From: "akuster" <akuster808@gmail.com>
To: Zhixiong Chi <zhixiong.chi@windriver.com>,
	openembedded-core@lists.openembedded.org
Subject: Re: [ZEUS][OE-core][PATCH] glibc: CVE-2020-1751
Date: Mon, 20 Apr 2020 19:31:09 -0700	[thread overview]
Message-ID: <ff30484f-76fc-544b-0dc7-2cbf0631cf00@gmail.com> (raw)
In-Reply-To: <20200420095802.15290-1-zhixiong.chi@windriver.com>

On 4/20/20 2:58 AM, Zhixiong Chi wrote:
> Backport the CVE patch from upstream:
> git://sourceware.org/git/glibc.git
> commit d93769405996dfc11d216ddbe415946617b5a494

Is Dunfell or Master affected?

- armin
>
> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> ---
>  .../glibc/glibc/CVE-2020-1751.patch           | 70 +++++++++++++++++++
>  meta/recipes-core/glibc/glibc_2.30.bb         |  1 +
>  2 files changed, 71 insertions(+)
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
> new file mode 100644
> index 0000000000..0ed92d50e9
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch
> @@ -0,0 +1,70 @@
> +From d93769405996dfc11d216ddbe415946617b5a494 Mon Sep 17 00:00:00 2001
> +From: Andreas Schwab <schwab@suse.de>
> +Date: Mon, 20 Jan 2020 17:01:50 +0100
> +Subject: [PATCH] Fix array overflow in backtrace on PowerPC (bug 25423)
> +
> +When unwinding through a signal frame the backtrace function on PowerPC
> +didn't check array bounds when storing the frame address.  Fixes commit
> +d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
> +
> +CVE: CVE-2020-1751
> +Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
> +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> +---
> + debug/tst-backtrace5.c                | 12 ++++++++++++
> + sysdeps/powerpc/powerpc32/backtrace.c |  2 ++
> + sysdeps/powerpc/powerpc64/backtrace.c |  2 ++
> + 3 files changed, 16 insertions(+)
> +
> +diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
> +index e7ce410845..b2f46160e7 100644
> +--- a/debug/tst-backtrace5.c
> ++++ b/debug/tst-backtrace5.c
> +@@ -89,6 +89,18 @@ handle_signal (int signum)
> +       }
> +   /* Symbol names are not available for static functions, so we do not
> +      check do_test.  */
> ++
> ++  /* Check that backtrace does not return more than what fits in the array
> ++     (bug 25423).  */
> ++  for (int j = 0; j < NUM_FUNCTIONS; j++)
> ++    {
> ++      n = backtrace (addresses, j);
> ++      if (n > j)
> ++	{
> ++	  FAIL ();
> ++	  return;
> ++	}
> ++    }
> + }
> + 
> + NO_INLINE int
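Review bot: the check added to handle_signal only asserts that `n > j` never happens, so it catches the one-past-the-end case from bug 25423 but not the opposite regression, where a `break` taken too early drops frames that would still fit; a second check that `n` equals the full-array count for every `j` at or above that count would pin the fix down from both sides. A short comment that the loop runs inside the signal handler on purpose would also help, since the signal-trampoline branch is the only path the two backtrace.c changes touch.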
> +diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
> +index 7c2d4726f8..d1456c8ae4 100644
> +--- a/sysdeps/powerpc/powerpc32/backtrace.c
> ++++ b/sysdeps/powerpc/powerpc32/backtrace.c
> +@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
> +         }
> +       if (gregset)
> + 	{
> ++	  if (count + 1 == size)
> ++	    break;
> + 	  array[++count] = (void*)((*gregset)[PT_NIP]);
> + 	  current = (void*)((*gregset)[PT_R1]);
> + 	}
> +diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
> +index 65c260ab76..8a53a1088f 100644
> +--- a/sysdeps/powerpc/powerpc64/backtrace.c
> ++++ b/sysdeps/powerpc/powerpc64/backtrace.c
> +@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
> +       if (is_sigtramp_address (current->return_address))
> +         {
> + 	  struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
> ++	  if (count + 1 == size)
> ++	    break;
> +           array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
> + 	  current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
> + 	}
> +-- 
> +2.23.0
> +
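Review bot: the guard `if (count + 1 == size) break;` placed before `array[++count] = ...` stops the store at index `size` in both the powerpc32 and powerpc64 copies, but it is an equality test; that is safe only while the enclosing loop keeps `count < size` on entry, an invariant the hunk context does not show. Writing it as `count + 1 >= size` would cost nothing and not depend on it. The two sites are now identical but unlabelled, so a comment naming bug 25423 at each (as the test file does) would keep them from drifting apart.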
> diff --git a/meta/recipes-core/glibc/glibc_2.30.bb b/meta/recipes-core/glibc/glibc_2.30.bb
> index c9e44a396d..84a6538ea1 100644
> --- a/meta/recipes-core/glibc/glibc_2.30.bb
> +++ b/meta/recipes-core/glibc/glibc_2.30.bb
> @@ -43,6 +43,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
>             file://0028-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
>             file://CVE-2019-19126.patch \
>             file://CVE-2020-10029.patch \
> +           file://CVE-2020-1751.patch \
>             "
>  S = "${WORKDIR}/git"
>  B = "${WORKDIR}/build-${TARGET_SYS}"
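Review bot: the SRC_URI addition itself is fine; the open item before merging is the question above about Dunfell and master, because the patch file's Upstream-Status names only the repository and not which released glibc version carries commit d93769405996, so the recipe change does not tell a reader whether newer branches still need it.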
>
> 

Thread overview: 3+ messages
2020-04-20  9:58 [ZEUS][OE-core][PATCH] glibc: CVE-2020-1751 Zhixiong Chi
2020-04-21  2:31 ` akuster [this message]
2020-04-21  4:21   ` Khem Raj