This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/16009] Possible buffer overflow in strxfrm


https://sourceware.org/bugzilla/show_bug.cgi?id=16009

--- Comment #8 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  66986dec455c2011085a04b72a5bd55d9f9c7d1c (commit)
       via  dea992adae5ff1194d7e49b698424eba741df62a (commit)
       via  1a43fd3240c587b403240cf316d241f91ce50d8f (commit)
      from  ce92632d1297d032e5781cfa077e300f5c167471 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=66986dec455c2011085a04b72a5bd55d9f9c7d1c

commit 66986dec455c2011085a04b72a5bd55d9f9c7d1c
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Oct 6 13:12:36 2015 +0200

    Harden tls_dtor_list with pointer mangling [BZ #19018]

    (cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)

    Conflicts:
        NEWS
        stdlib/cxa_thread_atexit_impl.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dea992adae5ff1194d7e49b698424eba741df62a

commit dea992adae5ff1194d7e49b698424eba741df62a
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Oct 15 09:23:07 2015 +0200

    Always enable pointer guard [BZ #18928]

    Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
    has security implications.  This commit enables pointer guard
    unconditionally, and the environment variable is now ignored.

            [BZ #18928]
            * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
            _dl_pointer_guard member.
            * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
            initializer.
            (security_init): Always set up pointer guard.
            (process_envvars): Do not process LD_POINTER_GUARD.

    (cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1a43fd3240c587b403240cf316d241f91ce50d8f

commit 1a43fd3240c587b403240cf316d241f91ce50d8f
Author: Leonhard Holz <leonhard.holz@web.de>
Date:   Tue Jan 13 11:33:56 2015 +0530

    Fix memory handling in strxfrm_l [BZ #16009]

    [Modified from the original email by Siddhesh Poyarekar]

    This patch solves bug #16009 by implementing an additional path in
    strxfrm that does not depend on caching the weight and rule indices.

    In detail the following changed:

    * The old main loop was factored out of strxfrm_l into the function
    do_xfrm_cached to be able to alternatively use the non-caching version
    do_xfrm.

    * strxfrm_l allocates a fixed size array on the stack. If this is not
    sufficient to store the weight and rule indices, the non-caching path is
    taken. As the cache size is not dependent on the input there can be no
    problems with integer overflows or stack allocations greater than
    __MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the
    definition of strxfrm does not allow an oom error handling.

    * The uncached path determines the weight and rule index for every char
    and for every pass again.

    * Passing all the locale data array by array resulted in very long
    parameter lists, so I introduced a structure that holds them.

    * Checking for zero src string has been moved a bit upwards, it is
    before the locale data initialization now.

    * To verify that the non-caching path works correctly I added a test run
    to localedata/sort-test.sh & localedata/xfrm-test.c where all strings
    are patched up with spaces so that they are too large for the caching path.

    (cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa)

    Conflicts:
        NEWS
        string/strxfrm_l.c

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                       |   33 +++
 NEWS                            |   10 +-
 elf/rtld.c                      |   15 +-
 localedata/sort-test.sh         |    6 +
 localedata/xfrm-test.c          |   52 ++++-
 stdlib/cxa_thread_atexit_impl.c |   12 +-
 string/strxfrm_l.c              |  499 +++++++++++++++++++++++++++++++--------
 sysdeps/generic/ldsodefs.h      |    3 -
 8 files changed, 507 insertions(+), 123 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
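
The pattern the strxfrm_l commit message above describes (a fixed-size stack cache, with a non-caching path when the input does not fit), as an added example that is not part of the original mail and is not glibc code. toy_xfrm, find_idx, weight, put, CACHE_MAX and the two-level weighting are hypothetical stand-ins for the real collation tables.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define CACHE_MAX 16   /* fixed size; never derived from the input length */
#define PASSES 2

static size_t lookups; /* counts table lookups to make the trade-off visible */

/* Stand-in for the expensive collation-table lookup (hypothetical). */
static unsigned char find_idx(char c) { lookups++; return (unsigned char)c; }

/* Weight of one character at a level: 0 = letter, 1 = case. */
static unsigned char weight(unsigned char idx, int pass)
{
    if (pass == 0)
        return (unsigned char)tolower(idx);
    return isupper(idx) ? 3 : 2;
}

/* Store one byte if it fits; always advance the needed-length counter. */
static void put(char *dest, size_t n, size_t *pos, unsigned char b)
{
    if (*pos < n)
        dest[*pos] = (char)b;
    (*pos)++;
}

/* Returns the length needed (excluding the NUL), like strxfrm. */
size_t toy_xfrm(char *dest, const char *src, size_t n)
{
    size_t len = strlen(src), pos = 0;
    unsigned char cache[CACHE_MAX];
    int cached = len <= CACHE_MAX;   /* too long: take the non-caching path */

    if (len == 0) { if (n > 0) dest[0] = '\0'; return 0; }
    if (cached)                      /* one lookup per character, reused below */
        for (size_t i = 0; i < len; i++)
            cache[i] = find_idx(src[i]);
    for (int pass = 0; pass < PASSES; pass++) {
        for (size_t i = 0; i < len; i++)  /* uncached: look up again per pass */
            put(dest, n, &pos, weight(cached ? cache[i] : find_idx(src[i]), pass));
        if (pass + 1 < PASSES)
            put(dest, n, &pos, 1);   /* level separator */
    }
    if (n > 0)
        dest[pos < n ? pos : n - 1] = '\0';
    return pos;
}
```

Stack use is bounded by CACHE_MAX whatever the caller passes in, and no allocation can fail; the price is PASSES lookups per character on long inputs instead of one.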
