From 2f3bd411aefa9747f17740e9ab06676d51241098 Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Thu, 27 Mar 2014 07:15:22 +0530 Subject: Fix nscd lookup for innetgr when netgroup has wildcards (BZ #16758) nscd works correctly when the request in innetgr is a wildcard, i.e. when one or more of host, user or domain parameters is NULL. However, it does not work when the the triplet in the netgroup definition has a wildcard. This is easy to reproduce for a triplet defined as follows: foonet (,foo,) Here, an innetgr call that looks like this: innetgr ("foonet", "foohost", "foo", NULL); should succeed and so should: innetgr ("foonet", NULL, "foo", "foodomain"); It does succeed with nscd disabled, but not with nscd enabled. This fix adds this additional check for all three parts of the triplet so that it gives the correct result. [BZ #16758] * nscd/netgroupcache.c (addinnetgrX): Succeed if triplet has blank values. (cherry picked from commit fbd6b5a4052316f7eb03c4617eebfaafc59dcc06) --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 4502ab2..3cb4c4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2015-12-20 Siddhesh Poyarekar + + [BZ #16758] + * nscd/netgroupcache.c (addinnetgrX): Succeed if triplet has + blank values. + 2015-11-24 Andreas Schwab [BZ #17062] -- cgit v1.1 From 56b2cf5633f90c722b8f4ed257311b23ebed7399 Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Thu, 27 Mar 2014 19:49:51 +0530 Subject: Return NULL for wildcard values in getnetgrent from nscd (BZ #16759) getnetgrent is supposed to return NULL for values that are wildcards in the (host, user, domain) triplet. This works correctly with nscd disabled, but with it enabled, it returns a blank ("") instead of a NULL. This is easily seen with the output of `getent netgroup foonet` for a netgroup foonet defined as follows in /etc/netgroup: foonet (,foo,) The output with nscd disabled is: foonet ( ,foo,) while with nscd enabled, it is: foonet (,foo,) The extra space with nscd disabled is due to the fact that `getent netgroup` adds it if the return value from getnetgrent is NULL for either host or user. (cherry picked from commit dd3022d75e6fb8957843d6d84257a5d8457822d5) --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 3cb4c4d..896b564 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,10 @@ * nscd/netgroupcache.c (addinnetgrX): Succeed if triplet has blank values. + [BZ #16759] + * inet/getnetgrent_r.c (get_nonempty_val): New function. + (nscd_getnetgrent): Use it. + 2015-11-24 Andreas Schwab [BZ #17062] -- cgit v1.1 From b963026c07a304bcfcf56ad5ee9b4f0797c7d3df Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Thu, 27 Mar 2014 19:48:15 +0530 Subject: Avoid overlapping addresses to stpcpy calls in nscd (BZ #16760) Calls to stpcpy from nscd netgroups code will have overlapping source and destination when all three values in the returned triplet are non-NULL and in the expected (host,user,domain) order. This is seen in valgrind as: ==3181== Source and destination overlap in stpcpy(0x19973b48, 0x19973b48) ==3181== at 0x4C2F30A: stpcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==3181== by 0x12567A: addgetnetgrentX (string3.h:111) ==3181== by 0x12722D: addgetnetgrent (netgroupcache.c:665) ==3181== by 0x11114C: nscd_run_worker (connections.c:1338) ==3181== by 0x4E3C102: start_thread (pthread_create.c:309) ==3181== by 0x59B81AC: clone (clone.S:111) ==3181== Fix this by using memmove instead of stpcpy. (cherry picked from commit ea7d8b95e2fcb81f68b04ed7787a3dbda023991a) --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 896b564..e82ba7d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ * inet/getnetgrent_r.c (get_nonempty_val): New function. (nscd_getnetgrent): Use it. + [BZ #16760] + * nscd/netgroupcache.c (addgetnetgrentX): Use memmove instead + of stpcpy. + 2015-11-24 Andreas Schwab [BZ #17062] -- cgit v1.1 From e12c42df43d80e46a6576dba94d31134727d868e Mon Sep 17 00:00:00 2001 From: Paul Pluzhnikov Date: Sat, 8 Aug 2015 15:53:03 -0700 Subject: Fix BZ #17905 (cherry picked from commit 0f58539030e436449f79189b6edab17d7479796e) --- ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index e82ba7d..0770353 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2015-08-08 Paul Pluzhnikov + + [BZ #17905] + * catgets/Makefile (tst-catgets-mem): New test. + * catgets/catgets.c (catopen): Don't use unbounded alloca. + * catgets/open_catalog.c (__open_catalog): Likewise. + * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca. + 2015-12-20 Siddhesh Poyarekar [BZ #16758] -- cgit v1.1 From fd6e33ebd157966fed025a8cf68f2f0835dcbf02 Mon Sep 17 00:00:00 2001 From: Paul Pluzhnikov Date: Sat, 26 Sep 2015 13:27:48 -0700 Subject: Fix BZ #18985 -- out of range data to strftime() causes a segfault (cherry picked from commit d36c75fc0d44deec29635dd239b0fbd206ca49b7) --- ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 0770353..871c722 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2015-09-26 Paul Pluzhnikov + + [BZ #18985] + * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check. + (__strftime_internal): Likewise. + * time/tst-strftime.c (do_bz18985): New test. + (do_test): Call it. + 2015-08-08 Paul Pluzhnikov [BZ #17905] -- cgit v1.1 From b5cba5cff937e5336ff23380785da80cab09146c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20B=C3=ADlka?= Date: Sat, 11 Jul 2015 17:44:10 +0200 Subject: Handle overflow in __hcreate_r Hi, As in bugzilla entry there is overflow in hsearch when looking for prime number as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting large inputs before looking for prime. * misc/hsearch_r.c (__hcreate_r): Handle overflow. (cherry picked from commit 2f5c1750558fe64bac361f52d6827ab1bcfe52bc) --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 871c722..1ea2c73 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2015-08-25 Ondřej Bílka + + [BZ #18240] + * misc/hsearch_r.c (__hcreate_r): Handle overflow. + 2015-09-26 Paul Pluzhnikov [BZ #18985] -- cgit v1.1 From 3c9e8d9477aba0f514171bb4706670052544479b Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Thu, 28 Jan 2016 13:59:11 +0100 Subject: Improve check against integer wraparound in hcreate_r [BZ #18240] (cherry picked from commit bae7c7c764413b23e61cb099ce33be4c4ee259bb) --- ChangeLog | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 1ea2c73..e17bd64 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2016-01-27 Paul Eggert + + [BZ #18240] + * misc/hsearch_r.c (isprime, __hcreate_r): Protect against + unsigned int wraparound. + +2016-01-27 Florian Weimer + + [BZ #18240] + * misc/bug18240.c: New test. + * misc/Makefile (tests): Add it. + 2015-08-25 Ondřej Bílka [BZ #18240] -- cgit v1.1 From 78c76f7374df7f3caff43840a01247bb7d25597e Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Fri, 12 Feb 2016 12:57:40 +0100 Subject: hsearch_r: Apply VM size limit in test case (cherry picked from commit f34f146e682d8d529dcf64b3c2781bf3f2f05f6c) --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index e17bd64..9907019 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2016-02-12 Florian Weimer + + * misc/bug18240.c (do_test): Set RLIMIT_AS. + 2016-01-27 Paul Eggert [BZ #18240] -- cgit v1.1 From a02f3e795993ae0f80242b488061b74666605625 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Tue, 29 Mar 2016 12:57:56 +0200 Subject: CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879] The defensive copy is not needed because the name may not alias the output buffer. (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4) --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 9907019..685dd90 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2016-04-01 Florian Weimer + + [BZ #19879] + CVE-2016-3075 + * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not + copy name. + 2016-02-12 Florian Weimer * misc/bug18240.c (do_test): Set RLIMIT_AS. -- cgit v1.1 From aa60d72514a2bc51017edeb0ccdd9904b8c2e745 Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Thu, 28 Apr 2016 10:12:05 +0200 Subject: S/390: Fix setcontext/swapcontext which are not restoring sigmask. [BZ #18080] This patch uses sigprocmask(SIG_SETMASK) instead of SIG_BLOCK in setcontext, swapcontext. (cherry picked from commit 2e807f29595eb5b1e5d0decc6e356a3562ecc58e) --- ChangeLog | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 685dd90..9b6e9f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,19 @@ +2016-04-28 Stefan Liebler + + [BZ #18080] + * sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S + (__setcontext): Use SIG_SETMASK instead of SIG_BLOCK. + * sysdeps/unix/sysv/linux/s390/s390-64/setcontext.S + (__setcontext): Likewise. + * sysdeps/unix/sysv/linux/s390/s390-32/swapcontext.S + (__swapcontext): Use SIG_SETMASK instead of SIG_BLOCK. + Call rt_sigprocmask syscall one time to set new signal mask + and retrieve the current signal mask instead of two calls. + * sysdeps/unix/sysv/linux/s390/s390-64/swapcontext.S + (__swapcontext): Likewise. + * stdlib/Makefile (tests): Add new testcase tst-setcontext2. + * stdlib/tst-setcontext2.c: New file. + 2016-04-01 Florian Weimer [BZ #19879] -- cgit v1.1 From 05cc5bbd3cf037daee848c11792a6471de01298d Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Thu, 28 Apr 2016 10:21:58 +0200 Subject: S390: Fix "backtrace() returns infinitely deep stack frames with makecontext()" [BZ #18508]. On s390/s390x backtrace(buffer, size) returns the series of called functions until "makecontext_ret" and additional entries (up to "size") with "makecontext_ret". GDB-backtrace is also warning: "Backtrace stopped: previous frame identical to this frame (corrupt stack?)" To reproduce this scenario you have to setup a new context with makecontext() and activate it with setcontext(). See e.g. cf() function in testcase stdlib/tst-makecontext.c. Or see bug in libgo "Bug 66303 - runtime.Caller() returns infinitely deep stack frames on s390x " (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66303). This patch omits the cfi_startproc/cfi_endproc directives in ENTRY/END macro of __makecontext_ret. Thus no frame information is generated in .eh_frame and backtrace stops after __makecontext_ret. There is also no .eh_frame info for _start or thread_start functions. ChangeLog: [BZ #18508] * stdlib/Makefile ($(objpfx)tst-makecontext3): Depend on $(libdl). * stdlib/tst-makecontext.c (cf): Test if _Unwind_Backtrace is not called infinitely times. (backtrace_helper): New function. (trace_arg): New struct. (st1): Enlarge stack size. * sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S: (__makecontext_ret): Omit cfi_startproc and cfi_endproc. * sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S: Likewise. (cherry picked from commit 890b7a4b33d482b5c768ab47d70758b80227e9bc) --- ChangeLog | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 9b6e9f5..ac7f870 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,20 @@ 2016-04-28 Stefan Liebler + [BZ #18508] + * stdlib/Makefile ($(objpfx)tst-makecontext3): + Depend on $(libdl). + * stdlib/tst-makecontext.c (cf): Test if _Unwind_Backtrace + is not called infinitely times. + (backtrace_helper): New function. + (trace_arg): New struct. + (st1): Enlarge stack size. + * sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S: + (__makecontext_ret): Omit cfi_startproc and cfi_endproc. + * sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S: + Likewise. + +2016-04-28 Stefan Liebler + [BZ #18080] * sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S (__setcontext): Use SIG_SETMASK instead of SIG_BLOCK. -- cgit v1.1 From 5ae82aa4bf45cdaafeb1c25e09897eabff210de9 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Fri, 29 Apr 2016 09:33:07 +0200 Subject: glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir Previously, application code had to set up the d_namlen member if the target supported it, involving conditional compilation. After this change, glob will use the length of the string in d_name instead of d_namlen to determine the file name length. All glibc targets provide the d_type and d_ino members, and setting them as needed for gl_readdir is straightforward. Changing the behavior with regards to d_ino is left to a future cleanup. (cherry picked from commit 137fe72eca6923a00381a3ca9f0e7672c1f85e3f) --- ChangeLog | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index ac7f870..cb3db03 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,18 @@ +2016-04-29 Florian Weimer + + glob: Simplify and document the interface for the GLOB_ALTDIRFUNC + callback function gl_readdir. + * posix/glob.c (NAMELEN, CONVERT_D_NAMLEN): Remove. + (CONVERT_DIRENT_DIRENT64): Use strcpy instead of memcpy. + (glob_in_dir): Remove len. Use strdup instead of malloc and + memcpy to copy the name. + * manual/pattern.texi (Calling Glob): Document requirements for + implementations of the gl_readdir callback function. + * manual/examples/mkdirent.c: New example. + * posix/bug-glob2.c (my_readdir): Set d_ino to 1 unconditionally, + per the manual guidance. + * posix/tst-gnuglob.c (my_readdir): Likewise. + 2016-04-28 Stefan Liebler [BZ #18508] -- cgit v1.1 From e97fb84811238c627f93e5e703a11eb841601947 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Wed, 4 May 2016 12:09:35 +0200 Subject: CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779] Instead, we store the data we need from the return value of readdir in an object of the new type struct readdir_result. This type is independent of the layout of struct dirent. (cherry picked from commit 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea) --- ChangeLog | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index cb3db03..c55bff5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,24 @@ +2016-05-04 Florian Weimer + + [BZ #19779] + CVE-2016-1234 + Avoid copying names of directory entries. + * posix/glob.c (DIRENT_MUST_BE, DIRENT_MIGHT_BE_SYMLINK) + (DIRENT_MIGHT_BE_DIR, CONVERT_D_INO, CONVERT_D_TYPE) + (CONVERT_DIRENT_DIRENT64, REAL_DIR_ENTRY): Remove macros. + (struct readdir_result): New type. + (D_TYPE_TO_RESULT, D_INO_TO_RESULT, READDIR_RESULT_INITIALIZER) + (GL_READDIR): New macros. + (readdir_result_might_be_symlink, readdir_result_might_be_dir) + (convert_dirent, convert_dirent64): New functions. + (glob_in_dir): Use struct readdir_result. Call convert_dirent or + convert_dirent64. Adjust references to the readdir result. + * sysdeps/unix/sysv/linux/i386/glob64.c: + (convert_dirent, GL_READDIR): Redefine for second file inclusion. + * posix/bug-glob2.c (LONG_NAME): Define. + (filesystem): Add LONG_NAME. + (my_DIR): Increase the size of room_for_dirent. + 2016-04-29 Florian Weimer glob: Simplify and document the interface for the GLOB_ALTDIRFUNC -- cgit v1.1 From 762aafec34478bcef01a16acf1959732ab8bb2b6 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Fri, 29 Apr 2016 10:35:34 +0200 Subject: CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010] When converting a struct hostent response to struct gaih_addrtuple, the gethosts macro (which is called from gaih_inet) used alloca, without malloc fallback for large responses. This commit changes this code to use calloc unconditionally. This commit also consolidated a second hostent-to-gaih_addrtuple conversion loop (in gaih_inet) to use the new conversion function. (cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9) --- ChangeLog | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index c55bff5..671f2bf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2016-04-29 Florian Weimer + + [BZ #20010] + CVE-2016-3706 + * sysdeps/posix/getaddrinfo.c + (convert_hostent_to_gaih_addrtuple): New function. + (gethosts): Call convert_hostent_to_gaih_addrtuple. + (gaih_inet): Use convert_hostent_to_gaih_addrtuple to convert + AF_INET data. + 2016-05-04 Florian Weimer [BZ #19779] -- cgit v1.1 From c08e8bd0ef1d16d0139dbc80a976e2cbf2517f02 Mon Sep 17 00:00:00 2001 From: Carlos O'Donell Date: Tue, 16 Feb 2016 21:26:37 -0500 Subject: CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665). * A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control of execution flow in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family. The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response of a query writing beyond the alloca allocated buffer created by _nss_dns_gethostbyname4_r. Buffer management is simplified to remove the overflow. Thanks to the Google Security Team and Red Hat for reporting the security impact of this issue, and Robert Holiday of Ciena for reporting the related bug 18665. (CVE-2015-7547) See also: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca) --- ChangeLog | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 671f2bf..df32997 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,18 @@ +2016-02-15 Carlos O'Donell + + [BZ #18665] + * resolv/nss_dns/dns-host.c (gaih_getanswer_slice): Always set + *herrno_p. + (gaih_getanswer): Document functional behviour. Return tryagain + if any result is tryagain. + * resolv/res_query.c (__libc_res_nsearch): Set buffer size to zero + when freed. + * resolv/res_send.c: Add copyright text. + (__libc_res_nsend): Document that MAXPACKET is expected. + (send_vc): Document. Remove buffer reuse. + (send_dg): Document. Remove buffer reuse. Set *thisanssizp to set the + size of the buffer. Add Dprint for truncated UDP buffer. + 2016-04-29 Florian Weimer [BZ #20010] -- cgit v1.1 From 10d268070a8aa9a878668e7f060e92ed668de146 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Fri, 25 Mar 2016 11:49:51 +0100 Subject: resolv: Always set *resplen2 out parameter in send_dg [BZ #19791] Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement second fallback mode for DNS requests), there is a code path which returns early, before *resplen2 is initialized. This happens if the name server address is immediately recognized as invalid (because of lack of protocol support, or if it is a broadcast address such 255.255.255.255, or another invalid address). If this happens and *resplen2 was non-zero (which is the case if a previous query resulted in a failure), __libc_res_nquery would reuse an existing second answer buffer. This answer has been previously identified as unusable (for example, it could be an NXDOMAIN response). Due to the presence of a second answer, no name server switching will occur. The result is a name resolution failure, although a successful resolution would have been possible if name servers have been switched and queries had proceeded along the search path. The above paragraph still simplifies the situation. Before glibc 2.23, if the second answer needed malloc, the stub resolver would still attempt to reuse the second answer, but this is not possible because __libc_res_nsearch has freed it, after the unsuccessful call to __libc_res_nquerydomain, and set the buffer pointer to NULL. This eventually leads to an assertion failure in __libc_res_nquery: /* Make sure both hp and hp2 are defined */ assert((hp != NULL) && (hp2 != NULL)); If assertions are disabled, the consequence is a NULL pointer dereference on the next line. Starting with glibc 2.23, as a result of commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665)), the second answer is always allocated with malloc. This means that the assertion failure happens with small responses as well because there is no buffer to reuse, as soon as there is a name resolution failure which triggers a search for an answer along the search path. This commit addresses the issue by ensuring that *resplen2 is initialized before the send_dg function returns. This commit also addresses a bug where an invalid second reply is incorrectly returned as a valid to the caller. (cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577) --- ChangeLog | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index df32997..f9a9e33 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2016-03-25 Florian Weimer + + [BZ #19791] + * resolv/res_send.c (close_and_return_error): New function. + (send_dg): Initialize *resplen2 after reopen failure. Call + close_and_return_error for error returns. On error paths without + __res_iclose, initialze *resplen2 explicitly. Update comment for + successful return. + 2016-02-15 Carlos O'Donell [BZ #18665] -- cgit v1.1 From ce92632d1297d032e5781cfa077e300f5c167471 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 23 May 2016 20:18:34 +0200 Subject: CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112] The call is technically in a loop, and under certain circumstances (which are quite difficult to reproduce in a test case), alloca can be invoked repeatedly during a single call to clntudp_call. As a result, the available stack space can be exhausted (even though individual alloca sizes are bounded implicitly by what can fit into a UDP packet, as a side effect of the earlier successful send operation). (cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c) --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index f9a9e33..fb2d7ff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2016-05-23 Florian Weimer + + CVE-2016-4429 + [BZ #20112] + * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error + payload. + 2016-03-25 Florian Weimer [BZ #19791] -- cgit v1.1 From 1a43fd3240c587b403240cf316d241f91ce50d8f Mon Sep 17 00:00:00 2001 From: Leonhard Holz Date: Tue, 13 Jan 2015 11:33:56 +0530 Subject: Fix memory handling in strxfrm_l [BZ #16009] [Modified from the original email by Siddhesh Poyarekar] This patch solves bug #16009 by implementing an additional path in strxfrm that does not depend on caching the weight and rule indices. In detail the following changed: * The old main loop was factored out of strxfrm_l into the function do_xfrm_cached to be able to alternativly use the non-caching version do_xfrm. * strxfrm_l allocates a a fixed size array on the stack. If this is not sufficiant to store the weight and rule indices, the non-caching path is taken. As the cache size is not dependent on the input there can be no problems with integer overflows or stack allocations greater than __MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the definition of strxfrm does not allow an oom errorhandling. * The uncached path determines the weight and rule index for every char and for every pass again. * Passing all the locale data array by array resulted in very long parameter lists, so I introduced a structure that holds them. * Checking for zero src string has been moved a bit upwards, it is before the locale data initialization now. * To verify that the non-caching path works correct I added a test run to localedata/sort-test.sh & localedata/xfrm-test.c where all strings are patched up with spaces so that they are too large for the caching path. (cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa) Conflicts: NEWS string/strxfrm_l.c --- ChangeLog | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index fb2d7ff..53e173f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,19 @@ +2016-07-11 Leonhard Holz + + [BZ #16009] + * string/strxfrm_l.c (STRXFRM): Allocate fixed size cache for + weights and rules. Use do_xfrm_cached if data fits in cache, + do_xfrm otherwise. Moved former main loop to... + * (do_xfrm_cached): New function. + * (do_xfrm): Non-caching version of do_xfrm_cached. Uses + find_idx, find_position and stack_push. + * (find_idx): New function. + * (find_position): Likewise. + * localedata/sort-test.sh: Added test run for do_xfrm. + * localedata/xfrm-test.c (main): Added command line option + -nocache to run the test with strings that are too large for + the STRXFRM cache. + 2016-05-23 Florian Weimer CVE-2016-4429 -- cgit v1.1 From dea992adae5ff1194d7e49b698424eba741df62a Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Thu, 15 Oct 2015 09:23:07 +0200 Subject: Always enable pointer guard [BZ #18928] Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode has security implications. This commit enables pointer guard unconditionally, and the environment variable is now ignored. [BZ #18928] * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove _dl_pointer_guard member. * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard initializer. (security_init): Always set up pointer guard. (process_envvars): Do not process LD_POINTER_GUARD. (cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7) Conflicts: NEWS --- ChangeLog | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 53e173f..f0bd736 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2016-07-11 Florian Weimer + + [BZ #18928] + * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove + _dl_pointer_guard member. + * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard + initializer. + (security_init): Always set up pointer guard. + (process_envvars): Do not process LD_POINTER_GUARD. + 2016-07-11 Leonhard Holz [BZ #16009] -- cgit v1.1 From 66986dec455c2011085a04b72a5bd55d9f9c7d1c Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Tue, 6 Oct 2015 13:12:36 +0200 Subject: Harden tls_dtor_list with pointer mangling [BZ #19018] (cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549) Conflicts: NEWS stdlib/cxa_thread_atexit_impl.c --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index f0bd736..5d3bc8f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ 2016-07-11 Florian Weimer + [BZ #19018] + * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl): + Mangle function pointer before storing it. + (__call_tls_dtors): Demangle function pointer before calling it. + +2016-07-11 Florian Weimer + [BZ #18928] * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove _dl_pointer_guard member. -- cgit v1.1