forked from pool/glibc
Accepting request 856525 from home:Andreas_Schwab:Factory
- aarch64-static-pie.patch: fix static PIE start code for BTI (bsc#1179450, BZ #27068) - iconv-redundant-shift.patch: iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv-ucs4-loop-bounds.patch: iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - printf-long-double-non-normal.patch: x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - get-nprocs-cpu-online-parsing.patch: Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) OBS-URL: https://build.opensuse.org/request/show/856525 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=574
This commit is contained in:
parent
f1d8923af9
commit
71ba03d4de
25
aarch64-static-pie.patch
Normal file
25
aarch64-static-pie.patch
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
From d4136903a29baabeec8987b53081def8b4a49826 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Guillaume Gardet <guillaume.gardet@arm.com>
|
||||||
|
Date: Mon, 14 Dec 2020 15:38:22 +0000
|
||||||
|
Subject: [PATCH] aarch64: fix static PIE start code for BTI [BZ #27068]
|
||||||
|
|
||||||
|
A bti c was missing from rcrt1.o which made all -static-pie
|
||||||
|
binaries fail at program startup on BTI enabled systems.
|
||||||
|
|
||||||
|
Fixes bug 27068.
|
||||||
|
---
|
||||||
|
sysdeps/aarch64/start.S | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
Index: glibc-2.32/sysdeps/aarch64/start.S
|
||||||
|
===================================================================
|
||||||
|
--- glibc-2.32.orig/sysdeps/aarch64/start.S
|
||||||
|
+++ glibc-2.32/sysdeps/aarch64/start.S
|
||||||
|
@@ -101,6 +101,7 @@ _start:
|
||||||
|
because crt1.o and rcrt1.o share code and the later must avoid the
|
||||||
|
use of GOT relocations before __libc_start_main is called. */
|
||||||
|
__wrap_main:
|
||||||
|
+ BTI_C
|
||||||
|
b main
|
||||||
|
#endif
|
||||||
|
|
35
get-nprocs-cpu-online-parsing.patch
Normal file
35
get-nprocs-cpu-online-parsing.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
From b5eeca8cfd9d0fd92b5633a88901d9ff27f2b496 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schwab <schwab@linux-m68k.org>
|
||||||
|
Date: Tue, 8 Dec 2020 19:17:41 +0100
|
||||||
|
Subject: [PATCH] Fix parsing of /sys/devices/system/cpu/online (bug 25859)
|
||||||
|
|
||||||
|
The file contains comma-separated ranges, not spaces.
|
||||||
|
---
|
||||||
|
sysdeps/unix/sysv/linux/getsysstats.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
Index: glibc-2.32/sysdeps/unix/sysv/linux/getsysstats.c
|
||||||
|
===================================================================
|
||||||
|
--- glibc-2.32.orig/sysdeps/unix/sysv/linux/getsysstats.c
|
||||||
|
+++ glibc-2.32/sysdeps/unix/sysv/linux/getsysstats.c
|
||||||
|
@@ -143,6 +143,7 @@ __get_nprocs (void)
|
||||||
|
char *re = buffer_end;
|
||||||
|
|
||||||
|
const int flags = O_RDONLY | O_CLOEXEC;
|
||||||
|
+ /* This file contains comma-separated ranges. */
|
||||||
|
int fd = __open_nocancel ("/sys/devices/system/cpu/online", flags);
|
||||||
|
char *l;
|
||||||
|
int result = 0;
|
||||||
|
@@ -175,10 +176,10 @@ __get_nprocs (void)
|
||||||
|
result += m - n + 1;
|
||||||
|
|
||||||
|
l = endp;
|
||||||
|
- while (l < re && isspace (*l))
|
||||||
|
+ if (l < re && *l == ',')
|
||||||
|
++l;
|
||||||
|
}
|
||||||
|
- while (l < re);
|
||||||
|
+ while (l < re && *l != '\n');
|
||||||
|
|
||||||
|
__close_nocancel_nostatus (fd);
|
||||||
|
|
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 15 16:41:29 UTC 2020 - Andreas Schwab <schwab@suse.de>
|
||||||
|
|
||||||
|
- aarch64-static-pie.patch: fix static PIE start code for BTI
|
||||||
|
(bsc#1179450, BZ #27068)
|
||||||
|
- iconv-redundant-shift.patch: iconv: Accept redundant shift sequences in
|
||||||
|
IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
|
||||||
|
- iconv-ucs4-loop-bounds.patch: iconv: Fix incorrect UCS4 inner loop
|
||||||
|
bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
|
||||||
|
- printf-long-double-non-normal.patch: x86: Harden printf against
|
||||||
|
non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
|
||||||
|
- get-nprocs-cpu-online-parsing.patch: Fix parsing of
|
||||||
|
/sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Nov 10 15:36:40 UTC 2020 - Andreas Schwab <schwab@suse.de>
|
Tue Nov 10 15:36:40 UTC 2020 - Andreas Schwab <schwab@suse.de>
|
||||||
|
|
||||||
@ -13,7 +27,7 @@ Mon Oct 26 07:07:38 UTC 2020 - Richard Biener <rguenther@suse.com>
|
|||||||
|
|
||||||
- Use --enable-cet on x86_64 to instrument glibc for indirect branch
|
- Use --enable-cet on x86_64 to instrument glibc for indirect branch
|
||||||
tracking and shadow stack use. Enable indirect branch tracking
|
tracking and shadow stack use. Enable indirect branch tracking
|
||||||
and shadow stack in the dynamic loader. [jsc#PM-2110] [bsc#1175154]
|
and shadow stack in the dynamic loader (jsc#PM-2110, bsc#1175154)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Sep 8 08:00:33 UTC 2020 - Andreas Schwab <schwab@suse.de>
|
Tue Sep 8 08:00:33 UTC 2020 - Andreas Schwab <schwab@suse.de>
|
||||||
|
15
glibc.spec
15
glibc.spec
@ -269,6 +269,16 @@ Patch1002: intl-codeset-suffixes.patch
|
|||||||
Patch1003: strerrorname-np.patch
|
Patch1003: strerrorname-np.patch
|
||||||
# PATCH-FIX-UPSTREAM sysvipc: Fix SEM_STAT_ANY kernel argument pass (BZ #26637, BZ #26639, BZ #26636)
|
# PATCH-FIX-UPSTREAM sysvipc: Fix SEM_STAT_ANY kernel argument pass (BZ #26637, BZ #26639, BZ #26636)
|
||||||
Patch1004: sysvipc.patch
|
Patch1004: sysvipc.patch
|
||||||
|
# PATCH-FIX-UPSTREAM aarch64: fix static PIE start code for BTI (BZ #27068)
|
||||||
|
Patch1005: aarch64-static-pie.patch
|
||||||
|
# PATCH-FIX-UPSTREAM iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, BZ #26224)
|
||||||
|
Patch1006: iconv-redundant-shift.patch
|
||||||
|
# PATCH-FIX-UPSTREAM iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, BZ#26923)
|
||||||
|
Patch1007: iconv-ucs4-loop-bounds.patch
|
||||||
|
# PATCH-FIX-UPSTREAM x86: Harden printf against non-normal long double values (CVE-2020-29573, BZ #26649)
|
||||||
|
Patch1008: printf-long-double-non-normal.patch
|
||||||
|
# PATCH-FIX-UPSTREAM Fix parsing of /sys/devices/system/cpu/online (BZ #25859)
|
||||||
|
Patch1009: get-nprocs-cpu-online-parsing.patch
|
||||||
|
|
||||||
###
|
###
|
||||||
# Patches awaiting upstream approval
|
# Patches awaiting upstream approval
|
||||||
@ -486,6 +496,11 @@ makedb: A program to create a database for nss
|
|||||||
%patch1002 -p1
|
%patch1002 -p1
|
||||||
%patch1003 -p1
|
%patch1003 -p1
|
||||||
%patch1004 -p1
|
%patch1004 -p1
|
||||||
|
%patch1005 -p1
|
||||||
|
%patch1006 -p1
|
||||||
|
%patch1007 -p1
|
||||||
|
%patch1008 -p1
|
||||||
|
%patch1009 -p1
|
||||||
|
|
||||||
%patch2000 -p1
|
%patch2000 -p1
|
||||||
%patch2001 -p1
|
%patch2001 -p1
|
||||||
|
82
iconv-redundant-shift.patch
Normal file
82
iconv-redundant-shift.patch
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
From 9a99c682144bdbd40792ebf822fe9264e0376fb5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Arjun Shankar <arjun@redhat.com>
|
||||||
|
Date: Wed, 4 Nov 2020 12:19:38 +0100
|
||||||
|
Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ
|
||||||
|
#26224]
|
||||||
|
|
||||||
|
The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets
|
||||||
|
share converter logic (iconvdata/ibm1364.c) which would reject
|
||||||
|
redundant shift sequences when processing input in these character
|
||||||
|
sets. This led to a hang in the iconv program (CVE-2020-27618).
|
||||||
|
|
||||||
|
This commit adjusts the converter to ignore redundant shift sequences
|
||||||
|
and adds test cases for iconv_prog hangs that would be triggered upon
|
||||||
|
their rejection. This brings the implementation in line with other
|
||||||
|
converters that also ignore redundant shift sequences (e.g. IBM930
|
||||||
|
etc., fixed in commit 692de4b3960d).
|
||||||
|
|
||||||
|
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
|
||||||
|
---
|
||||||
|
NEWS | 4 +++-
|
||||||
|
iconv/tst-iconv_prog.sh | 16 ++++++++++------
|
||||||
|
iconvdata/ibm1364.c | 14 ++------------
|
||||||
|
3 files changed, 15 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
Index: glibc-2.32/iconv/tst-iconv_prog.sh
|
||||||
|
===================================================================
|
||||||
|
--- glibc-2.32.orig/iconv/tst-iconv_prog.sh
|
||||||
|
+++ glibc-2.32/iconv/tst-iconv_prog.sh
|
||||||
|
@@ -102,12 +102,16 @@ hangarray=(
|
||||||
|
"\x00\x80;-c;IBM1161;UTF-8//TRANSLIT//IGNORE"
|
||||||
|
"\x00\xdb;-c;IBM1162;UTF-8//TRANSLIT//IGNORE"
|
||||||
|
"\x00\x70;-c;IBM12712;UTF-8//TRANSLIT//IGNORE"
|
||||||
|
-# These are known hangs that are yet to be fixed:
|
||||||
|
-# "\x00\x0f;-c;IBM1364;UTF-8"
|
||||||
|
-# "\x00\x0f;-c;IBM1371;UTF-8"
|
||||||
|
-# "\x00\x0f;-c;IBM1388;UTF-8"
|
||||||
|
-# "\x00\x0f;-c;IBM1390;UTF-8"
|
||||||
|
-# "\x00\x0f;-c;IBM1399;UTF-8"
|
||||||
|
+"\x00\x0f;-c;IBM1364;UTF-8"
|
||||||
|
+"\x0e\x0e;-c;IBM1364;UTF-8"
|
||||||
|
+"\x00\x0f;-c;IBM1371;UTF-8"
|
||||||
|
+"\x0e\x0e;-c;IBM1371;UTF-8"
|
||||||
|
+"\x00\x0f;-c;IBM1388;UTF-8"
|
||||||
|
+"\x0e\x0e;-c;IBM1388;UTF-8"
|
||||||
|
+"\x00\x0f;-c;IBM1390;UTF-8"
|
||||||
|
+"\x0e\x0e;-c;IBM1390;UTF-8"
|
||||||
|
+"\x00\x0f;-c;IBM1399;UTF-8"
|
||||||
|
+"\x0e\x0e;-c;IBM1399;UTF-8"
|
||||||
|
"\x00\x53;-c;IBM16804;UTF-8//TRANSLIT//IGNORE"
|
||||||
|
"\x00\x41;-c;IBM274;UTF-8//TRANSLIT//IGNORE"
|
||||||
|
"\x00\x41;-c;IBM275;UTF-8//TRANSLIT//IGNORE"
|
||||||
|
Index: glibc-2.32/iconvdata/ibm1364.c
|
||||||
|
===================================================================
|
||||||
|
--- glibc-2.32.orig/iconvdata/ibm1364.c
|
||||||
|
+++ glibc-2.32/iconvdata/ibm1364.c
|
||||||
|
@@ -158,24 +158,14 @@ enum
|
||||||
|
\
|
||||||
|
if (__builtin_expect (ch, 0) == SO) \
|
||||||
|
{ \
|
||||||
|
- /* Shift OUT, change to DBCS converter. */ \
|
||||||
|
- if (curcs == db) \
|
||||||
|
- { \
|
||||||
|
- result = __GCONV_ILLEGAL_INPUT; \
|
||||||
|
- break; \
|
||||||
|
- } \
|
||||||
|
+ /* Shift OUT, change to DBCS converter (redundant escape okay). */ \
|
||||||
|
curcs = db; \
|
||||||
|
++inptr; \
|
||||||
|
continue; \
|
||||||
|
} \
|
||||||
|
if (__builtin_expect (ch, 0) == SI) \
|
||||||
|
{ \
|
||||||
|
- /* Shift IN, change to SBCS converter. */ \
|
||||||
|
- if (curcs == sb) \
|
||||||
|
- { \
|
||||||
|
- result = __GCONV_ILLEGAL_INPUT; \
|
||||||
|
- break; \
|
||||||
|
- } \
|
||||||
|
+ /* Shift IN, change to SBCS converter (redundant escape okay). */ \
|
||||||
|
curcs = sb; \
|
||||||
|
++inptr; \
|
||||||
|
continue; \
|
147
iconv-ucs4-loop-bounds.patch
Normal file
147
iconv-ucs4-loop-bounds.patch
Normal file
@ -0,0 +1,147 @@
|
|||||||
|
From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Colavita <mcolavita@fb.com>
|
||||||
|
Date: Thu, 19 Nov 2020 11:44:40 -0500
|
||||||
|
Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923)
|
||||||
|
|
||||||
|
Previously, in UCS4 conversion routines we limit the number of
|
||||||
|
characters we examine to the minimum of the number of characters in the
|
||||||
|
input and the number of characters in the output. This is not the
|
||||||
|
correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume
|
||||||
|
an output character when we skip a code unit. Instead, track the input
|
||||||
|
and output pointers and terminate the loop when either reaches its
|
||||||
|
limit.
|
||||||
|
|
||||||
|
This resolves assertion failures when resetting the input buffer in a step of
|
||||||
|
iconv, which assumes that the input will be fully consumed given sufficient
|
||||||
|
output space.
|
||||||
|
---
|
||||||
|
iconv/Makefile | 2 +-
|
||||||
|
iconv/gconv_simple.c | 16 ++++----------
|
||||||
|
iconv/tst-iconv8.c | 50 ++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
3 files changed, 55 insertions(+), 13 deletions(-)
|
||||||
|
create mode 100644 iconv/tst-iconv8.c
|
||||||
|
|
||||||
|
Index: glibc-2.32/iconv/Makefile
|
||||||
|
===================================================================
|
||||||
|
--- glibc-2.32.orig/iconv/Makefile
|
||||||
|
+++ glibc-2.32/iconv/Makefile
|
||||||
|
@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERAT
|
||||||
|
CFLAGS-simple-hash.c += -I../locale
|
||||||
|
|
||||||
|
tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
|
||||||
|
- tst-iconv7 tst-iconv-mt tst-iconv-opt
|
||||||
|
+ tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt
|
||||||
|
|
||||||
|
others = iconv_prog iconvconfig
|
||||||
|
install-others-programs = $(inst_bindir)/iconv
|
||||||
|
Index: glibc-2.32/iconv/gconv_simple.c
|
||||||
|
===================================================================
|
||||||
|
--- glibc-2.32.orig/iconv/gconv_simple.c
|
||||||
|
+++ glibc-2.32/iconv/gconv_simple.c
|
||||||
|
@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step
|
||||||
|
int flags = step_data->__flags;
|
||||||
|
const unsigned char *inptr = *inptrp;
|
||||||
|
unsigned char *outptr = *outptrp;
|
||||||
|
- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
|
||||||
|
int result;
|
||||||
|
- size_t cnt;
|
||||||
|
|
||||||
|
- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
|
||||||
|
+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
|
||||||
|
{
|
||||||
|
uint32_t inval;
|
||||||
|
|
||||||
|
@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __g
|
||||||
|
int flags = step_data->__flags;
|
||||||
|
const unsigned char *inptr = *inptrp;
|
||||||
|
unsigned char *outptr = *outptrp;
|
||||||
|
- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
|
||||||
|
int result;
|
||||||
|
- size_t cnt;
|
||||||
|
|
||||||
|
- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
|
||||||
|
+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
|
||||||
|
{
|
||||||
|
if (__glibc_unlikely (inptr[0] > 0x80))
|
||||||
|
{
|
||||||
|
@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_ste
|
||||||
|
int flags = step_data->__flags;
|
||||||
|
const unsigned char *inptr = *inptrp;
|
||||||
|
unsigned char *outptr = *outptrp;
|
||||||
|
- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
|
||||||
|
int result;
|
||||||
|
- size_t cnt;
|
||||||
|
|
||||||
|
- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
|
||||||
|
+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
|
||||||
|
{
|
||||||
|
uint32_t inval;
|
||||||
|
|
||||||
|
@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct _
|
||||||
|
int flags = step_data->__flags;
|
||||||
|
const unsigned char *inptr = *inptrp;
|
||||||
|
unsigned char *outptr = *outptrp;
|
||||||
|
- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
|
||||||
|
int result;
|
||||||
|
- size_t cnt;
|
||||||
|
|
||||||
|
- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
|
||||||
|
+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
|
||||||
|
{
|
||||||
|
if (__glibc_unlikely (inptr[3] > 0x80))
|
||||||
|
{
|
||||||
|
Index: glibc-2.32/iconv/tst-iconv8.c
|
||||||
|
===================================================================
|
||||||
|
--- /dev/null
|
||||||
|
+++ glibc-2.32/iconv/tst-iconv8.c
|
||||||
|
@@ -0,0 +1,50 @@
|
||||||
|
+/* Test iconv behavior on UCS4 conversions with //IGNORE.
|
||||||
|
+ Copyright (C) 2020 Free Software Foundation, Inc.
|
||||||
|
+ This file is part of the GNU C Library.
|
||||||
|
+
|
||||||
|
+ The GNU C Library is free software; you can redistribute it and/or
|
||||||
|
+ modify it under the terms of the GNU Lesser General Public
|
||||||
|
+ License as published by the Free Software Foundation; either
|
||||||
|
+ version 2.1 of the License, or (at your option) any later version.
|
||||||
|
+
|
||||||
|
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||||
|
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+ Lesser General Public License for more details.
|
||||||
|
+
|
||||||
|
+ You should have received a copy of the GNU Lesser General Public
|
||||||
|
+ License along with the GNU C Library; if not, see
|
||||||
|
+ <http://www.gnu.org/licenses/>. */
|
||||||
|
+
|
||||||
|
+/* Derived from BZ #26923 */
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <iconv.h>
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <support/check.h>
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+do_test (void)
|
||||||
|
+{
|
||||||
|
+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/");
|
||||||
|
+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Convert sequence beginning with an irreversible character into buffer that
|
||||||
|
+ * is too small.
|
||||||
|
+ */
|
||||||
|
+ char input[12] = "\xe1\x80\xa1" "AAAAAAAAA";
|
||||||
|
+ char *inptr = input;
|
||||||
|
+ size_t insize = sizeof (input);
|
||||||
|
+ char output[6];
|
||||||
|
+ char *outptr = output;
|
||||||
|
+ size_t outsize = sizeof (output);
|
||||||
|
+
|
||||||
|
+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1);
|
||||||
|
+ TEST_VERIFY (errno == E2BIG);
|
||||||
|
+
|
||||||
|
+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#include <support/test-driver.c>
|
124
printf-long-double-non-normal.patch
Normal file
124
printf-long-double-non-normal.patch
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
From 681900d29683722b1cb0a8e565a0585846ec5a61 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florian Weimer <fweimer@redhat.com>
|
||||||
|
Date: Tue, 22 Sep 2020 19:07:48 +0200
|
||||||
|
Subject: [PATCH] x86: Harden printf against non-normal long double values (bug
|
||||||
|
26649)
|
||||||
|
|
||||||
|
The behavior of isnan/__builtin_isnan on bit patterns that do not
|
||||||
|
correspond to something that the CPU would produce from valid inputs
|
||||||
|
is currently under-defined in the toolchain. (The GCC built-in and
|
||||||
|
glibc disagree.)
|
||||||
|
|
||||||
|
The isnan check in PRINTF_FP_FETCH in stdio-common/printf_fp.c
|
||||||
|
assumes the GCC behavior that returns true for non-normal numbers
|
||||||
|
which are not specified as NaN. (The glibc implementation returns
|
||||||
|
false for such numbers.)
|
||||||
|
|
||||||
|
At present, passing non-normal numbers to __mpn_extract_long_double
|
||||||
|
causes this function to produce irregularly shaped multi-precision
|
||||||
|
integers, triggering undefined behavior in __printf_fp_l.
|
||||||
|
|
||||||
|
With GCC 10 and glibc 2.32, this behavior is not visible because
|
||||||
|
__builtin_isnan is used, which avoids calling
|
||||||
|
__mpn_extract_long_double in this case. This commit updates the
|
||||||
|
implementation of __mpn_extract_long_double so that regularly shaped
|
||||||
|
multi-precision integers are produced in this case, avoiding
|
||||||
|
undefined behavior in __printf_fp_l.
|
||||||
|
---
|
||||||
|
sysdeps/x86/Makefile | 4 ++
|
||||||
|
sysdeps/x86/ldbl2mpn.c | 8 ++++
|
||||||
|
sysdeps/x86/tst-ldbl-nonnormal-printf.c | 52 +++++++++++++++++++++++++
|
||||||
|
3 files changed, 64 insertions(+)
|
||||||
|
create mode 100644 sysdeps/x86/tst-ldbl-nonnormal-printf.c
|
||||||
|
|
||||||
|
Index: glibc-2.32/sysdeps/i386/ldbl2mpn.c
|
||||||
|
===================================================================
|
||||||
|
--- glibc-2.32.orig/sysdeps/i386/ldbl2mpn.c
|
||||||
|
+++ glibc-2.32/sysdeps/i386/ldbl2mpn.c
|
||||||
|
@@ -115,6 +115,14 @@ __mpn_extract_long_double (mp_ptr res_pt
|
||||||
|
&& res_ptr[N - 1] == 0)
|
||||||
|
/* Pseudo zero. */
|
||||||
|
*expt = 0;
|
||||||
|
+ else
|
||||||
|
+ /* Unlike other floating point formats, the most significant bit
|
||||||
|
+ is explicit and expected to be set for normal numbers. Set it
|
||||||
|
+ in case it is cleared in the input. Otherwise, callers will
|
||||||
|
+ not be able to produce the expected multi-precision integer
|
||||||
|
+ layout by shifting. */
|
||||||
|
+ res_ptr[N - 1] |= (mp_limb_t) 1 << (LDBL_MANT_DIG - 1
|
||||||
|
+ - ((N - 1) * BITS_PER_MP_LIMB));
|
||||||
|
|
||||||
|
return N;
|
||||||
|
}
|
||||||
|
Index: glibc-2.32/sysdeps/x86/Makefile
|
||||||
|
===================================================================
|
||||||
|
--- glibc-2.32.orig/sysdeps/x86/Makefile
|
||||||
|
+++ glibc-2.32/sysdeps/x86/Makefile
|
||||||
|
@@ -9,6 +9,10 @@ tests += tst-get-cpu-features tst-get-cp
|
||||||
|
tests-static += tst-get-cpu-features-static
|
||||||
|
endif
|
||||||
|
|
||||||
|
+ifeq ($(subdir),math)
|
||||||
|
+tests += tst-ldbl-nonnormal-printf
|
||||||
|
+endif # $(subdir) == math
|
||||||
|
+
|
||||||
|
ifeq ($(subdir),setjmp)
|
||||||
|
gen-as-const-headers += jmp_buf-ssp.sym
|
||||||
|
sysdep_routines += __longjmp_cancel
|
||||||
|
Index: glibc-2.32/sysdeps/x86/tst-ldbl-nonnormal-printf.c
|
||||||
|
===================================================================
|
||||||
|
--- /dev/null
|
||||||
|
+++ glibc-2.32/sysdeps/x86/tst-ldbl-nonnormal-printf.c
|
||||||
|
@@ -0,0 +1,52 @@
|
||||||
|
+/* Test printf with x86-specific non-normal long double value.
|
||||||
|
+ Copyright (C) 2020 Free Software Foundation, Inc.
|
||||||
|
+
|
||||||
|
+ This file is part of the GNU C Library.
|
||||||
|
+
|
||||||
|
+ The GNU C Library is free software; you can redistribute it and/or
|
||||||
|
+ modify it under the terms of the GNU Lesser General Public
|
||||||
|
+ License as published by the Free Software Foundation; either
|
||||||
|
+ version 2.1 of the License, or (at your option) any later version.
|
||||||
|
+
|
||||||
|
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||||
|
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+ Lesser General Public License for more details.
|
||||||
|
+
|
||||||
|
+ You should have received a copy of the GNU Lesser General Public
|
||||||
|
+ License along with the GNU C Library; if not, see
|
||||||
|
+ <https://www.gnu.org/licenses/>. */
|
||||||
|
+
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <support/check.h>
|
||||||
|
+
|
||||||
|
+/* Fill the stack with non-zero values. This makes a crash in
|
||||||
|
+ snprintf more likely. */
|
||||||
|
+static void __attribute__ ((noinline, noclone))
|
||||||
|
+fill_stack (void)
|
||||||
|
+{
|
||||||
|
+ char buffer[65536];
|
||||||
|
+ memset (buffer, 0xc0, sizeof (buffer));
|
||||||
|
+ asm ("" ::: "memory");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+do_test (void)
|
||||||
|
+{
|
||||||
|
+ fill_stack ();
|
||||||
|
+
|
||||||
|
+ long double value;
|
||||||
|
+ memcpy (&value, "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04", 10);
|
||||||
|
+
|
||||||
|
+ char buf[30];
|
||||||
|
+ int ret = snprintf (buf, sizeof (buf), "%Lg", value);
|
||||||
|
+ TEST_COMPARE (ret, strlen (buf));
|
||||||
|
+ if (strcmp (buf, "nan") != 0)
|
||||||
|
+ /* If snprintf does not recognize the non-normal number as a NaN,
|
||||||
|
+ it has added the missing explicit MSB. */
|
||||||
|
+ TEST_COMPARE_STRING (buf, "3.02201e-4624");
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#include <support/test-driver.c>
|
Loading…
Reference in New Issue
Block a user