new file mode 100644

@@ -0,0 +1,310 @@

+From 20f534e0abd81149c71cef082c8c058bb9d953af Mon Sep 17 00:00:00 2001

+From: Florian Weimer <fweimer@redhat.com>

+Date: Sat, 31 Dec 2016 20:22:09 +0100

+Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ

+ #18784]

+

+Also rename T_UNSPEC because an upcoming public header file

+update will use that name.

+

+(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)

+(cherry picked from commit b3b37f1a5559a7620e31c8053ed1b44f798f2b6d)

+---

+ include/arpa/nameser_compat.h |   6 +-

+ resolv/Makefile               |   5 ++

+ resolv/nss_dns/dns-host.c     |   2 +-

+ resolv/res_mkquery.c          |   4 +

+ resolv/res_query.c            |   6 +-

+ resolv/tst-resolv-qtypes.c    | 185 ++++++++++++++++++++++++++++++++++++++++++

+ 6 files changed, 201 insertions(+), 7 deletions(-)

+ create mode 100644 resolv/tst-resolv-qtypes.c

+

+diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h

+index 2e735ed..7c0deed 100644

+--- a/include/arpa/nameser_compat.h

+@@ -1,8 +1,8 @@

+ #ifndef _ARPA_NAMESER_COMPAT_

+ #include <resolv/arpa/nameser_compat.h>

+ 

+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,

+-   T_A and T_AAAA).  */

+-#define T_UNSPEC 62321

++/* The number is outside the 16-bit RR type range and is used

++   internally by the implementation.  */

++#define T_QUERY_A_AND_AAAA 439963904

+ 

+ #endif

+diff --git a/resolv/Makefile b/resolv/Makefile

+index 8be41d3..a4c86b9 100644

+--- a/resolv/Makefile

+@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)

+ extra-libs += libanl

+ routines += gai_sigqueue

+ tests += tst-res_hconf_reorder

++

++# This test sends millions of packets and is rather slow.

++xtests += tst-resolv-qtypes

+ endif

+ extra-libs-others = $(extra-libs)

+ libresolv-routines := gethnamaddr res_comp res_debug	\

+@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace

+ $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out

+ 	$(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \

+ 	$(evaluate-test)

++

++$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)

+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c

+index 5f9e357..d16fa4b 100644

+--- a/resolv/nss_dns/dns-host.c

+@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,

+ 

+   int olderr = errno;

+   enum nss_status status;

+-  int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,

++  int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,

+ 			      host_buffer.buf->buf, 2048, &host_buffer.ptr,

+ 			      &ans2p, &nans2p, &resplen2, &ans2p_malloced);

+   if (n >= 0)

+diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c

+index 12f9730..d80b531 100644

+--- a/resolv/res_mkquery.c

+@@ -103,6 +103,10 @@ res_nmkquery(res_state statp,

+ 	int n;

+ 	u_char *dnptrs[20], **dpp, **lastdnptr;

+ 

++	if (class < 0 || class > 65535

++	    || type < 0 || type > 65535)

++	  return -1;

++

+ #ifdef DEBUG

+ 	if (statp->options & RES_DEBUG)

+ 		printf(";; res_nmkquery(%s, %s, %s, %s)\n",

+diff --git a/resolv/res_query.c b/resolv/res_query.c

+index 944d1a9..07dc6f6 100644

+--- a/resolv/res_query.c

+@@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,

+ 	int n, use_malloc = 0;

+ 	u_int oflags = statp->_flags;

+ 

+-	size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;

++	size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;

+ 	u_char *buf = alloca (bufsize);

+ 	u_char *query1 = buf;

+ 	int nquery1 = -1;

+@@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,

+ 		printf(";; res_query(%s, %d, %d)\n", name, class, type);

+ #endif

+ 

+-	if (type == T_UNSPEC)

++	if (type == T_QUERY_A_AND_AAAA)

+ 	  {

+ 	    n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,

+ 			     query1, bufsize);

+@@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,

+ 	if (__builtin_expect (n <= 0, 0) && !use_malloc) {

+ 		/* Retry just in case res_nmkquery failed because of too

+ 		   short buffer.  Shouldn't happen.  */

+-		bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;

++		bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;

+ 		buf = malloc (bufsize);

+ 		if (buf != NULL) {

+ 			query1 = buf;

+diff --git a/resolv/tst-resolv-qtypes.c b/resolv/tst-resolv-qtypes.c

+new file mode 100644

+index 0000000..b3e60c6

+--- /dev/null

+@@ -0,0 +1,185 @@

++/* Exercise low-level query functions with different QTYPEs.

++   Copyright (C) 2016 Free Software Foundation, Inc.

++   This file is part of the GNU C Library.

++

++   The GNU C Library is free software; you can redistribute it and/or

++   modify it under the terms of the GNU Lesser General Public

++   License as published by the Free Software Foundation; either

++   version 2.1 of the License, or (at your option) any later version.

++

++   The GNU C Library is distributed in the hope that it will be useful,

++   but WITHOUT ANY WARRANTY; without even the implied warranty of

++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

++   Lesser General Public License for more details.

++

++   You should have received a copy of the GNU Lesser General Public

++   License along with the GNU C Library; if not, see

++   <http://www.gnu.org/licenses/>.  */

++

++#include <resolv.h>

++#include <string.h>

++#include <support/check.h>

++#include <support/check_nss.h>

++#include <support/resolv_test.h>

++#include <support/support.h>

++#include <support/test-driver.h>

++#include <support/xmemstream.h>

++

++/* If ture, the response function will send the actual response packet

++   over TCP instead of UDP.  */

++static volatile bool force_tcp;

++

++/* Send back a fake resource record matching the QTYPE.  */

++static void

++response (const struct resolv_response_context *ctx,

++          struct resolv_response_builder *b,

++          const char *qname, uint16_t qclass, uint16_t qtype)

++{

++  if (force_tcp && ctx->tcp)

++    {

++      resolv_response_init (b, (struct resolv_response_flags) { .tc = 1 });

++      resolv_response_add_question (b, qname, qclass, qtype);

++      return;

++    }

++

++  resolv_response_init (b, (struct resolv_response_flags) { });

++  resolv_response_add_question (b, qname, qclass, qtype);

++  resolv_response_section (b, ns_s_an);

++  resolv_response_open_record (b, qname, qclass, qtype, 0);

++  resolv_response_add_data (b, &qtype, sizeof (qtype));

++  resolv_response_close_record (b);

++}

++

++static const const char *domain = "www.example.com";

++

++static int

++wrap_res_query (int type, unsigned char *answer, int answer_length)

++{

++  return res_query (domain, C_IN, type, answer, answer_length);

++}

++

++static int

++wrap_res_search (int type, unsigned char *answer, int answer_length)

++{

++  return res_query (domain, C_IN, type, answer, answer_length);

++}

++

++static int

++wrap_res_querydomain (int type, unsigned char *answer, int answer_length)

++{

++  return res_querydomain ("www", "example.com", C_IN, type,

++                           answer, answer_length);

++}

++

++static int

++wrap_res_send (int type, unsigned char *answer, int answer_length)

++{

++  unsigned char buf[512];

++  int ret = res_mkquery (QUERY, domain, C_IN, type,

++                         (const unsigned char *) "", 0, NULL,

++                         buf, sizeof (buf));

++  if (type < 0 || type >= 65536)

++    {

++      /* res_mkquery fails for out-of-range record types.  */

++      TEST_VERIFY_EXIT (ret == -1);

++      return -1;

++    }

++  TEST_VERIFY_EXIT (ret > 12);  /* DNS header length.  */

++  return res_send (buf, ret, answer, answer_length);

++}

++

++static int

++wrap_res_nquery (int type, unsigned char *answer, int answer_length)

++{

++  return res_nquery (&_res, domain, C_IN, type, answer, answer_length);

++}

++

++static int

++wrap_res_nsearch (int type, unsigned char *answer, int answer_length)

++{

++  return res_nquery (&_res, domain, C_IN, type, answer, answer_length);

++}

++

++static int

++wrap_res_nquerydomain (int type, unsigned char *answer, int answer_length)

++{

++  return res_nquerydomain (&_res, "www", "example.com", C_IN, type,

++                           answer, answer_length);

++}

++

++static int

++wrap_res_nsend (int type, unsigned char *answer, int answer_length)

++{

++  unsigned char buf[512];

++  int ret = res_nmkquery (&_res, QUERY, domain, C_IN, type,

++                         (const unsigned char *) "", 0, NULL,

++                         buf, sizeof (buf));

++  if (type < 0 || type >= 65536)

++    {

++      /* res_mkquery fails for out-of-range record types.  */

++      TEST_VERIFY_EXIT (ret == -1);

++      return -1;

++    }

++  TEST_VERIFY_EXIT (ret > 12);  /* DNS header length.  */

++  return res_nsend (&_res, buf, ret, answer, answer_length);

++}

++

++static void

++test_function (const char *fname,

++               int (*func) (int type,

++                            unsigned char *answer, int answer_length))

++{

++  unsigned char buf[512];

++  for (int tcp = 0; tcp < 2; ++tcp)

++    {

++      force_tcp = tcp;

++      for (unsigned int type = 1; type <= 65535; ++type)

++        {

++          if (test_verbose)

++            printf ("info: sending QTYPE %d with %s (tcp=%d)\n",

++                    type, fname, tcp);

++          int ret = func (type, buf, sizeof (buf));

++          if (ret != 47)

++            FAIL_EXIT1 ("%s tcp=%d qtype=%d return value %d",

++                        fname,tcp, type, ret);

++          /* One question, one answer record.  */

++          TEST_VERIFY (memcmp (buf + 4, "\0\1\0\1\0\0\0\0", 8) == 0);

++          /* Question section.  */

++          static const char qname[] = "\3www\7example\3com";

++          size_t qname_length = sizeof (qname);

++          TEST_VERIFY (memcmp (buf + 12, qname, qname_length) == 0);

++          /* RDATA part of answer.  */

++          uint16_t type16 = type;

++          TEST_VERIFY (memcmp (buf + ret - 2, &type16, sizeof (type16)) == 0);

++        }

++    }

++

++  TEST_VERIFY (func (-1, buf, sizeof (buf) == -1));

++  TEST_VERIFY (func (65536, buf, sizeof (buf) == -1));

++}

++

++static int

++do_test (void)

++{

++  struct resolv_redirect_config config =

++    {

++      .response_callback = response,

++    };

++  struct resolv_test *obj = resolv_test_start (config);

++

++  test_function ("res_query", &wrap_res_query);

++  test_function ("res_search", &wrap_res_search);

++  test_function ("res_querydomain", &wrap_res_querydomain);

++  test_function ("res_send", &wrap_res_send);

++

++  test_function ("res_nquery", &wrap_res_nquery);

++  test_function ("res_nsearch", &wrap_res_nsearch);

++  test_function ("res_nquerydomain", &wrap_res_nquerydomain);

++  test_function ("res_nsend", &wrap_res_nsend);

++

++  resolv_test_end (obj);

++  return 0;

++}

++

++#define TIMEOUT 300

++#include <support/test-driver.c>

+-- 

+2.9.3

+

@@ -6,7 +6,7 @@

 Summary:        Main C library

 Name:           glibc

 Version:        2.22

-Release:        15%{?dist}

+Release:        16%{?dist}

 License:        LGPLv2+

 URL:            http://www.gnu.org/software/libc

 Group:          Applications/System

@@ -41,6 +41,8 @@ Patch15:        glibc-fix-CVE-2017-1000366.patch

 Patch16:        glibc-fix-CVE-2017-12133.patch

 Patch17:        glibc-fix-CVE-2017-15670.patch

 Patch18:        glibc-fix-CVE-2017-15804.patch

+#https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=20f534e0abd81149c71cef082c8c058bb9d953af

+Patch19:        glibc-fix-CVE-2015-5180.patch

 Provides:       rtld(GNU_HASH)

 Requires:       filesystem

 %description

@@ -85,6 +87,7 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile

 %patch16 -p1

 %patch17 -p1

 %patch18 -p1

+%patch19 -p1

 install -vdm 755 %{_builddir}/%{name}-build

 # do not try to explicitly provide GLIBC_PRIVATE versioned libraries

 %define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh

@@ -210,8 +213,9 @@ popd

 %defattr(-,root,root)

 %{_datarootdir}/locale/locale.alias

-

 %changelog

+*   Tue Nov 14 2017 Xiaolin Li <xiaolinl@vmware.com> 2.22-16

+-   Fix CVE-2015-5180

 *   Wed Oct 25 2017 Xiaolin Li <xiaolinl@vmware.com> 2.22-15

 -   Fix CVE-2017-15670, CVE-2017-15804

 *   Thu Oct 19 2017 Xiaolin Li <xiaolinl@vmware.com> 2.22-14