
r5857 - in glibc-package/branches/glibc-branch-wheezy/debian: . patches patches/any patches/kfreebsd



Author: aurel32
Date: 2013-12-03 15:25:36 +0000 (Tue, 03 Dec 2013)
New Revision: 5857

Added:
   glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4237.diff
Removed:
   glibc-package/branches/glibc-branch-wheezy/debian/patches/kfreebsd/local-readdir_r.diff
Modified:
   glibc-package/branches/glibc-branch-wheezy/debian/changelog
   glibc-package/branches/glibc-branch-wheezy/debian/patches/series
   glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-amd64
   glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-i386
Log:
patches/any/cvs-findlocale-div-by-zero.diff: patch from upstream to fix
a SIGFPE when locale-archive has been corrupted to all zeros (Closes:
#718890, #730336). patches/kfreebsd/local-readdir_r.diff: remove
superseded by the CVE patch.



Modified: glibc-package/branches/glibc-branch-wheezy/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/changelog	2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/changelog	2013-12-03 15:25:36 UTC (rev 5857)
@@ -9,9 +9,13 @@
     addressing CVE-2013-0242 (Closes: #699399).
   * patches/cvs-CVE-2013-1914.diff: backport stack overflow fixes in
     getaddrinfo() addressing CVE-2013-1914 (Closes: #704623).
+  * patches/any/cvs-CVE-2013-4237.diff: backport buffer overwrite fix in
+    readdir_r for file systems returning file names longer than NAME_MAX
+    characters, addressing CVE-2013-4237 (Closes: #719558).
   * patches/any/cvs-findlocale-div-by-zero.diff: patch from upstream to fix
     a SIGFPE when locale-archive has been corrupted to all zeros (Closes:
-    #718890, #730336).
+    #718890, #730336). patches/kfreebsd/local-readdir_r.diff: remove
+    superseeded by the CVE patch.
   * patches/mips/cvs-prlimit64.diff: patch from upstream to fix getrlimit64
     and setrlimit64 with recent 64-bit kernels (Closes: #665897).
     

Added: glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4237.diff
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4237.diff	                        (rev 0)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4237.diff	2013-12-03 15:25:36 UTC (rev 5857)
@@ -0,0 +1,164 @@
+2013-10-10  David S. Miller  <davem@davemloft.net>
+
+	* sysdeps/posix/dirstream.h (struct __dirstream): Fix alignment of
+	directory block.
+
+2013-08-16  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #14699]
+	CVE-2013-4237
+	* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
+	member.
+	* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
+	member.
+	* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
+	* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
+	Return delayed error code.  Remove GETDENTS_64BIT_ALIGNED
+	conditional.
+	* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
+	GETDENTS_64BIT_ALIGNED.
+	* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
+	* manual/filesys.texi (Reading/Closing Directory): Document
+	ENAMETOOLONG return value of readdir_r.  Recommend readdir more
+	strongly.
+	* manual/conf.texi (Limits for Files): Add portability note to
+	NAME_MAX, PATH_MAX.
+	(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
+
+--- a/sysdeps/unix/dirstream.h
++++ b/sysdeps/unix/dirstream.h
+@@ -40,8 +40,15 @@
+ 
+     off_t filepos;		/* Position of next entry to read.  */
+ 
+-    /* Directory block.  */
+-    char data[0] __attribute__ ((aligned (__alignof__ (void*))));
++    int errcode;		/* Delayed error code.  */
++
++    /* Directory block.  We must make sure that this block starts
++       at an address that is aligned adequately enough to store
++       dirent entries.  Using the alignment of "void *" is not
++       sufficient because dirents on 32-bit platforms can require
++       64-bit alignment.  We use "long double" here to be consistent
++       with what malloc uses.  */
++    char data[0] __attribute__ ((aligned (__alignof__ (long double))));
+   };
+ 
+ #define _DIR_dirfd(dirp)	((dirp)->fd)
+--- a/sysdeps/unix/opendir.c
++++ b/sysdeps/unix/opendir.c
+@@ -210,6 +210,7 @@
+   dirp->size = 0;
+   dirp->offset = 0;
+   dirp->filepos = 0;
++  dirp->errcode = 0;
+ 
+   return dirp;
+ }
+--- a/sysdeps/unix/readdir_r.c
++++ b/sysdeps/unix/readdir_r.c
+@@ -42,6 +42,7 @@
+   DIRENT_TYPE *dp;
+   size_t reclen;
+   const int saved_errno = errno;
++  int ret;
+ 
+   __libc_lock_lock (dirp->lock);
+ 
+@@ -72,10 +73,10 @@
+ 		  bytes = 0;
+ 		  __set_errno (saved_errno);
+ 		}
++	      if (bytes < 0)
++		dirp->errcode = errno;
+ 
+ 	      dp = NULL;
+-	      /* Reclen != 0 signals that an error occurred.  */
+-	      reclen = bytes != 0;
+ 	      break;
+ 	    }
+ 	  dirp->size = (size_t) bytes;
+@@ -108,29 +109,46 @@
+       dirp->filepos += reclen;
+ #endif
+ 
+-      /* Skip deleted files.  */
++#ifdef NAME_MAX
++      if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
++	{
++	  /* The record is very long.  It could still fit into the
++	     caller-supplied buffer if we can skip padding at the
++	     end.  */
++	  size_t namelen = _D_EXACT_NAMLEN (dp);
++	  if (namelen <= NAME_MAX)
++	    reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
++	  else
++	    {
++	      /* The name is too long.  Ignore this file.  */
++	      dirp->errcode = ENAMETOOLONG;
++	      dp->d_ino = 0;
++	      continue;
++	    }
++	}
++#endif
++
++      /* Skip deleted and ignored files.  */
+     }
+   while (dp->d_ino == 0);
+ 
+   if (dp != NULL)
+     {
+-#ifdef GETDENTS_64BIT_ALIGNED
+-      /* The d_reclen value might include padding which is not part of
+-	 the DIRENT_TYPE data structure.  */
+-      reclen = MIN (reclen,
+-		    offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
+-#endif
+       *result = memcpy (entry, dp, reclen);
+-#ifdef GETDENTS_64BIT_ALIGNED
++#ifdef _DIRENT_HAVE_D_RECLEN
+       entry->d_reclen = reclen;
+ #endif
++      ret = 0;
+     }
+   else
+-    *result = NULL;
++    {
++      *result = NULL;
++      ret = dirp->errcode;
++    }
+ 
+   __libc_lock_unlock (dirp->lock);
+ 
+-  return dp != NULL ? 0 : reclen ? errno : 0;
++  return ret;
+ }
+ 
+ #ifdef __READDIR_R_ALIAS
+--- a/sysdeps/unix/rewinddir.c
++++ b/sysdeps/unix/rewinddir.c
+@@ -33,5 +33,6 @@
+   dirp->filepos = 0;
+   dirp->offset = 0;
+   dirp->size = 0;
++  dirp->errcode = 0;
+   __libc_lock_unlock (dirp->lock);
+ }
+--- a/sysdeps/unix/sysv/linux/i386/readdir64_r.c
++++ b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
+@@ -19,7 +19,6 @@
+ #define __READDIR_R __readdir64_r
+ #define __GETDENTS __getdents64
+ #define DIRENT_TYPE struct dirent64
+-#define GETDENTS_64BIT_ALIGNED 1
+ 
+ #include <sysdeps/unix/readdir_r.c>
+ 
+--- a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
++++ b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
+@@ -1,5 +1,4 @@
+ #define readdir64_r __no_readdir64_r_decl
+-#define GETDENTS_64BIT_ALIGNED 1
+ #include <sysdeps/unix/readdir_r.c>
+ #undef readdir64_r
+ weak_alias (__readdir_r, readdir64_r)
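Review bot: `dirp->errcode` is set in the readdir_r.c part of this patch (on a failed getdents and when an over-long name is skipped) but is cleared only in the opendir.c and rewinddir.c hunks, so once set it is returned on every later end-of-stream call. Nothing in this patch resets it on seekdir(), whose source is not shown here, so that path may hand back a stale code. If the stickiness is intended, the field comment should say so, for example `int errcode;  /* Delayed error code; kept until rewinddir.  */`. Separately, the new length check is compiled only under `#ifdef NAME_MAX` while the old `MIN (reclen, ...)` clamp is removed, so a build without NAME_MAX would pass `reclen` to memcpy unchecked; an `#else` branch stating that assumption would help. The body of __READDIR_R is only partly visible in these nested hunks.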

Deleted: glibc-package/branches/glibc-branch-wheezy/debian/patches/kfreebsd/local-readdir_r.diff
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/kfreebsd/local-readdir_r.diff	2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/kfreebsd/local-readdir_r.diff	2013-12-03 15:25:36 UTC (rev 5857)
@@ -1,47 +0,0 @@
----
- sysdeps/unix/readdir_r.c |   33 +++++++++++++++++++++++++--------
- 1 file changed, 25 insertions(+), 8 deletions(-)
-
---- a/sysdeps/unix/readdir_r.c
-+++ b/sysdeps/unix/readdir_r.c
-@@ -114,15 +114,32 @@
- 
-   if (dp != NULL)
-     {
--#ifdef GETDENTS_64BIT_ALIGNED
--      /* The d_reclen value might include padding which is not part of
--	 the DIRENT_TYPE data structure.  */
--      reclen = MIN (reclen,
--		    offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
--#endif
-+	/* The required size of *entry, according to POSIX, is
-+	offsetof (DIRENT_TYPE, d_name[0]) + NAME_MAX + 1.
-+	We must not write beyond the end of *entry.  On some operating
-+	systems, dp->d_reclen may be larger; in this case, copy only as
-+	many bytes as needed.  Also give an error if d_name is too long.  */
-+#ifdef _DIRENT_HAVE_D_RECLEN
-+      /* DIRENT_TYPE is of variable size, with d_name as its last entry.  */
-+      size_t namelen;
-+# ifdef _DIRENT_HAVE_D_NAMLEN
-+      namelen = dp->d_namlen;
-+# else
-+      namelen = strlen (dp->d_name);
-+# endif
-+
-+      if (namelen <= NAME_MAX)
-+	*result = memcpy (entry, dp,
-+			  offsetof (DIRENT_TYPE, d_name[0]) + namelen + 1);
-+      else
-+	{
-+          errno = EOVERFLOW;
-+          dp = NULL;
-+          *result = NULL;
-+        }
-+#else
-+      /* DIRENT_TYPE is of fixed size.  */
-       *result = memcpy (entry, dp, reclen);
--#ifdef GETDENTS_64BIT_ALIGNED
--      entry->d_reclen = reclen;
- #endif
-     }
-   else

Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series	2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series	2013-12-03 15:25:36 UTC (rev 5857)
@@ -378,4 +378,5 @@
 any/cvs-CVE-2012-44xx.diff
 any/cvs-CVE-2013-0242.diff
 any/cvs-CVE-2013-1914.diff
+any/cvs-CVE-2013-4237.diff
 any/cvs-findlocale-div-by-zero.diff

Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-amd64
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-amd64	2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-amd64	2013-12-03 15:25:36 UTC (rev 5857)
@@ -4,7 +4,6 @@
 kfreebsd/local-nosavesse.diff
 kfreebsd/local-memusage_no_mremap.diff
 kfreebsd/local-pthread_at_fork.diff
-kfreebsd/local-readdir_r.diff
 kfreebsd/local-scripts.diff
 kfreebsd/local-sys_queue_h.diff
 kfreebsd/local-sysdeps.diff

Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-i386
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-i386	2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-i386	2013-12-03 15:25:36 UTC (rev 5857)
@@ -4,7 +4,6 @@
 kfreebsd/local-nosavesse.diff
 kfreebsd/local-memusage_no_mremap.diff
 kfreebsd/local-pthread_at_fork.diff
-kfreebsd/local-readdir_r.diff
 kfreebsd/local-scripts.diff
 kfreebsd/local-sys_queue_h.diff
 kfreebsd/local-sysdeps.diff

