fix CVE-2020-6096 and some bugs

wangshuo 2020-07-24 09:53:41 +08:00
parent ed4da6c78e
commit 817b947c74
6 changed files with 4075 additions and 1 deletions

Fix-CVE-2020-6096-001.patch Normal file

@ -0,0 +1,189 @@
From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
From: Evgeny Eremin <e.eremin@omprussia.ru>
Date: Wed, 8 Jul 2020 14:18:19 +0200
Subject: [PATCH] arm: CVE-2020-6096: fix memcpy and memmove for negative
length [BZ #25620]
Unsigned branch instructions could be used for r2 to fix the wrong
behavior when a negative length is passed to memcpy and memmove.
This commit fixes the generic arm implementation of memcpy amd memmove.
---
sysdeps/arm/memcpy.S | 24 ++++++++++--------------
sysdeps/arm/memmove.S | 24 ++++++++++--------------
2 files changed, 20 insertions(+), 28 deletions(-)
diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
index 510e8adaf2..bcfbc51d99 100644
--- a/sysdeps/arm/memcpy.S
+++ b/sysdeps/arm/memcpy.S
@@ -68,7 +68,7 @@ ENTRY(memcpy)
cfi_remember_state
subs r2, r2, #4
- blt 8f
+ blo 8f
ands ip, r0, #3
PLD( pld [r1, #0] )
bne 9f
@@ -82,7 +82,7 @@ ENTRY(memcpy)
cfi_rel_offset (r6, 4)
cfi_rel_offset (r7, 8)
cfi_rel_offset (r8, 12)
- blt 5f
+ blo 5f
CALGN( ands ip, r1, #31 )
CALGN( rsb r3, ip, #32 )
@@ -98,9 +98,9 @@ ENTRY(memcpy)
#endif
PLD( pld [r1, #0] )
-2: PLD( subs r2, r2, #96 )
+2: PLD( cmp r2, #96 )
PLD( pld [r1, #28] )
- PLD( blt 4f )
+ PLD( blo 4f )
PLD( pld [r1, #60] )
PLD( pld [r1, #92] )
@@ -108,9 +108,7 @@ ENTRY(memcpy)
4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
subs r2, r2, #32
stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
- bge 3b
- PLD( cmn r2, #96 )
- PLD( bge 4b )
+ bhs 3b
5: ands ip, r2, #28
rsb ip, ip, #32
@@ -222,7 +220,7 @@ ENTRY(memcpy)
strbge r4, [r0], #1
subs r2, r2, ip
strb lr, [r0], #1
- blt 8b
+ blo 8b
ands ip, r1, #3
beq 1b
@@ -236,7 +234,7 @@ ENTRY(memcpy)
.macro forward_copy_shift pull push
subs r2, r2, #28
- blt 14f
+ blo 14f
CALGN( ands ip, r1, #31 )
CALGN( rsb ip, ip, #32 )
@@ -253,9 +251,9 @@ ENTRY(memcpy)
cfi_rel_offset (r10, 16)
PLD( pld [r1, #0] )
- PLD( subs r2, r2, #96 )
+ PLD( cmp r2, #96 )
PLD( pld [r1, #28] )
- PLD( blt 13f )
+ PLD( blo 13f )
PLD( pld [r1, #60] )
PLD( pld [r1, #92] )
@@ -280,9 +278,7 @@ ENTRY(memcpy)
mov ip, ip, PULL #\pull
orr ip, ip, lr, PUSH #\push
stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
- bge 12b
- PLD( cmn r2, #96 )
- PLD( bge 13b )
+ bhs 12b
pop {r5 - r8, r10}
cfi_adjust_cfa_offset (-20)
diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
index 954037ef3a..0d07b76ee6 100644
--- a/sysdeps/arm/memmove.S
+++ b/sysdeps/arm/memmove.S
@@ -85,7 +85,7 @@ ENTRY(memmove)
add r1, r1, r2
add r0, r0, r2
subs r2, r2, #4
- blt 8f
+ blo 8f
ands ip, r0, #3
PLD( pld [r1, #-4] )
bne 9f
@@ -99,7 +99,7 @@ ENTRY(memmove)
cfi_rel_offset (r6, 4)
cfi_rel_offset (r7, 8)
cfi_rel_offset (r8, 12)
- blt 5f
+ blo 5f
CALGN( ands ip, r1, #31 )
CALGN( sbcsne r4, ip, r2 ) @ C is always set here
@@ -114,9 +114,9 @@ ENTRY(memmove)
#endif
PLD( pld [r1, #-4] )
-2: PLD( subs r2, r2, #96 )
+2: PLD( cmp r2, #96 )
PLD( pld [r1, #-32] )
- PLD( blt 4f )
+ PLD( blo 4f )
PLD( pld [r1, #-64] )
PLD( pld [r1, #-96] )
@@ -124,9 +124,7 @@ ENTRY(memmove)
4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
subs r2, r2, #32
stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
- bge 3b
- PLD( cmn r2, #96 )
- PLD( bge 4b )
+ bhs 3b
5: ands ip, r2, #28
rsb ip, ip, #32
@@ -237,7 +235,7 @@ ENTRY(memmove)
strbge r4, [r0, #-1]!
subs r2, r2, ip
strb lr, [r0, #-1]!
- blt 8b
+ blo 8b
ands ip, r1, #3
beq 1b
@@ -251,7 +249,7 @@ ENTRY(memmove)
.macro backward_copy_shift push pull
subs r2, r2, #28
- blt 14f
+ blo 14f
CALGN( ands ip, r1, #31 )
CALGN( rsb ip, ip, #32 )
@@ -268,9 +266,9 @@ ENTRY(memmove)
cfi_rel_offset (r10, 16)
PLD( pld [r1, #-4] )
- PLD( subs r2, r2, #96 )
+ PLD( cmp r2, #96 )
PLD( pld [r1, #-32] )
- PLD( blt 13f )
+ PLD( blo 13f )
PLD( pld [r1, #-64] )
PLD( pld [r1, #-96] )
@@ -295,9 +293,7 @@ ENTRY(memmove)
mov r4, r4, PUSH #\push
orr r4, r4, r3, PULL #\pull
stmdb r0!, {r4 - r8, r10, ip, lr}
- bge 12b
- PLD( cmn r2, #96 )
- PLD( bge 13b )
+ bhs 12b
pop {r5 - r8, r10}
cfi_adjust_cfa_offset (-20)
--
2.19.1
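Review bot: The memcpy.S hunks at `@@ -98` and `@@ -108` (mirrored in memmove.S at `@@ -114` and `@@ -124`) do more than swap signed for unsigned branches: `PLD( subs r2, r2, #96 )` becomes `PLD( cmp r2, #96 )` and the `PLD( cmn r2, #96 ) / PLD( bge 4b )` re-entry is dropped, so r2 is no longer biased by 96 inside the prefetch path. That matches the upstream commit named in the From line, but the page does not show the surrounding loop, so confirm the backport is verbatim upstream rather than re-derived, since a hand-edited ARM copy loop is hard to validate without an armv7 build. The same applies to Fix-CVE-2020-6096-002.patch: both patches touch only `sysdeps/arm/`, so on a non-arm build of this package they are applied but never compiled, and the only check they receive is that they apply cleanly. If the upstream series for BZ #25620 carried a regression test for negative lengths, consider carrying it as well so %check exercises the fixed paths on arm builds.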

Fix-CVE-2020-6096-002.patch Normal file

@ -0,0 +1,107 @@
From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
From: Alexander Anisimov <a.anisimov@omprussia.ru>
Date: Wed, 8 Jul 2020 14:18:31 +0200
Subject: [PATCH] arm: CVE-2020-6096: Fix multiarch memcpy for negative length
[BZ #25620]
Unsigned branch instructions could be used for r2 to fix the wrong
behavior when a negative length is passed to memcpy.
This commit fixes the armv7 version.
---
sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
index bf4ac7077f..379bb56fc9 100644
--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
@@ -268,7 +268,7 @@ ENTRY(memcpy)
mov dst, dstin /* Preserve dstin, we need to return it. */
cmp count, #64
- bge .Lcpy_not_short
+ bhs .Lcpy_not_short
/* Deal with small copies quickly by dropping straight into the
exit block. */
@@ -351,10 +351,10 @@ ENTRY(memcpy)
1:
subs tmp2, count, #64 /* Use tmp2 for count. */
- blt .Ltail63aligned
+ blo .Ltail63aligned
cmp tmp2, #512
- bge .Lcpy_body_long
+ bhs .Lcpy_body_long
.Lcpy_body_medium: /* Count in tmp2. */
#ifdef USE_VFP
@@ -378,7 +378,7 @@ ENTRY(memcpy)
add src, src, #64
vstr d1, [dst, #56]
add dst, dst, #64
- bge 1b
+ bhs 1b
tst tmp2, #0x3f
beq .Ldone
@@ -412,7 +412,7 @@ ENTRY(memcpy)
ldrd A_l, A_h, [src, #64]!
strd A_l, A_h, [dst, #64]!
subs tmp2, tmp2, #64
- bge 1b
+ bhs 1b
tst tmp2, #0x3f
bne 1f
ldr tmp2,[sp], #FRAME_SIZE
@@ -482,7 +482,7 @@ ENTRY(memcpy)
add src, src, #32
subs tmp2, tmp2, #prefetch_lines * 64 * 2
- blt 2f
+ blo 2f
1:
cpy_line_vfp d3, 0
cpy_line_vfp d4, 64
@@ -494,7 +494,7 @@ ENTRY(memcpy)
add dst, dst, #2 * 64
add src, src, #2 * 64
subs tmp2, tmp2, #prefetch_lines * 64
- bge 1b
+ bhs 1b
2:
cpy_tail_vfp d3, 0
@@ -615,8 +615,8 @@ ENTRY(memcpy)
1:
pld [src, #(3 * 64)]
subs count, count, #64
- ldrmi tmp2, [sp], #FRAME_SIZE
- bmi .Ltail63unaligned
+ ldrlo tmp2, [sp], #FRAME_SIZE
+ blo .Ltail63unaligned
pld [src, #(4 * 64)]
#ifdef USE_NEON
@@ -633,7 +633,7 @@ ENTRY(memcpy)
neon_load_multi d0-d3, src
neon_load_multi d4-d7, src
subs count, count, #64
- bmi 2f
+ blo 2f
1:
pld [src, #(4 * 64)]
neon_store_multi d0-d3, dst
@@ -641,7 +641,7 @@ ENTRY(memcpy)
neon_store_multi d4-d7, dst
neon_load_multi d4-d7, src
subs count, count, #64
- bpl 1b
+ bhs 1b
2:
neon_store_multi d0-d3, dst
neon_store_multi d4-d7, dst
--
2.19.1


@ -0,0 +1,36 @@
From ede56038e50235cd1ca7de3602c9491d3b84b49b Mon Sep 17 00:00:00 2001
From: Joseph Myers <joseph@codesourcery.com>
Date: Thu, 9 Jul 2020 21:51:49 +0000
Subject: [PATCH] Fix double free in __printf_fp_l (bug 26214).
__printf_fp_l has a double free bug in the case where it allocates
memory with malloc internally, then has an I/O error while outputting
trailing padding and tries to free that already-freed memory when the
error occurs. This patch fixes this by setting the relevant pointer
to NULL after the first free (the only free of this pointer that isn't
immediately followed by returning from the function).
note that this patch is parts of the origin one.
Tested for x86_64 and x86.
---
stdio-common/printf_fp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/stdio-common/printf_fp.c b/stdio-common/printf_fp.c
index 66ab59ba..c310eb8e 100644
--- a/stdio-common/printf_fp.c
+++ b/stdio-common/printf_fp.c
@@ -1250,6 +1250,9 @@ __printf_fp_l (FILE *fp, locale_t loc,
{
free (buffer);
free (wbuffer);
+ /* Avoid a double free if the subsequent PADN encounters an
+ I/O error. */
+ wbuffer = NULL;
}
}
--
2.23.0
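Review bot: The header line "note that this patch is parts of the origin one" and the diffstat (only `stdio-common/printf_fp.c`) show this backport was trimmed; as far as I recall the upstream commits for bugs 26214 and 26215 also add regression tests under `stdio-common/`, and dropping them means %check never exercises the I/O-error path that triggered the double free. The same trimming applies to Fix-memory-leak-in-__printf_fp_l-bug-26215.patch below. The code change itself is sound: `wbuffer = NULL;` after the free makes the later `free (wbuffer)` in the PADN error macro a no-op, and `__printf_fp_l` continues outside the hunk so no other free of this pointer is visible here. If the tests cannot be carried, a one-line note in the patch header saying why (e.g. test harness not present in 2.31) would help the next rebase.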


@ -0,0 +1,87 @@
From 90663e9c814a919fa1fb41a878c06ef2fae58ed2 Mon Sep 17 00:00:00 2001
From: Joseph Myers <joseph@codesourcery.com>
Date: Thu, 9 Jul 2020 21:52:24 +0000
Subject: [PATCH] Fix memory leak in __printf_fp_l (bug 26215).
__printf_fp_l has a memory leak in the case of some I/O errors, where
both buffer and wbuffer have been malloced but the handling of I/O
errors only frees wbuffer. This patch fixes this by moving the
declaration of buffer to an outer scope and ensuring that it is freed
when wbuffer is freed.
note that this patch is parts of the origin one.
Tested for x86_64 and x86.
---
stdio-common/printf_fp.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/stdio-common/printf_fp.c b/stdio-common/printf_fp.c
index c310eb8e..b88e9cc6 100644
--- a/stdio-common/printf_fp.c
+++ b/stdio-common/printf_fp.c
@@ -72,7 +72,10 @@
if (putc (outc, fp) == EOF) \
{ \
if (buffer_malloced) \
- free (wbuffer); \
+ { \
+ free (buffer); \
+ free (wbuffer); \
+ } \
return -1; \
} \
++done; \
@@ -87,7 +90,10 @@
if (PUT (fp, wide ? (const char *) wptr : ptr, outlen) != outlen) \
{ \
if (buffer_malloced) \
- free (wbuffer); \
+ { \
+ free (buffer); \
+ free (wbuffer); \
+ } \
return -1; \
} \
ptr += outlen; \
@@ -110,7 +116,10 @@
if (PAD (fp, ch, len) != len) \
{ \
if (buffer_malloced) \
- free (wbuffer); \
+ { \
+ free (buffer); \
+ free (wbuffer); \
+ } \
return -1; \
} \
done += len; \
@@ -259,7 +268,8 @@ __printf_fp_l (FILE *fp, locale_t loc,
/* Buffer in which we produce the output. */
wchar_t *wbuffer = NULL;
- /* Flag whether wbuffer is malloc'ed or not. */
+ char *buffer = NULL;
+ /* Flag whether wbuffer and buffer are malloc'ed or not. */
int buffer_malloced = 0;
p.expsign = 0;
@@ -1172,7 +1182,6 @@ __printf_fp_l (FILE *fp, locale_t loc,
PADN ('0', width);
{
- char *buffer = NULL;
char *buffer_end = NULL;
char *cp = NULL;
char *tmpptr;
@@ -1252,6 +1261,7 @@ __printf_fp_l (FILE *fp, locale_t loc,
free (wbuffer);
/* Avoid a double free if the subsequent PADN encounters an
I/O error. */
+ buffer = NULL;
wbuffer = NULL;
}
}
--
2.23.0



@ -59,7 +59,7 @@
##############################################################################
Name: glibc
Version: 2.31
Release: 1
Release: 2
Summary: The GNU libc libraries
License: %{all_license}
URL: http://www.gnu.org/software/glibc/
@ -84,6 +84,11 @@ Patch6005: x86-64-Use-RDX_LP-on-__x86_shared_non_temporal_thres.patch
Patch6006: x86_64-Use-xmmN-with-vpxor-to-clear-a-vector-registe.patch
Patch6007: nptl-Don-t-madvise-user-provided-stack.patch
Patch6008: turn-REP_STOSB_THRESHOLD-from-2k-to-1M.patch
Patch6009: Fix-strtod-multiple-precision-division-bug-bug-26137.patch
Patch6010: Fix-double-free-in-__printf_fp_l-bug-26214.patch
Patch6011: Fix-memory-leak-in-__printf_fp_l-bug-26215.patch
Patch6012: Fix-CVE-2020-6096-001.patch
Patch6013: Fix-CVE-2020-6096-002.patch
Patch9000: delete-no-hard-link-to-avoid-all_language-package-to.patch
@ -1162,6 +1167,10 @@ fi
%doc hesiod/README.hesiod
%changelog
* Fri Jul 24 2020 Wang Shuo<wangshuo_1994@foxmail.com> - 2.31-2
- fix CVE-2020-6096
- fix bugzilla 26137, 26214 and 26215
* Thu Jul 9 2020 wuxu<wuxu.wu@hotmail.com> - 2.31-1
- upgrade glibc to 2.31-1
- delete build-locale-archive command
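Review bot: The new `Patch6009`–`Patch6013` tags at `@ -84,6 +84,11` declare the backports, but no `%prep` hunk is shown; if this spec applies patches with explicit `%patch` lines rather than `%autosetup`/`%autopatch`, matching `%patch6010 -p1` … `%patch6013 -p1` entries are needed or the CVE fix is declared yet never applied. The changelog line `- fix CVE-2020-6096` could also name the upstream commits the patch files carry in their From lines (79a4fa341b8a and beea36105072), which makes later rebases easier to audit. Patch6009 (bug 26137) is the diff suppressed on this page, so it could not be reviewed here.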