[OE-core] [jethro][PATCH v2] glibc: add patch from release/2.22/master fix memory corruption
Jens Rehsack
rehsack at gmail.com
Fri Feb 12 09:16:49 UTC 2016
Since default fstab contains empty lines, this might be a reasonable patch
long running services using getmntent.
This patch is backported from:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=3007f797a1a596e954f44879a5a7267966186ba4
Signed-off-by: Jens Rehsack <sno at netbsd.org>
---
...ntent-fix-memory-corruption-w-blank-lines.patch | 199 +++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.22.bb | 1 +
2 files changed, 200 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/getmntent-fix-memory-corruption-w-blank-lines.patch
diff --git a/meta/recipes-core/glibc/glibc/getmntent-fix-memory-corruption-w-blank-lines.patch b/meta/recipes-core/glibc/glibc/getmntent-fix-memory-corruption-w-blank-lines.patch
new file mode 100644
index 0000000..7f9b4bc
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/getmntent-fix-memory-corruption-w-blank-lines.patch
@@ -0,0 +1,199 @@
+commit 3007f797a1a596e954f44879a5a7267966186ba4
+Author: Mike Frysinger <vapier at gentoo.org>
+Date: Fri Aug 28 17:08:49 2015 -0400
+
+ getmntent: fix memory corruption w/blank lines [BZ #18887]
+
+ The fix for BZ #17273 introduced a single byte of memory corruption when
+ the line is entirely blank. It would walk back past the start of the
+ buffer if the heap happened to be 0x20 or 0x09 and then write a NUL byte.
+ buffer = '\n';
+ end_ptr = buffer;
+ while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
+ end_ptr--;
+ *end_ptr = '\0';
+
+ Fix that and rework the tests. Adding the testcase for BZ #17273 to the
+ existing \040 parser does not really make sense as it's unrelated, and
+ leads to confusing behavior: it implicitly relies on the new entry being
+ longer than the previous entry (since it just rewinds the FILE*). Split
+ it out into its own dedicated testcase instead.
+
+ (cherry picked from commit b0e805fa0d6fea33745952df7b7f5442ca4c374f)
+
+ Upstream-Status: Backport
+ - Backported from https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=3007f797a1a596e954f44879a5a7267966186ba4
+ because of incompatibility with other patches for glibc.
+
+ Signed-off-by: Jens Rehsack <sno at netbsd.org>
+
+diff --git a/misc/Makefile b/misc/Makefile
+index aecb0da..2f5edf6 100644
+--- a/misc/Makefile
++++ b/misc/Makefile
+@@ -76,7 +76,8 @@ install-lib := libg.a
+ gpl2lgpl := error.c error.h
+
+ tests := tst-dirname tst-tsearch tst-fdset tst-mntent tst-hsearch \
+- tst-pselect tst-insremque tst-mntent2 bug-hsearch1
++ tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \
++ tst-mntent-blank-corrupt tst-mntent-blank-passno
+ tests-$(OPTION_POSIX_WIDE_CHAR_DEVICE_IO) += tst-error1
+ tests-$(OPTION_EGLIBC_FCVT) += tst-efgcvt
+ ifeq ($(run-built-tests),yes)
+diff --git a/misc/mntent_r.c b/misc/mntent_r.c
+index 6159873..4f26998 100644
+--- a/misc/mntent_r.c
++++ b/misc/mntent_r.c
+@@ -136,7 +136,9 @@ __getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz)
+ end_ptr = strchr (buffer, '\n');
+ if (end_ptr != NULL) /* chop newline */
+ {
+- while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
++ /* Do not walk past the start of buffer if it's all whitespace. */
++ while (end_ptr != buffer
++ && (end_ptr[-1] == ' ' || end_ptr[-1] == '\t'))
+ end_ptr--;
+ *end_ptr = '\0';
+ }
+diff --git a/misc/tst-mntent-blank-corrupt.c b/misc/tst-mntent-blank-corrupt.c
+new file mode 100644
+index 0000000..92266a3
+--- /dev/null
++++ b/misc/tst-mntent-blank-corrupt.c
+@@ -0,0 +1,45 @@
++/* Make sure blank lines does not cause memory corruption BZ #18887.
++
++ Copyright (C) 2009-2015 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <mntent.h>
++#include <stdio.h>
++#include <string.h>
++
++/* Make sure blank lines don't trigger memory corruption. This doesn't happen
++ for all targets though, so it's a best effort test BZ #18887. */
++static int
++do_test (void)
++{
++ FILE *fp;
++
++ fp = tmpfile ();
++ fputs ("\n \n/foo\\040dir /bar\\040dir auto bind \t \n", fp);
++ rewind (fp);
++
++ /* The corruption happens here ... */
++ getmntent (fp);
++ /* ... but trigers here. */
++ endmntent (fp);
++
++ /* If the test failed, we would crash, and not hit this point. */
++ return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/misc/tst-mntent-blank-passno.c b/misc/tst-mntent-blank-passno.c
+new file mode 100644
+index 0000000..fc04291
+--- /dev/null
++++ b/misc/tst-mntent-blank-passno.c
+@@ -0,0 +1,53 @@
++/* Make sure trailing whitespace is handled properly BZ #17273.
++
++ Copyright (C) 2009-2015 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <mntent.h>
++#include <stdio.h>
++#include <string.h>
++
++/* Check entries to make sure trailing whitespace is ignored and we return the
++ correct passno value BZ #17273. */
++static int
++do_test (void)
++{
++ int result = 0;
++ FILE *fp;
++ struct mntent *mnt;
++
++ fp = tmpfile ();
++ fputs ("/foo\\040dir /bar\\040dir auto bind \t \n", fp);
++ rewind (fp);
++
++ mnt = getmntent (fp);
++ if (strcmp (mnt->mnt_fsname, "/foo dir") != 0
++ || strcmp (mnt->mnt_dir, "/bar dir") != 0
++ || strcmp (mnt->mnt_type, "auto") != 0
++ || strcmp (mnt->mnt_opts, "bind") != 0
++ || mnt->mnt_freq != 0
++ || mnt->mnt_passno != 0)
++ {
++ puts ("Error while reading entry with trailing whitespaces");
++ result = 1;
++ }
++
++ return result;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/misc/tst-mntent.c b/misc/tst-mntent.c
+index 876c89f..820b354 100644
+--- a/misc/tst-mntent.c
++++ b/misc/tst-mntent.c
+@@ -73,26 +73,6 @@ main (int argc, char *argv[])
+ puts ("Error while reading written entry back in");
+ result = 1;
+ }
+-
+- /* Part III: Entry with whitespaces at the end of a line. */
+- rewind (fp);
+-
+- fputs ("/foo\\040dir /bar\\040dir auto bind \t \n", fp);
+-
+- rewind (fp);
+-
+- mnt = getmntent (fp);
+-
+- if (strcmp (mnt->mnt_fsname, "/foo dir") != 0
+- || strcmp (mnt->mnt_dir, "/bar dir") != 0
+- || strcmp (mnt->mnt_type, "auto") != 0
+- || strcmp (mnt->mnt_opts, "bind") != 0
+- || mnt->mnt_freq != 0
+- || mnt->mnt_passno != 0)
+- {
+- puts ("Error while reading entry with trailing whitespaces");
+- result = 1;
+- }
+ }
+
+ return result;
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index e512672..7183f46 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -46,6 +46,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://CVE-2015-9761_1.patch \
file://CVE-2015-9761_2.patch \
file://CVE-2015-8776.patch \
+ file://getmntent-fix-memory-corruption-w-blank-lines.patch \
"
SRC_URI += "\
--
2.6.3
--
Jens Rehsack - rehsack at gmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20160212/e7463fa6/attachment-0002.sig>
More information about the Openembedded-core
mailing list