r5214 - in glibc-package/trunk/debian: . patches patches/any
Author: aurel32
Date: 2012-04-26 16:06:34 +0000 (Thu, 26 Apr 2012)
New Revision: 5214
Added:
glibc-package/trunk/debian/patches/any/cvs-FORTIFY_SOURCE-format-strings.diff
Modified:
glibc-package/trunk/debian/changelog
glibc-package/trunk/debian/patches/series
Log:
* patches/any/cvs-FORTIFY_SOURCE-format-strings.diff: new patch from
upstream to fix FORTIFY_SOURCE format string protection bypass. Closes:
#660611.
Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog 2012-04-26 16:02:28 UTC (rev 5213)
+++ glibc-package/trunk/debian/changelog 2012-04-26 16:06:34 UTC (rev 5214)
@@ -57,6 +57,9 @@
#667687.
* patches/any/local-disable-nscd-host-caching.diff: remove, as the host
caching issue has been fixed in the meanwhile. Closes: #669304.
+ * patches/any/cvs-FORTIFY_SOURCE-format-strings.diff: new patch from
+ upstream to fix FORTIFY_SOURCE format string protection bypass. Closes:
+ #660611.
-- Aurelien Jarno <aurel32@debian.org> Thu, 26 Apr 2012 16:37:27 +0200
Added: glibc-package/trunk/debian/patches/any/cvs-FORTIFY_SOURCE-format-strings.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-FORTIFY_SOURCE-format-strings.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-FORTIFY_SOURCE-format-strings.diff 2012-04-26 16:06:34 UTC (rev 5214)
@@ -0,0 +1,86 @@
+2012-03-02 Kees Cook <keescook@chromium.org>
+
+ [BZ #13656]
+ * stdio-common/vfprintf.c (vfprintf): Check for nargs overflow and
+ possibly allocate from heap instead of stack.
+
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
+ 0 if unknown. */
+ int readonly_format = 0;
+
++ /* For the argument descriptions, which may be allocated on the heap. */
++ void *args_malloced = NULL;
++
+ /* This table maps a character into a number representing a
+ class. In each step there is a destination label for each
+ class. */
+@@ -1647,9 +1650,10 @@ do_positional:
+ determine the size of the array needed to store the argument
+ attributes. */
+ size_t nargs = 0;
+- int *args_type;
+- union printf_arg *args_value = NULL;
++ size_t bytes_per_arg;
++ union printf_arg *args_value;
+ int *args_size;
++ int *args_type;
+
+ /* Positional parameters refer to arguments directly. This could
+ also determine the maximum number of arguments. Track the
+@@ -1698,13 +1702,38 @@ do_positional:
+
+ /* Determine the number of arguments the format string consumes. */
+ nargs = MAX (nargs, max_ref_arg);
++ /* Calculate total size needed to represent a single argument across
++ all three argument-related arrays. */
++ bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
++ + sizeof (*args_type);
++
++ /* Check for potential integer overflow. */
++ if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
++ {
++ __set_errno (ERANGE);
++ done = -1;
++ goto all_done;
++ }
+
+- /* Allocate memory for the argument descriptions. */
+- args_type = alloca (nargs * sizeof (int));
++ /* Allocate memory for all three argument arrays. */
++ if (__libc_use_alloca (nargs * bytes_per_arg))
++ args_value = alloca (nargs * bytes_per_arg);
++ else
++ {
++ args_value = args_malloced = malloc (nargs * bytes_per_arg);
++ if (args_value == NULL)
++ {
++ done = -1;
++ goto all_done;
++ }
++ }
++
++ /* Set up the remaining two arrays to each point past the end of the
++ prior array, since space for all three has been allocated now. */
++ args_size = &args_value[nargs].pa_int;
++ args_type = &args_size[nargs];
+ memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
+- nargs * sizeof (int));
+- args_value = alloca (nargs * sizeof (union printf_arg));
+- args_size = alloca (nargs * sizeof (int));
++ nargs * sizeof (*args_type));
+
+ /* XXX Could do sanity check here: If any element in ARGS_TYPE is
+ still zero after this loop, format is invalid. For now we
+@@ -1973,8 +2002,8 @@ do_positional:
+ }
+
+ all_done:
+- if (__builtin_expect (workstart != NULL, 0))
+- free (workstart);
++ free (args_malloced);
++ free (workstart);
+ /* Unlock the stream. */
+ _IO_funlockfile (s);
+ _IO_cleanup_region_end (0);
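Review bot: The product `nargs * bytes_per_arg` is recomputed three times in the allocation block (the `__libc_use_alloca` test, the `alloca` call and the `malloc` call); hoisting it into one local right after the overflow check, e.g. `size_t args_bytes = nargs * bytes_per_arg;`, ties the size that was range-checked against `SIZE_MAX / bytes_per_arg` to the size that is actually allocated and makes the check/allocate pairing easier to audit. The pointer derivations `args_size = &args_value[nargs].pa_int;` and `args_type = &args_size[nargs];` also rely on `sizeof (union printf_arg)` being a multiple of the alignment of `int`, which the union's wider members presumably guarantee but which deserves a one-line comment such as `/* union printf_arg is at least int-aligned, so the int arrays placed after it stay aligned. */`. The enclosing `vfprintf` body begins before the first hunk and ends after the last, so the `all_done` cleanup shown here is the only release path visible, and it does free both the heap fallback (`args_malloced`) and `workstart` on every exit, including the new ERANGE and malloc-failure paths.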
Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series 2012-04-26 16:02:28 UTC (rev 5213)
+++ glibc-package/trunk/debian/patches/series 2012-04-26 16:06:34 UTC (rev 5214)
@@ -338,3 +338,4 @@
any/submitted-resolv-first-query-failure.diff
any/cvs-getaddrinfo-AI_V4MAPPED.diff
any/local-linuxthreads-setclock.diff
+any/cvs-FORTIFY_SOURCE-format-strings.diff