diff --git a/0001-correctly-check-for-out-of-bounds-allocation-reqs.patch b/0001-correctly-check-for-out-of-bounds-allocation-reqs.patch
deleted file mode 100644
index 85dfd2a..0000000
--- a/0001-correctly-check-for-out-of-bounds-allocation-reqs.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001
-From: Corinna Vinschen
-Date: Tue, 17 Nov 2020 10:50:57 +0100
-Subject: [PATCH] malloc/nano-malloc: correctly check for out-of-bounds
- allocation reqs
-CVE: CVE-2021-3420
-Reference: https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=aa106b29a6a8a1b0df9e334704292cbc32f2d44e
-
-The overflow check in mEMALIGn erroneously checks for INT_MAX,
-albeit the input parameter is size_t. Fix this to check for
-__SIZE_MAX__ instead. Also, it misses to check the req against
-adding the alignment before calling mALLOc.
-
-While at it, add out-of-bounds checks to pvALLOc, nano_memalign,
-nano_valloc, and Cygwin's (unused) dlpvalloc.
-
-Signed-off-by: Corinna Vinschen
----
- newlib/libc/stdlib/mallocr.c | 7 ++++++-
- newlib/libc/stdlib/nano-mallocr.c | 22 +++++++++++++++++++++-
- winsup/cygwin/malloc.cc | 4 ++++
- 3 files changed, 31 insertions(+), 2 deletions(-)
-
-diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
-index 26d1c89c..af877605 100644
---- a/newlib/libc/stdlib/mallocr.c
-+++ b/newlib/libc/stdlib/mallocr.c
-@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes;
- nb = request2size(bytes);
-
- /* Check for overflow. */
-- if (nb > INT_MAX || nb < bytes)
-+ if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes)
- {
- RERRNO = ENOMEM;
- return 0;
-@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes;
- #endif
- {
- size_t pagesize = malloc_getpagesize;
-+ if (bytes > __SIZE_MAX__ - pagesize)
-+ {
-+ RERRNO = ENOMEM;
-+ return 0;
-+ }
- return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1));
- }
-
-diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-mallocr.c
-index 13b72c99..edf68e7a 100644
---- a/newlib/libc/stdlib/nano-mallocr.c
-+++ b/newlib/libc/stdlib/nano-mallocr.c
-@@ -568,8 +568,22 @@ void * nano_memalign(RARG size_t align, size_t s)
- if ((align & (align-1)) != 0) return NULL;
-
- align = MAX(align, MALLOC_ALIGN);
-+
-+ /* Make sure ma_size does not overflow */
-+ if (s > __SIZE_MAX__ - CHUNK_ALIGN)
-+ {
-+ RERRNO = ENOMEM;
-+ return NULL;
-+ }
- ma_size = ALIGN_TO(MAX(s, MALLOC_MINSIZE), CHUNK_ALIGN);
-- size_with_padding = ma_size + align - MALLOC_ALIGN;
-+
-+ /* Make sure size_with_padding does not overflow */
-+ if (ma_size > __SIZE_MAX__ - (align - MALLOC_ALIGN))
-+ {
-+ RERRNO = ENOMEM;
-+ return NULL;
-+ }
-+ size_with_padding = ma_size + (align - MALLOC_ALIGN);
-
- allocated = nano_malloc(RCALL size_with_padding);
- if (allocated == NULL) return NULL;
-@@ -632,6 +646,12 @@ void * nano_valloc(RARG size_t s)
- #ifdef DEFINE_PVALLOC
- void * nano_pvalloc(RARG size_t s)
- {
-+ /* Make sure size given to nano_valloc does not overflow */
-+ if (s > __SIZE_MAX__ - MALLOC_PAGE_ALIGN)
-+ {
-+ RERRNO = ENOMEM;
-+ return NULL;
-+ }
- return nano_valloc(RCALL ALIGN_TO(s, MALLOC_PAGE_ALIGN));
- }
- #endif /* DEFINE_PVALLOC */
-diff --git a/winsup/cygwin/malloc.cc b/winsup/cygwin/malloc.cc
-index 23c35407..8a1fc257 100644
---- a/winsup/cygwin/malloc.cc
-+++ b/winsup/cygwin/malloc.cc
-@@ -5298,6 +5298,10 @@ void* dlpvalloc(size_t bytes) {
- size_t pagesz;
- ensure_initialization();
- pagesz = mparams.page_size;
-+ if (bytes > MAX_REQUEST) {
-+ MALLOC_FAILURE_ACTION;
-+ return NULL;
-+ }
- return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE));
- }
-
---
-2.33.0.windows.2
-
diff --git a/fix-CVE-2024-30949.patch b/fix-CVE-2024-30949.patch
new file mode 100644
index 0000000..2363591
--- /dev/null
+++ b/fix-CVE-2024-30949.patch
@@ -0,0 +1,54 @@
+From 5f15d7c5817b07a6b18cbab17342c95cb7b42be4 Mon Sep 17 00:00:00 2001
+From: Kuan-Wei Chiu
+Date: Fri, 20 Sep 2024 12:44:40 +0800
+Subject: [PATCH] fix CVE-2024-30949
+
+RISC-V: Fix timeval conversion in _gettimeofday()
+
+Replace multiplication with division for microseconds calculation from
+nanoseconds in _gettimeofday function.
+
+---
+ libgloss/riscv/sys_gettimeofday.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/libgloss/riscv/sys_gettimeofday.c b/libgloss/riscv/sys_gettimeofday.c
+index 457dcbc..5379a89 100644
+--- a/libgloss/riscv/sys_gettimeofday.c
++++ b/libgloss/riscv/sys_gettimeofday.c
+@@ -1,10 +1,31 @@
+ #include
+ #include
++#include
+ #include "internal_syscall.h"
+
+ /* Get the current time. Only relatively correct. */
+ int
+ _gettimeofday(struct timeval *tp, void *tzp)
+ {
+- return syscall_errno (SYS_gettimeofday, tp, 0, 0, 0, 0, 0);
++#if __riscv_xlen == 32
++ struct __timespec64
++ {
++ int64_t tv_sec; /* Seconds */
++# if BYTE_ORDER == BIG_ENDIAN
++ int32_t __padding; /* Padding */
++ int32_t tv_nsec; /* Nanoseconds */
++# else
++ int32_t tv_nsec; /* Nanoseconds */
++ int32_t __padding; /* Padding */
++# endif
++ };
++ struct __timespec64 ts64;
++ int rv;
++ rv = syscall_errno (SYS_clock_gettime64, 2, 0, (long)&ts64, 0, 0, 0, 0);
++ tp->tv_sec = ts64.tv_sec;
++ tp->tv_usec = ts64.tv_nsec / 1000;
++ return rv;
++#else
++ return syscall_errno (SYS_gettimeofday, 1, tp, 0, 0, 0, 0, 0);
++#endif
+ }
+--
+2.43.0
+
diff --git a/newlib.spec b/newlib.spec
index b7682c4..cb27b76 100644
--- a/newlib.spec
+++ b/newlib.spec
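Review bot: In the rv32 branch that fix-CVE-2024-30949.patch adds to `_gettimeofday`, `ts64` is copied into `*tp` before `rv` is examined, so a failed `SYS_clock_gettime64` call stores uninitialised stack bytes in the caller's timeval; guard the copy, e.g. `if (rv == 0) { tp->tv_sec = ts64.tv_sec; tp->tv_usec = ts64.tv_nsec / 1000; }`. Both new `syscall_errno` calls also pass eight arguments (a leading `2` and `1`) where the removed call passed seven, and `internal_syscall.h` is not touched by this patch; if 3.3.0 still declares the seven-parameter form, the riscv build fails or the arguments shift by one, so this needs checking against the tree the patch is applied to. The description speaks of replacing a multiplication, but the removed line contains none, which suggests the rv32 path is new code in this tree and deserves review as such.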
@@ -2,15 +2,15 @@ %global _newlib newlib Name: newlib Version: 3.3.0 -Release: 4 +Release: 5 Summary: Newlib is a C library intended for use on embedded systems. License: BSD URL: https://sourceware.org/newlib/ Source0: ftp://sourceware.org/pub/newlib/newlib-%{version}.tar.gz -Patch01: Modify-neon-instruction.patch - +Patch01: Modify-neon-instruction.patch +Patch02: fix-CVE-2024-30949.patch BuildRequires: make gcc binutils texinfo texinfo-tex Excludearch: loongarch64 @@ -64,6 +64,9 @@ cd .. %changelog +* Wed Sep 25 2024 changtao - 3.3.0-5 +- fix CVE-2024-30949 + * Sat Jun 08 2024 yueyuankun - 3.3.0-4 - add Excludearch: loongarch64
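Review bot: The patch list after the first hunk is `Patch01: Modify-neon-instruction.patch` and `Patch02: fix-CVE-2024-30949.patch`; the file this commit deletes, 0001-correctly-check-for-out-of-bounds-allocation-reqs.patch (tagged `CVE: CVE-2021-3420`), is listed neither before nor after the change. Unless a further `Patch` line exists outside the hunk, the 3.3.0 sources appear to be built without the allocation-size overflow checks that patch carried, and deleting the file removes the only trace of that gap. Either apply it with a line such as `Patch03: 0001-correctly-check-for-out-of-bounds-allocation-reqs.patch`, or state in the new `%changelog` entry why it is not needed; that entry currently mentions only CVE-2024-30949.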