Openembedded Core Discussions
* [master][krogoth][PATCH 1/4] gcc: Security fix CVE-2016-4488
From: Armin Kuster @ 2016-05-06  7:11 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/gcc/gcc-5.3.inc              |  1 +
 .../gcc/gcc-5.3/CVE-2016-4488.patch                | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4488.patch

diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 9808be1..2ea5952 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -88,6 +88,7 @@ SRC_URI = "\
            file://0056-Enable-libc-provide-ssp-and-gcc_cv_target_dl_iterate.patch \
            file://0057-unwind-fix-for-musl.patch \
            file://0058-fdebug-prefix-map-support-to-remap-relative-path.patch \
+           file://CVE-2016-4488.patch \
 "
 
 BACKPORTS = ""
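Review bot: the new SRC_URI entry is position-sensitive, not just an append. CVE-2016-4490.patch later in this series rewrites the `# Tests a use-after-free problem` comment lines that CVE-2016-4488.patch adds to libiberty/testsuite/demangle-expected, and the ChangeLog hunks in 2/4, 3/4 and 4/4 each use the previous patch's entry as context, so the four `file://CVE-2016-*.patch` lines must stay in this order; a one-line comment in the .inc recording that dependency would save the next person who reorders them.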
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4488.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4488.patch
new file mode 100644
index 0000000..30e0ffe
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4488.patch
@@ -0,0 +1,73 @@
+From be3004dc350a820a5b0320b34bd05673ba534058 Mon Sep 17 00:00:00 2001
+From: law <law@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 31 Mar 2016 17:20:53 +0000
+Subject: [PATCH] 	* cplus-dem.c (squangle_mop_up): Zero bsize/ksize
+ after freeing 	btypevec/ktypevec. 	* testsuite/demangle-expected: Add
+ coverage tests.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234645 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+CVE:  CVE-2016-4488
+
+patched ChangeLog and demangle-expected as patch is from tip.
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+---
+ libiberty/ChangeLog                   |  7 +++++++
+ libiberty/cplus-dem.c                 |  2 ++
+ libiberty/testsuite/demangle-expected | 10 ++++++++++
+ 3 files changed, 19 insertions(+)
+
+Index: gcc-5.3.0/libiberty/cplus-dem.c
+===================================================================
+--- gcc-5.3.0.orig/libiberty/cplus-dem.c
++++ gcc-5.3.0/libiberty/cplus-dem.c
+@@ -1237,11 +1237,13 @@ squangle_mop_up (struct work_stuff *work
+     {
+       free ((char *) work -> btypevec);
+       work->btypevec = NULL;
++      work->bsize = 0;
+     }
+   if (work -> ktypevec != NULL)
+     {
+       free ((char *) work -> ktypevec);
+       work->ktypevec = NULL;
++      work->ksize = 0;
+     }
+ }
+ 
+Index: gcc-5.3.0/libiberty/testsuite/demangle-expected
+===================================================================
+--- gcc-5.3.0.orig/libiberty/testsuite/demangle-expected
++++ gcc-5.3.0/libiberty/testsuite/demangle-expected
+@@ -4356,3 +4356,13 @@ _QueueNotification_QueueController__$4PP
+ --format=gnu-v3
+ _Z1fSsB3fooS_
+ f(std::string[abi:foo], std::string[abi:foo])
++#
++# Tests a use-after-free problem
++
++_Q.__0
++::Q.(void)
++#
++# Tests a use-after-free problem
++
++_Q10-__9cafebabe.
++cafebabe.::-(void)
+Index: gcc-5.3.0/libiberty/ChangeLog
+===================================================================
+--- gcc-5.3.0.orig/libiberty/ChangeLog
++++ gcc-5.3.0/libiberty/ChangeLog
+@@ -1,3 +1,10 @@
++2016-03-31  Mikhail Maltsev  <maltsevm@gmail.com>
++           Marcel Bohme  boehme.marcel@gmail.com
++
++       * cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing
++       btypevec/ktypevec.
++       * testsuite/demangle-expected: Add coverage tests.
++
+ 2015-12-04  Release Manager
+ 
+ 	* GCC 5.3.0 released.
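Review bot: the fix restores the invariant that bsize/ksize describe btypevec/ktypevec. The existing code already NULLs each pointer after free() but left the matching size field non-zero, so a later register_Btype/remember_Ktype would see a stale capacity for a vector that no longer exists; zeroing the size alongside the pointer is the minimal correct change. The two demangle-expected inputs (`_Q.__0`, `_Q10-__9cafebabe.`) are the regression check for this, and since 4/4 rewrites the same comment lines, running the libiberty testsuite after the whole series rather than after this patch alone is the meaningful verification. Minor: `CVE:  CVE-2016-4488` has a double space after the colon, unlike the other three patches; worth normalising so the `CVE:` tag is parsed consistently.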
-- 
2.3.5


* [master][krogoth][PATCH 2/4] gcc: Security fix CVE-2016-4489
From: Armin Kuster @ 2016-05-06  7:11 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/gcc/gcc-5.3.inc              |  1 +
 .../gcc/gcc-5.3/CVE-2016-4489.patch                | 56 ++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4489.patch

diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 2ea5952..692758d 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -89,6 +89,7 @@ SRC_URI = "\
            file://0057-unwind-fix-for-musl.patch \
            file://0058-fdebug-prefix-map-support-to-remap-relative-path.patch \
            file://CVE-2016-4488.patch \
+           file://CVE-2016-4489.patch \
 "
 
 BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4489.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4489.patch
new file mode 100644
index 0000000..68a0f85
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4489.patch
@@ -0,0 +1,56 @@
+From 053ec2207203a194d2ae82e2f164009aad3f14d2 Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 8 Apr 2016 12:06:59 +0000
+Subject: [PATCH] =?UTF-8?q?Handle=20an=20overflow=20case=20(PR70498,=20pat?=
+ =?UTF-8?q?ch=20by=20Marcel=20B=C3=B6hme).?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+	PR c++/70498
+	* cplus-dem.c (gnu_special): Handle case where consume_count returns
+	-1.
+
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234828 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+CVE: CVE-2016-4489
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libiberty/ChangeLog   | 6 ++++++
+ libiberty/cplus-dem.c | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+Index: gcc-5.3.0/libiberty/ChangeLog
+===================================================================
+--- gcc-5.3.0.orig/libiberty/ChangeLog
++++ gcc-5.3.0/libiberty/ChangeLog
+@@ -1,3 +1,9 @@
++2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
++
++	PR c++/70498
++	* cplus-dem.c (gnu_special): Handle case where consume_count returns
++	-1.
++
+ 2016-03-31  Mikhail Maltsev  <maltsevm@gmail.com>
+            Marcel Bohme  boehme.marcel@gmail.com
+ 
+Index: gcc-5.3.0/libiberty/cplus-dem.c
+===================================================================
+--- gcc-5.3.0.orig/libiberty/cplus-dem.c
++++ gcc-5.3.0/libiberty/cplus-dem.c
+@@ -3001,6 +3001,11 @@ gnu_special (struct work_stuff *work, co
+ 		      success = 1;
+ 		      break;
+ 		    }
++		  else if (n == -1)
++		    {
++		      success = 0;
++		      break;
++		    }
+ 		}
+ 	      else
+ 		{
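Review bot: the new `else if (n == -1)` branch in gnu_special treats consume_count's failure value (-1, per the ChangeLog entry) as a hard parse failure with `success = 0; break;`, mirroring the `success = 1; break;` shape of the existing branch, which looks right. Two things to flag for the backport: the ChangeLog hunk `@@ -1,3 +1,9 @@` is what 3/4 and 4/4 then use as context, so any fuzz when this is applied to a different gcc-5.3 tree will surface as a rejected ChangeLog hunk rather than a code problem; and with only three lines of context it is not visible here whether `n` is used anywhere between the consume_count call and these checks, which is worth confirming against the full function before relying on the -1 test alone.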
-- 
2.3.5


* [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226
From: Armin Kuster @ 2016-05-06  7:11 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
 .../gcc/gcc-5.3/CVE-2016-2226.patch                | 103 +++++++++++++++++++++
 2 files changed, 104 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch

diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 692758d..5fede2a 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -90,6 +90,7 @@ SRC_URI = "\
            file://0058-fdebug-prefix-map-support-to-remap-relative-path.patch \
            file://CVE-2016-4488.patch \
            file://CVE-2016-4489.patch \
+           file://CVE-2016-2226.patch \
 "
 
 BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
new file mode 100644
index 0000000..4decb84
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
@@ -0,0 +1,103 @@
+From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 8 Apr 2016 12:10:21 +0000
+Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
+ =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+	PR c++/69687
+	* cplus-dem.c: Include <limits.h> if available.
+	(INT_MAX): Define if necessary.
+	(remember_type, remember_Ktype, register_Btype, string_need):
+	Abort if we detect cases where we the size of the allocation would
+	overflow.
+
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
+CVE: CVE-2016-2226
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libiberty/ChangeLog   |  7 +++++++
+ libiberty/cplus-dem.c | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
+index 8e82a5f..2a34356 100644
+--- a/libiberty/ChangeLog
++++ b/libiberty/ChangeLog
+@@ -1,5 +1,12 @@
+ 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
+ 
++	PR c++/69687
++	* cplus-dem.c: Include <limits.h> if available.
++	(INT_MAX): Define if necessary.
++	(remember_type, remember_Ktype, register_Btype, string_need):
++	Abort if we detect cases where we the size of the allocation would
++	overflow.
++
+ 	PR c++/70498
+ 	* cplus-dem.c (gnu_special): Handle case where consume_count returns
+ 	-1.
+diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
+index abba234..7514e57 100644
+--- a/libiberty/cplus-dem.c
++++ b/libiberty/cplus-dem.c
+@@ -56,6 +56,13 @@ void * malloc ();
+ void * realloc ();
+ #endif
+ 
++#ifdef HAVE_LIMITS_H
++#include <limits.h>
++#endif
++#ifndef INT_MAX
++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */ 
++#endif
++
+ #include <demangle.h>
+ #undef CURRENT_DEMANGLING_STYLE
+ #define CURRENT_DEMANGLING_STYLE work->options
+@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
+ 	}
+       else
+ 	{
++          if (work -> typevec_size > INT_MAX / 2)
++	    xmalloc_failed (INT_MAX);
+ 	  work -> typevec_size *= 2;
+ 	  work -> typevec
+ 	    = XRESIZEVEC (char *, work->typevec, work->typevec_size);
+@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
+ 	}
+       else
+ 	{
++          if (work -> ksize > INT_MAX / 2)
++	    xmalloc_failed (INT_MAX);
+ 	  work -> ksize *= 2;
+ 	  work -> ktypevec
+ 	    = XRESIZEVEC (char *, work->ktypevec, work->ksize);
+@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
+ 	}
+       else
+ 	{
++          if (work -> bsize > INT_MAX / 2)
++	    xmalloc_failed (INT_MAX);
+ 	  work -> bsize *= 2;
+ 	  work -> btypevec
+ 	    = XRESIZEVEC (char *, work->btypevec, work->bsize);
+@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
+   else if (s->e - s->p < n)
+     {
+       tem = s->p - s->b;
++      if (n > INT_MAX / 2 - tem)
++        xmalloc_failed (INT_MAX); 
+       n += tem;
+       n *= 2;
+       s->b = XRESIZEVEC (char, s->b, n);
+-- 
+2.3.5
+
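Review bot: the guards are the right shape for each allocation. In remember_type, remember_Ktype and register_Btype the capacity is doubled, so `size > INT_MAX / 2` is exactly the condition under which `size *= 2` would overflow; in string_need the new length is `(n + tem) * 2`, and `n > INT_MAX / 2 - tem` rejects precisely the inputs for which that product exceeds INT_MAX, with no overflow inside the check itself since `tem = s->p - s->b` is a non-negative offset into the buffer. Note the chosen failure mode: xmalloc_failed(INT_MAX) aborts the process, so a mangled name that trips one of these checks terminates whatever links libiberty (binutils tools, gdb) instead of returning a demangling error; that is upstream's decision and acceptable for a backport, but it is a crash, not a recovery. Trailing whitespace on the `/* 0x7FFFFFFF */ ` and `xmalloc_failed (INT_MAX); ` lines could be stripped before this lands.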
-- 
2.3.5


* [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490
From: Armin Kuster @ 2016-05-06  7:11 UTC (permalink / raw)
  To: akuster, openembedded-core

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
 .../gcc/gcc-5.3/CVE-2016-4490.patch                | 270 +++++++++++++++++++++
 2 files changed, 271 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch

diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 5fede2a..445d003 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -91,6 +91,7 @@ SRC_URI = "\
            file://CVE-2016-4488.patch \
            file://CVE-2016-4489.patch \
            file://CVE-2016-2226.patch \
+           file://CVE-2016-4490.patch \
 "
 
 BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
new file mode 100644
index 0000000..4a9ed69
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
@@ -0,0 +1,270 @@
+From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Mon, 2 May 2016 17:06:40 +0000
+Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
+ =?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+	PR c++/70498
+	* cp-demangle.c: Parse numbers as integer instead of long to avoid
+	overflow after sanity checks. Include <limits.h> if available.
+	(INT_MAX): Define if necessary.
+	(d_make_template_param): Takes integer argument instead of long.
+	(d_make_function_param): Likewise.
+	(d_append_num): Likewise.
+	(d_identifier): Likewise.
+	(d_number): Parse as and return integer.
+	(d_compact_number): Handle overflow.
+	(d_source_name): Change variable type to integer for parsed number.
+	(d_java_resource): Likewise.
+	(d_special_name): Likewise.
+	(d_discriminator): Likewise.
+	(d_unnamed_type): Likewise.
+	* testsuite/demangle-expected: Add regression test cases.
+
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+
+CVE: CVE-2016-4490
+hand applied ChangeLog
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libiberty/ChangeLog                   | 19 +++++++++++++
+ libiberty/cp-demangle.c               | 52 ++++++++++++++++++++---------------
+ libiberty/testsuite/demangle-expected | 14 ++++++++--
+ 3 files changed, 61 insertions(+), 24 deletions(-)
+
+Index: gcc-5.3.0/libiberty/cp-demangle.c
+===================================================================
+--- gcc-5.3.0.orig/libiberty/cp-demangle.c
++++ gcc-5.3.0/libiberty/cp-demangle.c
+@@ -124,6 +124,13 @@ extern char *alloca ();
+ # endif /* alloca */
+ #endif /* HAVE_ALLOCA_H */
+ 
++#ifdef HAVE_LIMITS_H
++#include <limits.h>
++#endif
++#ifndef INT_MAX
++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */
++#endif
++
+ #include "ansidecl.h"
+ #include "libiberty.h"
+ #include "demangle.h"
+@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v
+              struct demangle_component *);
+ 
+ static struct demangle_component *
+-d_make_template_param (struct d_info *, long);
++d_make_template_param (struct d_info *, int);
+ 
+ static struct demangle_component *
+ d_make_sub (struct d_info *, const char *, int);
+@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu
+ 
+ static struct demangle_component *d_source_name (struct d_info *);
+ 
+-static long d_number (struct d_info *);
++static int d_number (struct d_info *);
+ 
+ static struct demangle_component *d_identifier (struct d_info *, int);
+ 
+@@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu
+ /* Add a new template parameter.  */
+ 
+ static struct demangle_component *
+-d_make_template_param (struct d_info *di, long i)
++d_make_template_param (struct d_info *di, int i)
+ {
+   struct demangle_component *p;
+ 
+@@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di
+ /* Add a new function parameter.  */
+ 
+ static struct demangle_component *
+-d_make_function_param (struct d_info *di, long i)
++d_make_function_param (struct d_info *di, int i)
+ {
+   struct demangle_component *p;
+ 
+@@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di)
+ static struct demangle_component *
+ d_source_name (struct d_info *di)
+ {
+-  long len;
++  int len;
+   struct demangle_component *ret;
+ 
+   len = d_number (di);
+@@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di)
+ 
+ /* number ::= [n] <(non-negative decimal integer)>  */
+ 
+-static long
++static int
+ d_number (struct d_info *di)
+ {
+   int negative;
+   char peek;
+-  long ret;
++  int ret;
+ 
+   negative = 0;
+   peek = d_peek_char (di);
+@@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di)
+ {
+   struct demangle_component *p = NULL;
+   struct demangle_component *next = NULL;
+-  long len, i;
++  int len, i;
+   char c;
+   const char *str;
+ 
+@@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di)
+ 	case 'C':
+ 	  {
+ 	    struct demangle_component *derived_type;
+-	    long offset;
++	    int offset;
+ 	    struct demangle_component *base_type;
+ 
+ 	    derived_type = cplus_demangle_type (di);
+@@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info
+ 
+ /* <non-negative number> _ */
+ 
+-static long
++static int
+ d_compact_number (struct d_info *di)
+ {
+-  long num;
++  int num;
+   if (d_peek_char (di) == '_')
+     num = 0;
+   else if (d_peek_char (di) == 'n')
+@@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di)
+   else
+     num = d_number (di) + 1;
+ 
+-  if (! d_check_char (di, '_'))
++  if (num < 0 || ! d_check_char (di, '_'))
+     return -1;
+   return num;
+ }
+@@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di)
+ static struct demangle_component *
+ d_template_param (struct d_info *di)
+ {
+-  long param;
++  int param;
+ 
+   if (! d_check_char (di, 'T'))
+     return NULL;
+@@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di)
+ 	}
+       else
+ 	{
+-	  index = d_compact_number (di) + 1;
+-	  if (index == 0)
++	  index = d_compact_number (di);
++	  if (index == INT_MAX || index == -1)
+ 	    return NULL;
++	  index ++;
+ 	}
+       return d_make_function_param (di, index);
+     }
+@@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di)
+ static int
+ d_discriminator (struct d_info *di)
+ {
+-  long discrim;
++  int discrim;
+ 
+   if (d_peek_char (di) != '_')
+     return 1;
+@@ -3511,7 +3519,7 @@ static struct demangle_component *
+ d_unnamed_type (struct d_info *di)
+ {
+   struct demangle_component *ret;
+-  long num;
++  int num;
+ 
+   if (! d_check_char (di, 'U'))
+     return NULL;
+@@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp
+ }
+ 
+ static inline void
+-d_append_num (struct d_print_info *dpi, long l)
++d_append_num (struct d_print_info *dpi, int l)
+ {
+   char buf[25];
+-  sprintf (buf,"%ld", l);
++  sprintf (buf,"%d", l);
+   d_append_string (dpi, buf);
+ }
+ 
+Index: gcc-5.3.0/libiberty/testsuite/demangle-expected
+===================================================================
+--- gcc-5.3.0.orig/libiberty/testsuite/demangle-expected
++++ gcc-5.3.0/libiberty/testsuite/demangle-expected
+@@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP
+ _Z1fSsB3fooS_
+ f(std::string[abi:foo], std::string[abi:foo])
+ #
+-# Tests a use-after-free problem
++# Tests a use-after-free problem PR70481
+ 
+ _Q.__0
+ ::Q.(void)
+ #
+-# Tests a use-after-free problem
++# Tests a use-after-free problem PR70481
+ 
+ _Q10-__9cafebabe.
+ cafebabe.::-(void)
++#
++# Tests integer overflow problem PR70492
++
++__vt_90000000000cafebabe
++__vt_90000000000cafebabe
++#
++# Tests write access violation PR70498
++
++_Z80800000000000000000000
++_Z80800000000000000000000
+Index: gcc-5.3.0/libiberty/ChangeLog
+===================================================================
+--- gcc-5.3.0.orig/libiberty/ChangeLog
++++ gcc-5.3.0/libiberty/ChangeLog
+@@ -1,3 +1,22 @@
++2016-05-02  Marcel Böhme  <boehme.marcel@gmail.com>
++
++   PR c++/70498
++   * cp-demangle.c: Parse numbers as integer instead of long to avoid
++   overflow after sanity checks. Include <limits.h> if available.
++   (INT_MAX): Define if necessary.
++   (d_make_template_param): Takes integer argument instead of long.
++   (d_make_function_param): Likewise.
++   (d_append_num): Likewise.
++   (d_identifier): Likewise.
++   (d_number): Parse as and return integer.
++   (d_compact_number): Handle overflow.
++   (d_source_name): Change variable type to integer for parsed number.
++   (d_java_resource): Likewise.
++   (d_special_name): Likewise.
++   (d_discriminator): Likewise.
++   (d_unnamed_type): Likewise.
++   * testsuite/demangle-expected: Add regression test cases.
++
+ 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
+ 
+ 	PR c++/69687
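Review bot: the long-to-int change is doing the real work here and the two new checks depend on it: d_compact_number now returns -1 when `num < 0`, and d_expression_1 tests `index == INT_MAX || index == -1` before `index ++` instead of adding first and testing for 0, which closes the `+1` wrap. What the hunk does not show is any change to d_number's digit-accumulation loop, only its return type and `ret` becoming int, so the `num < 0` test catches a wrapped value only if the accumulation wrapped in a defined way, and signed overflow is undefined behaviour in C that a newer compiler may optimise around. Worth checking the loop body against upstream trunk@235767 and, if it is unchanged, considering an explicit range check before the multiply. Minor: the hand-applied ChangeLog entry is indented with three spaces while the existing entries use a tab (compare the `PR c++/69687` context line), so the file now has mixed indentation.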
-- 
2.3.5


* Re: [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226
From: akuster808 @ 2016-05-13 16:14 UTC (permalink / raw)
  To: openembedded-core

This fix is in GCC 6.0.


On 05/06/2016 12:11 AM, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
> 
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
>  meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
>  .../gcc/gcc-5.3/CVE-2016-2226.patch                | 103 +++++++++++++++++++++
>  2 files changed, 104 insertions(+)
>  create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
> 
> diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
> index 692758d..5fede2a 100644
> --- a/meta/recipes-devtools/gcc/gcc-5.3.inc
> +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
> @@ -90,6 +90,7 @@ SRC_URI = "\
>             file://0058-fdebug-prefix-map-support-to-remap-relative-path.patch \
>             file://CVE-2016-4488.patch \
>             file://CVE-2016-4489.patch \
> +           file://CVE-2016-2226.patch \
>  "
>  
>  BACKPORTS = ""
> diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
> new file mode 100644
> index 0000000..4decb84
> --- /dev/null
> +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
> @@ -0,0 +1,103 @@
> +From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
> +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
> +Date: Fri, 8 Apr 2016 12:10:21 +0000
> +Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
> + =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +	PR c++/69687
> +	* cplus-dem.c: Include <limits.h> if available.
> +	(INT_MAX): Define if necessary.
> +	(remember_type, remember_Ktype, register_Btype, string_need):
> +	Abort if we detect cases where we the size of the allocation would
> +	overflow.
> +
> +
> +
> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
> +Upstream-Status: Backport
> +CVE: CVE-2016-2226
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + libiberty/ChangeLog   |  7 +++++++
> + libiberty/cplus-dem.c | 15 +++++++++++++++
> + 2 files changed, 22 insertions(+)
> +
> +diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
> +index 8e82a5f..2a34356 100644
> +--- a/libiberty/ChangeLog
> ++++ b/libiberty/ChangeLog
> +@@ -1,5 +1,12 @@
> + 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
> + 
> ++	PR c++/69687
> ++	* cplus-dem.c: Include <limits.h> if available.
> ++	(INT_MAX): Define if necessary.
> ++	(remember_type, remember_Ktype, register_Btype, string_need):
> ++	Abort if we detect cases where we the size of the allocation would
> ++	overflow.
> ++
> + 	PR c++/70498
> + 	* cplus-dem.c (gnu_special): Handle case where consume_count returns
> + 	-1.
> +diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
> +index abba234..7514e57 100644
> +--- a/libiberty/cplus-dem.c
> ++++ b/libiberty/cplus-dem.c
> +@@ -56,6 +56,13 @@ void * malloc ();
> + void * realloc ();
> + #endif
> + 
> ++#ifdef HAVE_LIMITS_H
> ++#include <limits.h>
> ++#endif
> ++#ifndef INT_MAX
> ++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */ 
> ++#endif
> ++
> + #include <demangle.h>
> + #undef CURRENT_DEMANGLING_STYLE
> + #define CURRENT_DEMANGLING_STYLE work->options
> +@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
> + 	}
> +       else
> + 	{
> ++          if (work -> typevec_size > INT_MAX / 2)
> ++	    xmalloc_failed (INT_MAX);
> + 	  work -> typevec_size *= 2;
> + 	  work -> typevec
> + 	    = XRESIZEVEC (char *, work->typevec, work->typevec_size);
> +@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
> + 	}
> +       else
> + 	{
> ++          if (work -> ksize > INT_MAX / 2)
> ++	    xmalloc_failed (INT_MAX);
> + 	  work -> ksize *= 2;
> + 	  work -> ktypevec
> + 	    = XRESIZEVEC (char *, work->ktypevec, work->ksize);
> +@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
> + 	}
> +       else
> + 	{
> ++          if (work -> bsize > INT_MAX / 2)
> ++	    xmalloc_failed (INT_MAX);
> + 	  work -> bsize *= 2;
> + 	  work -> btypevec
> + 	    = XRESIZEVEC (char *, work->btypevec, work->bsize);
> +@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
> +   else if (s->e - s->p < n)
> +     {
> +       tem = s->p - s->b;
> ++      if (n > INT_MAX / 2 - tem)
> ++        xmalloc_failed (INT_MAX); 
> +       n += tem;
> +       n *= 2;
> +       s->b = XRESIZEVEC (char, s->b, n);
> +-- 
> +2.3.5
> +
> 

* Re: [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490
From: akuster808 @ 2016-05-13 16:16 UTC (permalink / raw)
  To: openembedded-core

This fix is not in GCC 6.0.

On 05/06/2016 12:11 AM, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
> 
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
>  meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
>  .../gcc/gcc-5.3/CVE-2016-4490.patch                | 270 +++++++++++++++++++++
>  2 files changed, 271 insertions(+)
>  create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
> 
> diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
> index 5fede2a..445d003 100644
> --- a/meta/recipes-devtools/gcc/gcc-5.3.inc
> +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
> @@ -91,6 +91,7 @@ SRC_URI = "\
>             file://CVE-2016-4488.patch \
>             file://CVE-2016-4489.patch \
>             file://CVE-2016-2226.patch \
> +           file://CVE-2016-4490.patch \
>  "
>  
>  BACKPORTS = ""
> diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
> new file mode 100644
> index 0000000..4a9ed69
> --- /dev/null
> +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
> @@ -0,0 +1,270 @@
> +From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
> +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
> +Date: Mon, 2 May 2016 17:06:40 +0000
> +Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
> + =?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +	PR c++/70498
> +	* cp-demangle.c: Parse numbers as integer instead of long to avoid
> +	overflow after sanity checks. Include <limits.h> if available.
> +	(INT_MAX): Define if necessary.
> +	(d_make_template_param): Takes integer argument instead of long.
> +	(d_make_function_param): Likewise.
> +	(d_append_num): Likewise.
> +	(d_identifier): Likewise.
> +	(d_number): Parse as and return integer.
> +	(d_compact_number): Handle overflow.
> +	(d_source_name): Change variable type to integer for parsed number.
> +	(d_java_resource): Likewise.
> +	(d_special_name): Likewise.
> +	(d_discriminator): Likewise.
> +	(d_unnamed_type): Likewise.
> +	* testsuite/demangle-expected: Add regression test cases.
> +
> +
> +
> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
> +
> +Upstream-Status: Backport
> +
> +CVE: CVE-2016-4490
> +hand applied ChangeLog
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + libiberty/ChangeLog                   | 19 +++++++++++++
> + libiberty/cp-demangle.c               | 52 ++++++++++++++++++++---------------
> + libiberty/testsuite/demangle-expected | 14 ++++++++--
> + 3 files changed, 61 insertions(+), 24 deletions(-)
> +
> +Index: gcc-5.3.0/libiberty/cp-demangle.c
> +===================================================================
> +--- gcc-5.3.0.orig/libiberty/cp-demangle.c
> ++++ gcc-5.3.0/libiberty/cp-demangle.c
> +@@ -124,6 +124,13 @@ extern char *alloca ();
> + # endif /* alloca */
> + #endif /* HAVE_ALLOCA_H */
> + 
> ++#ifdef HAVE_LIMITS_H
> ++#include <limits.h>
> ++#endif
> ++#ifndef INT_MAX
> ++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */
> ++#endif
> ++
> + #include "ansidecl.h"
> + #include "libiberty.h"
> + #include "demangle.h"
> +@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v
> +              struct demangle_component *);
> + 
> + static struct demangle_component *
> +-d_make_template_param (struct d_info *, long);
> ++d_make_template_param (struct d_info *, int);
> + 
> + static struct demangle_component *
> + d_make_sub (struct d_info *, const char *, int);
> +@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu
> + 
> + static struct demangle_component *d_source_name (struct d_info *);
> + 
> +-static long d_number (struct d_info *);
> ++static int d_number (struct d_info *);
> + 
> + static struct demangle_component *d_identifier (struct d_info *, int);
> + 
> +@@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu
> + /* Add a new template parameter.  */
> + 
> + static struct demangle_component *
> +-d_make_template_param (struct d_info *di, long i)
> ++d_make_template_param (struct d_info *di, int i)
> + {
> +   struct demangle_component *p;
> + 
> +@@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di
> + /* Add a new function parameter.  */
> + 
> + static struct demangle_component *
> +-d_make_function_param (struct d_info *di, long i)
> ++d_make_function_param (struct d_info *di, int i)
> + {
> +   struct demangle_component *p;
> + 
> +@@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di)
> + static struct demangle_component *
> + d_source_name (struct d_info *di)
> + {
> +-  long len;
> ++  int len;
> +   struct demangle_component *ret;
> + 
> +   len = d_number (di);
> +@@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di)
> + 
> + /* number ::= [n] <(non-negative decimal integer)>  */
> + 
> +-static long
> ++static int
> + d_number (struct d_info *di)
> + {
> +   int negative;
> +   char peek;
> +-  long ret;
> ++  int ret;
> + 
> +   negative = 0;
> +   peek = d_peek_char (di);
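Review bot: this hunk narrows d_number's return value and `ret` from long to int but shows no bound check being added to the digit-accumulation loop (not part of the hunk), so a length such as the `_Z80800000000000000000000` case added to the testsuite still overflows `ret` while accumulating; signed overflow is undefined behaviour in C, and the `num < 0` test that d_compact_number relies on further down only works if the compiler happens to wrap. Suggest guarding each accumulation step, for example `if (ret > (INT_MAX - (peek - '0')) / 10) return -1;` before multiplying, so d_number fails cleanly on overflow with a value its callers already reject instead of depending on wraparound.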
> +@@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di)
> + {
> +   struct demangle_component *p = NULL;
> +   struct demangle_component *next = NULL;
> +-  long len, i;
> ++  int len, i;
> +   char c;
> +   const char *str;
> + 
> +@@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di)
> + 	case 'C':
> + 	  {
> + 	    struct demangle_component *derived_type;
> +-	    long offset;
> ++	    int offset;
> + 	    struct demangle_component *base_type;
> + 
> + 	    derived_type = cplus_demangle_type (di);
> +@@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info
> + 
> + /* <non-negative number> _ */
> + 
> +-static long
> ++static int
> + d_compact_number (struct d_info *di)
> + {
> +-  long num;
> ++  int num;
> +   if (d_peek_char (di) == '_')
> +     num = 0;
> +   else if (d_peek_char (di) == 'n')
> +@@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di)
> +   else
> +     num = d_number (di) + 1;
> + 
> +-  if (! d_check_char (di, '_'))
> ++  if (num < 0 || ! d_check_char (di, '_'))
> +     return -1;
> +   return num;
> + }
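Review bot: in the `else` branch, `num = d_number (di) + 1;` executes before the new `num < 0` check, so when d_number returns INT_MAX the addition itself overflows first and the guard only catches it if the result wraps, which the compiler is not required to do. Testing the value before adding one, e.g. `num = d_number (di); if (num < 0 || num == INT_MAX || ! d_check_char (di, '_')) return -1; return num + 1;`, removes the dependence on wraparound and mirrors the `index == INT_MAX` check that d_expression_1 applies to this function's result below.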
> +@@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di)
> + static struct demangle_component *
> + d_template_param (struct d_info *di)
> + {
> +-  long param;
> ++  int param;
> + 
> +   if (! d_check_char (di, 'T'))
> +     return NULL;
> +@@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di)
> + 	}
> +       else
> + 	{
> +-	  index = d_compact_number (di) + 1;
> +-	  if (index == 0)
> ++	  index = d_compact_number (di);
> ++	  if (index == INT_MAX || index == -1)
> + 	    return NULL;
> ++	  index ++;
> + 	}
> +       return d_make_function_param (di, index);
> +     }
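Review bot: checking `index == INT_MAX` before `index ++` is the right order, since the old `d_compact_number (di) + 1` overflowed before the `index == 0` comparison could see it, and INT_MAX is exactly the value d_compact_number returns when d_number yields INT_MAX - 1, so that test must stay even though d_compact_number now reports every error as -1. One style point: `index ++` should be `index++` to match the surrounding GNU formatting.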
> +@@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di)
> + static int
> + d_discriminator (struct d_info *di)
> + {
> +-  long discrim;
> ++  int discrim;
> + 
> +   if (d_peek_char (di) != '_')
> +     return 1;
> +@@ -3511,7 +3519,7 @@ static struct demangle_component *
> + d_unnamed_type (struct d_info *di)
> + {
> +   struct demangle_component *ret;
> +-  long num;
> ++  int num;
> + 
> +   if (! d_check_char (di, 'U'))
> +     return NULL;
> +@@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp
> + }
> + 
> + static inline void
> +-d_append_num (struct d_print_info *dpi, long l)
> ++d_append_num (struct d_print_info *dpi, int l)
> + {
> +   char buf[25];
> +-  sprintf (buf,"%ld", l);
> ++  sprintf (buf,"%d", l);
> +   d_append_string (dpi, buf);
> + }
> + 
> +Index: gcc-5.3.0/libiberty/testsuite/demangle-expected
> +===================================================================
> +--- gcc-5.3.0.orig/libiberty/testsuite/demangle-expected
> ++++ gcc-5.3.0/libiberty/testsuite/demangle-expected
> +@@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP
> + _Z1fSsB3fooS_
> + f(std::string[abi:foo], std::string[abi:foo])
> + #
> +-# Tests a use-after-free problem
> ++# Tests a use-after-free problem PR70481
> + 
> + _Q.__0
> + ::Q.(void)
> + #
> +-# Tests a use-after-free problem
> ++# Tests a use-after-free problem PR70481
> + 
> + _Q10-__9cafebabe.
> + cafebabe.::-(void)
> ++#
> ++# Tests integer overflow problem PR70492
> ++
> ++__vt_90000000000cafebabe
> ++__vt_90000000000cafebabe
> ++#
> ++# Tests write access violation PR70498
> ++
> ++_Z80800000000000000000000
> ++_Z80800000000000000000000
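Review bot: both new cases expect the input echoed unchanged, i.e. they only verify that the demangler rejects `__vt_90000000000cafebabe` and `_Z80800000000000000000000` rather than crashing, which is the right shape for a regression test, but neither reaches the `index == INT_MAX` path added to d_expression_1 in cp-demangle.c. Suggest a third case using an `fp` function-parameter reference with a parameter number close to INT_MAX, again with the input as the expected output, so that check is covered. Also, the case labelled `PR70492` cites a different PR than the `PR c++/70498` this patch is named for; a sentence in the patch header saying the testsuite hunk was carried over whole from the upstream commit would save the next reader the question.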
> +Index: gcc-5.3.0/libiberty/ChangeLog
> +===================================================================
> +--- gcc-5.3.0.orig/libiberty/ChangeLog
> ++++ gcc-5.3.0/libiberty/ChangeLog
> +@@ -1,3 +1,22 @@
> ++2016-05-02  Marcel Böhme  <boehme.marcel@gmail.com>
> ++
> ++   PR c++/70498
> ++   * cp-demangle.c: Parse numbers as integer instead of long to avoid
> ++   overflow after sanity checks. Include <limits.h> if available.
> ++   (INT_MAX): Define if necessary.
> ++   (d_make_template_param): Takes integer argument instead of long.
> ++   (d_make_function_param): Likewise.
> ++   (d_append_num): Likewise.
> ++   (d_identifier): Likewise.
> ++   (d_number): Parse as and return integer.
> ++   (d_compact_number): Handle overflow.
> ++   (d_source_name): Change variable type to integer for parsed number.
> ++   (d_java_resource): Likewise.
> ++   (d_special_name): Likewise.
> ++   (d_discriminator): Likewise.
> ++   (d_unnamed_type): Likewise.
> ++   * testsuite/demangle-expected: Add regression test cases.
> ++
> + 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
> + 
> + 	PR c++/69687
> 
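Review bot: the ChangeLog entry lists `(d_identifier): Likewise.` but no hunk in this backport touches d_identifier, and the unchanged context line `static struct demangle_component *d_identifier (struct d_info *, int);` earlier in the patch shows its length parameter was already an int in gcc 5.3; either drop that line from the hand-applied entry or say in the patch header that it is copied verbatim from upstream. The new entry is also indented with three spaces (`+   PR c++/70498`) where the existing entry below (`	PR c++/69687`) uses a tab, so the file's own formatting should be followed.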


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490
  2016-05-13 16:16   ` akuster808
@ 2016-05-13 18:07     ` Khem Raj
  2016-05-13 20:52       ` akuster808
  0 siblings, 1 reply; 10+ messages in thread
From: Khem Raj @ 2016-05-13 18:07 UTC (permalink / raw)
  To: akuster808; +Cc: openembedded-core


Thanks for noting. We will update gcc-6 to the latest on the gcc-6 branch sometime later and hopefully it will come in;
please keep an eye on it.

> On May 13, 2016, at 9:16 AM, akuster808 <akuster808@gmail.com> wrote:
> 
> this fix is not in gcc 6.0
> 
> On 05/06/2016 12:11 AM, Armin Kuster wrote:
>> From: Armin Kuster <akuster@mvista.com>
>> 
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> ---
>> meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
>> .../gcc/gcc-5.3/CVE-2016-4490.patch                | 270 +++++++++++++++++++++
>> 2 files changed, 271 insertions(+)
>> create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>> 
>> diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
>> index 5fede2a..445d003 100644
>> --- a/meta/recipes-devtools/gcc/gcc-5.3.inc
>> +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
>> @@ -91,6 +91,7 @@ SRC_URI = "\
>>            file://CVE-2016-4488.patch \
>>            file://CVE-2016-4489.patch \
>>            file://CVE-2016-2226.patch \
>> +           file://CVE-2016-4490.patch \
>> "
>> 
>> BACKPORTS = ""
>> diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>> new file mode 100644
>> index 0000000..4a9ed69
>> --- /dev/null
>> +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>> @@ -0,0 +1,270 @@
>> +From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
>> +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
>> +Date: Mon, 2 May 2016 17:06:40 +0000
>> +Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
>> + =?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
>> +MIME-Version: 1.0
>> +Content-Type: text/plain; charset=UTF-8
>> +Content-Transfer-Encoding: 8bit
>> +
>> +	PR c++/70498
>> +	* cp-demangle.c: Parse numbers as integer instead of long to avoid
>> +	overflow after sanity checks. Include <limits.h> if available.
>> +	(INT_MAX): Define if necessary.
>> +	(d_make_template_param): Takes integer argument instead of long.
>> +	(d_make_function_param): Likewise.
>> +	(d_append_num): Likewise.
>> +	(d_identifier): Likewise.
>> +	(d_number): Parse as and return integer.
>> +	(d_compact_number): Handle overflow.
>> +	(d_source_name): Change variable type to integer for parsed number.
>> +	(d_java_resource): Likewise.
>> +	(d_special_name): Likewise.
>> +	(d_discriminator): Likewise.
>> +	(d_unnamed_type): Likewise.
>> +	* testsuite/demangle-expected: Add regression test cases.
>> +
>> +
>> +
>> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
>> +
>> +Upstream-Status: Backport
>> +
>> +CVE: CVE-2016-4490
>> +hand applied ChangeLog
>> +
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + libiberty/ChangeLog                   | 19 +++++++++++++
>> + libiberty/cp-demangle.c               | 52 ++++++++++++++++++++---------------
>> + libiberty/testsuite/demangle-expected | 14 ++++++++--
>> + 3 files changed, 61 insertions(+), 24 deletions(-)
>> +
>> +Index: gcc-5.3.0/libiberty/cp-demangle.c
>> +===================================================================
>> +--- gcc-5.3.0.orig/libiberty/cp-demangle.c
>> ++++ gcc-5.3.0/libiberty/cp-demangle.c
>> +@@ -124,6 +124,13 @@ extern char *alloca ();
>> + # endif /* alloca */
>> + #endif /* HAVE_ALLOCA_H */
>> +
>> ++#ifdef HAVE_LIMITS_H
>> ++#include <limits.h>
>> ++#endif
>> ++#ifndef INT_MAX
>> ++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */
>> ++#endif
>> ++
>> + #include "ansidecl.h"
>> + #include "libiberty.h"
>> + #include "demangle.h"
>> +@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v
>> +              struct demangle_component *);
>> +
>> + static struct demangle_component *
>> +-d_make_template_param (struct d_info *, long);
>> ++d_make_template_param (struct d_info *, int);
>> +
>> + static struct demangle_component *
>> + d_make_sub (struct d_info *, const char *, int);
>> +@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu
>> +
>> + static struct demangle_component *d_source_name (struct d_info *);
>> +
>> +-static long d_number (struct d_info *);
>> ++static int d_number (struct d_info *);
>> +
>> + static struct demangle_component *d_identifier (struct d_info *, int);
>> +
>> +@@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu
>> + /* Add a new template parameter.  */
>> +
>> + static struct demangle_component *
>> +-d_make_template_param (struct d_info *di, long i)
>> ++d_make_template_param (struct d_info *di, int i)
>> + {
>> +   struct demangle_component *p;
>> +
>> +@@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di
>> + /* Add a new function parameter.  */
>> +
>> + static struct demangle_component *
>> +-d_make_function_param (struct d_info *di, long i)
>> ++d_make_function_param (struct d_info *di, int i)
>> + {
>> +   struct demangle_component *p;
>> +
>> +@@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di)
>> + static struct demangle_component *
>> + d_source_name (struct d_info *di)
>> + {
>> +-  long len;
>> ++  int len;
>> +   struct demangle_component *ret;
>> +
>> +   len = d_number (di);
>> +@@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di)
>> +
>> + /* number ::= [n] <(non-negative decimal integer)>  */
>> +
>> +-static long
>> ++static int
>> + d_number (struct d_info *di)
>> + {
>> +   int negative;
>> +   char peek;
>> +-  long ret;
>> ++  int ret;
>> +
>> +   negative = 0;
>> +   peek = d_peek_char (di);
>> +@@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di)
>> + {
>> +   struct demangle_component *p = NULL;
>> +   struct demangle_component *next = NULL;
>> +-  long len, i;
>> ++  int len, i;
>> +   char c;
>> +   const char *str;
>> +
>> +@@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di)
>> + 	case 'C':
>> + 	  {
>> + 	    struct demangle_component *derived_type;
>> +-	    long offset;
>> ++	    int offset;
>> + 	    struct demangle_component *base_type;
>> +
>> + 	    derived_type = cplus_demangle_type (di);
>> +@@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info
>> +
>> + /* <non-negative number> _ */
>> +
>> +-static long
>> ++static int
>> + d_compact_number (struct d_info *di)
>> + {
>> +-  long num;
>> ++  int num;
>> +   if (d_peek_char (di) == '_')
>> +     num = 0;
>> +   else if (d_peek_char (di) == 'n')
>> +@@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di)
>> +   else
>> +     num = d_number (di) + 1;
>> +
>> +-  if (! d_check_char (di, '_'))
>> ++  if (num < 0 || ! d_check_char (di, '_'))
>> +     return -1;
>> +   return num;
>> + }
>> +@@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di)
>> + static struct demangle_component *
>> + d_template_param (struct d_info *di)
>> + {
>> +-  long param;
>> ++  int param;
>> +
>> +   if (! d_check_char (di, 'T'))
>> +     return NULL;
>> +@@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di)
>> + 	}
>> +       else
>> + 	{
>> +-	  index = d_compact_number (di) + 1;
>> +-	  if (index == 0)
>> ++	  index = d_compact_number (di);
>> ++	  if (index == INT_MAX || index == -1)
>> + 	    return NULL;
>> ++	  index ++;
>> + 	}
>> +       return d_make_function_param (di, index);
>> +     }
>> +@@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di)
>> + static int
>> + d_discriminator (struct d_info *di)
>> + {
>> +-  long discrim;
>> ++  int discrim;
>> +
>> +   if (d_peek_char (di) != '_')
>> +     return 1;
>> +@@ -3511,7 +3519,7 @@ static struct demangle_component *
>> + d_unnamed_type (struct d_info *di)
>> + {
>> +   struct demangle_component *ret;
>> +-  long num;
>> ++  int num;
>> +
>> +   if (! d_check_char (di, 'U'))
>> +     return NULL;
>> +@@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp
>> + }
>> +
>> + static inline void
>> +-d_append_num (struct d_print_info *dpi, long l)
>> ++d_append_num (struct d_print_info *dpi, int l)
>> + {
>> +   char buf[25];
>> +-  sprintf (buf,"%ld", l);
>> ++  sprintf (buf,"%d", l);
>> +   d_append_string (dpi, buf);
>> + }
>> +
>> +Index: gcc-5.3.0/libiberty/testsuite/demangle-expected
>> +===================================================================
>> +--- gcc-5.3.0.orig/libiberty/testsuite/demangle-expected
>> ++++ gcc-5.3.0/libiberty/testsuite/demangle-expected
>> +@@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP
>> + _Z1fSsB3fooS_
>> + f(std::string[abi:foo], std::string[abi:foo])
>> + #
>> +-# Tests a use-after-free problem
>> ++# Tests a use-after-free problem PR70481
>> +
>> + _Q.__0
>> + ::Q.(void)
>> + #
>> +-# Tests a use-after-free problem
>> ++# Tests a use-after-free problem PR70481
>> +
>> + _Q10-__9cafebabe.
>> + cafebabe.::-(void)
>> ++#
>> ++# Tests integer overflow problem PR70492
>> ++
>> ++__vt_90000000000cafebabe
>> ++__vt_90000000000cafebabe
>> ++#
>> ++# Tests write access violation PR70498
>> ++
>> ++_Z80800000000000000000000
>> ++_Z80800000000000000000000
>> +Index: gcc-5.3.0/libiberty/ChangeLog
>> +===================================================================
>> +--- gcc-5.3.0.orig/libiberty/ChangeLog
>> ++++ gcc-5.3.0/libiberty/ChangeLog
>> +@@ -1,3 +1,22 @@
>> ++2016-05-02  Marcel Böhme  <boehme.marcel@gmail.com>
>> ++
>> ++   PR c++/70498
>> ++   * cp-demangle.c: Parse numbers as integer instead of long to avoid
>> ++   overflow after sanity checks. Include <limits.h> if available.
>> ++   (INT_MAX): Define if necessary.
>> ++   (d_make_template_param): Takes integer argument instead of long.
>> ++   (d_make_function_param): Likewise.
>> ++   (d_append_num): Likewise.
>> ++   (d_identifier): Likewise.
>> ++   (d_number): Parse as and return integer.
>> ++   (d_compact_number): Handle overflow.
>> ++   (d_source_name): Change variable type to integer for parsed number.
>> ++   (d_java_resource): Likewise.
>> ++   (d_special_name): Likewise.
>> ++   (d_discriminator): Likewise.
>> ++   (d_unnamed_type): Likewise.
>> ++   * testsuite/demangle-expected: Add regression test cases.
>> ++
>> + 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
>> +
>> + 	PR c++/69687
>> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core




* Re: [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490
  2016-05-13 18:07     ` Khem Raj
@ 2016-05-13 20:52       ` akuster808
  2016-05-13 21:04         ` Khem Raj
  0 siblings, 1 reply; 10+ messages in thread
From: akuster808 @ 2016-05-13 20:52 UTC (permalink / raw)
  To: Khem Raj; +Cc: openembedded-core



On 05/13/2016 11:07 AM, Khem Raj wrote:
> Thanks for noting. We will update gcc-6 to the latest on the gcc-6 branch sometime later and hopefully it will come in;
> please keep an eye on it.

sure, np

So here is the problem. Per process, this fix cannot be propagated to
any stable branch until master has the solution.

Now I believe there are times for exceptions and this is one of them. We
are in the middle of a major package update and odds are this issue
will resolve itself before the 2.2 code freeze. It will become an issue if
it is still open at that point. A new patch will be required then.

So I hope folks won't have too much of an issue if this fix is in the
stable branches while we manage what happens in master in this case.

- Armin


> 
>> On May 13, 2016, at 9:16 AM, akuster808 <akuster808@gmail.com> wrote:
>>
>> this fix is not in gcc 6.0
>>
>> On 05/06/2016 12:11 AM, Armin Kuster wrote:
>>> From: Armin Kuster <akuster@mvista.com>
>>>
>>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>>> ---
>>> meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
>>> .../gcc/gcc-5.3/CVE-2016-4490.patch                | 270 +++++++++++++++++++++
>>> 2 files changed, 271 insertions(+)
>>> create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>>>
>>> diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
>>> index 5fede2a..445d003 100644
>>> --- a/meta/recipes-devtools/gcc/gcc-5.3.inc
>>> +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
>>> @@ -91,6 +91,7 @@ SRC_URI = "\
>>>            file://CVE-2016-4488.patch \
>>>            file://CVE-2016-4489.patch \
>>>            file://CVE-2016-2226.patch \
>>> +           file://CVE-2016-4490.patch \
>>> "
>>>
>>> BACKPORTS = ""
>>> diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>>> new file mode 100644
>>> index 0000000..4a9ed69
>>> --- /dev/null
>>> +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>>> @@ -0,0 +1,270 @@
>>> +From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
>>> +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
>>> +Date: Mon, 2 May 2016 17:06:40 +0000
>>> +Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
>>> + =?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
>>> +MIME-Version: 1.0
>>> +Content-Type: text/plain; charset=UTF-8
>>> +Content-Transfer-Encoding: 8bit
>>> +
>>> +	PR c++/70498
>>> +	* cp-demangle.c: Parse numbers as integer instead of long to avoid
>>> +	overflow after sanity checks. Include <limits.h> if available.
>>> +	(INT_MAX): Define if necessary.
>>> +	(d_make_template_param): Takes integer argument instead of long.
>>> +	(d_make_function_param): Likewise.
>>> +	(d_append_num): Likewise.
>>> +	(d_identifier): Likewise.
>>> +	(d_number): Parse as and return integer.
>>> +	(d_compact_number): Handle overflow.
>>> +	(d_source_name): Change variable type to integer for parsed number.
>>> +	(d_java_resource): Likewise.
>>> +	(d_special_name): Likewise.
>>> +	(d_discriminator): Likewise.
>>> +	(d_unnamed_type): Likewise.
>>> +	* testsuite/demangle-expected: Add regression test cases.
>>> +
>>> +
>>> +
>>> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
>>> +
>>> +Upstream-Status: Backport
>>> +
>>> +CVE: CVE-2016-4490
>>> +hand applied ChangeLog
>>> +
>>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>>> +
>>> +---
>>> + libiberty/ChangeLog                   | 19 +++++++++++++
>>> + libiberty/cp-demangle.c               | 52 ++++++++++++++++++++---------------
>>> + libiberty/testsuite/demangle-expected | 14 ++++++++--
>>> + 3 files changed, 61 insertions(+), 24 deletions(-)
>>> +
>>> +Index: gcc-5.3.0/libiberty/cp-demangle.c
>>> +===================================================================
>>> +--- gcc-5.3.0.orig/libiberty/cp-demangle.c
>>> ++++ gcc-5.3.0/libiberty/cp-demangle.c
>>> +@@ -124,6 +124,13 @@ extern char *alloca ();
>>> + # endif /* alloca */
>>> + #endif /* HAVE_ALLOCA_H */
>>> +
>>> ++#ifdef HAVE_LIMITS_H
>>> ++#include <limits.h>
>>> ++#endif
>>> ++#ifndef INT_MAX
>>> ++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */
>>> ++#endif
>>> ++
>>> + #include "ansidecl.h"
>>> + #include "libiberty.h"
>>> + #include "demangle.h"
>>> +@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v
>>> +              struct demangle_component *);
>>> +
>>> + static struct demangle_component *
>>> +-d_make_template_param (struct d_info *, long);
>>> ++d_make_template_param (struct d_info *, int);
>>> +
>>> + static struct demangle_component *
>>> + d_make_sub (struct d_info *, const char *, int);
>>> +@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu
>>> +
>>> + static struct demangle_component *d_source_name (struct d_info *);
>>> +
>>> +-static long d_number (struct d_info *);
>>> ++static int d_number (struct d_info *);
>>> +
>>> + static struct demangle_component *d_identifier (struct d_info *, int);
>>> +
>>> +@@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu
>>> + /* Add a new template parameter.  */
>>> +
>>> + static struct demangle_component *
>>> +-d_make_template_param (struct d_info *di, long i)
>>> ++d_make_template_param (struct d_info *di, int i)
>>> + {
>>> +   struct demangle_component *p;
>>> +
>>> +@@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di
>>> + /* Add a new function parameter.  */
>>> +
>>> + static struct demangle_component *
>>> +-d_make_function_param (struct d_info *di, long i)
>>> ++d_make_function_param (struct d_info *di, int i)
>>> + {
>>> +   struct demangle_component *p;
>>> +
>>> +@@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di)
>>> + static struct demangle_component *
>>> + d_source_name (struct d_info *di)
>>> + {
>>> +-  long len;
>>> ++  int len;
>>> +   struct demangle_component *ret;
>>> +
>>> +   len = d_number (di);
>>> +@@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di)
>>> +
>>> + /* number ::= [n] <(non-negative decimal integer)>  */
>>> +
>>> +-static long
>>> ++static int
>>> + d_number (struct d_info *di)
>>> + {
>>> +   int negative;
>>> +   char peek;
>>> +-  long ret;
>>> ++  int ret;
>>> +
>>> +   negative = 0;
>>> +   peek = d_peek_char (di);
>>> +@@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di)
>>> + {
>>> +   struct demangle_component *p = NULL;
>>> +   struct demangle_component *next = NULL;
>>> +-  long len, i;
>>> ++  int len, i;
>>> +   char c;
>>> +   const char *str;
>>> +
>>> +@@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di)
>>> + 	case 'C':
>>> + 	  {
>>> + 	    struct demangle_component *derived_type;
>>> +-	    long offset;
>>> ++	    int offset;
>>> + 	    struct demangle_component *base_type;
>>> +
>>> + 	    derived_type = cplus_demangle_type (di);
>>> +@@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info
>>> +
>>> + /* <non-negative number> _ */
>>> +
>>> +-static long
>>> ++static int
>>> + d_compact_number (struct d_info *di)
>>> + {
>>> +-  long num;
>>> ++  int num;
>>> +   if (d_peek_char (di) == '_')
>>> +     num = 0;
>>> +   else if (d_peek_char (di) == 'n')
>>> +@@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di)
>>> +   else
>>> +     num = d_number (di) + 1;
>>> +
>>> +-  if (! d_check_char (di, '_'))
>>> ++  if (num < 0 || ! d_check_char (di, '_'))
>>> +     return -1;
>>> +   return num;
>>> + }
>>> +@@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di)
>>> + static struct demangle_component *
>>> + d_template_param (struct d_info *di)
>>> + {
>>> +-  long param;
>>> ++  int param;
>>> +
>>> +   if (! d_check_char (di, 'T'))
>>> +     return NULL;
>>> +@@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di)
>>> + 	}
>>> +       else
>>> + 	{
>>> +-	  index = d_compact_number (di) + 1;
>>> +-	  if (index == 0)
>>> ++	  index = d_compact_number (di);
>>> ++	  if (index == INT_MAX || index == -1)
>>> + 	    return NULL;
>>> ++	  index ++;
>>> + 	}
>>> +       return d_make_function_param (di, index);
>>> +     }
>>> +@@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di)
>>> + static int
>>> + d_discriminator (struct d_info *di)
>>> + {
>>> +-  long discrim;
>>> ++  int discrim;
>>> +
>>> +   if (d_peek_char (di) != '_')
>>> +     return 1;
>>> +@@ -3511,7 +3519,7 @@ static struct demangle_component *
>>> + d_unnamed_type (struct d_info *di)
>>> + {
>>> +   struct demangle_component *ret;
>>> +-  long num;
>>> ++  int num;
>>> +
>>> +   if (! d_check_char (di, 'U'))
>>> +     return NULL;
>>> +@@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp
>>> + }
>>> +
>>> + static inline void
>>> +-d_append_num (struct d_print_info *dpi, long l)
>>> ++d_append_num (struct d_print_info *dpi, int l)
>>> + {
>>> +   char buf[25];
>>> +-  sprintf (buf,"%ld", l);
>>> ++  sprintf (buf,"%d", l);
>>> +   d_append_string (dpi, buf);
>>> + }
>>> +
>>> +Index: gcc-5.3.0/libiberty/testsuite/demangle-expected
>>> +===================================================================
>>> +--- gcc-5.3.0.orig/libiberty/testsuite/demangle-expected
>>> ++++ gcc-5.3.0/libiberty/testsuite/demangle-expected
>>> +@@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP
>>> + _Z1fSsB3fooS_
>>> + f(std::string[abi:foo], std::string[abi:foo])
>>> + #
>>> +-# Tests a use-after-free problem
>>> ++# Tests a use-after-free problem PR70481
>>> +
>>> + _Q.__0
>>> + ::Q.(void)
>>> + #
>>> +-# Tests a use-after-free problem
>>> ++# Tests a use-after-free problem PR70481
>>> +
>>> + _Q10-__9cafebabe.
>>> + cafebabe.::-(void)
>>> ++#
>>> ++# Tests integer overflow problem PR70492
>>> ++
>>> ++__vt_90000000000cafebabe
>>> ++__vt_90000000000cafebabe
>>> ++#
>>> ++# Tests write access violation PR70498
>>> ++
>>> ++_Z80800000000000000000000
>>> ++_Z80800000000000000000000
>>> +Index: gcc-5.3.0/libiberty/ChangeLog
>>> +===================================================================
>>> +--- gcc-5.3.0.orig/libiberty/ChangeLog
>>> ++++ gcc-5.3.0/libiberty/ChangeLog
>>> +@@ -1,3 +1,22 @@
>>> ++2016-05-02  Marcel Böhme  <boehme.marcel@gmail.com>
>>> ++
>>> ++   PR c++/70498
>>> ++   * cp-demangle.c: Parse numbers as integer instead of long to avoid
>>> ++   overflow after sanity checks. Include <limits.h> if available.
>>> ++   (INT_MAX): Define if necessary.
>>> ++   (d_make_template_param): Takes integer argument instead of long.
>>> ++   (d_make_function_param): Likewise.
>>> ++   (d_append_num): Likewise.
>>> ++   (d_identifier): Likewise.
>>> ++   (d_number): Parse as and return integer.
>>> ++   (d_compact_number): Handle overflow.
>>> ++   (d_source_name): Change variable type to integer for parsed number.
>>> ++   (d_java_resource): Likewise.
>>> ++   (d_special_name): Likewise.
>>> ++   (d_discriminator): Likewise.
>>> ++   (d_unnamed_type): Likewise.
>>> ++   * testsuite/demangle-expected: Add regression test cases.
>>> ++
>>> + 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
>>> +
>>> + 	PR c++/69687
>>>
> 



* Re: [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490
  2016-05-13 20:52       ` akuster808
@ 2016-05-13 21:04         ` Khem Raj
  2016-05-14  3:26           ` akuster808
  0 siblings, 1 reply; 10+ messages in thread
From: Khem Raj @ 2016-05-13 21:04 UTC (permalink / raw)
  To: akuster808; +Cc: Patches and discussions about the oe-core layer

On Fri, May 13, 2016 at 1:52 PM, akuster808 <akuster808@gmail.com> wrote:
>
>
> On 05/13/2016 11:07 AM, Khem Raj wrote:
>> Thanks for noting. We will update gcc-6 to the latest on the gcc-6 branch sometime later and hopefully it will come in;
>> please keep an eye on it.
>
> sure, np
>
> So here is the problem. Per process, this fix cannot be propagated to
> any stable branch until master has the solution.
>
> Now I believe there are times for exceptions and this is one of them. We
> are in the middle of a major package update and odds are this issue
> will resolve itself before the 2.2 code freeze. It will become an issue if
> it is still open at that point. A new patch will be required then.
>
> So I hope folks won't have too much of an issue if this fix is in the
> stable branches while we manage what happens in master in this case.

I guess it's OK as long as we keep track of it.


>
> - Armin
>
>
>>
>>> On May 13, 2016, at 9:16 AM, akuster808 <akuster808@gmail.com> wrote:
>>>
>>> this fix is not in gcc 6.0
>>>
>>> On 05/06/2016 12:11 AM, Armin Kuster wrote:
>>>> From: Armin Kuster <akuster@mvista.com>
>>>>
>>>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>>>> ---
>>>> meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
>>>> .../gcc/gcc-5.3/CVE-2016-4490.patch                | 270 +++++++++++++++++++++
>>>> 2 files changed, 271 insertions(+)
>>>> create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>>>>
>>>> diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
>>>> index 5fede2a..445d003 100644
>>>> --- a/meta/recipes-devtools/gcc/gcc-5.3.inc
>>>> +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
>>>> @@ -91,6 +91,7 @@ SRC_URI = "\
>>>>            file://CVE-2016-4488.patch \
>>>>            file://CVE-2016-4489.patch \
>>>>            file://CVE-2016-2226.patch \
>>>> +           file://CVE-2016-4490.patch \
>>>> "
>>>>
>>>> BACKPORTS = ""
>>>> diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>>>> new file mode 100644
>>>> index 0000000..4a9ed69
>>>> --- /dev/null
>>>> +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>>>> @@ -0,0 +1,270 @@
>>>> +From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
>>>> +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
>>>> +Date: Mon, 2 May 2016 17:06:40 +0000
>>>> +Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
>>>> + =?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
>>>> +MIME-Version: 1.0
>>>> +Content-Type: text/plain; charset=UTF-8
>>>> +Content-Transfer-Encoding: 8bit
>>>> +
>>>> +   PR c++/70498
>>>> +   * cp-demangle.c: Parse numbers as integer instead of long to avoid
>>>> +   overflow after sanity checks. Include <limits.h> if available.
>>>> +   (INT_MAX): Define if necessary.
>>>> +   (d_make_template_param): Takes integer argument instead of long.
>>>> +   (d_make_function_param): Likewise.
>>>> +   (d_append_num): Likewise.
>>>> +   (d_identifier): Likewise.
>>>> +   (d_number): Parse as and return integer.
>>>> +   (d_compact_number): Handle overflow.
>>>> +   (d_source_name): Change variable type to integer for parsed number.
>>>> +   (d_java_resource): Likewise.
>>>> +   (d_special_name): Likewise.
>>>> +   (d_discriminator): Likewise.
>>>> +   (d_unnamed_type): Likewise.
>>>> +   * testsuite/demangle-expected: Add regression test cases.
>>>> +
>>>> +
>>>> +
>>>> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
>>>> +
>>>> +Upstream-Status: Backport
>>>> +
>>>> +CVE: CVE-2016-4490
>>>> +hand applied ChangeLog
>>>> +
>>>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>>>> +
>>>> +---
>>>> + libiberty/ChangeLog                   | 19 +++++++++++++
>>>> + libiberty/cp-demangle.c               | 52 ++++++++++++++++++++---------------
>>>> + libiberty/testsuite/demangle-expected | 14 ++++++++--
>>>> + 3 files changed, 61 insertions(+), 24 deletions(-)
>>>> +
>>>> +Index: gcc-5.3.0/libiberty/cp-demangle.c
>>>> +===================================================================
>>>> +--- gcc-5.3.0.orig/libiberty/cp-demangle.c
>>>> ++++ gcc-5.3.0/libiberty/cp-demangle.c
>>>> +@@ -124,6 +124,13 @@ extern char *alloca ();
>>>> + # endif /* alloca */
>>>> + #endif /* HAVE_ALLOCA_H */
>>>> +
>>>> ++#ifdef HAVE_LIMITS_H
>>>> ++#include <limits.h>
>>>> ++#endif
>>>> ++#ifndef INT_MAX
>>>> ++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */
>>>> ++#endif
>>>> ++
>>>> + #include "ansidecl.h"
>>>> + #include "libiberty.h"
>>>> + #include "demangle.h"
>>>> +@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v
>>>> +              struct demangle_component *);
>>>> +
>>>> + static struct demangle_component *
>>>> +-d_make_template_param (struct d_info *, long);
>>>> ++d_make_template_param (struct d_info *, int);
>>>> +
>>>> + static struct demangle_component *
>>>> + d_make_sub (struct d_info *, const char *, int);
>>>> +@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu
>>>> +
>>>> + static struct demangle_component *d_source_name (struct d_info *);
>>>> +
>>>> +-static long d_number (struct d_info *);
>>>> ++static int d_number (struct d_info *);
>>>> +
>>>> + static struct demangle_component *d_identifier (struct d_info *, int);
>>>> +
>>>> +@@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu
>>>> + /* Add a new template parameter.  */
>>>> +
>>>> + static struct demangle_component *
>>>> +-d_make_template_param (struct d_info *di, long i)
>>>> ++d_make_template_param (struct d_info *di, int i)
>>>> + {
>>>> +   struct demangle_component *p;
>>>> +
>>>> +@@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di
>>>> + /* Add a new function parameter.  */
>>>> +
>>>> + static struct demangle_component *
>>>> +-d_make_function_param (struct d_info *di, long i)
>>>> ++d_make_function_param (struct d_info *di, int i)
>>>> + {
>>>> +   struct demangle_component *p;
>>>> +
>>>> +@@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di)
>>>> + static struct demangle_component *
>>>> + d_source_name (struct d_info *di)
>>>> + {
>>>> +-  long len;
>>>> ++  int len;
>>>> +   struct demangle_component *ret;
>>>> +
>>>> +   len = d_number (di);
>>>> +@@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di)
>>>> +
>>>> + /* number ::= [n] <(non-negative decimal integer)>  */
>>>> +
>>>> +-static long
>>>> ++static int
>>>> + d_number (struct d_info *di)
>>>> + {
>>>> +   int negative;
>>>> +   char peek;
>>>> +-  long ret;
>>>> ++  int ret;
>>>> +
>>>> +   negative = 0;
>>>> +   peek = d_peek_char (di);
>>>> +@@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di)
>>>> + {
>>>> +   struct demangle_component *p = NULL;
>>>> +   struct demangle_component *next = NULL;
>>>> +-  long len, i;
>>>> ++  int len, i;
>>>> +   char c;
>>>> +   const char *str;
>>>> +
>>>> +@@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di)
>>>> +   case 'C':
>>>> +     {
>>>> +       struct demangle_component *derived_type;
>>>> +-      long offset;
>>>> ++      int offset;
>>>> +       struct demangle_component *base_type;
>>>> +
>>>> +       derived_type = cplus_demangle_type (di);
>>>> +@@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info
>>>> +
>>>> + /* <non-negative number> _ */
>>>> +
>>>> +-static long
>>>> ++static int
>>>> + d_compact_number (struct d_info *di)
>>>> + {
>>>> +-  long num;
>>>> ++  int num;
>>>> +   if (d_peek_char (di) == '_')
>>>> +     num = 0;
>>>> +   else if (d_peek_char (di) == 'n')
>>>> +@@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di)
>>>> +   else
>>>> +     num = d_number (di) + 1;
>>>> +
>>>> +-  if (! d_check_char (di, '_'))
>>>> ++  if (num < 0 || ! d_check_char (di, '_'))
>>>> +     return -1;
>>>> +   return num;
>>>> + }
>>>> +@@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di)
>>>> + static struct demangle_component *
>>>> + d_template_param (struct d_info *di)
>>>> + {
>>>> +-  long param;
>>>> ++  int param;
>>>> +
>>>> +   if (! d_check_char (di, 'T'))
>>>> +     return NULL;
>>>> +@@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di)
>>>> +   }
>>>> +       else
>>>> +   {
>>>> +-    index = d_compact_number (di) + 1;
>>>> +-    if (index == 0)
>>>> ++    index = d_compact_number (di);
>>>> ++    if (index == INT_MAX || index == -1)
>>>> +       return NULL;
>>>> ++    index ++;
>>>> +   }
>>>> +       return d_make_function_param (di, index);
>>>> +     }
>>>> +@@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di)
>>>> + static int
>>>> + d_discriminator (struct d_info *di)
>>>> + {
>>>> +-  long discrim;
>>>> ++  int discrim;
>>>> +
>>>> +   if (d_peek_char (di) != '_')
>>>> +     return 1;
>>>> +@@ -3511,7 +3519,7 @@ static struct demangle_component *
>>>> + d_unnamed_type (struct d_info *di)
>>>> + {
>>>> +   struct demangle_component *ret;
>>>> +-  long num;
>>>> ++  int num;
>>>> +
>>>> +   if (! d_check_char (di, 'U'))
>>>> +     return NULL;
>>>> +@@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp
>>>> + }
>>>> +
>>>> + static inline void
>>>> +-d_append_num (struct d_print_info *dpi, long l)
>>>> ++d_append_num (struct d_print_info *dpi, int l)
>>>> + {
>>>> +   char buf[25];
>>>> +-  sprintf (buf,"%ld", l);
>>>> ++  sprintf (buf,"%d", l);
>>>> +   d_append_string (dpi, buf);
>>>> + }
>>>> +
>>>> +Index: gcc-5.3.0/libiberty/testsuite/demangle-expected
>>>> +===================================================================
>>>> +--- gcc-5.3.0.orig/libiberty/testsuite/demangle-expected
>>>> ++++ gcc-5.3.0/libiberty/testsuite/demangle-expected
>>>> +@@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP
>>>> + _Z1fSsB3fooS_
>>>> + f(std::string[abi:foo], std::string[abi:foo])
>>>> + #
>>>> +-# Tests a use-after-free problem
>>>> ++# Tests a use-after-free problem PR70481
>>>> +
>>>> + _Q.__0
>>>> + ::Q.(void)
>>>> + #
>>>> +-# Tests a use-after-free problem
>>>> ++# Tests a use-after-free problem PR70481
>>>> +
>>>> + _Q10-__9cafebabe.
>>>> + cafebabe.::-(void)
>>>> ++#
>>>> ++# Tests integer overflow problem PR70492
>>>> ++
>>>> ++__vt_90000000000cafebabe
>>>> ++__vt_90000000000cafebabe
>>>> ++#
>>>> ++# Tests write access violation PR70498
>>>> ++
>>>> ++_Z80800000000000000000000
>>>> ++_Z80800000000000000000000
>>>> +Index: gcc-5.3.0/libiberty/ChangeLog
>>>> +===================================================================
>>>> +--- gcc-5.3.0.orig/libiberty/ChangeLog
>>>> ++++ gcc-5.3.0/libiberty/ChangeLog
>>>> +@@ -1,3 +1,22 @@
>>>> ++2016-05-02  Marcel Böhme  <boehme.marcel@gmail.com>
>>>> ++
>>>> ++   PR c++/70498
>>>> ++   * cp-demangle.c: Parse numbers as integer instead of long to avoid
>>>> ++   overflow after sanity checks. Include <limits.h> if available.
>>>> ++   (INT_MAX): Define if necessary.
>>>> ++   (d_make_template_param): Takes integer argument instead of long.
>>>> ++   (d_make_function_param): Likewise.
>>>> ++   (d_append_num): Likewise.
>>>> ++   (d_identifier): Likewise.
>>>> ++   (d_number): Parse as and return integer.
>>>> ++   (d_compact_number): Handle overflow.
>>>> ++   (d_source_name): Change variable type to integer for parsed number.
>>>> ++   (d_java_resource): Likewise.
>>>> ++   (d_special_name): Likewise.
>>>> ++   (d_discriminator): Likewise.
>>>> ++   (d_unnamed_type): Likewise.
>>>> ++   * testsuite/demangle-expected: Add regression test cases.
>>>> ++
>>>> + 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
>>>> +
>>>> +   PR c++/69687
>>>>
>>



* Re: [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490
  2016-05-13 21:04         ` Khem Raj
@ 2016-05-14  3:26           ` akuster808
  0 siblings, 0 replies; 10+ messages in thread
From: akuster808 @ 2016-05-14  3:26 UTC (permalink / raw)
  To: Khem Raj; +Cc: Patches and discussions about the oe-core layer



On 05/13/2016 02:04 PM, Khem Raj wrote:
> On Fri, May 13, 2016 at 1:52 PM, akuster808 <akuster808@gmail.com> wrote:
>>
>>
>> On 05/13/2016 11:07 AM, Khem Raj wrote:
>>> Thanks for noting. We will update gcc-6 to latest on gcc-6 branch sometime later and hopefully it will come in.
>>> Please keep an eye on it.
>>
>> sure, np
>>
>> So here is the problem. Per process, this fix can not be propagated to
>> any stable branch until Master has the solution.
>>
>> Now I believe there are times for exceptions and this is one of them. We
>> are in the middle of a major package update and odds are this issue
>> will resolve itself before 2.2 code freeze. It will become an issue if
>> it is still open at that point. A new patch will be required then.
>>
>> So I hope folks won't have too much of an issue if this fix is in the
>> stable branches while we manage what happens in master in this case.
> 
> I guess it's ok as long as we keep track of it.

Yocto bug 9632 opened to track that action.

- armin

>
> 
> 
>>
>> - Armin
>>
>>
>>>
>>>> On May 13, 2016, at 9:16 AM, akuster808 <akuster808@gmail.com> wrote:
>>>>
>>>> this fix is not in gcc 6.0
>>>>
>>>> On 05/06/2016 12:11 AM, Armin Kuster wrote:
>>>>> From: Armin Kuster <akuster@mvista.com>
>>>>>
>>>>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>>>>> ---
>>>>> meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
>>>>> .../gcc/gcc-5.3/CVE-2016-4490.patch                | 270 +++++++++++++++++++++
>>>>> 2 files changed, 271 insertions(+)
>>>>> create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>>>>>
>>>>> diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
>>>>> index 5fede2a..445d003 100644
>>>>> --- a/meta/recipes-devtools/gcc/gcc-5.3.inc
>>>>> +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
>>>>> @@ -91,6 +91,7 @@ SRC_URI = "\
>>>>>            file://CVE-2016-4488.patch \
>>>>>            file://CVE-2016-4489.patch \
>>>>>            file://CVE-2016-2226.patch \
>>>>> +           file://CVE-2016-4490.patch \
>>>>> "
>>>>>
>>>>> BACKPORTS = ""
>>>>> diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>>>>> new file mode 100644
>>>>> index 0000000..4a9ed69
>>>>> --- /dev/null
>>>>> +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
>>>>> @@ -0,0 +1,270 @@
>>>>> +From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
>>>>> +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
>>>>> +Date: Mon, 2 May 2016 17:06:40 +0000
>>>>> +Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
>>>>> + =?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
>>>>> +MIME-Version: 1.0
>>>>> +Content-Type: text/plain; charset=UTF-8
>>>>> +Content-Transfer-Encoding: 8bit
>>>>> +
>>>>> +   PR c++/70498
>>>>> +   * cp-demangle.c: Parse numbers as integer instead of long to avoid
>>>>> +   overflow after sanity checks. Include <limits.h> if available.
>>>>> +   (INT_MAX): Define if necessary.
>>>>> +   (d_make_template_param): Takes integer argument instead of long.
>>>>> +   (d_make_function_param): Likewise.
>>>>> +   (d_append_num): Likewise.
>>>>> +   (d_identifier): Likewise.
>>>>> +   (d_number): Parse as and return integer.
>>>>> +   (d_compact_number): Handle overflow.
>>>>> +   (d_source_name): Change variable type to integer for parsed number.
>>>>> +   (d_java_resource): Likewise.
>>>>> +   (d_special_name): Likewise.
>>>>> +   (d_discriminator): Likewise.
>>>>> +   (d_unnamed_type): Likewise.
>>>>> +   * testsuite/demangle-expected: Add regression test cases.
>>>>> +
>>>>> +
>>>>> +
>>>>> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
>>>>> +
>>>>> +Upstream-Status: Backport
>>>>> +
>>>>> +CVE: CVE-2016-4490
>>>>> +hand applied ChangeLog
>>>>> +
>>>>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>>>>> +
>>>>> +---
>>>>> + libiberty/ChangeLog                   | 19 +++++++++++++
>>>>> + libiberty/cp-demangle.c               | 52 ++++++++++++++++++++---------------
>>>>> + libiberty/testsuite/demangle-expected | 14 ++++++++--
>>>>> + 3 files changed, 61 insertions(+), 24 deletions(-)
>>>>> +
>>>>> +Index: gcc-5.3.0/libiberty/cp-demangle.c
>>>>> +===================================================================
>>>>> +--- gcc-5.3.0.orig/libiberty/cp-demangle.c
>>>>> ++++ gcc-5.3.0/libiberty/cp-demangle.c
>>>>> +@@ -124,6 +124,13 @@ extern char *alloca ();
>>>>> + # endif /* alloca */
>>>>> + #endif /* HAVE_ALLOCA_H */
>>>>> +
>>>>> ++#ifdef HAVE_LIMITS_H
>>>>> ++#include <limits.h>
>>>>> ++#endif
>>>>> ++#ifndef INT_MAX
>>>>> ++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */
>>>>> ++#endif
>>>>> ++
>>>>> + #include "ansidecl.h"
>>>>> + #include "libiberty.h"
>>>>> + #include "demangle.h"
>>>>> +@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v
>>>>> +              struct demangle_component *);
>>>>> +
>>>>> + static struct demangle_component *
>>>>> +-d_make_template_param (struct d_info *, long);
>>>>> ++d_make_template_param (struct d_info *, int);
>>>>> +
>>>>> + static struct demangle_component *
>>>>> + d_make_sub (struct d_info *, const char *, int);
>>>>> +@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu
>>>>> +
>>>>> + static struct demangle_component *d_source_name (struct d_info *);
>>>>> +
>>>>> +-static long d_number (struct d_info *);
>>>>> ++static int d_number (struct d_info *);
>>>>> +
>>>>> + static struct demangle_component *d_identifier (struct d_info *, int);
>>>>> +
>>>>> +@@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu
>>>>> + /* Add a new template parameter.  */
>>>>> +
>>>>> + static struct demangle_component *
>>>>> +-d_make_template_param (struct d_info *di, long i)
>>>>> ++d_make_template_param (struct d_info *di, int i)
>>>>> + {
>>>>> +   struct demangle_component *p;
>>>>> +
>>>>> +@@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di
>>>>> + /* Add a new function parameter.  */
>>>>> +
>>>>> + static struct demangle_component *
>>>>> +-d_make_function_param (struct d_info *di, long i)
>>>>> ++d_make_function_param (struct d_info *di, int i)
>>>>> + {
>>>>> +   struct demangle_component *p;
>>>>> +
>>>>> +@@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di)
>>>>> + static struct demangle_component *
>>>>> + d_source_name (struct d_info *di)
>>>>> + {
>>>>> +-  long len;
>>>>> ++  int len;
>>>>> +   struct demangle_component *ret;
>>>>> +
>>>>> +   len = d_number (di);
>>>>> +@@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di)
>>>>> +
>>>>> + /* number ::= [n] <(non-negative decimal integer)>  */
>>>>> +
>>>>> +-static long
>>>>> ++static int
>>>>> + d_number (struct d_info *di)
>>>>> + {
>>>>> +   int negative;
>>>>> +   char peek;
>>>>> +-  long ret;
>>>>> ++  int ret;
>>>>> +
>>>>> +   negative = 0;
>>>>> +   peek = d_peek_char (di);
>>>>> +@@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di)
>>>>> + {
>>>>> +   struct demangle_component *p = NULL;
>>>>> +   struct demangle_component *next = NULL;
>>>>> +-  long len, i;
>>>>> ++  int len, i;
>>>>> +   char c;
>>>>> +   const char *str;
>>>>> +
>>>>> +@@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di)
>>>>> +   case 'C':
>>>>> +     {
>>>>> +       struct demangle_component *derived_type;
>>>>> +-      long offset;
>>>>> ++      int offset;
>>>>> +       struct demangle_component *base_type;
>>>>> +
>>>>> +       derived_type = cplus_demangle_type (di);
>>>>> +@@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info
>>>>> +
>>>>> + /* <non-negative number> _ */
>>>>> +
>>>>> +-static long
>>>>> ++static int
>>>>> + d_compact_number (struct d_info *di)
>>>>> + {
>>>>> +-  long num;
>>>>> ++  int num;
>>>>> +   if (d_peek_char (di) == '_')
>>>>> +     num = 0;
>>>>> +   else if (d_peek_char (di) == 'n')
>>>>> +@@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di)
>>>>> +   else
>>>>> +     num = d_number (di) + 1;
>>>>> +
>>>>> +-  if (! d_check_char (di, '_'))
>>>>> ++  if (num < 0 || ! d_check_char (di, '_'))
>>>>> +     return -1;
>>>>> +   return num;
>>>>> + }
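Review bot: the new `num < 0` test in `if (num < 0 || ! d_check_char (di, '_'))` runs after `num = d_number (di) + 1;`, so it can only catch an overflow by observing the wrapped result, and signed overflow in C is undefined behaviour rather than a guaranteed wrap to a negative value. Whether `d_number` can return `INT_MAX` is not visible in this hunk (only its return type changes here), so either compare the `d_number` result against `INT_MAX` before the `+ 1`, the way the `d_expression_1` hunk below treats the result of `d_compact_number`, or add a comment explaining why `d_number` cannot return a value that makes the increment overflow. The `num < 0` guard is still worth keeping, since it also rejects a negative result from `d_number`.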
>>>>> +@@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di)
>>>>> + static struct demangle_component *
>>>>> + d_template_param (struct d_info *di)
>>>>> + {
>>>>> +-  long param;
>>>>> ++  int param;
>>>>> +
>>>>> +   if (! d_check_char (di, 'T'))
>>>>> +     return NULL;
>>>>> +@@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di)
>>>>> +   }
>>>>> +       else
>>>>> +   {
>>>>> +-    index = d_compact_number (di) + 1;
>>>>> +-    if (index == 0)
>>>>> ++    index = d_compact_number (di);
>>>>> ++    if (index == INT_MAX || index == -1)
>>>>> +       return NULL;
>>>>> ++    index ++;
>>>>> +   }
>>>>> +       return d_make_function_param (di, index);
>>>>> +     }
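Review bot: the ordering in this hunk is the whole fix and deserves a comment: `index == INT_MAX` is rejected before `index ++`, so a compact number that parses as exactly `INT_MAX` can no longer wrap to a negative parameter index, and `index == -1` is the error value `d_compact_number` returns. A one-line comment above the `if` saying that both the error sentinel and the largest representable value are rejected before the increment would stop a later cleanup from folding the `++` back into the assignment, which is exactly the form (`index = d_compact_number (di) + 1;`) this hunk removes.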
>>>>> +@@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di)
>>>>> + static int
>>>>> + d_discriminator (struct d_info *di)
>>>>> + {
>>>>> +-  long discrim;
>>>>> ++  int discrim;
>>>>> +
>>>>> +   if (d_peek_char (di) != '_')
>>>>> +     return 1;
>>>>> +@@ -3511,7 +3519,7 @@ static struct demangle_component *
>>>>> + d_unnamed_type (struct d_info *di)
>>>>> + {
>>>>> +   struct demangle_component *ret;
>>>>> +-  long num;
>>>>> ++  int num;
>>>>> +
>>>>> +   if (! d_check_char (di, 'U'))
>>>>> +     return NULL;
>>>>> +@@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp
>>>>> + }
>>>>> +
>>>>> + static inline void
>>>>> +-d_append_num (struct d_print_info *dpi, long l)
>>>>> ++d_append_num (struct d_print_info *dpi, int l)
>>>>> + {
>>>>> +   char buf[25];
>>>>> +-  sprintf (buf,"%ld", l);
>>>>> ++  sprintf (buf,"%d", l);
>>>>> +   d_append_string (dpi, buf);
>>>>> + }
>>>>> +
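Review bot: no further change is needed for `d_append_num`: with the parameter narrowed to `int`, the 25-byte `buf` has room to spare for the `%d` conversion (a 32-bit `int` needs at most 12 bytes including sign and terminator, and even a 64-bit `int` would fit), so the `sprintf` cannot overrun. The `%ld` to `%d` change is required, not cosmetic, because passing an `int` to `%ld` would be a format mismatch after the signature change.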
>>>>> +Index: gcc-5.3.0/libiberty/testsuite/demangle-expected
>>>>> +===================================================================
>>>>> +--- gcc-5.3.0.orig/libiberty/testsuite/demangle-expected
>>>>> ++++ gcc-5.3.0/libiberty/testsuite/demangle-expected
>>>>> +@@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP
>>>>> + _Z1fSsB3fooS_
>>>>> + f(std::string[abi:foo], std::string[abi:foo])
>>>>> + #
>>>>> +-# Tests a use-after-free problem
>>>>> ++# Tests a use-after-free problem PR70481
>>>>> +
>>>>> + _Q.__0
>>>>> + ::Q.(void)
>>>>> + #
>>>>> +-# Tests a use-after-free problem
>>>>> ++# Tests a use-after-free problem PR70481
>>>>> +
>>>>> + _Q10-__9cafebabe.
>>>>> + cafebabe.::-(void)
>>>>> ++#
>>>>> ++# Tests integer overflow problem PR70492
>>>>> ++
>>>>> ++__vt_90000000000cafebabe
>>>>> ++__vt_90000000000cafebabe
>>>>> ++#
>>>>> ++# Tests write access violation PR70498
>>>>> ++
>>>>> ++_Z80800000000000000000000
>>>>> ++_Z80800000000000000000000
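Review bot: the ChangeLog entry in this patch cites only PR c++/70498, while the testsuite headers added and edited here reference PR70481, PR70492 and PR70498. If the three PRs are intentionally covered by one backport, listing them in the ChangeLog (and in the `CVE:` header, if more than one CVE maps to them) would make the coverage of this backport easier to audit later. The two new cases expect the demangler to echo the input unchanged (`__vt_90000000000cafebabe` and `_Z80800000000000000000000`), that is, to reject the oversized number rather than crash; a short comment stating that the expected output is the rejected input would make the intent of those lines clearer to someone reading the test file without this patch's context.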
>>>>> +Index: gcc-5.3.0/libiberty/ChangeLog
>>>>> +===================================================================
>>>>> +--- gcc-5.3.0.orig/libiberty/ChangeLog
>>>>> ++++ gcc-5.3.0/libiberty/ChangeLog
>>>>> +@@ -1,3 +1,22 @@
>>>>> ++2016-05-02  Marcel Böhme  <boehme.marcel@gmail.com>
>>>>> ++
>>>>> ++   PR c++/70498
>>>>> ++   * cp-demangle.c: Parse numbers as integer instead of long to avoid
>>>>> ++   overflow after sanity checks. Include <limits.h> if available.
>>>>> ++   (INT_MAX): Define if necessary.
>>>>> ++   (d_make_template_param): Takes integer argument instead of long.
>>>>> ++   (d_make_function_param): Likewise.
>>>>> ++   (d_append_num): Likewise.
>>>>> ++   (d_identifier): Likewise.
>>>>> ++   (d_number): Parse as and return integer.
>>>>> ++   (d_compact_number): Handle overflow.
>>>>> ++   (d_source_name): Change variable type to integer for parsed number.
>>>>> ++   (d_java_resource): Likewise.
>>>>> ++   (d_special_name): Likewise.
>>>>> ++   (d_discriminator): Likewise.
>>>>> ++   (d_unnamed_type): Likewise.
>>>>> ++   * testsuite/demangle-expected: Add regression test cases.
>>>>> ++
>>>>> + 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
>>>>> +
>>>>> +   PR c++/69687
>>>>>
>>>



Thread overview: 10+ messages
2016-05-06  7:11 [master][krogoth][PATCH 1/4] gcc: Security fix CVE-2016-4488 Armin Kuster
2016-05-06  7:11 ` [master][krogoth][PATCH 2/4] gcc: Security fix CVE-2016-4489 Armin Kuster
2016-05-06  7:11 ` [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226 Armin Kuster
2016-05-13 16:14   ` akuster808
2016-05-06  7:11 ` [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490 Armin Kuster
2016-05-13 16:16   ` akuster808
2016-05-13 18:07     ` Khem Raj
2016-05-13 20:52       ` akuster808
2016-05-13 21:04         ` Khem Raj
2016-05-14  3:26           ` akuster808
