Hello community,
here is the log from the commit of package glibc for openSUSE:Factory checked
in at 2020-12-21 10:21:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/glibc (Old)
and /work/SRC/openSUSE:Factory/.glibc.new.5145 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glibc"
Mon Dec 21 10:21:57 2020 rev:243 rq:856526 version:2.32
Changes:
--------
--- /work/SRC/openSUSE:Factory/glibc/glibc.changes 2020-11-15
15:17:27.406880775 +0100
+++ /work/SRC/openSUSE:Factory/.glibc.new.5145/glibc.changes 2020-12-21
10:22:26.331928894 +0100
@@ -1,0 +2,14 @@
+Tue Dec 15 16:41:29 UTC 2020 - Andreas Schwab <sch...@suse.de>
+
+- aarch64-static-pie.patch: fix static PIE start code for BTI
+ (bsc#1179450, BZ #27068)
+- iconv-redundant-shift.patch: iconv: Accept redundant shift sequences in
+ IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
+- iconv-ucs4-loop-bounds.patch: iconv: Fix incorrect UCS4 inner loop
+ bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
+- printf-long-double-non-normal.patch: x86: Harden printf against
+ non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
+- get-nprocs-cpu-online-parsing.patch: Fix parsing of
+ /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
+
+-------------------------------------------------------------------
@@ -16 +30 @@
- and shadow stack in the dynamic loader. [jsc#PM-2110] [bsc#1175154]
+ and shadow stack in the dynamic loader (jsc#PM-2110, bsc#1175154)
New:
----
aarch64-static-pie.patch
get-nprocs-cpu-online-parsing.patch
iconv-redundant-shift.patch
iconv-ucs4-loop-bounds.patch
printf-long-double-non-normal.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ glibc.spec ++++++
--- /var/tmp/diff_new_pack.LuLwlg/_old 2020-12-21 10:22:27.787930173 +0100
+++ /var/tmp/diff_new_pack.LuLwlg/_new 2020-12-21 10:22:27.787930173 +0100
@@ -269,6 +269,16 @@
Patch1003: strerrorname-np.patch
# PATCH-FIX-UPSTREAM sysvipc: Fix SEM_STAT_ANY kernel argument pass (BZ
#26637, BZ #26639, BZ #26636)
Patch1004: sysvipc.patch
+# PATCH-FIX-UPSTREAM aarch64: fix static PIE start code for BTI (BZ #27068)
+Patch1005: aarch64-static-pie.patch
+# PATCH-FIX-UPSTREAM iconv: Accept redundant shift sequences in IBM1364
(CVE-2020-27618, BZ #26224)
+Patch1006: iconv-redundant-shift.patch
+# PATCH-FIX-UPSTREAM iconv: Fix incorrect UCS4 inner loop bounds
(CVE-2020-29562, BZ#26923)
+Patch1007: iconv-ucs4-loop-bounds.patch
+# PATCH-FIX-UPSTREAM x86: Harden printf against non-normal long double values
(CVE-2020-29573, BZ #26649)
+Patch1008: printf-long-double-non-normal.patch
+# PATCH-FIX-UPSTREAM Fix parsing of /sys/devices/system/cpu/online (BZ #25859)
+Patch1009: get-nprocs-cpu-online-parsing.patch
###
# Patches awaiting upstream approval
@@ -486,6 +496,11 @@
%patch1002 -p1
%patch1003 -p1
%patch1004 -p1
+%patch1005 -p1
+%patch1006 -p1
+%patch1007 -p1
+%patch1008 -p1
+%patch1009 -p1
%patch2000 -p1
%patch2001 -p1
++++++ aarch64-static-pie.patch ++++++
From d4136903a29baabeec8987b53081def8b4a49826 Mon Sep 17 00:00:00 2001
From: Guillaume Gardet <guillaume.gar...@arm.com>
Date: Mon, 14 Dec 2020 15:38:22 +0000
Subject: [PATCH] aarch64: fix static PIE start code for BTI [BZ #27068]
A bti c was missing from rcrt1.o which made all -static-pie
binaries fail at program startup on BTI enabled systems.
Fixes bug 27068.
---
sysdeps/aarch64/start.S | 1 +
1 file changed, 1 insertion(+)
Index: glibc-2.32/sysdeps/aarch64/start.S
===================================================================
--- glibc-2.32.orig/sysdeps/aarch64/start.S
+++ glibc-2.32/sysdeps/aarch64/start.S
@@ -101,6 +101,7 @@ _start:
because crt1.o and rcrt1.o share code and the later must avoid the
use of GOT relocations before __libc_start_main is called. */
__wrap_main:
+ BTI_C
b main
#endif
++++++ get-nprocs-cpu-online-parsing.patch ++++++
From b5eeca8cfd9d0fd92b5633a88901d9ff27f2b496 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <sch...@linux-m68k.org>
Date: Tue, 8 Dec 2020 19:17:41 +0100
Subject: [PATCH] Fix parsing of /sys/devices/system/cpu/online (bug 25859)
The file contains comma-separated ranges, not spaces.
---
sysdeps/unix/sysv/linux/getsysstats.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
Index: glibc-2.32/sysdeps/unix/sysv/linux/getsysstats.c
===================================================================
--- glibc-2.32.orig/sysdeps/unix/sysv/linux/getsysstats.c
+++ glibc-2.32/sysdeps/unix/sysv/linux/getsysstats.c
@@ -143,6 +143,7 @@ __get_nprocs (void)
char *re = buffer_end;
const int flags = O_RDONLY | O_CLOEXEC;
+ /* This file contains comma-separated ranges. */
int fd = __open_nocancel ("/sys/devices/system/cpu/online", flags);
char *l;
int result = 0;
@@ -175,10 +176,10 @@ __get_nprocs (void)
result += m - n + 1;
l = endp;
- while (l < re && isspace (*l))
+ if (l < re && *l == ',')
++l;
}
- while (l < re);
+ while (l < re && *l != '\n');
__close_nocancel_nostatus (fd);
++++++ iconv-redundant-shift.patch ++++++
From 9a99c682144bdbd40792ebf822fe9264e0376fb5 Mon Sep 17 00:00:00 2001
From: Arjun Shankar <ar...@redhat.com>
Date: Wed, 4 Nov 2020 12:19:38 +0100
Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ
#26224]
The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets
share converter logic (iconvdata/ibm1364.c) which would reject
redundant shift sequences when processing input in these character
sets. This led to a hang in the iconv program (CVE-2020-27618).
This commit adjusts the converter to ignore redundant shift sequences
and adds test cases for iconv_prog hangs that would be triggered upon
their rejection. This brings the implementation in line with other
converters that also ignore redundant shift sequences (e.g. IBM930
etc., fixed in commit 692de4b3960d).
Reviewed-by: Carlos O'Donell <car...@redhat.com>
---
NEWS | 4 +++-
iconv/tst-iconv_prog.sh | 16 ++++++++++------
iconvdata/ibm1364.c | 14 ++------------
3 files changed, 15 insertions(+), 19 deletions(-)
Index: glibc-2.32/iconv/tst-iconv_prog.sh
===================================================================
--- glibc-2.32.orig/iconv/tst-iconv_prog.sh
+++ glibc-2.32/iconv/tst-iconv_prog.sh
@@ -102,12 +102,16 @@ hangarray=(
"\x00\x80;-c;IBM1161;UTF-8//TRANSLIT//IGNORE"
"\x00\xdb;-c;IBM1162;UTF-8//TRANSLIT//IGNORE"
"\x00\x70;-c;IBM12712;UTF-8//TRANSLIT//IGNORE"
-# These are known hangs that are yet to be fixed:
-# "\x00\x0f;-c;IBM1364;UTF-8"
-# "\x00\x0f;-c;IBM1371;UTF-8"
-# "\x00\x0f;-c;IBM1388;UTF-8"
-# "\x00\x0f;-c;IBM1390;UTF-8"
-# "\x00\x0f;-c;IBM1399;UTF-8"
+"\x00\x0f;-c;IBM1364;UTF-8"
+"\x0e\x0e;-c;IBM1364;UTF-8"
+"\x00\x0f;-c;IBM1371;UTF-8"
+"\x0e\x0e;-c;IBM1371;UTF-8"
+"\x00\x0f;-c;IBM1388;UTF-8"
+"\x0e\x0e;-c;IBM1388;UTF-8"
+"\x00\x0f;-c;IBM1390;UTF-8"
+"\x0e\x0e;-c;IBM1390;UTF-8"
+"\x00\x0f;-c;IBM1399;UTF-8"
+"\x0e\x0e;-c;IBM1399;UTF-8"
"\x00\x53;-c;IBM16804;UTF-8//TRANSLIT//IGNORE"
"\x00\x41;-c;IBM274;UTF-8//TRANSLIT//IGNORE"
"\x00\x41;-c;IBM275;UTF-8//TRANSLIT//IGNORE"
Index: glibc-2.32/iconvdata/ibm1364.c
===================================================================
--- glibc-2.32.orig/iconvdata/ibm1364.c
+++ glibc-2.32/iconvdata/ibm1364.c
@@ -158,24 +158,14 @@ enum
\
if (__builtin_expect (ch, 0) == SO)
\
{
\
- /* Shift OUT, change to DBCS converter. */ \
- if (curcs == db) \
- { \
- result = __GCONV_ILLEGAL_INPUT; \
- break; \
- } \
+ /* Shift OUT, change to DBCS converter (redundant escape okay). */ \
curcs = db; \
++inptr; \
continue; \
}
\
if (__builtin_expect (ch, 0) == SI)
\
{
\
- /* Shift IN, change to SBCS converter. */ \
- if (curcs == sb) \
- { \
- result = __GCONV_ILLEGAL_INPUT; \
- break; \
- } \
+ /* Shift IN, change to SBCS converter (redundant escape okay). */ \
curcs = sb; \
++inptr; \
continue; \
++++++ iconv-ucs4-loop-bounds.patch ++++++
From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001
From: Michael Colavita <mcolav...@fb.com>
Date: Thu, 19 Nov 2020 11:44:40 -0500
Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923)
Previously, in UCS4 conversion routines we limit the number of
characters we examine to the minimum of the number of characters in the
input and the number of characters in the output. This is not the
correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume
an output character when we skip a code unit. Instead, track the input
and output pointers and terminate the loop when either reaches its
limit.
This resolves assertion failures when resetting the input buffer in a step of
iconv, which assumes that the input will be fully consumed given sufficient
output space.
---
iconv/Makefile | 2 +-
iconv/gconv_simple.c | 16 ++++----------
iconv/tst-iconv8.c | 50 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+), 13 deletions(-)
create mode 100644 iconv/tst-iconv8.c
Index: glibc-2.32/iconv/Makefile
===================================================================
--- glibc-2.32.orig/iconv/Makefile
+++ glibc-2.32/iconv/Makefile
@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERAT
CFLAGS-simple-hash.c += -I../locale
tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
- tst-iconv7 tst-iconv-mt tst-iconv-opt
+ tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt
others = iconv_prog iconvconfig
install-others-programs = $(inst_bindir)/iconv
Index: glibc-2.32/iconv/gconv_simple.c
===================================================================
--- glibc-2.32.orig/iconv/gconv_simple.c
+++ glibc-2.32/iconv/gconv_simple.c
@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step
int flags = step_data->__flags;
const unsigned char *inptr = *inptrp;
unsigned char *outptr = *outptrp;
- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
int result;
- size_t cnt;
- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
{
uint32_t inval;
@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __g
int flags = step_data->__flags;
const unsigned char *inptr = *inptrp;
unsigned char *outptr = *outptrp;
- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
int result;
- size_t cnt;
- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
{
if (__glibc_unlikely (inptr[0] > 0x80))
{
@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_ste
int flags = step_data->__flags;
const unsigned char *inptr = *inptrp;
unsigned char *outptr = *outptrp;
- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
int result;
- size_t cnt;
- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
{
uint32_t inval;
@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct _
int flags = step_data->__flags;
const unsigned char *inptr = *inptrp;
unsigned char *outptr = *outptrp;
- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
int result;
- size_t cnt;
- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
{
if (__glibc_unlikely (inptr[3] > 0x80))
{
Index: glibc-2.32/iconv/tst-iconv8.c
===================================================================
--- /dev/null
+++ glibc-2.32/iconv/tst-iconv8.c
@@ -0,0 +1,50 @@
+/* Test iconv behavior on UCS4 conversions with //IGNORE.
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+/* Derived from BZ #26923 */
+#include <errno.h>
+#include <iconv.h>
+#include <stdio.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/");
+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+ /*
+ * Convert sequence beginning with an irreversible character into buffer that
+ * is too small.
+ */
+ char input[12] = "\xe1\x80\xa1" "AAAAAAAAA";
+ char *inptr = input;
+ size_t insize = sizeof (input);
+ char output[6];
+ char *outptr = output;
+ size_t outsize = sizeof (output);
+
+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1);
+ TEST_VERIFY (errno == E2BIG);
+
+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
+
+ return 0;
+}
+
+#include <support/test-driver.c>
++++++ printf-long-double-non-normal.patch ++++++
From 681900d29683722b1cb0a8e565a0585846ec5a61 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fwei...@redhat.com>
Date: Tue, 22 Sep 2020 19:07:48 +0200
Subject: [PATCH] x86: Harden printf against non-normal long double values (bug
26649)
The behavior of isnan/__builtin_isnan on bit patterns that do not
correspond to something that the CPU would produce from valid inputs
is currently under-defined in the toolchain. (The GCC built-in and
glibc disagree.)
The isnan check in PRINTF_FP_FETCH in stdio-common/printf_fp.c
assumes the GCC behavior that returns true for non-normal numbers
which are not specified as NaN. (The glibc implementation returns
false for such numbers.)
At present, passing non-normal numbers to __mpn_extract_long_double
causes this function to produce irregularly shaped multi-precision
integers, triggering undefined behavior in __printf_fp_l.
With GCC 10 and glibc 2.32, this behavior is not visible because
__builtin_isnan is used, which avoids calling
__mpn_extract_long_double in this case. This commit updates the
implementation of __mpn_extract_long_double so that regularly shaped
multi-precision integers are produced in this case, avoiding
undefined behavior in __printf_fp_l.
---
sysdeps/x86/Makefile | 4 ++
sysdeps/x86/ldbl2mpn.c | 8 ++++
sysdeps/x86/tst-ldbl-nonnormal-printf.c | 52 +++++++++++++++++++++++++
3 files changed, 64 insertions(+)
create mode 100644 sysdeps/x86/tst-ldbl-nonnormal-printf.c
Index: glibc-2.32/sysdeps/i386/ldbl2mpn.c
===================================================================
--- glibc-2.32.orig/sysdeps/i386/ldbl2mpn.c
+++ glibc-2.32/sysdeps/i386/ldbl2mpn.c
@@ -115,6 +115,14 @@ __mpn_extract_long_double (mp_ptr res_pt
&& res_ptr[N - 1] == 0)
/* Pseudo zero. */
*expt = 0;
+ else
+ /* Unlike other floating point formats, the most significant bit
+ is explicit and expected to be set for normal numbers. Set it
+ in case it is cleared in the input. Otherwise, callers will
+ not be able to produce the expected multi-precision integer
+ layout by shifting. */
+ res_ptr[N - 1] |= (mp_limb_t) 1 << (LDBL_MANT_DIG - 1
+ - ((N - 1) * BITS_PER_MP_LIMB));
return N;
}
Index: glibc-2.32/sysdeps/x86/Makefile
===================================================================
--- glibc-2.32.orig/sysdeps/x86/Makefile
+++ glibc-2.32/sysdeps/x86/Makefile
@@ -9,6 +9,10 @@ tests += tst-get-cpu-features tst-get-cp
tests-static += tst-get-cpu-features-static
endif
+ifeq ($(subdir),math)
+tests += tst-ldbl-nonnormal-printf
+endif # $(subdir) == math
+
ifeq ($(subdir),setjmp)
gen-as-const-headers += jmp_buf-ssp.sym
sysdep_routines += __longjmp_cancel
Index: glibc-2.32/sysdeps/x86/tst-ldbl-nonnormal-printf.c
===================================================================
--- /dev/null
+++ glibc-2.32/sysdeps/x86/tst-ldbl-nonnormal-printf.c
@@ -0,0 +1,52 @@
+/* Test printf with x86-specific non-normal long double value.
+ Copyright (C) 2020 Free Software Foundation, Inc.
+
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <string.h>
+#include <support/check.h>
+
+/* Fill the stack with non-zero values. This makes a crash in
+ snprintf more likely. */
+static void __attribute__ ((noinline, noclone))
+fill_stack (void)
+{
+ char buffer[65536];
+ memset (buffer, 0xc0, sizeof (buffer));
+ asm ("" ::: "memory");
+}
+
+static int
+do_test (void)
+{
+ fill_stack ();
+
+ long double value;
+ memcpy (&value, "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04", 10);
+
+ char buf[30];
+ int ret = snprintf (buf, sizeof (buf), "%Lg", value);
+ TEST_COMPARE (ret, strlen (buf));
+ if (strcmp (buf, "nan") != 0)
+ /* If snprintf does not recognize the non-normal number as a NaN,
+ it has added the missing explicit MSB. */
+ TEST_COMPARE_STRING (buf, "3.02201e-4624");
+ return 0;
+}
+
+#include <support/test-driver.c>
_______________________________________________
openSUSE Commits mailing list -- commit@lists.opensuse.org
To unsubscribe, email commit-le...@lists.opensuse.org
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives:
https://lists.opensuse.org/archives/list/commit@lists.opensuse.org
