summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8776.patch155
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8777.patch123
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8779.patch262
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch1039
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch385
5 files changed, 0 insertions, 1964 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
deleted file mode 100644
index 684f344177..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
+++ /dev/null
@@ -1,155 +0,0 @@
1From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
2From: Paul Pluzhnikov <ppluzhnikov@google.com>
3Date: Sat, 26 Sep 2015 13:27:48 -0700
4Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
5 segfault
6
7Upstream-Status: Backport
8CVE: CVE-2015-8776
9[Yocto # 8980]
10
11https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
12
13Signed-off-by: Armin Kuster <akuster@mvista.com>
14
15---
16 ChangeLog | 8 ++++++++
17 NEWS | 2 +-
18 time/strftime_l.c | 20 +++++++++++++-------
19 time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
20 4 files changed, 73 insertions(+), 9 deletions(-)
21
22Index: git/ChangeLog
23===================================================================
24--- git.orig/ChangeLog
25+++ git/ChangeLog
26@@ -1,3 +1,11 @@
27+2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
28+
29+ [BZ #18985]
30+ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
31+ (__strftime_internal): Likewise.
32+ * time/tst-strftime.c (do_bz18985): New test.
33+ (do_test): Call it.
34+
35 2015-12-04 Joseph Myers <joseph@codesourcery.com>
36
37 [BZ #16961]
38Index: git/time/strftime_l.c
39===================================================================
40--- git.orig/time/strftime_l.c
41+++ git/time/strftime_l.c
42@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
43 only a few elements. Dereference the pointers only if the format
44 requires this. Then it is ok to fail if the pointers are invalid. */
45 # define a_wkday \
46- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
47+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
48+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
49 # define f_wkday \
50- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
51+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
52+ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
53 # define a_month \
54- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
55+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
56+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
57 # define f_month \
58- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
59+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
60+ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
61 # define ampm \
62 ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
63 ? NLW(PM_STR) : NLW(AM_STR)))
64@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
65 # define ap_len STRLEN (ampm)
66 #else
67 # if !HAVE_STRFTIME
68-# define f_wkday (weekday_name[tp->tm_wday])
69-# define f_month (month_name[tp->tm_mon])
70+# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
71+ ? "?" : weekday_name[tp->tm_wday])
72+# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
73+ ? "?" : month_name[tp->tm_mon])
74 # define a_wkday f_wkday
75 # define a_month f_month
76 # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
77@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
78 *tzset_called = true;
79 }
80 # endif
81- zone = tzname[tp->tm_isdst];
82+ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
83 }
84 #endif
85 if (! zone)
86Index: git/time/tst-strftime.c
87===================================================================
88--- git.orig/time/tst-strftime.c
89+++ git/time/tst-strftime.c
90@@ -4,6 +4,56 @@
91 #include <time.h>
92
93
94+static int
95+do_bz18985 (void)
96+{
97+ char buf[1000];
98+ struct tm ttm;
99+ int rc, ret = 0;
100+
101+ memset (&ttm, 1, sizeof (ttm));
102+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
103+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
104+
105+ if (rc == 66)
106+ {
107+ const char expected[]
108+ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
109+ if (0 != strcmp (buf, expected))
110+ {
111+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
112+ ret += 1;
113+ }
114+ }
115+ else
116+ {
117+ printf ("expected 66, got %d\n", rc);
118+ ret += 1;
119+ }
120+
121+ /* Check negative values as well. */
122+ memset (&ttm, 0xFF, sizeof (ttm));
123+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
124+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
125+
126+ if (rc == 30)
127+ {
128+ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
129+ if (0 != strcmp (buf, expected))
130+ {
131+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
132+ ret += 1;
133+ }
134+ }
135+ else
136+ {
137+ printf ("expected 30, got %d\n", rc);
138+ ret += 1;
139+ }
140+
141+ return ret;
142+}
143+
144 static struct
145 {
146 const char *fmt;
147@@ -104,7 +154,7 @@ do_test (void)
148 }
149 }
150
151- return result;
152+ return result + do_bz18985 ();
153 }
154
155 #define TEST_FUNCTION do_test ()
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
deleted file mode 100644
index eeab72d650..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+++ /dev/null
@@ -1,123 +0,0 @@
1From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
2From: Florian Weimer <fweimer@redhat.com>
3Date: Thu, 15 Oct 2015 09:23:07 +0200
4Subject: [PATCH] Always enable pointer guard [BZ #18928]
5
6Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
7has security implications. This commit enables pointer guard
8unconditionally, and the environment variable is now ignored.
9
10 [BZ #18928]
11 * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
12 _dl_pointer_guard member.
13 * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
14 initializer.
15 (security_init): Always set up pointer guard.
16 (process_envvars): Do not process LD_POINTER_GUARD.
17
18Upstream-Status: Backport
19CVE: CVE-2015-8777
20[Yocto # 8980]
21
22https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
23
24Signed-off-by: Armin Kuster <akuster@mvista.com>
25
26---
27 ChangeLog | 10 ++++++++++
28 NEWS | 13 ++++++++-----
29 elf/rtld.c | 15 ++++-----------
30 sysdeps/generic/ldsodefs.h | 3 ---
31 4 files changed, 22 insertions(+), 19 deletions(-)
32
33Index: git/ChangeLog
34===================================================================
35--- git.orig/ChangeLog
36+++ git/ChangeLog
37@@ -1,3 +1,14 @@
38+2015-10-15 Florian Weimer <fweimer@redhat.com>
39+
40+ [BZ #18928]
41+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
42+ _dl_pointer_guard member.
43+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
44+ initializer.
45+ (security_init): Always set up pointer guard.
46+ (process_envvars): Do not process LD_POINTER_GUARD.
47+
48+
49 2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com>
50
51 [BZ #18778]
52Index: git/NEWS
53===================================================================
54--- git.orig/NEWS
55+++ git/NEWS
56@@ -34,7 +34,10 @@ Version 2.22
57 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
58 18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
59 18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
60- 18657, 18676, 18694, 18696.
61+ 18657, 18676, 18694, 18696, 18928.
62+
63+* The LD_POINTER_GUARD environment variable can no longer be used to
64+ disable the pointer guard feature. It is always enabled.
65
66 * Cache information can be queried via sysconf() function on s390 e.g. with
67 _SC_LEVEL1_ICACHE_SIZE as argument.
68Index: git/elf/rtld.c
69===================================================================
70--- git.orig/elf/rtld.c
71+++ git/elf/rtld.c
72@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
73 ._dl_hwcap_mask = HWCAP_IMPORTANT,
74 ._dl_lazy = 1,
75 ._dl_fpu_control = _FPU_DEFAULT,
76- ._dl_pointer_guard = 1,
77 ._dl_pagesize = EXEC_PAGESIZE,
78 ._dl_inhibit_cache = 0,
79
80@@ -710,15 +709,12 @@ security_init (void)
81 #endif
82
83 /* Set up the pointer guard as well, if necessary. */
84- if (GLRO(dl_pointer_guard))
85- {
86- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
87- stack_chk_guard);
88+ uintptr_t pointer_chk_guard
89+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
90 #ifdef THREAD_SET_POINTER_GUARD
91- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
92+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
93 #endif
94- __pointer_chk_guard_local = pointer_chk_guard;
95- }
96+ __pointer_chk_guard_local = pointer_chk_guard;
97
98 /* We do not need the _dl_random value anymore. The less
99 information we leave behind, the better, so clear the
100@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
101 GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
102 break;
103 }
104-
105- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
106- GLRO(dl_pointer_guard) = envline[14] != '0';
107 break;
108
109 case 14:
110Index: git/sysdeps/generic/ldsodefs.h
111===================================================================
112--- git.orig/sysdeps/generic/ldsodefs.h
113+++ git/sysdeps/generic/ldsodefs.h
114@@ -600,9 +600,6 @@ struct rtld_global_ro
115 /* List of auditing interfaces. */
116 struct audit_ifaces *_dl_audit;
117 unsigned int _dl_naudit;
118-
119- /* 0 if internal pointer values should not be guarded, 1 if they should. */
120- EXTERN int _dl_pointer_guard;
121 };
122 # define __rtld_global_attribute__
123 # if IS_IN (rtld)
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
deleted file mode 100644
index 4dc93c769d..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
+++ /dev/null
@@ -1,262 +0,0 @@
1From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
2From: Paul Pluzhnikov <ppluzhnikov@google.com>
3Date: Sat, 8 Aug 2015 15:53:03 -0700
4Subject: [PATCH] Fix BZ #17905
5
6Upstream-Status: Backport
7CVE: CVE-2015-8779
8[Yocto # 8980]
9
10https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
11
12Signed-off-by: Armin Kuster <akuster@mvista.com>
13
14---
15 ChangeLog | 8 ++++++++
16 NEWS | 2 +-
17 catgets/Makefile | 9 ++++++++-
18 catgets/catgets.c | 19 ++++++++++++-------
19 catgets/open_catalog.c | 23 ++++++++++++++---------
20 catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++
21 6 files changed, 74 insertions(+), 18 deletions(-)
22
23Index: git/catgets/Makefile
24===================================================================
25--- git.orig/catgets/Makefile
26+++ git/catgets/Makefile
27@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
28 ifeq ($(run-built-tests),yes)
29 tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
30 $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
31+tests-special += $(objpfx)tst-catgets-mem.out
32 endif
33 endif
34 gencat-modules = xmalloc
35@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
36
37 generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
38 test-gencat.h
39+generated += tst-catgets.mtrace tst-catgets-mem.out
40+
41 generated-dirs += de
42
43-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
44+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
45
46 ifeq ($(run-built-tests),yes)
47 # This test just checks whether the program produces any error or not.
48@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
49 $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
50 $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
51 $(evaluate-test)
52+
53+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
54+ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
55+ $(evaluate-test)
56 endif
57Index: git/catgets/catgets.c
58===================================================================
59--- git.orig/catgets/catgets.c
60+++ git/catgets/catgets.c
61@@ -16,7 +16,6 @@
62 License along with the GNU C Library; if not, see
63 <http://www.gnu.org/licenses/>. */
64
65-#include <alloca.h>
66 #include <errno.h>
67 #include <locale.h>
68 #include <nl_types.h>
69@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
70 __nl_catd result;
71 const char *env_var = NULL;
72 const char *nlspath = NULL;
73+ char *tmp = NULL;
74
75 if (strchr (cat_name, '/') == NULL)
76 {
77@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
78 {
79 /* Append the system dependent directory. */
80 size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
81- char *tmp = alloca (len);
82+ tmp = malloc (len);
83+
84+ if (__glibc_unlikely (tmp == NULL))
85+ return (nl_catd) -1;
86
87 __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
88 nlspath = tmp;
89@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
90
91 result = (__nl_catd) malloc (sizeof (*result));
92 if (result == NULL)
93- /* We cannot get enough memory. */
94- return (nl_catd) -1;
95-
96- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
97+ {
98+ /* We cannot get enough memory. */
99+ result = (nl_catd) -1;
100+ }
101+ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
102 {
103 /* Couldn't open the file. */
104 free ((void *) result);
105- return (nl_catd) -1;
106+ result = (nl_catd) -1;
107 }
108
109+ free (tmp);
110 return (nl_catd) result;
111 }
112
113Index: git/catgets/open_catalog.c
114===================================================================
115--- git.orig/catgets/open_catalog.c
116+++ git/catgets/open_catalog.c
117@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
118 size_t tab_size;
119 const char *lastp;
120 int result = -1;
121+ char *buf = NULL;
122
123 if (strchr (cat_name, '/') != NULL || nlspath == NULL)
124 fd = open_not_cancel_2 (cat_name, O_RDONLY);
125@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
126 if (__glibc_unlikely (bufact + (n) >= bufmax)) \
127 { \
128 char *old_buf = buf; \
129- bufmax += 256 + (n); \
130- buf = (char *) alloca (bufmax); \
131- memcpy (buf, old_buf, bufact); \
132+ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
133+ buf = realloc (buf, bufmax); \
134+ if (__glibc_unlikely (buf == NULL)) \
135+ { \
136+ free (old_buf); \
137+ return -1; \
138+ } \
139 }
140
141 /* The RUN_NLSPATH variable contains a colon separated list of
142 descriptions where we expect to find catalogs. We have to
143 recognize certain % substitutions and stop when we found the
144 first existing file. */
145- char *buf;
146 size_t bufact;
147- size_t bufmax;
148+ size_t bufmax = 0;
149 size_t len;
150
151- buf = NULL;
152- bufmax = 0;
153-
154 fd = -1;
155 while (*run_nlspath != '\0')
156 {
157@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
158
159 /* Avoid dealing with directories and block devices */
160 if (__builtin_expect (fd, 0) < 0)
161- return -1;
162+ {
163+ free (buf);
164+ return -1;
165+ }
166
167 if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
168 goto close_unlock_return;
169@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
170 /* Release the lock again. */
171 close_unlock_return:
172 close_not_cancel_no_status (fd);
173+ free (buf);
174
175 return result;
176 }
177Index: git/catgets/tst-catgets.c
178===================================================================
179--- git.orig/catgets/tst-catgets.c
180+++ git/catgets/tst-catgets.c
181@@ -1,7 +1,10 @@
182+#include <assert.h>
183 #include <mcheck.h>
184 #include <nl_types.h>
185 #include <stdio.h>
186+#include <stdlib.h>
187 #include <string.h>
188+#include <sys/resource.h>
189
190
191 static const char *msgs[] =
192@@ -12,6 +15,33 @@ static const char *msgs[] =
193 };
194 #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
195
196+
197+/* Test for unbounded alloca. */
198+static int
199+do_bz17905 (void)
200+{
201+ char *buf;
202+ struct rlimit rl;
203+ nl_catd result;
204+
205+ const int sz = 1024 * 1024;
206+
207+ getrlimit (RLIMIT_STACK, &rl);
208+ rl.rlim_cur = sz;
209+ setrlimit (RLIMIT_STACK, &rl);
210+
211+ buf = malloc (sz + 1);
212+ memset (buf, 'A', sz);
213+ buf[sz] = '\0';
214+ setenv ("NLSPATH", buf, 1);
215+
216+ result = catopen (buf, NL_CAT_LOCALE);
217+ assert (result == (nl_catd) -1);
218+
219+ free (buf);
220+ return 0;
221+}
222+
223 #define ROUNDS 5
224
225 static int
226@@ -62,6 +92,7 @@ do_test (void)
227 }
228 }
229
230+ result += do_bz17905 ();
231 return result;
232 }
233
234Index: git/ChangeLog
235===================================================================
236--- git.orig/ChangeLog
237+++ git/ChangeLog
238@@ -1,3 +1,11 @@
239+2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
240+
241+ [BZ #17905]
242+ * catgets/Makefile (tst-catgets-mem): New test.
243+ * catgets/catgets.c (catopen): Don't use unbounded alloca.
244+ * catgets/open_catalog.c (__open_catalog): Likewise.
245+ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
246+
247 2015-10-15 Florian Weimer <fweimer@redhat.com>
248
249 [BZ #18928]
250Index: git/NEWS
251===================================================================
252--- git.orig/NEWS
253+++ git/NEWS
254@@ -9,7 +9,7 @@ Version 2.22.1
255
256 * The following bugs are resolved with this release:
257
258- 18778, 18781, 18787.
259+ 18778, 18781, 18787, 17905.
260
261 Version 2.22
262
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch b/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
deleted file mode 100644
index 3aca913317..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
+++ /dev/null
@@ -1,1039 +0,0 @@
1From e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 Mon Sep 17 00:00:00 2001
2From: Joseph Myers <joseph@codesourcery.com>
3Date: Tue, 24 Nov 2015 22:24:52 +0000
4Subject: [PATCH] Refactor strtod parsing of NaN payloads.
5
6The nan* functions handle their string argument by constructing a
7NAN(...) string on the stack as a VLA and passing it to strtod
8functions.
9
10This approach has problems discussed in bug 16961 and bug 16962: the
11stack usage is unbounded, and it gives incorrect results in certain
12cases where the argument is not a valid n-char-sequence.
13
14The natural fix for both issues is to refactor the NaN payload parsing
15out of strtod into a separate function that the nan* functions can
16call directly, so that no temporary string needs constructing on the
17stack at all. This patch does that refactoring in preparation for
18fixing those bugs (but without actually using the new functions from
19nan* - which will also require exporting them from libc at version
20GLIBC_PRIVATE). This patch is not intended to change any user-visible
21behavior, so no tests are added (fixes for the above bugs will of
22course add tests for them).
23
24This patch builds on my recent fixes for strtol and strtod issues in
25Turkish locales. Given those fixes, the parsing of NaN payloads is
26locale-independent; thus, the new functions do not need to take a
27locale_t argument.
28
29Tested for x86_64, x86, mips64 and powerpc.
30
31 * stdlib/strtod_nan.c: New file.
32 * stdlib/strtod_nan_double.h: Likewise.
33 * stdlib/strtod_nan_float.h: Likewise.
34 * stdlib/strtod_nan_main.c: Likewise.
35 * stdlib/strtod_nan_narrow.h: Likewise.
36 * stdlib/strtod_nan_wide.h: Likewise.
37 * stdlib/strtof_nan.c: Likewise.
38 * stdlib/strtold_nan.c: Likewise.
39 * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
40 * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
41 * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
42 * wcsmbs/wcstod_nan.c: Likewise.
43 * wcsmbs/wcstof_nan.c: Likewise.
44 * wcsmbs/wcstold_nan.c: Likewise.
45 * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
46 strtold_nan.
47 * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
48 wcstof_nan.
49 * include/stdlib.h (__strtof_nan): Declare and use
50 libc_hidden_proto.
51 (__strtod_nan): Likewise.
52 (__strtold_nan): Likewise.
53 (__wcstof_nan): Likewise.
54 (__wcstod_nan): Likewise.
55 (__wcstold_nan): Likewise.
56 * include/wchar.h (____wcstoull_l_internal): Declare.
57 * stdlib/strtod_l.c: Do not include <ieee754.h>.
58 (____strtoull_l_internal): Remove declaration.
59 (STRTOF_NAN): Define macro.
60 (SET_MANTISSA): Remove macro.
61 (STRTOULL): Likewise.
62 (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
63 * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
64 (STRTOF_NAN): Define macro.
65 (SET_MANTISSA): Remove macro.
66 * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
67 (SET_MANTISSA): Remove macro.
68 * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
69 macro.
70 (SET_MANTISSA): Remove macro.
71 * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
72 macro.
73 (SET_MANTISSA): Remove macro.
74 * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
75 (SET_MANTISSA): Remove macro.
76 * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
77 * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
78 * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
79
80Upstream-Status: Backport
81CVE: CVE-2015-9761 patch #1
82[Yocto # 8980]
83
84https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
85
86Signed-off-by: Armin Kuster <akuster@mvista.com>
87
88---
89 ChangeLog | 49 ++++++++++++++++++
90 include/stdlib.h | 18 +++++++
91 include/wchar.h | 3 ++
92 stdlib/Makefile | 1 +
93 stdlib/strtod_l.c | 48 ++++--------------
94 stdlib/strtod_nan.c | 24 +++++++++
95 stdlib/strtod_nan_double.h | 30 +++++++++++
96 stdlib/strtod_nan_float.h | 29 +++++++++++
97 stdlib/strtod_nan_main.c | 63 ++++++++++++++++++++++++
98 stdlib/strtod_nan_narrow.h | 22 +++++++++
99 stdlib/strtod_nan_wide.h | 22 +++++++++
100 stdlib/strtof_l.c | 11 +----
101 stdlib/strtof_nan.c | 24 +++++++++
102 stdlib/strtold_nan.c | 30 +++++++++++
103 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h | 33 +++++++++++++
104 sysdeps/ieee754/ldbl-128/strtold_l.c | 13 +----
105 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h | 30 +++++++++++
106 sysdeps/ieee754/ldbl-128ibm/strtold_l.c | 10 +---
107 sysdeps/ieee754/ldbl-64-128/strtold_l.c | 13 +----
108 sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h | 30 +++++++++++
109 sysdeps/ieee754/ldbl-96/strtold_l.c | 10 +---
110 wcsmbs/Makefile | 1 +
111 wcsmbs/wcstod_l.c | 3 --
112 wcsmbs/wcstod_nan.c | 23 +++++++++
113 wcsmbs/wcstof_l.c | 3 --
114 wcsmbs/wcstof_nan.c | 23 +++++++++
115 wcsmbs/wcstold_l.c | 3 --
116 wcsmbs/wcstold_nan.c | 30 +++++++++++
117 28 files changed, 504 insertions(+), 95 deletions(-)
118 create mode 100644 stdlib/strtod_nan.c
119 create mode 100644 stdlib/strtod_nan_double.h
120 create mode 100644 stdlib/strtod_nan_float.h
121 create mode 100644 stdlib/strtod_nan_main.c
122 create mode 100644 stdlib/strtod_nan_narrow.h
123 create mode 100644 stdlib/strtod_nan_wide.h
124 create mode 100644 stdlib/strtof_nan.c
125 create mode 100644 stdlib/strtold_nan.c
126 create mode 100644 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
127 create mode 100644 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
128 create mode 100644 sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
129 create mode 100644 wcsmbs/wcstod_nan.c
130 create mode 100644 wcsmbs/wcstof_nan.c
131 create mode 100644 wcsmbs/wcstold_nan.c
132
133Index: git/include/stdlib.h
134===================================================================
135--- git.orig/include/stdlib.h
136+++ git/include/stdlib.h
137@@ -203,6 +203,24 @@ libc_hidden_proto (strtoll)
138 libc_hidden_proto (strtoul)
139 libc_hidden_proto (strtoull)
140
141+extern float __strtof_nan (const char *, char **, char) internal_function;
142+extern double __strtod_nan (const char *, char **, char) internal_function;
143+extern long double __strtold_nan (const char *, char **, char)
144+ internal_function;
145+extern float __wcstof_nan (const wchar_t *, wchar_t **, wchar_t)
146+ internal_function;
147+extern double __wcstod_nan (const wchar_t *, wchar_t **, wchar_t)
148+ internal_function;
149+extern long double __wcstold_nan (const wchar_t *, wchar_t **, wchar_t)
150+ internal_function;
151+
152+libc_hidden_proto (__strtof_nan)
153+libc_hidden_proto (__strtod_nan)
154+libc_hidden_proto (__strtold_nan)
155+libc_hidden_proto (__wcstof_nan)
156+libc_hidden_proto (__wcstod_nan)
157+libc_hidden_proto (__wcstold_nan)
158+
159 extern char *__ecvt (double __value, int __ndigit, int *__restrict __decpt,
160 int *__restrict __sign);
161 extern char *__fcvt (double __value, int __ndigit, int *__restrict __decpt,
162Index: git/include/wchar.h
163===================================================================
164--- git.orig/include/wchar.h
165+++ git/include/wchar.h
166@@ -52,6 +52,9 @@ extern unsigned long long int __wcstoull
167 __restrict __endptr,
168 int __base,
169 int __group) __THROW;
170+extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
171+ wchar_t **, int, int,
172+ __locale_t);
173 libc_hidden_proto (__wcstof_internal)
174 libc_hidden_proto (__wcstod_internal)
175 libc_hidden_proto (__wcstold_internal)
176Index: git/stdlib/Makefile
177===================================================================
178--- git.orig/stdlib/Makefile
179+++ git/stdlib/Makefile
180@@ -51,6 +51,7 @@ routines-y := \
181 strtol_l strtoul_l strtoll_l strtoull_l \
182 strtof strtod strtold \
183 strtof_l strtod_l strtold_l \
184+ strtof_nan strtod_nan strtold_nan \
185 system canonicalize \
186 a64l l64a \
187 getsubopt xpg_basename \
188Index: git/stdlib/strtod_l.c
189===================================================================
190--- git.orig/stdlib/strtod_l.c
191+++ git/stdlib/strtod_l.c
192@@ -21,8 +21,6 @@
193 #include <xlocale.h>
194
195 extern double ____strtod_l_internal (const char *, char **, int, __locale_t);
196-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
197- int, int, __locale_t);
198
199 /* Configuration part. These macros are defined by `strtold.c',
200 `strtof.c', `wcstod.c', `wcstold.c', and `wcstof.c' to produce the
201@@ -34,27 +32,20 @@ extern unsigned long long int ____strtou
202 # ifdef USE_WIDE_CHAR
203 # define STRTOF wcstod_l
204 # define __STRTOF __wcstod_l
205+# define STRTOF_NAN __wcstod_nan
206 # else
207 # define STRTOF strtod_l
208 # define __STRTOF __strtod_l
209+# define STRTOF_NAN __strtod_nan
210 # endif
211 # define MPN2FLOAT __mpn_construct_double
212 # define FLOAT_HUGE_VAL HUGE_VAL
213-# define SET_MANTISSA(flt, mant) \
214- do { union ieee754_double u; \
215- u.d = (flt); \
216- u.ieee_nan.mantissa0 = (mant) >> 32; \
217- u.ieee_nan.mantissa1 = (mant); \
218- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
219- (flt) = u.d; \
220- } while (0)
221 #endif
222 /* End of configuration part. */
223
224 #include <ctype.h>
225 #include <errno.h>
226 #include <float.h>
227-#include <ieee754.h>
228 #include "../locale/localeinfo.h"
229 #include <locale.h>
230 #include <math.h>
231@@ -105,7 +96,6 @@ extern unsigned long long int ____strtou
232 # define TOLOWER_C(Ch) __towlower_l ((Ch), _nl_C_locobj_ptr)
233 # define STRNCASECMP(S1, S2, N) \
234 __wcsncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
235-# define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, loc)
236 #else
237 # define STRING_TYPE char
238 # define CHAR_TYPE char
239@@ -117,7 +107,6 @@ extern unsigned long long int ____strtou
240 # define TOLOWER_C(Ch) __tolower_l ((Ch), _nl_C_locobj_ptr)
241 # define STRNCASECMP(S1, S2, N) \
242 __strncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
243-# define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, loc)
244 #endif
245
246
247@@ -668,33 +657,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group
248 if (*cp == L_('('))
249 {
250 const STRING_TYPE *startp = cp;
251- do
252- ++cp;
253- while ((*cp >= L_('0') && *cp <= L_('9'))
254- || ({ CHAR_TYPE lo = TOLOWER (*cp);
255- lo >= L_('a') && lo <= L_('z'); })
256- || *cp == L_('_'));
257-
258- if (*cp != L_(')'))
259- /* The closing brace is missing. Only match the NAN
260- part. */
261- cp = startp;
262+ STRING_TYPE *endp;
263+ retval = STRTOF_NAN (cp + 1, &endp, L_(')'));
264+ if (*endp == L_(')'))
265+ /* Consume the closing parenthesis. */
266+ cp = endp + 1;
267 else
268- {
269- /* This is a system-dependent way to specify the
270- bitmask used for the NaN. We expect it to be
271- a number which is put in the mantissa of the
272- number. */
273- STRING_TYPE *endp;
274- unsigned long long int mant;
275-
276- mant = STRTOULL (startp + 1, &endp, 0);
277- if (endp == cp)
278- SET_MANTISSA (retval, mant);
279-
280- /* Consume the closing brace. */
281- ++cp;
282- }
283+ /* Only match the NAN part. */
284+ cp = startp;
285 }
286
287 if (endptr != NULL)
288Index: git/stdlib/strtod_nan.c
289===================================================================
290--- /dev/null
291+++ git/stdlib/strtod_nan.c
292@@ -0,0 +1,24 @@
293+/* Convert string for NaN payload to corresponding NaN. Narrow
294+ strings, double.
295+ Copyright (C) 2015 Free Software Foundation, Inc.
296+ This file is part of the GNU C Library.
297+
298+ The GNU C Library is free software; you can redistribute it and/or
299+ modify it under the terms of the GNU Lesser General Public
300+ License as published by the Free Software Foundation; either
301+ version 2.1 of the License, or (at your option) any later version.
302+
303+ The GNU C Library is distributed in the hope that it will be useful,
304+ but WITHOUT ANY WARRANTY; without even the implied warranty of
305+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
306+ Lesser General Public License for more details.
307+
308+ You should have received a copy of the GNU Lesser General Public
309+ License along with the GNU C Library; if not, see
310+ <http://www.gnu.org/licenses/>. */
311+
312+#include <strtod_nan_narrow.h>
313+#include <strtod_nan_double.h>
314+
315+#define STRTOD_NAN __strtod_nan
316+#include <strtod_nan_main.c>
317Index: git/stdlib/strtod_nan_double.h
318===================================================================
319--- /dev/null
320+++ git/stdlib/strtod_nan_double.h
321@@ -0,0 +1,30 @@
322+/* Convert string for NaN payload to corresponding NaN. For double.
323+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
324+ This file is part of the GNU C Library.
325+
326+ The GNU C Library is free software; you can redistribute it and/or
327+ modify it under the terms of the GNU Lesser General Public
328+ License as published by the Free Software Foundation; either
329+ version 2.1 of the License, or (at your option) any later version.
330+
331+ The GNU C Library is distributed in the hope that it will be useful,
332+ but WITHOUT ANY WARRANTY; without even the implied warranty of
333+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
334+ Lesser General Public License for more details.
335+
336+ You should have received a copy of the GNU Lesser General Public
337+ License along with the GNU C Library; if not, see
338+ <http://www.gnu.org/licenses/>. */
339+
340+#define FLOAT double
341+#define SET_MANTISSA(flt, mant) \
342+ do \
343+ { \
344+ union ieee754_double u; \
345+ u.d = (flt); \
346+ u.ieee_nan.mantissa0 = (mant) >> 32; \
347+ u.ieee_nan.mantissa1 = (mant); \
348+ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
349+ (flt) = u.d; \
350+ } \
351+ while (0)
352Index: git/stdlib/strtod_nan_float.h
353===================================================================
354--- /dev/null
355+++ git/stdlib/strtod_nan_float.h
356@@ -0,0 +1,29 @@
357+/* Convert string for NaN payload to corresponding NaN. For float.
358+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
359+ This file is part of the GNU C Library.
360+
361+ The GNU C Library is free software; you can redistribute it and/or
362+ modify it under the terms of the GNU Lesser General Public
363+ License as published by the Free Software Foundation; either
364+ version 2.1 of the License, or (at your option) any later version.
365+
366+ The GNU C Library is distributed in the hope that it will be useful,
367+ but WITHOUT ANY WARRANTY; without even the implied warranty of
368+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
369+ Lesser General Public License for more details.
370+
371+ You should have received a copy of the GNU Lesser General Public
372+ License along with the GNU C Library; if not, see
373+ <http://www.gnu.org/licenses/>. */
374+
375+#define FLOAT float
376+#define SET_MANTISSA(flt, mant) \
377+ do \
378+ { \
379+ union ieee754_float u; \
380+ u.f = (flt); \
381+ u.ieee_nan.mantissa = (mant); \
382+ if (u.ieee.mantissa != 0) \
383+ (flt) = u.f; \
384+ } \
385+ while (0)
386Index: git/stdlib/strtod_nan_main.c
387===================================================================
388--- /dev/null
389+++ git/stdlib/strtod_nan_main.c
390@@ -0,0 +1,63 @@
391+/* Convert string for NaN payload to corresponding NaN.
392+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
393+ This file is part of the GNU C Library.
394+
395+ The GNU C Library is free software; you can redistribute it and/or
396+ modify it under the terms of the GNU Lesser General Public
397+ License as published by the Free Software Foundation; either
398+ version 2.1 of the License, or (at your option) any later version.
399+
400+ The GNU C Library is distributed in the hope that it will be useful,
401+ but WITHOUT ANY WARRANTY; without even the implied warranty of
402+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
403+ Lesser General Public License for more details.
404+
405+ You should have received a copy of the GNU Lesser General Public
406+ License along with the GNU C Library; if not, see
407+ <http://www.gnu.org/licenses/>. */
408+
409+#include <ieee754.h>
410+#include <locale.h>
411+#include <math.h>
412+#include <stdlib.h>
413+#include <wchar.h>
414+
415+
416+/* If STR starts with an optional n-char-sequence as defined by ISO C
417+ (a sequence of ASCII letters, digits and underscores), followed by
418+ ENDC, return a NaN whose payload is set based on STR. Otherwise,
419+ return a default NAN. If ENDPTR is not NULL, set *ENDPTR to point
420+ to the character after the initial n-char-sequence. */
421+
422+internal_function
423+FLOAT
424+STRTOD_NAN (const STRING_TYPE *str, STRING_TYPE **endptr, STRING_TYPE endc)
425+{
426+ const STRING_TYPE *cp = str;
427+
428+ while ((*cp >= L_('0') && *cp <= L_('9'))
429+ || (*cp >= L_('A') && *cp <= L_('Z'))
430+ || (*cp >= L_('a') && *cp <= L_('z'))
431+ || *cp == L_('_'))
432+ ++cp;
433+
434+ FLOAT retval = NAN;
435+ if (*cp != endc)
436+ goto out;
437+
438+ /* This is a system-dependent way to specify the bitmask used for
439+ the NaN. We expect it to be a number which is put in the
440+ mantissa of the number. */
441+ STRING_TYPE *endp;
442+ unsigned long long int mant;
443+
444+ mant = STRTOULL (str, &endp, 0);
445+ if (endp == cp)
446+ SET_MANTISSA (retval, mant);
447+
448+ out:
449+ if (endptr != NULL)
450+ *endptr = (STRING_TYPE *) cp;
451+ return retval;
452+}
453+libc_hidden_def (STRTOD_NAN)
454Index: git/stdlib/strtod_nan_narrow.h
455===================================================================
456--- /dev/null
457+++ git/stdlib/strtod_nan_narrow.h
458@@ -0,0 +1,22 @@
459+/* Convert string for NaN payload to corresponding NaN. Narrow strings.
460+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
461+ This file is part of the GNU C Library.
462+
463+ The GNU C Library is free software; you can redistribute it and/or
464+ modify it under the terms of the GNU Lesser General Public
465+ License as published by the Free Software Foundation; either
466+ version 2.1 of the License, or (at your option) any later version.
467+
468+ The GNU C Library is distributed in the hope that it will be useful,
469+ but WITHOUT ANY WARRANTY; without even the implied warranty of
470+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
471+ Lesser General Public License for more details.
472+
473+ You should have received a copy of the GNU Lesser General Public
474+ License along with the GNU C Library; if not, see
475+ <http://www.gnu.org/licenses/>. */
476+
477+#define STRING_TYPE char
478+#define L_(Ch) Ch
479+#define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, \
480+ _nl_C_locobj_ptr)
481Index: git/stdlib/strtod_nan_wide.h
482===================================================================
483--- /dev/null
484+++ git/stdlib/strtod_nan_wide.h
485@@ -0,0 +1,22 @@
486+/* Convert string for NaN payload to corresponding NaN. Wide strings.
487+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
488+ This file is part of the GNU C Library.
489+
490+ The GNU C Library is free software; you can redistribute it and/or
491+ modify it under the terms of the GNU Lesser General Public
492+ License as published by the Free Software Foundation; either
493+ version 2.1 of the License, or (at your option) any later version.
494+
495+ The GNU C Library is distributed in the hope that it will be useful,
496+ but WITHOUT ANY WARRANTY; without even the implied warranty of
497+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
498+ Lesser General Public License for more details.
499+
500+ You should have received a copy of the GNU Lesser General Public
501+ License along with the GNU C Library; if not, see
502+ <http://www.gnu.org/licenses/>. */
503+
504+#define STRING_TYPE wchar_t
505+#define L_(Ch) L##Ch
506+#define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, \
507+ _nl_C_locobj_ptr)
508Index: git/stdlib/strtof_l.c
509===================================================================
510--- git.orig/stdlib/strtof_l.c
511+++ git/stdlib/strtof_l.c
512@@ -20,26 +20,19 @@
513 #include <xlocale.h>
514
515 extern float ____strtof_l_internal (const char *, char **, int, __locale_t);
516-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
517- int, int, __locale_t);
518
519 #define FLOAT float
520 #define FLT FLT
521 #ifdef USE_WIDE_CHAR
522 # define STRTOF wcstof_l
523 # define __STRTOF __wcstof_l
524+# define STRTOF_NAN __wcstof_nan
525 #else
526 # define STRTOF strtof_l
527 # define __STRTOF __strtof_l
528+# define STRTOF_NAN __strtof_nan
529 #endif
530 #define MPN2FLOAT __mpn_construct_float
531 #define FLOAT_HUGE_VAL HUGE_VALF
532-#define SET_MANTISSA(flt, mant) \
533- do { union ieee754_float u; \
534- u.f = (flt); \
535- u.ieee_nan.mantissa = (mant); \
536- if (u.ieee.mantissa != 0) \
537- (flt) = u.f; \
538- } while (0)
539
540 #include "strtod_l.c"
541Index: git/stdlib/strtof_nan.c
542===================================================================
543--- /dev/null
544+++ git/stdlib/strtof_nan.c
545@@ -0,0 +1,24 @@
546+/* Convert string for NaN payload to corresponding NaN. Narrow
547+ strings, float.
548+ Copyright (C) 2015 Free Software Foundation, Inc.
549+ This file is part of the GNU C Library.
550+
551+ The GNU C Library is free software; you can redistribute it and/or
552+ modify it under the terms of the GNU Lesser General Public
553+ License as published by the Free Software Foundation; either
554+ version 2.1 of the License, or (at your option) any later version.
555+
556+ The GNU C Library is distributed in the hope that it will be useful,
557+ but WITHOUT ANY WARRANTY; without even the implied warranty of
558+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
559+ Lesser General Public License for more details.
560+
561+ You should have received a copy of the GNU Lesser General Public
562+ License along with the GNU C Library; if not, see
563+ <http://www.gnu.org/licenses/>. */
564+
565+#include <strtod_nan_narrow.h>
566+#include <strtod_nan_float.h>
567+
568+#define STRTOD_NAN __strtof_nan
569+#include <strtod_nan_main.c>
570Index: git/stdlib/strtold_nan.c
571===================================================================
572--- /dev/null
573+++ git/stdlib/strtold_nan.c
574@@ -0,0 +1,30 @@
575+/* Convert string for NaN payload to corresponding NaN. Narrow
576+ strings, long double.
577+ Copyright (C) 2015 Free Software Foundation, Inc.
578+ This file is part of the GNU C Library.
579+
580+ The GNU C Library is free software; you can redistribute it and/or
581+ modify it under the terms of the GNU Lesser General Public
582+ License as published by the Free Software Foundation; either
583+ version 2.1 of the License, or (at your option) any later version.
584+
585+ The GNU C Library is distributed in the hope that it will be useful,
586+ but WITHOUT ANY WARRANTY; without even the implied warranty of
587+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
588+ Lesser General Public License for more details.
589+
590+ You should have received a copy of the GNU Lesser General Public
591+ License along with the GNU C Library; if not, see
592+ <http://www.gnu.org/licenses/>. */
593+
594+#include <math.h>
595+
596+/* This function is unused if long double and double have the same
597+ representation. */
598+#ifndef __NO_LONG_DOUBLE_MATH
599+# include <strtod_nan_narrow.h>
600+# include <strtod_nan_ldouble.h>
601+
602+# define STRTOD_NAN __strtold_nan
603+# include <strtod_nan_main.c>
604+#endif
605Index: git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
606===================================================================
607--- /dev/null
608+++ git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
609@@ -0,0 +1,33 @@
610+/* Convert string for NaN payload to corresponding NaN. For ldbl-128.
611+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
612+ This file is part of the GNU C Library.
613+
614+ The GNU C Library is free software; you can redistribute it and/or
615+ modify it under the terms of the GNU Lesser General Public
616+ License as published by the Free Software Foundation; either
617+ version 2.1 of the License, or (at your option) any later version.
618+
619+ The GNU C Library is distributed in the hope that it will be useful,
620+ but WITHOUT ANY WARRANTY; without even the implied warranty of
621+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
622+ Lesser General Public License for more details.
623+
624+ You should have received a copy of the GNU Lesser General Public
625+ License along with the GNU C Library; if not, see
626+ <http://www.gnu.org/licenses/>. */
627+
628+#define FLOAT long double
629+#define SET_MANTISSA(flt, mant) \
630+ do \
631+ { \
632+ union ieee854_long_double u; \
633+ u.d = (flt); \
634+ u.ieee_nan.mantissa0 = 0; \
635+ u.ieee_nan.mantissa1 = 0; \
636+ u.ieee_nan.mantissa2 = (mant) >> 32; \
637+ u.ieee_nan.mantissa3 = (mant); \
638+ if ((u.ieee.mantissa0 | u.ieee.mantissa1 \
639+ | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \
640+ (flt) = u.d; \
641+ } \
642+ while (0)
643Index: git/sysdeps/ieee754/ldbl-128/strtold_l.c
644===================================================================
645--- git.orig/sysdeps/ieee754/ldbl-128/strtold_l.c
646+++ git/sysdeps/ieee754/ldbl-128/strtold_l.c
647@@ -25,22 +25,13 @@
648 #ifdef USE_WIDE_CHAR
649 # define STRTOF wcstold_l
650 # define __STRTOF __wcstold_l
651+# define STRTOF_NAN __wcstold_nan
652 #else
653 # define STRTOF strtold_l
654 # define __STRTOF __strtold_l
655+# define STRTOF_NAN __strtold_nan
656 #endif
657 #define MPN2FLOAT __mpn_construct_long_double
658 #define FLOAT_HUGE_VAL HUGE_VALL
659-#define SET_MANTISSA(flt, mant) \
660- do { union ieee854_long_double u; \
661- u.d = (flt); \
662- u.ieee_nan.mantissa0 = 0; \
663- u.ieee_nan.mantissa1 = 0; \
664- u.ieee_nan.mantissa2 = (mant) >> 32; \
665- u.ieee_nan.mantissa3 = (mant); \
666- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \
667- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \
668- (flt) = u.d; \
669- } while (0)
670
671 #include <strtod_l.c>
672Index: git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
673===================================================================
674--- /dev/null
675+++ git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
676@@ -0,0 +1,30 @@
677+/* Convert string for NaN payload to corresponding NaN. For ldbl-128ibm.
678+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
679+ This file is part of the GNU C Library.
680+
681+ The GNU C Library is free software; you can redistribute it and/or
682+ modify it under the terms of the GNU Lesser General Public
683+ License as published by the Free Software Foundation; either
684+ version 2.1 of the License, or (at your option) any later version.
685+
686+ The GNU C Library is distributed in the hope that it will be useful,
687+ but WITHOUT ANY WARRANTY; without even the implied warranty of
688+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
689+ Lesser General Public License for more details.
690+
691+ You should have received a copy of the GNU Lesser General Public
692+ License along with the GNU C Library; if not, see
693+ <http://www.gnu.org/licenses/>. */
694+
695+#define FLOAT long double
696+#define SET_MANTISSA(flt, mant) \
697+ do \
698+ { \
699+ union ibm_extended_long_double u; \
700+ u.ld = (flt); \
701+ u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \
702+ u.d[0].ieee_nan.mantissa1 = (mant); \
703+ if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \
704+ (flt) = u.ld; \
705+ } \
706+ while (0)
707Index: git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
708===================================================================
709--- git.orig/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
710+++ git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
711@@ -30,25 +30,19 @@ extern long double ____new_wcstold_l (co
712 # define STRTOF __new_wcstold_l
713 # define __STRTOF ____new_wcstold_l
714 # define ____STRTOF_INTERNAL ____wcstold_l_internal
715+# define STRTOF_NAN __wcstold_nan
716 #else
717 extern long double ____new_strtold_l (const char *, char **, __locale_t);
718 # define STRTOF __new_strtold_l
719 # define __STRTOF ____new_strtold_l
720 # define ____STRTOF_INTERNAL ____strtold_l_internal
721+# define STRTOF_NAN __strtold_nan
722 #endif
723 extern __typeof (__STRTOF) STRTOF;
724 libc_hidden_proto (__STRTOF)
725 libc_hidden_proto (STRTOF)
726 #define MPN2FLOAT __mpn_construct_long_double
727 #define FLOAT_HUGE_VAL HUGE_VALL
728-# define SET_MANTISSA(flt, mant) \
729- do { union ibm_extended_long_double u; \
730- u.ld = (flt); \
731- u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \
732- u.d[0].ieee_nan.mantissa1 = (mant); \
733- if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \
734- (flt) = u.ld; \
735- } while (0)
736
737 #include <strtod_l.c>
738
739Index: git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
740===================================================================
741--- git.orig/sysdeps/ieee754/ldbl-64-128/strtold_l.c
742+++ git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
743@@ -30,28 +30,19 @@ extern long double ____new_wcstold_l (co
744 # define STRTOF __new_wcstold_l
745 # define __STRTOF ____new_wcstold_l
746 # define ____STRTOF_INTERNAL ____wcstold_l_internal
747+# define STRTOF_NAN __wcstold_nan
748 #else
749 extern long double ____new_strtold_l (const char *, char **, __locale_t);
750 # define STRTOF __new_strtold_l
751 # define __STRTOF ____new_strtold_l
752 # define ____STRTOF_INTERNAL ____strtold_l_internal
753+# define STRTOF_NAN __strtold_nan
754 #endif
755 extern __typeof (__STRTOF) STRTOF;
756 libc_hidden_proto (__STRTOF)
757 libc_hidden_proto (STRTOF)
758 #define MPN2FLOAT __mpn_construct_long_double
759 #define FLOAT_HUGE_VAL HUGE_VALL
760-#define SET_MANTISSA(flt, mant) \
761- do { union ieee854_long_double u; \
762- u.d = (flt); \
763- u.ieee_nan.mantissa0 = 0; \
764- u.ieee_nan.mantissa1 = 0; \
765- u.ieee_nan.mantissa2 = (mant) >> 32; \
766- u.ieee_nan.mantissa3 = (mant); \
767- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \
768- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \
769- (flt) = u.d; \
770- } while (0)
771
772 #include <strtod_l.c>
773
774Index: git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
775===================================================================
776--- /dev/null
777+++ git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
778@@ -0,0 +1,30 @@
779+/* Convert string for NaN payload to corresponding NaN. For ldbl-96.
780+ Copyright (C) 1997-2015 Free Software Foundation, Inc.
781+ This file is part of the GNU C Library.
782+
783+ The GNU C Library is free software; you can redistribute it and/or
784+ modify it under the terms of the GNU Lesser General Public
785+ License as published by the Free Software Foundation; either
786+ version 2.1 of the License, or (at your option) any later version.
787+
788+ The GNU C Library is distributed in the hope that it will be useful,
789+ but WITHOUT ANY WARRANTY; without even the implied warranty of
790+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
791+ Lesser General Public License for more details.
792+
793+ You should have received a copy of the GNU Lesser General Public
794+ License along with the GNU C Library; if not, see
795+ <http://www.gnu.org/licenses/>. */
796+
797+#define FLOAT long double
798+#define SET_MANTISSA(flt, mant) \
799+ do \
800+ { \
801+ union ieee854_long_double u; \
802+ u.d = (flt); \
803+ u.ieee_nan.mantissa0 = (mant) >> 32; \
804+ u.ieee_nan.mantissa1 = (mant); \
805+ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
806+ (flt) = u.d; \
807+ } \
808+ while (0)
809Index: git/sysdeps/ieee754/ldbl-96/strtold_l.c
810===================================================================
811--- git.orig/sysdeps/ieee754/ldbl-96/strtold_l.c
812+++ git/sysdeps/ieee754/ldbl-96/strtold_l.c
813@@ -25,19 +25,13 @@
814 #ifdef USE_WIDE_CHAR
815 # define STRTOF wcstold_l
816 # define __STRTOF __wcstold_l
817+# define STRTOF_NAN __wcstold_nan
818 #else
819 # define STRTOF strtold_l
820 # define __STRTOF __strtold_l
821+# define STRTOF_NAN __strtold_nan
822 #endif
823 #define MPN2FLOAT __mpn_construct_long_double
824 #define FLOAT_HUGE_VAL HUGE_VALL
825-#define SET_MANTISSA(flt, mant) \
826- do { union ieee854_long_double u; \
827- u.d = (flt); \
828- u.ieee_nan.mantissa0 = (mant) >> 32; \
829- u.ieee_nan.mantissa1 = (mant); \
830- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
831- (flt) = u.d; \
832- } while (0)
833
834 #include <stdlib/strtod_l.c>
835Index: git/wcsmbs/Makefile
836===================================================================
837--- git.orig/wcsmbs/Makefile
838+++ git/wcsmbs/Makefile
839@@ -39,6 +39,7 @@ routines-$(OPTION_POSIX_C_LANG_WIDE_CHAR
840 wcstol wcstoul wcstoll wcstoull wcstod wcstold wcstof \
841 wcstol_l wcstoul_l wcstoll_l wcstoull_l \
842 wcstod_l wcstold_l wcstof_l \
843+ wcstod_nan wcstold_nan wcstof_nan \
844 wcscoll wcsxfrm \
845 wcwidth wcswidth \
846 wcscoll_l wcsxfrm_l \
847Index: git/wcsmbs/wcstod_l.c
848===================================================================
849--- git.orig/wcsmbs/wcstod_l.c
850+++ git/wcsmbs/wcstod_l.c
851@@ -23,9 +23,6 @@
852
853 extern double ____wcstod_l_internal (const wchar_t *, wchar_t **, int,
854 __locale_t);
855-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
856- wchar_t **, int, int,
857- __locale_t);
858
859 #define USE_WIDE_CHAR 1
860
861Index: git/wcsmbs/wcstod_nan.c
862===================================================================
863--- /dev/null
864+++ git/wcsmbs/wcstod_nan.c
865@@ -0,0 +1,23 @@
866+/* Convert string for NaN payload to corresponding NaN. Wide strings, double.
867+ Copyright (C) 2015 Free Software Foundation, Inc.
868+ This file is part of the GNU C Library.
869+
870+ The GNU C Library is free software; you can redistribute it and/or
871+ modify it under the terms of the GNU Lesser General Public
872+ License as published by the Free Software Foundation; either
873+ version 2.1 of the License, or (at your option) any later version.
874+
875+ The GNU C Library is distributed in the hope that it will be useful,
876+ but WITHOUT ANY WARRANTY; without even the implied warranty of
877+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
878+ Lesser General Public License for more details.
879+
880+ You should have received a copy of the GNU Lesser General Public
881+ License along with the GNU C Library; if not, see
882+ <http://www.gnu.org/licenses/>. */
883+
884+#include "../stdlib/strtod_nan_wide.h"
885+#include "../stdlib/strtod_nan_double.h"
886+
887+#define STRTOD_NAN __wcstod_nan
888+#include "../stdlib/strtod_nan_main.c"
889Index: git/wcsmbs/wcstof_l.c
890===================================================================
891--- git.orig/wcsmbs/wcstof_l.c
892+++ git/wcsmbs/wcstof_l.c
893@@ -25,8 +25,5 @@
894
895 extern float ____wcstof_l_internal (const wchar_t *, wchar_t **, int,
896 __locale_t);
897-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
898- wchar_t **, int, int,
899- __locale_t);
900
901 #include <stdlib/strtof_l.c>
902Index: git/wcsmbs/wcstof_nan.c
903===================================================================
904--- /dev/null
905+++ git/wcsmbs/wcstof_nan.c
906@@ -0,0 +1,23 @@
907+/* Convert string for NaN payload to corresponding NaN. Wide strings, float.
908+ Copyright (C) 2015 Free Software Foundation, Inc.
909+ This file is part of the GNU C Library.
910+
911+ The GNU C Library is free software; you can redistribute it and/or
912+ modify it under the terms of the GNU Lesser General Public
913+ License as published by the Free Software Foundation; either
914+ version 2.1 of the License, or (at your option) any later version.
915+
916+ The GNU C Library is distributed in the hope that it will be useful,
917+ but WITHOUT ANY WARRANTY; without even the implied warranty of
918+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
919+ Lesser General Public License for more details.
920+
921+ You should have received a copy of the GNU Lesser General Public
922+ License along with the GNU C Library; if not, see
923+ <http://www.gnu.org/licenses/>. */
924+
925+#include "../stdlib/strtod_nan_wide.h"
926+#include "../stdlib/strtod_nan_float.h"
927+
928+#define STRTOD_NAN __wcstof_nan
929+#include "../stdlib/strtod_nan_main.c"
930Index: git/wcsmbs/wcstold_l.c
931===================================================================
932--- git.orig/wcsmbs/wcstold_l.c
933+++ git/wcsmbs/wcstold_l.c
934@@ -24,8 +24,5 @@
935
936 extern long double ____wcstold_l_internal (const wchar_t *, wchar_t **, int,
937 __locale_t);
938-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
939- wchar_t **, int, int,
940- __locale_t);
941
942 #include <strtold_l.c>
943Index: git/wcsmbs/wcstold_nan.c
944===================================================================
945--- /dev/null
946+++ git/wcsmbs/wcstold_nan.c
947@@ -0,0 +1,30 @@
948+/* Convert string for NaN payload to corresponding NaN. Wide strings,
949+ long double.
950+ Copyright (C) 2015 Free Software Foundation, Inc.
951+ This file is part of the GNU C Library.
952+
953+ The GNU C Library is free software; you can redistribute it and/or
954+ modify it under the terms of the GNU Lesser General Public
955+ License as published by the Free Software Foundation; either
956+ version 2.1 of the License, or (at your option) any later version.
957+
958+ The GNU C Library is distributed in the hope that it will be useful,
959+ but WITHOUT ANY WARRANTY; without even the implied warranty of
960+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
961+ Lesser General Public License for more details.
962+
963+ You should have received a copy of the GNU Lesser General Public
964+ License along with the GNU C Library; if not, see
965+ <http://www.gnu.org/licenses/>. */
966+
967+#include <math.h>
968+
969+/* This function is unused if long double and double have the same
970+ representation. */
971+#ifndef __NO_LONG_DOUBLE_MATH
972+# include "../stdlib/strtod_nan_wide.h"
973+# include <strtod_nan_ldouble.h>
974+
975+# define STRTOD_NAN __wcstold_nan
976+# include "../stdlib/strtod_nan_main.c"
977+#endif
978Index: git/ChangeLog
979===================================================================
980--- git.orig/ChangeLog
981+++ git/ChangeLog
982@@ -1,3 +1,57 @@
983+2015-11-24 Joseph Myers <joseph@codesourcery.com>
984+
985+ * stdlib/strtod_nan.c: New file.
986+ * stdlib/strtod_nan_double.h: Likewise.
987+ * stdlib/strtod_nan_float.h: Likewise.
988+ * stdlib/strtod_nan_main.c: Likewise.
989+ * stdlib/strtod_nan_narrow.h: Likewise.
990+ * stdlib/strtod_nan_wide.h: Likewise.
991+ * stdlib/strtof_nan.c: Likewise.
992+ * stdlib/strtold_nan.c: Likewise.
993+ * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
994+ * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
995+ * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
996+ * wcsmbs/wcstod_nan.c: Likewise.
997+ * wcsmbs/wcstof_nan.c: Likewise.
998+ * wcsmbs/wcstold_nan.c: Likewise.
999+ * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
1000+ strtold_nan.
1001+ * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
1002+ wcstof_nan.
1003+ * include/stdlib.h (__strtof_nan): Declare and use
1004+ libc_hidden_proto.
1005+ (__strtod_nan): Likewise.
1006+ (__strtold_nan): Likewise.
1007+ (__wcstof_nan): Likewise.
1008+ (__wcstod_nan): Likewise.
1009+ (__wcstold_nan): Likewise.
1010+ * include/wchar.h (____wcstoull_l_internal): Declare.
1011+ * stdlib/strtod_l.c: Do not include <ieee754.h>.
1012+ (____strtoull_l_internal): Remove declaration.
1013+ (STRTOF_NAN): Define macro.
1014+ (SET_MANTISSA): Remove macro.
1015+ (STRTOULL): Likewise.
1016+ (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
1017+ * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
1018+ (STRTOF_NAN): Define macro.
1019+ (SET_MANTISSA): Remove macro.
1020+ * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
1021+ (SET_MANTISSA): Remove macro.
1022+ * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
1023+ macro.
1024+ (SET_MANTISSA): Remove macro.
1025+ * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
1026+ macro.
1027+ (SET_MANTISSA): Remove macro.
1028+ * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
1029+ (SET_MANTISSA): Remove macro.
1030+ * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
1031+ * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
1032+ * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
1033+
1034+ [BZ #19266]
1035+ * stdlib/strtod_l.c (____STRTOF_INTERNAL): Check directly for
1036+ upper case and lower case letters inside NAN(), not using TOLOWER.
1037 2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
1038
1039 [BZ #17905]
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch b/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
deleted file mode 100644
index e30307fbc0..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
+++ /dev/null
@@ -1,385 +0,0 @@
1From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17 00:00:00 2001
2From: Joseph Myers <joseph@codesourcery.com>
3Date: Fri, 4 Dec 2015 20:36:28 +0000
4Subject: [PATCH] Fix nan functions handling of payload strings (bug 16961, bug
5 16962).
6
7The nan, nanf and nanl functions handle payload strings by doing e.g.:
8
9 if (tagp[0] != '\0')
10 {
11 char buf[6 + strlen (tagp)];
12 sprintf (buf, "NAN(%s)", tagp);
13 return strtod (buf, NULL);
14 }
15
16This is an unbounded stack allocation based on the length of the
17argument. Furthermore, if the argument starts with an n-char-sequence
18followed by ')', that n-char-sequence is wrongly treated as
19significant for determining the payload of the resulting NaN, when ISO
20C says the call should be equivalent to strtod ("NAN", NULL), without
21being affected by that initial n-char-sequence. This patch fixes both
22those problems by using the __strtod_nan etc. functions recently
23factored out of strtod etc. for that purpose, with those functions
24being exported from libc at version GLIBC_PRIVATE.
25
26Tested for x86_64, x86, mips64 and powerpc.
27
28 [BZ #16961]
29 [BZ #16962]
30 * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
31 string on the stack for strtod.
32 * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
33 a string on the stack for strtof.
34 * math/s_nanl.c (__nanl): Use __strtold_nan instead of
35 constructing a string on the stack for strtold.
36 * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
37 __strtold_nan to GLIBC_PRIVATE.
38 * math/test-nan-overflow.c: New file.
39 * math/test-nan-payload.c: Likewise.
40 * math/Makefile (tests): Add test-nan-overflow and
41 test-nan-payload.
42
43Upstream-Status: Backport
44CVE: CVE-2015-9761 patch #2
45[Yocto # 8980]
46
47https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
48
49Signed-off-by: Armin Kuster <akuster@mvista.com>
50
51---
52 ChangeLog | 17 +++++++
53 NEWS | 6 +++
54 math/Makefile | 3 +-
55 math/s_nan.c | 9 +---
56 math/s_nanf.c | 9 +---
57 math/s_nanl.c | 9 +---
58 math/test-nan-overflow.c | 66 +++++++++++++++++++++++++
59 math/test-nan-payload.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++
60 stdlib/Versions | 1 +
61 9 files changed, 217 insertions(+), 25 deletions(-)
62 create mode 100644 math/test-nan-overflow.c
63 create mode 100644 math/test-nan-payload.c
64
65Index: git/ChangeLog
66===================================================================
67--- git.orig/ChangeLog
68+++ git/ChangeLog
69@@ -1,3 +1,20 @@
70+2015-12-04 Joseph Myers <joseph@codesourcery.com>
71+
72+ [BZ #16961]
73+ [BZ #16962]
74+ * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
75+ string on the stack for strtod.
76+ * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
77+ a string on the stack for strtof.
78+ * math/s_nanl.c (__nanl): Use __strtold_nan instead of
79+ constructing a string on the stack for strtold.
80+ * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
81+ __strtold_nan to GLIBC_PRIVATE.
82+ * math/test-nan-overflow.c: New file.
83+ * math/test-nan-payload.c: Likewise.
84+ * math/Makefile (tests): Add test-nan-overflow and
85+ test-nan-payload.
86+
87 2015-11-24 Joseph Myers <joseph@codesourcery.com>
88
89 * stdlib/strtod_nan.c: New file.
90Index: git/NEWS
91===================================================================
92--- git.orig/NEWS
93+++ git/NEWS
94@@ -99,6 +99,12 @@ Version 2.22
95
96 Version 2.21
97
98+Security related changes:
99+
100+* The nan, nanf and nanl functions no longer have unbounded stack usage
101+ depending on the length of the string passed as an argument to the
102+ functions. Reported by Joseph Myers.
103+
104 * The following bugs are resolved with this release:
105
106 6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498,
107Index: git/math/Makefile
108===================================================================
109--- git.orig/math/Makefile
110+++ git/math/Makefile
111@@ -110,6 +110,7 @@ tests = test-matherr test-fenv atest-exp
112 test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \
113 test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \
114 test-fenv-tls test-fenv-preserve test-fenv-return test-fenvinline \
115+ test-nan-overflow test-nan-payload \
116 $(tests-static)
117 tests-static = test-fpucw-static test-fpucw-ieee-static
118 # We do the `long double' tests only if this data type is available and
119Index: git/math/s_nan.c
120===================================================================
121--- git.orig/math/s_nan.c
122+++ git/math/s_nan.c
123@@ -28,14 +28,7 @@
124 double
125 __nan (const char *tagp)
126 {
127- if (tagp[0] != '\0')
128- {
129- char buf[6 + strlen (tagp)];
130- sprintf (buf, "NAN(%s)", tagp);
131- return strtod (buf, NULL);
132- }
133-
134- return NAN;
135+ return __strtod_nan (tagp, NULL, 0);
136 }
137 weak_alias (__nan, nan)
138 #ifdef NO_LONG_DOUBLE
139Index: git/math/s_nanf.c
140===================================================================
141--- git.orig/math/s_nanf.c
142+++ git/math/s_nanf.c
143@@ -28,13 +28,6 @@
144 float
145 __nanf (const char *tagp)
146 {
147- if (tagp[0] != '\0')
148- {
149- char buf[6 + strlen (tagp)];
150- sprintf (buf, "NAN(%s)", tagp);
151- return strtof (buf, NULL);
152- }
153-
154- return NAN;
155+ return __strtof_nan (tagp, NULL, 0);
156 }
157 weak_alias (__nanf, nanf)
158Index: git/math/s_nanl.c
159===================================================================
160--- git.orig/math/s_nanl.c
161+++ git/math/s_nanl.c
162@@ -28,13 +28,6 @@
163 long double
164 __nanl (const char *tagp)
165 {
166- if (tagp[0] != '\0')
167- {
168- char buf[6 + strlen (tagp)];
169- sprintf (buf, "NAN(%s)", tagp);
170- return strtold (buf, NULL);
171- }
172-
173- return NAN;
174+ return __strtold_nan (tagp, NULL, 0);
175 }
176 weak_alias (__nanl, nanl)
177Index: git/math/test-nan-overflow.c
178===================================================================
179--- /dev/null
180+++ git/math/test-nan-overflow.c
181@@ -0,0 +1,66 @@
182+/* Test nan functions stack overflow (bug 16962).
183+ Copyright (C) 2015 Free Software Foundation, Inc.
184+ This file is part of the GNU C Library.
185+
186+ The GNU C Library is free software; you can redistribute it and/or
187+ modify it under the terms of the GNU Lesser General Public
188+ License as published by the Free Software Foundation; either
189+ version 2.1 of the License, or (at your option) any later version.
190+
191+ The GNU C Library is distributed in the hope that it will be useful,
192+ but WITHOUT ANY WARRANTY; without even the implied warranty of
193+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
194+ Lesser General Public License for more details.
195+
196+ You should have received a copy of the GNU Lesser General Public
197+ License along with the GNU C Library; if not, see
198+ <http://www.gnu.org/licenses/>. */
199+
200+#include <math.h>
201+#include <stdio.h>
202+#include <string.h>
203+#include <sys/resource.h>
204+
205+#define STACK_LIM 1048576
206+#define STRING_SIZE (2 * STACK_LIM)
207+
208+static int
209+do_test (void)
210+{
211+ int result = 0;
212+ struct rlimit lim;
213+ getrlimit (RLIMIT_STACK, &lim);
214+ lim.rlim_cur = STACK_LIM;
215+ setrlimit (RLIMIT_STACK, &lim);
216+ char *nanstr = malloc (STRING_SIZE);
217+ if (nanstr == NULL)
218+ {
219+ puts ("malloc failed, cannot test");
220+ return 77;
221+ }
222+ memset (nanstr, '0', STRING_SIZE - 1);
223+ nanstr[STRING_SIZE - 1] = 0;
224+#define NAN_TEST(TYPE, FUNC) \
225+ do \
226+ { \
227+ char *volatile p = nanstr; \
228+ volatile TYPE v = FUNC (p); \
229+ if (isnan (v)) \
230+ puts ("PASS: " #FUNC); \
231+ else \
232+ { \
233+ puts ("FAIL: " #FUNC); \
234+ result = 1; \
235+ } \
236+ } \
237+ while (0)
238+ NAN_TEST (float, nanf);
239+ NAN_TEST (double, nan);
240+#ifndef NO_LONG_DOUBLE
241+ NAN_TEST (long double, nanl);
242+#endif
243+ return result;
244+}
245+
246+#define TEST_FUNCTION do_test ()
247+#include "../test-skeleton.c"
248Index: git/math/test-nan-payload.c
249===================================================================
250--- /dev/null
251+++ git/math/test-nan-payload.c
252@@ -0,0 +1,122 @@
253+/* Test nan functions payload handling (bug 16961).
254+ Copyright (C) 2015 Free Software Foundation, Inc.
255+ This file is part of the GNU C Library.
256+
257+ The GNU C Library is free software; you can redistribute it and/or
258+ modify it under the terms of the GNU Lesser General Public
259+ License as published by the Free Software Foundation; either
260+ version 2.1 of the License, or (at your option) any later version.
261+
262+ The GNU C Library is distributed in the hope that it will be useful,
263+ but WITHOUT ANY WARRANTY; without even the implied warranty of
264+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
265+ Lesser General Public License for more details.
266+
267+ You should have received a copy of the GNU Lesser General Public
268+ License along with the GNU C Library; if not, see
269+ <http://www.gnu.org/licenses/>. */
270+
271+#include <float.h>
272+#include <math.h>
273+#include <stdio.h>
274+#include <stdlib.h>
275+#include <string.h>
276+
277+/* Avoid built-in functions. */
278+#define WRAP_NAN(FUNC, STR) \
279+ ({ const char *volatile wns = (STR); FUNC (wns); })
280+#define WRAP_STRTO(FUNC, STR) \
281+ ({ const char *volatile wss = (STR); FUNC (wss, NULL); })
282+
283+#define CHECK_IS_NAN(TYPE, A) \
284+ do \
285+ { \
286+ if (isnan (A)) \
287+ puts ("PASS: " #TYPE " " #A); \
288+ else \
289+ { \
290+ puts ("FAIL: " #TYPE " " #A); \
291+ result = 1; \
292+ } \
293+ } \
294+ while (0)
295+
296+#define CHECK_SAME_NAN(TYPE, A, B) \
297+ do \
298+ { \
299+ if (memcmp (&(A), &(B), sizeof (A)) == 0) \
300+ puts ("PASS: " #TYPE " " #A " = " #B); \
301+ else \
302+ { \
303+ puts ("FAIL: " #TYPE " " #A " = " #B); \
304+ result = 1; \
305+ } \
306+ } \
307+ while (0)
308+
309+#define CHECK_DIFF_NAN(TYPE, A, B) \
310+ do \
311+ { \
312+ if (memcmp (&(A), &(B), sizeof (A)) != 0) \
313+ puts ("PASS: " #TYPE " " #A " != " #B); \
314+ else \
315+ { \
316+ puts ("FAIL: " #TYPE " " #A " != " #B); \
317+ result = 1; \
318+ } \
319+ } \
320+ while (0)
321+
322+/* Cannot test payloads by memcmp for formats where NaNs have padding
323+ bits. */
324+#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106)
325+
326+#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG) \
327+ do \
328+ { \
329+ TYPE n123 = WRAP_NAN (FUNC, "123"); \
330+ CHECK_IS_NAN (TYPE, n123); \
331+ TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)"); \
332+ CHECK_IS_NAN (TYPE, s123); \
333+ TYPE n456 = WRAP_NAN (FUNC, "456"); \
334+ CHECK_IS_NAN (TYPE, n456); \
335+ TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)"); \
336+ CHECK_IS_NAN (TYPE, s456); \
337+ TYPE n123x = WRAP_NAN (FUNC, "123)"); \
338+ CHECK_IS_NAN (TYPE, n123x); \
339+ TYPE nemp = WRAP_NAN (FUNC, ""); \
340+ CHECK_IS_NAN (TYPE, nemp); \
341+ TYPE semp = WRAP_STRTO (SFUNC, "NAN()"); \
342+ CHECK_IS_NAN (TYPE, semp); \
343+ TYPE sx = WRAP_STRTO (SFUNC, "NAN"); \
344+ CHECK_IS_NAN (TYPE, sx); \
345+ if (CAN_TEST_EQ (MANT_DIG)) \
346+ CHECK_SAME_NAN (TYPE, n123, s123); \
347+ if (CAN_TEST_EQ (MANT_DIG)) \
348+ CHECK_SAME_NAN (TYPE, n456, s456); \
349+ if (CAN_TEST_EQ (MANT_DIG)) \
350+ CHECK_SAME_NAN (TYPE, nemp, semp); \
351+ if (CAN_TEST_EQ (MANT_DIG)) \
352+ CHECK_SAME_NAN (TYPE, n123x, sx); \
353+ CHECK_DIFF_NAN (TYPE, n123, n456); \
354+ CHECK_DIFF_NAN (TYPE, n123, nemp); \
355+ CHECK_DIFF_NAN (TYPE, n123, n123x); \
356+ CHECK_DIFF_NAN (TYPE, n456, nemp); \
357+ CHECK_DIFF_NAN (TYPE, n456, n123x); \
358+ } \
359+ while (0)
360+
361+static int
362+do_test (void)
363+{
364+ int result = 0;
365+ RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG);
366+ RUN_TESTS (double, strtod, nan, DBL_MANT_DIG);
367+#ifndef NO_LONG_DOUBLE
368+ RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG);
369+#endif
370+ return result;
371+}
372+
373+#define TEST_FUNCTION do_test ()
374+#include "../test-skeleton.c"
375Index: git/stdlib/Versions
376===================================================================
377--- git.orig/stdlib/Versions
378+++ git/stdlib/Versions
379@@ -118,5 +118,6 @@ libc {
380 # Used from other libraries
381 __libc_secure_getenv;
382 __call_tls_dtors;
383+ __strtof_nan; __strtod_nan; __strtold_nan;
384 }
385 }
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-11-06 19:59:25 +0000