To: Sona Sarmadi, openembedded-core@lists.openembedded.org
References: <1450095853-48305-1-git-send-email-sona.sarmadi@enea.com>
From: akuster808
Message-ID: <5672E44D.9000900@gmail.com>
Date: Thu, 17 Dec 2015 08:35:25 -0800
In-Reply-To: <1450095853-48305-1-git-send-email-sona.sarmadi@enea.com>
Subject: Re: [PATCH][dizzy 1/6] glibc/wscanf: CVE-2015-1472

All in series merged to staging.
git@git.yoctoproject.org/poky-contrib.git akuster/dizzy-next

thanks,
Armin

On 12/14/2015 04:24 AM, Sona Sarmadi wrote:
> Fixes a heap buffer overflow in glibc wscanf.
>
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
> https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
> http://openwall.com/lists/oss-security/2015/02/04/1
>
> Reference to upstream fix:
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
>
> Signed-off-by: Sona Sarmadi
> Signed-off-by: Tudor Florea
> ---
> ...5-1472-wscanf-allocates-too-little-memory.patch | 108 +++++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.20.bb | 1 +
> 2 files changed, 109 insertions(+)
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> new file mode 100644
> index 0000000..ab513aa
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> @@ -0,0 +1,108 @@ > +CVE-2015-1472: wscanf allocates too little memory > + > +BZ #16618 > + > +Under certain conditions wscanf can allocate too little memory for the > +to-be-scanned arguments and overflow the allocated buffer. The > +implementation now correctly computes the required buffer size when > +using malloc. > + > +A regression test was added to tst-sscanf. > + > +Upstream-Status: Backport > + > +The patch is from (Paul Pluzhnikov ): > +[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06] > + > +diff -ruN a/ChangeLog b/ChangeLog > +--- a/ChangeLog 2015-09-22 10:20:14.399408389 +0200 > ++++ b/ChangeLog 2015-09-22 10:33:07.374388595 +0200 > +@@ -1,3 +1,12 @@ > ++2015-02-05 Paul Pluzhnikov > ++ > ++ [BZ #16618] CVE-2015-1472 > ++ * stdio-common/tst-sscanf.c (main): Test for buffer overflow. > ++ * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed > ++ size in bytes. Store needed elements in wpmax. Use needed size > ++ in bytes for extend_alloca. > ++ > ++ > + 2014-12-16 Florian Weimer > + > + [BZ #17630] > +diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c > +--- a/stdio-common/tst-sscanf.c 2015-09-22 10:20:09.995596201 +0200 > ++++ b/stdio-common/tst-sscanf.c 2015-09-22 10:21:39.211791399 +0200 > +@@ -233,5 +233,38 @@ > + } > + } > + > ++ /* BZ #16618 > ++ The test will segfault during SSCANF if the buffer overflow > ++ is not fixed. The size of `s` is such that it forces the use > ++ of malloc internally and this triggers the incorrect computation. > ++ Thus the value for SIZE is arbitrariy high enough that malloc > ++ is used. */ > ++ { > ++#define SIZE 131072 > ++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s)); > ++ if (s == NULL) > ++ abort (); > ++ for (size_t i = 0; i < SIZE; i++) > ++ s[i] = L('0'); > ++ s[SIZE] = L('\0'); > ++ int i = 42; > ++ /* Scan multi-digit zero into `i`. 
*/ > ++ if (SSCANF (s, L("%d"), &i) != 1) > ++ { > ++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n"); > ++ result = 1; > ++ } > ++ if (i != 0) > ++ { > ++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n"); > ++ result = 1; > ++ } > ++ free (s); > ++ if (result != 1) > ++ printf ("PASS: bug16618: Did not crash.\n"); > ++#undef SIZE > ++ } > ++ > ++ > + return result; > + } > +diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c > +--- a/stdio-common/vfscanf.c 2015-09-22 10:20:14.051423230 +0200 > ++++ b/stdio-common/vfscanf.c 2015-09-22 10:21:39.215791228 +0200 > +@@ -279,9 +279,10 @@ > + if (__glibc_unlikely (wpsize == wpmax)) \ > + { \ > + CHAR_T *old = wp; \ > +- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \ > +- ? UCHAR_MAX + 1 : 2 * wpmax); \ > +- if (use_malloc || !__libc_use_alloca (newsize)) \ > ++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \ > ++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \ > ++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \ > ++ if (!__libc_use_alloca (newsize)) \ > + { \ > + wp = realloc (use_malloc ? wp : NULL, newsize); \ > + if (wp == NULL) \ > +@@ -293,14 +294,13 @@ > + } \ > + if (! use_malloc) \ > + MEMCPY (wp, old, wpsize); \ > +- wpmax = newsize; \ > ++ wpmax = wpneed; \ > + use_malloc = true; \ > + } \ > + else \ > + { \ > + size_t s = wpmax * sizeof (CHAR_T); \ > +- wp = (CHAR_T *) extend_alloca (wp, s, \ > +- newsize * sizeof (CHAR_T)); \ > ++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \ > + wpmax = s / sizeof (CHAR_T); \ > + if (old != NULL) \ > + MEMCPY (wp, old, wpsize); \ > diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb > index a0736cd..cfbc1c2 100644 > --- a/meta/recipes-core/glibc/glibc_2.20.bb > +++ b/meta/recipes-core/glibc/glibc_2.20.bb 
> @@ -48,6 +48,7 @@ CVEPATCHES = "\ > file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \ > file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \ > file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \ > + file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \ > " > LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ > file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ >
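Review bot: the header of the new .patch file (the `@@ -0,0 +1,108 @@` hunk) carries `Upstream-Status: Backport` and the upstream commit URL but no `Signed-off-by:` line for the person who did the backport; OE-Core expects Signed-off-by in the patch header next to Upstream-Status, so add it there rather than only in the commit message. The name in `The patch is from (Paul Pluzhnikov ):` has also lost its address; restore it or drop the empty parenthesis.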
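Review bot: the ChangeLog hunk leaves two empty `+` lines between the new 2015-02-05 entry and the existing `2014-12-16 Florian Weimer` entry (the two consecutive `> ++` lines before it); glibc separates ChangeLog entries with a single blank line, so drop one of them.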
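Review bot: in the tst-sscanf.c hunk the comment has a typo, `arbitrariy` should be `arbitrarily`, and there are again two empty `+` lines before `return result;`. More substantively, `if (result != 1) printf ("PASS: bug16618: Did not crash.\n");` reads `result` as set by the earlier tests in the file, so a failure elsewhere in tst-sscanf suppresses this PASS line even when the new case passed; keep a local flag for the bug16618 case or drop the PASS print so the output is unambiguous. Also confirm that the 2.20 copy of tst-sscanf.c already includes <stdlib.h> for `malloc`, `abort` and `free`, since the hunk adds no include.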
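Review bot: the first vfscanf.c hunk introduces `bool` and `MAX` without adding includes, so check that the 2.20 vfscanf.c already pulls in <stdbool.h> and <sys/param.h> (or their equivalents) before this goes into dizzy. Two things in the hunk deserve a comment in the code: first, when `fits` is false `newsize` is set to SIZE_MAX so that `realloc (…, SIZE_MAX)` fails and the existing `if (wp == NULL)` path reports the error instead of allocating a wrapped-around size, and a reader can easily mistake SIZE_MAX for a real size; second, the condition drops `use_malloc ||`, so a buffer already on the heap could in principle reach the alloca branch, which is only safe because `wpmax` and therefore `newsize` only ever grow, so once `__libc_use_alloca (newsize)` has returned false it cannot return true on a later call. A one-line comment stating that invariant would save the next backporter from re-deriving it.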
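Review bot: in the second vfscanf.c hunk `wpmax = wpneed;` keeps `wpmax` as an element count while `newsize` (now passed straight to `extend_alloca`) and `s` are byte sizes, with `wpmax = s / sizeof (CHAR_T)` converting back; since the bug being fixed was exactly this unit confusion, add a short comment at the top of the macro naming which variables are element counts (`wpmax`, `wpneed`, `wpsize`) and which are byte sizes (`newsize`, `s`). The code itself looks right.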