diff options
Diffstat (limited to 'yocto-poky/meta/recipes-core/glibc')
12 files changed, 3052 insertions, 5 deletions
diff --git a/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb b/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb index 2153ece0e..3aefe748f 100644 --- a/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb +++ b/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb @@ -14,12 +14,13 @@ inherit autotools FILESEXTRAPATHS =. "${FILE_DIRNAME}/${PN}:${FILE_DIRNAME}/glibc:" -BRANCH ?= "release/${PV}/master" +SRCBRANCH ?= "release/${PV}/master" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" -SRC_URI = "${GLIBC_GIT_URI};branch=${BRANCH};name=glibc \ +SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef \ file://fix_for_centos_5.8.patch \ + file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \ ${EGLIBCPATCHES} \ " EGLIBCPATCHES = "\ diff --git a/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc b/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc index df6d07343..2352bd029 100644 --- a/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc +++ b/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc @@ -87,7 +87,7 @@ do_install () { if [ -e ${LOCALETREESRC}/${datadir}/locale ]; then cp -fpPR ${LOCALETREESRC}/${datadir}/locale ${D}${datadir} fi - chown root.root -R ${D} + chown root:root -R ${D} cp -fpPR ${LOCALETREESRC}/SUPPORTED ${WORKDIR} } diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch b/yocto-poky/meta/recipes-core/glibc/glibc/0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch new file mode 100644 index 000000000..3455df1cf --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch @@ -0,0 +1,84 @@ +From cadaf1336332ca7bcdfe4a400776e5782a20e26d Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Wed, 28 Oct 2015 07:49:44 -0700 +Subject: [PATCH] Keep only ELF_RTYPE_CLASS_{PLT|COPY} bits for prelink + +prelink runs ld.so with the environment variable LD_TRACE_PRELINKING +set to dump the relocation type class from _dl_debug_bindings. prelink +has the following relocation type classes: + + #define RTYPE_CLASS_VALID 8 + #define RTYPE_CLASS_PLT (8|1) + #define RTYPE_CLASS_COPY (8|2) + #define RTYPE_CLASS_TLS (8|4) + +where ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA has a conflict with +RTYPE_CLASS_TLS. + +Since prelink only uses ELF_RTYPE_CLASS_PLT and ELF_RTYPE_CLASS_COPY +bits, we should clear the other bits when the DL_DEBUG_PRELINK bit is +set. + + [BZ #19178] + * elf/dl-lookup.c (RTYPE_CLASS_VALID): New. + (RTYPE_CLASS_PLT): Likewise. + (RTYPE_CLASS_COPY): Likewise. + (RTYPE_CLASS_TLS): Likewise. + (_dl_debug_bindings): Use RTYPE_CLASS_TLS and RTYPE_CLASS_VALID + to set relocation type class for DL_DEBUG_PRELINK. Keep only + ELF_RTYPE_CLASS_PLT and ELF_RTYPE_CLASS_COPY bits for + DL_DEBUG_PRELINK. + +Upstream-Status: submitted (https://sourceware.org/bugzilla/show_bug.cgi?id=19178) + +Signed-off-by: Mark Hatle <mark.hatle@windriver.com> +--- + elf/dl-lookup.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c +index 581fb20..6ae6cc3 100644 +--- a/elf/dl-lookup.c ++++ b/elf/dl-lookup.c +@@ -1016,6 +1016,18 @@ _dl_debug_bindings (const char *undef_name, struct link_map *undef_map, + #ifdef SHARED + if (GLRO(dl_debug_mask) & DL_DEBUG_PRELINK) + { ++/* ELF_RTYPE_CLASS_XXX must match RTYPE_CLASS_XXX used by prelink with ++ LD_TRACE_PRELINKING. */ ++#define RTYPE_CLASS_VALID 8 ++#define RTYPE_CLASS_PLT (8|1) ++#define RTYPE_CLASS_COPY (8|2) ++#define RTYPE_CLASS_TLS (8|4) ++#if ELF_RTYPE_CLASS_PLT != 0 && ELF_RTYPE_CLASS_PLT != 1 ++# error ELF_RTYPE_CLASS_PLT must be 0 or 1! ++#endif ++#if ELF_RTYPE_CLASS_COPY != 0 && ELF_RTYPE_CLASS_COPY != 2 ++# error ELF_RTYPE_CLASS_COPY must be 0 or 2! ++#endif + int conflict = 0; + struct sym_val val = { NULL, NULL }; + +@@ -1071,12 +1083,17 @@ _dl_debug_bindings (const char *undef_name, struct link_map *undef_map, + + if (value->s) + { ++ /* Keep only ELF_RTYPE_CLASS_PLT and ELF_RTYPE_CLASS_COPY ++ bits since since prelink only uses them. */ ++ type_class &= ELF_RTYPE_CLASS_PLT | ELF_RTYPE_CLASS_COPY; + if (__glibc_unlikely (ELFW(ST_TYPE) (value->s->st_info) + == STT_TLS)) +- type_class = 4; ++ /* Clear the RTYPE_CLASS_VALID bit in RTYPE_CLASS_TLS. */ ++ type_class = RTYPE_CLASS_TLS & ~RTYPE_CLASS_VALID; + else if (__glibc_unlikely (ELFW(ST_TYPE) (value->s->st_info) + == STT_GNU_IFUNC)) +- type_class |= 8; ++ /* Set the RTYPE_CLASS_VALID bit. */ ++ type_class |= RTYPE_CLASS_VALID; + } + + if (conflict +-- +1.9.3 + diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-7547.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-7547.patch new file mode 100644 index 000000000..4e539f849 --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-7547.patch @@ -0,0 +1,642 @@ +From e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca Mon Sep 17 00:00:00 2001 +From: Carlos O'Donell <carlos@systemhalted.org> +Date: Tue, 16 Feb 2016 21:26:37 -0500 +Subject: [PATCH] CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug + 18665). + +* A stack-based buffer overflow was found in libresolv when invoked from + libnss_dns, allowing specially crafted DNS responses to seize control + of execution flow in the DNS client. The buffer overflow occurs in + the functions send_dg (send datagram) and send_vc (send TCP) for the + NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC + family. The use of AF_UNSPEC triggers the low-level resolver code to + send out two parallel queries for A and AAAA. A mismanagement of the + buffers used for those queries could result in the response of a query + writing beyond the alloca allocated buffer created by + _nss_dns_gethostbyname4_r. Buffer management is simplified to remove + the overflow. Thanks to the Google Security Team and Red Hat for + reporting the security impact of this issue, and Robert Holiday of + Ciena for reporting the related bug 18665. (CVE-2015-7547) + +See also: +https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html +https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html + +Upstream-Status: Backport +CVE: CVE-2015-7547 + +https://sourceware.org/git/?p=glibc.git;a=commit;h=e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca +minor tweeking to apply to Changelog and res_send.c + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 17 ++- + NEWS | 14 +++ + resolv/nss_dns/dns-host.c | 111 +++++++++++++++++++- + resolv/res_query.c | 3 + + resolv/res_send.c | 260 +++++++++++++++++++++++++++++++++++----------- + 5 files changed, 339 insertions(+), 66 deletions(-) + +Index: git/NEWS +=================================================================== +--- git.orig/NEWS ++++ git/NEWS +@@ -105,6 +105,20 @@ Security related changes: + depending on the length of the string passed as an argument to the + functions. Reported by Joseph Myers. + ++* A stack-based buffer overflow was found in libresolv when invoked from ++ libnss_dns, allowing specially crafted DNS responses to seize control ++ of execution flow in the DNS client. The buffer overflow occurs in ++ the functions send_dg (send datagram) and send_vc (send TCP) for the ++ NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC ++ family. The use of AF_UNSPEC triggers the low-level resolver code to ++ send out two parallel queries for A and AAAA. A mismanagement of the ++ buffers used for those queries could result in the response of a query ++ writing beyond the alloca allocated buffer created by ++ _nss_dns_gethostbyname4_r. Buffer management is simplified to remove ++ the overflow. Thanks to the Google Security Team and Red Hat for ++ reporting the security impact of this issue, and Robert Holiday of ++ Ciena for reporting the related bug 18665. (CVE-2015-7547) ++ + * The following bugs are resolved with this release: + + 6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498, +Index: git/resolv/nss_dns/dns-host.c +=================================================================== +--- git.orig/resolv/nss_dns/dns-host.c ++++ git/resolv/nss_dns/dns-host.c +@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *an + int h_namelen = 0; + + if (ancount == 0) +- return NSS_STATUS_NOTFOUND; ++ { ++ *h_errnop = HOST_NOT_FOUND; ++ return NSS_STATUS_NOTFOUND; ++ } + + while (ancount-- > 0 && cp < end_of_message && had_error == 0) + { +@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *an + /* Special case here: if the resolver sent a result but it only + contains a CNAME while we are looking for a T_A or T_AAAA record, + we fail with NOTFOUND instead of TRYAGAIN. */ +- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; ++ if (canon != NULL) ++ { ++ *h_errnop = HOST_NOT_FOUND; ++ return NSS_STATUS_NOTFOUND; ++ } ++ ++ *h_errnop = NETDB_INTERNAL; ++ return NSS_STATUS_TRYAGAIN; + } + + +@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1, + + enum nss_status status = NSS_STATUS_NOTFOUND; + ++ /* Combining the NSS status of two distinct queries requires some ++ compromise and attention to symmetry (A or AAAA queries can be ++ returned in any order). What follows is a breakdown of how this ++ code is expected to work and why. We discuss only SUCCESS, ++ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns ++ that apply (though RETURN and MERGE exist). We make a distinction ++ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable). ++ A recoverable TRYAGAIN is almost always due to buffer size issues ++ and returns ERANGE in errno and the caller is expected to retry ++ with a larger buffer. ++ ++ Lastly, you may be tempted to make significant changes to the ++ conditions in this code to bring about symmetry between responses. ++ Please don't change anything without due consideration for ++ expected application behaviour. Some of the synthesized responses ++ aren't very well thought out and sometimes appear to imply that ++ IPv4 responses are always answer 1, and IPv6 responses are always ++ answer 2, but that's not true (see the implementation of send_dg ++ and send_vc to see response can arrive in any order, particularly ++ for UDP). However, we expect it holds roughly enough of the time ++ that this code works, but certainly needs to be fixed to make this ++ a more robust implementation. ++ ++ ---------------------------------------------- ++ | Answer 1 Status / | Synthesized | Reason | ++ | Answer 2 Status | Status | | ++ |--------------------------------------------| ++ | SUCCESS/SUCCESS | SUCCESS | [1] | ++ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] | ++ | SUCCESS/TRYAGAIN' | SUCCESS | [1] | ++ | SUCCESS/NOTFOUND | SUCCESS | [1] | ++ | SUCCESS/UNAVAIL | SUCCESS | [1] | ++ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] | ++ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] | ++ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] | ++ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] | ++ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] | ++ | TRYAGAIN'/SUCCESS | SUCCESS | [3] | ++ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] | ++ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] | ++ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] | ++ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] | ++ | NOTFOUND/SUCCESS | SUCCESS | [3] | ++ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] | ++ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] | ++ | NOTFOUND/NOTFOUND | NOTFOUND | [3] | ++ | NOTFOUND/UNAVAIL | UNAVAIL | [3] | ++ | UNAVAIL/SUCCESS | UNAVAIL | [4] | ++ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] | ++ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] | ++ | UNAVAIL/NOTFOUND | UNAVAIL | [4] | ++ | UNAVAIL/UNAVAIL | UNAVAIL | [4] | ++ ---------------------------------------------- ++ ++ [1] If the first response is a success we return success. ++ This ignores the state of the second answer and in fact ++ incorrectly sets errno and h_errno to that of the second ++ answer. However because the response is a success we ignore ++ *errnop and *h_errnop (though that means you touched errno on ++ success). We are being conservative here and returning the ++ likely IPv4 response in the first answer as a success. ++ ++ [2] If the first response is a recoverable TRYAGAIN we return ++ that instead of looking at the second response. The ++ expectation here is that we have failed to get an IPv4 response ++ and should retry both queries. ++ ++ [3] If the first response was not a SUCCESS and the second ++ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN, ++ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the ++ result from the second response, otherwise the first responses ++ status is used. Again we have some odd side-effects when the ++ second response is NOTFOUND because we overwrite *errnop and ++ *h_errnop that means that a first answer of NOTFOUND might see ++ its *errnop and *h_errnop values altered. Whether it matters ++ in practice that a first response NOTFOUND has the wrong ++ *errnop and *h_errnop is undecided. ++ ++ [4] If the first response is UNAVAIL we return that instead of ++ looking at the second response. The expectation here is that ++ it will have failed similarly e.g. configuration failure. ++ ++ [5] Testing this code is complicated by the fact that truncated ++ second response buffers might be returned as SUCCESS if the ++ first answer is a SUCCESS. To fix this we add symmetry to ++ TRYAGAIN with the second response. If the second response ++ is a recoverable error we now return TRYAGIN even if the first ++ response was SUCCESS. */ ++ + if (anslen1 > 0) + status = gaih_getanswer_slice(answer1, anslen1, qname, + &pat, &buffer, &buflen, + errnop, h_errnop, ttlp, + &first); ++ + if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND + || (status == NSS_STATUS_TRYAGAIN + /* We want to look at the second answer in case of an +@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1, + &pat, &buffer, &buflen, + errnop, h_errnop, ttlp, + &first); ++ /* Use the second response status in some cases. */ + if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND) + status = status2; ++ /* Do not return a truncated second response (unless it was ++ unavoidable e.g. unrecoverable TRYAGAIN). */ ++ if (status == NSS_STATUS_SUCCESS ++ && (status2 == NSS_STATUS_TRYAGAIN ++ && *errnop == ERANGE && *h_errnop != NO_RECOVERY)) ++ status = NSS_STATUS_TRYAGAIN; + } + + return status; +Index: git/resolv/res_query.c +=================================================================== +--- git.orig/resolv/res_query.c ++++ git/resolv/res_query.c +@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + } +@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + +@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + if (saved_herrno != -1) +Index: git/resolv/res_send.c +=================================================================== +--- git.orig/resolv/res_send.c ++++ git/resolv/res_send.c +@@ -1,3 +1,20 @@ ++/* Copyright (C) 2016 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ + /* + * Copyright (c) 1985, 1989, 1993 + * The Regents of the University of California. All rights reserved. +@@ -363,6 +380,8 @@ __libc_res_nsend(res_state statp, const + #ifdef USE_HOOKS + if (__glibc_unlikely (statp->qhook || statp->rhook)) { + if (anssiz < MAXPACKET && ansp) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *buf = malloc (MAXPACKET); + if (buf == NULL) + return (-1); +@@ -638,6 +657,77 @@ get_nsaddr (res_state statp, int n) + return (struct sockaddr *) (void *) &statp->nsaddr_list[n]; + } + ++/* The send_vc function is responsible for sending a DNS query over TCP ++ to the nameserver numbered NS from the res_state STATP i.e. ++ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and ++ IPv6 queries at the same serially on the same socket. ++ ++ Please note that for TCP there is no way to disable sending both ++ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP ++ and sends the queries serially and waits for the result after each ++ sent query. This implemetnation should be corrected to honour these ++ options. ++ ++ Please also note that for TCP we send both queries over the same ++ socket one after another. This technically violates best practice ++ since the server is allowed to read the first query, respond, and ++ then close the socket (to service another client). If the server ++ does this, then the remaining second query in the socket data buffer ++ will cause the server to send the client an RST which will arrive ++ asynchronously and the client's OS will likely tear down the socket ++ receive buffer resulting in a potentially short read and lost ++ response data. This will force the client to retry the query again, ++ and this process may repeat until all servers and connection resets ++ are exhausted and then the query will fail. It's not known if this ++ happens with any frequency in real DNS server implementations. This ++ implementation should be corrected to use two sockets by default for ++ parallel queries. ++ ++ The query stored in BUF of BUFLEN length is sent first followed by ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent ++ serially on the same socket. ++ ++ Answers to the query are stored firstly in *ANSP up to a max of ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP ++ is non-NULL (to indicate that modifying the answer buffer is allowed) ++ then malloc is used to allocate a new response buffer and ANSCP and ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes ++ are needed but ANSCP is NULL, then as much of the response as ++ possible is read into the buffer, but the results will be truncated. ++ When truncation happens because of a small answer buffer the DNS ++ packets header field TC will bet set to 1, indicating a truncated ++ message and the rest of the socket data will be read and discarded. ++ ++ Answers to the query are stored secondly in *ANSP2 up to a max of ++ *ANSSIZP2 bytes, with the actual response length stored in ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 ++ is non-NULL (required for a second query) then malloc is used to ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer ++ size and *ANSP2_MALLOCED is set to 1. ++ ++ The ANSP2_MALLOCED argument will eventually be removed as the ++ change in buffer pointer can be used to detect the buffer has ++ changed and that the caller should use free on the new buffer. ++ ++ Note that the answers may arrive in any order from the server and ++ therefore the first and second answer buffers may not correspond to ++ the first and second queries. ++ ++ It is not supported to call this function with a non-NULL ANSP2 ++ but a NULL ANSCP. Put another way, you can call send_vc with a ++ single unmodifiable buffer or two modifiable buffers, but no other ++ combination is supported. ++ ++ It is the caller's responsibility to free the malloc allocated ++ buffers by detecting that the pointers have changed from their ++ original values i.e. *ANSCP or *ANSP2 has changed. ++ ++ If errors are encountered then *TERRNO is set to an appropriate ++ errno value and a zero result is returned for a recoverable error, ++ and a less-than zero result is returned for a non-recoverable error. ++ ++ If no errors are encountered then *TERRNO is left unmodified and ++ a the length of the first response in bytes is returned. */ + static int + send_vc(res_state statp, + const u_char *buf, int buflen, const u_char *buf2, int buflen2, +@@ -647,11 +737,7 @@ send_vc(res_state statp, + { + const HEADER *hp = (HEADER *) buf; + const HEADER *hp2 = (HEADER *) buf2; +- u_char *ans = *ansp; +- int orig_anssizp = *anssizp; +- // XXX REMOVE +- // int anssiz = *anssizp; +- HEADER *anhp = (HEADER *) ans; ++ HEADER *anhp = (HEADER *) *ansp; + struct sockaddr *nsap = get_nsaddr (statp, ns); + int truncating, connreset, n; + /* On some architectures compiler might emit a warning indicating +@@ -743,6 +829,8 @@ send_vc(res_state statp, + * Receive length & response + */ + int recvresp1 = 0; ++ /* Skip the second response if there is no second query. ++ To do that we mark the second response as received. */ + int recvresp2 = buf2 == NULL; + uint16_t rlen16; + read_len: +@@ -779,40 +867,14 @@ send_vc(res_state statp, + u_char **thisansp; + int *thisresplenp; + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { ++ /* We have not received any responses ++ yet or we only have one response to ++ receive. */ + thisanssizp = anssizp; + thisansp = anscp ?: ansp; + assert (anscp != NULL || ansp2 == NULL); + thisresplenp = &resplen; + } else { +- if (*anssizp != MAXPACKET) { +- /* No buffer allocated for the first +- reply. We can try to use the rest +- of the user-provided buffer. */ +-#if __GNUC_PREREQ (4, 7) +- DIAG_PUSH_NEEDS_COMMENT; +- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized"); +-#endif +-#if _STRING_ARCH_unaligned +- *anssizp2 = orig_anssizp - resplen; +- *ansp2 = *ansp + resplen; +-#else +- int aligned_resplen +- = ((resplen + __alignof__ (HEADER) - 1) +- & ~(__alignof__ (HEADER) - 1)); +- *anssizp2 = orig_anssizp - aligned_resplen; +- *ansp2 = *ansp + aligned_resplen; +-#endif +-#if __GNUC_PREREQ (4, 7) +- DIAG_POP_NEEDS_COMMENT; +-#endif +- } else { +- /* The first reply did not fit into the +- user-provided buffer. Maybe the second +- answer will. */ +- *anssizp2 = orig_anssizp; +- *ansp2 = *ansp; +- } +- + thisanssizp = anssizp2; + thisansp = ansp2; + thisresplenp = resplen2; +@@ -820,10 +882,14 @@ send_vc(res_state statp, + anhp = (HEADER *) *thisansp; + + *thisresplenp = rlen; +- if (rlen > *thisanssizp) { +- /* Yes, we test ANSCP here. If we have two buffers +- both will be allocatable. */ +- if (__glibc_likely (anscp != NULL)) { ++ /* Is the answer buffer too small? */ ++ if (*thisanssizp < rlen) { ++ /* If the current buffer is not the the static ++ user-supplied buffer then we can reallocate ++ it. */ ++ if (thisansp != NULL && thisansp != ansp) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *newp = malloc (MAXPACKET); + if (newp == NULL) { + *terrno = ENOMEM; +@@ -835,6 +901,9 @@ send_vc(res_state statp, + if (thisansp == ansp2) + *ansp2_malloced = 1; + anhp = (HEADER *) newp; ++ /* A uint16_t can't be larger than MAXPACKET ++ thus it's safe to allocate MAXPACKET but ++ read RLEN bytes instead. */ + len = rlen; + } else { + Dprint(statp->options & RES_DEBUG, +@@ -997,6 +1066,66 @@ reopen (res_state statp, int *terrno, in + return 1; + } + ++/* The send_dg function is responsible for sending a DNS query over UDP ++ to the nameserver numbered NS from the res_state STATP i.e. ++ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries ++ along with the ability to send the query in parallel for both stacks ++ (default) or serially (RES_SINGLKUP). It also supports serial lookup ++ with a close and reopen of the socket used to talk to the server ++ (RES_SNGLKUPREOP) to work around broken name servers. ++ ++ The query stored in BUF of BUFLEN length is sent first followed by ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent ++ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP). ++ ++ Answers to the query are stored firstly in *ANSP up to a max of ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP ++ is non-NULL (to indicate that modifying the answer buffer is allowed) ++ then malloc is used to allocate a new response buffer and ANSCP and ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes ++ are needed but ANSCP is NULL, then as much of the response as ++ possible is read into the buffer, but the results will be truncated. ++ When truncation happens because of a small answer buffer the DNS ++ packets header field TC will bet set to 1, indicating a truncated ++ message, while the rest of the UDP packet is discarded. ++ ++ Answers to the query are stored secondly in *ANSP2 up to a max of ++ *ANSSIZP2 bytes, with the actual response length stored in ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 ++ is non-NULL (required for a second query) then malloc is used to ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer ++ size and *ANSP2_MALLOCED is set to 1. ++ ++ The ANSP2_MALLOCED argument will eventually be removed as the ++ change in buffer pointer can be used to detect the buffer has ++ changed and that the caller should use free on the new buffer. ++ ++ Note that the answers may arrive in any order from the server and ++ therefore the first and second answer buffers may not correspond to ++ the first and second queries. ++ ++ It is not supported to call this function with a non-NULL ANSP2 ++ but a NULL ANSCP. Put another way, you can call send_vc with a ++ single unmodifiable buffer or two modifiable buffers, but no other ++ combination is supported. ++ ++ It is the caller's responsibility to free the malloc allocated ++ buffers by detecting that the pointers have changed from their ++ original values i.e. *ANSCP or *ANSP2 has changed. ++ ++ If an answer is truncated because of UDP datagram DNS limits then ++ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to ++ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1 ++ if any progress was made reading a response from the nameserver and ++ is used by the caller to distinguish between ECONNREFUSED and ++ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1). ++ ++ If errors are encountered then *TERRNO is set to an appropriate ++ errno value and a zero result is returned for a recoverable error, ++ and a less-than zero result is returned for a non-recoverable error. ++ ++ If no errors are encountered then *TERRNO is left unmodified and ++ a the length of the first response in bytes is returned. */ + static int + send_dg(res_state statp, + const u_char *buf, int buflen, const u_char *buf2, int buflen2, +@@ -1006,8 +1135,6 @@ send_dg(res_state statp, + { + const HEADER *hp = (HEADER *) buf; + const HEADER *hp2 = (HEADER *) buf2; +- u_char *ans = *ansp; +- int orig_anssizp = *anssizp; + struct timespec now, timeout, finish; + struct pollfd pfd[1]; + int ptimeout; +@@ -1040,6 +1167,8 @@ send_dg(res_state statp, + int need_recompute = 0; + int nwritten = 0; + int recvresp1 = 0; ++ /* Skip the second response if there is no second query. ++ To do that we mark the second response as received. */ + int recvresp2 = buf2 == NULL; + pfd[0].fd = EXT(statp).nssocks[ns]; + pfd[0].events = POLLOUT; +@@ -1203,55 +1332,56 @@ send_dg(res_state statp, + int *thisresplenp; + + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { ++ /* We have not received any responses ++ yet or we only have one response to ++ receive. */ + thisanssizp = anssizp; + thisansp = anscp ?: ansp; + assert (anscp != NULL || ansp2 == NULL); + thisresplenp = &resplen; + } else { +- if (*anssizp != MAXPACKET) { +- /* No buffer allocated for the first +- reply. We can try to use the rest +- of the user-provided buffer. */ +-#if _STRING_ARCH_unaligned +- *anssizp2 = orig_anssizp - resplen; +- *ansp2 = *ansp + resplen; +-#else +- int aligned_resplen +- = ((resplen + __alignof__ (HEADER) - 1) +- & ~(__alignof__ (HEADER) - 1)); +- *anssizp2 = orig_anssizp - aligned_resplen; +- *ansp2 = *ansp + aligned_resplen; +-#endif +- } else { +- /* The first reply did not fit into the +- user-provided buffer. Maybe the second +- answer will. */ +- *anssizp2 = orig_anssizp; +- *ansp2 = *ansp; +- } +- + thisanssizp = anssizp2; + thisansp = ansp2; + thisresplenp = resplen2; + } + + if (*thisanssizp < MAXPACKET +- /* Yes, we test ANSCP here. If we have two buffers +- both will be allocatable. */ +- && anscp ++ /* If the current buffer is not the the static ++ user-supplied buffer then we can reallocate ++ it. */ ++ && (thisansp != NULL && thisansp != ansp) + #ifdef FIONREAD ++ /* Is the size too small? */ + && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0 + || *thisanssizp < *thisresplenp) + #endif + ) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *newp = malloc (MAXPACKET); + if (newp != NULL) { +- *anssizp = MAXPACKET; +- *thisansp = ans = newp; ++ *thisanssizp = MAXPACKET; ++ *thisansp = newp; + if (thisansp == ansp2) + *ansp2_malloced = 1; + } + } ++ /* We could end up with truncation if anscp was NULL ++ (not allowed to change caller's buffer) and the ++ response buffer size is too small. This isn't a ++ reliable way to detect truncation because the ioctl ++ may be an inaccurate report of the UDP message size. ++ Therefore we use this only to issue debug output. ++ To do truncation accurately with UDP we need ++ MSG_TRUNC which is only available on Linux. We ++ can abstract out the Linux-specific feature in the ++ future to detect truncation. */ ++ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) { ++ Dprint(statp->options & RES_DEBUG, ++ (stdout, ";; response may be truncated (UDP)\n") ++ ); ++ } ++ + HEADER *anhp = (HEADER *) *thisansp; + socklen_t fromlen = sizeof(struct sockaddr_in6); + assert (sizeof(from) <= fromlen); +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,18 @@ ++2016-02-15 Carlos O'Donell <carlos@redhat.com> ++ ++ [BZ #18665] ++ * resolv/nss_dns/dns-host.c (gaih_getanswer_slice): Always set ++ *herrno_p. ++ (gaih_getanswer): Document functional behviour. Return tryagain ++ if any result is tryagain. ++ * resolv/res_query.c (__libc_res_nsearch): Set buffer size to zero ++ when freed. ++ * resolv/res_send.c: Add copyright text. ++ (__libc_res_nsend): Document that MAXPACKET is expected. ++ (send_vc): Document. Remove buffer reuse. ++ (send_dg): Document. Remove buffer reuse. Set *thisanssizp to set the ++ size of the buffer. Add Dprint for truncated UDP buffer. ++ + 2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com> + + [BZ #18985] diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch new file mode 100644 index 000000000..684f34417 --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch @@ -0,0 +1,155 @@ +From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001 +From: Paul Pluzhnikov <ppluzhnikov@google.com> +Date: Sat, 26 Sep 2015 13:27:48 -0700 +Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a + segfault + +Upstream-Status: Backport +CVE: CVE-2015-8776 +[Yocto # 8980] + +https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 8 ++++++++ + NEWS | 2 +- + time/strftime_l.c | 20 +++++++++++++------- + time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++- + 4 files changed, 73 insertions(+), 9 deletions(-) + +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,11 @@ ++2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com> ++ ++ [BZ #18985] ++ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check. ++ (__strftime_internal): Likewise. ++ * time/tst-strftime.c (do_bz18985): New test. ++ (do_test): Call it. ++ + 2015-12-04 Joseph Myers <joseph@codesourcery.com> + + [BZ #16961] +Index: git/time/strftime_l.c +=================================================================== +--- git.orig/time/strftime_l.c ++++ git/time/strftime_l.c +@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format, + only a few elements. Dereference the pointers only if the format + requires this. Then it is ok to fail if the pointers are invalid. */ + # define a_wkday \ +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)) ++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))) + # define f_wkday \ +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)) ++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))) + # define a_month \ +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)) ++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))) + # define f_month \ +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)) ++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))) + # define ampm \ + ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \ + ? NLW(PM_STR) : NLW(AM_STR))) +@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format, + # define ap_len STRLEN (ampm) + #else + # if !HAVE_STRFTIME +-# define f_wkday (weekday_name[tp->tm_wday]) +-# define f_month (month_name[tp->tm_mon]) ++# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \ ++ ? "?" : weekday_name[tp->tm_wday]) ++# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \ ++ ? "?" : month_name[tp->tm_mon]) + # define a_wkday f_wkday + # define a_month f_month + # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11)) +@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format, + *tzset_called = true; + } + # endif +- zone = tzname[tp->tm_isdst]; ++ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?"; + } + #endif + if (! zone) +Index: git/time/tst-strftime.c +=================================================================== +--- git.orig/time/tst-strftime.c ++++ git/time/tst-strftime.c +@@ -4,6 +4,56 @@ + #include <time.h> + + ++static int ++do_bz18985 (void) ++{ ++ char buf[1000]; ++ struct tm ttm; ++ int rc, ret = 0; ++ ++ memset (&ttm, 1, sizeof (ttm)); ++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ ++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); ++ ++ if (rc == 66) ++ { ++ const char expected[] ++ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?"; ++ if (0 != strcmp (buf, expected)) ++ { ++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf); ++ ret += 1; ++ } ++ } ++ else ++ { ++ printf ("expected 66, got %d\n", rc); ++ ret += 1; ++ } ++ ++ /* Check negative values as well. */ ++ memset (&ttm, 0xFF, sizeof (ttm)); ++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ ++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); ++ ++ if (rc == 30) ++ { ++ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 "; ++ if (0 != strcmp (buf, expected)) ++ { ++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf); ++ ret += 1; ++ } ++ } ++ else ++ { ++ printf ("expected 30, got %d\n", rc); ++ ret += 1; ++ } ++ ++ return ret; ++} ++ + static struct + { + const char *fmt; +@@ -104,7 +154,7 @@ do_test (void) + } + } + +- return result; ++ return result + do_bz18985 (); + } + + #define TEST_FUNCTION do_test () diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch new file mode 100644 index 000000000..eeab72d65 --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch @@ -0,0 +1,123 @@ +From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Thu, 15 Oct 2015 09:23:07 +0200 +Subject: [PATCH] Always enable pointer guard [BZ #18928] + +Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode +has security implications. This commit enables pointer guard +unconditionally, and the environment variable is now ignored. + + [BZ #18928] + * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove + _dl_pointer_guard member. + * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard + initializer. + (security_init): Always set up pointer guard. + (process_envvars): Do not process LD_POINTER_GUARD. + +Upstream-Status: Backport +CVE: CVE-2015-8777 +[Yocto # 8980] + +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 10 ++++++++++ + NEWS | 13 ++++++++----- + elf/rtld.c | 15 ++++----------- + sysdeps/generic/ldsodefs.h | 3 --- + 4 files changed, 22 insertions(+), 19 deletions(-) + +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,14 @@ ++2015-10-15 Florian Weimer <fweimer@redhat.com> ++ ++ [BZ #18928] ++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove ++ _dl_pointer_guard member. ++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard ++ initializer. ++ (security_init): Always set up pointer guard. ++ (process_envvars): Do not process LD_POINTER_GUARD. ++ ++ + 2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com> + + [BZ #18778] +Index: git/NEWS +=================================================================== +--- git.orig/NEWS ++++ git/NEWS +@@ -34,7 +34,10 @@ Version 2.22 + 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547, + 18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593, + 18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648, +- 18657, 18676, 18694, 18696. ++ 18657, 18676, 18694, 18696, 18928. ++ ++* The LD_POINTER_GUARD environment variable can no longer be used to ++ disable the pointer guard feature. It is always enabled. + + * Cache information can be queried via sysconf() function on s390 e.g. with + _SC_LEVEL1_ICACHE_SIZE as argument. +Index: git/elf/rtld.c +=================================================================== +--- git.orig/elf/rtld.c ++++ git/elf/rtld.c +@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at + ._dl_hwcap_mask = HWCAP_IMPORTANT, + ._dl_lazy = 1, + ._dl_fpu_control = _FPU_DEFAULT, +- ._dl_pointer_guard = 1, + ._dl_pagesize = EXEC_PAGESIZE, + ._dl_inhibit_cache = 0, + +@@ -710,15 +709,12 @@ security_init (void) + #endif + + /* Set up the pointer guard as well, if necessary. */ +- if (GLRO(dl_pointer_guard)) +- { +- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random, +- stack_chk_guard); ++ uintptr_t pointer_chk_guard ++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard); + #ifdef THREAD_SET_POINTER_GUARD +- THREAD_SET_POINTER_GUARD (pointer_chk_guard); ++ THREAD_SET_POINTER_GUARD (pointer_chk_guard); + #endif +- __pointer_chk_guard_local = pointer_chk_guard; +- } ++ __pointer_chk_guard_local = pointer_chk_guard; + + /* We do not need the _dl_random value anymore. The less + information we leave behind, the better, so clear the +@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep) + GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0; + break; + } +- +- if (memcmp (envline, "POINTER_GUARD", 13) == 0) +- GLRO(dl_pointer_guard) = envline[14] != '0'; + break; + + case 14: +Index: git/sysdeps/generic/ldsodefs.h +=================================================================== +--- git.orig/sysdeps/generic/ldsodefs.h ++++ git/sysdeps/generic/ldsodefs.h +@@ -600,9 +600,6 @@ struct rtld_global_ro + /* List of auditing interfaces. */ + struct audit_ifaces *_dl_audit; + unsigned int _dl_naudit; +- +- /* 0 if internal pointer values should not be guarded, 1 if they should. */ +- EXTERN int _dl_pointer_guard; + }; + # define __rtld_global_attribute__ + # if IS_IN (rtld) diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch new file mode 100644 index 000000000..4dc93c769 --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch @@ -0,0 +1,262 @@ +From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001 +From: Paul Pluzhnikov <ppluzhnikov@google.com> +Date: Sat, 8 Aug 2015 15:53:03 -0700 +Subject: [PATCH] Fix BZ #17905 + +Upstream-Status: Backport +CVE: CVE-2015-8779 +[Yocto # 8980] + +https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 8 ++++++++ + NEWS | 2 +- + catgets/Makefile | 9 ++++++++- + catgets/catgets.c | 19 ++++++++++++------- + catgets/open_catalog.c | 23 ++++++++++++++--------- + catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++ + 6 files changed, 74 insertions(+), 18 deletions(-) + +Index: git/catgets/Makefile +=================================================================== +--- git.orig/catgets/Makefile ++++ git/catgets/Makefile +@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS)) + ifeq ($(run-built-tests),yes) + tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \ + $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out ++tests-special += $(objpfx)tst-catgets-mem.out + endif + endif + gencat-modules = xmalloc +@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat + + generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \ + test-gencat.h ++generated += tst-catgets.mtrace tst-catgets-mem.out ++ + generated-dirs += de + +-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de ++tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace + + ifeq ($(run-built-tests),yes) + # This test just checks whether the program produces any error or not. +@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh + $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat + $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \ + $(evaluate-test) ++ ++$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out ++ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \ ++ $(evaluate-test) + endif +Index: git/catgets/catgets.c +=================================================================== +--- git.orig/catgets/catgets.c ++++ git/catgets/catgets.c +@@ -16,7 +16,6 @@ + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +-#include <alloca.h> + #include <errno.h> + #include <locale.h> + #include <nl_types.h> +@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag) + __nl_catd result; + const char *env_var = NULL; + const char *nlspath = NULL; ++ char *tmp = NULL; + + if (strchr (cat_name, '/') == NULL) + { +@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag) + { + /* Append the system dependent directory. */ + size_t len = strlen (nlspath) + 1 + sizeof NLSPATH; +- char *tmp = alloca (len); ++ tmp = malloc (len); ++ ++ if (__glibc_unlikely (tmp == NULL)) ++ return (nl_catd) -1; + + __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH); + nlspath = tmp; +@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag) + + result = (__nl_catd) malloc (sizeof (*result)); + if (result == NULL) +- /* We cannot get enough memory. */ +- return (nl_catd) -1; +- +- if (__open_catalog (cat_name, nlspath, env_var, result) != 0) ++ { ++ /* We cannot get enough memory. */ ++ result = (nl_catd) -1; ++ } ++ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0) + { + /* Couldn't open the file. */ + free ((void *) result); +- return (nl_catd) -1; ++ result = (nl_catd) -1; + } + ++ free (tmp); + return (nl_catd) result; + } + +Index: git/catgets/open_catalog.c +=================================================================== +--- git.orig/catgets/open_catalog.c ++++ git/catgets/open_catalog.c +@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co + size_t tab_size; + const char *lastp; + int result = -1; ++ char *buf = NULL; + + if (strchr (cat_name, '/') != NULL || nlspath == NULL) + fd = open_not_cancel_2 (cat_name, O_RDONLY); +@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co + if (__glibc_unlikely (bufact + (n) >= bufmax)) \ + { \ + char *old_buf = buf; \ +- bufmax += 256 + (n); \ +- buf = (char *) alloca (bufmax); \ +- memcpy (buf, old_buf, bufact); \ ++ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \ ++ buf = realloc (buf, bufmax); \ ++ if (__glibc_unlikely (buf == NULL)) \ ++ { \ ++ free (old_buf); \ ++ return -1; \ ++ } \ + } + + /* The RUN_NLSPATH variable contains a colon separated list of + descriptions where we expect to find catalogs. We have to + recognize certain % substitutions and stop when we found the + first existing file. */ +- char *buf; + size_t bufact; +- size_t bufmax; ++ size_t bufmax = 0; + size_t len; + +- buf = NULL; +- bufmax = 0; +- + fd = -1; + while (*run_nlspath != '\0') + { +@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co + + /* Avoid dealing with directories and block devices */ + if (__builtin_expect (fd, 0) < 0) +- return -1; ++ { ++ free (buf); ++ return -1; ++ } + + if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0) + goto close_unlock_return; +@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co + /* Release the lock again. */ + close_unlock_return: + close_not_cancel_no_status (fd); ++ free (buf); + + return result; + } +Index: git/catgets/tst-catgets.c +=================================================================== +--- git.orig/catgets/tst-catgets.c ++++ git/catgets/tst-catgets.c +@@ -1,7 +1,10 @@ ++#include <assert.h> + #include <mcheck.h> + #include <nl_types.h> + #include <stdio.h> ++#include <stdlib.h> + #include <string.h> ++#include <sys/resource.h> + + + static const char *msgs[] = +@@ -12,6 +15,33 @@ static const char *msgs[] = + }; + #define nmsgs (sizeof (msgs) / sizeof (msgs[0])) + ++ ++/* Test for unbounded alloca. */ ++static int ++do_bz17905 (void) ++{ ++ char *buf; ++ struct rlimit rl; ++ nl_catd result; ++ ++ const int sz = 1024 * 1024; ++ ++ getrlimit (RLIMIT_STACK, &rl); ++ rl.rlim_cur = sz; ++ setrlimit (RLIMIT_STACK, &rl); ++ ++ buf = malloc (sz + 1); ++ memset (buf, 'A', sz); ++ buf[sz] = '\0'; ++ setenv ("NLSPATH", buf, 1); ++ ++ result = catopen (buf, NL_CAT_LOCALE); ++ assert (result == (nl_catd) -1); ++ ++ free (buf); ++ return 0; ++} ++ + #define ROUNDS 5 + + static int +@@ -62,6 +92,7 @@ do_test (void) + } + } + ++ result += do_bz17905 (); + return result; + } + +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,11 @@ ++2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com> ++ ++ [BZ #17905] ++ * catgets/Makefile (tst-catgets-mem): New test. ++ * catgets/catgets.c (catopen): Don't use unbounded alloca. ++ * catgets/open_catalog.c (__open_catalog): Likewise. ++ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca. ++ + 2015-10-15 Florian Weimer <fweimer@redhat.com> + + [BZ #18928] +Index: git/NEWS +=================================================================== +--- git.orig/NEWS ++++ git/NEWS +@@ -9,7 +9,7 @@ Version 2.22.1 + + * The following bugs are resolved with this release: + +- 18778, 18781, 18787. ++ 18778, 18781, 18787, 17905. + + Version 2.22 + diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch new file mode 100644 index 000000000..3aca91331 --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch @@ -0,0 +1,1039 @@ +From e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 Mon Sep 17 00:00:00 2001 +From: Joseph Myers <joseph@codesourcery.com> +Date: Tue, 24 Nov 2015 22:24:52 +0000 +Subject: [PATCH] Refactor strtod parsing of NaN payloads. + +The nan* functions handle their string argument by constructing a +NAN(...) string on the stack as a VLA and passing it to strtod +functions. + +This approach has problems discussed in bug 16961 and bug 16962: the +stack usage is unbounded, and it gives incorrect results in certain +cases where the argument is not a valid n-char-sequence. + +The natural fix for both issues is to refactor the NaN payload parsing +out of strtod into a separate function that the nan* functions can +call directly, so that no temporary string needs constructing on the +stack at all. This patch does that refactoring in preparation for +fixing those bugs (but without actually using the new functions from +nan* - which will also require exporting them from libc at version +GLIBC_PRIVATE). This patch is not intended to change any user-visible +behavior, so no tests are added (fixes for the above bugs will of +course add tests for them). + +This patch builds on my recent fixes for strtol and strtod issues in +Turkish locales. Given those fixes, the parsing of NaN payloads is +locale-independent; thus, the new functions do not need to take a +locale_t argument. + +Tested for x86_64, x86, mips64 and powerpc. + + * stdlib/strtod_nan.c: New file. + * stdlib/strtod_nan_double.h: Likewise. + * stdlib/strtod_nan_float.h: Likewise. + * stdlib/strtod_nan_main.c: Likewise. + * stdlib/strtod_nan_narrow.h: Likewise. + * stdlib/strtod_nan_wide.h: Likewise. + * stdlib/strtof_nan.c: Likewise. + * stdlib/strtold_nan.c: Likewise. + * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise. + * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise. + * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise. + * wcsmbs/wcstod_nan.c: Likewise. + * wcsmbs/wcstof_nan.c: Likewise. + * wcsmbs/wcstold_nan.c: Likewise. + * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and + strtold_nan. + * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and + wcstof_nan. + * include/stdlib.h (__strtof_nan): Declare and use + libc_hidden_proto. + (__strtod_nan): Likewise. + (__strtold_nan): Likewise. + (__wcstof_nan): Likewise. + (__wcstod_nan): Likewise. + (__wcstold_nan): Likewise. + * include/wchar.h (____wcstoull_l_internal): Declare. + * stdlib/strtod_l.c: Do not include <ieee754.h>. + (____strtoull_l_internal): Remove declaration. + (STRTOF_NAN): Define macro. + (SET_MANTISSA): Remove macro. + (STRTOULL): Likewise. + (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload. + * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration. + (STRTOF_NAN): Define macro. + (SET_MANTISSA): Remove macro. + * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro. + (SET_MANTISSA): Remove macro. + * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define + macro. + (SET_MANTISSA): Remove macro. + * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define + macro. + (SET_MANTISSA): Remove macro. + * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro. + (SET_MANTISSA): Remove macro. + * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration. + * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise. + * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise. + +Upstream-Status: Backport +CVE: CVE-2015-9761 patch #1 +[Yocto # 8980] + +https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 49 ++++++++++++++++++ + include/stdlib.h | 18 +++++++ + include/wchar.h | 3 ++ + stdlib/Makefile | 1 + + stdlib/strtod_l.c | 48 ++++-------------- + stdlib/strtod_nan.c | 24 +++++++++ + stdlib/strtod_nan_double.h | 30 +++++++++++ + stdlib/strtod_nan_float.h | 29 +++++++++++ + stdlib/strtod_nan_main.c | 63 ++++++++++++++++++++++++ + stdlib/strtod_nan_narrow.h | 22 +++++++++ + stdlib/strtod_nan_wide.h | 22 +++++++++ + stdlib/strtof_l.c | 11 +---- + stdlib/strtof_nan.c | 24 +++++++++ + stdlib/strtold_nan.c | 30 +++++++++++ + sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h | 33 +++++++++++++ + sysdeps/ieee754/ldbl-128/strtold_l.c | 13 +---- + sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h | 30 +++++++++++ + sysdeps/ieee754/ldbl-128ibm/strtold_l.c | 10 +--- + sysdeps/ieee754/ldbl-64-128/strtold_l.c | 13 +---- + sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h | 30 +++++++++++ + sysdeps/ieee754/ldbl-96/strtold_l.c | 10 +--- + wcsmbs/Makefile | 1 + + wcsmbs/wcstod_l.c | 3 -- + wcsmbs/wcstod_nan.c | 23 +++++++++ + wcsmbs/wcstof_l.c | 3 -- + wcsmbs/wcstof_nan.c | 23 +++++++++ + wcsmbs/wcstold_l.c | 3 -- + wcsmbs/wcstold_nan.c | 30 +++++++++++ + 28 files changed, 504 insertions(+), 95 deletions(-) + create mode 100644 stdlib/strtod_nan.c + create mode 100644 stdlib/strtod_nan_double.h + create mode 100644 stdlib/strtod_nan_float.h + create mode 100644 stdlib/strtod_nan_main.c + create mode 100644 stdlib/strtod_nan_narrow.h + create mode 100644 stdlib/strtod_nan_wide.h + create mode 100644 stdlib/strtof_nan.c + create mode 100644 stdlib/strtold_nan.c + create mode 100644 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h + create mode 100644 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h + create mode 100644 sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h + create mode 100644 wcsmbs/wcstod_nan.c + create mode 100644 wcsmbs/wcstof_nan.c + create mode 100644 wcsmbs/wcstold_nan.c + +Index: git/include/stdlib.h +=================================================================== +--- git.orig/include/stdlib.h ++++ git/include/stdlib.h +@@ -203,6 +203,24 @@ libc_hidden_proto (strtoll) + libc_hidden_proto (strtoul) + libc_hidden_proto (strtoull) + ++extern float __strtof_nan (const char *, char **, char) internal_function; ++extern double __strtod_nan (const char *, char **, char) internal_function; ++extern long double __strtold_nan (const char *, char **, char) ++ internal_function; ++extern float __wcstof_nan (const wchar_t *, wchar_t **, wchar_t) ++ internal_function; ++extern double __wcstod_nan (const wchar_t *, wchar_t **, wchar_t) ++ internal_function; ++extern long double __wcstold_nan (const wchar_t *, wchar_t **, wchar_t) ++ internal_function; ++ ++libc_hidden_proto (__strtof_nan) ++libc_hidden_proto (__strtod_nan) ++libc_hidden_proto (__strtold_nan) ++libc_hidden_proto (__wcstof_nan) ++libc_hidden_proto (__wcstod_nan) ++libc_hidden_proto (__wcstold_nan) ++ + extern char *__ecvt (double __value, int __ndigit, int *__restrict __decpt, + int *__restrict __sign); + extern char *__fcvt (double __value, int __ndigit, int *__restrict __decpt, +Index: git/include/wchar.h +=================================================================== +--- git.orig/include/wchar.h ++++ git/include/wchar.h +@@ -52,6 +52,9 @@ extern unsigned long long int __wcstoull + __restrict __endptr, + int __base, + int __group) __THROW; ++extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, ++ wchar_t **, int, int, ++ __locale_t); + libc_hidden_proto (__wcstof_internal) + libc_hidden_proto (__wcstod_internal) + libc_hidden_proto (__wcstold_internal) +Index: git/stdlib/Makefile +=================================================================== +--- git.orig/stdlib/Makefile ++++ git/stdlib/Makefile +@@ -51,6 +51,7 @@ routines-y := \ + strtol_l strtoul_l strtoll_l strtoull_l \ + strtof strtod strtold \ + strtof_l strtod_l strtold_l \ ++ strtof_nan strtod_nan strtold_nan \ + system canonicalize \ + a64l l64a \ + getsubopt xpg_basename \ +Index: git/stdlib/strtod_l.c +=================================================================== +--- git.orig/stdlib/strtod_l.c ++++ git/stdlib/strtod_l.c +@@ -21,8 +21,6 @@ + #include <xlocale.h> + + extern double ____strtod_l_internal (const char *, char **, int, __locale_t); +-extern unsigned long long int ____strtoull_l_internal (const char *, char **, +- int, int, __locale_t); + + /* Configuration part. These macros are defined by `strtold.c', + `strtof.c', `wcstod.c', `wcstold.c', and `wcstof.c' to produce the +@@ -34,27 +32,20 @@ extern unsigned long long int ____strtou + # ifdef USE_WIDE_CHAR + # define STRTOF wcstod_l + # define __STRTOF __wcstod_l ++# define STRTOF_NAN __wcstod_nan + # else + # define STRTOF strtod_l + # define __STRTOF __strtod_l ++# define STRTOF_NAN __strtod_nan + # endif + # define MPN2FLOAT __mpn_construct_double + # define FLOAT_HUGE_VAL HUGE_VAL +-# define SET_MANTISSA(flt, mant) \ +- do { union ieee754_double u; \ +- u.d = (flt); \ +- u.ieee_nan.mantissa0 = (mant) >> 32; \ +- u.ieee_nan.mantissa1 = (mant); \ +- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ +- (flt) = u.d; \ +- } while (0) + #endif + /* End of configuration part. */ + + #include <ctype.h> + #include <errno.h> + #include <float.h> +-#include <ieee754.h> + #include "../locale/localeinfo.h" + #include <locale.h> + #include <math.h> +@@ -105,7 +96,6 @@ extern unsigned long long int ____strtou + # define TOLOWER_C(Ch) __towlower_l ((Ch), _nl_C_locobj_ptr) + # define STRNCASECMP(S1, S2, N) \ + __wcsncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr) +-# define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, loc) + #else + # define STRING_TYPE char + # define CHAR_TYPE char +@@ -117,7 +107,6 @@ extern unsigned long long int ____strtou + # define TOLOWER_C(Ch) __tolower_l ((Ch), _nl_C_locobj_ptr) + # define STRNCASECMP(S1, S2, N) \ + __strncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr) +-# define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, loc) + #endif + + +@@ -668,33 +657,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group + if (*cp == L_('(')) + { + const STRING_TYPE *startp = cp; +- do +- ++cp; +- while ((*cp >= L_('0') && *cp <= L_('9')) +- || ({ CHAR_TYPE lo = TOLOWER (*cp); +- lo >= L_('a') && lo <= L_('z'); }) +- || *cp == L_('_')); +- +- if (*cp != L_(')')) +- /* The closing brace is missing. Only match the NAN +- part. */ +- cp = startp; ++ STRING_TYPE *endp; ++ retval = STRTOF_NAN (cp + 1, &endp, L_(')')); ++ if (*endp == L_(')')) ++ /* Consume the closing parenthesis. */ ++ cp = endp + 1; + else +- { +- /* This is a system-dependent way to specify the +- bitmask used for the NaN. We expect it to be +- a number which is put in the mantissa of the +- number. */ +- STRING_TYPE *endp; +- unsigned long long int mant; +- +- mant = STRTOULL (startp + 1, &endp, 0); +- if (endp == cp) +- SET_MANTISSA (retval, mant); +- +- /* Consume the closing brace. */ +- ++cp; +- } ++ /* Only match the NAN part. */ ++ cp = startp; + } + + if (endptr != NULL) +Index: git/stdlib/strtod_nan.c +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan.c +@@ -0,0 +1,24 @@ ++/* Convert string for NaN payload to corresponding NaN. Narrow ++ strings, double. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <strtod_nan_narrow.h> ++#include <strtod_nan_double.h> ++ ++#define STRTOD_NAN __strtod_nan ++#include <strtod_nan_main.c> +Index: git/stdlib/strtod_nan_double.h +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_double.h +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. For double. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#define FLOAT double ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ieee754_double u; \ ++ u.d = (flt); \ ++ u.ieee_nan.mantissa0 = (mant) >> 32; \ ++ u.ieee_nan.mantissa1 = (mant); \ ++ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ ++ (flt) = u.d; \ ++ } \ ++ while (0) +Index: git/stdlib/strtod_nan_float.h +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_float.h +@@ -0,0 +1,29 @@ ++/* Convert string for NaN payload to corresponding NaN. For float. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#define FLOAT float ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ieee754_float u; \ ++ u.f = (flt); \ ++ u.ieee_nan.mantissa = (mant); \ ++ if (u.ieee.mantissa != 0) \ ++ (flt) = u.f; \ ++ } \ ++ while (0) +Index: git/stdlib/strtod_nan_main.c +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_main.c +@@ -0,0 +1,63 @@ ++/* Convert string for NaN payload to corresponding NaN. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <ieee754.h> ++#include <locale.h> ++#include <math.h> ++#include <stdlib.h> ++#include <wchar.h> ++ ++ ++/* If STR starts with an optional n-char-sequence as defined by ISO C ++ (a sequence of ASCII letters, digits and underscores), followed by ++ ENDC, return a NaN whose payload is set based on STR. Otherwise, ++ return a default NAN. If ENDPTR is not NULL, set *ENDPTR to point ++ to the character after the initial n-char-sequence. */ ++ ++internal_function ++FLOAT ++STRTOD_NAN (const STRING_TYPE *str, STRING_TYPE **endptr, STRING_TYPE endc) ++{ ++ const STRING_TYPE *cp = str; ++ ++ while ((*cp >= L_('0') && *cp <= L_('9')) ++ || (*cp >= L_('A') && *cp <= L_('Z')) ++ || (*cp >= L_('a') && *cp <= L_('z')) ++ || *cp == L_('_')) ++ ++cp; ++ ++ FLOAT retval = NAN; ++ if (*cp != endc) ++ goto out; ++ ++ /* This is a system-dependent way to specify the bitmask used for ++ the NaN. We expect it to be a number which is put in the ++ mantissa of the number. */ ++ STRING_TYPE *endp; ++ unsigned long long int mant; ++ ++ mant = STRTOULL (str, &endp, 0); ++ if (endp == cp) ++ SET_MANTISSA (retval, mant); ++ ++ out: ++ if (endptr != NULL) ++ *endptr = (STRING_TYPE *) cp; ++ return retval; ++} ++libc_hidden_def (STRTOD_NAN) +Index: git/stdlib/strtod_nan_narrow.h +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_narrow.h +@@ -0,0 +1,22 @@ ++/* Convert string for NaN payload to corresponding NaN. Narrow strings. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#define STRING_TYPE char ++#define L_(Ch) Ch ++#define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, \ ++ _nl_C_locobj_ptr) +Index: git/stdlib/strtod_nan_wide.h +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_wide.h +@@ -0,0 +1,22 @@ ++/* Convert string for NaN payload to corresponding NaN. Wide strings. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#define STRING_TYPE wchar_t ++#define L_(Ch) L##Ch ++#define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, \ ++ _nl_C_locobj_ptr) +Index: git/stdlib/strtof_l.c +=================================================================== +--- git.orig/stdlib/strtof_l.c ++++ git/stdlib/strtof_l.c +@@ -20,26 +20,19 @@ + #include <xlocale.h> + + extern float ____strtof_l_internal (const char *, char **, int, __locale_t); +-extern unsigned long long int ____strtoull_l_internal (const char *, char **, +- int, int, __locale_t); + + #define FLOAT float + #define FLT FLT + #ifdef USE_WIDE_CHAR + # define STRTOF wcstof_l + # define __STRTOF __wcstof_l ++# define STRTOF_NAN __wcstof_nan + #else + # define STRTOF strtof_l + # define __STRTOF __strtof_l ++# define STRTOF_NAN __strtof_nan + #endif + #define MPN2FLOAT __mpn_construct_float + #define FLOAT_HUGE_VAL HUGE_VALF +-#define SET_MANTISSA(flt, mant) \ +- do { union ieee754_float u; \ +- u.f = (flt); \ +- u.ieee_nan.mantissa = (mant); \ +- if (u.ieee.mantissa != 0) \ +- (flt) = u.f; \ +- } while (0) + + #include "strtod_l.c" +Index: git/stdlib/strtof_nan.c +=================================================================== +--- /dev/null ++++ git/stdlib/strtof_nan.c +@@ -0,0 +1,24 @@ ++/* Convert string for NaN payload to corresponding NaN. Narrow ++ strings, float. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <strtod_nan_narrow.h> ++#include <strtod_nan_float.h> ++ ++#define STRTOD_NAN __strtof_nan ++#include <strtod_nan_main.c> +Index: git/stdlib/strtold_nan.c +=================================================================== +--- /dev/null ++++ git/stdlib/strtold_nan.c +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. Narrow ++ strings, long double. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <math.h> ++ ++/* This function is unused if long double and double have the same ++ representation. */ ++#ifndef __NO_LONG_DOUBLE_MATH ++# include <strtod_nan_narrow.h> ++# include <strtod_nan_ldouble.h> ++ ++# define STRTOD_NAN __strtold_nan ++# include <strtod_nan_main.c> ++#endif +Index: git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h +=================================================================== +--- /dev/null ++++ git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h +@@ -0,0 +1,33 @@ ++/* Convert string for NaN payload to corresponding NaN. For ldbl-128. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#define FLOAT long double ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ieee854_long_double u; \ ++ u.d = (flt); \ ++ u.ieee_nan.mantissa0 = 0; \ ++ u.ieee_nan.mantissa1 = 0; \ ++ u.ieee_nan.mantissa2 = (mant) >> 32; \ ++ u.ieee_nan.mantissa3 = (mant); \ ++ if ((u.ieee.mantissa0 | u.ieee.mantissa1 \ ++ | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \ ++ (flt) = u.d; \ ++ } \ ++ while (0) +Index: git/sysdeps/ieee754/ldbl-128/strtold_l.c +=================================================================== +--- git.orig/sysdeps/ieee754/ldbl-128/strtold_l.c ++++ git/sysdeps/ieee754/ldbl-128/strtold_l.c +@@ -25,22 +25,13 @@ + #ifdef USE_WIDE_CHAR + # define STRTOF wcstold_l + # define __STRTOF __wcstold_l ++# define STRTOF_NAN __wcstold_nan + #else + # define STRTOF strtold_l + # define __STRTOF __strtold_l ++# define STRTOF_NAN __strtold_nan + #endif + #define MPN2FLOAT __mpn_construct_long_double + #define FLOAT_HUGE_VAL HUGE_VALL +-#define SET_MANTISSA(flt, mant) \ +- do { union ieee854_long_double u; \ +- u.d = (flt); \ +- u.ieee_nan.mantissa0 = 0; \ +- u.ieee_nan.mantissa1 = 0; \ +- u.ieee_nan.mantissa2 = (mant) >> 32; \ +- u.ieee_nan.mantissa3 = (mant); \ +- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \ +- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \ +- (flt) = u.d; \ +- } while (0) + + #include <strtod_l.c> +Index: git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h +=================================================================== +--- /dev/null ++++ git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. For ldbl-128ibm. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#define FLOAT long double ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ibm_extended_long_double u; \ ++ u.ld = (flt); \ ++ u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \ ++ u.d[0].ieee_nan.mantissa1 = (mant); \ ++ if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \ ++ (flt) = u.ld; \ ++ } \ ++ while (0) +Index: git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c +=================================================================== +--- git.orig/sysdeps/ieee754/ldbl-128ibm/strtold_l.c ++++ git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c +@@ -30,25 +30,19 @@ extern long double ____new_wcstold_l (co + # define STRTOF __new_wcstold_l + # define __STRTOF ____new_wcstold_l + # define ____STRTOF_INTERNAL ____wcstold_l_internal ++# define STRTOF_NAN __wcstold_nan + #else + extern long double ____new_strtold_l (const char *, char **, __locale_t); + # define STRTOF __new_strtold_l + # define __STRTOF ____new_strtold_l + # define ____STRTOF_INTERNAL ____strtold_l_internal ++# define STRTOF_NAN __strtold_nan + #endif + extern __typeof (__STRTOF) STRTOF; + libc_hidden_proto (__STRTOF) + libc_hidden_proto (STRTOF) + #define MPN2FLOAT __mpn_construct_long_double + #define FLOAT_HUGE_VAL HUGE_VALL +-# define SET_MANTISSA(flt, mant) \ +- do { union ibm_extended_long_double u; \ +- u.ld = (flt); \ +- u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \ +- u.d[0].ieee_nan.mantissa1 = (mant); \ +- if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \ +- (flt) = u.ld; \ +- } while (0) + + #include <strtod_l.c> + +Index: git/sysdeps/ieee754/ldbl-64-128/strtold_l.c +=================================================================== +--- git.orig/sysdeps/ieee754/ldbl-64-128/strtold_l.c ++++ git/sysdeps/ieee754/ldbl-64-128/strtold_l.c +@@ -30,28 +30,19 @@ extern long double ____new_wcstold_l (co + # define STRTOF __new_wcstold_l + # define __STRTOF ____new_wcstold_l + # define ____STRTOF_INTERNAL ____wcstold_l_internal ++# define STRTOF_NAN __wcstold_nan + #else + extern long double ____new_strtold_l (const char *, char **, __locale_t); + # define STRTOF __new_strtold_l + # define __STRTOF ____new_strtold_l + # define ____STRTOF_INTERNAL ____strtold_l_internal ++# define STRTOF_NAN __strtold_nan + #endif + extern __typeof (__STRTOF) STRTOF; + libc_hidden_proto (__STRTOF) + libc_hidden_proto (STRTOF) + #define MPN2FLOAT __mpn_construct_long_double + #define FLOAT_HUGE_VAL HUGE_VALL +-#define SET_MANTISSA(flt, mant) \ +- do { union ieee854_long_double u; \ +- u.d = (flt); \ +- u.ieee_nan.mantissa0 = 0; \ +- u.ieee_nan.mantissa1 = 0; \ +- u.ieee_nan.mantissa2 = (mant) >> 32; \ +- u.ieee_nan.mantissa3 = (mant); \ +- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \ +- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \ +- (flt) = u.d; \ +- } while (0) + + #include <strtod_l.c> + +Index: git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h +=================================================================== +--- /dev/null ++++ git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. For ldbl-96. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#define FLOAT long double ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ieee854_long_double u; \ ++ u.d = (flt); \ ++ u.ieee_nan.mantissa0 = (mant) >> 32; \ ++ u.ieee_nan.mantissa1 = (mant); \ ++ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ ++ (flt) = u.d; \ ++ } \ ++ while (0) +Index: git/sysdeps/ieee754/ldbl-96/strtold_l.c +=================================================================== +--- git.orig/sysdeps/ieee754/ldbl-96/strtold_l.c ++++ git/sysdeps/ieee754/ldbl-96/strtold_l.c +@@ -25,19 +25,13 @@ + #ifdef USE_WIDE_CHAR + # define STRTOF wcstold_l + # define __STRTOF __wcstold_l ++# define STRTOF_NAN __wcstold_nan + #else + # define STRTOF strtold_l + # define __STRTOF __strtold_l ++# define STRTOF_NAN __strtold_nan + #endif + #define MPN2FLOAT __mpn_construct_long_double + #define FLOAT_HUGE_VAL HUGE_VALL +-#define SET_MANTISSA(flt, mant) \ +- do { union ieee854_long_double u; \ +- u.d = (flt); \ +- u.ieee_nan.mantissa0 = (mant) >> 32; \ +- u.ieee_nan.mantissa1 = (mant); \ +- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ +- (flt) = u.d; \ +- } while (0) + + #include <stdlib/strtod_l.c> +Index: git/wcsmbs/Makefile +=================================================================== +--- git.orig/wcsmbs/Makefile ++++ git/wcsmbs/Makefile +@@ -39,6 +39,7 @@ routines-$(OPTION_POSIX_C_LANG_WIDE_CHAR + wcstol wcstoul wcstoll wcstoull wcstod wcstold wcstof \ + wcstol_l wcstoul_l wcstoll_l wcstoull_l \ + wcstod_l wcstold_l wcstof_l \ ++ wcstod_nan wcstold_nan wcstof_nan \ + wcscoll wcsxfrm \ + wcwidth wcswidth \ + wcscoll_l wcsxfrm_l \ +Index: git/wcsmbs/wcstod_l.c +=================================================================== +--- git.orig/wcsmbs/wcstod_l.c ++++ git/wcsmbs/wcstod_l.c +@@ -23,9 +23,6 @@ + + extern double ____wcstod_l_internal (const wchar_t *, wchar_t **, int, + __locale_t); +-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, +- wchar_t **, int, int, +- __locale_t); + + #define USE_WIDE_CHAR 1 + +Index: git/wcsmbs/wcstod_nan.c +=================================================================== +--- /dev/null ++++ git/wcsmbs/wcstod_nan.c +@@ -0,0 +1,23 @@ ++/* Convert string for NaN payload to corresponding NaN. Wide strings, double. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include "../stdlib/strtod_nan_wide.h" ++#include "../stdlib/strtod_nan_double.h" ++ ++#define STRTOD_NAN __wcstod_nan ++#include "../stdlib/strtod_nan_main.c" +Index: git/wcsmbs/wcstof_l.c +=================================================================== +--- git.orig/wcsmbs/wcstof_l.c ++++ git/wcsmbs/wcstof_l.c +@@ -25,8 +25,5 @@ + + extern float ____wcstof_l_internal (const wchar_t *, wchar_t **, int, + __locale_t); +-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, +- wchar_t **, int, int, +- __locale_t); + + #include <stdlib/strtof_l.c> +Index: git/wcsmbs/wcstof_nan.c +=================================================================== +--- /dev/null ++++ git/wcsmbs/wcstof_nan.c +@@ -0,0 +1,23 @@ ++/* Convert string for NaN payload to corresponding NaN. Wide strings, float. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include "../stdlib/strtod_nan_wide.h" ++#include "../stdlib/strtod_nan_float.h" ++ ++#define STRTOD_NAN __wcstof_nan ++#include "../stdlib/strtod_nan_main.c" +Index: git/wcsmbs/wcstold_l.c +=================================================================== +--- git.orig/wcsmbs/wcstold_l.c ++++ git/wcsmbs/wcstold_l.c +@@ -24,8 +24,5 @@ + + extern long double ____wcstold_l_internal (const wchar_t *, wchar_t **, int, + __locale_t); +-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, +- wchar_t **, int, int, +- __locale_t); + + #include <strtold_l.c> +Index: git/wcsmbs/wcstold_nan.c +=================================================================== +--- /dev/null ++++ git/wcsmbs/wcstold_nan.c +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. Wide strings, ++ long double. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <math.h> ++ ++/* This function is unused if long double and double have the same ++ representation. */ ++#ifndef __NO_LONG_DOUBLE_MATH ++# include "../stdlib/strtod_nan_wide.h" ++# include <strtod_nan_ldouble.h> ++ ++# define STRTOD_NAN __wcstold_nan ++# include "../stdlib/strtod_nan_main.c" ++#endif +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,57 @@ ++2015-11-24 Joseph Myers <joseph@codesourcery.com> ++ ++ * stdlib/strtod_nan.c: New file. ++ * stdlib/strtod_nan_double.h: Likewise. ++ * stdlib/strtod_nan_float.h: Likewise. ++ * stdlib/strtod_nan_main.c: Likewise. ++ * stdlib/strtod_nan_narrow.h: Likewise. ++ * stdlib/strtod_nan_wide.h: Likewise. ++ * stdlib/strtof_nan.c: Likewise. ++ * stdlib/strtold_nan.c: Likewise. ++ * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise. ++ * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise. ++ * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise. ++ * wcsmbs/wcstod_nan.c: Likewise. ++ * wcsmbs/wcstof_nan.c: Likewise. ++ * wcsmbs/wcstold_nan.c: Likewise. ++ * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and ++ strtold_nan. ++ * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and ++ wcstof_nan. ++ * include/stdlib.h (__strtof_nan): Declare and use ++ libc_hidden_proto. ++ (__strtod_nan): Likewise. ++ (__strtold_nan): Likewise. ++ (__wcstof_nan): Likewise. ++ (__wcstod_nan): Likewise. ++ (__wcstold_nan): Likewise. ++ * include/wchar.h (____wcstoull_l_internal): Declare. ++ * stdlib/strtod_l.c: Do not include <ieee754.h>. ++ (____strtoull_l_internal): Remove declaration. ++ (STRTOF_NAN): Define macro. ++ (SET_MANTISSA): Remove macro. ++ (STRTOULL): Likewise. ++ (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload. ++ * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration. ++ (STRTOF_NAN): Define macro. ++ (SET_MANTISSA): Remove macro. ++ * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro. ++ (SET_MANTISSA): Remove macro. ++ * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define ++ macro. ++ (SET_MANTISSA): Remove macro. ++ * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define ++ macro. ++ (SET_MANTISSA): Remove macro. ++ * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro. ++ (SET_MANTISSA): Remove macro. ++ * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration. ++ * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise. ++ * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise. ++ ++ [BZ #19266] ++ * stdlib/strtod_l.c (____STRTOF_INTERNAL): Check directly for ++ upper case and lower case letters inside NAN(), not using TOLOWER. + 2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com> + + [BZ #17905] diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch new file mode 100644 index 000000000..e30307fbc --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch @@ -0,0 +1,385 @@ +From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17 00:00:00 2001 +From: Joseph Myers <joseph@codesourcery.com> +Date: Fri, 4 Dec 2015 20:36:28 +0000 +Subject: [PATCH] Fix nan functions handling of payload strings (bug 16961, bug + 16962). + +The nan, nanf and nanl functions handle payload strings by doing e.g.: + + if (tagp[0] != '\0') + { + char buf[6 + strlen (tagp)]; + sprintf (buf, "NAN(%s)", tagp); + return strtod (buf, NULL); + } + +This is an unbounded stack allocation based on the length of the +argument. Furthermore, if the argument starts with an n-char-sequence +followed by ')', that n-char-sequence is wrongly treated as +significant for determining the payload of the resulting NaN, when ISO +C says the call should be equivalent to strtod ("NAN", NULL), without +being affected by that initial n-char-sequence. This patch fixes both +those problems by using the __strtod_nan etc. functions recently +factored out of strtod etc. for that purpose, with those functions +being exported from libc at version GLIBC_PRIVATE. + +Tested for x86_64, x86, mips64 and powerpc. + + [BZ #16961] + [BZ #16962] + * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a + string on the stack for strtod. + * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing + a string on the stack for strtof. + * math/s_nanl.c (__nanl): Use __strtold_nan instead of + constructing a string on the stack for strtold. + * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and + __strtold_nan to GLIBC_PRIVATE. + * math/test-nan-overflow.c: New file. + * math/test-nan-payload.c: Likewise. + * math/Makefile (tests): Add test-nan-overflow and + test-nan-payload. + +Upstream-Status: Backport +CVE: CVE-2015-9761 patch #2 +[Yocto # 8980] + +https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 17 +++++++ + NEWS | 6 +++ + math/Makefile | 3 +- + math/s_nan.c | 9 +--- + math/s_nanf.c | 9 +--- + math/s_nanl.c | 9 +--- + math/test-nan-overflow.c | 66 +++++++++++++++++++++++++ + math/test-nan-payload.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++ + stdlib/Versions | 1 + + 9 files changed, 217 insertions(+), 25 deletions(-) + create mode 100644 math/test-nan-overflow.c + create mode 100644 math/test-nan-payload.c + +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,20 @@ ++2015-12-04 Joseph Myers <joseph@codesourcery.com> ++ ++ [BZ #16961] ++ [BZ #16962] ++ * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a ++ string on the stack for strtod. ++ * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing ++ a string on the stack for strtof. ++ * math/s_nanl.c (__nanl): Use __strtold_nan instead of ++ constructing a string on the stack for strtold. ++ * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and ++ __strtold_nan to GLIBC_PRIVATE. ++ * math/test-nan-overflow.c: New file. ++ * math/test-nan-payload.c: Likewise. ++ * math/Makefile (tests): Add test-nan-overflow and ++ test-nan-payload. ++ + 2015-11-24 Joseph Myers <joseph@codesourcery.com> + + * stdlib/strtod_nan.c: New file. +Index: git/NEWS +=================================================================== +--- git.orig/NEWS ++++ git/NEWS +@@ -99,6 +99,12 @@ Version 2.22 + + Version 2.21 + ++Security related changes: ++ ++* The nan, nanf and nanl functions no longer have unbounded stack usage ++ depending on the length of the string passed as an argument to the ++ functions. Reported by Joseph Myers. ++ + * The following bugs are resolved with this release: + + 6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498, +Index: git/math/Makefile +=================================================================== +--- git.orig/math/Makefile ++++ git/math/Makefile +@@ -110,6 +110,7 @@ tests = test-matherr test-fenv atest-exp + test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \ + test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \ + test-fenv-tls test-fenv-preserve test-fenv-return test-fenvinline \ ++ test-nan-overflow test-nan-payload \ + $(tests-static) + tests-static = test-fpucw-static test-fpucw-ieee-static + # We do the `long double' tests only if this data type is available and +Index: git/math/s_nan.c +=================================================================== +--- git.orig/math/s_nan.c ++++ git/math/s_nan.c +@@ -28,14 +28,7 @@ + double + __nan (const char *tagp) + { +- if (tagp[0] != '\0') +- { +- char buf[6 + strlen (tagp)]; +- sprintf (buf, "NAN(%s)", tagp); +- return strtod (buf, NULL); +- } +- +- return NAN; ++ return __strtod_nan (tagp, NULL, 0); + } + weak_alias (__nan, nan) + #ifdef NO_LONG_DOUBLE +Index: git/math/s_nanf.c +=================================================================== +--- git.orig/math/s_nanf.c ++++ git/math/s_nanf.c +@@ -28,13 +28,6 @@ + float + __nanf (const char *tagp) + { +- if (tagp[0] != '\0') +- { +- char buf[6 + strlen (tagp)]; +- sprintf (buf, "NAN(%s)", tagp); +- return strtof (buf, NULL); +- } +- +- return NAN; ++ return __strtof_nan (tagp, NULL, 0); + } + weak_alias (__nanf, nanf) +Index: git/math/s_nanl.c +=================================================================== +--- git.orig/math/s_nanl.c ++++ git/math/s_nanl.c +@@ -28,13 +28,6 @@ + long double + __nanl (const char *tagp) + { +- if (tagp[0] != '\0') +- { +- char buf[6 + strlen (tagp)]; +- sprintf (buf, "NAN(%s)", tagp); +- return strtold (buf, NULL); +- } +- +- return NAN; ++ return __strtold_nan (tagp, NULL, 0); + } + weak_alias (__nanl, nanl) +Index: git/math/test-nan-overflow.c +=================================================================== +--- /dev/null ++++ git/math/test-nan-overflow.c +@@ -0,0 +1,66 @@ ++/* Test nan functions stack overflow (bug 16962). ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <math.h> ++#include <stdio.h> ++#include <string.h> ++#include <sys/resource.h> ++ ++#define STACK_LIM 1048576 ++#define STRING_SIZE (2 * STACK_LIM) ++ ++static int ++do_test (void) ++{ ++ int result = 0; ++ struct rlimit lim; ++ getrlimit (RLIMIT_STACK, &lim); ++ lim.rlim_cur = STACK_LIM; ++ setrlimit (RLIMIT_STACK, &lim); ++ char *nanstr = malloc (STRING_SIZE); ++ if (nanstr == NULL) ++ { ++ puts ("malloc failed, cannot test"); ++ return 77; ++ } ++ memset (nanstr, '0', STRING_SIZE - 1); ++ nanstr[STRING_SIZE - 1] = 0; ++#define NAN_TEST(TYPE, FUNC) \ ++ do \ ++ { \ ++ char *volatile p = nanstr; \ ++ volatile TYPE v = FUNC (p); \ ++ if (isnan (v)) \ ++ puts ("PASS: " #FUNC); \ ++ else \ ++ { \ ++ puts ("FAIL: " #FUNC); \ ++ result = 1; \ ++ } \ ++ } \ ++ while (0) ++ NAN_TEST (float, nanf); ++ NAN_TEST (double, nan); ++#ifndef NO_LONG_DOUBLE ++ NAN_TEST (long double, nanl); ++#endif ++ return result; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +Index: git/math/test-nan-payload.c +=================================================================== +--- /dev/null ++++ git/math/test-nan-payload.c +@@ -0,0 +1,122 @@ ++/* Test nan functions payload handling (bug 16961). ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <float.h> ++#include <math.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++ ++/* Avoid built-in functions. */ ++#define WRAP_NAN(FUNC, STR) \ ++ ({ const char *volatile wns = (STR); FUNC (wns); }) ++#define WRAP_STRTO(FUNC, STR) \ ++ ({ const char *volatile wss = (STR); FUNC (wss, NULL); }) ++ ++#define CHECK_IS_NAN(TYPE, A) \ ++ do \ ++ { \ ++ if (isnan (A)) \ ++ puts ("PASS: " #TYPE " " #A); \ ++ else \ ++ { \ ++ puts ("FAIL: " #TYPE " " #A); \ ++ result = 1; \ ++ } \ ++ } \ ++ while (0) ++ ++#define CHECK_SAME_NAN(TYPE, A, B) \ ++ do \ ++ { \ ++ if (memcmp (&(A), &(B), sizeof (A)) == 0) \ ++ puts ("PASS: " #TYPE " " #A " = " #B); \ ++ else \ ++ { \ ++ puts ("FAIL: " #TYPE " " #A " = " #B); \ ++ result = 1; \ ++ } \ ++ } \ ++ while (0) ++ ++#define CHECK_DIFF_NAN(TYPE, A, B) \ ++ do \ ++ { \ ++ if (memcmp (&(A), &(B), sizeof (A)) != 0) \ ++ puts ("PASS: " #TYPE " " #A " != " #B); \ ++ else \ ++ { \ ++ puts ("FAIL: " #TYPE " " #A " != " #B); \ ++ result = 1; \ ++ } \ ++ } \ ++ while (0) ++ ++/* Cannot test payloads by memcmp for formats where NaNs have padding ++ bits. */ ++#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106) ++ ++#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG) \ ++ do \ ++ { \ ++ TYPE n123 = WRAP_NAN (FUNC, "123"); \ ++ CHECK_IS_NAN (TYPE, n123); \ ++ TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)"); \ ++ CHECK_IS_NAN (TYPE, s123); \ ++ TYPE n456 = WRAP_NAN (FUNC, "456"); \ ++ CHECK_IS_NAN (TYPE, n456); \ ++ TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)"); \ ++ CHECK_IS_NAN (TYPE, s456); \ ++ TYPE n123x = WRAP_NAN (FUNC, "123)"); \ ++ CHECK_IS_NAN (TYPE, n123x); \ ++ TYPE nemp = WRAP_NAN (FUNC, ""); \ ++ CHECK_IS_NAN (TYPE, nemp); \ ++ TYPE semp = WRAP_STRTO (SFUNC, "NAN()"); \ ++ CHECK_IS_NAN (TYPE, semp); \ ++ TYPE sx = WRAP_STRTO (SFUNC, "NAN"); \ ++ CHECK_IS_NAN (TYPE, sx); \ ++ if (CAN_TEST_EQ (MANT_DIG)) \ ++ CHECK_SAME_NAN (TYPE, n123, s123); \ ++ if (CAN_TEST_EQ (MANT_DIG)) \ ++ CHECK_SAME_NAN (TYPE, n456, s456); \ ++ if (CAN_TEST_EQ (MANT_DIG)) \ ++ CHECK_SAME_NAN (TYPE, nemp, semp); \ ++ if (CAN_TEST_EQ (MANT_DIG)) \ ++ CHECK_SAME_NAN (TYPE, n123x, sx); \ ++ CHECK_DIFF_NAN (TYPE, n123, n456); \ ++ CHECK_DIFF_NAN (TYPE, n123, nemp); \ ++ CHECK_DIFF_NAN (TYPE, n123, n123x); \ ++ CHECK_DIFF_NAN (TYPE, n456, nemp); \ ++ CHECK_DIFF_NAN (TYPE, n456, n123x); \ ++ } \ ++ while (0) ++ ++static int ++do_test (void) ++{ ++ int result = 0; ++ RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG); ++ RUN_TESTS (double, strtod, nan, DBL_MANT_DIG); ++#ifndef NO_LONG_DOUBLE ++ RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG); ++#endif ++ return result; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +Index: git/stdlib/Versions +=================================================================== +--- git.orig/stdlib/Versions ++++ git/stdlib/Versions +@@ -118,5 +118,6 @@ libc { + # Used from other libraries + __libc_secure_getenv; + __call_tls_dtors; ++ __strtof_nan; __strtod_nan; __strtold_nan; + } + } diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch b/yocto-poky/meta/recipes-core/glibc/glibc/strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch new file mode 100644 index 000000000..8ce255f11 --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch @@ -0,0 +1,323 @@ +Upstream-Status: Backport + +Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> + +From https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6c84109cfa26f35c3dfed3acb97d347361bd5849 +Author: Carlos O'Donell <carlos@systemhalted.org> +Date: Thu Oct 8 16:34:53 2015 -0400 + + strcoll: Remove incorrect STRDIFF-based optimization (Bug 18589). + + The optimization introduced in commit + f13c2a8dff2329c6692a80176262ceaaf8a6f74e, causes regressions in + sorting for languages that have digraphs that change sort order, like + cs_CZ which sorts ch between h and i. + + My analysis shows the fast-forwarding optimization in STRCOLL advances + through a digraph while possibly stopping in the middle which results + in a subsequent skipping of the digraph and incorrect sorting. The + optimization is incorrect as implemented and because of that I'm + removing it for 2.23, and I will also commit this fix for 2.22 where + it was originally introduced. + + This patch reverts the optimization, introduces a new bug-strcoll2.c + regression test that tests both cs_CZ.UTF-8 and da_DK.ISO-8859-1 and + ensures they sort one digraph each correctly. The optimization can't be + applied without regressing this test. + + Checked on x86_64, bug-strcoll2.c fails without this patch and passes + after. This will also get a fix on 2.22 which has the same bug. + + (cherry picked from commit 87701a58e291bd7ac3b407d10a829dac52c9c16e) +--- + locale/C-collate.c | 4 +- + locale/categories.def | 1 - + locale/langinfo.h | 1 - + locale/localeinfo.h | 7 ---- + locale/programs/ld-collate.c | 9 ----- + string/bug-strcoll2.c | 95 ++++++++++++++++++++++++++++++++++++++++++++ + string/strcoll_l.c | 39 +----------------- + wcsmbs/wcscoll_l.c | 1 - + 8 files changed, 98 insertions(+), 59 deletions(-) + create mode 100644 string/bug-strcoll2.c + +diff --git a/locale/C-collate.c b/locale/C-collate.c +index d7f3c55..06dfdfa 100644 +--- a/locale/C-collate.c ++++ b/locale/C-collate.c +@@ -144,8 +144,6 @@ const struct __locale_data _nl_C_LC_COLLATE attribute_hidden = + /* _NL_COLLATE_COLLSEQWC */ + { .string = (const char *) collseqwc }, + /* _NL_COLLATE_CODESET */ +- { .string = _nl_C_codeset }, +- /* _NL_COLLATE_ENCODING_TYPE */ +- { .word = __cet_8bit } ++ { .string = _nl_C_codeset } + } + }; +diff --git a/locale/categories.def b/locale/categories.def +index 045489d..a8dda53 100644 +--- a/locale/categories.def ++++ b/locale/categories.def +@@ -58,7 +58,6 @@ DEFINE_CATEGORY + DEFINE_ELEMENT (_NL_COLLATE_COLLSEQMB, "collate-collseqmb", std, wstring) + DEFINE_ELEMENT (_NL_COLLATE_COLLSEQWC, "collate-collseqwc", std, wstring) + DEFINE_ELEMENT (_NL_COLLATE_CODESET, "collate-codeset", std, string) +- DEFINE_ELEMENT (_NL_COLLATE_ENCODING_TYPE, "collate-encoding-type", std, word) + ), NO_POSTLOAD) + + +diff --git a/locale/langinfo.h b/locale/langinfo.h +index ffc5c7f..a565d9d 100644 +--- a/locale/langinfo.h ++++ b/locale/langinfo.h +@@ -255,7 +255,6 @@ enum + _NL_COLLATE_COLLSEQMB, + _NL_COLLATE_COLLSEQWC, + _NL_COLLATE_CODESET, +- _NL_COLLATE_ENCODING_TYPE, + _NL_NUM_LC_COLLATE, + + /* LC_CTYPE category: character classification. +diff --git a/locale/localeinfo.h b/locale/localeinfo.h +index a7516c0..c076d8e 100644 +--- a/locale/localeinfo.h ++++ b/locale/localeinfo.h +@@ -110,13 +110,6 @@ enum coll_sort_rule + sort_mask + }; + +-/* Collation encoding type. */ +-enum collation_encoding_type +-{ +- __cet_other, +- __cet_8bit, +- __cet_utf8 +-}; + + /* We can map the types of the entries into a few categories. */ + enum value_type +diff --git a/locale/programs/ld-collate.c b/locale/programs/ld-collate.c +index 16e9039..3c88c6d 100644 +--- a/locale/programs/ld-collate.c ++++ b/locale/programs/ld-collate.c +@@ -32,7 +32,6 @@ + #include "linereader.h" + #include "locfile.h" + #include "elem-hash.h" +-#include "../localeinfo.h" + + /* Uncomment the following line in the production version. */ + /* #define NDEBUG 1 */ +@@ -2130,8 +2129,6 @@ collate_output (struct localedef_t *locale, const struct charmap_t *charmap, + /* The words have to be handled specially. */ + if (idx == _NL_ITEM_INDEX (_NL_COLLATE_SYMB_HASH_SIZEMB)) + add_locale_uint32 (&file, 0); +- else if (idx == _NL_ITEM_INDEX (_NL_COLLATE_ENCODING_TYPE)) +- add_locale_uint32 (&file, __cet_other); + else + add_locale_empty (&file); + } +@@ -2495,12 +2492,6 @@ collate_output (struct localedef_t *locale, const struct charmap_t *charmap, + add_locale_raw_data (&file, collate->mbseqorder, 256); + add_locale_collseq_table (&file, &collate->wcseqorder); + add_locale_string (&file, charmap->code_set_name); +- if (strcmp (charmap->code_set_name, "UTF-8") == 0) +- add_locale_uint32 (&file, __cet_utf8); +- else if (charmap->mb_cur_max == 1) +- add_locale_uint32 (&file, __cet_8bit); +- else +- add_locale_uint32 (&file, __cet_other); + write_locale_data (output_path, LC_COLLATE, "LC_COLLATE", &file); + + obstack_free (&weightpool, NULL); +diff --git a/string/bug-strcoll2.c b/string/bug-strcoll2.c +new file mode 100644 +index 0000000..950b090 +--- /dev/null ++++ b/string/bug-strcoll2.c +@@ -0,0 +1,95 @@ ++/* Bug 18589: sort-test.sh fails at random. ++ * Copyright (C) 1998-2015 Free Software Foundation, Inc. ++ * This file is part of the GNU C Library. ++ * Contributed by Ulrich Drepper <drepper@cygnus.com>, 1998. ++ * ++ * The GNU C Library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * The GNU C Library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with the GNU C Library; if not, see ++ * <http://www.gnu.org/licenses/>. */ ++ ++#include <stdio.h> ++#include <string.h> ++#include <locale.h> ++ ++/* An incorrect strcoll optimization resulted in incorrect ++ * results from strcoll for cs_CZ and da_DK. */ ++ ++int ++test_cs_CZ (void) ++{ ++ const char t1[] = "config"; ++ const char t2[] = "choose"; ++ if (setlocale (LC_ALL, "cs_CZ.UTF-8") == NULL) ++ { ++ perror ("setlocale"); ++ return 1; ++ } ++ /* In Czech the digraph ch sorts after c, therefore we expect ++ * config to sort before choose. */ ++ int a = strcoll (t1, t2); ++ int b = strcoll (t2, t1); ++ printf ("strcoll (\"%s\", \"%s\") = %d\n", t1, t2, a); ++ printf ("strcoll (\"%s\", \"%s\") = %d\n", t2, t1, b); ++ if (a < 0 && b > 0) ++ { ++ puts ("PASS: config < choose"); ++ return 0; ++ } ++ else ++ { ++ puts ("FAIL: Wrong sorting in cz_CZ.UTF-8."); ++ return 1; ++ } ++} ++ ++int ++test_da_DK (void) ++{ ++ const char t1[] = "AS"; ++ const char t2[] = "AA"; ++ if (setlocale (LC_ALL, "da_DK.ISO-8859-1") == NULL) ++ { ++ perror ("setlocale"); ++ return 1; ++ } ++ /* AA should be treated as the last letter of the Danish alphabet, ++ * hence sorting after AS. */ ++ int a = strcoll (t1, t2); ++ int b = strcoll (t2, t1); ++ printf ("strcoll (\"%s\", \"%s\") = %d\n", t1, t2, a); ++ printf ("strcoll (\"%s\", \"%s\") = %d\n", t2, t1, b); ++ if (a < 0 && b > 0) ++ { ++ puts ("PASS: AS < AA"); ++ return 0; ++ } ++ else ++ { ++ puts ("FAIL: Wrong sorting in da_DK.ISO-8859-1"); ++ return 1; ++ } ++} ++ ++static int ++do_test (void) ++{ ++ int err = 0; ++ err |= test_cs_CZ (); ++ err |= test_da_DK (); ++ return err; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" ++ ++ +diff --git a/string/strcoll_l.c b/string/strcoll_l.c +index b36b18c..a18b65e 100644 +--- a/string/strcoll_l.c ++++ b/string/strcoll_l.c +@@ -30,7 +30,6 @@ + # define STRING_TYPE char + # define USTRING_TYPE unsigned char + # define STRCOLL __strcoll_l +-# define STRDIFF __strdiff + # define STRCMP strcmp + # define WEIGHT_H "../locale/weight.h" + # define SUFFIX MB +@@ -43,19 +42,6 @@ + #include "../locale/localeinfo.h" + #include WEIGHT_H + +-#define MASK_UTF8_7BIT (1 << 7) +-#define MASK_UTF8_START (3 << 6) +- +-size_t +-STRDIFF (const STRING_TYPE *s, const STRING_TYPE *t) +-{ +- size_t n; +- +- for (n = 0; *s != '\0' && *s++ == *t++; ++n) +- continue; +- +- return n; +-} + + /* Track status while looking for sequences in a string. */ + typedef struct +@@ -274,29 +260,9 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) + const USTRING_TYPE *extra; + const int32_t *indirect; + +- /* In case there is no locale specific sort order (C / POSIX). */ + if (nrules == 0) + return STRCMP (s1, s2); + +- /* Fast forward to the position of the first difference. Needs to be +- encoding aware as the byte-by-byte comparison can stop in the middle +- of a char sequence for multibyte encodings like UTF-8. */ +- uint_fast32_t encoding = +- current->values[_NL_ITEM_INDEX (_NL_COLLATE_ENCODING_TYPE)].word; +- if (encoding != __cet_other) +- { +- size_t diff = STRDIFF (s1, s2); +- if (diff > 0) +- { +- if (encoding == __cet_utf8 && (*(s1 + diff) & MASK_UTF8_7BIT) != 0) +- do +- diff--; +- while (diff > 0 && (*(s1 + diff) & MASK_UTF8_START) != MASK_UTF8_START); +- s1 += diff; +- s2 += diff; +- } +- } +- + /* Catch empty strings. */ + if (__glibc_unlikely (*s1 == '\0') || __glibc_unlikely (*s2 == '\0')) + return (*s1 != '\0') - (*s2 != '\0'); +@@ -363,9 +329,8 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) + byte-level comparison to ensure that we don't waste time + going through multiple passes for totally equal strings + before proceeding to subsequent passes. */ +- if (pass == 0 && encoding == __cet_other && +- STRCMP (s1, s2) == 0) +- return result; ++ if (pass == 0 && STRCMP (s1, s2) == 0) ++ return result; + else + break; + } +diff --git a/wcsmbs/wcscoll_l.c b/wcsmbs/wcscoll_l.c +index 6d9384a..87f240d 100644 +--- a/wcsmbs/wcscoll_l.c ++++ b/wcsmbs/wcscoll_l.c +@@ -23,7 +23,6 @@ + #define STRING_TYPE wchar_t + #define USTRING_TYPE wint_t + #define STRCOLL __wcscoll_l +-#define STRDIFF __wcsdiff + #define STRCMP __wcscmp + #define WEIGHT_H "../locale/weightwc.h" + #define SUFFIX WC +-- +1.8.4.2 + diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/use_64bit_atomics.patch b/yocto-poky/meta/recipes-core/glibc/glibc/use_64bit_atomics.patch new file mode 100644 index 000000000..eb7f2b29b --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/use_64bit_atomics.patch @@ -0,0 +1,24 @@ +This patch alows using 64 bit atomic instructions on a +32 bit platform. This is safe, providing x86 is Pentium or +later (would not work on i386, i486). Using 64 bit atomic +instructions bypasses code containing a bug as documented in +https://bugzilla.yoctoproject.org/show_bug.cgi?id=8140 + +Upstream-Status: TBD + +Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> + + +Index: libc/sysdeps/i386/i486/bits/atomic.h +=================================================================== +--- libc.orig/sysdeps/i386/i486/bits/atomic.h ++++ libc/sysdeps/i386/i486/bits/atomic.h +@@ -54,7 +54,7 @@ typedef uintmax_t uatomic_max_t; + # endif + #endif + +-#define __HAVE_64B_ATOMICS 0 ++#define __HAVE_64B_ATOMICS 1 + #define USE_ATOMIC_COMPILER_BUILTINS 0 + + diff --git a/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb b/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb index 09f0428ea..a13b7f94b 100644 --- a/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb +++ b/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb @@ -9,11 +9,11 @@ DEPENDS += "gperf-native kconfig-frontends-native" SRCREV ?= "a34d1c6afc86521d6ad17662a3b5362d8481514c" -BRANCH ?= "release/${PV}/master" +SRCBRANCH ?= "release/${PV}/master" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" -SRC_URI = "${GLIBC_GIT_URI};branch=${BRANCH};name=glibc \ +SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0004-Backport-https-sourceware.org-ml-libc-ports-2007-12-.patch \ file://0005-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch \ file://0006-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \ @@ -39,6 +39,14 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${BRANCH};name=glibc \ file://0026-eglibc-dl_debug_mask-is-controlled-by-__OPTION_EGLIB.patch \ file://0027-eglibc-use-option-groups-Conditionally-exclude-c-tes.patch \ file://nscd-no-bash.patch \ + file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \ + file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \ + file://CVE-2015-8777.patch \ + file://CVE-2015-8779.patch \ + file://CVE-2015-9761_1.patch \ + file://CVE-2015-9761_2.patch \ + file://CVE-2015-8776.patch \ + file://CVE-2015-7547.patch \ " SRC_URI += "\ @@ -50,6 +58,7 @@ SRC_URI_append_class-nativesdk = "\ file://0001-nativesdk-glibc-Look-for-host-system-ld.so.cache-as-.patch \ file://0002-nativesdk-glibc-Fix-buffer-overrun-with-a-relocated-.patch \ file://0003-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch \ + file://use_64bit_atomics.patch \ " S = "${WORKDIR}/git" |