This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug stdio/16618] wscanf allocates too little memory (CVE-2015-1472, CVE-2015-1473)

From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Tue, 17 Feb 2015 07:25:21 +0000
Subject: [Bug stdio/16618] wscanf allocates too little memory (CVE-2015-1472, CVE-2015-1473)
Auto-submitted: auto-generated
References: <bug-16618-131 at http dot sourceware dot org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=16618

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.20/master has been updated
       via  4d54424420c6300efbf57a7b9aa8635a8b8c1942 (commit)
       via  1bf9d48aec087062e2a14b77cb5ee1fa81be334c (commit)
       via  f9e0f439b72e0b2fb035be1bc60aaceeed7f6ed0 (commit)
       via  b0694b9e98ee64cb25490de0921ce307f3872749 (commit)
      from  f80af76648ed97a76745fad6caa3315a79cb1c7c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4d54424420c6300efbf57a7b9aa8635a8b8c1942

commit 4d54424420c6300efbf57a7b9aa8635a8b8c1942
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Fri Feb 6 00:30:42 2015 -0500

    CVE-2015-1472: wscanf allocates too little memory

    BZ #16618

    Under certain conditions wscanf can allocate too little memory for the
    to-be-scanned arguments and overflow the allocated buffer.  The
    implementation now correctly computes the required buffer size when
    using malloc.

    A regression test was added to tst-sscanf.

    (cherry picked from commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06)

    Conflicts:
        ChangeLog
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1bf9d48aec087062e2a14b77cb5ee1fa81be334c

commit 1bf9d48aec087062e2a14b77cb5ee1fa81be334c
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Fri Jan 30 06:50:20 2015 -0800

    Use AVX unaligned memcpy only if AVX2 is available

    memcpy with unaligned 256-bit AVX register loads/stores are slow on older
    processorsl like Sandy Bridge.  This patch adds bit_AVX_Fast_Unaligned_Load
    and sets it only when AVX2 is available.

        [BZ #17801]
        * sysdeps/x86_64/multiarch/init-arch.c (__init_cpu_features):
        Set the bit_AVX_Fast_Unaligned_Load bit for AVX2.
        * sysdeps/x86_64/multiarch/init-arch.h (bit_AVX_Fast_Unaligned_Load):
        New.
        (index_AVX_Fast_Unaligned_Load): Likewise.
        (HAS_AVX_FAST_UNALIGNED_LOAD): Likewise.
        * sysdeps/x86_64/multiarch/memcpy.S (__new_memcpy): Check the
        bit_AVX_Fast_Unaligned_Load bit instead of the bit_AVX_Usable bit.
        * sysdeps/x86_64/multiarch/memcpy_chk.S (__memcpy_chk): Likewise.
        * sysdeps/x86_64/multiarch/mempcpy.S (__mempcpy): Likewise.
        * sysdeps/x86_64/multiarch/mempcpy_chk.S (__mempcpy_chk): Likewise.
        * sysdeps/x86_64/multiarch/memmove.c (__libc_memmove): Replace
        HAS_AVX with HAS_AVX_FAST_UNALIGNED_LOAD.
        * sysdeps/x86_64/multiarch/memmove_chk.c (__memmove_chk): Likewise.

    (cherry picked from commit 5f3d0b78e011d2a72f9e88b0e9ef5bc081d18f97)

    Conflicts:
        ChangeLog
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f9e0f439b72e0b2fb035be1bc60aaceeed7f6ed0

commit f9e0f439b72e0b2fb035be1bc60aaceeed7f6ed0
Author: Leonhard Holz <leonhard.holz@web.de>
Date:   Tue Jan 13 11:33:56 2015 +0530

    Fix memory handling in strxfrm_l [BZ #16009]

    [Modified from the original email by Siddhesh Poyarekar]

    This patch solves bug #16009 by implementing an additional path in
    strxfrm that does not depend on caching the weight and rule indices.

    In detail the following changed:

    * The old main loop was factored out of strxfrm_l into the function
    do_xfrm_cached to be able to alternativly use the non-caching version
    do_xfrm.

    * strxfrm_l allocates a a fixed size array on the stack. If this is not
    sufficiant to store the weight and rule indices, the non-caching path is
    taken. As the cache size is not dependent on the input there can be no
    problems with integer overflows or stack allocations greater than
    __MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the
    definition of strxfrm does not allow an oom errorhandling.

    * The uncached path determines the weight and rule index for every char
    and for every pass again.

    * Passing all the locale data array by array resulted in very long
    parameter lists, so I introduced a structure that holds them.

    * Checking for zero src string has been moved a bit upwards, it is
    before the locale data initialization now.

    * To verify that the non-caching path works correct I added a test run
    to localedata/sort-test.sh & localedata/xfrm-test.c where all strings
    are patched up with spaces so that they are too large for the caching path.

    (cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa)

    Conflicts:
        ChangeLog
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b0694b9e98ee64cb25490de0921ce307f3872749

commit b0694b9e98ee64cb25490de0921ce307f3872749
Author: Roland McGrath <roland@hack.frob.com>
Date:   Thu Sep 11 16:02:17 2014 -0700

    Move findidx nested functions to top-level.

    Needed in order to backport strxfrm_l security fix cleanly.

    (cherry picked from commit 8c0ab919f63dc03a420751172602a52d2bea59a8)

    Conflicts:
        ChangeLog

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                              |   77 +++++
 NEWS                                   |    8 +-
 locale/weight.h                        |   13 +-
 locale/weightwc.h                      |   13 +-
 localedata/sort-test.sh                |    7 +
 localedata/xfrm-test.c                 |   52 +++-
 posix/fnmatch.c                        |    8 +
 posix/fnmatch_loop.c                   |   17 +-
 posix/regcomp.c                        |   10 +-
 posix/regex_internal.h                 |    7 +-
 posix/regexec.c                        |    8 +-
 stdio-common/tst-sscanf.c              |   33 +++
 stdio-common/vfscanf.c                 |   12 +-
 string/strcoll_l.c                     |    9 +-
 string/strxfrm_l.c                     |  491 +++++++++++++++++++++++++-------
 sysdeps/x86_64/multiarch/init-arch.c   |    9 +-
 sysdeps/x86_64/multiarch/init-arch.h   |    4 +
 sysdeps/x86_64/multiarch/memcpy.S      |    2 +-
 sysdeps/x86_64/multiarch/memcpy_chk.S  |    2 +-
 sysdeps/x86_64/multiarch/memmove.c     |    2 +-
 sysdeps/x86_64/multiarch/memmove_chk.c |    2 +-
 sysdeps/x86_64/multiarch/mempcpy.S     |    2 +-
 sysdeps/x86_64/multiarch/mempcpy_chk.S |    2 +-
 23 files changed, 642 insertions(+), 148 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]