This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch release/2.18/master updated. glibc-2.18-25-g3252416
- From: tuliom at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 31 Dec 2015 12:47:01 -0000
- Subject: GNU C Library master sources branch release/2.18/master updated. glibc-2.18-25-g3252416
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.18/master has been updated
via 325241608584653c1275a2ea28ce349a04fc4d28 (commit)
via 161a7ef860561b0738f953c533eb8920cbf0b813 (commit)
via f0cb70a25452585ff950b3a89f811ea3d473ae83 (commit)
via 80e44fad705561e39d8001c8258a8bae9c149fc7 (commit)
from d4deb63367247eaddcbe10b872d39ff70659eaf4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=325241608584653c1275a2ea28ce349a04fc4d28
commit 325241608584653c1275a2ea28ce349a04fc4d28
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sun Feb 22 12:01:47 2015 -0800
Fix BZ #17269 -- _IO_wstr_overflow integer overflow
(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)
Conflicts:
NEWS
diff --git a/ChangeLog b/ChangeLog
index 79a59d5..435d189 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-12-30 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17269]
+ * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+ (enlarge_userbuf): Likewise.
+
2015-12-30 Andreas Schwab <schwab@suse.de>
[BZ #18032]
diff --git a/NEWS b/NEWS
index 3ae4211..0196d04 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.18.1
* The following bugs are resolved with this release:
15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
- 16943, 16958, 18032, 18928, 19018.
+ 16943, 16958, 17269, 18032, 18928, 19018.
* The LD_POINTER_GUARD environment variable can no longer be used to
disable the pointer guard feature. It is always enabled.
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 8283930..19193e4 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
size_t old_wblen = _IO_wblen (fp);
_IO_size_t new_size = 2 * old_wblen + 100;
- if (new_size < old_wblen)
+
+ if (__glibc_unlikely (new_size < old_wblen)
+ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
return EOF;
+
new_buf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
* sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
return 1;
_IO_size_t newsize = offset + 100;
+ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+ return 1;
+
wchar_t *oldbuf = wd->_IO_buf_base;
wchar_t *newbuf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=161a7ef860561b0738f953c533eb8920cbf0b813
commit 161a7ef860561b0738f953c533eb8920cbf0b813
Author: Andreas Schwab <schwab@suse.de>
Date: Thu Feb 26 14:55:24 2015 +0100
Fix read past end of pattern in fnmatch (bug 18032)
(cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)
Conflicts:
NEWS
posix/tst-fnmatch3.c
diff --git a/ChangeLog b/ChangeLog
index 14d95f8..79a59d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-12-30 Andreas Schwab <schwab@suse.de>
+
+ [BZ #18032]
+ * posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+ over collating symbol inside a bracket expression. Minor cleanup.
+ * posix/tst-fnmatch3.c (do_test): Add test case.
+
2015-12-30 Florian Weimer <fweimer@redhat.com>
[BZ #19018]
diff --git a/NEWS b/NEWS
index 52e77ee..3ae4211 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.18.1
* The following bugs are resolved with this release:
15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
- 16943, 16958, 18928, 19018.
+ 16943, 16958, 18032, 18928, 19018.
* The LD_POINTER_GUARD environment variable can no longer be used to
disable the pointer guard feature. It is always enabled.
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 078b982..5002ccb 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -951,14 +951,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
}
else if (c == L('[') && *p == L('.'))
{
- ++p;
while (1)
{
c = *++p;
- if (c == '\0')
+ if (c == L('\0'))
return FNM_NOMATCH;
- if (*p == L('.') && p[1] == L(']'))
+ if (c == L('.') && p[1] == L(']'))
break;
}
p += 2;
diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
new file mode 100644
index 0000000..75bc00a
--- /dev/null
+++ b/posix/tst-fnmatch3.c
@@ -0,0 +1,32 @@
+/* Test for fnmatch not reading past the end of the pattern.
+ Copyright (C) 2014-2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <fnmatch.h>
+
+int
+do_test (void)
+{
+ if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH)
+ return 1;
+ if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
+ return 1;
+ return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f0cb70a25452585ff950b3a89f811ea3d473ae83
commit f0cb70a25452585ff950b3a89f811ea3d473ae83
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Oct 6 13:12:36 2015 +0200
Harden tls_dtor_list with pointer mangling [BZ #19018]
(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)
Conflicts:
NEWS
stdlib/cxa_thread_atexit_impl.c
diff --git a/ChangeLog b/ChangeLog
index d90460f..14d95f8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2015-12-30 Florian Weimer <fweimer@redhat.com>
+ [BZ #19018]
+ * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
+ Mangle function pointer before storing it.
+ (__call_tls_dtors): Demangle function pointer before calling it.
+
+2015-12-30 Florian Weimer <fweimer@redhat.com>
+
[BZ #18928]
* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
_dl_pointer_guard member.
diff --git a/NEWS b/NEWS
index d8e7c4d..52e77ee 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.18.1
* The following bugs are resolved with this release:
15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
- 16943, 16958, 18928.
+ 16943, 16958, 18928, 19018.
* The LD_POINTER_GUARD environment variable can no longer be used to
disable the pointer guard feature. It is always enabled.
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index dfd4c7e..6b7455d 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -42,6 +42,10 @@ static __thread struct link_map *lm_cache;
int
__cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
{
+#ifdef PTR_MANGLE
+ PTR_MANGLE (func);
+#endif
+
/* Prepend. */
struct dtor_list *new = calloc (1, sizeof (struct dtor_list));
new->func = func;
@@ -83,9 +87,13 @@ __call_tls_dtors (void)
while (tls_dtor_list)
{
struct dtor_list *cur = tls_dtor_list;
- tls_dtor_list = tls_dtor_list->next;
+ dtor_func func = cur->func;
+#ifdef PTR_DEMANGLE
+ PTR_DEMANGLE (func);
+#endif
- cur->func (cur->obj);
+ tls_dtor_list = tls_dtor_list->next;
+ func (cur->obj);
__rtld_lock_lock_recursive (GL(dl_load_lock));
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=80e44fad705561e39d8001c8258a8bae9c149fc7
commit 80e44fad705561e39d8001c8258a8bae9c149fc7
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Oct 15 09:23:07 2015 +0200
Always enable pointer guard [BZ #18928]
Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
has security implications. This commit enables pointer guard
unconditionally, and the environment variable is now ignored.
[BZ #18928]
* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
_dl_pointer_guard member.
* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
initializer.
(security_init): Always set up pointer guard.
(process_envvars): Do not process LD_POINTER_GUARD.
(cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)
Conflicts:
NEWS
diff --git a/ChangeLog b/ChangeLog
index 9c95cc0..d90460f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2015-12-30 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
2014-06-03 Guo Yixuan <culu.gyx@gmail.com>
[BZ #16882]
diff --git a/NEWS b/NEWS
index 31664e4..d8e7c4d 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,10 @@ Version 2.18.1
* The following bugs are resolved with this release:
15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
- 16943, 16958.
+ 16943, 16958, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+ disable the pointer guard feature. It is always enabled.
�
Version 2.18
diff --git a/elf/rtld.c b/elf/rtld.c
index 91da88c..b2fce26 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -162,7 +162,6 @@ struct rtld_global_ro _rtld_global_ro attribute_relro =
._dl_hwcap_mask = HWCAP_IMPORTANT,
._dl_lazy = 1,
._dl_fpu_control = _FPU_DEFAULT,
- ._dl_pointer_guard = 1,
._dl_pagesize = EXEC_PAGESIZE,
._dl_inhibit_cache = 0,
@@ -857,15 +856,12 @@ security_init (void)
#endif
/* Set up the pointer guard as well, if necessary. */
- if (GLRO(dl_pointer_guard))
- {
- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
- stack_chk_guard);
+ uintptr_t pointer_chk_guard
+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
#ifdef THREAD_SET_POINTER_GUARD
- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
#endif
- __pointer_chk_guard_local = pointer_chk_guard;
- }
+ __pointer_chk_guard_local = pointer_chk_guard;
/* We do not need the _dl_random value anymore. The less
information we leave behind, the better, so clear the
@@ -2606,9 +2602,6 @@ process_envvars (enum mode *modep)
GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
break;
}
-
- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
- GLRO(dl_pointer_guard) = envline[14] != '0';
break;
case 14:
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index e7b0516..6ccbd71 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -589,9 +589,6 @@ struct rtld_global_ro
/* List of auditing interfaces. */
struct audit_ifaces *_dl_audit;
unsigned int _dl_naudit;
-
- /* 0 if internal pointer values should not be guarded, 1 if they should. */
- EXTERN int _dl_pointer_guard;
};
# define __rtld_global_attribute__
# ifdef IS_IN_rtld
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 30 +++++++++++++++++++++++++++
NEWS | 5 +++-
elf/rtld.c | 15 +++---------
libio/wstrops.c | 8 ++++++-
posix/fnmatch_loop.c | 5 +--
stdlib/tst-system.c => posix/tst-fnmatch3.c | 16 ++++++++------
stdlib/cxa_thread_atexit_impl.c | 12 +++++++++-
sysdeps/generic/ldsodefs.h | 3 --
8 files changed, 66 insertions(+), 28 deletions(-)
copy stdlib/tst-system.c => posix/tst-fnmatch3.c (72%)
hooks/post-receive
--
GNU C Library master sources