolver on memory allocation failure (BZ #23005)
 Patch1010:      res-send-enomem.patch
-# PATCH-FIX-UPSTREAM memmove-sse2-unaligned on 32bit x86 produces garbage when crossing 2GB threshold (BZ #22644)
+# PATCH-FIX-UPSTREAM memmove-sse2-unaligned on 32bit x86 produces garbage when crossing 2GB threshold (CVE-2017-18269, BZ #22644)
 Patch1011:      i386-memmove-sse2-unaligned.patch
+# PATCH-FIX-UPSTREAM __mempcpy_avx512_no_vzeroupper mishandles large copies (CVE-2018-11237, BZ #23196)
+Patch1012:      mempcpy-avx512.patch
+# PATCH-FIX-UPSTREAM realpath-ssize-max-overflow.patch: Fix overflow in path length computation (CVE-2018-11236, BZ #22786)
+Patch1013:      realpath-ssize-max-overflow.patch

 ### 
 # Patches awaiting upstream approval
@ -525,6 +529,8 @@ mv crypt_blowfish-%crypt_bf_version/*.[chS] crypt/
 %patch1009 -p1
 %patch1010 -p1
 %patch1011 -p1
+%patch1012 -p1
+%patch1013 -p1

 %patch2000 -p1
 %patch2004 -p1
@ -1252,7 +1258,8 @@ exit 0

 %files devel
 %defattr(-,root,root)
-%doc COPYING COPYING.LIB NEWS README
+%license COPYING COPYING.LIB
+%doc NEWS README
 %doc %{_mandir}/man1/catchsegv.1.gz
 %doc %{_mandir}/man3/*
 %{_bindir}/catchsegv
--- a/mempcpy-avx512.patch
+++ b/mempcpy-avx512.patch
@ -0,0 +1,42 @@
+	[BZ #23196]
+	CVE-2018-11237
+	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+	(L(preloop_large)): Save initial destination pointer in %r11 and
+	use it instead of %rax after the loop.
+	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
+Index: glibc-2.27/string/test-mempcpy.c
+===================================================================
+--- glibc-2.27.orig/string/test-mempcpy.c
+++ glibc-2.27/string/test-mempcpy.c
+@@ -18,6 +18,7 @@
+    <http://www.gnu.org/licenses/>.  */
+ 
+ #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
+ #define TEST_MAIN
+ #define TEST_NAME "mempcpy"
+ #include "test-string.h"
+Index: glibc-2.27/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+===================================================================
+--- glibc-2.27.orig/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ glibc-2.27/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+@@ -336,6 +336,7 @@ L(preloop_large):
+ 	vmovups	(%rsi), %zmm4
+ 	vmovups	0x40(%rsi), %zmm5
+ 
+	mov	%rdi, %r11
+ /* Align destination for access with non-temporal stores in the loop.  */
+ 	mov	%rdi, %r8
+ 	and	$-0x80, %rdi
+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
+ 	cmp	$256, %rdx
+ 	ja	L(gobble_256bytes_nt_loop)
+ 	sfence
+-	vmovups	%zmm4, (%rax)
+-	vmovups	%zmm5, 0x40(%rax)
+	vmovups	%zmm4, (%r11)
+	vmovups	%zmm5, 0x40(%r11)
+ 	jmp	L(check)
+ 
+ L(preloop_large_bkw):
--- a/realpath-ssize-max-overflow.patch
+++ b/realpath-ssize-max-overflow.patch
@ -0,0 +1,129 @@
+2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #22786]
+	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
+	computation.
+	* stdlib/Makefile (test-bz22786): New test.
+	* stdlib/test-bz22786.c: New test.
+
+Index: glibc-2.27/stdlib/Makefile
+===================================================================
+--- glibc-2.27.orig/stdlib/Makefile
+++ glibc-2.27/stdlib/Makefile
+@@ -84,7 +84,7 @@ tests		:= tst-strtol tst-strtod testmb t
+ 		   tst-cxa_atexit tst-on_exit test-atexit-race 		    \
+ 		   test-at_quick_exit-race test-cxa_atexit-race             \
+ 		   test-on_exit-race test-dlclose-exit-race 		    \
+-		   tst-makecontext-align
+		   tst-makecontext-align test-bz22786
+ 
+ tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
+ 		   tst-tls-atexit tst-tls-atexit-nodelete
+Index: glibc-2.27/stdlib/canonicalize.c
+===================================================================
+--- glibc-2.27.orig/stdlib/canonicalize.c
+++ glibc-2.27/stdlib/canonicalize.c
+@@ -181,7 +181,7 @@ __realpath (const char *name, char *reso
+ 		extra_buf = __alloca (path_max);
+ 
+ 	      len = strlen (end);
+-	      if ((long int) (n + len) >= path_max)
+	      if (path_max - n <= len)
+ 		{
+ 		  __set_errno (ENAMETOOLONG);
+ 		  goto error;
+Index: glibc-2.27/stdlib/test-bz22786.c
+===================================================================
+--- /dev/null
+++ glibc-2.27/stdlib/test-bz22786.c
+@@ -0,0 +1,90 @@
+/* Bug 22786: test for buffer overflow in realpath.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* This file must be run from within a directory called "stdlib".  */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <support/test-driver.h>
+#include <libc-diag.h>
+
+static int
+do_test (void)
+{
+  const char dir[] = "bz22786";
+  const char lnk[] = "bz22786/symlink";
+
+  rmdir (dir);
+  if (mkdir (dir, 0755) != 0 && errno != EEXIST)
+    {
+      printf ("mkdir %s: %m\n", dir);
+      return EXIT_FAILURE;
+    }
+  if (symlink (".", lnk) != 0 && errno != EEXIST)
+    {
+      printf ("symlink (%s, %s): %m\n", dir, lnk);
+      return EXIT_FAILURE;
+    }
+
+  const size_t path_len = (size_t) INT_MAX + 1;
+
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+  /* GCC 7 warns about too-large allocations; here we need such
+     allocation to succeed for the test to work.  */
+  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
+  char *path = malloc (path_len);
+  DIAG_POP_NEEDS_COMMENT;
+
+  if (path == NULL)
+    {
+      printf ("malloc (%zu): %m\n", path_len);
+      return EXIT_UNSUPPORTED;
+    }
+
+  /* Construct very long path = "bz22786/symlink/aaaa....."  */
+  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
+  *(p++) = '/';
+  memset (p, 'a', path_len - (path - p) - 2);
+  p[path_len - (path - p) - 1] = '\0';
+
+  /* This call crashes before the fix for bz22786 on 32-bit platforms.  */
+  p = realpath (path, NULL);
+
+  if (p != NULL || errno != ENAMETOOLONG)
+    {
+      printf ("realpath: %s (%m)", p);
+      return EXIT_FAILURE;
+    }
+
+  /* Cleanup.  */
+  unlink (lnk);
+  rmdir (dir);
+
+  return 0;
+}
+
+#define TEST_FUNCTION do_test
+#include <support/test-driver.c>