From: akuster808 <akuster808@gmail.com>
To: Sona Sarmadi <sona.sarmadi@enea.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [PATCH][dizzy 1/6] glibc/wscanf: CVE-2015-1472
Date: Thu, 17 Dec 2015 08:35:25 -0800 [thread overview]
Message-ID: <5672E44D.9000900@gmail.com> (raw)
In-Reply-To: <1450095853-48305-1-git-send-email-sona.sarmadi@enea.com>
all in series merged to staging.
git@git.yoctoproject.org/poky-contrib.git akuster/dizzy-next
thanks,
Armin
On 12/14/2015 04:24 AM, Sona Sarmadi wrote:
> Fixes a heap buffer overflow in glibc wscanf.
>
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
> https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
> http://openwall.com/lists/oss-security/2015/02/04/1
>
> Reference to upstream fix:
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
>
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
> ---
> ...5-1472-wscanf-allocates-too-little-memory.patch | 108 +++++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.20.bb | 1 +
> 2 files changed, 109 insertions(+)
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> new file mode 100644
> index 0000000..ab513aa
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> @@ -0,0 +1,108 @@
> +CVE-2015-1472: wscanf allocates too little memory
> +
> +BZ #16618
> +
> +Under certain conditions wscanf can allocate too little memory for the
> +to-be-scanned arguments and overflow the allocated buffer. The
> +implementation now correctly computes the required buffer size when
> +using malloc.
> +
> +A regression test was added to tst-sscanf.
> +
> +Upstream-Status: Backport
> +
> +The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
> +[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
> +
> +diff -ruN a/ChangeLog b/ChangeLog
> +--- a/ChangeLog 2015-09-22 10:20:14.399408389 +0200
> ++++ b/ChangeLog 2015-09-22 10:33:07.374388595 +0200
> +@@ -1,3 +1,12 @@
> ++2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
> ++
> ++ [BZ #16618] CVE-2015-1472
> ++ * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
> ++ * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
> ++ size in bytes. Store needed elements in wpmax. Use needed size
> ++ in bytes for extend_alloca.
> ++
> ++
> + 2014-12-16 Florian Weimer <fweimer@redhat.com>
> +
> + [BZ #17630]
> +diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
> +--- a/stdio-common/tst-sscanf.c 2015-09-22 10:20:09.995596201 +0200
> ++++ b/stdio-common/tst-sscanf.c 2015-09-22 10:21:39.211791399 +0200
> +@@ -233,5 +233,38 @@
> + }
> + }
> +
> ++ /* BZ #16618
> ++ The test will segfault during SSCANF if the buffer overflow
> ++ is not fixed. The size of `s` is such that it forces the use
> ++ of malloc internally and this triggers the incorrect computation.
> ++ Thus the value for SIZE is arbitrariy high enough that malloc
> ++ is used. */
> ++ {
> ++#define SIZE 131072
> ++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
> ++ if (s == NULL)
> ++ abort ();
> ++ for (size_t i = 0; i < SIZE; i++)
> ++ s[i] = L('0');
> ++ s[SIZE] = L('\0');
> ++ int i = 42;
> ++ /* Scan multi-digit zero into `i`. */
> ++ if (SSCANF (s, L("%d"), &i) != 1)
> ++ {
> ++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
> ++ result = 1;
> ++ }
> ++ if (i != 0)
> ++ {
> ++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
> ++ result = 1;
> ++ }
> ++ free (s);
> ++ if (result != 1)
> ++ printf ("PASS: bug16618: Did not crash.\n");
> ++#undef SIZE
> ++ }
> ++
> ++
> + return result;
> + }
> +diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
> +--- a/stdio-common/vfscanf.c 2015-09-22 10:20:14.051423230 +0200
> ++++ b/stdio-common/vfscanf.c 2015-09-22 10:21:39.215791228 +0200
> +@@ -279,9 +279,10 @@
> + if (__glibc_unlikely (wpsize == wpmax)) \
> + { \
> + CHAR_T *old = wp; \
> +- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
> +- ? UCHAR_MAX + 1 : 2 * wpmax); \
> +- if (use_malloc || !__libc_use_alloca (newsize)) \
> ++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
> ++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \
> ++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \
> ++ if (!__libc_use_alloca (newsize)) \
> + { \
> + wp = realloc (use_malloc ? wp : NULL, newsize); \
> + if (wp == NULL) \
> +@@ -293,14 +294,13 @@
> + } \
> + if (! use_malloc) \
> + MEMCPY (wp, old, wpsize); \
> +- wpmax = newsize; \
> ++ wpmax = wpneed; \
> + use_malloc = true; \
> + } \
> + else \
> + { \
> + size_t s = wpmax * sizeof (CHAR_T); \
> +- wp = (CHAR_T *) extend_alloca (wp, s, \
> +- newsize * sizeof (CHAR_T)); \
> ++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \
> + wpmax = s / sizeof (CHAR_T); \
> + if (old != NULL) \
> + MEMCPY (wp, old, wpsize); \
> diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
> index a0736cd..cfbc1c2 100644
> --- a/meta/recipes-core/glibc/glibc_2.20.bb
> +++ b/meta/recipes-core/glibc/glibc_2.20.bb
> @@ -48,6 +48,7 @@ CVEPATCHES = "\
> file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
> file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
> file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
> + file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
> "
> LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
> file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>
prev parent reply other threads:[~2015-12-17 16:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-14 12:24 [PATCH][dizzy 1/6] glibc/wscanf: CVE-2015-1472 Sona Sarmadi
2015-12-14 12:24 ` [PATCH][dizzy 2/6] libxml2: CVE-2015-7942 Sona Sarmadi
2015-12-14 12:24 ` [PATCH][dizzy 3/6] unzip: CVE-2015-7696, CVE-2015-7697 Sona Sarmadi
2015-12-14 12:24 ` [PATCH][dizzy 4/6] grep2.19: CVE-2015-1345 Sona Sarmadi
2015-12-14 12:24 ` [PATCH][dizzy 5/6] libxml2: CVE-2015-8035 Sona Sarmadi
2015-12-14 12:24 ` [PATCH][dizzy 6/6] libxml2: CVE-2015-8241 Sona Sarmadi
2015-12-15 0:52 ` [PATCH][dizzy 1/6] glibc/wscanf: CVE-2015-1472 Khem Raj
2015-12-17 16:35 ` akuster808 [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5672E44D.9000900@gmail.com \
--to=akuster808@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=sona.sarmadi@enea.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.