* [PATCH 0/4][fido] Glibc security fixes
@ 2016-01-25 19:34 Armin Kuster
  2016-01-25 19:34 ` [PATCH 1/4] glibc: CVE-2015-8777 Armin Kuster
                   ` (4 more replies)
  0 siblings, 5 replies; 7+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
  To: openembedded-core

Noticed this did not hit the patchwork. Resending.

Please consider these for the next fido update.

The following changes since commit 9845a542a76156adb5aef6fd33ad5bc5777acf64:

  openssh: CVE-2016-077x (2016-01-20 17:08:30 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib akuster/fido_glibc_cve_fixes
  http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/fido_glibc_cve_fixes

Armin Kuster (4):
  glibc: CVE-2015-8777
  glibc: CVE-2015-8779
  glibc: CVE-2015-9761
  glibc: CVE_2015-8776

 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch |  176 +++
 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch |  143 ++
 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch |  282 ++++
 meta/recipes-core/glibc/glibc/CVE-2015-9761.patch | 1452 +++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.21.bb             |    4 +
 5 files changed, 2057 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761.patch

-- 
2.3.5




* [PATCH 1/4] glibc: CVE-2015-8777
  2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
@ 2016-01-25 19:34 ` Armin Kuster
  2016-01-25 19:34 ` [PATCH 2/4] glibc: CVE-2015-8779 Armin Kuster
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 7+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 143 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.21.bb             |   1 +
 2 files changed, 144 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 0000000..4041af6
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,143 @@
+From fd3a7f229e52be32414d889977fef245da6055d4 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Fri, 22 Jan 2016 20:13:00 -0800
+Subject: [PATCH 1/4] glibc: CVE-2015-8777.patch
+
+The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or
+libc6) before 2.23 allows local users to bypass a pointer-guarding protection
+mechanism via a zero value of the LD_POINTER_GUARD environment variable.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 123 ++++++++++++++++++++++
+ 2 files changed, 124 insertions(+)
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+@@ -0,0 +1,123 @@
++From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
++From: Florian Weimer <fweimer@redhat.com>
++Date: Thu, 15 Oct 2015 09:23:07 +0200
++Subject: [PATCH] Always enable pointer guard [BZ #18928]
++
++Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
++has security implications.  This commit enables pointer guard
++unconditionally, and the environment variable is now ignored.
++
++        [BZ #18928]
++        * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++        _dl_pointer_guard member.
++        * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++        initializer.
++        (security_init): Always set up pointer guard.
++        (process_envvars): Do not process LD_POINTER_GUARD.
++
++Upstream-Status: Backport
++CVE: CVE-2015-8777
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog                  | 10 ++++++++++
++ NEWS                       | 13 ++++++++-----
++ elf/rtld.c                 | 15 ++++-----------
++ sysdeps/generic/ldsodefs.h |  3 ---
++ 4 files changed, 22 insertions(+), 19 deletions(-)
++
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,14 @@
+++2015-10-15  Florian Weimer  <fweimer@redhat.com>
+++
+++   [BZ #18928]
+++   * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+++   _dl_pointer_guard member.
+++   * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+++   initializer.
+++   (security_init): Always set up pointer guard.
+++   (process_envvars): Do not process LD_POINTER_GUARD.
+++
+++
++ 2015-08-10  Maxim Ostapenko  <m.ostapenko@partner.samsung.com>
++ 
++ 	[BZ #18778]
++Index: git/NEWS
++===================================================================
++--- git.orig/NEWS
+++++ git/NEWS
++@@ -34,7 +34,10 @@ Version 2.22
++   18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
++   18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
++   18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
++-  18657, 18676, 18694, 18696.
+++  18657, 18676, 18694, 18696, 18928.
+++
+++* The LD_POINTER_GUARD environment variable can no longer be used to
+++  disable the pointer guard feature.  It is always enabled.
++ 
++ * Cache information can be queried via sysconf() function on s390 e.g. with
++   _SC_LEVEL1_ICACHE_SIZE as argument.
++Index: git/elf/rtld.c
++===================================================================
++--- git.orig/elf/rtld.c
+++++ git/elf/rtld.c
++@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
++     ._dl_hwcap_mask = HWCAP_IMPORTANT,
++     ._dl_lazy = 1,
++     ._dl_fpu_control = _FPU_DEFAULT,
++-    ._dl_pointer_guard = 1,
++     ._dl_pagesize = EXEC_PAGESIZE,
++     ._dl_inhibit_cache = 0,
++ 
++@@ -710,15 +709,12 @@ security_init (void)
++ #endif
++ 
++   /* Set up the pointer guard as well, if necessary.  */
++-  if (GLRO(dl_pointer_guard))
++-    {
++-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
++-							     stack_chk_guard);
+++  uintptr_t pointer_chk_guard
+++    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
++ #ifdef THREAD_SET_POINTER_GUARD
++-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+++  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++ #endif
++-      __pointer_chk_guard_local = pointer_chk_guard;
++-    }
+++  __pointer_chk_guard_local = pointer_chk_guard;
++ 
++   /* We do not need the _dl_random value anymore.  The less
++      information we leave behind, the better, so clear the
++@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
++ 	      GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
++ 	      break;
++ 	    }
++-
++-	  if (memcmp (envline, "POINTER_GUARD", 13) == 0)
++-	    GLRO(dl_pointer_guard) = envline[14] != '0';
++ 	  break;
++ 
++ 	case 14:
++Index: git/sysdeps/generic/ldsodefs.h
++===================================================================
++--- git.orig/sysdeps/generic/ldsodefs.h
+++++ git/sysdeps/generic/ldsodefs.h
++@@ -600,9 +600,6 @@ struct rtld_global_ro
++   /* List of auditing interfaces.  */
++   struct audit_ifaces *_dl_audit;
++   unsigned int _dl_naudit;
++-
++-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
++-  EXTERN int _dl_pointer_guard;
++ };
++ # define __rtld_global_attribute__
++ # if IS_IN (rtld)
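Review bot: The new CVE-2015-8777.patch is wrapped one level too deep. After the `From fd3a7f2...` header it opens with `Index: git/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch` against `/dev/null`, so the actual glibc changes to elf/rtld.c and sysdeps/generic/ldsodefs.h sit at `++` depth. Applied to the glibc source tree, this file would only create meta/recipes-core/glibc/glibc/CVE-2015-8777.patch there and leave the `POINTER_GUARD` handling in process_envvars untouched, so the fix would not take effect. Please regenerate the file so it starts at the upstream `From a014cecd...` header, with the Upstream-Status and CVE tags at the first level. The outer commit message is also empty apart from the Signed-off-by; a short summary of the fix would help.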
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index 3bba734..efbcc9c 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -48,6 +48,7 @@ EGLIBCPATCHES = "\
 #
 CVEPATCHES = "\
         file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
+        file://CVE-2015-8777.patch \
 "
 
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
-- 
2.3.5




* [PATCH 2/4] glibc: CVE-2015-8779
  2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
  2016-01-25 19:34 ` [PATCH 1/4] glibc: CVE-2015-8777 Armin Kuster
@ 2016-01-25 19:34 ` Armin Kuster
  2016-01-25 19:34 ` [PATCH 3/4] glibc: CVE-2015-9761 Armin Kuster
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 7+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch | 282 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.21.bb             |   1 +
 2 files changed, 283 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
new file mode 100644
index 0000000..78268c3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
@@ -0,0 +1,282 @@
+From fb410c22544dfd6cc82f59523ac9824d88880325 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Fri, 22 Jan 2016 20:19:24 -0800
+Subject: [PATCH 2/4] glibc: CVE-2015-8779
+
+A stack overflow vulnerability in the catopen function was found, causing
+applications which pass long strings to the catopen function to crash or,
+potentially execute arbitrary code.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ meta/recipes-core/glibc/glibc/CVE-2015-8779.patch | 262 ++++++++++++++++++++++
+ 2 files changed, 263 insertions(+)
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
+
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
+@@ -0,0 +1,262 @@
++From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
++From: Paul Pluzhnikov <ppluzhnikov@google.com>
++Date: Sat, 8 Aug 2015 15:53:03 -0700
++Subject: [PATCH] Fix BZ #17905
++
++Upstream-Status: Backport
++CVE: CVE-2015-8779
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog              |  8 ++++++++
++ NEWS                   |  2 +-
++ catgets/Makefile       |  9 ++++++++-
++ catgets/catgets.c      | 19 ++++++++++++-------
++ catgets/open_catalog.c | 23 ++++++++++++++---------
++ catgets/tst-catgets.c  | 31 +++++++++++++++++++++++++++++++
++ 6 files changed, 74 insertions(+), 18 deletions(-)
++
++Index: git/catgets/Makefile
++===================================================================
++--- git.orig/catgets/Makefile
+++++ git/catgets/Makefile
++@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
++ ifeq ($(run-built-tests),yes)
++ tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
++ 		 $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
+++tests-special += $(objpfx)tst-catgets-mem.out
++ endif
++ endif
++ gencat-modules	= xmalloc
++@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
++
++ generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
++ 	     test-gencat.h
+++generated += tst-catgets.mtrace tst-catgets-mem.out
+++
++ generated-dirs += de
++
++-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
+++tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
++
++ ifeq ($(run-built-tests),yes)
++ # This test just checks whether the program produces any error or not.
++@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
++ $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
++ 	$(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
++ 	$(evaluate-test)
+++
+++$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
+++	$(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
+++	$(evaluate-test)
++ endif
++Index: git/catgets/catgets.c
++===================================================================
++--- git.orig/catgets/catgets.c
+++++ git/catgets/catgets.c
++@@ -16,7 +16,6 @@
++    License along with the GNU C Library; if not, see
++    <http://www.gnu.org/licenses/>.  */
++
++-#include <alloca.h>
++ #include <errno.h>
++ #include <locale.h>
++ #include <nl_types.h>
++@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
++   __nl_catd result;
++   const char *env_var = NULL;
++   const char *nlspath = NULL;
+++  char *tmp = NULL;
++
++   if (strchr (cat_name, '/') == NULL)
++     {
++@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
++ 	{
++ 	  /* Append the system dependent directory.  */
++ 	  size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
++-	  char *tmp = alloca (len);
+++	  tmp = malloc (len);
+++
+++	  if (__glibc_unlikely (tmp == NULL))
+++	    return (nl_catd) -1;
++
++ 	  __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
++ 	  nlspath = tmp;
++@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
++
++   result = (__nl_catd) malloc (sizeof (*result));
++   if (result == NULL)
++-    /* We cannot get enough memory.  */
++-    return (nl_catd) -1;
++-
++-  if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+++    {
+++      /* We cannot get enough memory.  */
+++      result = (nl_catd) -1;
+++    }
+++  else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
++     {
++       /* Couldn't open the file.  */
++       free ((void *) result);
++-      return (nl_catd) -1;
+++      result = (nl_catd) -1;
++     }
++
+++  free (tmp);
++   return (nl_catd) result;
++ }
++
++Index: git/catgets/open_catalog.c
++===================================================================
++--- git.orig/catgets/open_catalog.c
+++++ git/catgets/open_catalog.c
++@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
++   size_t tab_size;
++   const char *lastp;
++   int result = -1;
+++  char *buf = NULL;
++
++   if (strchr (cat_name, '/') != NULL || nlspath == NULL)
++     fd = open_not_cancel_2 (cat_name, O_RDONLY);
++@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
++   if (__glibc_unlikely (bufact + (n) >= bufmax))			      \
++     {									      \
++       char *old_buf = buf;						      \
++-      bufmax += 256 + (n);						      \
++-      buf = (char *) alloca (bufmax);					      \
++-      memcpy (buf, old_buf, bufact);					      \
+++      bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax;		      \
+++      buf = realloc (buf, bufmax);					      \
+++      if (__glibc_unlikely (buf == NULL))				      \
+++	{								      \
+++	  free (old_buf);						      \
+++	  return -1;							      \
+++	}								      \
++     }
++
++       /* The RUN_NLSPATH variable contains a colon separated list of
++ 	 descriptions where we expect to find catalogs.  We have to
++ 	 recognize certain % substitutions and stop when we found the
++ 	 first existing file.  */
++-      char *buf;
++       size_t bufact;
++-      size_t bufmax;
+++      size_t bufmax = 0;
++       size_t len;
++
++-      buf = NULL;
++-      bufmax = 0;
++-
++       fd = -1;
++       while (*run_nlspath != '\0')
++ 	{
++@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
++
++   /* Avoid dealing with directories and block devices */
++   if (__builtin_expect (fd, 0) < 0)
++-    return -1;
+++    {
+++      free (buf);
+++      return -1;
+++    }
++
++   if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
++     goto close_unlock_return;
++@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
++   /* Release the lock again.  */
++  close_unlock_return:
++   close_not_cancel_no_status (fd);
+++  free (buf);
++
++   return result;
++ }
++Index: git/catgets/tst-catgets.c
++===================================================================
++--- git.orig/catgets/tst-catgets.c
+++++ git/catgets/tst-catgets.c
++@@ -1,7 +1,10 @@
+++#include <assert.h>
++ #include <mcheck.h>
++ #include <nl_types.h>
++ #include <stdio.h>
+++#include <stdlib.h>
++ #include <string.h>
+++#include <sys/resource.h>
++
++
++ static const char *msgs[] =
++@@ -12,6 +15,33 @@ static const char *msgs[] =
++ };
++ #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
++
+++
+++/* Test for unbounded alloca.  */
+++static int
+++do_bz17905 (void)
+++{
+++  char *buf;
+++  struct rlimit rl;
+++  nl_catd result;
+++
+++  const int sz = 1024 * 1024;
+++
+++  getrlimit (RLIMIT_STACK, &rl);
+++  rl.rlim_cur = sz;
+++  setrlimit (RLIMIT_STACK, &rl);
+++
+++  buf = malloc (sz + 1);
+++  memset (buf, 'A', sz);
+++  buf[sz] = '\0';
+++  setenv ("NLSPATH", buf, 1);
+++
+++  result = catopen (buf, NL_CAT_LOCALE);
+++  assert (result == (nl_catd) -1);
+++
+++  free (buf);
+++  return 0;
+++}
+++
++ #define ROUNDS 5
++
++ static int
++@@ -62,6 +92,7 @@ do_test (void)
++ 	}
++     }
++
+++  result += do_bz17905 ();
++   return result;
++ }
++
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,11 @@
+++2015-08-08  Paul Pluzhnikov  <ppluzhnikov@google.com>
+++
+++   [BZ #17905]
+++   * catgets/Makefile (tst-catgets-mem): New test.
+++   * catgets/catgets.c (catopen): Don't use unbounded alloca.
+++   * catgets/open_catalog.c (__open_catalog): Likewise.
+++   * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
+++
++ 2015-10-15  Florian Weimer  <fweimer@redhat.com>
++
++    [BZ #18928]
++Index: git/NEWS
++===================================================================
++--- git.orig/NEWS
+++++ git/NEWS
++@@ -9,7 +9,7 @@ Version 2.22.1
++
++ * The following bugs are resolved with this release:
++
++-  18778, 18781, 18787.
+++  18778, 18781, 18787, 17905.
++ \f
++ Version 2.22
++
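Review bot: As added, CVE-2015-8779.patch begins with a patch that creates `git/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch` from `/dev/null`, so the catgets/catgets.c and catgets/open_catalog.c changes that replace `alloca` with `malloc`/`realloc` are nested at `++` depth and would not be applied to the glibc sources. Please regenerate the file so it starts at the upstream `From 0f58539...` header. Separately, the NEWS hunk is taken against `Version 2.22.1` and the ChangeLog hunk uses the 2015-10-15 entry as context, while the recipe being patched is glibc_2.21.bb; check that these hunks apply to the 2.21 tree, or drop the ChangeLog and NEWS hunks from the backport.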
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index efbcc9c..afe32d5 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -49,6 +49,7 @@ EGLIBCPATCHES = "\
 CVEPATCHES = "\
         file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
         file://CVE-2015-8777.patch \
+        file://CVE-2015-8779.patch \
 "
 
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
-- 
2.3.5




* [PATCH 3/4] glibc: CVE-2015-9761
  2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
  2016-01-25 19:34 ` [PATCH 1/4] glibc: CVE-2015-8777 Armin Kuster
  2016-01-25 19:34 ` [PATCH 2/4] glibc: CVE-2015-8779 Armin Kuster
@ 2016-01-25 19:34 ` Armin Kuster
  2016-01-25 19:34 ` [PATCH 4/4] glibc: CVE_2015-8776 Armin Kuster
  2016-01-25 20:00 ` [PATCH 0/4][fido] Glibc security fixes Khem Raj
  4 siblings, 0 replies; 7+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-core/glibc/glibc/CVE-2015-9761.patch | 1452 +++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.21.bb             |    1 +
 2 files changed, 1453 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-9761.patch b/meta/recipes-core/glibc/glibc/CVE-2015-9761.patch
new file mode 100644
index 0000000..262820e
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-9761.patch
@@ -0,0 +1,1452 @@
+From 9b9738e57a358e30ca4d7731f99928715482737c Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Fri, 22 Jan 2016 20:23:04 -0800
+Subject: [PATCH 3/4] glibc: CVE-2015-9761
+
+A stack overflow vulnerability was found in nan* functions that could cause
+applications which process long strings with the nan function to crash or,
+potentially, execute arbitrary code.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ .../recipes-core/glibc/glibc/CVE-2015-9761_1.patch | 1039 ++++++++++++++++++++
+ .../recipes-core/glibc/glibc/CVE-2015-9761_2.patch |  385 ++++++++
+ meta/recipes-core/glibc/glibc_2.22.bb              |    2 +
+ 3 files changed, 1426 insertions(+)
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
+
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
+@@ -0,0 +1,1039 @@
++From e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 Mon Sep 17 00:00:00 2001
++From: Joseph Myers <joseph@codesourcery.com>
++Date: Tue, 24 Nov 2015 22:24:52 +0000
++Subject: [PATCH] Refactor strtod parsing of NaN payloads.
++
++The nan* functions handle their string argument by constructing a
++NAN(...) string on the stack as a VLA and passing it to strtod
++functions.
++
++This approach has problems discussed in bug 16961 and bug 16962: the
++stack usage is unbounded, and it gives incorrect results in certain
++cases where the argument is not a valid n-char-sequence.
++
++The natural fix for both issues is to refactor the NaN payload parsing
++out of strtod into a separate function that the nan* functions can
++call directly, so that no temporary string needs constructing on the
++stack at all.  This patch does that refactoring in preparation for
++fixing those bugs (but without actually using the new functions from
++nan* - which will also require exporting them from libc at version
++GLIBC_PRIVATE).  This patch is not intended to change any user-visible
++behavior, so no tests are added (fixes for the above bugs will of
++course add tests for them).
++
++This patch builds on my recent fixes for strtol and strtod issues in
++Turkish locales.  Given those fixes, the parsing of NaN payloads is
++locale-independent; thus, the new functions do not need to take a
++locale_t argument.
++
++Tested for x86_64, x86, mips64 and powerpc.
++
++	* stdlib/strtod_nan.c: New file.
++	* stdlib/strtod_nan_double.h: Likewise.
++	* stdlib/strtod_nan_float.h: Likewise.
++	* stdlib/strtod_nan_main.c: Likewise.
++	* stdlib/strtod_nan_narrow.h: Likewise.
++	* stdlib/strtod_nan_wide.h: Likewise.
++	* stdlib/strtof_nan.c: Likewise.
++	* stdlib/strtold_nan.c: Likewise.
++	* sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
++	* sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
++	* sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
++	* wcsmbs/wcstod_nan.c: Likewise.
++	* wcsmbs/wcstof_nan.c: Likewise.
++	* wcsmbs/wcstold_nan.c: Likewise.
++	* stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
++	strtold_nan.
++	* wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
++	wcstof_nan.
++	* include/stdlib.h (__strtof_nan): Declare and use
++	libc_hidden_proto.
++	(__strtod_nan): Likewise.
++	(__strtold_nan): Likewise.
++	(__wcstof_nan): Likewise.
++	(__wcstod_nan): Likewise.
++	(__wcstold_nan): Likewise.
++	* include/wchar.h (____wcstoull_l_internal): Declare.
++	* stdlib/strtod_l.c: Do not include <ieee754.h>.
++	(____strtoull_l_internal): Remove declaration.
++	(STRTOF_NAN): Define macro.
++	(SET_MANTISSA): Remove macro.
++	(STRTOULL): Likewise.
++	(____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
++	* stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
++	(STRTOF_NAN): Define macro.
++	(SET_MANTISSA): Remove macro.
++	* sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
++	(SET_MANTISSA): Remove macro.
++	* sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
++	macro.
++	(SET_MANTISSA): Remove macro.
++	* sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
++	macro.
++	(SET_MANTISSA): Remove macro.
++	* sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
++	(SET_MANTISSA): Remove macro.
++	* wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
++	* wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
++	* wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
++
++Upstream-Status: Backport
++CVE: CVE-2015-9761 patch #1
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog                                        | 49 ++++++++++++++++++
++ include/stdlib.h                                 | 18 +++++++
++ include/wchar.h                                  |  3 ++
++ stdlib/Makefile                                  |  1 +
++ stdlib/strtod_l.c                                | 48 ++++--------------
++ stdlib/strtod_nan.c                              | 24 +++++++++
++ stdlib/strtod_nan_double.h                       | 30 +++++++++++
++ stdlib/strtod_nan_float.h                        | 29 +++++++++++
++ stdlib/strtod_nan_main.c                         | 63 ++++++++++++++++++++++++
++ stdlib/strtod_nan_narrow.h                       | 22 +++++++++
++ stdlib/strtod_nan_wide.h                         | 22 +++++++++
++ stdlib/strtof_l.c                                | 11 +----
++ stdlib/strtof_nan.c                              | 24 +++++++++
++ stdlib/strtold_nan.c                             | 30 +++++++++++
++ sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h    | 33 +++++++++++++
++ sysdeps/ieee754/ldbl-128/strtold_l.c             | 13 +----
++ sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h | 30 +++++++++++
++ sysdeps/ieee754/ldbl-128ibm/strtold_l.c          | 10 +---
++ sysdeps/ieee754/ldbl-64-128/strtold_l.c          | 13 +----
++ sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h     | 30 +++++++++++
++ sysdeps/ieee754/ldbl-96/strtold_l.c              | 10 +---
++ wcsmbs/Makefile                                  |  1 +
++ wcsmbs/wcstod_l.c                                |  3 --
++ wcsmbs/wcstod_nan.c                              | 23 +++++++++
++ wcsmbs/wcstof_l.c                                |  3 --
++ wcsmbs/wcstof_nan.c                              | 23 +++++++++
++ wcsmbs/wcstold_l.c                               |  3 --
++ wcsmbs/wcstold_nan.c                             | 30 +++++++++++
++ 28 files changed, 504 insertions(+), 95 deletions(-)
++ create mode 100644 stdlib/strtod_nan.c
++ create mode 100644 stdlib/strtod_nan_double.h
++ create mode 100644 stdlib/strtod_nan_float.h
++ create mode 100644 stdlib/strtod_nan_main.c
++ create mode 100644 stdlib/strtod_nan_narrow.h
++ create mode 100644 stdlib/strtod_nan_wide.h
++ create mode 100644 stdlib/strtof_nan.c
++ create mode 100644 stdlib/strtold_nan.c
++ create mode 100644 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
++ create mode 100644 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
++ create mode 100644 sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
++ create mode 100644 wcsmbs/wcstod_nan.c
++ create mode 100644 wcsmbs/wcstof_nan.c
++ create mode 100644 wcsmbs/wcstold_nan.c
++
++Index: git/include/stdlib.h
++===================================================================
++--- git.orig/include/stdlib.h
+++++ git/include/stdlib.h
++@@ -203,6 +203,24 @@ libc_hidden_proto (strtoll)
++ libc_hidden_proto (strtoul)
++ libc_hidden_proto (strtoull)
++
+++extern float __strtof_nan (const char *, char **, char) internal_function;
+++extern double __strtod_nan (const char *, char **, char) internal_function;
+++extern long double __strtold_nan (const char *, char **, char)
+++     internal_function;
+++extern float __wcstof_nan (const wchar_t *, wchar_t **, wchar_t)
+++     internal_function;
+++extern double __wcstod_nan (const wchar_t *, wchar_t **, wchar_t)
+++     internal_function;
+++extern long double __wcstold_nan (const wchar_t *, wchar_t **, wchar_t)
+++     internal_function;
+++
+++libc_hidden_proto (__strtof_nan)
+++libc_hidden_proto (__strtod_nan)
+++libc_hidden_proto (__strtold_nan)
+++libc_hidden_proto (__wcstof_nan)
+++libc_hidden_proto (__wcstod_nan)
+++libc_hidden_proto (__wcstold_nan)
+++
++ extern char *__ecvt (double __value, int __ndigit, int *__restrict __decpt,
++ 		     int *__restrict __sign);
++ extern char *__fcvt (double __value, int __ndigit, int *__restrict __decpt,
++Index: git/include/wchar.h
++===================================================================
++--- git.orig/include/wchar.h
+++++ git/include/wchar.h
++@@ -52,6 +52,9 @@ extern unsigned long long int __wcstoull
++ 						   __restrict __endptr,
++ 						   int __base,
++ 						   int __group) __THROW;
+++extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
+++						       wchar_t **, int, int,
+++						       __locale_t);
++ libc_hidden_proto (__wcstof_internal)
++ libc_hidden_proto (__wcstod_internal)
++ libc_hidden_proto (__wcstold_internal)
++Index: git/stdlib/Makefile
++===================================================================
++--- git.orig/stdlib/Makefile
+++++ git/stdlib/Makefile
++@@ -51,6 +51,7 @@ routines-y	:=							      \
++ 	strtol_l strtoul_l strtoll_l strtoull_l				      \
++ 	strtof strtod strtold						      \
++ 	strtof_l strtod_l strtold_l					      \
+++	strtof_nan strtod_nan strtold_nan				      \
++ 	system canonicalize						      \
++ 	a64l l64a							      \
++ 	getsubopt xpg_basename						      \
++Index: git/stdlib/strtod_l.c
++===================================================================
++--- git.orig/stdlib/strtod_l.c
+++++ git/stdlib/strtod_l.c
++@@ -21,8 +21,6 @@
++ #include <xlocale.h>
++
++ extern double ____strtod_l_internal (const char *, char **, int, __locale_t);
++-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
++-						       int, int, __locale_t);
++
++ /* Configuration part.  These macros are defined by `strtold.c',
++    `strtof.c', `wcstod.c', `wcstold.c', and `wcstof.c' to produce the
++@@ -34,27 +32,20 @@ extern unsigned long long int ____strtou
++ # ifdef USE_WIDE_CHAR
++ #  define STRTOF	wcstod_l
++ #  define __STRTOF	__wcstod_l
+++#  define STRTOF_NAN	__wcstod_nan
++ # else
++ #  define STRTOF	strtod_l
++ #  define __STRTOF	__strtod_l
+++#  define STRTOF_NAN	__strtod_nan
++ # endif
++ # define MPN2FLOAT	__mpn_construct_double
++ # define FLOAT_HUGE_VAL	HUGE_VAL
++-# define SET_MANTISSA(flt, mant) \
++-  do { union ieee754_double u;						      \
++-       u.d = (flt);							      \
++-       u.ieee_nan.mantissa0 = (mant) >> 32;				      \
++-       u.ieee_nan.mantissa1 = (mant);					      \
++-       if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0)			      \
++-	 (flt) = u.d;							      \
++-  } while (0)
++ #endif
++ /* End of configuration part.  */
++ \f
++ #include <ctype.h>
++ #include <errno.h>
++ #include <float.h>
++-#include <ieee754.h>
++ #include "../locale/localeinfo.h"
++ #include <locale.h>
++ #include <math.h>
++@@ -105,7 +96,6 @@ extern unsigned long long int ____strtou
++ # define TOLOWER_C(Ch) __towlower_l ((Ch), _nl_C_locobj_ptr)
++ # define STRNCASECMP(S1, S2, N) \
++   __wcsncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
++-# define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, loc)
++ #else
++ # define STRING_TYPE char
++ # define CHAR_TYPE char
++@@ -117,7 +107,6 @@ extern unsigned long long int ____strtou
++ # define TOLOWER_C(Ch) __tolower_l ((Ch), _nl_C_locobj_ptr)
++ # define STRNCASECMP(S1, S2, N) \
++   __strncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
++-# define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, loc)
++ #endif
++
++
++@@ -668,33 +657,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group
++ 	  if (*cp == L_('('))
++ 	    {
++ 	      const STRING_TYPE *startp = cp;
++-	      do
++-		++cp;
++-	      while ((*cp >= L_('0') && *cp <= L_('9'))
++-		     || ({ CHAR_TYPE lo = TOLOWER (*cp);
++-			   lo >= L_('a') && lo <= L_('z'); })
++-		     || *cp == L_('_'));
++-
++-	      if (*cp != L_(')'))
++-		/* The closing brace is missing.  Only match the NAN
++-		   part.  */
++-		cp = startp;
+++          STRING_TYPE *endp;
+++          retval = STRTOF_NAN (cp + 1, &endp, L_(')'));
+++          if (*endp == L_(')'))
+++            /* Consume the closing parenthesis.  */
+++            cp = endp + 1;
++ 	      else
++-		{
++-		  /* This is a system-dependent way to specify the
++-		     bitmask used for the NaN.  We expect it to be
++-		     a number which is put in the mantissa of the
++-		     number.  */
++-		  STRING_TYPE *endp;
++-		  unsigned long long int mant;
++-
++-		  mant = STRTOULL (startp + 1, &endp, 0);
++-		  if (endp == cp)
++-		    SET_MANTISSA (retval, mant);
++-
++-		  /* Consume the closing brace.  */
++-		  ++cp;
++-		}
+++               /* Only match the NAN part.  */
+++               cp = startp;
++ 	    }
++
++ 	  if (endptr != NULL)
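Review bot: The added lines in this hunk ("STRING_TYPE *endp;" through "cp = endp + 1;", and the two lines under the "else") are indented with spaces, while the surrounding context lines are tab-indented, which suggests whitespace damage picked up during the backport. Restore the tab indentation so the if/else pairing reads at the right depth and later backports that touch this block still apply cleanly. Separately, "if (*endp == L_(')'))" dereferences endp unconditionally, so this call site depends on STRTOF_NAN always storing through a non-NULL endptr; the helper added in strtod_nan_main.c does that, and a one-line comment here saying so would make the dependency explicit.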
++Index: git/stdlib/strtod_nan.c
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan.c
++@@ -0,0 +1,24 @@
+++/* Convert string for NaN payload to corresponding NaN.  Narrow
+++   strings, double.
+++   Copyright (C) 2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#include <strtod_nan_narrow.h>
+++#include <strtod_nan_double.h>
+++
+++#define STRTOD_NAN __strtod_nan
+++#include <strtod_nan_main.c>
++Index: git/stdlib/strtod_nan_double.h
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_double.h
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN.  For double.
+++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#define FLOAT		double
+++#define SET_MANTISSA(flt, mant)				\
+++  do							\
+++    {							\
+++      union ieee754_double u;				\
+++      u.d = (flt);					\
+++      u.ieee_nan.mantissa0 = (mant) >> 32;		\
+++      u.ieee_nan.mantissa1 = (mant);			\
+++      if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0)	\
+++	(flt) = u.d;					\
+++    }							\
+++  while (0)
++Index: git/stdlib/strtod_nan_float.h
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_float.h
++@@ -0,0 +1,29 @@
+++/* Convert string for NaN payload to corresponding NaN.  For float.
+++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#define	FLOAT		float
+++#define SET_MANTISSA(flt, mant)			\
+++  do						\
+++    {						\
+++      union ieee754_float u;			\
+++      u.f = (flt);				\
+++      u.ieee_nan.mantissa = (mant);		\
+++      if (u.ieee.mantissa != 0)			\
+++	(flt) = u.f;				\
+++    }						\
+++  while (0)
++Index: git/stdlib/strtod_nan_main.c
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_main.c
++@@ -0,0 +1,63 @@
+++/* Convert string for NaN payload to corresponding NaN.
+++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#include <ieee754.h>
+++#include <locale.h>
+++#include <math.h>
+++#include <stdlib.h>
+++#include <wchar.h>
+++
+++
+++/* If STR starts with an optional n-char-sequence as defined by ISO C
+++   (a sequence of ASCII letters, digits and underscores), followed by
+++   ENDC, return a NaN whose payload is set based on STR.  Otherwise,
+++   return a default NAN.  If ENDPTR is not NULL, set *ENDPTR to point
+++   to the character after the initial n-char-sequence.  */
+++
+++internal_function
+++FLOAT
+++STRTOD_NAN (const STRING_TYPE *str, STRING_TYPE **endptr, STRING_TYPE endc)
+++{
+++  const STRING_TYPE *cp = str;
+++
+++  while ((*cp >= L_('0') && *cp <= L_('9'))
+++	 || (*cp >= L_('A') && *cp <= L_('Z'))
+++	 || (*cp >= L_('a') && *cp <= L_('z'))
+++	 || *cp == L_('_'))
+++    ++cp;
+++
+++  FLOAT retval = NAN;
+++  if (*cp != endc)
+++    goto out;
+++
+++  /* This is a system-dependent way to specify the bitmask used for
+++     the NaN.  We expect it to be a number which is put in the
+++     mantissa of the number.  */
+++  STRING_TYPE *endp;
+++  unsigned long long int mant;
+++
+++  mant = STRTOULL (str, &endp, 0);
+++  if (endp == cp)
+++    SET_MANTISSA (retval, mant);
+++
+++ out:
+++  if (endptr != NULL)
+++    *endptr = (STRING_TYPE *) cp;
+++  return retval;
+++}
+++libc_hidden_def (STRTOD_NAN)
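Review bot: strtod_nan_main.c is a template that only compiles when the including file has already defined FLOAT, STRING_TYPE, L_, STRTOULL, SET_MANTISSA and STRTOD_NAN, but nothing in the file states or checks that. A short comment above the includes listing the required macros, or an #ifndef/#error guard on STRTOD_NAN, would make a wrong include order fail with a clear message. The function comment should also say what happens to a payload wider than the target mantissa: "mant" goes from STRTOULL straight into SET_MANTISSA with no range check, so for the float variant the high bits are dropped by the bit-field assignment.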
++Index: git/stdlib/strtod_nan_narrow.h
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_narrow.h
++@@ -0,0 +1,22 @@
+++/* Convert string for NaN payload to corresponding NaN.  Narrow strings.
+++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#define STRING_TYPE char
+++#define L_(Ch) Ch
+++#define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0,	\
+++						   _nl_C_locobj_ptr)
++Index: git/stdlib/strtod_nan_wide.h
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_wide.h
++@@ -0,0 +1,22 @@
+++/* Convert string for NaN payload to corresponding NaN.  Wide strings.
+++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#define STRING_TYPE wchar_t
+++#define L_(Ch) L##Ch
+++#define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0,	\
+++						   _nl_C_locobj_ptr)
++Index: git/stdlib/strtof_l.c
++===================================================================
++--- git.orig/stdlib/strtof_l.c
+++++ git/stdlib/strtof_l.c
++@@ -20,26 +20,19 @@
++ #include <xlocale.h>
++
++ extern float ____strtof_l_internal (const char *, char **, int, __locale_t);
++-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
++-						       int, int, __locale_t);
++
++ #define	FLOAT		float
++ #define	FLT		FLT
++ #ifdef USE_WIDE_CHAR
++ # define STRTOF		wcstof_l
++ # define __STRTOF	__wcstof_l
+++# define STRTOF_NAN	__wcstof_nan
++ #else
++ # define STRTOF		strtof_l
++ # define __STRTOF	__strtof_l
+++# define STRTOF_NAN	__strtof_nan
++ #endif
++ #define	MPN2FLOAT	__mpn_construct_float
++ #define	FLOAT_HUGE_VAL	HUGE_VALF
++-#define SET_MANTISSA(flt, mant) \
++-  do { union ieee754_float u;						      \
++-       u.f = (flt);							      \
++-       u.ieee_nan.mantissa = (mant);					      \
++-       if (u.ieee.mantissa != 0)					      \
++-	 (flt) = u.f;							      \
++-  } while (0)
++
++ #include "strtod_l.c"
++Index: git/stdlib/strtof_nan.c
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtof_nan.c
++@@ -0,0 +1,24 @@
+++/* Convert string for NaN payload to corresponding NaN.  Narrow
+++   strings, float.
+++   Copyright (C) 2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#include <strtod_nan_narrow.h>
+++#include <strtod_nan_float.h>
+++
+++#define STRTOD_NAN __strtof_nan
+++#include <strtod_nan_main.c>
++Index: git/stdlib/strtold_nan.c
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtold_nan.c
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN.  Narrow
+++   strings, long double.
+++   Copyright (C) 2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#include <math.h>
+++
+++/* This function is unused if long double and double have the same
+++   representation.  */
+++#ifndef __NO_LONG_DOUBLE_MATH
+++# include <strtod_nan_narrow.h>
+++# include <strtod_nan_ldouble.h>
+++
+++# define STRTOD_NAN __strtold_nan
+++# include <strtod_nan_main.c>
+++#endif
++Index: git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
++===================================================================
++--- /dev/null
+++++ git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
++@@ -0,0 +1,33 @@
+++/* Convert string for NaN payload to corresponding NaN.  For ldbl-128.
+++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#define FLOAT		long double
+++#define SET_MANTISSA(flt, mant)				\
+++  do							\
+++    {							\
+++      union ieee854_long_double u;			\
+++      u.d = (flt);					\
+++      u.ieee_nan.mantissa0 = 0;				\
+++      u.ieee_nan.mantissa1 = 0;				\
+++      u.ieee_nan.mantissa2 = (mant) >> 32;		\
+++      u.ieee_nan.mantissa3 = (mant);			\
+++      if ((u.ieee.mantissa0 | u.ieee.mantissa1		\
+++	   | u.ieee.mantissa2 | u.ieee.mantissa3) != 0)	\
+++	(flt) = u.d;					\
+++    }							\
+++  while (0)
++Index: git/sysdeps/ieee754/ldbl-128/strtold_l.c
++===================================================================
++--- git.orig/sysdeps/ieee754/ldbl-128/strtold_l.c
+++++ git/sysdeps/ieee754/ldbl-128/strtold_l.c
++@@ -25,22 +25,13 @@
++ #ifdef USE_WIDE_CHAR
++ # define STRTOF		wcstold_l
++ # define __STRTOF	__wcstold_l
+++# define STRTOF_NAN	__wcstold_nan
++ #else
++ # define STRTOF		strtold_l
++ # define __STRTOF	__strtold_l
+++# define STRTOF_NAN	__strtold_nan
++ #endif
++ #define MPN2FLOAT	__mpn_construct_long_double
++ #define FLOAT_HUGE_VAL	HUGE_VALL
++-#define SET_MANTISSA(flt, mant) \
++-  do { union ieee854_long_double u;					      \
++-       u.d = (flt);							      \
++-       u.ieee_nan.mantissa0 = 0;					      \
++-       u.ieee_nan.mantissa1 = 0;					      \
++-       u.ieee_nan.mantissa2 = (mant) >> 32;				      \
++-       u.ieee_nan.mantissa3 = (mant);					      \
++-       if ((u.ieee.mantissa0 | u.ieee.mantissa1				      \
++-	    | u.ieee.mantissa2 | u.ieee.mantissa3) != 0)		      \
++-	 (flt) = u.d;							      \
++-  } while (0)
++
++ #include <strtod_l.c>
++Index: git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
++===================================================================
++--- /dev/null
+++++ git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN.  For ldbl-128ibm.
+++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#define FLOAT		long double
+++#define SET_MANTISSA(flt, mant)					\
+++  do								\
+++    {								\
+++      union ibm_extended_long_double u;				\
+++      u.ld = (flt);						\
+++      u.d[0].ieee_nan.mantissa0 = (mant) >> 32;			\
+++      u.d[0].ieee_nan.mantissa1 = (mant);			\
+++      if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0)	\
+++	(flt) = u.ld;						\
+++    }								\
+++  while (0)
++Index: git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
++===================================================================
++--- git.orig/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
+++++ git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
++@@ -30,25 +30,19 @@ extern long double ____new_wcstold_l (co
++ # define STRTOF		__new_wcstold_l
++ # define __STRTOF	____new_wcstold_l
++ # define ____STRTOF_INTERNAL ____wcstold_l_internal
+++# define STRTOF_NAN	__wcstold_nan
++ #else
++ extern long double ____new_strtold_l (const char *, char **, __locale_t);
++ # define STRTOF		__new_strtold_l
++ # define __STRTOF	____new_strtold_l
++ # define ____STRTOF_INTERNAL ____strtold_l_internal
+++# define STRTOF_NAN	__strtold_nan
++ #endif
++ extern __typeof (__STRTOF) STRTOF;
++ libc_hidden_proto (__STRTOF)
++ libc_hidden_proto (STRTOF)
++ #define MPN2FLOAT	__mpn_construct_long_double
++ #define FLOAT_HUGE_VAL	HUGE_VALL
++-# define SET_MANTISSA(flt, mant) \
++-  do { union ibm_extended_long_double u;				      \
++-       u.ld = (flt);							      \
++-       u.d[0].ieee_nan.mantissa0 = (mant) >> 32;			      \
++-       u.d[0].ieee_nan.mantissa1 = (mant);				      \
++-       if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0)	      \
++-	 (flt) = u.ld;							      \
++-  } while (0)
++
++ #include <strtod_l.c>
++
++Index: git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
++===================================================================
++--- git.orig/sysdeps/ieee754/ldbl-64-128/strtold_l.c
+++++ git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
++@@ -30,28 +30,19 @@ extern long double ____new_wcstold_l (co
++ # define STRTOF		__new_wcstold_l
++ # define __STRTOF	____new_wcstold_l
++ # define ____STRTOF_INTERNAL ____wcstold_l_internal
+++# define STRTOF_NAN	__wcstold_nan
++ #else
++ extern long double ____new_strtold_l (const char *, char **, __locale_t);
++ # define STRTOF		__new_strtold_l
++ # define __STRTOF	____new_strtold_l
++ # define ____STRTOF_INTERNAL ____strtold_l_internal
+++# define STRTOF_NAN	__strtold_nan
++ #endif
++ extern __typeof (__STRTOF) STRTOF;
++ libc_hidden_proto (__STRTOF)
++ libc_hidden_proto (STRTOF)
++ #define MPN2FLOAT	__mpn_construct_long_double
++ #define FLOAT_HUGE_VAL	HUGE_VALL
++-#define SET_MANTISSA(flt, mant) \
++-  do { union ieee854_long_double u;					      \
++-       u.d = (flt);							      \
++-       u.ieee_nan.mantissa0 = 0;					      \
++-       u.ieee_nan.mantissa1 = 0;					      \
++-       u.ieee_nan.mantissa2 = (mant) >> 32;				      \
++-       u.ieee_nan.mantissa3 = (mant);					      \
++-       if ((u.ieee.mantissa0 | u.ieee.mantissa1				      \
++-	    | u.ieee.mantissa2 | u.ieee.mantissa3) != 0)		      \
++-	 (flt) = u.d;							      \
++-  } while (0)
++
++ #include <strtod_l.c>
++
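Review bot: This hunk removes the local SET_MANTISSA from ldbl-64-128/strtold_l.c and defines STRTOF_NAN, but the visible changes and the ChangeLog add strtod_nan_ldouble.h only for ldbl-128, ldbl-128ibm and ldbl-96. Please confirm that an ldbl-64-128 build picks up the ldbl-128 header through the sysdeps search path when strtold_nan.c does "# include <strtod_nan_ldouble.h>", and say so in the commit message, since the removed macro here was identical to the ldbl-128 one and a missing header would only show up on those targets.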
++Index: git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
++===================================================================
++--- /dev/null
+++++ git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN.  For ldbl-96.
+++   Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#define FLOAT		long double
+++#define SET_MANTISSA(flt, mant)				\
+++  do							\
+++    {							\
+++      union ieee854_long_double u;			\
+++      u.d = (flt);					\
+++      u.ieee_nan.mantissa0 = (mant) >> 32;		\
+++      u.ieee_nan.mantissa1 = (mant);			\
+++      if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0)	\
+++	(flt) = u.d;					\
+++    }							\
+++  while (0)
++Index: git/sysdeps/ieee754/ldbl-96/strtold_l.c
++===================================================================
++--- git.orig/sysdeps/ieee754/ldbl-96/strtold_l.c
+++++ git/sysdeps/ieee754/ldbl-96/strtold_l.c
++@@ -25,19 +25,13 @@
++ #ifdef USE_WIDE_CHAR
++ # define STRTOF		wcstold_l
++ # define __STRTOF	__wcstold_l
+++# define STRTOF_NAN	__wcstold_nan
++ #else
++ # define STRTOF		strtold_l
++ # define __STRTOF	__strtold_l
+++# define STRTOF_NAN	__strtold_nan
++ #endif
++ #define MPN2FLOAT	__mpn_construct_long_double
++ #define FLOAT_HUGE_VAL	HUGE_VALL
++-#define SET_MANTISSA(flt, mant) \
++-  do { union ieee854_long_double u;					      \
++-       u.d = (flt);							      \
++-       u.ieee_nan.mantissa0 = (mant) >> 32;				      \
++-       u.ieee_nan.mantissa1 = (mant);					      \
++-       if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0)			      \
++-	 (flt) = u.d;							      \
++-  } while (0)
++
++ #include <stdlib/strtod_l.c>
++Index: git/wcsmbs/Makefile
++===================================================================
++--- git.orig/wcsmbs/Makefile
+++++ git/wcsmbs/Makefile
++@@ -39,6 +39,7 @@ routines-$(OPTION_POSIX_C_LANG_WIDE_CHAR
++ 	    wcstol wcstoul wcstoll wcstoull wcstod wcstold wcstof \
++ 	    wcstol_l wcstoul_l wcstoll_l wcstoull_l \
++ 	    wcstod_l wcstold_l wcstof_l \
+++	    wcstod_nan wcstold_nan wcstof_nan \
++ 	    wcscoll wcsxfrm \
++ 	    wcwidth wcswidth \
++ 	    wcscoll_l wcsxfrm_l \
++Index: git/wcsmbs/wcstod_l.c
++===================================================================
++--- git.orig/wcsmbs/wcstod_l.c
+++++ git/wcsmbs/wcstod_l.c
++@@ -23,9 +23,6 @@
++
++ extern double ____wcstod_l_internal (const wchar_t *, wchar_t **, int,
++ 				     __locale_t);
++-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
++-						       wchar_t **, int, int,
++-						       __locale_t);
++
++ #define	USE_WIDE_CHAR	1
++
++Index: git/wcsmbs/wcstod_nan.c
++===================================================================
++--- /dev/null
+++++ git/wcsmbs/wcstod_nan.c
++@@ -0,0 +1,23 @@
+++/* Convert string for NaN payload to corresponding NaN.  Wide strings, double.
+++   Copyright (C) 2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#include "../stdlib/strtod_nan_wide.h"
+++#include "../stdlib/strtod_nan_double.h"
+++
+++#define STRTOD_NAN __wcstod_nan
+++#include "../stdlib/strtod_nan_main.c"
++Index: git/wcsmbs/wcstof_l.c
++===================================================================
++--- git.orig/wcsmbs/wcstof_l.c
+++++ git/wcsmbs/wcstof_l.c
++@@ -25,8 +25,5 @@
++
++ extern float ____wcstof_l_internal (const wchar_t *, wchar_t **, int,
++ 				    __locale_t);
++-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
++-						       wchar_t **, int, int,
++-						       __locale_t);
++
++ #include <stdlib/strtof_l.c>
++Index: git/wcsmbs/wcstof_nan.c
++===================================================================
++--- /dev/null
+++++ git/wcsmbs/wcstof_nan.c
++@@ -0,0 +1,23 @@
+++/* Convert string for NaN payload to corresponding NaN.  Wide strings, float.
+++   Copyright (C) 2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#include "../stdlib/strtod_nan_wide.h"
+++#include "../stdlib/strtod_nan_float.h"
+++
+++#define STRTOD_NAN __wcstof_nan
+++#include "../stdlib/strtod_nan_main.c"
++Index: git/wcsmbs/wcstold_l.c
++===================================================================
++--- git.orig/wcsmbs/wcstold_l.c
+++++ git/wcsmbs/wcstold_l.c
++@@ -24,8 +24,5 @@
++
++ extern long double ____wcstold_l_internal (const wchar_t *, wchar_t **, int,
++ 					   __locale_t);
++-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
++-						       wchar_t **, int, int,
++-						       __locale_t);
++
++ #include <strtold_l.c>
++Index: git/wcsmbs/wcstold_nan.c
++===================================================================
++--- /dev/null
+++++ git/wcsmbs/wcstold_nan.c
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN.  Wide strings,
+++   long double.
+++   Copyright (C) 2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#include <math.h>
+++
+++/* This function is unused if long double and double have the same
+++   representation.  */
+++#ifndef __NO_LONG_DOUBLE_MATH
+++# include "../stdlib/strtod_nan_wide.h"
+++# include <strtod_nan_ldouble.h>
+++
+++# define STRTOD_NAN __wcstold_nan
+++# include "../stdlib/strtod_nan_main.c"
+++#endif
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,57 @@
+++2015-11-24  Joseph Myers  <joseph@codesourcery.com>
+++
+++	* stdlib/strtod_nan.c: New file.
+++	* stdlib/strtod_nan_double.h: Likewise.
+++	* stdlib/strtod_nan_float.h: Likewise.
+++	* stdlib/strtod_nan_main.c: Likewise.
+++	* stdlib/strtod_nan_narrow.h: Likewise.
+++	* stdlib/strtod_nan_wide.h: Likewise.
+++	* stdlib/strtof_nan.c: Likewise.
+++	* stdlib/strtold_nan.c: Likewise.
+++	* sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
+++	* sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
+++	* sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
+++	* wcsmbs/wcstod_nan.c: Likewise.
+++	* wcsmbs/wcstof_nan.c: Likewise.
+++	* wcsmbs/wcstold_nan.c: Likewise.
+++	* stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
+++	strtold_nan.
+++	* wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
+++	wcstof_nan.
+++	* include/stdlib.h (__strtof_nan): Declare and use
+++	libc_hidden_proto.
+++	(__strtod_nan): Likewise.
+++	(__strtold_nan): Likewise.
+++	(__wcstof_nan): Likewise.
+++	(__wcstod_nan): Likewise.
+++	(__wcstold_nan): Likewise.
+++	* include/wchar.h (____wcstoull_l_internal): Declare.
+++	* stdlib/strtod_l.c: Do not include <ieee754.h>.
+++	(____strtoull_l_internal): Remove declaration.
+++	(STRTOF_NAN): Define macro.
+++	(SET_MANTISSA): Remove macro.
+++	(STRTOULL): Likewise.
+++	(____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
+++	* stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
+++	(STRTOF_NAN): Define macro.
+++	(SET_MANTISSA): Remove macro.
+++	* sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
+++	(SET_MANTISSA): Remove macro.
+++	* sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
+++	macro.
+++	(SET_MANTISSA): Remove macro.
+++	* sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
+++	macro.
+++	(SET_MANTISSA): Remove macro.
+++	* sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
+++	(SET_MANTISSA): Remove macro.
+++	* wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
+++	* wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
+++	* wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
+++
+++ 	[BZ #19266]
+++ 	* stdlib/strtod_l.c (____STRTOF_INTERNAL): Check directly for
+++ 	upper case and lower case letters inside NAN(), not using TOLOWER.
++ 2015-08-08  Paul Pluzhnikov  <ppluzhnikov@google.com>
++
++    [BZ #17905]
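Review bot: As posted, this recipe patch does not change glibc itself. Its own hunks create patch files, as the next header "Index: git/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch" with "--- /dev/null" shows, and the glibc changes above sit one diff level further in. Applied to the glibc source tree it would add files under meta/ and leave stdlib/ and wcsmbs/ untouched, so the fix would not be in the built library. Ship the two inner patches as separate files next to the recipe and list each in the recipe's SRC_URI. In the ChangeLog hunk just above, the [BZ #19266] lines are appended after the file list with a leading space before the tab, unlike the rest of the entry; move the tag to where the entry's convention puts it and fix the whitespace.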
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
+@@ -0,0 +1,385 @@
++From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17 00:00:00 2001
++From: Joseph Myers <joseph@codesourcery.com>
++Date: Fri, 4 Dec 2015 20:36:28 +0000
++Subject: [PATCH] Fix nan functions handling of payload strings (bug 16961, bug
++ 16962).
++
++The nan, nanf and nanl functions handle payload strings by doing e.g.:
++
++  if (tagp[0] != '\0')
++    {
++      char buf[6 + strlen (tagp)];
++      sprintf (buf, "NAN(%s)", tagp);
++      return strtod (buf, NULL);
++    }
++
++This is an unbounded stack allocation based on the length of the
++argument.  Furthermore, if the argument starts with an n-char-sequence
++followed by ')', that n-char-sequence is wrongly treated as
++significant for determining the payload of the resulting NaN, when ISO
++C says the call should be equivalent to strtod ("NAN", NULL), without
++being affected by that initial n-char-sequence.  This patch fixes both
++those problems by using the __strtod_nan etc. functions recently
++factored out of strtod etc. for that purpose, with those functions
++being exported from libc at version GLIBC_PRIVATE.
++
++Tested for x86_64, x86, mips64 and powerpc.
++
++	[BZ #16961]
++	[BZ #16962]
++	* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
++	string on the stack for strtod.
++	* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
++	a string on the stack for strtof.
++	* math/s_nanl.c (__nanl): Use __strtold_nan instead of
++	constructing a string on the stack for strtold.
++	* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
++	__strtold_nan to GLIBC_PRIVATE.
++	* math/test-nan-overflow.c: New file.
++	* math/test-nan-payload.c: Likewise.
++	* math/Makefile (tests): Add test-nan-overflow and
++	test-nan-payload.
++
++Upstream-Status: Backport
++CVE: CVE-2015-9761 patch #2
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog                |  17 +++++++
++ NEWS                     |   6 +++
++ math/Makefile            |   3 +-
++ math/s_nan.c             |   9 +---
++ math/s_nanf.c            |   9 +---
++ math/s_nanl.c            |   9 +---
++ math/test-nan-overflow.c |  66 +++++++++++++++++++++++++
++ math/test-nan-payload.c  | 122 +++++++++++++++++++++++++++++++++++++++++++++++
++ stdlib/Versions          |   1 +
++ 9 files changed, 217 insertions(+), 25 deletions(-)
++ create mode 100644 math/test-nan-overflow.c
++ create mode 100644 math/test-nan-payload.c
++
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,20 @@
+++2015-12-04  Joseph Myers  <joseph@codesourcery.com>
+++
+++	[BZ #16961]
+++	[BZ #16962]
+++	* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
+++	string on the stack for strtod.
+++	* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
+++	a string on the stack for strtof.
+++	* math/s_nanl.c (__nanl): Use __strtold_nan instead of
+++	constructing a string on the stack for strtold.
+++	* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
+++	__strtold_nan to GLIBC_PRIVATE.
+++	* math/test-nan-overflow.c: New file.
+++	* math/test-nan-payload.c: Likewise.
+++	* math/Makefile (tests): Add test-nan-overflow and
+++	test-nan-payload.
+++
++ 2015-11-24  Joseph Myers  <joseph@codesourcery.com>
++
++ 	* stdlib/strtod_nan.c: New file.
++Index: git/NEWS
++===================================================================
++--- git.orig/NEWS
+++++ git/NEWS
++@@ -99,6 +99,12 @@ Version 2.22
++ \f
++ Version 2.21
++
+++Security related changes:
+++
+++* The nan, nanf and nanl functions no longer have unbounded stack usage
+++  depending on the length of the string passed as an argument to the
+++  functions.  Reported by Joseph Myers.
+++
++ * The following bugs are resolved with this release:
++
++   6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498,
++Index: git/math/Makefile
++===================================================================
++--- git.orig/math/Makefile
+++++ git/math/Makefile
++@@ -110,6 +110,7 @@ tests = test-matherr test-fenv atest-exp
++ 	test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \
++ 	test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \
++ 	test-fenv-tls test-fenv-preserve test-fenv-return test-fenvinline \
+++    test-nan-overflow test-nan-payload \
++ 	$(tests-static)
++ tests-static = test-fpucw-static test-fpucw-ieee-static
++ # We do the `long double' tests only if this data type is available and
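Review bot: The added "test-nan-overflow test-nan-payload \" continuation line in the tests list is indented with four spaces, while the neighbouring continuation lines start with a tab. Make treats both the same here, so nothing breaks, but a backport is easier to compare against the upstream commit when whitespace matches; re-indent the line with a tab.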
++Index: git/math/s_nan.c
++===================================================================
++--- git.orig/math/s_nan.c
+++++ git/math/s_nan.c
++@@ -28,14 +28,7 @@
++ double
++ __nan (const char *tagp)
++ {
++-  if (tagp[0] != '\0')
++-    {
++-      char buf[6 + strlen (tagp)];
++-      sprintf (buf, "NAN(%s)", tagp);
++-      return strtod (buf, NULL);
++-    }
++-
++-  return NAN;
+++  return __strtod_nan (tagp, NULL, 0);
++ }
++ weak_alias (__nan, nan)
++ #ifdef NO_LONG_DOUBLE
++Index: git/math/s_nanf.c
++===================================================================
++--- git.orig/math/s_nanf.c
+++++ git/math/s_nanf.c
++@@ -28,13 +28,6 @@
++ float
++ __nanf (const char *tagp)
++ {
++-  if (tagp[0] != '\0')
++-    {
++-      char buf[6 + strlen (tagp)];
++-      sprintf (buf, "NAN(%s)", tagp);
++-      return strtof (buf, NULL);
++-    }
++-
++-  return NAN;
+++  return __strtof_nan (tagp, NULL, 0);
++ }
++ weak_alias (__nanf, nanf)
++Index: git/math/s_nanl.c
++===================================================================
++--- git.orig/math/s_nanl.c
+++++ git/math/s_nanl.c
++@@ -28,13 +28,6 @@
++ long double
++ __nanl (const char *tagp)
++ {
++-  if (tagp[0] != '\0')
++-    {
++-      char buf[6 + strlen (tagp)];
++-      sprintf (buf, "NAN(%s)", tagp);
++-      return strtold (buf, NULL);
++-    }
++-
++-  return NAN;
+++  return __strtold_nan (tagp, NULL, 0);
++ }
++ weak_alias (__nanl, nanl)
++Index: git/math/test-nan-overflow.c
++===================================================================
++--- /dev/null
+++++ git/math/test-nan-overflow.c
++@@ -0,0 +1,66 @@
+++/* Test nan functions stack overflow (bug 16962).
+++   Copyright (C) 2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#include <math.h>
+++#include <stdio.h>
+++#include <string.h>
+++#include <sys/resource.h>
+++
+++#define STACK_LIM 1048576
+++#define STRING_SIZE (2 * STACK_LIM)
+++
+++static int
+++do_test (void)
+++{
+++  int result = 0;
+++  struct rlimit lim;
+++  getrlimit (RLIMIT_STACK, &lim);
+++  lim.rlim_cur = STACK_LIM;
+++  setrlimit (RLIMIT_STACK, &lim);
+++  char *nanstr = malloc (STRING_SIZE);
+++  if (nanstr == NULL)
+++    {
+++      puts ("malloc failed, cannot test");
+++      return 77;
+++    }
+++  memset (nanstr, '0', STRING_SIZE - 1);
+++  nanstr[STRING_SIZE - 1] = 0;
+++#define NAN_TEST(TYPE, FUNC)			\
+++  do						\
+++    {						\
+++      char *volatile p = nanstr;		\
+++      volatile TYPE v = FUNC (p);		\
+++      if (isnan (v))				\
+++	puts ("PASS: " #FUNC);			\
+++      else					\
+++	{					\
+++	  puts ("FAIL: " #FUNC);		\
+++	  result = 1;				\
+++	}					\
+++    }						\
+++  while (0)
+++  NAN_TEST (float, nanf);
+++  NAN_TEST (double, nan);
+++#ifndef NO_LONG_DOUBLE
+++  NAN_TEST (long double, nanl);
+++#endif
+++  return result;
+++}
+++
+++#define TEST_FUNCTION do_test ()
+++#include "../test-skeleton.c"
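Review bot: do_test calls malloc, but the file includes only <math.h>, <stdio.h>, <string.h> and <sys/resource.h> ahead of that use, so malloc has no visible declaration; add #include <stdlib.h>. The return values of getrlimit and setrlimit are also ignored: if lowering RLIMIT_STACK to STACK_LIM fails, the 2 MiB string may still fit on the stack and the test prints PASS without having exercised the bound. Check both calls and return 77, as the malloc-failure path already does, when the limit cannot be set.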
++Index: git/math/test-nan-payload.c
++===================================================================
++--- /dev/null
+++++ git/math/test-nan-payload.c
++@@ -0,0 +1,122 @@
+++/* Test nan functions payload handling (bug 16961).
+++   Copyright (C) 2015 Free Software Foundation, Inc.
+++   This file is part of the GNU C Library.
+++
+++   The GNU C Library is free software; you can redistribute it and/or
+++   modify it under the terms of the GNU Lesser General Public
+++   License as published by the Free Software Foundation; either
+++   version 2.1 of the License, or (at your option) any later version.
+++
+++   The GNU C Library is distributed in the hope that it will be useful,
+++   but WITHOUT ANY WARRANTY; without even the implied warranty of
+++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+++   Lesser General Public License for more details.
+++
+++   You should have received a copy of the GNU Lesser General Public
+++   License along with the GNU C Library; if not, see
+++   <http://www.gnu.org/licenses/>.  */
+++
+++#include <float.h>
+++#include <math.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++
+++/* Avoid built-in functions.  */
+++#define WRAP_NAN(FUNC, STR) \
+++  ({ const char *volatile wns = (STR); FUNC (wns); })
+++#define WRAP_STRTO(FUNC, STR) \
+++  ({ const char *volatile wss = (STR); FUNC (wss, NULL); })
+++
+++#define CHECK_IS_NAN(TYPE, A)			\
+++  do						\
+++    {						\
+++      if (isnan (A))				\
+++	puts ("PASS: " #TYPE " " #A);		\
+++      else					\
+++	{					\
+++	  puts ("FAIL: " #TYPE " " #A);		\
+++	  result = 1;				\
+++	}					\
+++    }						\
+++  while (0)
+++
+++#define CHECK_SAME_NAN(TYPE, A, B)			\
+++  do							\
+++    {							\
+++      if (memcmp (&(A), &(B), sizeof (A)) == 0)		\
+++	puts ("PASS: " #TYPE " " #A " = " #B);		\
+++      else						\
+++	{						\
+++	  puts ("FAIL: " #TYPE " " #A " = " #B);	\
+++	  result = 1;					\
+++	}						\
+++    }							\
+++  while (0)
+++
+++#define CHECK_DIFF_NAN(TYPE, A, B)			\
+++  do							\
+++    {							\
+++      if (memcmp (&(A), &(B), sizeof (A)) != 0)		\
+++	puts ("PASS: " #TYPE " " #A " != " #B);		\
+++      else						\
+++	{						\
+++	  puts ("FAIL: " #TYPE " " #A " != " #B);	\
+++	  result = 1;					\
+++	}						\
+++    }							\
+++  while (0)
+++
+++/* Cannot test payloads by memcmp for formats where NaNs have padding
+++   bits.  */
+++#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106)
+++
+++#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG)		\
+++  do							\
+++    {							\
+++     TYPE n123 = WRAP_NAN (FUNC, "123");		\
+++     CHECK_IS_NAN (TYPE, n123);				\
+++     TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)");	\
+++     CHECK_IS_NAN (TYPE, s123);				\
+++     TYPE n456 = WRAP_NAN (FUNC, "456");		\
+++     CHECK_IS_NAN (TYPE, n456);				\
+++     TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)");	\
+++     CHECK_IS_NAN (TYPE, s456);				\
+++     TYPE n123x = WRAP_NAN (FUNC, "123)");		\
+++     CHECK_IS_NAN (TYPE, n123x);			\
+++     TYPE nemp = WRAP_NAN (FUNC, "");			\
+++     CHECK_IS_NAN (TYPE, nemp);				\
+++     TYPE semp = WRAP_STRTO (SFUNC, "NAN()");		\
+++     CHECK_IS_NAN (TYPE, semp);				\
+++     TYPE sx = WRAP_STRTO (SFUNC, "NAN");		\
+++     CHECK_IS_NAN (TYPE, sx);				\
+++     if (CAN_TEST_EQ (MANT_DIG))			\
+++       CHECK_SAME_NAN (TYPE, n123, s123);		\
+++     if (CAN_TEST_EQ (MANT_DIG))			\
+++       CHECK_SAME_NAN (TYPE, n456, s456);		\
+++     if (CAN_TEST_EQ (MANT_DIG))			\
+++       CHECK_SAME_NAN (TYPE, nemp, semp);		\
+++     if (CAN_TEST_EQ (MANT_DIG))			\
+++       CHECK_SAME_NAN (TYPE, n123x, sx);		\
+++     CHECK_DIFF_NAN (TYPE, n123, n456);			\
+++     CHECK_DIFF_NAN (TYPE, n123, nemp);			\
+++     CHECK_DIFF_NAN (TYPE, n123, n123x);		\
+++     CHECK_DIFF_NAN (TYPE, n456, nemp);			\
+++     CHECK_DIFF_NAN (TYPE, n456, n123x);		\
+++    }							\
+++  while (0)
+++
+++static int
+++do_test (void)
+++{
+++  int result = 0;
+++  RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG);
+++  RUN_TESTS (double, strtod, nan, DBL_MANT_DIG);
+++#ifndef NO_LONG_DOUBLE
+++  RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG);
+++#endif
+++  return result;
+++}
+++
+++#define TEST_FUNCTION do_test ()
+++#include "../test-skeleton.c"
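Review bot: In RUN_TESTS the four CHECK_SAME_NAN calls are guarded by CAN_TEST_EQ (MANT_DIG), but the five CHECK_DIFF_NAN calls are not, although both macros compare with memcmp. For the formats the comment above CAN_TEST_EQ excludes (NaNs with padding bits), a difference in padding alone makes CHECK_DIFF_NAN print PASS, so those checks say nothing about the payload there. Guard them the same way, or add a comment stating that the unguarded DIFF checks are only meaningful when CAN_TEST_EQ is true.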
++Index: git/stdlib/Versions
++===================================================================
++--- git.orig/stdlib/Versions
+++++ git/stdlib/Versions
++@@ -118,5 +118,6 @@ libc {
++     # Used from other libraries
++     __libc_secure_getenv;
++     __call_tls_dtors;
+++    __strtof_nan; __strtod_nan; __strtold_nan;
++   }
++ }
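Review bot: The file created here is not a patch against the glibc sources. Its own payload begins "Index: git/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch" with "--- /dev/null", and the upstream commit by Joseph Myers (math/s_nan.c, math/s_nanf.c, math/s_nanl.c, stdlib/Versions) only appears one level further in, behind "++". Listed in CVEPATCHES as file://CVE-2015-9761.patch, it gets applied to the glibc tree, where it creates a meta/recipes-core/glibc/glibc/ directory holding CVE-2015-9761_2.patch and leaves the three nan sources unchanged, so the unbounded "char buf[6 + strlen (tagp)]" stays in the built library. Regenerate the file so the upstream diffs sit at the top level (as separate files if the fix needs more than one) and list each of them in the recipe.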
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index afe32d5..5d05f0c 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -50,6 +50,7 @@ CVEPATCHES = "\
         file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
         file://CVE-2015-8777.patch \
         file://CVE-2015-8779.patch \
+        file://CVE-2015-9761.patch \
 "
 
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
-- 
2.3.5




* [PATCH 4/4] glibc: CVE_2015-8776
  2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
                   ` (2 preceding siblings ...)
  2016-01-25 19:34 ` [PATCH 3/4] glibc: CVE-2015-9761 Armin Kuster
@ 2016-01-25 19:34 ` Armin Kuster
  2016-01-25 20:00 ` [PATCH 0/4][fido] Glibc security fixes Khem Raj
  4 siblings, 0 replies; 7+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch | 176 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.21.bb             |   1 +
 2 files changed, 177 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
new file mode 100644
index 0000000..118958f
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
@@ -0,0 +1,176 @@
+From 08564114d5c0150131ce3b29037f0202f2d4002b Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Fri, 22 Jan 2016 20:25:19 -0800
+Subject: [PATCH 4/4] glibc: CVE-2015-8776
+
+it was found that out-of-range time values passed to the strftime function may
+cause it to crash, leading to a denial of service, or potentially disclosure
+information.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ meta/recipes-core/glibc/glibc/CVE-2015-8776.patch | 155 ++++++++++++++++++++++
+ meta/recipes-core/glibc/glibc_2.22.bb             |   1 +
+ 2 files changed, 156 insertions(+)
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
+
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
+@@ -0,0 +1,155 @@
++From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
++From: Paul Pluzhnikov <ppluzhnikov@google.com>
++Date: Sat, 26 Sep 2015 13:27:48 -0700
++Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
++ segfault
++
++Upstream-Status: Backport
++CVE: CVE-2015-8776
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog           |  8 ++++++++
++ NEWS                |  2 +-
++ time/strftime_l.c   | 20 +++++++++++++-------
++ time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
++ 4 files changed, 73 insertions(+), 9 deletions(-)
++
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,11 @@
+++2015-09-26  Paul Pluzhnikov  <ppluzhnikov@google.com>
+++
+++	[BZ #18985]
+++	* time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
+++	(__strftime_internal): Likewise.
+++	* time/tst-strftime.c (do_bz18985): New test.
+++	(do_test): Call it.
+++
++ 2015-12-04  Joseph Myers  <joseph@codesourcery.com>
++
++ 	[BZ #16961]
++Index: git/time/strftime_l.c
++===================================================================
++--- git.orig/time/strftime_l.c
+++++ git/time/strftime_l.c
++@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
++      only a few elements.  Dereference the pointers only if the format
++      requires this.  Then it is ok to fail if the pointers are invalid.  */
++ # define a_wkday \
++-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
+++  ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6			     \
+++		     ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
++ # define f_wkday \
++-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
+++  ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6			     \
+++		     ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
++ # define a_month \
++-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
+++  ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11			     \
+++		     ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
++ # define f_month \
++-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
+++  ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11			     \
+++		     ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
++ # define ampm \
++   ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11		      \
++ 				 ? NLW(PM_STR) : NLW(AM_STR)))
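Review bot: The out-of-range fallback in a_wkday, f_wkday, a_month and f_month is the narrow literal "?" cast to const CHAR_T *, whereas the fallback branch further down in this file wraps its literal as L_("AMPM"). If this file is also compiled with a wide CHAR_T, the cast hands callers a narrow string to be read as wide characters, and STRLEN on it would run past the literal. L_("?") would keep the error path type-correct; please check this against upstream before carrying it in the backport.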
++@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
++ # define ap_len STRLEN (ampm)
++ #else
++ # if !HAVE_STRFTIME
++-#  define f_wkday (weekday_name[tp->tm_wday])
++-#  define f_month (month_name[tp->tm_mon])
+++#  define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6	\
+++		   ? "?" : weekday_name[tp->tm_wday])
+++#  define f_month (tp->tm_mon < 0 || tp->tm_mon > 11	\
+++		   ? "?" : month_name[tp->tm_mon])
++ #  define a_wkday f_wkday
++ #  define a_month f_month
++ #  define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
++@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
++ 		  *tzset_called = true;
++ 		}
++ # endif
++-	      zone = tzname[tp->tm_isdst];
+++	      zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
++ 	    }
++ #endif
++ 	  if (! zone)
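Review bot: The new tzname lookup only rejects tm_isdst values above 1; nothing in this hunk stops a negative tm_isdst from indexing before tzname[0]. The 0xFF half of do_bz18985 expects an empty zone, which suggests an enclosing condition already filters negatives, but that condition is outside the visible context. Please confirm it is present in the 2.21 sources this is applied to, or write the test as "tp->tm_isdst >= 0 && tp->tm_isdst <= 1".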
++Index: git/time/tst-strftime.c
++===================================================================
++--- git.orig/time/tst-strftime.c
+++++ git/time/tst-strftime.c
++@@ -4,6 +4,56 @@
++ #include <time.h>
++
++
+++static int
+++do_bz18985 (void)
+++{
+++  char buf[1000];
+++  struct tm ttm;
+++  int rc, ret = 0;
+++
+++  memset (&ttm, 1, sizeof (ttm));
+++  ttm.tm_zone = NULL;  /* Dereferenced directly if non-NULL.  */
+++  rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+++
+++  if (rc == 66)
+++    {
+++      const char expected[]
+++	= "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
+++      if (0 != strcmp (buf, expected))
+++	{
+++	  printf ("expected:\n  %s\ngot:\n  %s\n", expected, buf);
+++	  ret += 1;
+++	}
+++    }
+++  else
+++    {
+++      printf ("expected 66, got %d\n", rc);
+++      ret += 1;
+++    }
+++
+++  /* Check negative values as well.  */
+++  memset (&ttm, 0xFF, sizeof (ttm));
+++  ttm.tm_zone = NULL;  /* Dereferenced directly if non-NULL.  */
+++  rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+++
+++  if (rc == 30)
+++    {
+++      const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899  ";
+++      if (0 != strcmp (buf, expected))
+++	{
+++	  printf ("expected:\n  %s\ngot:\n  %s\n", expected, buf);
+++	  ret += 1;
+++	}
+++    }
+++  else
+++    {
+++      printf ("expected 30, got %d\n", rc);
+++      ret += 1;
+++    }
+++
+++  return ret;
+++}
+++
++ static struct
++ {
++   const char *fmt;
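Review bot: do_bz18985 hard-codes the complete output strings and their lengths (66 and 30), which bakes in 32-bit int fields (16843009 is 0x01010101), the C-locale layout of %c, and the %z rendering of a tm_gmtoff filled by memset. The property under test is only that out-of-range %a %A %b %B and %Z fields come back as "?" or empty instead of faulting. A short comment saying where 16843009, 16844909 and +467836 come from would help whoever has to debug a failure on a target whose struct tm differs.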
++@@ -104,7 +154,7 @@ do_test (void)
++ 	}
++     }
++
++-  return result;
+++  return result + do_bz18985 ();
++ }
++
++ #define TEST_FUNCTION do_test ()
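Review bot: The content added as CVE-2015-8776.patch is a mail-format commit against the layer ("Subject: [PATCH 4/4] glibc: CVE-2015-8776", with a diffstat naming glibc_2.22.bb) whose only diff creates git/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch from /dev/null; the changes to time/strftime_l.c and time/tst-strftime.c sit one level deeper, behind "++". Applied to the glibc sources through CVEPATCHES, it adds a new file under meta/ and never touches strftime_l.c, so the tm_wday, tm_mon and tm_isdst range checks are missing from the resulting build. Regenerate the file so that it starts at the upstream commit by Paul Pluzhnikov with its diff at the top level, and drop the glibc_2.22.bb diffstat, which does not match the glibc_2.21.bb change in this mail.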
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index 5d05f0c..1829647 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -51,6 +51,7 @@ CVEPATCHES = "\
         file://CVE-2015-8777.patch \
         file://CVE-2015-8779.patch \
         file://CVE-2015-9761.patch \
+        file://CVE-2015-8776.patch \
 "
 
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
-- 
2.3.5




* Re: [PATCH 0/4][fido] Glibc security fixes
  2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
                   ` (3 preceding siblings ...)
  2016-01-25 19:34 ` [PATCH 4/4] glibc: CVE_2015-8776 Armin Kuster
@ 2016-01-25 20:00 ` Khem Raj
  4 siblings, 0 replies; 7+ messages in thread
From: Khem Raj @ 2016-01-25 20:00 UTC (permalink / raw)
  To: Armin Kuster; +Cc: Patches and discussions about the oe-core layer

Patches are ok. I was wondering if BACKPORTS variable was good enough for
cve patches too. Anyway the patch name has cve information.
On Jan 25, 2016 12:35 PM, "Armin Kuster" <akuster808@gmail.com> wrote:

> noticed this did not hit the patchwork. resending.
>
> Please consider these for the next fido update.
>
> The following changes since commit
> 9845a542a76156adb5aef6fd33ad5bc5777acf64:
>
>   openssh: CVE-2016-077x (2016-01-20 17:08:30 +0000)
>
> are available in the git repository at:
>
>   git://git.yoctoproject.org/poky-contrib akuster/fido_glibc_cve_fixes
>
> http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/fido_glibc_cve_fixes
>
> Armin Kuster (4):
>   glibc: CVE-2015-8777
>   glibc: CVE-2015-8779
>   glibc: CVE-2015-9761
>   glibc: CVE_2015-8776
>
>  meta/recipes-core/glibc/glibc/CVE-2015-8776.patch |  176 +++
>  meta/recipes-core/glibc/glibc/CVE-2015-8777.patch |  143 ++
>  meta/recipes-core/glibc/glibc/CVE-2015-8779.patch |  282 ++++
>  meta/recipes-core/glibc/glibc/CVE-2015-9761.patch | 1452
> +++++++++++++++++++++
>  meta/recipes-core/glibc/glibc_2.21.bb             |    4 +
>  5 files changed, 2057 insertions(+)
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761.patch
>
> --
> 2.3.5
>

* [PATCH 2/4] glibc: CVE-2015-8779
  2016-01-25 19:25 [PATCH 0/4][jethro] " Armin Kuster
@ 2016-01-25 19:25 ` Armin Kuster
  0 siblings, 0 replies; 7+ messages in thread
From: Armin Kuster @ 2016-01-25 19:25 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

A stack overflow vulnerability in the catopen function was found, causing
applications which pass long strings to the catopen function to crash or,
potentially, execute arbitrary code.

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch | 262 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.22.bb             |   1 +
 2 files changed, 263 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
new file mode 100644
index 0000000..4dc93c7
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
@@ -0,0 +1,262 @@
+From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Sat, 8 Aug 2015 15:53:03 -0700
+Subject: [PATCH] Fix BZ #17905
+
+Upstream-Status: Backport
+CVE: CVE-2015-8779
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog              |  8 ++++++++
+ NEWS                   |  2 +-
+ catgets/Makefile       |  9 ++++++++-
+ catgets/catgets.c      | 19 ++++++++++++-------
+ catgets/open_catalog.c | 23 ++++++++++++++---------
+ catgets/tst-catgets.c  | 31 +++++++++++++++++++++++++++++++
+ 6 files changed, 74 insertions(+), 18 deletions(-)
+
+Index: git/catgets/Makefile
+===================================================================
+--- git.orig/catgets/Makefile
++++ git/catgets/Makefile
+@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
+ ifeq ($(run-built-tests),yes)
+ tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
+ 		 $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
++tests-special += $(objpfx)tst-catgets-mem.out
+ endif
+ endif
+ gencat-modules	= xmalloc
+@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
+ 
+ generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
+ 	     test-gencat.h
++generated += tst-catgets.mtrace tst-catgets-mem.out
++
+ generated-dirs += de
+ 
+-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
++tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
+ 
+ ifeq ($(run-built-tests),yes)
+ # This test just checks whether the program produces any error or not.
+@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
+ $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
+ 	$(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
+ 	$(evaluate-test)
++
++$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
++	$(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
++	$(evaluate-test)
+ endif
+Index: git/catgets/catgets.c
+===================================================================
+--- git.orig/catgets/catgets.c
++++ git/catgets/catgets.c
+@@ -16,7 +16,6 @@
+    License along with the GNU C Library; if not, see
+    <http://www.gnu.org/licenses/>.  */
+ 
+-#include <alloca.h>
+ #include <errno.h>
+ #include <locale.h>
+ #include <nl_types.h>
+@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
+   __nl_catd result;
+   const char *env_var = NULL;
+   const char *nlspath = NULL;
++  char *tmp = NULL;
+ 
+   if (strchr (cat_name, '/') == NULL)
+     {
+@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
+ 	{
+ 	  /* Append the system dependent directory.  */
+ 	  size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
+-	  char *tmp = alloca (len);
++	  tmp = malloc (len);
++
++	  if (__glibc_unlikely (tmp == NULL))
++	    return (nl_catd) -1;
+ 
+ 	  __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
+ 	  nlspath = tmp;
+@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
+ 
+   result = (__nl_catd) malloc (sizeof (*result));
+   if (result == NULL)
+-    /* We cannot get enough memory.  */
+-    return (nl_catd) -1;
+-
+-  if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
++    {
++      /* We cannot get enough memory.  */
++      result = (nl_catd) -1;
++    }
++  else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+     {
+       /* Couldn't open the file.  */
+       free ((void *) result);
+-      return (nl_catd) -1;
++      result = (nl_catd) -1;
+     }
+ 
++  free (tmp);
+   return (nl_catd) result;
+ }
+ 
+Index: git/catgets/open_catalog.c
+===================================================================
+--- git.orig/catgets/open_catalog.c
++++ git/catgets/open_catalog.c
+@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
+   size_t tab_size;
+   const char *lastp;
+   int result = -1;
++  char *buf = NULL;
+ 
+   if (strchr (cat_name, '/') != NULL || nlspath == NULL)
+     fd = open_not_cancel_2 (cat_name, O_RDONLY);
+@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
+   if (__glibc_unlikely (bufact + (n) >= bufmax))			      \
+     {									      \
+       char *old_buf = buf;						      \
+-      bufmax += 256 + (n);						      \
+-      buf = (char *) alloca (bufmax);					      \
+-      memcpy (buf, old_buf, bufact);					      \
++      bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax;		      \
++      buf = realloc (buf, bufmax);					      \
++      if (__glibc_unlikely (buf == NULL))				      \
++	{								      \
++	  free (old_buf);						      \
++	  return -1;							      \
++	}								      \
+     }
+ 
+       /* The RUN_NLSPATH variable contains a colon separated list of
+ 	 descriptions where we expect to find catalogs.  We have to
+ 	 recognize certain % substitutions and stop when we found the
+ 	 first existing file.  */
+-      char *buf;
+       size_t bufact;
+-      size_t bufmax;
++      size_t bufmax = 0;
+       size_t len;
+ 
+-      buf = NULL;
+-      bufmax = 0;
+-
+       fd = -1;
+       while (*run_nlspath != '\0')
+ 	{
+@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
+ 
+   /* Avoid dealing with directories and block devices */
+   if (__builtin_expect (fd, 0) < 0)
+-    return -1;
++    {
++      free (buf);
++      return -1;
++    }
+ 
+   if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
+     goto close_unlock_return;
+@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
+   /* Release the lock again.  */
+  close_unlock_return:
+   close_not_cancel_no_status (fd);
++  free (buf);
+ 
+   return result;
+ }
+Index: git/catgets/tst-catgets.c
+===================================================================
+--- git.orig/catgets/tst-catgets.c
++++ git/catgets/tst-catgets.c
+@@ -1,7 +1,10 @@
++#include <assert.h>
+ #include <mcheck.h>
+ #include <nl_types.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
++#include <sys/resource.h>
+ 
+ 
+ static const char *msgs[] =
+@@ -12,6 +15,33 @@ static const char *msgs[] =
+ };
+ #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
+ 
++
++/* Test for unbounded alloca.  */
++static int
++do_bz17905 (void)
++{
++  char *buf;
++  struct rlimit rl;
++  nl_catd result;
++
++  const int sz = 1024 * 1024;
++
++  getrlimit (RLIMIT_STACK, &rl);
++  rl.rlim_cur = sz;
++  setrlimit (RLIMIT_STACK, &rl);
++
++  buf = malloc (sz + 1); 
++  memset (buf, 'A', sz);
++  buf[sz] = '\0';
++  setenv ("NLSPATH", buf, 1);
++
++  result = catopen (buf, NL_CAT_LOCALE);
++  assert (result == (nl_catd) -1);
++
++  free (buf);
++  return 0;
++}
++
+ #define ROUNDS 5
+ 
+ static int
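Review bot: do_bz17905 does not check the result of malloc (sz + 1) before the memset, ignores the return values of getrlimit and setrlimit, and verifies the outcome only with assert, which compiles away under NDEBUG. If the stack limit cannot be lowered to 1 MiB, the 1 MiB NLSPATH may not exhaust the stack, and the test cannot tell a fixed catopen from an unfixed one. Fail or skip when malloc or setrlimit fails, and replace the assert with an explicit comparison that feeds the return value. The malloc line also carries a trailing space.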
+@@ -62,6 +92,7 @@ do_test (void)
+ 	}
+     }
+ 
++  result += do_bz17905 ();
+   return result;
+ }
+ 
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,11 @@
++2015-08-08  Paul Pluzhnikov  <ppluzhnikov@google.com>
++
++   [BZ #17905]
++   * catgets/Makefile (tst-catgets-mem): New test.
++   * catgets/catgets.c (catopen): Don't use unbounded alloca.
++   * catgets/open_catalog.c (__open_catalog): Likewise.
++   * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
++
+ 2015-10-15  Florian Weimer  <fweimer@redhat.com>
+ 
+    [BZ #18928]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -9,7 +9,7 @@ Version 2.22.1
+ 
+ * The following bugs are resolved with this release:
+ 
+-  18778, 18781, 18787.
++  18778, 18781, 18787, 17905.
+ \f
+ Version 2.22
+ 
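Review bot: 17905 is appended after 18787, which breaks the ascending order of the resolved-bug list in this NEWS entry; insert it before 18778. Keeping the list sorted also reduces conflicts when the next backport edits the same line.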
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index 8348313..382c992 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -42,6 +42,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
            file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \
            file://CVE-2015-8777.patch \
+           file://CVE-2015-8779.patch \
 "
 
 SRC_URI += "\
-- 
2.3.5


