Age  Commit message  Author  Files  Lines
2016-04-22  resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]  (release/2.18/master)  Florian Weimer  3 files, -24/+51
Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement second fallback mode for DNS requests), there is a code path which returns early, before *resplen2 is initialized. This happens if the name server address is immediately recognized as invalid (because of lack of protocol support, or if it is a broadcast address such as 255.255.255.255, or another invalid address).

If this happens and *resplen2 was non-zero (which is the case if a previous query resulted in a failure), __libc_res_nquery would reuse an existing second answer buffer. This answer has been previously identified as unusable (for example, it could be an NXDOMAIN response). Due to the presence of a second answer, no name server switching will occur. The result is a name resolution failure, although a successful resolution would have been possible if name servers had been switched and queries had proceeded along the search path.

The above paragraph still simplifies the situation. Before glibc 2.23, if the second answer needed malloc, the stub resolver would still attempt to reuse the second answer, but this is not possible because __libc_res_nsearch has freed it, after the unsuccessful call to __libc_res_nquerydomain, and set the buffer pointer to NULL. This eventually leads to an assertion failure in __libc_res_nquery:

  /* Make sure both hp and hp2 are defined */
  assert((hp != NULL) && (hp2 != NULL));

If assertions are disabled, the consequence is a NULL pointer dereference on the next line.

Starting with glibc 2.23, as a result of commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665)), the second answer is always allocated with malloc. This means that the assertion failure happens with small responses as well because there is no buffer to reuse, as soon as there is a name resolution failure which triggers a search for an answer along the search path.

This commit addresses the issue by ensuring that *resplen2 is initialized before the send_dg function returns. This commit also addresses a bug where an invalid second reply is incorrectly returned as valid to the caller.

(cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)
2016-04-22  Fix invalid file descriptor reuse while sending DNS query (BZ #15946)  Andreas Schwab  3 files, -2/+9
(cherry picked from commit 45af2f6fe19b8a776373cac5a2691460179aa1a3)
2016-04-22  CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).  Carlos O'Donell  5 files, -64/+343
* A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control of execution flow in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family. The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response of a query writing beyond the alloca allocated buffer created by _nss_dns_gethostbyname4_r. Buffer management is simplified to remove the overflow. Thanks to the Google Security Team and Red Hat for reporting the security impact of this issue, and Robert Holiday of Ciena for reporting the related bug 18665. (CVE-2015-7547)

See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html

(cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)
2015-12-31  Fix memory handling in strxfrm_l [BZ #16009]  Leonhard Holz  5 files, -104/+473
[Modified from the original email by Siddhesh Poyarekar]

This patch solves bug #16009 by implementing an additional path in strxfrm that does not depend on caching the weight and rule indices. In detail the following changed:

* The old main loop was factored out of strxfrm_l into the function do_xfrm_cached to be able to alternatively use the non-caching version do_xfrm.
* strxfrm_l allocates a fixed size array on the stack. If this is not sufficient to store the weight and rule indices, the non-caching path is taken. As the cache size is not dependent on the input there can be no problems with integer overflows or stack allocations greater than __MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the definition of strxfrm does not allow an oom error handling.
* The uncached path determines the weight and rule index for every char and for every pass again.
* Passing all the locale data array by array resulted in very long parameter lists, so I introduced a structure that holds them.
* Checking for zero src string has been moved a bit upwards, it is before the locale data initialization now.
* To verify that the non-caching path works correctly I added a test run to localedata/sort-test.sh & localedata/xfrm-test.c where all strings are patched up with spaces so that they are too large for the caching path.

(cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa)

Conflicts:
	NEWS
	string/strxfrm_l.c
2015-12-30  Fix BZ #17269 -- _IO_wstr_overflow integer overflow  Paul Pluzhnikov  3 files, -2/+14
(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)

Conflicts:
	NEWS
2015-12-30  Fix read past end of pattern in fnmatch (bug 18032)  Andreas Schwab  4 files, -4/+42
(cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)

Conflicts:
	NEWS
	posix/tst-fnmatch3.c
2015-12-30  Harden tls_dtor_list with pointer mangling [BZ #19018]  Florian Weimer  3 files, -3/+18
(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)

Conflicts:
	NEWS
	stdlib/cxa_thread_atexit_impl.c
2015-12-30  Always enable pointer guard [BZ #18928]  Florian Weimer  4 files, -15/+18
Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode has security implications. This commit enables pointer guard unconditionally, and the environment variable is now ignored.

	[BZ #18928]
	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove _dl_pointer_guard member.
	* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard initializer.
	(security_init): Always set up pointer guard.
	(process_envvars): Do not process LD_POINTER_GUARD.

(cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)

Conflicts:
	NEWS
2014-06-03  Fixed pthread_spin_lock on sparc32/64 (bug 16882)  Guo Yixuan  6 files, -6/+126
	[BZ #16882]
	* nptl/sysdeps/sparc/sparc32/pthread_spin_lock.S (pthread_spin_lock): Branch out of spin loop to proper location.
	* nptl/sysdeps/sparc/sparc64/pthread_spin_lock.S (pthread_spin_lock): Likewise.
	* nptl/tst-spin4.c: New test.
	* nptl/Makefile (tests): Add tst-spin4.
2014-05-17  Fix sparc memcpy data corruption when using niagara2 optimized routines.  Jose E. Marchesi  3 files, -1/+8
* sysdeps/sparc/sparc64/multiarch/memcpy-niagara2.S: Add missing membar to avoid block loads/stores to overlap previous stores.
2014-05-16  SPARC: add prlimit and prlimit64 in <bits/resource.h> (BZ #16943)  Aurelien Jarno  3 files, -1/+35
prlimit and prlimit64 have been added in the main <bits/resource.h>, but not in the SPARC specific version. Fix that. Note: this is Debian bug#703559, reported by Emilio Pozuelo Monfort <pochu@debian.org> (cherry picked from commit d16e6ec7ca2c861ba681e3a2fbd431725774292e)
2014-05-07  SPARC: add EFD_SEMAPHORE in <bits/eventfd.h> (BZ #16916)  Aurelien Jarno  3 files, -1/+9
EFD_SEMAPHORE has been added in the main <bits/eventfd.h>, but not in the SPARC specific version. Fix that. (cherry picked from commit 83df9ad0cc861ef24f08a88c5a4c055e2516d33c)
2014-05-01  NEWS: Add 16885 to fixed bug list.  David S. Miller  1 file, -1/+1
2014-05-01  Fix v9/64-bit strcmp when string ends in multiple zero bytes.  David S. Miller  3 files, -0/+69
	[BZ #16885]
	* sysdeps/sparc/sparc64/strcmp.S: Fix end comparison handling when multiple zero bytes exist at the end of a string.
	Reported by Aurelien Jarno <aurelien@aurel32.net>
	* string/test-strcmp.c (check): Add explicit test for situations where there are multiple zero bytes after the first.
2014-01-29  Disable x87 inline functions for SSE2 math  H.J. Lu  3 files, -4/+10
When i386 and x86-64 mathinline.h was merged into a single mathinline.h, "gcc -m32" enables x87 inline functions on x86-64 even when -mfpmath=sse and SSE2 is enabled. It is a regression on x86-64. We should check __SSE2_MATH__ instead of __x86_64__ when disabling x87 inline functions.

(cherry picked from commit 409e00bd69b8d8dd74d7327085351d26769ea6fc)

Conflicts:
	ChangeLog
	NEWS
2014-01-21  [AArch64] BZ #16169 Add CFI directives to clone.S  Tom Tromey  3 files, -2/+13
[BZ #16169] Add CFI directives to the AArch64 clone.S implementation and ensure that the FP in the child is zeroed in order to comply with AAPCS.

(cherry picked from commit 3a3acb6afc753475675b5724f206e619d0c9590d)

Conflicts:
	NEWS
2014-01-20  Include generic symbol-hacks.h for x32  H.J. Lu  2 files, -1/+6
In BZ #15605 fix with adding memset/memmove alias in symbol-hacks.h, x32 symbol-hacks.h change was missing. Fixed by including <sysdeps/generic/symbol-hacks.h> in x32 symbol-hacks.h.
2014-01-07  [AArch64] Fix FP_ROUNDMODE.  Marcus Shawcroft  4 files, -2/+12
[BZ #16387] Fix FP_ROUNDMODE to extract the correct bits from FPCR.

Conflicts:
	NEWS
2014-01-07  [AArch64] Fix CFA adjustment on dynamic linker entry.  Marcus Shawcroft  2 files, -1/+6
2014-01-05  Fix race in free() of fastbin chunk: BZ #15073  Maxim Kuvyrkov  3 files, -9/+20
Perform sanity check only if we have_lock. Due to lockless nature of fastbins we need to be careful dereferencing pointers to fastbin entries (chunksize(old) in this case) in multithreaded environments. The fix is to add have_lock to the if-condition checks. The rest of the patch only makes code more readable.

	* malloc/malloc.c (_int_free): Perform sanity check only if we have_lock.

Conflicts:
	ChangeLog
	NEWS
2013-12-19  [AArch64] Save and restore q0-q7 on entry to dynamic linker.  Marcus Shawcroft  3 files, -5/+31
[BZ #15128] Ensure all argument passing registers are saved and restored on entry to dynamic linker.

(cherry picked from commit 9dbebe1a67bbedfcb39c6b739f15bc639e8d40a2)

Conflicts:
	NEWS
2013-11-17  alpha: Fix signal thunk unwind info  Richard Henderson  2 files, -4/+19
2013-11-12  Fix sparc 64-bit GMP ifunc resolution in static builds.  David S. Miller  7 files, -6/+16
	[BZ #16150]
	* sysdeps/sparc/sparc64/multiarch/add_n.S: Resolve to the correct generic symbol in the non-vis3 case in static builds.
	* sysdeps/sparc/sparc64/multiarch/addmul_1.S: Likewise.
	* sysdeps/sparc/sparc64/multiarch/mul_1.S: Likewise.
	* sysdeps/sparc/sparc64/multiarch/sub_n.S: Likewise.
	* sysdeps/sparc/sparc64/multiarch/submul_1.S: Likewise.
2013-11-07  Fix build on pre-v9 32-bit Sparc.  David S. Miller  3 files, -2/+9
We cannot use fnegd in this code, as fnegd was added in v9. Only fnegs exists in v8 and earlier.

	[BZ #15985]
	* sysdeps/sparc/sparc32/fpu/s_fdim.S (__fdim): Do not use fnegd on pre-v9 cpus, use a fnegs+fmovs sequence instead.
2013-10-03  Fix PI mutex check in pthread_cond_broadcast and pthread_cond_signal  Siddhesh Poyarekar  4 files, -11/+12
Fixes BZ #15996. The check had a typo - it checked for PTHREAD_MUTEX_ROBUST_NP instead of PTHREAD_MUTEX_ROBUST_NORMAL_NP. It has now been replaced by the already existing convenience macro USE_REQUEUE_PI.
2013-09-06  Update Chinese (traditional) translations.  David S. Miller  2 files, -941/+980
* po/zh_TW.po: Update Chinese (traditional) translation from translation project.
2013-08-30  ARM: Fix clone code when built for Thumb.  Will Newton  3 files, -2/+14
The mov lr, pc instruction will lose the Thumb bit from the return address so use blx lr instead.

ports/ChangeLog.arm:

2013-08-30  Will Newton  <will.newton@linaro.org>

	[BZ #15909]
	* sysdeps/unix/sysv/linux/arm/clone.S (__clone): Use blx instead of mov lr, pc.

(cherry picked from commit 6b06ac56cdfc9293908724e51e827534e97819aa)
2013-08-23  Add Ukrainian translations.  David S. Miller  2 files, -0/+7152
* po/uk.po: Add Ukrainian translations from translation project.
2013-08-22  Update Catalan translations.  David S. Miller  2 files, -934/+972
* po/ca.po: Update Catalan translation from translation project.
2013-08-10  Update version.h and include/features.h for 2.18 release.  (glibc-2.18)  David S. Miller  2 files, -3/+3
2013-08-06  Fix typo in ChangeLog  Andreas Schwab  1 file, -1/+1
2013-08-03  Update Korean translations.  David S. Miller  2 files, -1143/+1342
* po/ko.po: Update Korean translation from translation project.
2013-08-01  Update manual/contrib.texi  David S. Miller  2 files, -1/+21
* manual/contrib.texi: Update entry for Siddhesh Poyarekar. Add entries for Will Newton, Andi Kleen, David Holsgrove, and Ondrej Bilka.
2013-07-30  Update French translations.  David S. Miller  2 files, -934/+972
* po/fr.po: Update French translation from translation project.
2013-07-28  Update Czech translations.  David S. Miller  2 files, -937/+972
* po/cs.po: Update Czech translation from translation project.
2013-07-28  Update Swedish translations.  David S. Miller  2 files, -935/+973
* po/sv.po: Update Swedish translation from translation project.
2013-07-27  Update Esperanto translations.  David S. Miller  2 files, -1020/+1054
* po/eo.po: Update Esperanto translation from translation project.
2013-07-27  Update Vietnamese translations.  David S. Miller  2 files, -992/+1029
* po/vi.po: Update Vietnamese translation from translation project.
2013-07-27  Update German translations.  David S. Miller  2 files, -933/+971
* po/de.po: Update German translation from translation project.
2013-07-26  Update Bulgarian translations.  David S. Miller  2 files, -946/+982
* po/bg.po: Update Bulgarian translation from translation project.
2013-07-26  Update Dutch, Polish, and Russian translations.  David S. Miller  4 files, -2819/+2927
	* po/nl.po: Update Dutch translation from translation project.
	* po/pl.po: Update Polish translation from translation project.
	* po/ru.po: Update Russian translation from translation project.
2013-07-26  [AArch64] Provide symbol version for _mcount.  Marcus Shawcroft  5 files, -0/+81
2013-07-25  Update libc.pot in preparation for giving tarball to translation project.  David S. Miller  2 files, -930/+968
* po/libc.pot: Update.
2013-07-25  Added NEWS entries for AT_HWCAP2 and POWER8 enablement.  Ryan S. Arnold  1 file, -0/+5
2013-07-23  hppa: Regenerate libm-test-ulps.  Carlos O'Donell  2 files, -0/+43
2013-07-23  Remove Linux kernel version ambiguity in comment added by previous commit.  David S. Miller  2 files, -2/+6
* tst-cancel4.c (WRITE_BUFFER_SIZE): Adjust comment.
2013-07-23  PowerPC: use _dl_static_init to set GLRO(gl_pagesize)  Adhemerval Zanella  5 files, -0/+137
This patch fixes dlfcn/tststatic5 for PowerPC where pagesize variable was not properly initialized in certain cases. This patch is based on other architecture code.
2013-07-23  Increase nptl test case buffer size so we really block on current Linux kernels.  David S. Miller  2 files, -1/+28
* tst-cancel4.c (WRITE_BUFFER_SIZE): Increase to 16384.
2013-07-22  tile BZ #15759: Fix bug in _dl_unmap  Chris Metcalf  3 files, -4/+17
We returned without calling __munmap if not in the simulator. Now we call a separate sim_dlclose() function to make the control flow work correctly.
2013-07-22  S/390: ULPs update.  Andreas Krebbel  2 files, -141/+6289