
[glibc] 01/01: Fix backtrace hang on armel/armhf, possibly causing a minor denial-of-service vulnerability (CVE-2016-6323). Closes: #834752.



This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch jessie
in repository glibc.

commit 2f4445ac9243c4d11adafd895f955ce83610062b
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Fri Aug 19 09:33:49 2016 +0200

    Fix backtrace hang on armel/armhf, possibly causing a minor denial-of-service vulnerability (CVE-2016-6323).  Closes: #834752.
---
 debian/changelog                |  2 ++
 debian/patches/git-updates.diff | 44 +++++++++++++++++++++++++++++++++++++----
 2 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 89fe119..bf495d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 glibc (2.19-18+deb8u6) UNRELEASED; urgency=medium
 
   * Update from upstream stable branch:
+    - Fix backtrace hang on armel/armhf, possibly causing a minor
+      denial-of-service vulnerability (CVE-2016-6323).  Closes: #834752.
     - Fix open and openat functions with O_TMPFILE.  Closes: #832521.
     - Drop debian/patches/any/cvs-ld_pointer_guard.diff (merged upstream).
     - Drop debian/patches/any/cvs-mangle-tls_dtor_list.diff (merged upstream).
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 5e71afb..d2d83f7 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,16 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from glibc-2.19
 
 diff --git a/ChangeLog b/ChangeLog
-index 81c393a..3d2063b 100644
+index 81c393a..30da116 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,616 @@
+@@ -1,3 +1,622 @@
++2016-08-15  Andreas Schwab  <schwab@suse.de>
++
++	[BZ #20435]
++	* ports/sysdeps/unix/sysv/linux/arm/setcontext.S (__startcontext):
++	Mark as .cantunwind.
++
 +2015-02-24  Eric Rannaud  <e@nanocritical.com>
 +
 +	[BZ #17523]
@@ -622,10 +628,10 @@ index 81c393a..3d2063b 100644
  
  	[BZ #16529]
 diff --git a/NEWS b/NEWS
-index 98b479e..473e35a 100644
+index 98b479e..a1bb834 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,98 @@ See the end for copying conditions.
+@@ -5,6 +5,104 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -720,6 +726,12 @@ index 98b479e..473e35a 100644
 +* The Sun RPC UDP client could exhaust all available stack space when
 +  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
 +  alloca plugin for GCC.  (CVE-2016-4429)
++
++* On ARM EABI (32-bit), generating a backtrace for execution contexts which
++  have been created with makecontext could fail to terminate due to a
++  missing .cantunwind annotation.  This has been observed to lead to a hang
++  (denial of service) in some Go applications compiled with gccgo.  Reported
++  by Andreas Schwab.  (CVE-2016-6323)
 +
  Version 2.19
  
@@ -3356,6 +3368,30 @@ index f6903b5..fed1dcb 100644
  #   define SINGLE_THREAD_P_PIC(x) SINGLE_THREAD_P
  #  endif
  # endif
+diff --git a/ports/sysdeps/unix/sysv/linux/arm/setcontext.S b/ports/sysdeps/unix/sysv/linux/arm/setcontext.S
+index 7b9b511..7da16a9 100644
+--- a/ports/sysdeps/unix/sysv/linux/arm/setcontext.S
++++ b/ports/sysdeps/unix/sysv/linux/arm/setcontext.S
+@@ -86,12 +86,19 @@ weak_alias(__setcontext, setcontext)
+ 
+ 	/* Called when a makecontext() context returns.  Start the
+ 	   context in R4 or fall through to exit().  */
++	/* Unwind descriptors are looked up based on PC - 2, so we have to
++	   make sure to mark the instruction preceding the __startcontext
++	   label as .cantunwind.  */
++	.fnstart
++	.cantunwind
++	nop
+ ENTRY(__startcontext)
+ 	movs    r0, r4
+ 	bne     PLTJMP(__setcontext)
+ 
+ 	@ New context was 0 - exit
+ 	b       PLTJMP(HIDDEN_JUMPTARGET(_exit))
++	.fnend
+ END(__startcontext)
+ 
+ #ifdef PIC
 diff --git a/ports/sysdeps/unix/sysv/linux/generic/open.c b/ports/sysdeps/unix/sysv/linux/generic/open.c
 index 4f73fa0..b4c6834 100644
 --- a/ports/sysdeps/unix/sysv/linux/generic/open.c
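Review bot: The comment added above `.fnstart` in the setcontext.S section explains the PC - 2 lookup, but it does not say that the `nop` is padding whose only job is to put the address just before `__startcontext` inside the `.cantunwind` region. A later cleanup could therefore drop the `nop` and reintroduce the non-terminating backtrace (CVE-2016-6323). I would extend the comment with something like `/* The nop is padding only: it keeps the address just before __startcontext inside this .cantunwind region; do not remove. */`. `ENTRY` and `END` are defined outside this hunk, so it is worth confirming that any alignment padding `ENTRY` emits also falls between `.fnstart` and `.fnend` (it appears to, since `.fnend` follows the last branch) and that the macros' own unwind directives do not conflict with the EHABI ones. No regression test is visible in this update; a test that calls backtrace() from a makecontext-created context and checks that it returns would guard the fix.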

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git

