Change-Id: If5d935365e609cd7114f26947e5184ddf8719c11
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4814
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Dheeraj S Shetty <dheerajs@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,152 @@ |
0 |
+From 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: "Dmitry V. Levin" <ldv@altlinux.org> |
|
2 |
+Date: Sun, 7 Jan 2018 02:03:41 +0000 |
|
3 |
+Subject: [PATCH] linux: make getcwd(3) fail if it cannot obtain an absolute |
|
4 |
+ path [BZ #22679] |
|
5 |
+ |
|
6 |
+Currently getcwd(3) can succeed without returning an absolute path |
|
7 |
+because the underlying getcwd syscall, starting with linux commit |
|
8 |
+v2.6.36-rc1~96^2~2, may succeed without returning an absolute path. |
|
9 |
+ |
|
10 |
+This is a conformance issue because "The getcwd() function shall |
|
11 |
+place an absolute pathname of the current working directory |
|
12 |
+in the array pointed to by buf, and return buf". |
|
13 |
+ |
|
14 |
+This is also a security issue because a non-absolute path returned |
|
15 |
+by getcwd(3) causes a buffer underflow in realpath(3). |
|
16 |
+ |
|
17 |
+Fix this by checking the path returned by getcwd syscall and falling |
|
18 |
+back to generic_getcwd if the path is not absolute, effectively making |
|
19 |
+getcwd(3) fail with ENOENT. The error code is chosen for consistency |
|
20 |
+with the case when the current directory is unlinked. |
|
21 |
+ |
|
22 |
+[BZ #22679] |
|
23 |
+CVE-2018-1000001 |
|
24 |
+* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to |
|
25 |
+generic_getcwd if the path returned by getcwd syscall is not absolute. |
|
26 |
+* io/tst-getcwd-abspath.c: New test. |
|
27 |
+* io/Makefile (tests): Add tst-getcwd-abspath. |
|
28 |
+--- |
|
29 |
+ ChangeLog | 9 ++++++ |
|
30 |
+ NEWS | 4 +++ |
|
31 |
+ io/Makefile | 2 +- |
|
32 |
+ io/tst-getcwd-abspath.c | 66 ++++++++++++++++++++++++++++++++++++++++ |
|
33 |
+ sysdeps/unix/sysv/linux/getcwd.c | 8 ++--- |
|
34 |
+ 5 files changed, 84 insertions(+), 5 deletions(-) |
|
35 |
+ create mode 100644 io/tst-getcwd-abspath.c |
|
36 |
+ |
|
37 |
+diff --git a/io/Makefile b/io/Makefile |
|
38 |
+index 2f26bf5..566f03c 100644 |
|
39 |
+--- a/io/Makefile |
|
40 |
+@@ -71,7 +71,7 @@ tests := test-utime test-stat test-stat2 test-lfs tst-getcwd \ |
|
41 |
+ tst-renameat tst-fchownat tst-fchmodat tst-faccessat \ |
|
42 |
+ tst-symlinkat tst-linkat tst-readlinkat tst-mkdirat \ |
|
43 |
+ tst-mknodat tst-mkfifoat tst-ttyname_r bug-ftw5 \ |
|
44 |
+- tst-posix_fallocate |
|
45 |
++ tst-posix_fallocate tst-getcwd-abspath |
|
46 |
+ |
|
47 |
+ ifeq ($(run-built-tests),yes) |
|
48 |
+ tests-special += $(objpfx)ftwtest.out |
|
49 |
+diff --git a/io/tst-getcwd-abspath.c b/io/tst-getcwd-abspath.c |
|
50 |
+new file mode 100644 |
|
51 |
+index 0000000..3a3636f |
|
52 |
+--- /dev/null |
|
53 |
+@@ -0,0 +1,66 @@ |
|
54 |
++/* BZ #22679 getcwd(3) should not succeed without returning an absolute path. |
|
55 |
++ |
|
56 |
++ Copyright (C) 2018 Free Software Foundation, Inc. |
|
57 |
++ This file is part of the GNU C Library. |
|
58 |
++ |
|
59 |
++ The GNU C Library is free software; you can redistribute it and/or |
|
60 |
++ modify it under the terms of the GNU Lesser General Public |
|
61 |
++ License as published by the Free Software Foundation; either |
|
62 |
++ version 2.1 of the License, or (at your option) any later version. |
|
63 |
++ |
|
64 |
++ The GNU C Library is distributed in the hope that it will be useful, |
|
65 |
++ but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
66 |
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
|
67 |
++ Lesser General Public License for more details. |
|
68 |
++ |
|
69 |
++ You should have received a copy of the GNU Lesser General Public |
|
70 |
++ License along with the GNU C Library; if not, see |
|
71 |
++ <https://www.gnu.org/licenses/>. */ |
|
72 |
++ |
|
73 |
++#include <errno.h> |
|
74 |
++#include <stdio.h> |
|
75 |
++#include <stdlib.h> |
|
76 |
++#include <support/check.h> |
|
77 |
++#include <support/namespace.h> |
|
78 |
++#include <support/support.h> |
|
79 |
++#include <support/temp_file.h> |
|
80 |
++#include <support/test-driver.h> |
|
81 |
++#include <support/xunistd.h> |
|
82 |
++#include <unistd.h> |
|
83 |
++ |
|
84 |
++static char *chroot_dir; |
|
85 |
++ |
|
86 |
++/* The actual test. Run it in a subprocess, so that the test harness |
|
87 |
++ can remove the temporary directory in --direct mode. */ |
|
88 |
++static void |
|
89 |
++getcwd_callback (void *closure) |
|
90 |
++{ |
|
91 |
++ xchroot (chroot_dir); |
|
92 |
++ |
|
93 |
++ errno = 0; |
|
94 |
++ char *cwd = getcwd (NULL, 0); |
|
95 |
++ TEST_COMPARE (errno, ENOENT); |
|
96 |
++ TEST_VERIFY (cwd == NULL); |
|
97 |
++ |
|
98 |
++ errno = 0; |
|
99 |
++ cwd = realpath (".", NULL); |
|
100 |
++ TEST_COMPARE (errno, ENOENT); |
|
101 |
++ TEST_VERIFY (cwd == NULL); |
|
102 |
++ |
|
103 |
++ _exit (0); |
|
104 |
++} |
|
105 |
++ |
|
106 |
++static int |
|
107 |
++do_test (void) |
|
108 |
++{ |
|
109 |
++ support_become_root (); |
|
110 |
++ if (!support_can_chroot ()) |
|
111 |
++ return EXIT_UNSUPPORTED; |
|
112 |
++ |
|
113 |
++ chroot_dir = support_create_temp_directory ("tst-getcwd-abspath-"); |
|
114 |
++ support_isolate_in_subprocess (getcwd_callback, NULL); |
|
115 |
++ |
|
116 |
++ return 0; |
|
117 |
++} |
|
118 |
++ |
|
119 |
++#include <support/test-driver.c> |
|
120 |
+diff --git a/sysdeps/unix/sysv/linux/getcwd.c b/sysdeps/unix/sysv/linux/getcwd.c |
|
121 |
+index f545106..866b9d2 100644 |
|
122 |
+--- a/sysdeps/unix/sysv/linux/getcwd.c |
|
123 |
+@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size) |
|
124 |
+ int retval; |
|
125 |
+ |
|
126 |
+ retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size); |
|
127 |
+- if (retval >= 0) |
|
128 |
++ if (retval > 0 && path[0] == '/') |
|
129 |
+ { |
|
130 |
+ #ifndef NO_ALLOCATION |
|
131 |
+ if (buf == NULL && size == 0) |
|
132 |
+@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size) |
|
133 |
+ return buf; |
|
134 |
+ } |
|
135 |
+ |
|
136 |
+- /* The system call cannot handle paths longer than a page. |
|
137 |
+- Neither can the magic symlink in /proc/self. Just use the |
|
138 |
++ /* The system call either cannot handle paths longer than a page |
|
139 |
++ or can succeed without returning an absolute path. Just use the |
|
140 |
+ generic implementation right away. */ |
|
141 |
+- if (errno == ENAMETOOLONG) |
|
142 |
++ if (retval >= 0 || errno == ENAMETOOLONG) |
|
143 |
+ { |
|
144 |
+ #ifndef NO_ALLOCATION |
|
145 |
+ if (buf == NULL && size == 0) |
|
146 |
+-- |
|
147 |
+2.9.3 |
|
148 |
+ |
0 | 149 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,345 @@ |
0 |
+From 9331dbdcd7aa8e997eb4caa9b1b0cb6c804320c8 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Arjun Shankar <arjun@redhat.com> |
|
2 |
+Date: Thu, 18 Jan 2018 16:47:06 +0000 |
|
3 |
+Subject: [PATCH] Fix integer overflows in internal memalign and malloc [BZ |
|
4 |
+ #22343] [BZ #22774] |
|
5 |
+ |
|
6 |
+When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT |
|
7 |
+and a requested size close to SIZE_MAX, it falls back to malloc code |
|
8 |
+(because the alignment of a block returned by malloc is sufficient to |
|
9 |
+satisfy the call). In this case, an integer overflow in _int_malloc leads |
|
10 |
+to posix_memalign incorrectly returning successfully. |
|
11 |
+ |
|
12 |
+Upon fixing this and writing a somewhat thorough regression test, it was |
|
13 |
+discovered that when posix_memalign is called with an alignment larger than |
|
14 |
+MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size |
|
15 |
+close to SIZE_MAX, a different integer overflow in _int_memalign leads to |
|
16 |
+posix_memalign incorrectly returning successfully. |
|
17 |
+ |
|
18 |
+Both integer overflows affect other memory allocation functions that use |
|
19 |
+_int_malloc (one affected malloc in x86) or _int_memalign as well. |
|
20 |
+ |
|
21 |
+This commit fixes both integer overflows. In addition to this, it adds a |
|
22 |
+regression test to guard against false successful allocations by the |
|
23 |
+following memory allocation functions when called with too-large allocation |
|
24 |
+sizes and, where relevant, various valid alignments: |
|
25 |
+malloc, realloc, calloc, memalign, posix_memalign, aligned_alloc, valloc, |
|
26 |
+and pvalloc. |
|
27 |
+ |
|
28 |
+(cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22) |
|
29 |
+--- |
|
30 |
+ ChangeLog | 13 +++ |
|
31 |
+ NEWS | 10 ++ |
|
32 |
+ malloc/Makefile | 1 + |
|
33 |
+ malloc/malloc.c | 30 ++++-- |
|
34 |
+ malloc/tst-malloc-too-large.c | 237 ++++++++++++++++++++++++++++++++++++++++++ |
|
35 |
+ 5 files changed, 283 insertions(+), 8 deletions(-) |
|
36 |
+ create mode 100644 malloc/tst-malloc-too-large.c |
|
37 |
+ |
|
38 |
+diff --git a/malloc/Makefile b/malloc/Makefile |
|
39 |
+index 89fce91..9b40e87 100644 |
|
40 |
+--- a/malloc/Makefile |
|
41 |
+@@ -28,7 +28,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \ |
|
42 |
+ tst-mallocstate tst-mcheck tst-mallocfork tst-trim1 \ |
|
43 |
+ tst-malloc-usable tst-realloc tst-posix_memalign \ |
|
44 |
+ tst-pvalloc tst-memalign tst-mallopt tst-scratch_buffer \ |
|
45 |
+- tst-malloc-backtrace |
|
46 |
++ tst-malloc-backtrace tst-malloc-too-large |
|
47 |
+ test-srcs = tst-mtrace |
|
48 |
+ |
|
49 |
+ routines = malloc morecore mcheck mtrace obstack \ |
|
50 |
+diff --git a/malloc/malloc.c b/malloc/malloc.c |
|
51 |
+index 4e07663..0686e5d 100644 |
|
52 |
+--- a/malloc/malloc.c |
|
53 |
+@@ -1202,14 +1202,21 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|
54 |
+ MINSIZE : \ |
|
55 |
+ ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK) |
|
56 |
+ |
|
57 |
+-/* Same, except also perform argument check */ |
|
58 |
+- |
|
59 |
+-#define checked_request2size(req, sz) \ |
|
60 |
+- if (REQUEST_OUT_OF_RANGE (req)) { \ |
|
61 |
+- __set_errno (ENOMEM); \ |
|
62 |
+- return 0; \ |
|
63 |
+- } \ |
|
64 |
+- (sz) = request2size (req); |
|
65 |
++/* Same, except also perform an argument and result check. First, we check |
|
66 |
++ that the padding done by request2size didn't result in an integer |
|
67 |
++ overflow. Then we check (using REQUEST_OUT_OF_RANGE) that the resulting |
|
68 |
++ size isn't so large that a later alignment would lead to another integer |
|
69 |
++ overflow. */ |
|
70 |
++#define checked_request2size(req, sz) \ |
|
71 |
++({ \ |
|
72 |
++ (sz) = request2size (req); \ |
|
73 |
++ if (((sz) < (req)) \ |
|
74 |
++ || REQUEST_OUT_OF_RANGE (sz)) \ |
|
75 |
++ { \ |
|
76 |
++ __set_errno (ENOMEM); \ |
|
77 |
++ return 0; \ |
|
78 |
++ } \ |
|
79 |
++}) |
|
80 |
+ |
|
81 |
+ /* |
|
82 |
+ --------------- Physical chunk operations --------------- |
|
83 |
+@@ -4423,6 +4430,13 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) |
|
84 |
+ */ |
|
85 |
+ |
|
86 |
+ |
|
87 |
++ /* Check for overflow. */ |
|
88 |
++ if (nb > SIZE_MAX - alignment - MINSIZE) |
|
89 |
++ { |
|
90 |
++ __set_errno (ENOMEM); |
|
91 |
++ return 0; |
|
92 |
++ } |
|
93 |
++ |
|
94 |
+ /* Call malloc with worst case padding to hit alignment. */ |
|
95 |
+ |
|
96 |
+ m = (char *) (_int_malloc (av, nb + alignment + MINSIZE)); |
|
97 |
+diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c |
|
98 |
+new file mode 100644 |
|
99 |
+index 0000000..1f7bf29 |
|
100 |
+--- /dev/null |
|
101 |
+@@ -0,0 +1,237 @@ |
|
102 |
++/* Test and verify that too-large memory allocations fail with ENOMEM. |
|
103 |
++ Copyright (C) 2018 Free Software Foundation, Inc. |
|
104 |
++ This file is part of the GNU C Library. |
|
105 |
++ |
|
106 |
++ The GNU C Library is free software; you can redistribute it and/or |
|
107 |
++ modify it under the terms of the GNU Lesser General Public |
|
108 |
++ License as published by the Free Software Foundation; either |
|
109 |
++ version 2.1 of the License, or (at your option) any later version. |
|
110 |
++ |
|
111 |
++ The GNU C Library is distributed in the hope that it will be useful, |
|
112 |
++ but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
113 |
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
|
114 |
++ Lesser General Public License for more details. |
|
115 |
++ |
|
116 |
++ You should have received a copy of the GNU Lesser General Public |
|
117 |
++ License along with the GNU C Library; if not, see |
|
118 |
++ <http://www.gnu.org/licenses/>. */ |
|
119 |
++ |
|
120 |
++/* Bug 22375 reported a regression in malloc where if after malloc'ing then |
|
121 |
++ free'ing a small block of memory, malloc is then called with a really |
|
122 |
++ large size argument (close to SIZE_MAX): instead of returning NULL and |
|
123 |
++ setting errno to ENOMEM, malloc incorrectly returns the previously |
|
124 |
++ allocated block instead. Bug 22343 reported a similar case where |
|
125 |
++ posix_memalign incorrectly returns successfully when called with an with |
|
126 |
++ a really large size argument. |
|
127 |
++ |
|
128 |
++ Both of these were caused by integer overflows in the allocator when it |
|
129 |
++ was trying to pad the requested size to allow for book-keeping or |
|
130 |
++ alignment. This test guards against such bugs by repeatedly allocating |
|
131 |
++ and freeing small blocks of memory then trying to allocate various block |
|
132 |
++ sizes larger than the memory bus width of 64-bit targets, or almost |
|
133 |
++ as large as SIZE_MAX on 32-bit targets supported by glibc. In each case, |
|
134 |
++ it verifies that such impossibly large allocations correctly fail. */ |
|
135 |
++ |
|
136 |
++ |
|
137 |
++#include <stdlib.h> |
|
138 |
++#include <malloc.h> |
|
139 |
++#include <errno.h> |
|
140 |
++#include <stdint.h> |
|
141 |
++#include <sys/resource.h> |
|
142 |
++#include <libc-internal.h> |
|
143 |
++#include <support/check.h> |
|
144 |
++#include <unistd.h> |
|
145 |
++#include <sys/param.h> |
|
146 |
++ |
|
147 |
++ |
|
148 |
++/* This function prepares for each 'too-large memory allocation' test by |
|
149 |
++ performing a small successful malloc/free and resetting errno prior to |
|
150 |
++ the actual test. */ |
|
151 |
++static void |
|
152 |
++test_setup (void) |
|
153 |
++{ |
|
154 |
++ void *volatile ptr = malloc (16); |
|
155 |
++ TEST_VERIFY_EXIT (ptr != NULL); |
|
156 |
++ free (ptr); |
|
157 |
++ errno = 0; |
|
158 |
++} |
|
159 |
++ |
|
160 |
++ |
|
161 |
++/* This function tests each of: |
|
162 |
++ - malloc (SIZE) |
|
163 |
++ - realloc (PTR_FOR_REALLOC, SIZE) |
|
164 |
++ - for various values of NMEMB: |
|
165 |
++ - calloc (NMEMB, SIZE/NMEMB) |
|
166 |
++ - calloc (SIZE/NMEMB, NMEMB) |
|
167 |
++ and precedes each of these tests with a small malloc/free before it. */ |
|
168 |
++static void |
|
169 |
++test_large_allocations (size_t size) |
|
170 |
++{ |
|
171 |
++ void * ptr_to_realloc; |
|
172 |
++ |
|
173 |
++ test_setup (); |
|
174 |
++ TEST_VERIFY (malloc (size) == NULL); |
|
175 |
++ TEST_VERIFY (errno == ENOMEM); |
|
176 |
++ |
|
177 |
++ ptr_to_realloc = malloc (16); |
|
178 |
++ TEST_VERIFY_EXIT (ptr_to_realloc != NULL); |
|
179 |
++ test_setup (); |
|
180 |
++ TEST_VERIFY (realloc (ptr_to_realloc, size) == NULL); |
|
181 |
++ TEST_VERIFY (errno == ENOMEM); |
|
182 |
++ free (ptr_to_realloc); |
|
183 |
++ |
|
184 |
++ for (size_t nmemb = 1; nmemb <= 8; nmemb *= 2) |
|
185 |
++ if ((size % nmemb) == 0) |
|
186 |
++ { |
|
187 |
++ test_setup (); |
|
188 |
++ TEST_VERIFY (calloc (nmemb, size / nmemb) == NULL); |
|
189 |
++ TEST_VERIFY (errno == ENOMEM); |
|
190 |
++ |
|
191 |
++ test_setup (); |
|
192 |
++ TEST_VERIFY (calloc (size / nmemb, nmemb) == NULL); |
|
193 |
++ TEST_VERIFY (errno == ENOMEM); |
|
194 |
++ } |
|
195 |
++ else |
|
196 |
++ break; |
|
197 |
++} |
|
198 |
++ |
|
199 |
++ |
|
200 |
++static long pagesize; |
|
201 |
++ |
|
202 |
++/* This function tests the following aligned memory allocation functions |
|
203 |
++ using several valid alignments and precedes each allocation test with a |
|
204 |
++ small malloc/free before it: |
|
205 |
++ memalign, posix_memalign, aligned_alloc, valloc, pvalloc. */ |
|
206 |
++static void |
|
207 |
++test_large_aligned_allocations (size_t size) |
|
208 |
++{ |
|
209 |
++ /* ptr stores the result of posix_memalign but since all those calls |
|
210 |
++ should fail, posix_memalign should never change ptr. We set it to |
|
211 |
++ NULL here and later on we check that it remains NULL after each |
|
212 |
++ posix_memalign call. */ |
|
213 |
++ void * ptr = NULL; |
|
214 |
++ |
|
215 |
++ size_t align; |
|
216 |
++ |
|
217 |
++ /* All aligned memory allocation functions expect an alignment that is a |
|
218 |
++ power of 2. Given this, we test each of them with every valid |
|
219 |
++ alignment from 1 thru PAGESIZE. */ |
|
220 |
++ for (align = 1; align <= pagesize; align *= 2) |
|
221 |
++ { |
|
222 |
++ test_setup (); |
|
223 |
++ TEST_VERIFY (memalign (align, size) == NULL); |
|
224 |
++ TEST_VERIFY (errno == ENOMEM); |
|
225 |
++ |
|
226 |
++ /* posix_memalign expects an alignment that is a power of 2 *and* a |
|
227 |
++ multiple of sizeof (void *). */ |
|
228 |
++ if ((align % sizeof (void *)) == 0) |
|
229 |
++ { |
|
230 |
++ test_setup (); |
|
231 |
++ TEST_VERIFY (posix_memalign (&ptr, align, size) == ENOMEM); |
|
232 |
++ TEST_VERIFY (ptr == NULL); |
|
233 |
++ } |
|
234 |
++ |
|
235 |
++ /* aligned_alloc expects a size that is a multiple of alignment. */ |
|
236 |
++ if ((size % align) == 0) |
|
237 |
++ { |
|
238 |
++ test_setup (); |
|
239 |
++ TEST_VERIFY (aligned_alloc (align, size) == NULL); |
|
240 |
++ TEST_VERIFY (errno == ENOMEM); |
|
241 |
++ } |
|
242 |
++ } |
|
243 |
++ |
|
244 |
++ /* Both valloc and pvalloc return page-aligned memory. */ |
|
245 |
++ |
|
246 |
++ test_setup (); |
|
247 |
++ TEST_VERIFY (valloc (size) == NULL); |
|
248 |
++ TEST_VERIFY (errno == ENOMEM); |
|
249 |
++ |
|
250 |
++ test_setup (); |
|
251 |
++ TEST_VERIFY (pvalloc (size) == NULL); |
|
252 |
++ TEST_VERIFY (errno == ENOMEM); |
|
253 |
++} |
|
254 |
++ |
|
255 |
++ |
|
256 |
++#define FOURTEEN_ON_BITS ((1UL << 14) - 1) |
|
257 |
++#define FIFTY_ON_BITS ((1UL << 50) - 1) |
|
258 |
++ |
|
259 |
++ |
|
260 |
++static int |
|
261 |
++do_test (void) |
|
262 |
++{ |
|
263 |
++ |
|
264 |
++#if __WORDSIZE >= 64 |
|
265 |
++ |
|
266 |
++ /* This test assumes that none of the supported targets have an address |
|
267 |
++ bus wider than 50 bits, and that therefore allocations for sizes wider |
|
268 |
++ than 50 bits will fail. Here, we ensure that the assumption continues |
|
269 |
++ to be true in the future when we might have address buses wider than 50 |
|
270 |
++ bits. */ |
|
271 |
++ |
|
272 |
++ struct rlimit alloc_size_limit |
|
273 |
++ = { |
|
274 |
++ .rlim_cur = FIFTY_ON_BITS, |
|
275 |
++ .rlim_max = FIFTY_ON_BITS |
|
276 |
++ }; |
|
277 |
++ |
|
278 |
++ setrlimit (RLIMIT_AS, &alloc_size_limit); |
|
279 |
++ |
|
280 |
++#endif /* __WORDSIZE >= 64 */ |
|
281 |
++ |
|
282 |
++ DIAG_PUSH_NEEDS_COMMENT; |
|
283 |
++#if __GNUC_PREREQ (7, 0) |
|
284 |
++ /* GCC 7 warns about too-large allocations; here we want to test |
|
285 |
++ that they fail. */ |
|
286 |
++ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); |
|
287 |
++#endif |
|
288 |
++ |
|
289 |
++ /* Aligned memory allocation functions need to be tested up to alignment |
|
290 |
++ size equivalent to page size, which should be a power of 2. */ |
|
291 |
++ pagesize = sysconf (_SC_PAGESIZE); |
|
292 |
++ TEST_VERIFY_EXIT (powerof2 (pagesize)); |
|
293 |
++ |
|
294 |
++ /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. |
|
295 |
++ in the range (SIZE_MAX - 2^14, SIZE_MAX], fail. |
|
296 |
++ |
|
297 |
++ We can expect that this range of allocation sizes will always lead to |
|
298 |
++ an allocation failure on both 64 and 32 bit targets, because: |
|
299 |
++ |
|
300 |
++ 1. no currently supported 64-bit target has an address bus wider than |
|
301 |
++ 50 bits -- and (2^64 - 2^14) is much wider than that; |
|
302 |
++ |
|
303 |
++ 2. on 32-bit targets, even though 2^32 is only 4 GB and potentially |
|
304 |
++ addressable, glibc itself is more than 2^14 bytes in size, and |
|
305 |
++ therefore once glibc is loaded, less than (2^32 - 2^14) bytes remain |
|
306 |
++ available. */ |
|
307 |
++ |
|
308 |
++ for (size_t i = 0; i <= FOURTEEN_ON_BITS; i++) |
|
309 |
++ { |
|
310 |
++ test_large_allocations (SIZE_MAX - i); |
|
311 |
++ test_large_aligned_allocations (SIZE_MAX - i); |
|
312 |
++ } |
|
313 |
++ |
|
314 |
++#if __WORDSIZE >= 64 |
|
315 |
++ /* On 64-bit targets, we need to test a much wider range of too-large |
|
316 |
++ sizes, so we test at intervals of (1 << 50) that allocation sizes |
|
317 |
++ ranging from SIZE_MAX down to (1 << 50) fail: |
|
318 |
++ The 14 MSBs are decremented starting from "all ON" going down to 1, |
|
319 |
++ the 50 LSBs are "all ON" and then "all OFF" during every iteration. */ |
|
320 |
++ for (size_t msbs = FOURTEEN_ON_BITS; msbs >= 1; msbs--) |
|
321 |
++ { |
|
322 |
++ size_t size = (msbs << 50) | FIFTY_ON_BITS; |
|
323 |
++ test_large_allocations (size); |
|
324 |
++ test_large_aligned_allocations (size); |
|
325 |
++ |
|
326 |
++ size = msbs << 50; |
|
327 |
++ test_large_allocations (size); |
|
328 |
++ test_large_aligned_allocations (size); |
|
329 |
++ } |
|
330 |
++#endif /* __WORDSIZE >= 64 */ |
|
331 |
++ |
|
332 |
++ DIAG_POP_NEEDS_COMMENT; |
|
333 |
++ |
|
334 |
++ return 0; |
|
335 |
++} |
|
336 |
++ |
|
337 |
++ |
|
338 |
++#include <support/test-driver.c> |
|
339 |
+-- |
|
340 |
+2.9.3 |
|
341 |
+ |
... | ... |
@@ -6,7 +6,7 @@ |
6 | 6 |
Summary: Main C library |
7 | 7 |
Name: glibc |
8 | 8 |
Version: 2.22 |
9 |
-Release: 18%{?dist} |
|
9 |
+Release: 19%{?dist} |
|
10 | 10 |
License: LGPLv2+ |
11 | 11 |
URL: http://www.gnu.org/software/libc |
12 | 12 |
Group: Applications/System |
... | ... |
@@ -46,6 +46,8 @@ Patch19: glibc-fix-CVE-2015-5180.patch |
46 | 46 |
#https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=5e7fdabd7df1fc6c56d104e61390bf5a6b526c38 |
47 | 47 |
Patch20: glibc-2.22-CVE-2016-5417.patch |
48 | 48 |
Patch21: glibc-fix-CVE-2017-16997.patch |
49 |
+Patch22: glibc-fix-CVE-2018-1000001.patch |
|
50 |
+Patch23: glibc-fix-CVE-2018-6485.patch |
|
49 | 51 |
Provides: rtld(GNU_HASH) |
50 | 52 |
Requires: filesystem |
51 | 53 |
%description |
... | ... |
@@ -93,6 +95,8 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile |
93 | 93 |
%patch19 -p1 |
94 | 94 |
%patch20 -p1 |
95 | 95 |
%patch21 -p1 |
96 |
+%patch22 -p1 |
|
97 |
+%patch23 -p1 |
|
96 | 98 |
install -vdm 755 %{_builddir}/%{name}-build |
97 | 99 |
# do not try to explicitly provide GLIBC_PRIVATE versioned libraries |
98 | 100 |
%define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh |
... | ... |
@@ -219,6 +223,8 @@ popd |
219 | 219 |
%{_datarootdir}/locale/locale.alias |
220 | 220 |
|
221 | 221 |
%changelog |
222 |
+* Tue Jan 20 2018 Xiaolin Li <xiaolinl@vmware.com> 2.22-19 |
|
223 |
+- Fix CVE-2018-1000001 and CVE-2018-6485 |
|
222 | 224 |
* Mon Jan 08 2018 Xiaolin Li <xiaolinl@vmware.com> 2.22-18 |
223 | 225 |
- Fix CVE-2017-16997 |
224 | 226 |
* Tue Dec 5 2017 Anish Swaminathan <anishs@vmware.com> 2.22-17 |