new file mode 100644

@@ -0,0 +1,152 @@

+From 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94 Mon Sep 17 00:00:00 2001

+From: "Dmitry V. Levin" <ldv@altlinux.org>

+Date: Sun, 7 Jan 2018 02:03:41 +0000

+Subject: [PATCH] linux: make getcwd(3) fail if it cannot obtain an absolute

+ path [BZ #22679]

+

+Currently getcwd(3) can succeed without returning an absolute path

+because the underlying getcwd syscall, starting with linux commit

+v2.6.36-rc1~96^2~2, may succeed without returning an absolute path.

+

+This is a conformance issue because "The getcwd() function shall

+place an absolute pathname of the current working directory

+in the array pointed to by buf, and return buf".

+

+This is also a security issue because a non-absolute path returned

+by getcwd(3) causes a buffer underflow in realpath(3).

+

+Fix this by checking the path returned by getcwd syscall and falling

+back to generic_getcwd if the path is not absolute, effectively making

+getcwd(3) fail with ENOENT.  The error code is chosen for consistency

+with the case when the current directory is unlinked.

+

+[BZ #22679]

+CVE-2018-1000001

+* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to

+generic_getcwd if the path returned by getcwd syscall is not absolute.

+* io/tst-getcwd-abspath.c: New test.

+* io/Makefile (tests): Add tst-getcwd-abspath.

+---

+ ChangeLog                        |  9 ++++++

+ NEWS                             |  4 +++

+ io/Makefile                      |  2 +-

+ io/tst-getcwd-abspath.c          | 66 ++++++++++++++++++++++++++++++++++++++++

+ sysdeps/unix/sysv/linux/getcwd.c |  8 ++---

+ 5 files changed, 84 insertions(+), 5 deletions(-)

+ create mode 100644 io/tst-getcwd-abspath.c

+

+diff --git a/io/Makefile b/io/Makefile

+index 2f26bf5..566f03c 100644

+--- a/io/Makefile

+@@ -71,7 +71,7 @@ tests		:= test-utime test-stat test-stat2 test-lfs tst-getcwd \

+ 		   tst-renameat tst-fchownat tst-fchmodat tst-faccessat \

+ 		   tst-symlinkat tst-linkat tst-readlinkat tst-mkdirat \

+ 		   tst-mknodat tst-mkfifoat tst-ttyname_r bug-ftw5 \

+-		   tst-posix_fallocate

++		   tst-posix_fallocate tst-getcwd-abspath

+ 

+ ifeq ($(run-built-tests),yes)

+ tests-special += $(objpfx)ftwtest.out

+diff --git a/io/tst-getcwd-abspath.c b/io/tst-getcwd-abspath.c

+new file mode 100644

+index 0000000..3a3636f

+--- /dev/null

+@@ -0,0 +1,66 @@

++/* BZ #22679 getcwd(3) should not succeed without returning an absolute path.

++

++   Copyright (C) 2018 Free Software Foundation, Inc.

++   This file is part of the GNU C Library.

++

++   The GNU C Library is free software; you can redistribute it and/or

++   modify it under the terms of the GNU Lesser General Public

++   License as published by the Free Software Foundation; either

++   version 2.1 of the License, or (at your option) any later version.

++

++   The GNU C Library is distributed in the hope that it will be useful,

++   but WITHOUT ANY WARRANTY; without even the implied warranty of

++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

++   Lesser General Public License for more details.

++

++   You should have received a copy of the GNU Lesser General Public

++   License along with the GNU C Library; if not, see

++   <https://www.gnu.org/licenses/>.  */

++

++#include <errno.h>

++#include <stdio.h>

++#include <stdlib.h>

++#include <support/check.h>

++#include <support/namespace.h>

++#include <support/support.h>

++#include <support/temp_file.h>

++#include <support/test-driver.h>

++#include <support/xunistd.h>

++#include <unistd.h>

++

++static char *chroot_dir;

++

++/* The actual test.  Run it in a subprocess, so that the test harness

++   can remove the temporary directory in --direct mode.  */

++static void

++getcwd_callback (void *closure)

++{

++  xchroot (chroot_dir);

++

++  errno = 0;

++  char *cwd = getcwd (NULL, 0);

++  TEST_COMPARE (errno, ENOENT);

++  TEST_VERIFY (cwd == NULL);

++

++  errno = 0;

++  cwd = realpath (".", NULL);

++  TEST_COMPARE (errno, ENOENT);

++  TEST_VERIFY (cwd == NULL);

++

++  _exit (0);

++}

++

++static int

++do_test (void)

++{

++  support_become_root ();

++  if (!support_can_chroot ())

++    return EXIT_UNSUPPORTED;

++

++  chroot_dir = support_create_temp_directory ("tst-getcwd-abspath-");

++  support_isolate_in_subprocess (getcwd_callback, NULL);

++

++  return 0;

++}

++

++#include <support/test-driver.c>

+diff --git a/sysdeps/unix/sysv/linux/getcwd.c b/sysdeps/unix/sysv/linux/getcwd.c

+index f545106..866b9d2 100644

+--- a/sysdeps/unix/sysv/linux/getcwd.c

+@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size)

+   int retval;

+ 

+   retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size);

+-  if (retval >= 0)

++  if (retval > 0 && path[0] == '/')

+     {

+ #ifndef NO_ALLOCATION

+       if (buf == NULL && size == 0)

+@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size)

+       return buf;

+     }

+ 

+-  /* The system call cannot handle paths longer than a page.

+-     Neither can the magic symlink in /proc/self.  Just use the

++  /* The system call either cannot handle paths longer than a page

++     or can succeed without returning an absolute path.  Just use the

+      generic implementation right away.  */

+-  if (errno == ENAMETOOLONG)

++  if (retval >= 0 || errno == ENAMETOOLONG)

+     {

+ #ifndef NO_ALLOCATION

+       if (buf == NULL && size == 0)

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,345 @@

+From 9331dbdcd7aa8e997eb4caa9b1b0cb6c804320c8 Mon Sep 17 00:00:00 2001

+From: Arjun Shankar <arjun@redhat.com>

+Date: Thu, 18 Jan 2018 16:47:06 +0000

+Subject: [PATCH] Fix integer overflows in internal memalign and malloc [BZ

+ #22343] [BZ #22774]

+

+When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT

+and a requested size close to SIZE_MAX, it falls back to malloc code

+(because the alignment of a block returned by malloc is sufficient to

+satisfy the call).  In this case, an integer overflow in _int_malloc leads

+to posix_memalign incorrectly returning successfully.

+

+Upon fixing this and writing a somewhat thorough regression test, it was

+discovered that when posix_memalign is called with an alignment larger than

+MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size

+close to SIZE_MAX, a different integer overflow in _int_memalign leads to

+posix_memalign incorrectly returning successfully.

+

+Both integer overflows affect other memory allocation functions that use

+_int_malloc (one affected malloc in x86) or _int_memalign as well.

+

+This commit fixes both integer overflows.  In addition to this, it adds a

+regression test to guard against false successful allocations by the

+following memory allocation functions when called with too-large allocation

+sizes and, where relevant, various valid alignments:

+malloc, realloc, calloc, memalign, posix_memalign, aligned_alloc, valloc,

+and pvalloc.

+

+(cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22)

+---

+ ChangeLog                     |  13 +++

+ NEWS                          |  10 ++

+ malloc/Makefile               |   1 +

+ malloc/malloc.c               |  30 ++++--

+ malloc/tst-malloc-too-large.c | 237 ++++++++++++++++++++++++++++++++++++++++++

+ 5 files changed, 283 insertions(+), 8 deletions(-)

+ create mode 100644 malloc/tst-malloc-too-large.c

+

+diff --git a/malloc/Makefile b/malloc/Makefile

+index 89fce91..9b40e87 100644

+--- a/malloc/Makefile

+@@ -28,7 +28,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \

+ 	 tst-mallocstate tst-mcheck tst-mallocfork tst-trim1 \

+ 	 tst-malloc-usable tst-realloc tst-posix_memalign \

+ 	 tst-pvalloc tst-memalign tst-mallopt tst-scratch_buffer \

+-	 tst-malloc-backtrace

++	 tst-malloc-backtrace tst-malloc-too-large

+ test-srcs = tst-mtrace

+ 

+ routines = malloc morecore mcheck mtrace obstack \

+diff --git a/malloc/malloc.c b/malloc/malloc.c

+index 4e07663..0686e5d 100644

+--- a/malloc/malloc.c

+@@ -1202,14 +1202,21 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+    MINSIZE :                                                      \

+    ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)

+ 

+-/*  Same, except also perform argument check */

+-

+-#define checked_request2size(req, sz)                             \

+-  if (REQUEST_OUT_OF_RANGE (req)) {					      \

+-      __set_errno (ENOMEM);						      \

+-      return 0;								      \

+-    }									      \

+-  (sz) = request2size (req);

++/* Same, except also perform an argument and result check.  First, we check

++   that the padding done by request2size didn't result in an integer

++   overflow.  Then we check (using REQUEST_OUT_OF_RANGE) that the resulting

++   size isn't so large that a later alignment would lead to another integer

++   overflow.  */

++#define checked_request2size(req, sz) \

++({				    \

++  (sz) = request2size (req);	    \

++  if (((sz) < (req))		    \

++      || REQUEST_OUT_OF_RANGE (sz)) \

++    {				    \

++      __set_errno (ENOMEM);	    \

++      return 0;			    \

++    }				    \

++})

+ 

+ /*

+    --------------- Physical chunk operations ---------------

+@@ -4423,6 +4430,13 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)

+    */

+ 

+ 

++  /* Check for overflow.  */

++  if (nb > SIZE_MAX - alignment - MINSIZE)

++    {

++      __set_errno (ENOMEM);

++      return 0;

++    }

++

+   /* Call malloc with worst case padding to hit alignment. */

+ 

+   m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));

+diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c

+new file mode 100644

+index 0000000..1f7bf29

+--- /dev/null

+@@ -0,0 +1,237 @@

++/* Test and verify that too-large memory allocations fail with ENOMEM.

++   Copyright (C) 2018 Free Software Foundation, Inc.

++   This file is part of the GNU C Library.

++

++   The GNU C Library is free software; you can redistribute it and/or

++   modify it under the terms of the GNU Lesser General Public

++   License as published by the Free Software Foundation; either

++   version 2.1 of the License, or (at your option) any later version.

++

++   The GNU C Library is distributed in the hope that it will be useful,

++   but WITHOUT ANY WARRANTY; without even the implied warranty of

++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

++   Lesser General Public License for more details.

++

++   You should have received a copy of the GNU Lesser General Public

++   License along with the GNU C Library; if not, see

++   <http://www.gnu.org/licenses/>.  */

++

++/* Bug 22375 reported a regression in malloc where if after malloc'ing then

++   free'ing a small block of memory, malloc is then called with a really

++   large size argument (close to SIZE_MAX): instead of returning NULL and

++   setting errno to ENOMEM, malloc incorrectly returns the previously

++   allocated block instead.  Bug 22343 reported a similar case where

++   posix_memalign incorrectly returns successfully when called with an with

++   a really large size argument.

++

++   Both of these were caused by integer overflows in the allocator when it

++   was trying to pad the requested size to allow for book-keeping or

++   alignment.  This test guards against such bugs by repeatedly allocating

++   and freeing small blocks of memory then trying to allocate various block

++   sizes larger than the memory bus width of 64-bit targets, or almost

++   as large as SIZE_MAX on 32-bit targets supported by glibc.  In each case,

++   it verifies that such impossibly large allocations correctly fail.  */

++

++

++#include <stdlib.h>

++#include <malloc.h>

++#include <errno.h>

++#include <stdint.h>

++#include <sys/resource.h>

++#include <libc-internal.h>

++#include <support/check.h>

++#include <unistd.h>

++#include <sys/param.h>

++

++

++/* This function prepares for each 'too-large memory allocation' test by

++   performing a small successful malloc/free and resetting errno prior to

++   the actual test.  */

++static void

++test_setup (void)

++{

++  void *volatile ptr = malloc (16);

++  TEST_VERIFY_EXIT (ptr != NULL);

++  free (ptr);

++  errno = 0;

++}

++

++

++/* This function tests each of:

++   - malloc (SIZE)

++   - realloc (PTR_FOR_REALLOC, SIZE)

++   - for various values of NMEMB:

++    - calloc (NMEMB, SIZE/NMEMB)

++    - calloc (SIZE/NMEMB, NMEMB)

++   and precedes each of these tests with a small malloc/free before it.  */

++static void

++test_large_allocations (size_t size)

++{

++  void * ptr_to_realloc;

++

++  test_setup ();

++  TEST_VERIFY (malloc (size) == NULL);

++  TEST_VERIFY (errno == ENOMEM);

++

++  ptr_to_realloc = malloc (16);

++  TEST_VERIFY_EXIT (ptr_to_realloc != NULL);

++  test_setup ();

++  TEST_VERIFY (realloc (ptr_to_realloc, size) == NULL);

++  TEST_VERIFY (errno == ENOMEM);

++  free (ptr_to_realloc);

++

++  for (size_t nmemb = 1; nmemb <= 8; nmemb *= 2)

++    if ((size % nmemb) == 0)

++      {

++        test_setup ();

++        TEST_VERIFY (calloc (nmemb, size / nmemb) == NULL);

++        TEST_VERIFY (errno == ENOMEM);

++

++        test_setup ();

++        TEST_VERIFY (calloc (size / nmemb, nmemb) == NULL);

++        TEST_VERIFY (errno == ENOMEM);

++      }

++    else

++      break;

++}

++

++

++static long pagesize;

++

++/* This function tests the following aligned memory allocation functions

++   using several valid alignments and precedes each allocation test with a

++   small malloc/free before it:

++   memalign, posix_memalign, aligned_alloc, valloc, pvalloc.  */

++static void

++test_large_aligned_allocations (size_t size)

++{

++  /* ptr stores the result of posix_memalign but since all those calls

++     should fail, posix_memalign should never change ptr.  We set it to

++     NULL here and later on we check that it remains NULL after each

++     posix_memalign call.  */

++  void * ptr = NULL;

++

++  size_t align;

++

++  /* All aligned memory allocation functions expect an alignment that is a

++     power of 2.  Given this, we test each of them with every valid

++     alignment from 1 thru PAGESIZE.  */

++  for (align = 1; align <= pagesize; align *= 2)

++    {

++      test_setup ();

++      TEST_VERIFY (memalign (align, size) == NULL);

++      TEST_VERIFY (errno == ENOMEM);

++

++      /* posix_memalign expects an alignment that is a power of 2 *and* a

++         multiple of sizeof (void *).  */

++      if ((align % sizeof (void *)) == 0)

++        {

++          test_setup ();

++          TEST_VERIFY (posix_memalign (&ptr, align, size) == ENOMEM);

++          TEST_VERIFY (ptr == NULL);

++        }

++

++      /* aligned_alloc expects a size that is a multiple of alignment.  */

++      if ((size % align) == 0)

++        {

++          test_setup ();

++          TEST_VERIFY (aligned_alloc (align, size) == NULL);

++          TEST_VERIFY (errno == ENOMEM);

++        }

++    }

++

++  /* Both valloc and pvalloc return page-aligned memory.  */

++

++  test_setup ();

++  TEST_VERIFY (valloc (size) == NULL);

++  TEST_VERIFY (errno == ENOMEM);

++

++  test_setup ();

++  TEST_VERIFY (pvalloc (size) == NULL);

++  TEST_VERIFY (errno == ENOMEM);

++}

++

++

++#define FOURTEEN_ON_BITS ((1UL << 14) - 1)

++#define FIFTY_ON_BITS ((1UL << 50) - 1)

++

++

++static int

++do_test (void)

++{

++

++#if __WORDSIZE >= 64

++

++  /* This test assumes that none of the supported targets have an address

++     bus wider than 50 bits, and that therefore allocations for sizes wider

++     than 50 bits will fail.  Here, we ensure that the assumption continues

++     to be true in the future when we might have address buses wider than 50

++     bits.  */

++

++  struct rlimit alloc_size_limit

++    = {

++        .rlim_cur = FIFTY_ON_BITS,

++        .rlim_max = FIFTY_ON_BITS

++      };

++

++  setrlimit (RLIMIT_AS, &alloc_size_limit);

++

++#endif /* __WORDSIZE >= 64 */

++

++  DIAG_PUSH_NEEDS_COMMENT;

++#if __GNUC_PREREQ (7, 0)

++  /* GCC 7 warns about too-large allocations; here we want to test

++     that they fail.  */

++  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");

++#endif

++

++  /* Aligned memory allocation functions need to be tested up to alignment

++     size equivalent to page size, which should be a power of 2.  */

++  pagesize = sysconf (_SC_PAGESIZE);

++  TEST_VERIFY_EXIT (powerof2 (pagesize));

++

++  /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.

++     in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.

++

++     We can expect that this range of allocation sizes will always lead to

++     an allocation failure on both 64 and 32 bit targets, because:

++

++     1. no currently supported 64-bit target has an address bus wider than

++     50 bits -- and (2^64 - 2^14) is much wider than that;

++

++     2. on 32-bit targets, even though 2^32 is only 4 GB and potentially

++     addressable, glibc itself is more than 2^14 bytes in size, and

++     therefore once glibc is loaded, less than (2^32 - 2^14) bytes remain

++     available.  */

++

++  for (size_t i = 0; i <= FOURTEEN_ON_BITS; i++)

++    {

++      test_large_allocations (SIZE_MAX - i);

++      test_large_aligned_allocations (SIZE_MAX - i);

++    }

++

++#if __WORDSIZE >= 64

++  /* On 64-bit targets, we need to test a much wider range of too-large

++     sizes, so we test at intervals of (1 << 50) that allocation sizes

++     ranging from SIZE_MAX down to (1 << 50) fail:

++     The 14 MSBs are decremented starting from "all ON" going down to 1,

++     the 50 LSBs are "all ON" and then "all OFF" during every iteration.  */

++  for (size_t msbs = FOURTEEN_ON_BITS; msbs >= 1; msbs--)

++    {

++      size_t size = (msbs << 50) | FIFTY_ON_BITS;

++      test_large_allocations (size);

++      test_large_aligned_allocations (size);

++

++      size = msbs << 50;

++      test_large_allocations (size);

++      test_large_aligned_allocations (size);

++    }

++#endif /* __WORDSIZE >= 64 */

++

++  DIAG_POP_NEEDS_COMMENT;

++

++  return 0;

++}

++

++

++#include <support/test-driver.c>

+-- 

+2.9.3

+

@@ -6,7 +6,7 @@

 Summary:        Main C library

 Name:           glibc

 Version:        2.22

-Release:        18%{?dist}

+Release:        19%{?dist}

 License:        LGPLv2+

 URL:            http://www.gnu.org/software/libc

 Group:          Applications/System

@@ -46,6 +46,8 @@ Patch19:        glibc-fix-CVE-2015-5180.patch

 #https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=5e7fdabd7df1fc6c56d104e61390bf5a6b526c38

 Patch20:        glibc-2.22-CVE-2016-5417.patch

 Patch21:        glibc-fix-CVE-2017-16997.patch

+Patch22:        glibc-fix-CVE-2018-1000001.patch

+Patch23:        glibc-fix-CVE-2018-6485.patch

 Provides:       rtld(GNU_HASH)

 Requires:       filesystem

 %description

@@ -93,6 +95,8 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile

 %patch19 -p1

 %patch20 -p1

 %patch21 -p1

+%patch22 -p1

+%patch23 -p1

 install -vdm 755 %{_builddir}/%{name}-build

 # do not try to explicitly provide GLIBC_PRIVATE versioned libraries

 %define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh

@@ -219,6 +223,8 @@ popd

 %{_datarootdir}/locale/locale.alias

 %changelog

+*   Tue Jan 20 2018 Xiaolin Li <xiaolinl@vmware.com> 2.22-19

+-   Fix CVE-2018-1000001 and CVE-2018-6485

 *   Mon Jan 08 2018 Xiaolin Li <xiaolinl@vmware.com> 2.22-18

 -   Fix CVE-2017-16997

 *   Tue Dec 5 2017 Anish Swaminathan <anishs@vmware.com> 2.22-17