From: "cvs-commit at gcc dot gnu.org"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/16009] Possible buffer overflow in strxfrm
Date: Tue, 17 Feb 2015 07:25:00 -0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Assigned-To: siddhesh at redhat dot com
X-Bugzilla-Flags: security+
X-Bugzilla-URL: http://sourceware.org/bugzilla/

https://sourceware.org/bugzilla/show_bug.cgi?id=16009

--- Comment #6 from cvs-commit at gcc dot gnu.org ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.20/master has been updated
       via  4d54424420c6300efbf57a7b9aa8635a8b8c1942 (commit)
       via  1bf9d48aec087062e2a14b77cb5ee1fa81be334c (commit)
       via  f9e0f439b72e0b2fb035be1bc60aaceeed7f6ed0 (commit)
       via  b0694b9e98ee64cb25490de0921ce307f3872749 (commit)
      from  f80af76648ed97a76745fad6caa3315a79cb1c7c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4d54424420c6300efbf57a7b9aa8635a8b8c1942

commit 4d54424420c6300efbf57a7b9aa8635a8b8c1942
Author: Paul Pluzhnikov
Date:   Fri Feb 6 00:30:42 2015 -0500

    CVE-2015-1472: wscanf allocates too little memory

    BZ #16618

    Under certain conditions wscanf can allocate too little memory for the
    to-be-scanned arguments and overflow the allocated buffer.  The
    implementation now correctly computes the required buffer size when
    using malloc.

    A regression test was added to tst-sscanf.

    (cherry picked from commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06)

    Conflicts:
    	ChangeLog
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1bf9d48aec087062e2a14b77cb5ee1fa81be334c

commit 1bf9d48aec087062e2a14b77cb5ee1fa81be334c
Author: H.J. Lu
Date:   Fri Jan 30 06:50:20 2015 -0800

    Use AVX unaligned memcpy only if AVX2 is available

    memcpy with unaligned 256-bit AVX register loads/stores are slow on older
    processors like Sandy Bridge.  This patch adds bit_AVX_Fast_Unaligned_Load
    and sets it only when AVX2 is available.

    [BZ #17801]
    * sysdeps/x86_64/multiarch/init-arch.c (__init_cpu_features): Set the
    bit_AVX_Fast_Unaligned_Load bit for AVX2.
    * sysdeps/x86_64/multiarch/init-arch.h (bit_AVX_Fast_Unaligned_Load):
    New.
    (index_AVX_Fast_Unaligned_Load): Likewise.
    (HAS_AVX_FAST_UNALIGNED_LOAD): Likewise.
    * sysdeps/x86_64/multiarch/memcpy.S (__new_memcpy): Check the
    bit_AVX_Fast_Unaligned_Load bit instead of the bit_AVX_Usable bit.
    * sysdeps/x86_64/multiarch/memcpy_chk.S (__memcpy_chk): Likewise.
    * sysdeps/x86_64/multiarch/mempcpy.S (__mempcpy): Likewise.
    * sysdeps/x86_64/multiarch/mempcpy_chk.S (__mempcpy_chk): Likewise.
    * sysdeps/x86_64/multiarch/memmove.c (__libc_memmove): Replace HAS_AVX
    with HAS_AVX_FAST_UNALIGNED_LOAD.
    * sysdeps/x86_64/multiarch/memmove_chk.c (__memmove_chk): Likewise.
    (cherry picked from commit 5f3d0b78e011d2a72f9e88b0e9ef5bc081d18f97)

    Conflicts:
    	ChangeLog
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f9e0f439b72e0b2fb035be1bc60aaceeed7f6ed0

commit f9e0f439b72e0b2fb035be1bc60aaceeed7f6ed0
Author: Leonhard Holz
Date:   Tue Jan 13 11:33:56 2015 +0530

    Fix memory handling in strxfrm_l [BZ #16009]

    [Modified from the original email by Siddhesh Poyarekar]

    This patch solves bug #16009 by implementing an additional path in
    strxfrm that does not depend on caching the weight and rule indices.

    In detail the following changed:

    * The old main loop was factored out of strxfrm_l into the function
    do_xfrm_cached to be able to alternatively use the non-caching version
    do_xfrm.

    * strxfrm_l allocates a fixed size array on the stack. If this is not
    sufficient to store the weight and rule indices, the non-caching path is
    taken. As the cache size is not dependent on the input there can be no
    problems with integer overflows or stack allocations greater than
    __MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the
    definition of strxfrm does not allow an oom error handling.

    * The uncached path determines the weight and rule index for every char
    and for every pass again.

    * Passing all the locale data array by array resulted in very long
    parameter lists, so I introduced a structure that holds them.

    * Checking for zero src string has been moved a bit upwards; it is
    before the locale data initialization now.

    * To verify that the non-caching path works correctly I added a test run
    to localedata/sort-test.sh & localedata/xfrm-test.c where all strings
    are patched up with spaces so that they are too large for the caching
    path.
    (cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa)

    Conflicts:
    	ChangeLog
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b0694b9e98ee64cb25490de0921ce307f3872749

commit b0694b9e98ee64cb25490de0921ce307f3872749
Author: Roland McGrath
Date:   Thu Sep 11 16:02:17 2014 -0700

    Move findidx nested functions to top-level.

    Needed in order to backport strxfrm_l security fix cleanly.

    (cherry picked from commit 8c0ab919f63dc03a420751172602a52d2bea59a8)

    Conflicts:
    	ChangeLog

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                              |  77 +++++
 NEWS                                   |   8 +-
 locale/weight.h                        |  13 +-
 locale/weightwc.h                      |  13 +-
 localedata/sort-test.sh                |   7 +
 localedata/xfrm-test.c                 |  52 +++-
 posix/fnmatch.c                        |   8 +
 posix/fnmatch_loop.c                   |  17 +-
 posix/regcomp.c                        |  10 +-
 posix/regex_internal.h                 |   7 +-
 posix/regexec.c                        |   8 +-
 stdio-common/tst-sscanf.c              |  33 +++
 stdio-common/vfscanf.c                 |  12 +-
 string/strcoll_l.c                     |   9 +-
 string/strxfrm_l.c                     | 491 +++++++++++++++++++++++++-------
 sysdeps/x86_64/multiarch/init-arch.c   |   9 +-
 sysdeps/x86_64/multiarch/init-arch.h   |   4 +
 sysdeps/x86_64/multiarch/memcpy.S      |   2 +-
 sysdeps/x86_64/multiarch/memcpy_chk.S  |   2 +-
 sysdeps/x86_64/multiarch/memmove.c     |   2 +-
 sysdeps/x86_64/multiarch/memmove_chk.c |   2 +-
 sysdeps/x86_64/multiarch/mempcpy.S     |   2 +-
 sysdeps/x86_64/multiarch/mempcpy_chk.S |   2 +-
 23 files changed, 642 insertions(+), 148 deletions(-)
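The strxfrm_l commit message above describes the shape of the fix: a fixed-size stack cache of weight indices, with a slower non-caching path taken whenever the input does not fit, so the stack allocation never depends on input length. The C program below is an added illustration of that structure and is not glibc's code; the collation table, findidx, the two passes, CACHE_SIZE and the toy_strxfrm entry point are all constructed stand-ins for the real locale data and functions.

```c
#include <stddef.h>
#include <string.h>
/* Constructed toy collation table standing in for the locale data that
   strxfrm_l consults (weight and rule indices); not glibc code. */
struct elem { unsigned char ch, w[2]; };       /* w[0] primary, w[1] secondary */
static const struct elem TABLE[] = {
    {'a',{1,1}}, {'A',{1,2}}, {'b',{2,1}}, {'B',{2,2}}, {'n',{3,1}}, {'N',{3,2}},
};
#define NPASS 2
#define CACHE_SIZE 8   /* fixed size, independent of the input length */
/* The lookup the cache exists to avoid repeating; unknown bytes map to 0. */
static size_t findidx(unsigned char c) {
    for (size_t i = 0; i < sizeof TABLE / sizeof *TABLE; i++) if (TABLE[i].ch == c) return i;
    return 0;
}
/* Always count the byte, store it only if it fits (strxfrm's return contract). */
static size_t put(char *dest, size_t n, size_t pos, unsigned char w) {
    if (pos < n) dest[pos] = (char)w;
    return pos + 1;
}
/* Cached path: findidx once per character, indices reused by every pass. */
static size_t do_xfrm_cached(const char *src, size_t len, char *dest, size_t n) {
    size_t idx[CACHE_SIZE], pos = 0;
    for (size_t i = 0; i < len; i++) idx[i] = findidx((unsigned char)src[i]);
    for (int p = 0; p < NPASS; p++) {
        for (size_t i = 0; i < len; i++) pos = put(dest, n, pos, TABLE[idx[i]].w[p]);
        pos = put(dest, n, pos, 1);                    /* pass separator */
    }
    return pos;
}

/* Uncached path: recompute the index for every character in every pass. */
static size_t do_xfrm(const char *src, size_t len, char *dest, size_t n) {
    size_t pos = 0;
    for (int p = 0; p < NPASS; p++) {
        for (size_t i = 0; i < len; i++)
            pos = put(dest, n, pos, TABLE[findidx((unsigned char)src[i])].w[p]);
        pos = put(dest, n, pos, 1);
    }
    return pos;
}

/* Dispatch: long input takes the slower path, never an input-sized stack array. */
size_t toy_strxfrm(char *dest, const char *src, size_t n, int *used_cache) {
    size_t len = strlen(src);
    *used_cache = len <= CACHE_SIZE;
    size_t pos = *used_cache ? do_xfrm_cached(src, len, dest, n) : do_xfrm(src, len, dest, n);
    if (pos < n) dest[pos] = '\0';
    return pos;
}
```

Both paths produce byte-identical output, which is what the added xfrm-test.c run (strings padded with spaces past the cache size) checks in the real fix.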