Backport Paul Pluzhnikov's glibc patch for CVE-2015-1472: Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer. The implementation now correctly computes the required buffer size when using malloc.
https://sourceware.org/bugzilla/show_bug.cgi?id=16618 Signed-off-by: Haris Okanovic <[email protected]> Signed-off-by: Ken Sharp <[email protected]> Reviewed-by: Rich Tollerton <[email protected]> --- Natinst-CAR-ID: 518552 Natinst-ReviewBoard-ID: 96712 --- ...5-1472-wscanf-allocates-too-little-memory.patch | 127 +++++++++++++++++++++ meta/recipes-core/glibc/glibc_2.20.bb | 1 + 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch new file mode 100644 index 0000000..4ffd609 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch @@ -0,0 +1,127 @@ +From 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06 Mon Sep 17 00:00:00 2001 +From: Paul Pluzhnikov <[email protected]> +Date: Fri, 6 Feb 2015 00:30:42 -0500 +Subject: [PATCH] CVE-2015-1472: wscanf allocates too little memory + +BZ #16618 + +Under certain conditions wscanf can allocate too little memory for the +to-be-scanned arguments and overflow the allocated buffer. The +implementation now correctly computes the required buffer size when +using malloc. + +A regression test was added to tst-sscanf. + +Upstream-Status: Backport +https://sourceware.org/bugzilla/show_bug.cgi?id=16618 +--- + stdio-common/tst-sscanf.c | 33 +++++++++++++++++++++++++++++++++ + stdio-common/vfscanf.c | 12 ++++++------ + 2 files changed, 39 insertions(+), 6 deletions(-) + +diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c +index aece3f2f290088b2c08441cf85f2b915a61b9789..8a2eb9e39c4752a30941753d7f0325c2aa352fd1 100644 +--- a/stdio-common/tst-sscanf.c ++++ b/stdio-common/tst-sscanf.c +@@ -226,12 +226,45 @@ main (void) + result = 1; + } + else if (ret == 2 && c != double_tests2[i].residual) + { + printf ("double_tests2[%d] stopped at '%c' != '%c'\n", + i, c, double_tests2[i].residual); + result = 1; + } + } + ++ /* BZ #16618 ++ The test will segfault during SSCANF if the buffer overflow ++ is not fixed. The size of `s` is such that it forces the use ++ of malloc internally and this triggers the incorrect computation. ++ Thus the value for SIZE is arbitrariy high enough that malloc ++ is used. */ ++ { ++#define SIZE 131072 ++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s)); ++ if (s == NULL) ++ abort (); ++ for (size_t i = 0; i < SIZE; i++) ++ s[i] = L('0'); ++ s[SIZE] = L('\0'); ++ int i = 42; ++ /* Scan multi-digit zero into `i`. */ ++ if (SSCANF (s, L("%d"), &i) != 1) ++ { ++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n"); ++ result = 1; ++ } ++ if (i != 0) ++ { ++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n"); ++ result = 1; ++ } ++ free (s); ++ if (result != 1) ++ printf ("PASS: bug16618: Did not crash.\n"); ++#undef SIZE ++ } ++ ++ + return result; + } +diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c +index cd129a81dee57e5e06ccb0e676e0de3fd52469ca..0e204e7b326d848716222f40b5b82b8256ed1b77 100644 +--- a/stdio-common/vfscanf.c ++++ b/stdio-common/vfscanf.c +@@ -265,42 +265,42 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, + CHAR_T *wp = NULL; /* Workspace. */ + size_t wpmax = 0; /* Maximal size of workspace. */ + size_t wpsize; /* Currently used bytes in workspace. */ + bool use_malloc = false; + #define ADDW(Ch) \ + do \ + { \ + if (__glibc_unlikely (wpsize == wpmax)) \ + { \ + CHAR_T *old = wp; \ +- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \ +- ? UCHAR_MAX + 1 : 2 * wpmax); \ +- if (use_malloc || !__libc_use_alloca (newsize)) \ ++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \ ++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \ ++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \ ++ if (!__libc_use_alloca (newsize)) \ + { \ + wp = realloc (use_malloc ? wp : NULL, newsize); \ + if (wp == NULL) \ + { \ + if (use_malloc) \ + free (old); \ + done = EOF; \ + goto errout; \ + } \ + if (! use_malloc) \ + MEMCPY (wp, old, wpsize); \ +- wpmax = newsize; \ ++ wpmax = wpneed; \ + use_malloc = true; \ + } \ + else \ + { \ + size_t s = wpmax * sizeof (CHAR_T); \ +- wp = (CHAR_T *) extend_alloca (wp, s, \ +- newsize * sizeof (CHAR_T)); \ ++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \ + wpmax = s / sizeof (CHAR_T); \ + if (old != NULL) \ + MEMCPY (wp, old, wpsize); \ + } \ + } \ + wp[wpsize++] = (Ch); \ + } \ + while (0) + + #ifdef __va_copy +-- +2.2.2 + diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb index 3277f7a..e3427dd 100644 --- a/meta/recipes-core/glibc/glibc_2.20.bb +++ b/meta/recipes-core/glibc/glibc_2.20.bb @@ -46,6 +46,7 @@ CVEPATCHES = "\ file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \ file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \ file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \ + file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \ " LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ -- 2.2.2 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
