[OE-core] [PATCH 2/3] glibc: Security fix CVE-2017-15671
Armin Kuster
akuster808 at gmail.com
Thu Nov 23 03:52:16 UTC 2017
From: Armin Kuster <akuster at mvista.com>
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).
Affects: glibc < 2.27
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
meta/recipes-core/glibc/glibc/CVE-2017-15671.patch | 215 +++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.26.bb | 1 +
2 files changed, 216 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
new file mode 100644
index 0000000..425aaa7
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
@@ -0,0 +1,215 @@
+From 6182b3708b7af316454c81467538a8c20c1b046d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer at redhat.com>
+Date: Sat, 21 Oct 2017 18:03:30 +0200
+Subject: [PATCH] glob: Add new test tst-glob-tilde
+
+The new test checks for memory leaks (see bug 22325) and attempts
+to trigger the buffer overflow in bug 22320.
+
+(cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)
+
+Upstream-Status: Backport
+CVE: CVE-2017-15671
+Affects: glibx < 2.27
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ ChangeLog | 8 +++
+ posix/Makefile | 11 +++-
+ posix/tst-glob-tilde.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 153 insertions(+), 2 deletions(-)
+ create mode 100644 posix/tst-glob-tilde.c
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,11 @@
++2017-10-21 Florian Weimer <fweimer at redhat.com>
++
++ * posix/Makefile (tests): Add tst-glob-tilde.
++ (tests-special): Add tst-glob-tilde-mem.out
++ (tst-glob-tilde-ENV): Set MALLOC_TRACE.
++ (tst-glob-tilde-mem.out): Add mtrace check.
++ * posix/tst-glob-tilde.c: New file.
++
+ 2017-10-20 Paul Eggert <eggert at cs.ucla.edu>
+
+ [BZ #22320]
+Index: git/posix/Makefile
+===================================================================
+--- git.orig/posix/Makefile
++++ git/posix/Makefile
+@@ -93,7 +93,7 @@ tests := test-errno tstgetopt testfnm r
+ tst-fnmatch3 bug-regex36 tst-getaddrinfo5 \
+ tst-posix_spawn-fd tst-posix_spawn-setsid \
+ tst-posix_fadvise tst-posix_fadvise64 \
+- tst-sysconf-empty-chroot
++ tst-sysconf-empty-chroot tst-glob-tilde
+ tests-internal := bug-regex5 bug-regex20 bug-regex33 \
+ tst-rfc3484 tst-rfc3484-2 tst-rfc3484-3
+ xtests := bug-ga2
+@@ -141,7 +141,8 @@ tests-special += $(objpfx)bug-regex2-mem
+ $(objpfx)tst-rxspencer-no-utf8-mem.out $(objpfx)tst-pcre-mem.out \
+ $(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \
+ $(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
+- $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out
++ $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
++ $(objpfx)tst-glob-tilde-mem.out
+ xtests-special += $(objpfx)bug-ga2-mem.out
+ endif
+
+@@ -350,6 +351,12 @@ $(objpfx)bug-glob2-mem.out: $(objpfx)bug
+ $(common-objpfx)malloc/mtrace $(objpfx)bug-glob2.mtrace > $@; \
+ $(evaluate-test)
+
++tst-glob-tilde-ENV = MALLOC_TRACE=$(objpfx)tst-glob-tilde.mtrace
++
++$(objpfx)tst-glob-tilde-mem.out: $(objpfx)tst-glob-tilde.out
++ $(common-objpfx)malloc/mtrace $(objpfx)tst-glob-tilde.mtrace > $@; \
++ $(evaluate-test)
++
+ $(inst_libexecdir)/getconf: $(inst_bindir)/getconf \
+ $(objpfx)getconf.speclist FORCE
+ $(addprefix $(..)./scripts/mkinstalldirs ,\
+Index: git/posix/tst-glob-tilde.c
+===================================================================
+--- /dev/null
++++ git/posix/tst-glob-tilde.c
+@@ -0,0 +1,136 @@
++/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
++ Copyright (C) 2017 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <glob.h>
++#include <mcheck.h>
++#include <nss.h>
++#include <pwd.h>
++#include <stdlib.h>
++#include <string.h>
++#include <support/check.h>
++#include <support/support.h>
++
++/* Flag which indicates whether to pass the GLOB_ONLYDIR flag. */
++static int do_onlydir;
++
++/* Flag which indicates whether to pass the GLOB_NOCHECK flag. */
++static int do_nocheck;
++
++/* Flag which indicates whether to pass the GLOB_MARK flag. */
++static int do_mark;
++
++static void
++one_test (const char *prefix, const char *middle, const char *suffix)
++{
++ char *pattern = xasprintf ("%s%s%s", prefix, middle, suffix);
++ int flags = GLOB_TILDE;
++ if (do_onlydir)
++ flags |= GLOB_ONLYDIR;
++ if (do_nocheck)
++ flags |= GLOB_NOCHECK;
++ if (do_mark)
++ flags |= GLOB_MARK;
++ glob_t gl;
++ /* This glob call might result in crashes or memory leaks. */
++ if (glob (pattern, flags, NULL, &gl) == 0)
++ globfree (&gl);
++ free (pattern);
++}
++
++enum
++ {
++ /* The largest base being tested. */
++ largest_base_size = 500000,
++
++ /* The actual size is the base size plus a variable whose absolute
++ value is not greater than this. This helps malloc to trigger
++ overflows. */
++ max_size_skew = 16,
++
++ /* The maximum string length supported by repeating_string
++ below. */
++ repeat_size = largest_base_size + max_size_skew,
++ };
++
++/* Used to construct strings which repeat a single character 'x'. */
++static char *repeat;
++
++/* Return a string of SIZE characters. */
++const char *
++repeating_string (int size)
++{
++ TEST_VERIFY (size >= 0);
++ TEST_VERIFY (size <= repeat_size);
++ const char *repeated_shifted = repeat + repeat_size - size;
++ TEST_VERIFY (strlen (repeated_shifted) == size);
++ return repeated_shifted;
++}
++
++static int
++do_test (void)
++{
++ /* Avoid network-based NSS modules and initialize nss_files with a
++ dummy lookup. This has to come before mtrace because NSS does
++ not free all memory. */
++ __nss_configure_lookup ("passwd", "files");
++ (void) getpwnam ("root");
++
++ mtrace ();
++
++ repeat = xmalloc (repeat_size + 1);
++ memset (repeat, 'x', repeat_size);
++ repeat[repeat_size] = '\0';
++
++ /* These numbers control the size of the user name. The values
++ cover the minimum (0), a typical size (8), a large
++ stack-allocated size (100000), and a somewhat large
++ heap-allocated size (largest_base_size). */
++ static const int base_sizes[] = { 0, 8, 100, 100000, largest_base_size, -1 };
++
++ for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
++ for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
++ for (do_mark = 0; do_mark < 2; ++do_mark)
++ for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
++ {
++ for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
++ ++size_skew)
++ {
++ int size = base_sizes[base_idx] + size_skew;
++ if (size < 0)
++ continue;
++
++ const char *user_name = repeating_string (size);
++ one_test ("~", user_name, "/a/b");
++ }
++
++ const char *user_name = repeating_string (base_sizes[base_idx]);
++ one_test ("~", user_name, "");
++ one_test ("~", user_name, "/");
++ one_test ("~", user_name, "/a");
++ one_test ("~", user_name, "/*/*");
++ one_test ("~", user_name, "\\/");
++ one_test ("/~", user_name, "");
++ one_test ("*/~", user_name, "/a/b");
++ }
++
++ free (repeat);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index ed4ea4f..e4ba28f 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
file://CVE-2017-15670.patch \
+ file://CVE-2017-15671.patch \
"
NATIVESDKFIXES ?= ""
--
2.7.4
More information about the Openembedded-core
mailing list