Merge branch release/2.26/master into ibm/2.26/master

2024-12-11 22:00:08 +00:00 · 2020-03-20 18:24:51 -03:00 · 2020-03-20 18:24:51 -03:00 · 6869471f35
commit 6869471f35
parent fe5012e474 263e617599
5 changed files with 38 additions and 11 deletions
--- a/5
+++ b/5
@ -190,6 +190,7 @@ The following bugs are resolved with this release:
  [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)
  [25203] libio: Disable vtable validation for pre-2.1 interposed handles
  [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
+  [25423] Array overflow in backtrace on powerpc


 Version 2.26
@ -393,6 +394,9 @@ Security related changes:
 * A use-after-free vulnerability in clntudp_call in the Sun RPC system has been
  fixed (CVE-2017-12133).

+* A use-after-free vulnerability in the glob function when expanding ~user has
+  been fixed (CVE-2020-1752).
+
 The following bugs are resolved with this release:

  [984] network: Respond to changed resolv.conf in gethostbyname
@ -620,6 +624,7 @@ The following bugs are resolved with this release:
  [21839] localedata: Fix LC_MONETARY for ta_LK
  [21844] localedata: Fix Latin characters and Months Sequence.
  [21848] localedata: Fix mai_NP Title Name
+  [25414] 'glob' use-after-free bug (CVE-2020-1752)


 Version 2.25
--- a/debug/tst-backtrace5.c
+++ b/debug/tst-backtrace5.c
@ -88,6 +88,18 @@ handle_signal (int signum)
      }
  /* Symbol names are not available for static functions, so we do not
     check do_test.  */
+
+  /* Check that backtrace does not return more than what fits in the array
+     (bug 25423).  */
+  for (int j = 0; j < NUM_FUNCTIONS; j++)
+    {
+      n = backtrace (addresses, j);
+      if (n > j)
+	{
+	  FAIL ();
+	  return;
+	}
+    }
 }

 NO_INLINE int
--- a/posix/glob.c
+++ b/posix/glob.c
@ -947,26 +947,32 @@ glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 		size_t home_len = strlen (p->pw_dir);
 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);

-		if (__glibc_unlikely (malloc_dirname))
-		  free (dirname);
-		malloc_dirname = 0;
+		char *d, *newp;
+		bool use_alloca = glob_use_alloca (alloca_used,
+						   home_len + rest_len + 1);

-		if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
-		  dirname = alloca_account (home_len + rest_len + 1,
-					    alloca_used);
+		if (use_alloca)
+		  newp = alloca_account (home_len + rest_len + 1, alloca_used);
 		else
 		  {
-		    dirname = malloc (home_len + rest_len + 1);
-		    if (dirname == NULL)
+		    newp = malloc (home_len + rest_len + 1);
+		    if (newp == NULL)
 		      {
 			free (malloc_pwtmpbuf);
 			retval = GLOB_NOSPACE;
 			goto out;
 		      }
-		    malloc_dirname = 1;
 		  }
-		*((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
-				    end_name, rest_len)) = '\0';
+
+		d = mempcpy (newp, p->pw_dir, home_len);
+		if (end_name != NULL)
+		  d = mempcpy (d, end_name, rest_len);
+		*d = '\0';
+
+		if (__glibc_unlikely (malloc_dirname))
+		  free (dirname);
+		dirname = newp;
+		malloc_dirname = !use_alloca;

 		dirlen = home_len + rest_len;
 		dirname_modified = 1;
--- a/sysdeps/powerpc/powerpc32/backtrace.c
+++ b/sysdeps/powerpc/powerpc32/backtrace.c
@ -114,6 +114,8 @@ __backtrace (void **array, int size)
        }
      if (gregset)
 	{
+	  if (count + 1 == size)
+	    break;
 	  array[++count] = (void*)((*gregset)[PT_NIP]);
 	  current = (void*)((*gregset)[PT_R1]);
 	}
--- a/sysdeps/powerpc/powerpc64/backtrace.c
+++ b/sysdeps/powerpc/powerpc64/backtrace.c
@ -87,6 +87,8 @@ __backtrace (void **array, int size)
      if (is_sigtramp_address (current->return_address))
        {
 	  struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
+	  if (count + 1 == size)
+	    break;
          array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
 	  current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
 	}