Diffstat (limited to 'patches/glibc')
-rw-r--r--patches/glibc/2.12.1/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.12.1/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.12.2/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.12.2/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.13/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.13/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.14.1/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.14.1/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.14/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.14/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.15/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.15/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.16.0/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.16.0/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.17/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.17/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.18/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.18/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.19/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.19/930-explicit-boolean.patch33
-rw-r--r--patches/glibc/2.19/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.20/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.20/930-explicit-boolean.patch33
-rw-r--r--patches/glibc/2.20/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.21/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.21/930-explicit-boolean.patch33
-rw-r--r--patches/glibc/2.21/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.21/950-dlclose-assert.patch40
-rw-r--r--patches/glibc/2.22/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.22/930-explicit-boolean.patch33
-rw-r--r--patches/glibc/2.22/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.23/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.23/930-explicit-boolean.patch33
-rw-r--r--patches/glibc/2.23/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.24/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/2.24/930-explicit-boolean.patch33
-rw-r--r--patches/glibc/2.24/940-nis-bogus-conditional.patch62
-rw-r--r--patches/glibc/2.25/960-sh4-trap-divdi3.patch340
-rw-r--r--patches/glibc/2.25/961-sparc-extra-plt-call.patch65
-rw-r--r--patches/glibc/linaro-2.20-2014.11/920-fix-rpc_parse-format.patch60
-rw-r--r--patches/glibc/linaro-2.20-2014.11/930-explicit-boolean.patch33
-rw-r--r--patches/glibc/linaro-2.20-2014.11/940-nis-bogus-conditional.patch62
42 files changed, 2628 insertions, 0 deletions
diff --git a/patches/glibc/2.12.1/920-fix-rpc_parse-format.patch b/patches/glibc/2.12.1/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.12.1/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
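Review bot: The enlarged `name` buffer is safe only because of a limit enforced elsewhere, and nothing at the declaration records that. Per the description, the `strcpy` and the `sprintf (name, "%s%d", ARGNAME, num)` writes stay unbounded and depend on rpcgen's MAXLINESIZE line limit. I would state the dependency on the declaration, e.g. `char name[MAXLINESIZE]; /* argument name; fits because input lines are capped at MAXLINESIZE */`, or bound the default-name write with `snprintf (name, sizeof name, "%s%d", ARGNAME, num);`. The embedded ChangeLog also still lists `sunrpc/bug20790.x` and the Makefile test rule, while this 60-line patch carries only the `rpc_parse.c` hunk, so the regression test is not part of the backport and the patch header should say so. This applies equally to the identical copies added for the other glibc versions in the diffstat; `get_prog_declaration` continues outside the embedded hunk.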
diff --git a/patches/glibc/2.12.1/940-nis-bogus-conditional.patch b/patches/glibc/2.12.1/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.12.1/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
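Review bot: Flipping the guard to `name == NULL` makes the rest of `_nss_nisplus_getaliasbyname_r` reachable for real lookups, since the old test returned `NSS_STATUS_UNAVAIL` for every non-NULL name. Every caller-supplied name therefore now reaches the `char buf[strlen (name) + 9 + tablename_len];` quoted in the description, and as far as the hunk shows nothing bounds its length. The description leaves that stack-allocation question open (bug 20987) and states that no substantive nisplus testing was done, so the backport should record the open point next to the guard, e.g. `/* name sizes a VLA below and is not length-checked here; see BZ #20987 */`. The function body continues outside the embedded hunk, so the VLA itself is not visible here. The same note applies to the identical copies of this patch added for the other glibc versions in the diffstat.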
diff --git a/patches/glibc/2.12.2/920-fix-rpc_parse-format.patch b/patches/glibc/2.12.2/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.12.2/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.12.2/940-nis-bogus-conditional.patch b/patches/glibc/2.12.2/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.12.2/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.13/920-fix-rpc_parse-format.patch b/patches/glibc/2.13/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.13/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.13/940-nis-bogus-conditional.patch b/patches/glibc/2.13/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.13/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.14.1/920-fix-rpc_parse-format.patch b/patches/glibc/2.14.1/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.14.1/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.14.1/940-nis-bogus-conditional.patch b/patches/glibc/2.14.1/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.14.1/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.14/920-fix-rpc_parse-format.patch b/patches/glibc/2.14/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.14/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.14/940-nis-bogus-conditional.patch b/patches/glibc/2.14/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.14/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.15/920-fix-rpc_parse-format.patch b/patches/glibc/2.15/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.15/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.15/940-nis-bogus-conditional.patch b/patches/glibc/2.15/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.15/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
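Review bot: With the guard corrected to `if (name == NULL)`, every non-NULL `name` now reaches the `char buf[strlen (name) + 9 + tablename_len];` declaration quoted in the patch description, and nothing in this hunk bounds its length, so the stack allocation is sized by the caller's string. Before the change that path returned EINVAL for any non-NULL name, so the VLA was effectively unreachable with valid input. I would either put a length check in front of the VLA or at least add a comment above the guard, `/* name sizes the VLA below and is not length-checked here; see BZ #20987 */`. The body of `_nss_nisplus_getaliasbyname_r` starts and ends outside the embedded hunk, so whether a later check exists cannot be confirmed from here. The identical patch files added for 2.16.0, 2.17, 2.18, 2.19 and 2.20 carry the same point.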
diff --git a/patches/glibc/2.16.0/920-fix-rpc_parse-format.patch b/patches/glibc/2.16.0/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.16.0/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
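Review bot: The embedded patch stops at the `sunrpc/rpc_parse.c` hunk although its ChangeLog lists `sunrpc/bug20790.x` and the `rpcgen-tests` Makefile rule, so the backport appears to ship the fix without its regression test; the patch header should say that the test was dropped on purpose. The fix itself only enlarges `name` to `MAXLINESIZE`, so the `sprintf` and `strcpy` named in the description stay unbounded and remain safe only while rpcgen's line limit holds. Making the write self-limiting, `snprintf (name, sizeof name, "%s%d", ARGNAME, num);`, would keep the bound local to the buffer. `get_prog_declaration` continues past the end of the hunk. The same file is added for 2.17, 2.18, 2.19 and 2.20 with an identical `index` line, so it is worth confirming that it applies to each version without fuzz.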
diff --git a/patches/glibc/2.16.0/940-nis-bogus-conditional.patch b/patches/glibc/2.16.0/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.16.0/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.17/920-fix-rpc_parse-format.patch b/patches/glibc/2.17/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.17/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.17/940-nis-bogus-conditional.patch b/patches/glibc/2.17/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.17/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.18/920-fix-rpc_parse-format.patch b/patches/glibc/2.18/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.18/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.18/940-nis-bogus-conditional.patch b/patches/glibc/2.18/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.18/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.19/920-fix-rpc_parse-format.patch b/patches/glibc/2.19/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.19/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.19/930-explicit-boolean.patch b/patches/glibc/2.19/930-explicit-boolean.patch
new file mode 100644
index 0000000..780fae6
--- /dev/null
+++ b/patches/glibc/2.19/930-explicit-boolean.patch
@@ -0,0 +1,33 @@
+commit e223d1fe72e820d96f43831412ab267a1ace04d0
+Author: steve ellcey-CA Eng-Software <sellcey@sellcey-thinkpad.caveonetworks.com>
+Date: Fri Oct 14 12:53:27 2016 -0700
+
+ Fix warnings from latest GCC.
+
+ * sysdeps/ieee754/dbl-64/e_pow.c (checkint) Make conditions explicitly
+ boolean.
+
+diff --git a/sysdeps/ieee754/dbl-64/e_pow.c b/sysdeps/ieee754/dbl-64/e_pow.c
+index 663fa392c2..bd758b5979 100644
+--- a/sysdeps/ieee754/dbl-64/e_pow.c
++++ b/sysdeps/ieee754/dbl-64/e_pow.c
+@@ -466,15 +466,15 @@ checkint (double x)
+ return (n & 1) ? -1 : 1; /* odd or even */
+ if (k > 20)
+ {
+- if (n << (k - 20))
++ if (n << (k - 20) != 0)
+ return 0; /* if not integer */
+- return (n << (k - 21)) ? -1 : 1;
++ return (n << (k - 21) != 0) ? -1 : 1;
+ }
+ if (n)
+ return 0; /*if not integer */
+ if (k == 20)
+ return (m & 1) ? -1 : 1;
+- if (m << (k + 12))
++ if (m << (k + 12) != 0)
+ return 0;
+- return (m << (k + 11)) ? -1 : 1;
++ return (m << (k + 11) != 0) ? -1 : 1;
+ }
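Review bot: In the rewritten conditions the shift lost its own parentheses, e.g. `if (n << (k - 20) != 0)`, so the reader has to recall that `<<` binds tighter than `!=`. Writing `if ((n << (k - 20)) != 0)` and `return ((n << (k - 21)) != 0) ? -1 : 1;` says the same thing without that dependence, and likewise for the two `m` shifts. The declarations of `k`, `m` and `n` are outside the hunk, as is the start of `checkint`; if they are signed, a short comment on the expected shift-count range would help, since overflow in a signed left shift is undefined behaviour. The same patch file is added for 2.20.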
diff --git a/patches/glibc/2.19/940-nis-bogus-conditional.patch b/patches/glibc/2.19/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.19/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.20/920-fix-rpc_parse-format.patch b/patches/glibc/2.20/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.20/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.20/930-explicit-boolean.patch b/patches/glibc/2.20/930-explicit-boolean.patch
new file mode 100644
index 0000000..780fae6
--- /dev/null
+++ b/patches/glibc/2.20/930-explicit-boolean.patch
@@ -0,0 +1,33 @@
+commit e223d1fe72e820d96f43831412ab267a1ace04d0
+Author: steve ellcey-CA Eng-Software <sellcey@sellcey-thinkpad.caveonetworks.com>
+Date: Fri Oct 14 12:53:27 2016 -0700
+
+ Fix warnings from latest GCC.
+
+ * sysdeps/ieee754/dbl-64/e_pow.c (checkint) Make conditions explicitly
+ boolean.
+
+diff --git a/sysdeps/ieee754/dbl-64/e_pow.c b/sysdeps/ieee754/dbl-64/e_pow.c
+index 663fa392c2..bd758b5979 100644
+--- a/sysdeps/ieee754/dbl-64/e_pow.c
++++ b/sysdeps/ieee754/dbl-64/e_pow.c
+@@ -466,15 +466,15 @@ checkint (double x)
+ return (n & 1) ? -1 : 1; /* odd or even */
+ if (k > 20)
+ {
+- if (n << (k - 20))
++ if (n << (k - 20) != 0)
+ return 0; /* if not integer */
+- return (n << (k - 21)) ? -1 : 1;
++ return (n << (k - 21) != 0) ? -1 : 1;
+ }
+ if (n)
+ return 0; /*if not integer */
+ if (k == 20)
+ return (m & 1) ? -1 : 1;
+- if (m << (k + 12))
++ if (m << (k + 12) != 0)
+ return 0;
+- return (m << (k + 11)) ? -1 : 1;
++ return (m << (k + 11) != 0) ? -1 : 1;
+ }
diff --git a/patches/glibc/2.20/940-nis-bogus-conditional.patch b/patches/glibc/2.20/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.20/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.21/920-fix-rpc_parse-format.patch b/patches/glibc/2.21/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.21/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
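Review bot: The widened `char name[MAXLINESIZE]` in get_prog_declaration is still written by unbounded calls (the commit message cites `sprintf (name, "%s%d", ARGNAME, num)` and a `strcpy` two lines above it), so safety rests on rpcgen's line-length limit rather than on the destination size. A bounded write such as `snprintf (name, sizeof name, "%s%d", ARGNAME, num);` would keep the function safe if that limit ever changes. The ChangeLog also lists `sunrpc/bug20790.x` and new `sunrpc/Makefile` test rules, but this 60-line patch file carries only the `rpc_parse.c` hunk, so the regression test is not applied with it; the patch header should say so. The same holds for the identical copies added under 2.22, 2.23 and 2.24, and the function body continues outside the hunk.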
diff --git a/patches/glibc/2.21/930-explicit-boolean.patch b/patches/glibc/2.21/930-explicit-boolean.patch
new file mode 100644
index 0000000..780fae6
--- /dev/null
+++ b/patches/glibc/2.21/930-explicit-boolean.patch
@@ -0,0 +1,33 @@
+commit e223d1fe72e820d96f43831412ab267a1ace04d0
+Author: steve ellcey-CA Eng-Software <sellcey@sellcey-thinkpad.caveonetworks.com>
+Date: Fri Oct 14 12:53:27 2016 -0700
+
+ Fix warnings from latest GCC.
+
+ * sysdeps/ieee754/dbl-64/e_pow.c (checkint) Make conditions explicitly
+ boolean.
+
+diff --git a/sysdeps/ieee754/dbl-64/e_pow.c b/sysdeps/ieee754/dbl-64/e_pow.c
+index 663fa392c2..bd758b5979 100644
+--- a/sysdeps/ieee754/dbl-64/e_pow.c
++++ b/sysdeps/ieee754/dbl-64/e_pow.c
+@@ -466,15 +466,15 @@ checkint (double x)
+ return (n & 1) ? -1 : 1; /* odd or even */
+ if (k > 20)
+ {
+- if (n << (k - 20))
++ if (n << (k - 20) != 0)
+ return 0; /* if not integer */
+- return (n << (k - 21)) ? -1 : 1;
++ return (n << (k - 21) != 0) ? -1 : 1;
+ }
+ if (n)
+ return 0; /*if not integer */
+ if (k == 20)
+ return (m & 1) ? -1 : 1;
+- if (m << (k + 12))
++ if (m << (k + 12) != 0)
+ return 0;
+- return (m << (k + 11)) ? -1 : 1;
++ return (m << (k + 11) != 0) ? -1 : 1;
+ }
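Review bot: The added comparisons in checkint, such as `n << (k - 20) != 0`, rely on `<<` binding tighter than `!=`. Writing `(n << (k - 20)) != 0`, and likewise for the `k - 21`, `k + 12` and `k + 11` shifts, makes the grouping explicit at no cost. The declarations of `n` and `m` are outside the hunk; if they are signed, shifting set bits out of range is undefined behaviour that this change leaves in place, and converting to an unsigned type before the shift would remove it. The identical patch is added again under 2.22, 2.23 and 2.24.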
diff --git a/patches/glibc/2.21/940-nis-bogus-conditional.patch b/patches/glibc/2.21/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.21/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
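Review bot: With the NULL test corrected, a non-NULL `name` of any length reaches the `char buf[strlen (name) + 9 + tablename_len];` declaration quoted in the commit message, and nothing in the hunk bounds that length, so the stack allocation is sized by the caller's string. The message leaves this question open, so the patch header should state that the fix only restores the NULL check. A length guard beside it, e.g. `if (name == NULL || strlen (name) > <MAX_NAME_LEN>)` with `<MAX_NAME_LEN>` a placeholder for whatever bound the maintainers choose, would close it locally. As the message notes, `__create_ib_request` uses `strdupa` on the same string, so a complete fix lies outside this function. `_nss_nisplus_getaliasbyname_r` starts and ends outside the hunk, and identical copies are added under 2.22, 2.23 and 2.24.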
diff --git a/patches/glibc/2.21/950-dlclose-assert.patch b/patches/glibc/2.21/950-dlclose-assert.patch
new file mode 100644
index 0000000..6e2fcff
--- /dev/null
+++ b/patches/glibc/2.21/950-dlclose-assert.patch
@@ -0,0 +1,40 @@
+commit 2bd2cad9e8a410643e80efa0b15f6f2882e1271b
+Author: Roland McGrath <roland@hack.frob.com>
+Date: Fri Apr 17 14:29:40 2015 -0700
+
+ Avoid confusing compiler with dynamically impossible statically invalid dereference in _dl_close_worker.
+
+diff --git a/elf/dl-close.c b/elf/dl-close.c
+index cf8f9e0465..412f71d70b 100644
+--- a/elf/dl-close.c
++++ b/elf/dl-close.c
+@@ -641,9 +641,16 @@ _dl_close_worker (struct link_map *map)
+ DL_UNMAP (imap);
+
+ /* Finally, unlink the data structure and free it. */
+- if (imap->l_prev != NULL)
+- imap->l_prev->l_next = imap->l_next;
+- else
++#if DL_NNS == 1
++ /* The assert in the (imap->l_prev == NULL) case gives
++ the compiler license to warn that NS points outside
++ the dl_ns array bounds in that case (as nsid != LM_ID_BASE
++ is tantamount to nsid >= DL_NNS). That should be impossible
++ in this configuration, so just assert about it instead. */
++ assert (nsid == LM_ID_BASE);
++ assert (imap->l_prev != NULL);
++#else
++ if (imap->l_prev == NULL)
+ {
+ assert (nsid != LM_ID_BASE);
+ ns->_ns_loaded = imap->l_next;
+@@ -652,6 +659,9 @@ _dl_close_worker (struct link_map *map)
+ we leave for debuggers to examine. */
+ r->r_map = (void *) ns->_ns_loaded;
+ }
++ else
++#endif
++ imap->l_prev->l_next = imap->l_next;
+
+ --ns->_ns_nloaded;
+ if (imap->l_next != NULL)
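Review bot: In the `#if DL_NNS == 1` branch, the write `imap->l_prev->l_next = imap->l_next;` is now guarded only by `assert (imap->l_prev != NULL);`, where the old code used an `if`. Whether this configuration can be built with assertions compiled out is not determinable from the hunk; if it can, the dereference would run unchecked. The new comment should say so explicitly, for example by adding `The asserts below are the only guard before the l_prev dereference.` `_dl_close_worker` starts and ends outside the hunk.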
diff --git a/patches/glibc/2.22/920-fix-rpc_parse-format.patch b/patches/glibc/2.22/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.22/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.22/930-explicit-boolean.patch b/patches/glibc/2.22/930-explicit-boolean.patch
new file mode 100644
index 0000000..780fae6
--- /dev/null
+++ b/patches/glibc/2.22/930-explicit-boolean.patch
@@ -0,0 +1,33 @@
+commit e223d1fe72e820d96f43831412ab267a1ace04d0
+Author: steve ellcey-CA Eng-Software <sellcey@sellcey-thinkpad.caveonetworks.com>
+Date: Fri Oct 14 12:53:27 2016 -0700
+
+ Fix warnings from latest GCC.
+
+ * sysdeps/ieee754/dbl-64/e_pow.c (checkint) Make conditions explicitly
+ boolean.
+
+diff --git a/sysdeps/ieee754/dbl-64/e_pow.c b/sysdeps/ieee754/dbl-64/e_pow.c
+index 663fa392c2..bd758b5979 100644
+--- a/sysdeps/ieee754/dbl-64/e_pow.c
++++ b/sysdeps/ieee754/dbl-64/e_pow.c
+@@ -466,15 +466,15 @@ checkint (double x)
+ return (n & 1) ? -1 : 1; /* odd or even */
+ if (k > 20)
+ {
+- if (n << (k - 20))
++ if (n << (k - 20) != 0)
+ return 0; /* if not integer */
+- return (n << (k - 21)) ? -1 : 1;
++ return (n << (k - 21) != 0) ? -1 : 1;
+ }
+ if (n)
+ return 0; /*if not integer */
+ if (k == 20)
+ return (m & 1) ? -1 : 1;
+- if (m << (k + 12))
++ if (m << (k + 12) != 0)
+ return 0;
+- return (m << (k + 11)) ? -1 : 1;
++ return (m << (k + 11) != 0) ? -1 : 1;
+ }
diff --git a/patches/glibc/2.22/940-nis-bogus-conditional.patch b/patches/glibc/2.22/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.22/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.23/920-fix-rpc_parse-format.patch b/patches/glibc/2.23/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.23/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.23/930-explicit-boolean.patch b/patches/glibc/2.23/930-explicit-boolean.patch
new file mode 100644
index 0000000..780fae6
--- /dev/null
+++ b/patches/glibc/2.23/930-explicit-boolean.patch
@@ -0,0 +1,33 @@
+commit e223d1fe72e820d96f43831412ab267a1ace04d0
+Author: steve ellcey-CA Eng-Software <sellcey@sellcey-thinkpad.caveonetworks.com>
+Date: Fri Oct 14 12:53:27 2016 -0700
+
+ Fix warnings from latest GCC.
+
+ * sysdeps/ieee754/dbl-64/e_pow.c (checkint) Make conditions explicitly
+ boolean.
+
+diff --git a/sysdeps/ieee754/dbl-64/e_pow.c b/sysdeps/ieee754/dbl-64/e_pow.c
+index 663fa392c2..bd758b5979 100644
+--- a/sysdeps/ieee754/dbl-64/e_pow.c
++++ b/sysdeps/ieee754/dbl-64/e_pow.c
+@@ -466,15 +466,15 @@ checkint (double x)
+ return (n & 1) ? -1 : 1; /* odd or even */
+ if (k > 20)
+ {
+- if (n << (k - 20))
++ if (n << (k - 20) != 0)
+ return 0; /* if not integer */
+- return (n << (k - 21)) ? -1 : 1;
++ return (n << (k - 21) != 0) ? -1 : 1;
+ }
+ if (n)
+ return 0; /*if not integer */
+ if (k == 20)
+ return (m & 1) ? -1 : 1;
+- if (m << (k + 12))
++ if (m << (k + 12) != 0)
+ return 0;
+- return (m << (k + 11)) ? -1 : 1;
++ return (m << (k + 11) != 0) ? -1 : 1;
+ }
diff --git a/patches/glibc/2.23/940-nis-bogus-conditional.patch b/patches/glibc/2.23/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.23/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.24/920-fix-rpc_parse-format.patch b/patches/glibc/2.24/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/2.24/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
diff --git a/patches/glibc/2.24/930-explicit-boolean.patch b/patches/glibc/2.24/930-explicit-boolean.patch
new file mode 100644
index 0000000..780fae6
--- /dev/null
+++ b/patches/glibc/2.24/930-explicit-boolean.patch
@@ -0,0 +1,33 @@
+commit e223d1fe72e820d96f43831412ab267a1ace04d0
+Author: steve ellcey-CA Eng-Software <sellcey@sellcey-thinkpad.caveonetworks.com>
+Date: Fri Oct 14 12:53:27 2016 -0700
+
+ Fix warnings from latest GCC.
+
+ * sysdeps/ieee754/dbl-64/e_pow.c (checkint) Make conditions explicitly
+ boolean.
+
+diff --git a/sysdeps/ieee754/dbl-64/e_pow.c b/sysdeps/ieee754/dbl-64/e_pow.c
+index 663fa392c2..bd758b5979 100644
+--- a/sysdeps/ieee754/dbl-64/e_pow.c
++++ b/sysdeps/ieee754/dbl-64/e_pow.c
+@@ -466,15 +466,15 @@ checkint (double x)
+ return (n & 1) ? -1 : 1; /* odd or even */
+ if (k > 20)
+ {
+- if (n << (k - 20))
++ if (n << (k - 20) != 0)
+ return 0; /* if not integer */
+- return (n << (k - 21)) ? -1 : 1;
++ return (n << (k - 21) != 0) ? -1 : 1;
+ }
+ if (n)
+ return 0; /*if not integer */
+ if (k == 20)
+ return (m & 1) ? -1 : 1;
+- if (m << (k + 12))
++ if (m << (k + 12) != 0)
+ return 0;
+- return (m << (k + 11)) ? -1 : 1;
++ return (m << (k + 11) != 0) ? -1 : 1;
+ }
diff --git a/patches/glibc/2.24/940-nis-bogus-conditional.patch b/patches/glibc/2.24/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/2.24/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
diff --git a/patches/glibc/2.25/960-sh4-trap-divdi3.patch b/patches/glibc/2.25/960-sh4-trap-divdi3.patch
new file mode 100644
index 0000000..99fad46
--- /dev/null
+++ b/patches/glibc/2.25/960-sh4-trap-divdi3.patch
@@ -0,0 +1,340 @@
+commit db3d848e154b00071f4a5e729d5884efad410109
+Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date: Wed Mar 15 15:44:59 2017 -0300
+
+ Build divdi3 only for architecture that required it
+
+ As noted in [1], divdi3 object is only exported in a handful ABIs
+ (i386, m68k, powerpc32, s390-32, and ia64), however it is built
+ for all current architectures regardless.
+
+ This patch refact the make rules for this object to so only the
+ aforementioned architectures that actually require it builds it.
+
+ Also, to avoid internal PLT calls to the exported symbol from the
+ module, glibc uses an internal header (symbol-hacks.h) which is
+ unrequired (and in fact breaks the build for architectures that
+ intend to get symbol definitions from libgcc.a). The patch also
+ changes it to create its own header (divdi3-symbol-hacks.h) and
+ adjust the architectures that require it accordingly.
+
+ I checked the build/check (with run-built-tests=no) on the
+ following architectures (which I think must cover all supported
+ ABI/builds) using GCC 6.3:
+
+ aarch64-linux-gnu
+ alpha-linux-gnu
+ arm-linux-gnueabihf
+ hppa-linux-gnu
+ ia64-linux-gnu
+ m68k-linux-gnu
+ microblaze-linux-gnu
+ mips64-n32-linux-gnu
+ mips-linux-gnu
+ mips64-linux-gnu
+ nios2-linux-gnu
+ powerpc-linux-gnu
+ powerpc-linux-gnu-power4
+ powerpc64-linux-gnu
+ powerpc64le-linux-gnu
+ s390x-linux-gnu
+ s390-linux-gnu
+ sh4-linux-gnu
+ sh4-linux-gnu-soft
+ sparc64-linux-gnu
+ sparcv9-linux-gnu
+ tilegx-linux-gnu
+ tilegx-linux-gnu-32
+ tilepro-linux-gnu
+ x86_64-linux-gnu
+ x86_64-linux-gnu-x32
+ i686-linux-gnu
+
+ I only saw one regression on sparcv9-linux-gnu (extra PLT call to
+ .udiv) which I address in next patch in the set. It also correctly
+ build SH with GCC 7.0.1 (without any regression from c89721e25d).
+
+ [1] https://sourceware.org/ml/libc-alpha/2017-03/msg00243.html
+
+ * sysdeps/i386/symbol-hacks.h: New file.
+ * sysdeps/m68k/symbol-hacks.h: New file.
+ * sysdeps/powerpc/powerpc32/symbol-hacks.h: New file.
+ * sysdeps/s390/s390-32/symbol-hacks.h: New file.
+ * sysdeps/unix/sysv/linux/i386/Makefile
+ [$(subdir) = csu] (sysdep_routines): New rule: divdi3 object.
+ [$(subdir) = csu] (sysdep-only-routines): Likewise.
+ [$(subdir) = csu] (CFLAGS-divdi3.c): Likewise.
+ * sysdeps/unix/sysv/linux/m68k/Makefile
+ [$(subdir) = csu] (sysdep_routines): Likewise.
+ [$(subdir) = csu] (sysdep-only-routines): Likewise.
+ [$(subdir) = csu] (CFLAGS-divdi3.c): Likewise.
+ * sysdeps/unix/sysv/linux/powerpc/powerpc32/Makefile
+ [$(subdir) = csu] (sysdep_routines): Likewise.
+ [$(subdir) = csu] (sysdep-only-routines): Likewise.
+ [$(subdir) = csu] (CFLAGS-divdi3.c): Likewise.
+ * sysdeps/unix/sysv/linux/s390/s390-32/Makefile
+ [$(subdir) = csu] (sysdep_routines): Likewise.
+ [$(subdir) = csu] (sysdep-only-routines): Likewise.
+ [$(subdir) = csu] (CFLAGS-divdi3.c): Likewise.
+ * sysdeps/wordsize-32/Makefile: Remove file.
+ * sysdeps/wordsize-32/symbol-hacks.h: Definitions move to ...
+ * sysdeps/wordsize-32/divdi3-symbol-hacks.h: ... here.
+
+diff --git a/sysdeps/i386/symbol-hacks.h b/sysdeps/i386/symbol-hacks.h
+new file mode 100644
+index 0000000000..36a13c83f7
+--- /dev/null
++++ b/sysdeps/i386/symbol-hacks.h
+@@ -0,0 +1,21 @@
++/* Hacks needed for symbol manipulation. i386 version.
++ Copyright (C) 2017 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <sysdeps/wordsize-32/divdi3-symbol-hacks.h>
++
++#include_next "symbol-hacks.h"
+diff --git a/sysdeps/m68k/symbol-hacks.h b/sysdeps/m68k/symbol-hacks.h
+new file mode 100644
+index 0000000000..e449d29810
+--- /dev/null
++++ b/sysdeps/m68k/symbol-hacks.h
+@@ -0,0 +1,21 @@
++/* Hacks needed for symbol manipulation. m68k version.
++ Copyright (C) 2017 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <sysdeps/wordsize-32/divdi3-symbol-hacks.h>
++
++#include_next "symbol-hacks.h"
+diff --git a/sysdeps/powerpc/powerpc32/symbol-hacks.h b/sysdeps/powerpc/powerpc32/symbol-hacks.h
+new file mode 100644
+index 0000000000..dbb3141621
+--- /dev/null
++++ b/sysdeps/powerpc/powerpc32/symbol-hacks.h
+@@ -0,0 +1,21 @@
++/* Hacks needed for symbol manipulation. powerpc version.
++ Copyright (C) 2017 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <sysdeps/wordsize-32/divdi3-symbol-hacks.h>
++
++#include_next "symbol-hacks.h"
+diff --git a/sysdeps/s390/s390-32/symbol-hacks.h b/sysdeps/s390/s390-32/symbol-hacks.h
+new file mode 100644
+index 0000000000..585c42365a
+--- /dev/null
++++ b/sysdeps/s390/s390-32/symbol-hacks.h
+@@ -0,0 +1,21 @@
++/* Hacks needed for symbol manipulation. s390 version.
++ Copyright (C) 2017 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <sysdeps/wordsize-32/divdi3-symbol-hacks.h>
++
++#include_next "symbol-hacks.h"
+diff --git a/sysdeps/unix/sysv/linux/i386/Makefile b/sysdeps/unix/sysv/linux/i386/Makefile
+index 6aac0dfe15..4080b8c966 100644
+--- a/sysdeps/unix/sysv/linux/i386/Makefile
++++ b/sysdeps/unix/sysv/linux/i386/Makefile
+@@ -26,6 +26,11 @@ endif
+
+ ifeq ($(subdir),csu)
+ sysdep-dl-routines += sysdep
++ifeq (yes,$(build-shared))
++sysdep_routines += divdi3
++shared-only-routines += divdi3
++CPPFLAGS-divdi3.c = -Din_divdi3_c
++endif
+ endif
+
+ ifeq ($(subdir),nptl)
+diff --git a/sysdeps/unix/sysv/linux/m68k/Makefile b/sysdeps/unix/sysv/linux/m68k/Makefile
+index 5c50ce6927..ce1f696a6f 100644
+--- a/sysdeps/unix/sysv/linux/m68k/Makefile
++++ b/sysdeps/unix/sysv/linux/m68k/Makefile
+@@ -4,6 +4,11 @@ m68k-syntax-flag = -DMOTOROLA_SYNTAX
+
+ ifeq ($(subdir),csu)
+ sysdep_routines += m68k-helpers
++ifeq (yes,$(build-shared))
++sysdep_routines += divdi3
++shared-only-routines += divdi3
++CPPFLAGS-divdi3.c = -Din_divdi3_c
++endif
+ endif
+
+ ifeq ($(subdir),misc)
+diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/Makefile b/sysdeps/unix/sysv/linux/powerpc/powerpc32/Makefile
+index 3d6c150582..1f45659ed1 100644
+--- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/Makefile
++++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/Makefile
+@@ -1,2 +1,10 @@
+ # See Makeconfig regarding the use of default-abi.
+ default-abi := 32
++
++ifeq ($(subdir),csu)
++ifeq (yes,$(build-shared))
++sysdep_routines += divdi3
++shared-only-routines += divdi3
++CPPFLAGS-divdi3.c = -Din_divdi3_c
++endif
++endif
+diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/Makefile b/sysdeps/unix/sysv/linux/s390/s390-32/Makefile
+index da3b3c76b4..fd8cf92633 100644
+--- a/sysdeps/unix/sysv/linux/s390/s390-32/Makefile
++++ b/sysdeps/unix/sysv/linux/s390/s390-32/Makefile
+@@ -21,3 +21,11 @@ endif
+ ifeq ($(subdir),stdlib)
+ sysdep_routines += __makecontext_ret
+ endif
++
++ifeq ($(subdir),csu)
++ifeq (yes,$(build-shared))
++sysdep_routines += divdi3
++shared-only-routines += divdi3
++CPPFLAGS-divdi3.c = -Din_divdi3_c
++endif
++endif
+diff --git a/sysdeps/wordsize-32/Makefile b/sysdeps/wordsize-32/Makefile
+deleted file mode 100644
+index 82beac44ed..0000000000
+--- a/sysdeps/wordsize-32/Makefile
++++ /dev/null
+@@ -1,7 +0,0 @@
+-ifeq ($(subdir),csu)
+-ifeq (yes,$(build-shared))
+-sysdep_routines += divdi3
+-shared-only-routines += divdi3
+-CPPFLAGS-divdi3.c = -Din_divdi3_c
+-endif
+-endif
+diff --git a/sysdeps/wordsize-32/divdi3-symbol-hacks.h b/sysdeps/wordsize-32/divdi3-symbol-hacks.h
+new file mode 100644
+index 0000000000..6c90cb796d
+--- /dev/null
++++ b/sysdeps/wordsize-32/divdi3-symbol-hacks.h
+@@ -0,0 +1,31 @@
++/* Hacks needed for divdi3 symbol manipulation.
++ Copyright (C) 2004-2017 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++/* A very dirty trick: gcc emits references to __divdi3, __udivdi3,
++ __moddi3, and __umoddi3. These functions are exported and
++ therefore we get PLTs. Unnecessarily so. Changing gcc is a big
++ task which might not be worth it so we play tricks with the
++ assembler.
++ Note: in_divdi3_c is only used to avoid symbol alias on divdi3
++ build itself. */
++#if !defined __ASSEMBLER__ && !defined in_divdi3_c && IS_IN (libc) && defined SHARED
++asm ("__divdi3 = __divdi3_internal");
++asm ("__udivdi3 = __udivdi3_internal");
++asm ("__moddi3 = __moddi3_internal");
++asm ("__umoddi3 = __umoddi3_internal");
++#endif
+diff --git a/sysdeps/wordsize-32/symbol-hacks.h b/sysdeps/wordsize-32/symbol-hacks.h
+deleted file mode 100644
+index 0aec1e0b97..0000000000
+--- a/sysdeps/wordsize-32/symbol-hacks.h
++++ /dev/null
+@@ -1,31 +0,0 @@
+-/* Hacks needed for symbol manipulation.
+- Copyright (C) 2004-2017 Free Software Foundation, Inc.
+- This file is part of the GNU C Library.
+-
+- The GNU C Library is free software; you can redistribute it and/or
+- modify it under the terms of the GNU Lesser General Public
+- License as published by the Free Software Foundation; either
+- version 2.1 of the License, or (at your option) any later version.
+-
+- The GNU C Library is distributed in the hope that it will be useful,
+- but WITHOUT ANY WARRANTY; without even the implied warranty of
+- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+- Lesser General Public License for more details.
+-
+- You should have received a copy of the GNU Lesser General Public
+- License along with the GNU C Library; if not, see
+- <http://www.gnu.org/licenses/>. */
+-
+-#include_next "symbol-hacks.h"
+-
+-/* A very dirty trick: gcc emits references to __divdi3, __udivdi3,
+- __moddi3, and __umoddi3. These functions are exported and
+- therefore we get PLTs. Unnecessarily so. Changing gcc is a big
+- task which might not be worth it so we play tricks with the
+- assembler. */
+-#if !defined __ASSEMBLER__ && !defined in_divdi3_c && IS_IN (libc) && defined SHARED
+-asm ("__divdi3 = __divdi3_internal");
+-asm ("__udivdi3 = __udivdi3_internal");
+-asm ("__moddi3 = __moddi3_internal");
+-asm ("__umoddi3 = __umoddi3_internal");
+-#endif
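Review bot: The ChangeLog in the patch header names `sysdep-only-routines` and `CFLAGS-divdi3.c`, but the four added Makefile stanzas set `shared-only-routines` and `CPPFLAGS-divdi3.c`. The difference matters because `-Din_divdi3_c` is the macro that the `#if` in divdi3-symbol-hacks.h tests to skip the aliases when divdi3 itself is built. The header also lists ia64 among the ABIs that export divdi3, yet no ia64 rule is added; presumably ia64 never picked up sysdeps/wordsize-32, but the patch does not say so. Since the stanza is repeated verbatim in four Makefiles, a comment above each, e.g. `# divdi3 is exported on this ABI; see sysdeps/wordsize-32/divdi3-symbol-hacks.h`, would help keep them in step.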
diff --git a/patches/glibc/2.25/961-sparc-extra-plt-call.patch b/patches/glibc/2.25/961-sparc-extra-plt-call.patch
new file mode 100644
index 0000000..3781cf0
--- /dev/null
+++ b/patches/glibc/2.25/961-sparc-extra-plt-call.patch
@@ -0,0 +1,65 @@
+commit bdc543e338281da051b3dc06eae96c330a485ce6
+Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date: Thu Mar 16 09:15:57 2017 -0300
+
+ sparc: Fix .udiv plt on libc
+
+ With the removal of divdi3 object from sparcv9-linux-gnu build, its
+ definition came from libgcc and its functions internall calls .udiv.
+ Since glibc also exports these symbols for compatibility reasons, it
+ will end up creating PLT calls internally in libc.so.
+
+ To avoid it, this patch uses the linker option --wrap to replace all
+ the internal libc.so .udiv calls to the wrapper __wrap_.udiv. Along
+ with strong alias in the udiv implementations, it makes linker do
+ local calls.
+
+ Checked on sparcv9-linux-gnu.
+
+ * sysdeps/sparc/sparc32/Makefile (libc.so-gnulib): New rule.
+ * sysdeps/sparc/sparc32/sparcv8/udiv.S (.udiv): Make a strong_alias
+ to __wrap_.udiv.
+ * sysdeps/sparc/sparc32/sparcv9/udiv.S (.udiv): Likewise.
+ * sysdeps/sparc/sparc32/udiv.S (.udiv): Likewise.
+
+diff --git a/sysdeps/sparc/sparc32/Makefile b/sysdeps/sparc/sparc32/Makefile
+index da205898cf..14d6e03c6f 100644
+--- a/sysdeps/sparc/sparc32/Makefile
++++ b/sysdeps/sparc/sparc32/Makefile
+@@ -47,3 +47,9 @@ $(divrem:%=$(sysdep_dir)/sparc/sparc32/%.S): $(sysdep_dir)/sparc/sparc32/divrem.
+ mv -f $@-tmp $@
+
+ sysdep-realclean := $(sysdep-realclean) $(divrem:%=sysdeps/sparc/sparc32/%.S)
++
++# libgcc __divdi3 and __moddi3 uses .udiv and since it is also exported by
++# libc.so linker will create PLTs for the symbol. To avoid it we strong alias
++# the exported libc one to __wrap_.udiv and use linker option --wrap to make any
++# call to .udiv to call the wrapper symbol.
++libc.so-gnulib += -Wl,--wrap=.udiv
+diff --git a/sysdeps/sparc/sparc32/sparcv8/udiv.S b/sysdeps/sparc/sparc32/sparcv8/udiv.S
+index d71954351e..e9cab4e4ef 100644
+--- a/sysdeps/sparc/sparc32/sparcv8/udiv.S
++++ b/sysdeps/sparc/sparc32/sparcv8/udiv.S
+@@ -13,3 +13,4 @@ ENTRY(.udiv)
+ udiv %o0, %o1, %o0
+
+ END(.udiv)
++strong_alias (.udiv, __wrap_.udiv)
+diff --git a/sysdeps/sparc/sparc32/sparcv9/udiv.S b/sysdeps/sparc/sparc32/sparcv9/udiv.S
+index de79899756..368f85ede2 100644
+--- a/sysdeps/sparc/sparc32/sparcv9/udiv.S
++++ b/sysdeps/sparc/sparc32/sparcv9/udiv.S
+@@ -15,3 +15,4 @@ ENTRY(.udiv)
+ udiv %o0, %o1, %o0
+
+ END(.udiv)
++strong_alias (.udiv, __wrap_.udiv)
+diff --git a/sysdeps/sparc/sparc32/udiv.S b/sysdeps/sparc/sparc32/udiv.S
+index 8dfff66158..ade0afdf40 100644
+--- a/sysdeps/sparc/sparc32/udiv.S
++++ b/sysdeps/sparc/sparc32/udiv.S
+@@ -344,3 +344,4 @@ LOC(got_result):
+ mov %o2, %o0
+
+ END(.udiv)
++strong_alias (.udiv, __wrap_.udiv)
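Review bot: The three added `strong_alias (.udiv, __wrap_.udiv)` lines carry no comment, so nothing in the udiv.S files says the alias exists only to satisfy `-Wl,--wrap=.udiv` in sysdeps/sparc/sparc32/Makefile. A one-line comment above each alias, e.g. `/* Target of -Wl,--wrap=.udiv, see sysdeps/sparc/sparc32/Makefile.  */`, would keep a later cleanup from removing it. Because the flag applies to the whole libc.so link, a `.udiv` implementation added without the alias would presumably fail at link time on an undefined `__wrap_.udiv`, which is the safe failure. The message ties this patch to the divdi3 removal in 960-sh4-trap-divdi3.patch, so the two need to be applied together.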
diff --git a/patches/glibc/linaro-2.20-2014.11/920-fix-rpc_parse-format.patch b/patches/glibc/linaro-2.20-2014.11/920-fix-rpc_parse-format.patch
new file mode 100644
index 0000000..37e58da
--- /dev/null
+++ b/patches/glibc/linaro-2.20-2014.11/920-fix-rpc_parse-format.patch
@@ -0,0 +1,60 @@
+commit 5874510faaf3cbd0bb112aaacab9f225002beed1
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Tue Nov 8 23:44:51 2016 +0000
+
+ Fix rpcgen buffer overrun (bug 20790).
+
+ Building with GCC 7 produces an error building rpcgen:
+
+ rpc_parse.c: In function 'get_prog_declaration':
+ rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ~~~~^
+ rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
+ sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ That buffer overrun is for the case where the .x file declares a
+ program with a million arguments. The strcpy two lines above can
+ generate a buffer overrun much more simply for a long argument name.
+
+ The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
+ provides a bound on the buffer size needed, so this patch just changes
+ the buffer size to MAXLINESIZE to avoid both possible buffer
+ overruns. A testcase is added that rpcgen does not crash with a
+ 500-character argument name, where it previously crashed.
+
+ It would not at all surprise me if there are many other ways of
+ crashing rpcgen with either valid or invalid input; fuzz testing would
+ likely find various such bugs, though I don't think they are that
+ important to fix (rpcgen is not that likely to be used with untrusted
+ .x files as input). (As well as fuzz-findable bugs there are probably
+ also issues when various int variables get overflowed on very large
+ input.) The test infrastructure for rpcgen-not-crashing tests would
+ need extending if tests are to be added for cases where rpcgen should
+ produce an error, as opposed to cases where it should succeed.
+
+ Tested for x86_64 and x86.
+
+ [BZ #20790]
+ * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
+ to MAXLINESIZE.
+ * sunrpc/bug20790.x: New file.
+ * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
+ variable.
+ [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
+ [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
+
+diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
+index 1a1df6d8c2..505a6554cf 100644
+--- a/sunrpc/rpc_parse.c
++++ b/sunrpc/rpc_parse.c
+@@ -521,7 +521,7 @@ static void
+ get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
+ {
+ token tok;
+- char name[10]; /* argument name */
++ char name[MAXLINESIZE]; /* argument name */
+
+ if (dkind == DEF_PROGRAM)
+ {
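Review bot: The carried patch contains only the `sunrpc/rpc_parse.c` hunk, while its ChangeLog still lists `sunrpc/bug20790.x` and the `rpcgen-tests` Makefile rule, so the regression test for the 500-character argument name is not applied on this tree. A header line in the patch file would make that explicit, e.g. `Backport note: test case (sunrpc/bug20790.x and its Makefile rule) not included.` Separately, the fix sizes `name` from the MAXLINESIZE input limit and leaves the `strcpy` and `sprintf (name, "%s%d", ARGNAME, num)` writes named in the message unbounded, so the buffer is safe only while that limit holds. `snprintf (name, sizeof name, "%s%d", ARGNAME, num);` would not depend on it. The body of get_prog_declaration continues outside the hunk.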
diff --git a/patches/glibc/linaro-2.20-2014.11/930-explicit-boolean.patch b/patches/glibc/linaro-2.20-2014.11/930-explicit-boolean.patch
new file mode 100644
index 0000000..780fae6
--- /dev/null
+++ b/patches/glibc/linaro-2.20-2014.11/930-explicit-boolean.patch
@@ -0,0 +1,33 @@
+commit e223d1fe72e820d96f43831412ab267a1ace04d0
+Author: steve ellcey-CA Eng-Software <sellcey@sellcey-thinkpad.caveonetworks.com>
+Date: Fri Oct 14 12:53:27 2016 -0700
+
+ Fix warnings from latest GCC.
+
+ * sysdeps/ieee754/dbl-64/e_pow.c (checkint) Make conditions explicitly
+ boolean.
+
+diff --git a/sysdeps/ieee754/dbl-64/e_pow.c b/sysdeps/ieee754/dbl-64/e_pow.c
+index 663fa392c2..bd758b5979 100644
+--- a/sysdeps/ieee754/dbl-64/e_pow.c
++++ b/sysdeps/ieee754/dbl-64/e_pow.c
+@@ -466,15 +466,15 @@ checkint (double x)
+ return (n & 1) ? -1 : 1; /* odd or even */
+ if (k > 20)
+ {
+- if (n << (k - 20))
++ if (n << (k - 20) != 0)
+ return 0; /* if not integer */
+- return (n << (k - 21)) ? -1 : 1;
++ return (n << (k - 21) != 0) ? -1 : 1;
+ }
+ if (n)
+ return 0; /*if not integer */
+ if (k == 20)
+ return (m & 1) ? -1 : 1;
+- if (m << (k + 12))
++ if (m << (k + 12) != 0)
+ return 0;
+- return (m << (k + 11)) ? -1 : 1;
++ return (m << (k + 11) != 0) ? -1 : 1;
+ }
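Review bot: The added comparisons in checkint rely on `<<` binding tighter than `!=`, which is correct but easy to misread now that the two `return` lines no longer parenthesise the shift itself. `if ((n << (k - 20)) != 0)` and `return ((n << (k - 21)) != 0) ? -1 : 1;` say the same thing without a precedence check. The declarations of `n`, `m` and `k` are outside the hunk; if `n` and `m` are signed, these left shifts can move bits into the sign position, which C leaves undefined, so that is worth confirming against the full function.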
diff --git a/patches/glibc/linaro-2.20-2014.11/940-nis-bogus-conditional.patch b/patches/glibc/linaro-2.20-2014.11/940-nis-bogus-conditional.patch
new file mode 100644
index 0000000..09b38cf
--- /dev/null
+++ b/patches/glibc/linaro-2.20-2014.11/940-nis-bogus-conditional.patch
@@ -0,0 +1,62 @@
+commit f88759ea9bd3c8d8fef28f123ba9767cb0e421a3
+Author: Joseph Myers <joseph@codesourcery.com>
+Date: Wed Dec 21 23:44:01 2016 +0000
+
+ Fix nss_nisplus build with mainline GCC (bug 20978).
+
+ glibc build with current mainline GCC fails because
+ nis/nss_nisplus/nisplus-alias.c contains code
+
+ if (name != NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ char buf[strlen (name) + 9 + tablename_len];
+
+ producing an error about strlen being called on a pointer that is
+ always NULL (and a subsequent use of that pointer with a %s format in
+ snprintf).
+
+ As Andreas noted, the bogus conditional comes from a 1997 change:
+
+ - if (name == NULL || strlen(name) > 8)
+ - return NSS_STATUS_NOTFOUND;
+ - else
+ + if (name != NULL || strlen(name) <= 8)
+
+ So the intention is clearly to return an error for NULL name.
+
+ This patch duly inverts the sense of the conditional. It fixes the
+ build with GCC mainline, and passes usual glibc testsuite testing for
+ x86_64. However, I have not tried any actual substantive nisplus
+ testing, do not have an environment for such testing, and do not know
+ whether it is possible that strlen (name) or tablename_len might be
+ large so that the VLA for buf is actually a security issue. However,
+ if it is a security issue, there are plenty of other similar instances
+ in the nisplus code (that haven't been hidden by a bogus comparison
+ with NULL) - and nis_table.c:__create_ib_request uses strdupa on the
+ string passed to nis_list, so a local fix in the caller wouldn't
+ suffice anyway (see bug 20987). (Calls to strdupa and other such
+ macros that use alloca must be considered equally questionable
+ regarding stack overflow issues as direct calls to alloca and VLA
+ declarations.)
+
+ [BZ #20978]
+ * nis/nss_nisplus/nisplus-alias.c (_nss_nisplus_getaliasbyname_r):
+ Compare name == NULL, not name != NULL.
+
+diff --git a/nis/nss_nisplus/nisplus-alias.c b/nis/nss_nisplus/nisplus-alias.c
+index 7f698b4e6d..cb5acce01d 100644
+--- a/nis/nss_nisplus/nisplus-alias.c
++++ b/nis/nss_nisplus/nisplus-alias.c
+@@ -291,7 +291,7 @@ _nss_nisplus_getaliasbyname_r (const char *name, struct aliasent *alias,
+ return status;
+ }
+
+- if (name != NULL)
++ if (name == NULL)
+ {
+ *errnop = EINVAL;
+ return NSS_STATUS_UNAVAIL;
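Review bot: The inverted guard in _nss_nisplus_getaliasbyname_r changes runtime behaviour as well as fixing the build. Going by the code quoted in the message, the old test returned NSS_STATUS_UNAVAIL for every non-NULL `name` and let a NULL one reach `strlen`, so after this change the code below the guard runs for caller-supplied names. That includes `char buf[strlen (name) + 9 + tablename_len];`, whose stack size is then set by the caller's string. A header line in the carried patch would make this visible to toolchain users, e.g. `Backport note: also changes runtime behaviour; lookups with a non-NULL name now proceed past this check.` The function body starts and ends outside the hunk, and the same applies to the other copies of 940-nis-bogus-conditional.patch added in this commit.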