From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: glibc-bugs-owner@sourceware.org
From: "cvs-commit at gcc dot gnu.org"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
Date: Fri, 25 Oct 2013 14:00:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: unspecified
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: 2.19
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2013-10/txt/msg00323.txt.bz2

http://sourceware.org/bugzilla/show_bug.cgi?id=14699

--- Comment #6 from cvs-commit at gcc dot gnu.org ---
       via  0b0e50ce9efe2fec10e147eddba4f0802235a042 (commit)
       via  54377921e7092f709c6a5985688769404637055f (commit)
       via  9a010a5f6328aa7ba353679e9a9e07465917d6a0 (commit)
       via  f03cfdf9bf62f776338171fe2ba6eebbf8948875 (commit)
       via  6957bcb15456b5118c44bb49754b199462336639 (commit)
       via  56532663f2881ce7b7996d75dbb6bbb438187457 (commit)
       via  52b8d67f22068991f404c51b38b30e7e35c1bb99 (commit)
       via  dc7ba1835ba16cb49d6c38d50e153b70beb2a091 (commit)
       via  8f29d3b5ae201ae4af368d2221381c5a856913d5 (commit)
       via  63e9a36056fe53621fa3001fe22b4833a9ea9457 (commit)
       via  a3ed3a127ca30b3b25aab0b441f9f3f0ecc07f7e (commit)
      from  642c8732a111450a97e4ae41c12a920bc7f02ee0 (commit)

Those revisions
listed above that are new to this repository have not appeared on any other
notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0b0e50ce9efe2fec10e147eddba4f0802235a042

commit 0b0e50ce9efe2fec10e147eddba4f0802235a042
Author: Siddhesh Poyarekar
Date:   Fri Oct 25 10:22:12 2013 +0530

    Fix stack overflow due to large AF_INET6 requests

    Resolves #16072 (CVE-2013-4458).

    This patch fixes another stack overflow in getaddrinfo when it is
    called with AF_INET6.  The AF_UNSPEC case was fixed as CVE-2013-1914,
    but the AF_INET6 case went undetected back then.

    (cherry picked from commit 7cbcdb3699584db8913ca90f705d6337633ee10f)

    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=54377921e7092f709c6a5985688769404637055f

commit 54377921e7092f709c6a5985688769404637055f
Author: Allan McRae
Date:   Fri Oct 25 14:25:38 2013 +1000

    Fix incorrect getaddrinfo assertion trigger [BZ #9954]

    With the following /etc/hosts:
    127.0.0.1    www.my-domain.es
    127.0.1.1    www.my-domain.es
    192.168.0.1  www.my-domain.es

    Using getaddrinfo() on www.my-domain.es triggers the following assertion:
    ../sysdeps/posix/getaddrinfo.c:1473: rfc3484_sort: Assertion
    `src->results[i].native == -1 || src->results[i].native == a1_native' failed.

    This is due to two different bugs:
    - In rfc3484_sort() rule 7, src->results[i].native is assigned even if
      src->results[i].index is -1, meaning that no interface is associated.
    - In getaddrinfo() the source IP address used with the lo interface
      needs a special case, as it can be any IP within 127.X.Y.Z.

    (cherry picked from commit 894f3f1049135dcbeaab8f18690973663ef3147c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9a010a5f6328aa7ba353679e9a9e07465917d6a0

commit 9a010a5f6328aa7ba353679e9a9e07465917d6a0
Author: Carlos O'Donell
Date:   Mon Sep 23 01:44:38 2013 -0400

    BZ #15754: Fix test case for ARM.

    Statically built binaries use __pointer_chk_guard_local, while
    dynamically built binaries use __pointer_chk_guard.  Provide the
    right definition depending on the test case we are building.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f03cfdf9bf62f776338171fe2ba6eebbf8948875

commit f03cfdf9bf62f776338171fe2ba6eebbf8948875
Author: Carlos O'Donell
Date:   Mon Sep 23 00:52:09 2013 -0400

    BZ #15754: CVE-2013-4788

    The pointer guard used for pointer mangling was not initialized for
    static applications resulting in the security feature being disabled.
    The pointer guard is now correctly initialized to a random value for
    static applications.

    Existing static applications need to be recompiled to take advantage
    of the fix.

    The tests tst-ptrguard1-static and tst-ptrguard1 add regression
    coverage to ensure the pointer guards are sufficiently random and
    initialized to a default value.

    Conflicts:
    	NEWS
    	ports/ChangeLog.ia64
    	ports/ChangeLog.tile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6957bcb15456b5118c44bb49754b199462336639

commit 6957bcb15456b5118c44bb49754b199462336639
Author: Siddhesh Poyarekar
Date:   Mon Sep 23 11:24:30 2013 +0530

    Check for integer overflow in cache size computation in strcoll

    strcoll is implemented using a cache for indices and weights of
    collation sequences in the strings so that subsequent passes do not
    have to search through collation data again.  For very large string
    inputs, the cache size computation could overflow.  In such a case,
    use the fallback function that does not cache indices and weights of
    collation sequences.

    Fixes CVE-2012-4412.

    (cherry picked from commit 303e567a8062200dc06acde7c76fc34679f08d8f)

    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=56532663f2881ce7b7996d75dbb6bbb438187457

commit 56532663f2881ce7b7996d75dbb6bbb438187457
Author: Siddhesh Poyarekar
Date:   Mon Sep 23 11:20:02 2013 +0530

    Fall back to non-cached sequence traversal and comparison on malloc fail

    strcoll currently falls back to alloca if malloc fails, resulting in a
    possible stack overflow.  This patch implements sequence traversal and
    comparison without caching indices and rules.

    Fixes CVE-2012-4424.

    (cherry picked from commit 141f3a77fe4f1b59b0afa9bf6909cd2000448883)

    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52b8d67f22068991f404c51b38b30e7e35c1bb99

commit 52b8d67f22068991f404c51b38b30e7e35c1bb99
Author: Siddhesh Poyarekar
Date:   Tue Aug 20 08:40:05 2013 +0530

    Simplify strcoll implementation

    Break up strcoll into simpler functions so that the logic is easier to
    follow and maintain.

    (cherry picked from commit 1326ba1af22068db9488c2328bdaf852b8a93dcf)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dc7ba1835ba16cb49d6c38d50e153b70beb2a091

commit dc7ba1835ba16cb49d6c38d50e153b70beb2a091
Author: Will Newton
Date:   Fri Aug 16 12:54:29 2013 +0100

    malloc: Check for integer overflow in memalign.

    A large bytes parameter to memalign could cause an integer overflow
    and corrupt allocator internals.  Check the overflow does not occur
    before continuing with the allocation.

    ChangeLog:

    2013-09-11  Will Newton

    	[BZ #15857]
    	* malloc/malloc.c (__libc_memalign): Check the value of bytes
    	does not overflow.

    (cherry picked from commit b73ed247781d533628b681f57257dc85882645d3)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f29d3b5ae201ae4af368d2221381c5a856913d5

commit 8f29d3b5ae201ae4af368d2221381c5a856913d5
Author: Will Newton
Date:   Fri Aug 16 11:59:37 2013 +0100

    malloc: Check for integer overflow in valloc.

    A large bytes parameter to valloc could cause an integer overflow and
    corrupt allocator internals.  Check the overflow does not occur before
    continuing with the allocation.

    ChangeLog:

    2013-09-11  Will Newton

    	[BZ #15856]
    	* malloc/malloc.c (__libc_valloc): Check the value of bytes
    	does not overflow.

    (cherry picked from commit 55e17aadc1ef17a1df9626fb0e9fba290ece3331)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=63e9a36056fe53621fa3001fe22b4833a9ea9457

commit 63e9a36056fe53621fa3001fe22b4833a9ea9457
Author: Will Newton
Date:   Mon Aug 12 15:08:02 2013 +0100

    malloc: Check for integer overflow in pvalloc.

    A large bytes parameter to pvalloc could cause an integer overflow and
    corrupt allocator internals.  Check the overflow does not occur before
    continuing with the allocation.

    ChangeLog:

    2013-09-11  Will Newton

    	[BZ #15855]
    	* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
    	does not overflow.

    (cherry picked from commit 1159a193696ad48ec86e5895f6dee3e539619c0e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a3ed3a127ca30b3b25aab0b441f9f3f0ecc07f7e

commit a3ed3a127ca30b3b25aab0b441f9f3f0ecc07f7e
Author: Florian Weimer
Date:   Fri Aug 16 09:38:52 2013 +0200

    CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r

    	* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
    	member.
    	* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode member.
    	* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
    	* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
    	Return delayed error code.  Remove GETDENTS_64BIT_ALIGNED
    	conditional.
    	* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
    	GETDENTS_64BIT_ALIGNED.
    	* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
    	* manual/filesys.texi (Reading/Closing Directory): Document
    	ENAMETOOLONG return value of readdir_r.  Recommend readdir more
    	strongly.
    	* manual/conf.texi (Limits for Files): Add portability note to
    	NAME_MAX, PATH_MAX.
    	(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.

    (cherry picked from commit 91ce40854d0b7f865cf5024ef95a8026b76096f3)

    Conflicts:
    	NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                        |  118 +++
 csu/libc-start.c                                 |   16 +
 elf/Makefile                                     |   12 +-
 elf/tst-ptrguard1-static.c                       |    1 +
 elf/tst-ptrguard1.c                              |  202 +++++
 malloc/malloc.c                                  |   21 +
 manual/conf.texi                                 |    9 +
 manual/filesys.texi                              |   73 ++-
 ports/ChangeLog.ia64                             |    5 +
 ports/ChangeLog.tile                             |    5 +
 ports/sysdeps/ia64/stackguard-macros.h           |    3 +
 ports/sysdeps/tile/stackguard-macros.h           |    6 +
 string/Makefile                                  |    2 +
 string/strcoll_l.c                               |  926 +++++++++++++----------
 string/tst-strcoll-overflow.c                    |   61 ++
 sysdeps/generic/stackguard-macros.h              |    8 +
 sysdeps/i386/stackguard-macros.h                 |    8 +
 sysdeps/posix/dirstream.h                        |    2 +
 sysdeps/posix/getaddrinfo.c                      |   33 +-
 sysdeps/posix/opendir.c                          |    1 +
 sysdeps/posix/readdir_r.c                        |   42 +-
 sysdeps/posix/rewinddir.c                        |    1 +
 sysdeps/powerpc/powerpc32/stackguard-macros.h    |   10 +
 sysdeps/powerpc/powerpc64/stackguard-macros.h    |   10 +
 sysdeps/s390/s390-32/stackguard-macros.h         |   11 +
 sysdeps/s390/s390-64/stackguard-macros.h         |   14 +
 sysdeps/sparc/sparc32/stackguard-macros.h        |    3 +
 sysdeps/sparc/sparc64/stackguard-macros.h        |    3 +
 sysdeps/unix/sysv/linux/i386/readdir64_r.c       |    1 -
 sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c  |    1 -
 sysdeps/x86_64/stackguard-macros.h               |    5 +
 31 files changed, 1159 insertions(+), 454 deletions(-)
 create mode 100644 elf/tst-ptrguard1-static.c
 create mode 100644 elf/tst-ptrguard1.c
 create mode 100644 string/tst-strcoll-overflow.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
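The three malloc commits in the log above (memalign, valloc, pvalloc) all describe the same defect: a `bytes` argument close to `SIZE_MAX` wraps when the allocator adds alignment and chunk overhead to it, so a tiny size reaches the allocator and its bookkeeping is corrupted. The following C program is an added illustration of that check and is not glibc's code or part of the notification; `MODEL_MINSIZE`, `MODEL_PAGESIZE`, `align_up`, `pvalloc_size_unchecked` and the `*_request_ok` functions are constructed for the example, and the model constants are not glibc's real values.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model constants for this example only; glibc's minimum
   chunk size and page size are discovered at run time, not these literals. */
#define MODEL_MINSIZE   ((size_t) 32)
#define MODEL_PAGESIZE  ((size_t) 4096)

/* Plain round-up to a power-of-two alignment.  Only safe to call once the
   request has passed one of the *_request_ok checks below. */
size_t align_up(size_t bytes, size_t alignment)
{
    return (bytes + alignment - 1) & ~(alignment - 1);
}

/* The unchecked pattern the commit messages describe: for a request near
   SIZE_MAX the addition wraps, and a size far smaller than the caller
   asked for is what the allocator actually sees. */
size_t pvalloc_size_unchecked(size_t bytes)
{
    return align_up(bytes, MODEL_PAGESIZE);
}

/* Checked variant modelled on the memalign fix: reject the request up
   front if adding the alignment and chunk overhead to it would wrap. */
bool memalign_request_ok(size_t bytes, size_t alignment)
{
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return false;                        /* not a power of two */
    return bytes <= SIZE_MAX - alignment - MODEL_MINSIZE;
}

/* valloc is memalign with page alignment. */
bool valloc_request_ok(size_t bytes)
{
    return memalign_request_ok(bytes, MODEL_PAGESIZE);
}

/* pvalloc also rounds the size itself up to a whole page before aligning,
   so it needs headroom for two pages plus the chunk overhead. */
bool pvalloc_request_ok(size_t bytes)
{
    return bytes <= SIZE_MAX - 2 * MODEL_PAGESIZE - MODEL_MINSIZE;
}

int main(void)
{
    size_t huge = SIZE_MAX - 100;

    /* Without the check the rounded size silently wraps to a small value. */
    printf("unchecked pvalloc(SIZE_MAX - 100) rounds to %zu bytes\n",
           pvalloc_size_unchecked(huge));

    /* With the check the request fails cleanly, as a failed allocation would. */
    if (!pvalloc_request_ok(huge)) {
        errno = ENOMEM;
        perror("checked pvalloc(SIZE_MAX - 100)");
    }

    if (memalign_request_ok(1000, 16))
        printf("memalign(16, 1000) rounds to %zu bytes\n", align_up(1000, 16));
    return 0;
}
```

The check is deliberately phrased as `bytes <= SIZE_MAX - headroom` rather than `bytes + headroom <= SIZE_MAX`: the second form performs the very addition that can wrap, so it cannot detect the condition it is meant to guard against.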