AuroraMiddleware/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2024-09-19 16:10:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch release/2.26/master into ibm/2.26/master

Browse Source
This commit is contained in:
Tulio Magno Quites Machado Filho 2020-03-20 18:24:51 -03:00
commit 6869471f35
5 changed files with 38 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
NEWS
View File

@ -190,6 +190,7 @@ The following bugs are resolved with this release:
[24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)
[25203] libio: Disable vtable validation for pre-2.1 interposed handles
[25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
[25423] Array overflow in backtrace on powerpc
Version 2.26
@ -393,6 +394,9 @@ Security related changes:
* A use-after-free vulnerability in clntudp_call in the Sun RPC system has been
fixed (CVE-2017-12133).
* A use-after-free vulnerability in the glob function when expanding ~user has
been fixed (CVE-2020-1752).
The following bugs are resolved with this release:
[984] network: Respond to changed resolv.conf in gethostbyname
@ -620,6 +624,7 @@ The following bugs are resolved with this release:
[21839] localedata: Fix LC_MONETARY for ta_LK
[21844] localedata: Fix Latin characters and Months Sequence.
[21848] localedata: Fix mai_NP Title Name
[25414] 'glob' use-after-free bug (CVE-2020-1752)
Version 2.25

12
debug/tst-backtrace5.c
View File

@ -88,6 +88,18 @@ handle_signal (int signum)
}
/* Symbol names are not available for static functions, so we do not
check do_test. */
/* Check that backtrace does not return more than what fits in the array
(bug 25423). */
for (int j = 0; j < NUM_FUNCTIONS; j++)
{
n = backtrace (addresses, j);
if (n > j)
{
FAIL ();
return;
}
}
}
NO_INLINE int

28
posix/glob.c
View File

@ -947,26 +947,32 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
size_t home_len = strlen (p->pw_dir);
size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
if (__glibc_unlikely (malloc_dirname))
free (dirname);
malloc_dirname = 0;
char *d, *newp;
bool use_alloca = glob_use_alloca (alloca_used,
home_len + rest_len + 1);
if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
dirname = alloca_account (home_len + rest_len + 1,
alloca_used);
if (use_alloca)
newp = alloca_account (home_len + rest_len + 1, alloca_used);
else
{
dirname = malloc (home_len + rest_len + 1);
if (dirname == NULL)
newp = malloc (home_len + rest_len + 1);
if (newp == NULL)
{
free (malloc_pwtmpbuf);
retval = GLOB_NOSPACE;
goto out;
}
malloc_dirname = 1;
}
*((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
end_name, rest_len)) = '\0';
d = mempcpy (newp, p->pw_dir, home_len);
if (end_name != NULL)
d = mempcpy (d, end_name, rest_len);
*d = '\0';
if (__glibc_unlikely (malloc_dirname))
free (dirname);
dirname = newp;
malloc_dirname = !use_alloca;
dirlen = home_len + rest_len;
dirname_modified = 1;

2
sysdeps/powerpc/powerpc32/backtrace.c
View File

@ -114,6 +114,8 @@ __backtrace (void **array, int size)
}
if (gregset)
{
if (count + 1 == size)
break;
array[++count] = (void*)((*gregset)[PT_NIP]);
current = (void*)((*gregset)[PT_R1]);
}

2
sysdeps/powerpc/powerpc64/backtrace.c
View File

@ -87,6 +87,8 @@ __backtrace (void **array, int size)
if (is_sigtramp_address (current->return_address))
{
struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
if (count + 1 == size)
break;
array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
}