new file mode 100644

@@ -0,0 +1,150 @@

+From af7519f7b35024224c163e32a89fb247b0c446fc Mon Sep 17 00:00:00 2001

+From: Paul Pluzhnikov <ppluzhnikov@google.com>

+Date: Tue, 8 May 2018 18:12:41 -0700

+Subject: [PATCH] Fix path length overflow in realpath [BZ #22786]

+

+Integer addition overflow may cause stack buffer overflow

+when realpath() input length is close to SSIZE_MAX.

+

+2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>

+

+	[BZ #22786]

+	* stdlib/canonicalize.c (__realpath): Fix overflow in path length

+	computation.

+	* stdlib/Makefile (test-bz22786): New test.

+	* stdlib/test-bz22786.c: New test.

+

+(cherry picked from commit 5460617d1567657621107d895ee2dd83bc1f88f2)

+---

+ ChangeLog             |  8 +++++

+ NEWS                  |  1 +

+ stdlib/Makefile       |  2 +-

+ stdlib/canonicalize.c |  2 +-

+ stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++

+ 5 files changed, 101 insertions(+), 2 deletions(-)

+ create mode 100644 stdlib/test-bz22786.c

+

+diff --git a/stdlib/Makefile b/stdlib/Makefile

+index 0314d59..5cdc910 100644

+--- a/stdlib/Makefile

+@@ -80,7 +80,7 @@ tests		:= tst-strtol tst-strtod testmb testrand testsort testdiv   \

+ 		   tst-strtol-locale tst-strtod-nan-locale tst-strfmon_l    \

+ 		   tst-quick_exit tst-thread-quick_exit tst-width	    \

+ 		   tst-width-stdint tst-strfrom tst-strfrom-locale	    \

+-		   tst-getrandom

++		   tst-getrandom test-bz22786

+ tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \

+ 		   tst-tls-atexit tst-tls-atexit-nodelete

+ tests-static	:= tst-secure-getenv

+diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c

+index c3d892c..a497d06 100644

+--- a/stdlib/canonicalize.c

+@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)

+ 		extra_buf = __alloca (path_max);

+ 

+ 	      len = strlen (end);

+-	      if ((long int) (n + len) >= path_max)

++	      if (path_max - n <= len)

+ 		{

+ 		  __set_errno (ENAMETOOLONG);

+ 		  goto error;

+diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c

+new file mode 100644

+index 0000000..e7837f9

+--- /dev/null

+@@ -0,0 +1,90 @@

++/* Bug 22786: test for buffer overflow in realpath.

++   Copyright (C) 2018 Free Software Foundation, Inc.

++   This file is part of the GNU C Library.

++

++   The GNU C Library is free software; you can redistribute it and/or

++   modify it under the terms of the GNU Lesser General Public

++   License as published by the Free Software Foundation; either

++   version 2.1 of the License, or (at your option) any later version.

++

++   The GNU C Library is distributed in the hope that it will be useful,

++   but WITHOUT ANY WARRANTY; without even the implied warranty of

++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

++   Lesser General Public License for more details.

++

++   You should have received a copy of the GNU Lesser General Public

++   License along with the GNU C Library; if not, see

++   <http://www.gnu.org/licenses/>.  */

++

++/* This file must be run from within a directory called "stdlib".  */

++

++#include <errno.h>

++#include <limits.h>

++#include <stdio.h>

++#include <stdlib.h>

++#include <string.h>

++#include <unistd.h>

++#include <sys/stat.h>

++#include <sys/types.h>

++#include <support/test-driver.h>

++#include <libc-diag.h>

++

++static int

++do_test (void)

++{

++  const char dir[] = "bz22786";

++  const char lnk[] = "bz22786/symlink";

++

++  rmdir (dir);

++  if (mkdir (dir, 0755) != 0 && errno != EEXIST)

++    {

++      printf ("mkdir %s: %m\n", dir);

++      return EXIT_FAILURE;

++    }

++  if (symlink (".", lnk) != 0 && errno != EEXIST)

++    {

++      printf ("symlink (%s, %s): %m\n", dir, lnk);

++      return EXIT_FAILURE;

++    }

++

++  const size_t path_len = (size_t) INT_MAX + 1;

++

++  DIAG_PUSH_NEEDS_COMMENT;

++#if __GNUC_PREREQ (7, 0)

++  /* GCC 7 warns about too-large allocations; here we need such

++     allocation to succeed for the test to work.  */

++  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");

++#endif

++  char *path = malloc (path_len);

++  DIAG_POP_NEEDS_COMMENT;

++

++  if (path == NULL)

++    {

++      printf ("malloc (%zu): %m\n", path_len);

++      return EXIT_UNSUPPORTED;

++    }

++

++  /* Construct very long path = "bz22786/symlink/aaaa....."  */

++  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);

++  *(p++) = '/';

++  memset (p, 'a', path_len - (path - p) - 2);

++  p[path_len - (path - p) - 1] = '\0';

++

++  /* This call crashes before the fix for bz22786 on 32-bit platforms.  */

++  p = realpath (path, NULL);

++

++  if (p != NULL || errno != ENAMETOOLONG)

++    {

++      printf ("realpath: %s (%m)", p);

++      return EXIT_FAILURE;

++    }

++

++  /* Cleanup.  */

++  unlink (lnk);

++  rmdir (dir);

++

++  return 0;

++}

++

++#define TEST_FUNCTION do_test

++#include <support/test-driver.c>

+-- 

+2.9.3

new file mode 100644

@@ -0,0 +1,117 @@

+From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001

+From: Andreas Schwab <schwab@suse.de>

+Date: Tue, 22 May 2018 10:37:59 +0200

+Subject: [PATCH] Don't write beyond destination in

+ __mempcpy_avx512_no_vzeroupper (bug 23196)

+

+When compiled as mempcpy, the return value is the end of the destination

+buffer, thus it cannot be used to refer to the start of it.

+---

+ ChangeLog                                               | 9 +++++++++

+ string/test-mempcpy.c                                   | 1 +

+ sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--

+ 3 files changed, 13 insertions(+), 2 deletions(-)

+

+diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c

+index c08fba8..d98ecdd 100644

+--- a/string/test-mempcpy.c

+@@ -18,6 +18,7 @@

+    <http://www.gnu.org/licenses/>.  */

+ 

+ #define MEMCPY_RESULT(dst, len) (dst) + (len)

++#define MIN_PAGE_SIZE 131072

+ #define TEST_MAIN

+ #define TEST_NAME "mempcpy"

+ #include "test-string.h"

+diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S

+index 23c0f7a..effc3ac 100644

+--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S

+@@ -336,6 +336,7 @@ L(preloop_large):

+ 	vmovups	(%rsi), %zmm4

+ 	vmovups	0x40(%rsi), %zmm5

+ 

++	mov	%rdi, %r11

+ /* Align destination for access with non-temporal stores in the loop.  */

+ 	mov	%rdi, %r8

+ 	and	$-0x80, %rdi

+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):

+ 	cmp	$256, %rdx

+ 	ja	L(gobble_256bytes_nt_loop)

+ 	sfence

+-	vmovups	%zmm4, (%rax)

+-	vmovups	%zmm5, 0x40(%rax)

++	vmovups	%zmm4, (%r11)

++	vmovups	%zmm5, 0x40(%r11)

+ 	jmp	L(check)

+ 

+ L(preloop_large_bkw):

+

+diff --git a/string/test-memcpy.c b/string/test-memcpy.c

+index 45f20a6..3c8066d 100644

+--- a/string/test-memcpy.c

+@@ -212,6 +212,50 @@ do_random_tests (void)

+     }

+ }

+ 

++static void

++do_test1 (void)

++{

++  size_t size = 0x100000;

++  void *large_buf;

++

++  large_buf = mmap (NULL, size * 2 + page_size, PROT_READ | PROT_WRITE,

++		    MAP_PRIVATE | MAP_ANON, -1, 0);

++  if (large_buf == MAP_FAILED)

++    {

++      puts ("Failed to allocat large_buf, skipping do_test1");

++      return;

++    }

++

++  if (mprotect (large_buf + size, page_size, PROT_NONE))

++    error (EXIT_FAILURE, errno, "mprotect failed");

++

++  size_t arrary_size = size / sizeof (uint32_t);

++  uint32_t *dest = large_buf;

++  uint32_t *src = large_buf + size + page_size;

++  size_t i;

++

++  for (i = 0; i < arrary_size; i++)

++    src[i] = (uint32_t) i;

++

++  FOR_EACH_IMPL (impl, 0)

++    {

++      memset (dest, -1, size);

++      CALL (impl, (char *) dest, (char *) src, size);

++      for (i = 0; i < arrary_size; i++)

++	if (dest[i] != src[i])

++	  {

++	    error (0, 0,

++		   "Wrong result in function %s dst \"%p\" src \"%p\" offset \"%zd\"",

++		   impl->name, dest, src, i);

++	    ret = 1;

++	    break;

++	  }

++    }

++

++  munmap ((void *) dest, size);

++  munmap ((void *) src, size);

++}

++

+ int

+ test_main (void)

+ {

+@@ -253,6 +297,9 @@ test_main (void)

+   do_test (0, 0, getpagesize ());

+ 

+   do_random_tests ();

++

++  do_test1 ();

++

+   return ret;

+ }

+ 

+-- 

+2.9.3

@@ -4,7 +4,7 @@

 Summary:        Main C library

 Name:           glibc

 Version:        2.26

-Release:        12%{?dist}

+Release:        13%{?dist}

 License:        LGPLv2+

 URL:            http://www.gnu.org/software/libc

 Group:          Applications/System

@@ -26,6 +26,8 @@ Patch8:         glibc-fix-CVE-2018-1000001.patch

 Patch9:         glibc-fix-CVE-2018-6485.patch

 Patch10:        glibc-fix-CVE-2017-15671.patch

 Patch11:        glibc-fix-CVE-2017-18269.patch

+Patch12:        glibc-fix-CVE-2018-11236.patch

+Patch13:        glibc-fix-CVE-2018-11237.patch

 Provides:       rtld(GNU_HASH)

 Requires:       filesystem

 %description

@@ -91,6 +93,8 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile

 %patch9 -p1

 %patch10 -p1

 %patch11 -p1

+%patch12 -p1

+%patch13 -p1

 install -vdm 755 %{_builddir}/%{name}-build

 # do not try to explicitly provide GLIBC_PRIVATE versioned libraries

@@ -295,6 +299,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:

 %changelog

+*   Tue Jun 26 2018 Keerthana K <keerthanak@vmware.com> 2.26-13

+-   Fix for CVE-2018-11236, CVE-2018-11237.

 *   Mon Jun 25 2018 Keerthana K <keerthanak@vmware.com> 2.26-12

 -   Fix for CVE-2017-18269.

 *   Tue Jun 19 2018 Dweep Advani <dadvani@vmware.com> 2.26-11