summary refs log tree commit diff
path: root/gnu/packages/patches/glibc-CVE-2018-11236.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/glibc-CVE-2018-11236.patch')
-rw-r--r--gnu/packages/patches/glibc-CVE-2018-11236.patch149
1 files changed, 0 insertions, 149 deletions
diff --git a/gnu/packages/patches/glibc-CVE-2018-11236.patch b/gnu/packages/patches/glibc-CVE-2018-11236.patch
deleted file mode 100644
index 4f8a72943c..0000000000
--- a/gnu/packages/patches/glibc-CVE-2018-11236.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=5460617d1567657621107d895ee2dd83bc1f88f2
-with ChangeLog removed
-
-From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
-From: Paul Pluzhnikov <ppluzhnikov@google.com>
-Date: Tue, 8 May 2018 18:12:41 -0700
-Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
- buffer overflow when realpath() input length is close to SSIZE_MAX.
-
-2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
-
-	[BZ #22786]
-	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
-	computation.
-	* stdlib/Makefile (test-bz22786): New test.
-	* stdlib/test-bz22786.c: New test.
----
- ChangeLog             |  8 +++++
- stdlib/Makefile       |  2 +-
- stdlib/canonicalize.c |  2 +-
- stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 100 insertions(+), 2 deletions(-)
- create mode 100644 stdlib/test-bz22786.c
-
-diff --git a/stdlib/Makefile b/stdlib/Makefile
-index af1643c..1ddb1f9 100644
---- a/stdlib/Makefile
-+++ b/stdlib/Makefile
-@@ -84,7 +84,7 @@ tests		:= tst-strtol tst-strtod testmb testrand testsort testdiv   \
- 		   tst-cxa_atexit tst-on_exit test-atexit-race 		    \
- 		   test-at_quick_exit-race test-cxa_atexit-race             \
- 		   test-on_exit-race test-dlclose-exit-race 		    \
--		   tst-makecontext-align
-+		   tst-makecontext-align test-bz22786
- 
- tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
- 		   tst-tls-atexit tst-tls-atexit-nodelete
-diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
-index 4135f3f..390fb43 100644
---- a/stdlib/canonicalize.c
-+++ b/stdlib/canonicalize.c
-@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
- 		extra_buf = __alloca (path_max);
- 
- 	      len = strlen (end);
--	      if ((long int) (n + len) >= path_max)
-+	      if (path_max - n <= len)
- 		{
- 		  __set_errno (ENAMETOOLONG);
- 		  goto error;
-diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
-new file mode 100644
-index 0000000..e7837f9
---- /dev/null
-+++ b/stdlib/test-bz22786.c
-@@ -0,0 +1,90 @@
-+/* Bug 22786: test for buffer overflow in realpath.
-+   Copyright (C) 2018 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <http://www.gnu.org/licenses/>.  */
-+
-+/* This file must be run from within a directory called "stdlib".  */
-+
-+#include <errno.h>
-+#include <limits.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <sys/stat.h>
-+#include <sys/types.h>
-+#include <support/test-driver.h>
-+#include <libc-diag.h>
-+
-+static int
-+do_test (void)
-+{
-+  const char dir[] = "bz22786";
-+  const char lnk[] = "bz22786/symlink";
-+
-+  rmdir (dir);
-+  if (mkdir (dir, 0755) != 0 && errno != EEXIST)
-+    {
-+      printf ("mkdir %s: %m\n", dir);
-+      return EXIT_FAILURE;
-+    }
-+  if (symlink (".", lnk) != 0 && errno != EEXIST)
-+    {
-+      printf ("symlink (%s, %s): %m\n", dir, lnk);
-+      return EXIT_FAILURE;
-+    }
-+
-+  const size_t path_len = (size_t) INT_MAX + 1;
-+
-+  DIAG_PUSH_NEEDS_COMMENT;
-+#if __GNUC_PREREQ (7, 0)
-+  /* GCC 7 warns about too-large allocations; here we need such
-+     allocation to succeed for the test to work.  */
-+  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
-+#endif
-+  char *path = malloc (path_len);
-+  DIAG_POP_NEEDS_COMMENT;
-+
-+  if (path == NULL)
-+    {
-+      printf ("malloc (%zu): %m\n", path_len);
-+      return EXIT_UNSUPPORTED;
-+    }
-+
-+  /* Construct very long path = "bz22786/symlink/aaaa....."  */
-+  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
-+  *(p++) = '/';
-+  memset (p, 'a', path_len - (path - p) - 2);
-+  p[path_len - (path - p) - 1] = '\0';
-+
-+  /* This call crashes before the fix for bz22786 on 32-bit platforms.  */
-+  p = realpath (path, NULL);
-+
-+  if (p != NULL || errno != ENAMETOOLONG)
-+    {
-+      printf ("realpath: %s (%m)", p);
-+      return EXIT_FAILURE;
-+    }
-+
-+  /* Cleanup.  */
-+  unlink (lnk);
-+  rmdir (dir);
-+
-+  return 0;
-+}
-+
-+#define TEST_FUNCTION do_test
-+#include <support/test-driver.c>
--- 
-2.9.3
-
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-02-14 00:44:57 +0000