SHA256
3
0
forked from pool/glibc

osc copypac from project:Base:System package:glibc revision:448

OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=450
This commit is contained in:
Andreas Schwab 2017-01-12 14:55:16 +00:00 committed by Git OBS Bridge
parent fdc6f8a4db
commit 486cd1541f
7 changed files with 3 additions and 233 deletions

View File

@ -1,68 +0,0 @@
From f88759ea9bd3c8d8fef28f123ba9767cb0e421a3 Mon Sep 17 00:00:00 2001
From: Joseph Myers <joseph@codesourcery.com>
Date: Wed, 21 Dec 2016 23:44:01 +0000
Subject: [PATCH] Fix nss_nisplus build with mainline GCC (bug 20978).
glibc build with current mainline GCC fails because
nis/nss_nisplus/nisplus-alias.c contains code
if (name != NULL)
{
*errnop = EINVAL;
return NSS_STATUS_UNAVAIL;
}
char buf[strlen (name) + 9 + tablename_len];
producing an error about strlen being called on a pointer that is
always NULL (and a subsequent use of that pointer with a %s format in
snprintf).
As Andreas noted, the bogus conditional comes from a 1997 change:
- if (name == NULL || strlen(name) > 8)
- return NSS_STATUS_NOTFOUND;
- else
+ if (name != NULL || strlen(name) <= 8)
So the intention is clearly to return an error for NULL name.
This patch duly inverts the sense of the conditional. It fixes the
build with GCC mainline, and passes usual glibc testsuite testing for
x86_64. However, I have not tried any actual substantive nisplus
testing, do not have an environment for such testing, and do not know
whether it is possible that strlen (name) or tablename_len might be
large so that the VLA for buf is actually a security issue. However,
if it is a security issue, there are plenty of other similar instances
in the nisplus code (that haven't been hidden by a bogus comparison
with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
string passed to nis_list, so a local fix in the caller wouldn't
suffice anyway (see bug 20987). (Calls to strdupa and other such
macros that use alloca must be considered equally questionable
regarding stack overflow issues as direct calls to alloca and VLA
declarations.)
[BZ #20978]
* nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
Compare name == NULL, not name != NULL.
---
ChangeLog | 4 ++++
nis/nss_nisplus/nisplus-alias.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
index 7f698b4e6d..cb5acce01d 100644
--- a/nis/nss_nisplus/nisplus-alias.c
+++ b/nis/nss_nisplus/nisplus-alias.c
@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
return status;
}
- if (name != NULL)
+ if (name == NULL)
{
*errnop = EINVAL;
return NSS_STATUS_UNAVAIL;
--
2.11.0

View File

@ -1,102 +0,0 @@
From 5874510faaf3cbd0bb112aaacab9f225002beed1 Mon Sep 17 00:00:00 2001
From: Joseph Myers <joseph@codesourcery.com>
Date: Tue, 8 Nov 2016 23:44:51 +0000
Subject: [PATCH] Fix rpcgen buffer overrun (bug 20790).
Building with GCC 7 produces an error building rpcgen:
rpc_parse.c: In function 'get_prog_declaration':
rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
~~~~^
rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
That buffer overrun is for the case where the .x file declares a
program with a million arguments. The strcpy two lines above can
generate a buffer overrun much more simply for a long argument name.
The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
provides a bound on the buffer size needed, so this patch just changes
the buffer size to MAXLINESIZE to avoid both possible buffer
overruns. A testcase is added that rpcgen does not crash with a
500-character argument name, where it previously crashed.
It would not at all surprise me if there are many other ways of
crashing rpcgen with either valid or invalid input; fuzz testing would
likely find various such bugs, though I don't think they are that
important to fix (rpcgen is not that likely to be used with untrusted
.x files as input). (As well as fuzz-findable bugs there are probably
also issues when various int variables get overflowed on very large
input.) The test infrastructure for rpcgen-not-crashing tests would
need extending if tests are to be added for cases where rpcgen should
produce an error, as opposed to cases where it should succeed.
Tested for x86_64 and x86.
[BZ #20790]
* sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
to MAXLINESIZE.
* sunrpc/bug20790.x: New file.
* sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
variable.
[$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
[$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
---
ChangeLog | 9 +++++++++
sunrpc/Makefile | 11 +++++++++++
sunrpc/bug20790.x | 1 +
sunrpc/rpc_parse.c | 2 +-
4 files changed, 22 insertions(+), 1 deletion(-)
create mode 100644 sunrpc/bug20790.x
diff --git a/sunrpc/Makefile b/sunrpc/Makefile
index 789ef423e5..99e5c3ccf8 100644
--- a/sunrpc/Makefile
+++ b/sunrpc/Makefile
@@ -103,6 +103,11 @@ ifeq ($(have-thread-library),yes)
xtests += thrsvc
endif
+ifeq ($(run-built-tests),yes)
+rpcgen-tests := $(objpfx)bug20790.out
+tests-special += $(rpcgen-tests)
+endif
+
headers += $(rpcsvc:%.x=rpcsvc/%.h)
extra-libs := librpcsvc
extra-libs-others := librpcsvc # Make it in `others' pass, not `lib' pass.
@@ -225,3 +230,9 @@ endif
endif
$(objpfx)thrsvc: $(common-objpfx)linkobj/libc.so $(shared-thread-library)
+
+ifeq ($(run-built-tests),yes)
+$(rpcgen-tests): $(objpfx)%.out: %.x $(objpfx)rpcgen
+ $(built-program-cmd) -c $< -o $@; \
+ $(evaluate-test)
+endif
diff --git a/sunrpc/bug20790.x b/sunrpc/bug20790.x
new file mode 100644
index 0000000000..a00c9b3830
--- /dev/null
+++ b/sunrpc/bug20790.x
@@ -0,0 +1 @@
+program TPROG { version TVERS { int FUNC(int aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) = 1; } = 1; } = 1;
diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
index 1a1df6d8c2..505a6554cf 100644
--- a/sunrpc/rpc_parse.c
+++ b/sunrpc/rpc_parse.c
@@ -521,7 +521,7 @@ static void
get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
{
token tok;
- char name[10]; /* argument name */
+ char name[MAXLINESIZE]; /* argument name */
if (dkind == DEF_PROGRAM)
{
--
2.11.0

View File

@ -1,40 +0,0 @@
From e223d1fe72e820d96f43831412ab267a1ace04d0 Mon Sep 17 00:00:00 2001
From: steve ellcey-CA Eng-Software
<sellcey@sellcey-thinkpad.caveonetworks.com>
Date: Fri, 14 Oct 2016 12:53:27 -0700
Subject: [PATCH] Fix warnings from latest GCC.
* sysdeps/ieee754/dbl-64/e_pow.c (checkint) Make conditions explicitly
boolean.
---
ChangeLog | 5 +++++
sysdeps/ieee754/dbl-64/e_pow.c | 8 ++++----
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/sysdeps/ieee754/dbl-64/e_pow.c b/sysdeps/ieee754/dbl-64/e_pow.c
index 663fa39..bd758b5 100644
--- a/sysdeps/ieee754/dbl-64/e_pow.c
+++ b/sysdeps/ieee754/dbl-64/e_pow.c
@@ -466,15 +466,15 @@ checkint (double x)
return (n & 1) ? -1 : 1; /* odd or even */
if (k > 20)
{
- if (n << (k - 20))
+ if (n << (k - 20) != 0)
return 0; /* if not integer */
- return (n << (k - 21)) ? -1 : 1;
+ return (n << (k - 21) != 0) ? -1 : 1;
}
if (n)
return 0; /*if not integer */
if (k == 20)
return (m & 1) ? -1 : 1;
- if (m << (k + 12))
+ if (m << (k + 12) != 0)
return 0;
- return (m << (k + 11)) ? -1 : 1;
+ return (m << (k + 11) != 0) ? -1 : 1;
}
--
2.10.2

View File

@ -1,7 +1,7 @@
#
# spec file for package glibc-testsuite
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed

View File

@ -1,7 +1,7 @@
#
# spec file for package glibc-utils
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed

View File

@ -1,14 +1,3 @@
-------------------------------------------------------------------
Fri Dec 23 08:57:59 UTC 2016 - mliska@suse.cz
- Add gcc7-Fix-rpcgen-buffer-overrun-bug-20790.patch and
gcc7-Fix-nss_nisplus-build-with-mainline-GCC-bug-20978.patch patches.
-------------------------------------------------------------------
Mon Nov 28 13:55:27 UTC 2016 - mliska@suse.cz
- Add gcc7-fix-warnings.patch patch to handle new GCC 7 warning.
-------------------------------------------------------------------
Thu Oct 13 08:24:22 UTC 2016 - schwab@suse.de

View File

@ -1,7 +1,7 @@
#
# spec file for package glibc
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -220,12 +220,6 @@ Patch18: glibc-cpusetsize.diff
Patch19: nscd-server-user.patch
# PATCH-FEATURE-SLE powerpc: enable TLE only if GLIBC_ELISION_ENABLE=yes is defined
Patch21: powerpc-elision-enable-envvar.patch
# PATCH-FIX-OPENSUSE -- Fix GCC7 warnings
Patch22: gcc7-fix-warnings.patch
# PATCH-FIX-OPENSUSE -- Fix bug 20790
Patch23: gcc7-Fix-rpcgen-buffer-overrun-bug-20790.patch
# PATCH-FIX-OPENSUSE -- Fix bug 20978
Patch24: gcc7-Fix-nss_nisplus-build-with-mainline-GCC-bug-20978.patch
### Locale related patches
# PATCH-FIX-OPENSUSE Add additional locales
@ -466,9 +460,6 @@ rm nscd/s-stamp
%patch18 -p1
%patch19 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch100 -p1
%patch102 -p1