vapier      15/02/17 08:08:43

  Modified:             README.history
  Added:                00_all_0018-Update-Russian-translation.patch
                        
00_all_0019-Add-new-Linux-3.16-constants-to-netinet-udp.h.patch
                        
00_all_0020-Handle-zero-prefix-length-in-getifaddrs-BZ-17371.patch
                        
00_all_0021-Revert-to-defining-__extern_inline-only-for-gcc-4.3-.patch
                        
00_all_0022-Fix-memory-leak-in-libio-wfileops.c-do_ftell_wide-BZ.patch
                        
00_all_0023-Fix-memory-leak-in-error-path-of-do_ftell_wide-BZ-17.patch
                        00_all_0024-Update-French-translation.patch
                        
00_all_0025-BZ-17460-Fix-buffer-overrun-in-nscd-help.patch
                        
00_all_0026-MIPS-Avoid-a-dangling-vfork-GLIBC_2.0-reference.patch
                        
00_all_0027-AArch64-End-frame-record-chain-correctly.patch
                        
00_all_0028-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
                        00_all_0029-arm-drop-EABI-check.patch
                        
00_all_0030-Make-__extern_always_inline-usable-on-clang-again.patch
                        
00_all_0031-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch
                        
00_all_0032-Avoid-infinite-loop-in-nss_dns-getnetbyname-BZ-17630.patch
                        
00_all_0033-Move-findidx-nested-functions-to-top-level.patch
                        
00_all_0034-Fix-memory-handling-in-strxfrm_l-BZ-16009.patch
                        
00_all_0035-Use-AVX-unaligned-memcpy-only-if-AVX2-is-available.patch
                        
00_all_0036-CVE-2015-1472-wscanf-allocates-too-little-memory.patch
  Removed:              00_all_0018-arm-drop-EABI-check.patch
  Log:
  pull in upstream's glibc-2.20 branch fixes

Revision  Changes    Path
1.3                  src/patchsets/glibc/2.20/README.history

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/README.history?rev=1.3&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/README.history?rev=1.3&content-type=text/plain
diff : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/README.history?r1=1.2&r2=1.3

Index: README.history
===================================================================
RCS file: /var/cvsroot/gentoo/src/patchsets/glibc/2.20/README.history,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- README.history      31 Dec 2014 08:21:36 -0000      1.2
+++ README.history      17 Feb 2015 08:08:42 -0000      1.3
@@ -1,3 +1,24 @@
+4              17 Feb 2014
+       R 00_all_0018-arm-drop-EABI-check.patch -> 
00_all_0029-arm-drop-EABI-check.patch
+       + 00_all_0018-Update-Russian-translation.patch
+       + 00_all_0019-Add-new-Linux-3.16-constants-to-netinet-udp.h.patch
+       + 00_all_0020-Handle-zero-prefix-length-in-getifaddrs-BZ-17371.patch
+       + 00_all_0021-Revert-to-defining-__extern_inline-only-for-gcc-4.3-.patch
+       + 00_all_0022-Fix-memory-leak-in-libio-wfileops.c-do_ftell_wide-BZ.patch
+       + 00_all_0023-Fix-memory-leak-in-error-path-of-do_ftell_wide-BZ-17.patch
+       + 00_all_0024-Update-French-translation.patch
+       + 00_all_0025-BZ-17460-Fix-buffer-overrun-in-nscd-help.patch
+       + 00_all_0026-MIPS-Avoid-a-dangling-vfork-GLIBC_2.0-reference.patch
+       + 00_all_0027-AArch64-End-frame-record-chain-correctly.patch
+       + 00_all_0028-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
+       + 00_all_0030-Make-__extern_always_inline-usable-on-clang-again.patch
+       + 00_all_0031-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch
+       + 00_all_0032-Avoid-infinite-loop-in-nss_dns-getnetbyname-BZ-17630.patch
+       + 00_all_0033-Move-findidx-nested-functions-to-top-level.patch
+       + 00_all_0034-Fix-memory-handling-in-strxfrm_l-BZ-16009.patch
+       + 00_all_0035-Use-AVX-unaligned-memcpy-only-if-AVX2-is-available.patch
+       + 00_all_0036-CVE-2015-1472-wscanf-allocates-too-little-memory.patch
+
 3              30 Dec 2014
        + 00_all_0018-arm-drop-EABI-check.patch
 



1.1                  
src/patchsets/glibc/2.20/00_all_0018-Update-Russian-translation.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0018-Update-Russian-translation.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0018-Update-Russian-translation.patch?rev=1.1&content-type=text/plain

Index: 00_all_0018-Update-Russian-translation.patch
===================================================================
>From b735a759ef35d73f1cfc783187fe8281b75069ac Mon Sep 17 00:00:00 2001
From: Allan McRae <al...@archlinux.org>
Date: Sat, 13 Sep 2014 15:41:54 +1000
Subject: [PATCH] Update Russian translation

(cherry picked from commit d8f879ee3e4131542c2ac3d1d9db4cf12cb86729)
---
 ChangeLog |  4 ++++
 po/ru.po  | 10 +++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f343428..848e5c8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-09-13  Allan McRae  <al...@archlinux.org>
+
+       * po/ru.po: Update Russian translation from translation project.
+
 2014-09-07  Allan McRae  <al...@archlinux.org
 
        * version.h (RELEASE): Set to "stable".
diff --git a/po/ru.po b/po/ru.po
index 8596b47..d3d0973 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: libc 2.19.90\n"
 "POT-Creation-Date: 2014-08-09 17:06+1000\n"
-"PO-Revision-Date: 2014-08-21 14:55+0400\n"
+"PO-Revision-Date: 2014-09-10 16:38+0400\n"
 "Last-Translator: Yuri Kozlov <yu...@komyakino.ru>\n"
 "Language-Team: Russian <g...@mx.ru>\n"
 "Language: ru\n"
@@ -76,7 +76,7 @@ msgstr "Выдает краткую информацию об использов
 #: iconv/iconv_prog.c:60 iconv/iconv_prog.c:61 nscd/nscd.c:105
 #: nss/makedb.c:120
 msgid "NAME"
-msgstr "ФАЙЛ"
+msgstr "ИМЯ"
 
 #: argp/argp-parse.c:104
 msgid "Set the program name"
@@ -123,7 +123,7 @@ msgstr ""
 
 #: catgets/gencat.c:110
 msgid "Create C header file NAME containing symbol definitions"
-msgstr "Создает заголовочный ФАЙЛ на Си, содержащий определения символов."
+msgstr "Создает заголовочный файл с ИМЕНЕМ на Си, содержащий определения 
символов."
 
 #: catgets/gencat.c:112
 msgid "Do not use existing catalog, force new output file"
@@ -131,7 +131,7 @@ msgstr "Не использовать существующий каталог, 
 
 #: catgets/gencat.c:113 nss/makedb.c:120
 msgid "Write output to file NAME"
-msgstr "Записать вывод в ФАЙЛ"
+msgstr "Записать вывод в файл с ИМЕНЕМ"
 
 #: catgets/gencat.c:118
 msgid ""
@@ -4098,7 +4098,7 @@ msgstr "Перезагрузка «%s (%s,%s,%s)» в кэше netgroup!"
 
 #: nscd/nscd.c:106
 msgid "Read configuration data from NAME"
-msgstr "Читать конфигурационные данные из ФАЙЛА"
+msgstr "Читать конфигурационные данные из файла с ИМЕНЕМ"
 
 #: nscd/nscd.c:108
 msgid "Do not fork and display messages on the current tty"
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0019-Add-new-Linux-3.16-constants-to-netinet-udp.h.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0019-Add-new-Linux-3.16-constants-to-netinet-udp.h.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0019-Add-new-Linux-3.16-constants-to-netinet-udp.h.patch?rev=1.1&content-type=text/plain

Index: 00_all_0019-Add-new-Linux-3.16-constants-to-netinet-udp.h.patch
===================================================================
>From 3b016908924afb5ef71ac874bedf8c6f0157941c Mon Sep 17 00:00:00 2001
From: Joseph Myers <jos...@codesourcery.com>
Date: Fri, 12 Sep 2014 12:13:08 +0000
Subject: [PATCH] Add new Linux 3.16 constants to netinet/udp.h.

This patch adds the new constants UDP_NO_CHECK6_TX and
UDP_NO_CHECK6_RX from Linux 3.16 to sysdeps/gnu/netinet/udp.h.  (I
believe the existing constants there are already Linux-specific,
possibly with the intention that other OSes should adopt the same
values if possible if adopting the features in question.)

Tested on x86_64.

        * sysdeps/gnu/netinet/udp.h (UDP_NO_CHECK6_TX): New macro.
        (UDP_NO_CHECK6_RX): Likewise.

(cherry picked from commit 0bd72468030947254e7de183cac1014dac884475)
---
 ChangeLog                 | 5 +++++
 sysdeps/gnu/netinet/udp.h | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 848e5c8..cc99818 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-09-12  Joseph Myers  <jos...@codesourcery.com>
+
+       * sysdeps/gnu/netinet/udp.h (UDP_NO_CHECK6_TX): New macro.
+       (UDP_NO_CHECK6_RX): Likewise.
+
 2014-09-13  Allan McRae  <al...@archlinux.org>
 
        * po/ru.po: Update Russian translation from translation project.
diff --git a/sysdeps/gnu/netinet/udp.h b/sysdeps/gnu/netinet/udp.h
index 32159cd..8cc1c60 100644
--- a/sysdeps/gnu/netinet/udp.h
+++ b/sysdeps/gnu/netinet/udp.h
@@ -78,6 +78,10 @@ struct udphdr
 #define UDP_CORK       1       /* Never send partially complete segments.  */
 #define UDP_ENCAP      100     /* Set the socket to accept
                                   encapsulated packets.  */
+#define UDP_NO_CHECK6_TX 101   /* Disable sending checksum for UDP
+                                  over IPv6.  */
+#define UDP_NO_CHECK6_RX 102   /* Disable accepting checksum for UDP
+                                  over IPv6.  */
 
 /* UDP encapsulation types */
 #define UDP_ENCAP_ESPINUDP_NON_IKE 1   /* draft-ietf-ipsec-nat-t-ike-00/01 */
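Review bot: The comment added for `UDP_NO_CHECK6_RX` ("Disable accepting checksum for UDP over IPv6") can be read as refusing checksummed datagrams. As far as I know, the Linux option instead lets the socket accept IPv6 UDP datagrams whose checksum field is zero. Wording such as `/* Accept UDP over IPv6 datagrams with a zero checksum.  */` and, for `UDP_NO_CHECK6_TX`, `/* Send UDP over IPv6 without a checksum.  */` would say this directly. Both options remove an integrity check on the datagram, and the header comment is where a caller will look to find that out.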
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0020-Handle-zero-prefix-length-in-getifaddrs-BZ-17371.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0020-Handle-zero-prefix-length-in-getifaddrs-BZ-17371.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0020-Handle-zero-prefix-length-in-getifaddrs-BZ-17371.patch?rev=1.1&content-type=text/plain

Index: 00_all_0020-Handle-zero-prefix-length-in-getifaddrs-BZ-17371.patch
===================================================================
>From ea5509237291f1a109d46052353ece197f4213bc Mon Sep 17 00:00:00 2001
From: Andreas Schwab <sch...@linux-m68k.org>
Date: Sat, 13 Sep 2014 10:10:29 +0200
Subject: [PATCH] Handle zero prefix length in getifaddrs (BZ #17371)

(cherry picked from commit a7b872687073decdcc7effc2289877d69058aca9)

Conflicts:
        NEWS
---
 ChangeLog                         |  6 ++++++
 NEWS                              |  6 ++++++
 sysdeps/unix/sysv/linux/ifaddrs.c | 11 ++++-------
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index cc99818..ed6b9ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2014-09-15  Andreas Schwab  <sch...@linux-m68k.org>
+
+       [BZ #17371]
+       * sysdeps/unix/sysv/linux/ifaddrs.c (getifaddrs_internal): Fix
+       last change to handle zero prefix length.
+
 2014-09-12  Joseph Myers  <jos...@codesourcery.com>
 
        * sysdeps/gnu/netinet/udp.h (UDP_NO_CHECK6_TX): New macro.
diff --git a/NEWS b/NEWS
index 721b457..3373c96 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,12 @@ See the end for copying conditions.
 Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
 using `glibc' in the "product" field.
 
+Version 2.20.1
+
+* The following bugs are resolved with this release:
+
+  17371.
+
 Version 2.20
 
 * The following bugs are resolved with this release:
diff --git a/sysdeps/unix/sysv/linux/ifaddrs.c 
b/sysdeps/unix/sysv/linux/ifaddrs.c
index 2c04e17..a47b2ed 100644
--- a/sysdeps/unix/sysv/linux/ifaddrs.c
+++ b/sysdeps/unix/sysv/linux/ifaddrs.c
@@ -770,20 +770,17 @@ getifaddrs_internal (struct ifaddrs **ifap)
 
                  if (cp != NULL)
                    {
-                     char c;
                      unsigned int preflen;
 
-                     if ((max_prefixlen > 0) &&
-                         (ifam->ifa_prefixlen > max_prefixlen))
+                     if (ifam->ifa_prefixlen > max_prefixlen)
                        preflen = max_prefixlen;
                      else
                        preflen = ifam->ifa_prefixlen;
 
-                     for (i = 0; i < ((preflen - 1) / 8); i++)
+                     for (i = 0; i < preflen / 8; i++)
                        *cp++ = 0xff;
-                     c = 0xff;
-                     c <<= ((128 - preflen) % 8);
-                     *cp = c;
+                     if (preflen % 8)
+                       *cp = 0xff << (8 - preflen % 8);
                    }
                }
            }
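Review bot: The fill loop `for (i = 0; i < preflen / 8; i++) *cp++ = 0xff;` is bounded only by `max_prefixlen`, which is assigned outside this hunk, so nothing visible here ties the number of bytes written to the size of the buffer `cp` points into. A comment above the clamp such as `/* max_prefixlen is the bit width of the address buffer at cp; the clamp keeps the mask inside it.  */` would record that invariant; this is what the clamp presumably relies on, so confirm it against the earlier assignment in getifaddrs_internal. Separately, `0xff << (8 - preflen % 8)` is an int wider than one byte that is narrowed implicitly on the store, and `*cp = (0xff << (8 - preflen % 8)) & 0xff;` would make the truncation explicit. The function body starts and ends outside the hunk.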
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0021-Revert-to-defining-__extern_inline-only-for-gcc-4.3-.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0021-Revert-to-defining-__extern_inline-only-for-gcc-4.3-.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0021-Revert-to-defining-__extern_inline-only-for-gcc-4.3-.patch?rev=1.1&content-type=text/plain

Index: 00_all_0021-Revert-to-defining-__extern_inline-only-for-gcc-4.3-.patch
===================================================================
>From 979add9f87577c10c629af82586e48b686672134 Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddh...@redhat.com>
Date: Tue, 16 Sep 2014 14:14:11 +0530
Subject: [PATCH] Revert to defining __extern_inline only for gcc-4.3+ (BZ
 #17266)

The check for only __GNUC_STDC_INLINE__ and __GNUC_GNU_INLINE__ may
not be sufficient since those flags were added during initial support
for C99 inlining semantics.  There is also a problem with always
defining __extern_inline and __extern_always_inline, since it enables
inline wrapper functions even when GNU inlining semantics are not
guaranteed.  This, along with the possibility of such wrappers using
redirection (btowc for example) could result in compiler generating an
infinitely recursive call to the function.

In fact it was such a recursion that led to this code being written
the way it was; see:

https://bugzilla.redhat.com/show_bug.cgi?id=186410

The initial change was to fix bugs 14530 and 13741, but they can be
resolved by checking if __fortify_function and/or
__extern_always_inline are defined, as it has been done in this patch.
In addition, I have audited uses of __extern_always_inline to make
sure that none of the uses result in compilation errors.

There is however a regression in this patch for llvm, since it reverts
the llvm expectation that __GNUC_STDC_INLINE__ or __GNUC_GNU_INLINE__
definition imply proper extern inline semantics.

2014-09-16  Siddhesh Poyarekar  <siddh...@redhat.com>
            Jakub Jelinek  <ja...@redhat.com>

        [BZ #17266]
        * libio/stdio.h: Check definition of __fortify_function
        instead of __extern_always_inline to include bits/stdio2.h.
        * math/bits/math-finite.h [__USE_XOPEN || __USE_ISOC99]: Also
        check if __extern_always_inline is defined.
        [__USE_MISC || __USE_XOPEN]: Likewise.
        [__USE_ISOC99] Likewise.
        * misc/sys/cdefs.h (__fortify_function): Define only if
        __extern_always_inline is defined.
        [!__cplusplus || __GNUC_PREREQ (4,3)]: Revert to defining
        __extern_always_inline and __extern_inline only for g++-4.3
        and newer or a compatible gcc.
---
 ChangeLog               | 16 ++++++++++++++++
 NEWS                    |  2 +-
 libio/stdio.h           |  2 +-
 math/bits/math-finite.h |  8 +++++---
 misc/sys/cdefs.h        | 21 +++++++++++----------
 5 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ed6b9ab..f456c1a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2014-09-16  Siddhesh Poyarekar  <siddh...@redhat.com>
+           Jakub Jelinek  <ja...@redhat.com>
+
+       [BZ #17266]
+       * libio/stdio.h: Check definition of __fortify_function
+       instead of __extern_always_inline to include bits/stdio2.h.
+       * math/bits/math-finite.h [__USE_XOPEN || __USE_ISOC99]: Also
+       check if __extern_always_inline is defined.
+       [__USE_MISC || __USE_XOPEN]: Likewise.
+       [__USE_ISOC99] Likewise.
+       * misc/sys/cdefs.h (__fortify_function): Define only if
+       __extern_always_inline is defined.
+       [!__cplusplus || __GNUC_PREREQ (4,3)]: Revert to defining
+       __extern_always_inline and __extern_inline only for g++-4.3
+       and newer or a compatible gcc.
+
 2014-09-15  Andreas Schwab  <sch...@linux-m68k.org>
 
        [BZ #17371]
diff --git a/NEWS b/NEWS
index 3373c96..a9991cc 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  17371.
+  17266, 17371.
 
 Version 2.20
 
diff --git a/libio/stdio.h b/libio/stdio.h
index d8c0bdb..1f4f837 100644
--- a/libio/stdio.h
+++ b/libio/stdio.h
@@ -932,7 +932,7 @@ extern void funlockfile (FILE *__stream) __THROW;
 #ifdef __USE_EXTERN_INLINES
 # include <bits/stdio.h>
 #endif
-#if __USE_FORTIFY_LEVEL > 0 && defined __extern_always_inline
+#if __USE_FORTIFY_LEVEL > 0 && defined __fortify_function
 # include <bits/stdio2.h>
 #endif
 #ifdef __LDBL_COMPAT
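Review bot: With the guard changed to `defined __fortify_function`, a build that requests fortification (`__USE_FORTIFY_LEVEL > 0`) with a compiler for which `__extern_always_inline` is left undefined now skips `bits/stdio2.h` with no diagnostic, so the hardening is dropped silently. The last misc/sys/cdefs.h hunk of this patch is where `__fortify_function` becomes conditional (`#ifdef __extern_always_inline`), and the commit message itself describes an llvm regression. A comment above this guard would make the consequence visible to anyone auditing hardening flags, for example `/* If __fortify_function is undefined (see <sys/cdefs.h>), the fortified wrappers are not declared even though _FORTIFY_SOURCE was requested.  */`. The file list on this page names a later patch, 0030, about clang; its content is not visible here, so whether it restores the wrappers should be checked.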
diff --git a/math/bits/math-finite.h b/math/bits/math-finite.h
index aa755de..0656645 100644
--- a/math/bits/math-finite.h
+++ b/math/bits/math-finite.h
@@ -251,7 +251,8 @@ extern long double __REDIRECT_NTH (lgammal_r, (long double, 
int *),
 # endif
 #endif
 
-#if defined __USE_XOPEN || defined __USE_ISOC99
+#if ((defined __USE_XOPEN || defined __USE_ISOC99) \
+     && defined __extern_always_inline)
 /* lgamma.  */
 __extern_always_inline double __NTH (lgamma (double __d))
 {
@@ -284,7 +285,8 @@ __extern_always_inline long double __NTH (lgammal (long 
double __d))
 # endif
 #endif
 
-#if defined __USE_MISC || defined __USE_XOPEN
+#if ((defined __USE_MISC || defined __USE_XOPEN) \
+     && defined __extern_always_inline)
 /* gamma.  */
 __extern_always_inline double __NTH (gamma (double __d))
 {
@@ -422,7 +424,7 @@ extern long double __REDIRECT_NTH (sqrtl, (long double), 
__sqrtl_finite);
 # endif
 #endif
 
-#ifdef __USE_ISOC99
+#if defined __USE_ISOC99 && defined __extern_always_inline
 /* tgamma.  */
 extern double __gamma_r_finite (double, int *);
 __extern_always_inline double __NTH (tgamma (double __d))
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index 04db956..01e81ba 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -131,7 +131,6 @@
 /* Fortify support.  */
 #define __bos(ptr) __builtin_object_size (ptr, __USE_FORTIFY_LEVEL > 1)
 #define __bos0(ptr) __builtin_object_size (ptr, 0)
-#define __fortify_function __extern_always_inline __attribute_artificial__
 
 #if __GNUC_PREREQ (4,3)
 # define __warndecl(name, msg) \
@@ -318,12 +317,13 @@
 # define __attribute_artificial__ /* Ignore */
 #endif
 
-#ifdef __GNUC__
-/* One of these will be defined if the __gnu_inline__ attribute is
-   available.  In C++, __GNUC_GNU_INLINE__ will be defined even though
-   __inline does not use the GNU inlining rules.  If neither macro is
-   defined, this version of GCC only supports GNU inline semantics. */
-# if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__
+/* GCC 4.3 and above with -std=c99 or -std=gnu99 implements ISO C99
+   inline semantics, unless -fgnu89-inline is used.  Using __GNUC_STDC_INLINE__
+   or __GNUC_GNU_INLINE is not a good enough check for gcc because gcc versions
+   older than 4.3 may define these macros and still not guarantee GNU inlining
+   semantics.  */
+#if !defined __cplusplus || __GNUC_PREREQ (4,3)
+# if defined __GNUC_STDC_INLINE__ || defined __cplusplus
 #  define __extern_inline extern __inline __attribute__ ((__gnu_inline__))
 #  define __extern_always_inline \
   extern __always_inline __attribute__ ((__gnu_inline__))
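Review bot: The new comment spells the macro as `__GNUC_GNU_INLINE`, without the trailing underscores; the removed lines and the commit message both use `__GNUC_GNU_INLINE__`, so the comment names an identifier that does not exist. The comment also explains only the GCC 4.3 threshold, while the condition `#if !defined __cplusplus || __GNUC_PREREQ (4,3)` lets every C compiler through. It would help to add a sentence such as `In C the macros are always defined; in C++ they are defined only for g++ 4.3 and newer or a compiler reporting that version.` This block continues into the next hunk, where the matching `#endif` is added.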
@@ -331,9 +331,10 @@
 #  define __extern_inline extern __inline
 #  define __extern_always_inline extern __always_inline
 # endif
-#else /* Not GCC.  */
-# define __extern_inline  /* Ignore */
-# define __extern_always_inline /* Ignore */
+#endif
+
+#ifdef __extern_always_inline
+# define __fortify_function __extern_always_inline __attribute_artificial__
 #endif
 
 /* GCC 4.3 and above allow passing all anonymous arguments of an
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0022-Fix-memory-leak-in-libio-wfileops.c-do_ftell_wide-BZ.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0022-Fix-memory-leak-in-libio-wfileops.c-do_ftell_wide-BZ.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0022-Fix-memory-leak-in-libio-wfileops.c-do_ftell_wide-BZ.patch?rev=1.1&content-type=text/plain

Index: 00_all_0022-Fix-memory-leak-in-libio-wfileops.c-do_ftell_wide-BZ.patch
===================================================================
>From d2c37d028d48337d00200248340de0e4a893456b Mon Sep 17 00:00:00 2001
From: Tim Lammens <tim.lamm...@gmail.com>
Date: Thu, 11 Sep 2014 10:35:54 +0530
Subject: [PATCH] Fix memory leak in libio/wfileops.c do_ftell_wide [BZ #17370]

(cherry picked from commit 984c0ea97f649c869130a1ff099098e2b6f70aad)

Conflicts:
        NEWS
---
 ChangeLog        | 5 +++++
 NEWS             | 2 +-
 libio/wfileops.c | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index f456c1a..9ebf81e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-09-11  Tim Lammens  <tim.lamm...@gmail.com>
+
+       [BZ #17370]
+       * libio/wfileops (do_ftell_wide): Free OUT.
+
 2014-09-16  Siddhesh Poyarekar  <siddh...@redhat.com>
            Jakub Jelinek  <ja...@redhat.com>
 
diff --git a/NEWS b/NEWS
index a9991cc..c555f75 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  17266, 17371.
+  17266, 17370, 17371.
 
 Version 2.20
 
diff --git a/libio/wfileops.c b/libio/wfileops.c
index f123add..ebc06e8 100644
--- a/libio/wfileops.c
+++ b/libio/wfileops.c
@@ -711,6 +711,7 @@ do_ftell_wide (_IO_FILE *fp)
                return WEOF;
 
              offset += outstop - out;
+             free (out);
            }
 
          /* We don't trust _IO_read_end to represent the current file offset
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0023-Fix-memory-leak-in-error-path-of-do_ftell_wide-BZ-17.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0023-Fix-memory-leak-in-error-path-of-do_ftell_wide-BZ-17.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0023-Fix-memory-leak-in-error-path-of-do_ftell_wide-BZ-17.patch?rev=1.1&content-type=text/plain

Index: 00_all_0023-Fix-memory-leak-in-error-path-of-do_ftell_wide-BZ-17.patch
===================================================================
>From 4adf2992ac7ebf6720d8d56589eb297f5215730c Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddh...@redhat.com>
Date: Tue, 16 Sep 2014 14:20:45 +0530
Subject: [PATCH] Fix memory leak in error path of do_ftell_wide (BZ #17370)

(cherry picked from commit 545583d664b64ff234b99aca0d85e99c8a55808f)
---
 ChangeLog        | 5 +++++
 libio/wfileops.c | 5 ++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 9ebf81e..890c3c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-09-16  Siddhesh Poyarekar  <siddh...@redhat.com>
+
+       [BZ #17370]
+       * libio/wfileops.c (do_ftell_wide): Free OUT on error path.
+
 2014-09-11  Tim Lammens  <tim.lamm...@gmail.com>
 
        [BZ #17370]
diff --git a/libio/wfileops.c b/libio/wfileops.c
index ebc06e8..c5ec5f7 100644
--- a/libio/wfileops.c
+++ b/libio/wfileops.c
@@ -708,7 +708,10 @@ do_ftell_wide (_IO_FILE *fp)
                 sequences must be complete since they are accepted as
                 wchar_t; if not, then that is an error.  */
              if (__glibc_unlikely (status != __codecvt_ok))
-               return WEOF;
+               {
+                 free (out);
+                 return WEOF;
+               }
 
              offset += outstop - out;
              free (out);
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0024-Update-French-translation.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0024-Update-French-translation.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0024-Update-French-translation.patch?rev=1.1&content-type=text/plain

Index: 00_all_0024-Update-French-translation.patch
===================================================================
>From 2930c79afaf31158f990949cbb7cd6c03d9c0d74 Mon Sep 17 00:00:00 2001
From: Allan McRae <al...@archlinux.org>
Date: Thu, 9 Oct 2014 22:11:30 +1000
Subject: [PATCH] Update French translation

(cherry picked from commit b6dcfe8c2408958be246dd61f1c5415ed7667a2a)
---
 ChangeLog | 4 ++++
 po/fr.po  | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 890c3c6..81641a9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-10-09  Allan McRae  <al...@archlinux.org>
+
+       * po/fr.po: Update French translation from translation project.
+
 2014-09-16  Siddhesh Poyarekar  <siddh...@redhat.com>
 
        [BZ #17370]
diff --git a/po/fr.po b/po/fr.po
index fbf564a..bb7a924 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -6673,11 +6673,11 @@ msgstr "Erreur d'entrée/sortie sur l'hôte cible"
 
 #: sysdeps/gnu/errlist.c:1399
 msgid "No medium found"
-msgstr "Aucun medium trouvé"
+msgstr "Aucun médium trouvé"
 
 #: sysdeps/gnu/errlist.c:1407
 msgid "Wrong medium type"
-msgstr "Mauvais type de medium"
+msgstr "Mauvais type de médium"
 
 #: sysdeps/gnu/errlist.c:1415
 msgid "Required key not available"
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0025-BZ-17460-Fix-buffer-overrun-in-nscd-help.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0025-BZ-17460-Fix-buffer-overrun-in-nscd-help.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0025-BZ-17460-Fix-buffer-overrun-in-nscd-help.patch?rev=1.1&content-type=text/plain

Index: 00_all_0025-BZ-17460-Fix-buffer-overrun-in-nscd-help.patch
===================================================================
>From 1b198b7fc764c013d41d1bd7b83fed0ad3dee038 Mon Sep 17 00:00:00 2001
From: Roland McGrath <rol...@hack.frob.com>
Date: Wed, 8 Oct 2014 15:36:12 -0700
Subject: [PATCH] BZ#17460: Fix buffer overrun in nscd --help.

(cherry picked from commit c763c5d27112be055920c46f3be8d05bc8b669da)

Conflicts:
        NEWS
---
 ChangeLog        |  8 ++++++++
 NEWS             |  2 +-
 nscd/nscd.c      | 45 ++++++++++++++++++++++++---------------------
 nscd/nscd_conf.c |  3 ---
 4 files changed, 33 insertions(+), 25 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 81641a9..0f9a3e1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2014-10-08  Roland McGrath  <rol...@hack.frob.com>
+
+       [BZ #17460]
+       * nscd/nscd.c (more_help): Rewrite list of tables collection
+       using xstrdup and asprintf.
+
+       * nscd/nscd_conf.c: Remove local xstrdup declaration.
+
 2014-10-09  Allan McRae  <al...@archlinux.org>
 
        * po/fr.po: Update French translation from translation project.
diff --git a/NEWS b/NEWS
index c555f75..a1d3053 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  17266, 17370, 17371.
+  17266, 17370, 17371, 17460.
 
 Version 2.20
 
diff --git a/nscd/nscd.c b/nscd/nscd.c
index 7131ead..b7704b3 100644
--- a/nscd/nscd.c
+++ b/nscd/nscd.c
@@ -451,33 +451,36 @@ parse_opt (int key, char *arg, struct argp_state *state)
 static char *
 more_help (int key, const char *text, void *input)
 {
-  char *tables, *tp = NULL;
-
   switch (key)
     {
     case ARGP_KEY_HELP_EXTRA:
       {
-       dbtype cnt;
+       /* We print some extra information.  */
 
-       tables = xmalloc (sizeof (dbnames) + 1);
-       for (cnt = 0; cnt < lastdb; cnt++)
+       char *tables = xstrdup (dbnames[0]);
+       for (dbtype i = 1; i < lastdb; ++i)
          {
-           strcat (tables, dbnames[cnt]);
-           strcat (tables, " ");
+           char *more_tables;
+           if (asprintf (&more_tables, "%s %s", tables, dbnames[i]) < 0)
+             more_tables = NULL;
+           free (tables);
+           if (more_tables == NULL)
+             return NULL;
+           tables = more_tables;
          }
-      }
 
-      /* We print some extra information.  */
-      if (asprintf (&tp, gettext ("\
+       char *tp;
+       if (asprintf (&tp, gettext ("\
 Supported tables:\n\
 %s\n\
 \n\
 For bug reporting instructions, please see:\n\
 %s.\n\
 "), tables, REPORT_BUGS_TO) < 0)
-       tp = NULL;
-      free (tables);
-      return tp;
+         tp = NULL;
+       free (tables);
+       return tp;
+      }
 
     default:
       break;
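Review bot: The rewritten `ARGP_KEY_HELP_EXTRA` case starts from `xstrdup (dbnames[0])`, so it assumes `lastdb` is at least 1, and it returns heap strings or NULL without saying who owns the result. A short comment at the top of the case would cover both, for example `/* Build a space-separated list of dbnames; assumes lastdb >= 1.  The result is malloc'd and released by the caller; NULL on allocation failure.  */`. As far as I know argp frees a filter result that differs from TEXT, but that should be confirmed against the argp documentation. The `more_tables = NULL` assignment after a failed `asprintf` is needed because the pointer is otherwise indeterminate, and a brief why-comment there would stop it being "simplified" away later. more_help continues past the end of the hunk.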
@@ -622,15 +625,15 @@ monitor_child (int fd)
        }
 
       if (WIFEXITED (status))
-        {
-          child_ret = WEXITSTATUS (status);
-          fprintf (stderr, _("child exited with status %d\n"), child_ret);
-        }
+       {
+         child_ret = WEXITSTATUS (status);
+         fprintf (stderr, _("child exited with status %d\n"), child_ret);
+       }
       if (WIFSIGNALED (status))
-        {
-          child_ret = WTERMSIG (status);
-          fprintf (stderr, _("child terminated by signal %d\n"), child_ret);
-        }
+       {
+         child_ret = WTERMSIG (status);
+         fprintf (stderr, _("child terminated by signal %d\n"), child_ret);
+       }
     }
 
   /* We have the child status, so exit with that code.  */
diff --git a/nscd/nscd_conf.c b/nscd/nscd_conf.c
index 7856ed9..c8e194d 100644
--- a/nscd/nscd_conf.c
+++ b/nscd/nscd_conf.c
@@ -32,9 +32,6 @@
 #include "dbg_log.h"
 #include "nscd.h"
 
-/* Wrapper functions with error checking for standard functions.  */
-extern char *xstrdup (const char *s);
-
 
 /* Names of the databases.  */
 const char *const dbnames[lastdb] =
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0026-MIPS-Avoid-a-dangling-vfork-GLIBC_2.0-reference.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0026-MIPS-Avoid-a-dangling-vfork-GLIBC_2.0-reference.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0026-MIPS-Avoid-a-dangling-vfork-GLIBC_2.0-reference.patch?rev=1.1&content-type=text/plain

Index: 00_all_0026-MIPS-Avoid-a-dangling-vfork-GLIBC_2.0-reference.patch
===================================================================
>From c14e752fc73d34c75d4f84f37fea8e0b1734cf98 Mon Sep 17 00:00:00 2001
From: "Maciej W. Rozycki" <ma...@codesourcery.com>
Date: Wed, 22 Oct 2014 15:20:37 +0100
Subject: [PATCH] MIPS: Avoid a dangling `vfork@GLIBC_2.0' reference

This satisfies a symbol reference created with:

        .symver __libc_vfork, vfork@GLIBC_2.0

where `__libc_vfork' has not been defined or referenced.  In this case
the `vfork@GLIBC_2.0' reference is supposed to be discarded, however a
bug present in GAS since forever causes an undefined symbol table entry
to be created.  This in turn triggers a problem in the linker that can
manifest itself by link errors such as:

ld: libpthread.so: invalid string offset 2765592330 >= 5154 for section 
`.dynstr'

The GAS and linker bugs need to be resolved, but we can avoid them too
by providing a `__libc_vfork' definition just like our other platforms.

        [BZ #17485]
        * sysdeps/unix/sysv/linux/mips/vfork.S (__libc_vfork): Define.

(cherry picked from commit b5af9297d51a43f96c5be1bafab032184690dd6f)

Conflicts:
        NEWS
---
 ChangeLog                            | 5 +++++
 NEWS                                 | 2 +-
 sysdeps/unix/sysv/linux/mips/vfork.S | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 0f9a3e1..26ef072 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-10-22  Maciej W. Rozycki  <ma...@codesourcery.com>
+
+       [BZ #17485]
+       * sysdeps/unix/sysv/linux/mips/vfork.S (__libc_vfork): Define.
+
 2014-10-08  Roland McGrath  <rol...@hack.frob.com>
 
        [BZ #17460]
diff --git a/NEWS b/NEWS
index a1d3053..29229d7 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  17266, 17370, 17371, 17460.
+  17266, 17370, 17371, 17460, 17485.
 
 Version 2.20
 
diff --git a/sysdeps/unix/sysv/linux/mips/vfork.S 
b/sysdeps/unix/sysv/linux/mips/vfork.S
index 80c362d..2c1a747 100644
--- a/sysdeps/unix/sysv/linux/mips/vfork.S
+++ b/sysdeps/unix/sysv/linux/mips/vfork.S
@@ -108,3 +108,4 @@ L(error):
 
 libc_hidden_def(__vfork)
 weak_alias (__vfork, vfork)
+strong_alias (__vfork, __libc_vfork)
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0027-AArch64-End-frame-record-chain-correctly.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0027-AArch64-End-frame-record-chain-correctly.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0027-AArch64-End-frame-record-chain-correctly.patch?rev=1.1&content-type=text/plain

Index: 00_all_0027-AArch64-End-frame-record-chain-correctly.patch
===================================================================
>From e42643491c47dcd1c226b4f00f716023e9bcc5ca Mon Sep 17 00:00:00 2001
From: Renlin Li <renlin...@arm.com>
Date: Tue, 11 Nov 2014 15:18:04 +0000
Subject: [PATCH] [AArch64] End frame record chain correctly.

---
 ChangeLog               | 5 +++++
 NEWS                    | 2 +-
 sysdeps/aarch64/start.S | 1 -
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 26ef072..31139c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-11-10  Renlin Li  <renlin...@arm.com>
+
+       [BZ #17555]
+       * sysdeps/aarch64/start.S (_start): Delete x29 overwritten assignment.
+
 2014-10-22  Maciej W. Rozycki  <ma...@codesourcery.com>
 
        [BZ #17485]
diff --git a/NEWS b/NEWS
index 29229d7..1df7f5e 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  17266, 17370, 17371, 17460, 17485.
+  17266, 17370, 17371, 17460, 17485, 17555.
 
 Version 2.20
 
diff --git a/sysdeps/aarch64/start.S b/sysdeps/aarch64/start.S
index 35d603a..69b45ea 100644
--- a/sysdeps/aarch64/start.S
+++ b/sysdeps/aarch64/start.S
@@ -47,7 +47,6 @@ _start:
        /* Create an initial frame with 0 LR and FP */
        mov     x29, #0
        mov     x30, #0
-       mov     x29, sp
 
        /* Setup rtld_fini in argument register */
        mov     x5, x0
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0028-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0028-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0028-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch?rev=1.1&content-type=text/plain

Index: 00_all_0028-CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
===================================================================
>From 33ceaf6187b31ea15284ac65131749e1cb68d2ae Mon Sep 17 00:00:00 2001
From: Carlos O'Donell <car...@redhat.com>
Date: Wed, 19 Nov 2014 11:44:12 -0500
Subject: [PATCH] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.

The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
expression are evaluated in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.

We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.

On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).

Tested on x86_64 with no regressions.

(cherry picked from commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c)
---
 ChangeLog            | 22 ++++++++++++++++++++++
 NEWS                 |  9 ++++++++-
 posix/wordexp-test.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
 posix/wordexp.c      | 16 ++++------------
 4 files changed, 78 insertions(+), 13 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 31139c1..f9f3407 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,25 @@
+2014-11-19  Carlos O'Donell  <car...@redhat.com>
+           Florian Weimer  <fwei...@redhat.com>
+           Joseph Myers  <jos...@codesourcery.com>
+           Adam Conrad  <adcon...@0c3.net>
+           Andreas Schwab  <sch...@suse.de>
+           Brooks  <bmo...@google.com>
+
+       [BZ #17625]
+       * wordexp-test.c (__dso_handle): Add prototype.
+       (__register_atfork): Likewise.
+       (__app_register_atfork): New function.
+       (registered_forks): New global.
+       (register_fork): New function.
+       (test_case): Add 3 new tests for WRDE_CMDSUB.
+       (main): Call __app_register_atfork.
+       (testit): If WRDE_NOCMD set registered_forks to zero, run test, and if
+       fork count is non-zero fail the test.
+       * posix/wordexp.c (exec_comm): Return WRDE_CMDSUB if WRDE_NOCMD flag
+       is set.
+       (parse_dollars): Remove check for WRDE_NOCMD.
+       (parse_dquote): Likewise.
+
 2014-11-10  Renlin Li  <renlin...@arm.com>
 
        [BZ #17555]
diff --git a/NEWS b/NEWS
index 1df7f5e..3de92cd 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,14 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  17266, 17370, 17371, 17460, 17485, 17555.
+  17266, 17370, 17371, 17460, 17485, 17555, 17625.
+
+* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
+  under certain input conditions resulting in the execution of a shell for
+  command substitution when the applicaiton did not request it. The
+  implementation now checks WRDE_NOCMD immediately before executing the
+  shell and returns the error WRDE_CMDSUB as expected.
+
 
 Version 2.20
 
diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index 4957006..bdd65e4 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -27,6 +27,25 @@
 
 #define IFS " \n\t"
 
+extern void *__dso_handle __attribute__ ((__weak__, __visibility__ 
("hidden")));
+extern int __register_atfork (void (*) (void), void (*) (void), void (*) 
(void), void *);
+
+static int __app_register_atfork (void (*prepare) (void), void (*parent) 
(void), void (*child) (void))
+{
+  return __register_atfork (prepare, parent, child,
+                           &__dso_handle == NULL ? NULL : __dso_handle);
+}
+
+/* Number of forks seen.  */
+static int registered_forks;
+
+/* For each fork increment the fork count.  */
+static void
+register_fork (void)
+{
+  registered_forks++;
+}
+
 struct test_case_struct
 {
   int retval;
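Review bot: The comments on `registered_forks` and `register_fork` say only "forks seen", but `main` installs the handler as the atfork prepare callback, so it counts only process creation that runs atfork handlers. The comment on the counter should state that limit, e.g. `/* Bumped by the atfork prepare handler; a shell started through vfork would not be counted.  */`, which is the heuristic the commit message already admits. The definition of `struct test_case_struct` continues outside the hunk.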
@@ -206,6 +225,12 @@ struct test_case_struct
     { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
     { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
     { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
+    /* Test for CVE-2014-7817. We test 3 combinations of command
+       substitution inside an arithmetic expression to make sure that
+       no commands are executed and error is returned.  */
+    { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
+    { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
+    { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS 
},
 
     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
   };
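Review bot: All three added cases put a backtick substitution inside `$((...))`; none nests the `$(...)` form, whose WRDE_NOCMD check in parse_dollars this same commit removes. A fourth entry such as `{ WRDE_CMDSUB, NULL, "$(($(echo 1)))", WRDE_NOCMD, 0, { NULL, }, IFS },` would pin that path to the new guard in exec_comm as well. Whether an existing entry already covers `$(...)` under WRDE_NOCMD cannot be seen here, because the table starts outside the hunk.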
@@ -258,6 +283,15 @@ main (int argc, char *argv[])
          return -1;
     }
 
+  /* If we are not allowed to do command substitution, we install
+     fork handlers to verify that no forks happened.  No forks should
+     happen at all if command substitution is disabled.  */
+  if (__app_register_atfork (register_fork, NULL, NULL) != 0)
+    {
+      printf ("Failed to register fork handler.\n");
+      return -1;
+    }
+
   for (test = 0; test_case[test].retval != -1; test++)
     if (testit (&test_case[test]))
       ++fail;
@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
 
   printf ("Test %d (%s): ", ++tests, tc->words);
 
+  if (tc->flags & WRDE_NOCMD)
+    registered_forks = 0;
+
   if (tc->flags & WRDE_APPEND)
     {
       /* initial wordexp() call, to be appended to */
@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
     }
   retval = wordexp (tc->words, &we, tc->flags);
 
+  if ((tc->flags & WRDE_NOCMD)
+      && (registered_forks > 0))
+    {
+         printf ("FAILED fork called for WRDE_NOCMD\n");
+         return 1;
+    }
+
   if (tc->flags & WRDE_DOOFFS)
       start_offs = sav_we.we_offs;
 
diff --git a/posix/wordexp.c b/posix/wordexp.c
index b6b65dd..26f3a26 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, 
size_t *max_length,
   pid_t pid;
   int noexec = 0;
 
+  /* Do nothing if command substitution should not succeed.  */
+  if (flags & WRDE_NOCMD)
+    return WRDE_CMDSUB;
+
   /* Don't fork() unless necessary */
   if (!comm || !*comm)
     return 0;
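Review bot: The new comment in exec_comm does not say that this test is now the only WRDE_NOCMD enforcement left in the file, which is what a maintainer most needs to know, since the later hunks delete the checks in parse_dollars, parse_dquote and wordexp. I would word it as `/* Sole WRDE_NOCMD check: exec_comm is the only place a shell is started, so refuse here before anything can fork.  */` and keep it ahead of the `!comm || !*comm` shortcut so an empty command is refused as well. exec_comm's body and its callers lie outside the hunk, so whether every caller passes the WRDE_CMDSUB return up unchanged is not visible here.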
@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t 
*max_length,
            }
        }
 
-      if (flags & WRDE_NOCMD)
-       return WRDE_CMDSUB;
-
       (*offset) += 2;
       return parse_comm (word, word_length, max_length, words, offset, flags,
                         quoted? NULL : pwordexp, ifs, ifs_white);
@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t 
*max_length,
          break;
 
        case '`':
-         if (flags & WRDE_NOCMD)
-           return WRDE_CMDSUB;
-
          ++(*offset);
          error = parse_backtick (word, word_length, max_length, words,
                                  offset, flags, NULL, NULL, NULL);
@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int 
flags)
        break;
 
       case '`':
-       if (flags & WRDE_NOCMD)
-         {
-           error = WRDE_CMDSUB;
-           goto do_error;
-         }
-
        ++words_offset;
        error = parse_backtick (&word, &word_length, &max_length, words,
                                &words_offset, flags, pwordexp, ifs,
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0029-arm-drop-EABI-check.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0029-arm-drop-EABI-check.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0029-arm-drop-EABI-check.patch?rev=1.1&content-type=text/plain

Index: 00_all_0029-arm-drop-EABI-check.patch
===================================================================
>From 1b08ac828aeafeff86fa67108a8ad285d32f70e6 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vap...@gentoo.org>
Date: Thu, 20 Nov 2014 02:28:22 -0500
Subject: [PATCH] arm: drop EABI check

GCC marked OABI obsolete in 4.7 and dropped it in 4.8.  So the number
of people this is catching is shrinking every day.  At this point,
it's not terribly useful, so just drop it.

(cherry picked from commit 34d97d87bb1c08e34d08a9d4be24a3b1d53a4ddb)
---
 sysdeps/arm/preconfigure    | 22 ----------------------
 sysdeps/arm/preconfigure.ac |  5 -----
 2 files changed, 27 deletions(-)

diff --git a/sysdeps/arm/preconfigure b/sysdeps/arm/preconfigure
index 59d776d..33e9501 100644
--- a/sysdeps/arm/preconfigure
+++ b/sysdeps/arm/preconfigure
@@ -3,28 +3,6 @@
 
 case "$machine" in
 arm*)
-
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-#if !__ARM_EABI__
-#error
-#endif
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-
-else
-  as_fn_error $? "Old ABI no longer supported" "$LINENO" 5
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
   # If the compiler enables unwind tables by default, this causes
   # problems with undefined symbols in -nostdlib link tests.  To
   # avoid this, add -fno-unwind-tables here and remove it in
diff --git a/sysdeps/arm/preconfigure.ac b/sysdeps/arm/preconfigure.ac
index d78817b..20de5bc 100644
--- a/sysdeps/arm/preconfigure.ac
+++ b/sysdeps/arm/preconfigure.ac
@@ -3,11 +3,6 @@ GLIBC_PROVIDES dnl See aclocal.m4 in the top level source 
directory.
 
 case "$machine" in
 arm*)
-  AC_TRY_COMPILE([
-#if !__ARM_EABI__
-#error
-#endif], [], [], [AC_MSG_ERROR([Old ABI no longer supported])])
-
   # If the compiler enables unwind tables by default, this causes
   # problems with undefined symbols in -nostdlib link tests.  To
   # avoid this, add -fno-unwind-tables here and remove it in
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0030-Make-__extern_always_inline-usable-on-clang-again.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0030-Make-__extern_always_inline-usable-on-clang-again.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0030-Make-__extern_always_inline-usable-on-clang-again.patch?rev=1.1&content-type=text/plain

Index: 00_all_0030-Make-__extern_always_inline-usable-on-clang-again.patch
===================================================================
>From d73ac1bb436cf1adb62335f53b4fc91a02f40a3b Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddh...@redhat.com>
Date: Mon, 24 Nov 2014 17:25:56 +0530
Subject: [PATCH] Make __extern_always_inline usable on clang++ again

The fix for BZ #17266 (884ddc5081278f488ef8cd49951f41cfdbb480ce)
removed changes that had gone into cdefs.h to make
__extern_always_inline usable with clang++.  This patch adds back
support for clang to detect if GNU inlining semantics are available,
this time without breaking the gcc use case.  The check put here is
based on the earlier patch and assertion[1] that checking if
__GNUC_STDC_INLINE__ or __GNUC_GNU_INLINE__ is defined is sufficient
to determine that clang++ supports GNU inlining semantics.

Tested with a simple program that builds with __extern_always_inline
with the patch and fails compilation without it.

 #include <stdio.h>
 #include <sys/cdefs.h>

extern void foo_alias (void) __asm ("foo");

__extern_always_inline void
foo (void)
{
  puts ("hi oh world!");
  return foo_alias ();
}

void
foo_alias (void)
{
  puts ("hell oh world");
}

int
main ()
{
  foo ();
}

[1] https://sourceware.org/ml/libc-alpha/2012-12/msg00306.html

        [BZ #17266]
        * misc/sys/cdefs.h: Define __extern_always_inline for clang
        4.2 and newer.

(cherry picked from commit 602f80ec8b966cfad3b61914cbe14ee606cedf6e)
---
 ChangeLog        |  6 ++++++
 misc/sys/cdefs.h | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f9f3407..ac7d980 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2014-11-24  Siddhesh Poyarekar  <siddh...@redhat.com>
+
+       [BZ #17266]
+       * misc/sys/cdefs.h: Define __extern_always_inline for clang
+       4.2 and newer.
+
 2014-11-19  Carlos O'Donell  <car...@redhat.com>
            Florian Weimer  <fwei...@redhat.com>
            Joseph Myers  <jos...@codesourcery.com>
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
index 01e81ba..711ac1d 100644
--- a/misc/sys/cdefs.h
+++ b/misc/sys/cdefs.h
@@ -321,8 +321,14 @@
    inline semantics, unless -fgnu89-inline is used.  Using __GNUC_STDC_INLINE__
    or __GNUC_GNU_INLINE is not a good enough check for gcc because gcc versions
    older than 4.3 may define these macros and still not guarantee GNU inlining
-   semantics.  */
-#if !defined __cplusplus || __GNUC_PREREQ (4,3)
+   semantics.
+
+   clang++ identifies itself as gcc-4.2, but has support for GNU inlining
+   semantics, that can be checked fot by using the __GNUC_STDC_INLINE_ and
+   __GNUC_GNU_INLINE__ macro definitions.  */
+#if (!defined __cplusplus || __GNUC_PREREQ (4,3) \
+     || (defined __clang__ && (defined __GNUC_STDC_INLINE__ \
+                              || defined __GNUC_GNU_INLINE__)))
 # if defined __GNUC_STDC_INLINE__ || defined __cplusplus
 #  define __extern_inline extern __inline __attribute__ ((__gnu_inline__))
 #  define __extern_always_inline \
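Review bot: The added comment names the macros differently from the condition it documents: it writes `__GNUC_STDC_INLINE_` with one trailing underscore and "checked fot", while the `#if` below tests `__GNUC_STDC_INLINE__` and `__GNUC_GNU_INLINE__`. The sentence should read `semantics, that can be checked for by using the __GNUC_STDC_INLINE__ and __GNUC_GNU_INLINE__ macro definitions.  */`, so that a search for either macro finds this explanation. The older paragraph just above has the same slip in `__GNUC_GNU_INLINE`. The `#if` block opened here closes outside the hunk.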
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0031-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0031-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0031-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch?rev=1.1&content-type=text/plain

Index: 00_all_0031-CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch
===================================================================
>From a3a1f4163c4d0f9a36056c8640661a88674ae8a2 Mon Sep 17 00:00:00 2001
From: Jeff Law <l...@redhat.com>
Date: Mon, 15 Dec 2014 10:09:32 +0100
Subject: [PATCH] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]

A larger number of format specifiers could cause a stack overflow,
potentially allowing a bypass of the _FORTIFY_SOURCE format string
protection.

(cherry picked from commit a5357b7ce2a2982c5778435704bcdb55ce3667a0)
(cherry picked from commit ae61fc7b33d9d99d2763c16de8275227dc9748ba)

Conflicts:
        NEWS
---
 ChangeLog               |  9 +++++++
 NEWS                    |  4 ++-
 stdio-common/Makefile   |  2 +-
 stdio-common/bug23-2.c  | 70 +++++++++++++++++++++++++++++++++++++++++++++++++
 stdio-common/bug23-3.c  | 50 +++++++++++++++++++++++++++++++++++
 stdio-common/bug23-4.c  | 31 ++++++++++++++++++++++
 stdio-common/vfprintf.c | 40 ++++++++++++++++++++++++++--
 7 files changed, 202 insertions(+), 4 deletions(-)
 create mode 100644 stdio-common/bug23-2.c
 create mode 100644 stdio-common/bug23-3.c
 create mode 100644 stdio-common/bug23-4.c

diff --git a/ChangeLog b/ChangeLog
index ac7d980..88d2f1e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2014-12-15  Jeff Law  <l...@redhat.com>
+
+       [BZ #16617]
+       * stdio-common/vfprintf.c (vfprintf): Allocate large specs array
+       on the heap.  (CVE-2012-3406)
+       * stdio-common/bug23-2.c, stdio-common/bug23-3.c: New file.
+       * stdio-common/bug23-4.c: New file.  Test case by Joseph Myers.
+       * stdio-common/Makefile (tests): Add bug23-2, bug23-3, bug23-4.
+
 2014-11-24  Siddhesh Poyarekar  <siddh...@redhat.com>
 
        [BZ #17266]
diff --git a/NEWS b/NEWS
index 3de92cd..f6cdb66 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  17266, 17370, 17371, 17460, 17485, 17555, 17625.
+  16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625.
 
 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
   under certain input conditions resulting in the execution of a shell for
@@ -17,6 +17,8 @@ Version 2.20.1
   implementation now checks WRDE_NOCMD immediately before executing the
   shell and returns the error WRDE_CMDSUB as expected.
 
+* CVE-2012-3406 printf-style functions could run into a stack overflow when
+  processing format strings with a large number of format specifiers.a
 
 Version 2.20
 
diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index 5f8e534..e5e45b6 100644
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
         bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
         scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
         bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \
-        bug25 tst-printf-round bug26
+        bug25 tst-printf-round bug23-2 bug23-3 bug23-4 bug26
 
 test-srcs = tst-unbputc tst-printf
 
diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c
new file mode 100644
index 0000000..9e0cfe6
--- /dev/null
+++ b/stdio-common/bug23-2.c
@@ -0,0 +1,70 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+static const char expected[] = "\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n";
+
+static int
+do_test (void)
+{
+  char *buf = malloc (strlen (expected) + 1);
+  snprintf (buf, strlen (expected) + 1,
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+           "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n",
+           "a", "b", "c", "d", 5);
+  return strcmp (buf, expected) != 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
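Review bot: In do_test, `buf` goes from malloc straight into snprintf with no NULL check and is never freed; bug23-3.c has the same unchecked malloc, whereas bug23-4.c aborts when allocation fails. Adding `if (buf == NULL) return 1;` after the malloc makes an out-of-memory run fail cleanly instead of faulting inside the function under test. Keeping the strcmp result in a local and calling `free (buf);` before returning would fix the leak. The snprintf return value is also ignored, so truncation is caught only indirectly by the strcmp.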
diff --git a/stdio-common/bug23-3.c b/stdio-common/bug23-3.c
new file mode 100644
index 0000000..57c8cef
--- /dev/null
+++ b/stdio-common/bug23-3.c
@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+int
+do_test (void)
+{
+  size_t instances = 16384;
+#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+  const char *item = "\na\nabbcd55";
+#define X3 X0 X0 X0 X0 X0 X0 X0 X0
+#define X6 X3 X3 X3 X3 X3 X3 X3 X3
+#define X9 X6 X6 X6 X6 X6 X6 X6 X6
+#define X12 X9 X9 X9 X9 X9 X9 X9 X9
+#define X14 X12 X12 X12 X12
+#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%"
+#define TRAILER2 TRAILER TRAILER
+  size_t length = instances * strlen (item) + strlen (TRAILER) + 1;
+
+  char *buf = malloc (length + 1);
+  snprintf (buf, length + 1,
+           X14 TRAILER2 "\n",
+           "a", "b", "c", "d", 5);
+
+  const char *p = buf;
+  size_t i;
+  for (i = 0; i < instances; ++i)
+    {
+      const char *expected;
+      for (expected = item; *expected; ++expected)
+       {
+         if (*p != *expected)
+           {
+             printf ("mismatch at offset %zu (%zu): expected %d, got %d\n",
+                     (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF);
+             return 1;
+           }
+         ++p;
+       }
+    }
+  if (strcmp (p, TRAILER "\n") != 0)
+    {
+      printf ("mismatch at trailer: [%s]\n", p);
+      return 1;
+    }
+  free (buf);
+  return 0;
+}
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
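Review bot: Nothing in do_test ties `instances = 16384` to the number of X0 copies that X14 expands to, and the length computation silently relies on each `%%` in TRAILER2 printing a single `%`; either is easy to break when the macros are edited. A comment above the defines would record both, e.g. `/* X14 is 4 * 8^4 = 16384 copies of X0, matching INSTANCES; TRAILER2 prints as strlen (TRAILER) characters because "%%" yields one '%'.  */`. The two early `return 1` paths also skip `free (buf)`, which is harmless in a test but inconsistent with the success path.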
diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c
new file mode 100644
index 0000000..a478564
--- /dev/null
+++ b/stdio-common/bug23-4.c
@@ -0,0 +1,31 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/resource.h>
+
+#define LIMIT 1000000
+
+int
+main (void)
+{
+  struct rlimit lim;
+  getrlimit (RLIMIT_STACK, &lim);
+  lim.rlim_cur = 1048576;
+  setrlimit (RLIMIT_STACK, &lim);
+  char *fmtstr = malloc (4 * LIMIT + 1);
+  if (fmtstr == NULL)
+    abort ();
+  char *output = malloc (LIMIT + 1);
+  if (output == NULL)
+    abort ();
+  for (size_t i = 0; i < LIMIT; i++)
+    memcpy (fmtstr + 4 * i, "%1$d", 4);
+  fmtstr[4 * LIMIT] = '\0';
+  int ret = snprintf (output, LIMIT + 1, fmtstr, 0);
+  if (ret != LIMIT)
+    abort ();
+  for (size_t i = 0; i < LIMIT; i++)
+    if (output[i] != '0')
+      abort ();
+  return 0;
+}
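Review bot: The getrlimit and setrlimit calls in main ignore their return values, so if either fails the test carries on with an unset `lim` or with the original stack limit. It then no longer runs under the 1 MiB stack it is meant to exercise. The other fallible calls in this file abort on failure and these two should as well: `if (getrlimit (RLIMIT_STACK, &lim) != 0) abort ();` and `if (setrlimit (RLIMIT_STACK, &lim) != 0) abort ();`. Assigning 1048576 to `rlim_cur` without comparing it with `lim.rlim_max` is one way the setrlimit call can fail.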
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index c4ff833..429a3d1 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -263,6 +263,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
   /* For the argument descriptions, which may be allocated on the heap.  */
   void *args_malloced = NULL;
 
+  /* For positional argument handling.  */
+  struct printf_spec *specs;
+
+  /* Track if we malloced the SPECS array and thus must free it.  */
+  bool specs_malloced = false;
+
   /* This table maps a character into a number representing a
      class.  In each step there is a destination label for each
      class.  */
@@ -1679,8 +1685,8 @@ do_positional:
     size_t nspecs = 0;
     /* A more or less arbitrary start value.  */
     size_t nspecs_size = 32 * sizeof (struct printf_spec);
-    struct printf_spec *specs = alloca (nspecs_size);
 
+    specs = alloca (nspecs_size);
     /* The number of arguments the format string requests.  This will
        determine the size of the array needed to store the argument
        attributes.  */
@@ -1721,11 +1727,39 @@ do_positional:
        if (nspecs * sizeof (*specs) >= nspecs_size)
          {
            /* Extend the array of format specifiers.  */
+           if (nspecs_size * 2 < nspecs_size)
+             {
+               __set_errno (ENOMEM);
+               done = -1;
+               goto all_done;
+             }
            struct printf_spec *old = specs;
-           specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
+           if (__libc_use_alloca (2 * nspecs_size))
+             specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
+           else
+             {
+               nspecs_size *= 2;
+               specs = malloc (nspecs_size);
+               if (specs == NULL)
+                 {
+                   __set_errno (ENOMEM);
+                   specs = old;
+                   done = -1;
+                   goto all_done;
+                 }
+             }
 
            /* Copy the old array's elements to the new space.  */
            memmove (specs, old, nspecs * sizeof (*specs));
+
+           /* If we had previously malloc'd space for SPECS, then
+              release it after the copy is complete.  */
+           if (specs_malloced)
+             free (old);
+
+           /* Now set SPECS_MALLOCED if needed.  */
+           if (!__libc_use_alloca (nspecs_size))
+             specs_malloced = true;
          }
 
        /* Parse the format specifier.  */
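Review bot: `specs_malloced` is set by asking `__libc_use_alloca (nspecs_size)` a second time after the copy, not by recording which branch allocated, so the flag is right only if that second answer always matches the first test on `2 * nspecs_size`. In the alloca branch `nspecs_size` is updated by extend_alloca, whose definition is not in this diff; if it can leave a size other than the one tested, the flag and the allocator disagree and the `free (specs)` at all_done would receive a stack pointer. Recording the branch is more robust: declare `bool now_malloced = false;` before the test, set `now_malloced = true;` after the successful malloc, and replace the final `if` with `specs_malloced = now_malloced;` after the `free (old)`. The enclosing loop in do_positional starts and ends outside the hunk.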
@@ -2046,6 +2080,8 @@ do_positional:
   }
 
 all_done:
+  if (specs_malloced)
+    free (specs);
   if (__glibc_unlikely (args_malloced != NULL))
     free (args_malloced);
   if (__glibc_unlikely (workstart != NULL))
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0032-Avoid-infinite-loop-in-nss_dns-getnetbyname-BZ-17630.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0032-Avoid-infinite-loop-in-nss_dns-getnetbyname-BZ-17630.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0032-Avoid-infinite-loop-in-nss_dns-getnetbyname-BZ-17630.patch?rev=1.1&content-type=text/plain

Index: 00_all_0032-Avoid-infinite-loop-in-nss_dns-getnetbyname-BZ-17630.patch
===================================================================
>From f80af76648ed97a76745fad6caa3315a79cb1c7c Mon Sep 17 00:00:00 2001
From: Florian Weimer <fwei...@redhat.com>
Date: Mon, 15 Dec 2014 17:41:13 +0100
Subject: [PATCH] Avoid infinite loop in nss_dns getnetbyname [BZ #17630]

(cherry picked from commit 11e3417af6e354f1942c68a271ae51e892b2814d)
(cherry picked from commit e54db0ea6a49affac43fa305fd134f3020c41382)

Conflicts:
        NEWS
---
 ChangeLog                    | 6 ++++++
 NEWS                         | 8 ++++++--
 resolv/nss_dns/dns-network.c | 4 ++--
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 88d2f1e..e416cd0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2014-12-16  Florian Weimer  <fwei...@redhat.com>
+
+       [BZ #17630]
+       * resolv/nss_dns/dns-network.c (getanswer_r): Iterate over alias
+       names.
+
 2014-12-15  Jeff Law  <l...@redhat.com>
 
        [BZ #16617]
diff --git a/NEWS b/NEWS
index f6cdb66..9bc835c 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625.
+  16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630.
 
 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
   under certain input conditions resulting in the execution of a shell for
@@ -18,7 +18,11 @@ Version 2.20.1
   shell and returns the error WRDE_CMDSUB as expected.
 
 * CVE-2012-3406 printf-style functions could run into a stack overflow when
-  processing format strings with a large number of format specifiers.a
+  processing format strings with a large number of format specifiers.
+
+* CVE-2014-9402 The nss_dns implementation of getnetbyname could run into an
+  infinite loopif the DNS response contained a PTR record of an unexpected
+  format.
 
 Version 2.20
 
diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 0a77c8b..08cf0a6 100644
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int anslen, struct 
netent *result,
 
        case BYNAME:
          {
-           char **ap = result->n_aliases++;
-           while (*ap != NULL)
+           char **ap;
+           for (ap = result->n_aliases; *ap != NULL; ++ap)
              {
                /* Check each alias name for being of the forms:
                   4.3.2.1.in-addr.arpa         = net 1.2.3.4
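Review bot: The rewritten loop header in the BYNAME case has no comment explaining why the increment moved into the `for`, and that move is the whole fix. I would add above it `/* Advance AP on every pass, also for aliases that match neither form below, so an unexpected PTR name cannot stall the loop; n_aliases itself is no longer modified.  */`. The loop body lies outside the hunk, so the statement about non-matching aliases is inferred from the NEWS entry for CVE-2014-9402 rather than from visible code. The diffstat lists no test file, so a regression test for a PTR answer of unexpected format is still missing.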
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0033-Move-findidx-nested-functions-to-top-level.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0033-Move-findidx-nested-functions-to-top-level.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0033-Move-findidx-nested-functions-to-top-level.patch?rev=1.1&content-type=text/plain

Index: 00_all_0033-Move-findidx-nested-functions-to-top-level.patch
===================================================================
>From b0694b9e98ee64cb25490de0921ce307f3872749 Mon Sep 17 00:00:00 2001
From: Roland McGrath <rol...@hack.frob.com>
Date: Thu, 11 Sep 2014 16:02:17 -0700
Subject: [PATCH] Move findidx nested functions to top-level.

Needed in order to backport strxfrm_l security fix cleanly.

(cherry picked from commit 8c0ab919f63dc03a420751172602a52d2bea59a8)

Conflicts:
        ChangeLog
---
 ChangeLog              | 35 +++++++++++++++++++++++++++++++++++
 locale/weight.h        | 13 ++++++++++---
 locale/weightwc.h      | 13 ++++++++++---
 posix/fnmatch.c        |  8 ++++++++
 posix/fnmatch_loop.c   | 17 ++++++-----------
 posix/regcomp.c        | 10 ++++++----
 posix/regex_internal.h |  7 +++++--
 posix/regexec.c        |  8 +++++---
 string/strcoll_l.c     |  9 ++++-----
 string/strxfrm_l.c     |  5 ++---
 10 files changed, 91 insertions(+), 34 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e416cd0..dbf7e86 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,38 @@
+2015-02-16  Kostya Serebryany  <konstantin.s.serebry...@gmail.com>
+           Roland McGrath  <rol...@hack.frob.com>
+
+       * locale/weight.h: Add include guard.
+       (findidx): Make static rather than auto; take new parameters
+       TABLE, INDIRECT, and EXTRA instead of getting them as outer locals.
+       * locale/weightwc.h: Likewise.
+       * posix/fnmatch_loop.c
+       (FCT): Change type of EXTRA from int32_t to wint_t.
+       Don't include either header inside the function.
+       Call FINDIDX rather than findidx, and pass new arguments.
+       #undef FINDIDX at the end of the file.
+       * posix/fnmatch.c [_LIBC]: #include <locale/weight.h> and define
+       FINDIDX before including fnmatch_loop.c for the non-wide version.
+       [_LIBC] [HANDLE_MULTIBYTE]: #define findidx to findidxwc around
+       #include <locale/weightwc.h>, and define FINDIDX to findidxwc
+       for the wide version.
+       * posix/regcomp.c [_LIBC]: #include <locale/weight.h>.
+       (build_equiv_class) [_LIBC]: Don't #include it inside the function.
+       Pass new arguments to findidx.
+       * posix/regexec.c [RE_ENABLE_I18N] [_LIBC]: #include <locale/weight.h>.
+       [RE_ENABLE_I18N] (check_node_accept_bytes) [_LIBC]:
+       Don't #include it inside the function.  Pass new arguments to findidx.
+       * posix/regex_internal.h
+       [!NOT_IN_libc] [_LIBC]: #include <locale/weight.h>.
+       (re_string_elem_size_at): Don't #include it inside the function.
+       Pass new arguments to findidx.
+       * string/strcoll_l.c: #include WEIGHT_H at top level.
+       (get_next_seq): Don't #include it inside the function.
+       Pass new arguments to findidx.
+       (get_next_seq_nocache): Likewise.
+       * string/strxfrm_l.c: #include WEIGHT_H at top level.
+       (STRXFRM): Don't #include it inside the function.
+       Pass new arguments to findidx.
+
 2014-12-16  Florian Weimer  <fwei...@redhat.com>
 
        [BZ #17630]
diff --git a/locale/weight.h b/locale/weight.h
index 9eb8ac6..9d93fdc 100644
--- a/locale/weight.h
+++ b/locale/weight.h
@@ -16,10 +16,15 @@
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+#ifndef _WEIGHT_H_
+#define _WEIGHT_H_     1
+
 /* Find index of weight.  */
-auto inline int32_t
-__attribute ((always_inline))
-findidx (const unsigned char **cpp, size_t len)
+static inline int32_t __attribute__ ((always_inline))
+findidx (const int32_t *table,
+        const int32_t *indirect,
+        const unsigned char *extra,
+        const unsigned char **cpp, size_t len)
 {
   int_fast32_t i = table[*(*cpp)++];
   const unsigned char *cp;
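Review bot: The comment `/* Find index of weight.  */` is now too thin for a file-scope function whose `table`, `indirect` and `extra` arguments come from the caller; the same applies to the wide variant in locale/weightwc.h. I would extend it to say that the three pointers must be the LC_COLLATE arrays of one and the same locale, that `*cpp` is advanced past the element consumed, and that `len` appears to be the number of elements available at `*cpp` (callers pass `string_end - n` and `pstr->len - idx`). Several callers in this patch pass `-1`, which converts to the largest size_t and removes that bound, so the comment should state that this is valid only for NUL-terminated input. The first statement, `table[*(*cpp)++]`, also reads one element before `len` is consulted, so a caller must never pass a zero-length range. The rest of the body lies outside the hunk.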
@@ -130,3 +135,5 @@ findidx (const unsigned char **cpp, size_t len)
   /* NOTREACHED */
   return 0x43219876;
 }
+
+#endif /* weight.h */
diff --git a/locale/weightwc.h b/locale/weightwc.h
index 8f047e3..0f70b00 100644
--- a/locale/weightwc.h
+++ b/locale/weightwc.h
@@ -16,10 +16,15 @@
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+#ifndef _WEIGHTWC_H_
+#define _WEIGHTWC_H_   1
+
 /* Find index of weight.  */
-auto inline int32_t
-__attribute ((always_inline))
-findidx (const wint_t **cpp, size_t len)
+static inline int32_t __attribute__ ((always_inline))
+findidx (const int32_t *table,
+        const int32_t *indirect,
+        const wint_t *extra,
+        const wint_t **cpp, size_t len)
 {
   wint_t ch = *(*cpp)++;
   int32_t i = __collidx_table_lookup ((const char *) table, ch);
@@ -109,3 +114,5 @@ findidx (const wint_t **cpp, size_t len)
   /* NOTREACHED */
   return 0x43219876;
 }
+
+#endif /* weightwc.h */
diff --git a/posix/fnmatch.c b/posix/fnmatch.c
index c330a12..85a6ec2 100644
--- a/posix/fnmatch.c
+++ b/posix/fnmatch.c
@@ -221,6 +221,8 @@ __wcschrnul (s, c)
 # define MEMCHR(S, C, N) memchr (S, C, N)
 # define STRCOLL(S1, S2) strcoll (S1, S2)
 # define WIDE_CHAR_VERSION 0
+# include <locale/weight.h>
+# define FINDIDX findidx
 # include "fnmatch_loop.c"
 
 
@@ -246,6 +248,12 @@ __wcschrnul (s, c)
 #  define MEMCHR(S, C, N) wmemchr (S, C, N)
 #  define STRCOLL(S1, S2) wcscoll (S1, S2)
 #  define WIDE_CHAR_VERSION 1
+/* Change the name the header defines so it doesn't conflict with
+   the <locale/weight.h> version included above.  */
+#  define findidx findidxwc
+#  include <locale/weightwc.h>
+#  undef findidx
+#  define FINDIDX findidxwc
 
 #  undef IS_CHAR_CLASS
 /* We have to convert the wide character string in a multibyte string.  But
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 1957397..db6d9d7 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -376,7 +376,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, 
ends, alloca_used)
                        const int32_t *table;
 # if WIDE_CHAR_VERSION
                        const int32_t *weights;
-                       const int32_t *extra;
+                       const wint_t *extra;
 # else
                        const unsigned char *weights;
                        const unsigned char *extra;
@@ -385,19 +385,12 @@ FCT (pattern, string, string_end, no_leading_period, 
flags, ends, alloca_used)
                        int32_t idx;
                        const UCHAR *cp = (const UCHAR *) str;
 
-                       /* This #include defines a local function!  */
-# if WIDE_CHAR_VERSION
-#  include <locale/weightwc.h>
-# else
-#  include <locale/weight.h>
-# endif
-
 # if WIDE_CHAR_VERSION
                        table = (const int32_t *)
                          _NL_CURRENT (LC_COLLATE, _NL_COLLATE_TABLEWC);
                        weights = (const int32_t *)
                          _NL_CURRENT (LC_COLLATE, _NL_COLLATE_WEIGHTWC);
-                       extra = (const int32_t *)
+                       extra = (const wint_t *)
                          _NL_CURRENT (LC_COLLATE, _NL_COLLATE_EXTRAWC);
                        indirect = (const int32_t *)
                          _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTWC);
@@ -412,7 +405,7 @@ FCT (pattern, string, string_end, no_leading_period, flags, 
ends, alloca_used)
                          _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
 # endif
 
-                       idx = findidx (&cp, 1);
+                       idx = FINDIDX (table, indirect, extra, &cp, 1);
                        if (idx != 0)
                          {
                            /* We found a table entry.  Now see whether the
@@ -422,7 +415,8 @@ FCT (pattern, string, string_end, no_leading_period, flags, 
ends, alloca_used)
                            int32_t idx2;
                            const UCHAR *np = (const UCHAR *) n;
 
-                           idx2 = findidx (&np, string_end - n);
+                           idx2 = FINDIDX (table, indirect, extra,
+                                           &np, string_end - n);
                            if (idx2 != 0
                                && (idx >> 24) == (idx2 >> 24)
                                && len == weights[idx2 & 0xffffff])
@@ -1277,3 +1271,4 @@ EXT (INT opt, const CHAR *pattern, const CHAR *string, 
const CHAR *string_end,
 #undef L
 #undef BTOWC
 #undef WIDE_CHAR_VERSION
+#undef FINDIDX
diff --git a/posix/regcomp.c b/posix/regcomp.c
index 8f2747b..897fe27 100644
--- a/posix/regcomp.c
+++ b/posix/regcomp.c
@@ -19,6 +19,10 @@
 
 #include <stdint.h>
 
+#ifdef _LIBC
+# include <locale/weight.h>
+#endif
+
 static reg_errcode_t re_compile_internal (regex_t *preg, const char * pattern,
                                          size_t length, reg_syntax_t syntax);
 static void re_compile_fastmap_iter (regex_t *bufp,
@@ -3426,8 +3430,6 @@ build_equiv_class (bitset_t sbcset, const unsigned char 
*name)
       int32_t idx1, idx2;
       unsigned int ch;
       size_t len;
-      /* This #include defines a local function!  */
-# include <locale/weight.h>
       /* Calculate the index for equivalence class.  */
       cp = name;
       table = (const int32_t *) _NL_CURRENT (LC_COLLATE, _NL_COLLATE_TABLEMB);
@@ -3437,7 +3439,7 @@ build_equiv_class (bitset_t sbcset, const unsigned char 
*name)
                                                   _NL_COLLATE_EXTRAMB);
       indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
                                                _NL_COLLATE_INDIRECTMB);
-      idx1 = findidx (&cp, -1);
+      idx1 = findidx (table, indirect, extra, &cp, -1);
       if (BE (idx1 == 0 || *cp != '\0', 0))
        /* This isn't a valid character.  */
        return REG_ECOLLATE;
@@ -3448,7 +3450,7 @@ build_equiv_class (bitset_t sbcset, const unsigned char 
*name)
        {
          char_buf[0] = ch;
          cp = char_buf;
-         idx2 = findidx (&cp, 1);
+         idx2 = findidx (table, indirect, extra, &cp, 1);
 /*
          idx2 = table[ch];
 */
diff --git a/posix/regex_internal.h b/posix/regex_internal.h
index 4bbf6a8..d1ed3dc 100644
--- a/posix/regex_internal.h
+++ b/posix/regex_internal.h
@@ -733,6 +733,10 @@ re_string_wchar_at (const re_string_t *pstr, int idx)
 }
 
 # ifndef NOT_IN_libc
+#  ifdef _LIBC
+#   include <locale/weight.h>
+#  endif
+
 static int
 internal_function __attribute__ ((pure, unused))
 re_string_elem_size_at (const re_string_t *pstr, int idx)
@@ -740,7 +744,6 @@ re_string_elem_size_at (const re_string_t *pstr, int idx)
 #  ifdef _LIBC
   const unsigned char *p, *extra;
   const int32_t *table, *indirect;
-#   include <locale/weight.h>
   uint_fast32_t nrules = _NL_CURRENT_WORD (LC_COLLATE, _NL_COLLATE_NRULES);
 
   if (nrules != 0)
@@ -751,7 +754,7 @@ re_string_elem_size_at (const re_string_t *pstr, int idx)
       indirect = (const int32_t *) _NL_CURRENT (LC_COLLATE,
                                                _NL_COLLATE_INDIRECTMB);
       p = pstr->mbs + idx;
-      findidx (&p, pstr->len - idx);
+      findidx (table, indirect, extra, &p, pstr->len - idx);
       return p - pstr->mbs - idx;
     }
   else
diff --git a/posix/regexec.c b/posix/regexec.c
index 7032da7..c840b38 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -3749,6 +3749,10 @@ group_nodes_into_DFAstates (const re_dfa_t *dfa, const 
re_dfastate_t *state,
    one collating element like '.', '[a-z]', opposite to the other nodes
    can only accept one byte.  */
 
+# ifdef _LIBC
+#  include <locale/weight.h>
+# endif
+
 static int
 internal_function
 check_node_accept_bytes (const re_dfa_t *dfa, int node_idx,
@@ -3868,8 +3872,6 @@ check_node_accept_bytes (const re_dfa_t *dfa, int 
node_idx,
          const int32_t *table, *indirect;
          const unsigned char *weights, *extra;
          const char *collseqwc;
-         /* This #include defines a local function!  */
-#  include <locale/weight.h>
 
          /* match with collating_symbol?  */
          if (cset->ncoll_syms)
@@ -3925,7 +3927,7 @@ check_node_accept_bytes (const re_dfa_t *dfa, int 
node_idx,
                _NL_CURRENT (LC_COLLATE, _NL_COLLATE_EXTRAMB);
              indirect = (const int32_t *)
                _NL_CURRENT (LC_COLLATE, _NL_COLLATE_INDIRECTMB);
-             int32_t idx = findidx (&cp, elem_len);
+             int32_t idx = findidx (table, indirect, extra, &cp, elem_len);
              if (idx > 0)
                for (i = 0; i < cset->nequiv_classes; ++i)
                  {
diff --git a/string/strcoll_l.c b/string/strcoll_l.c
index 10ce4a6..d4f42a3 100644
--- a/string/strcoll_l.c
+++ b/string/strcoll_l.c
@@ -41,6 +41,7 @@
 #define CONCAT1(a,b) a##b
 
 #include "../locale/localeinfo.h"
+#include WEIGHT_H
 
 /* Track status while looking for sequences in a string.  */
 typedef struct
@@ -152,7 +153,6 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned 
char *rulesets,
              const USTRING_TYPE *weights, const int32_t *table,
              const USTRING_TYPE *extra, const int32_t *indirect)
 {
-#include WEIGHT_H
   size_t val = seq->val = 0;
   int len = seq->len;
   size_t backw_stop = seq->backw_stop;
@@ -194,7 +194,7 @@ get_next_seq (coll_seq *seq, int nrules, const unsigned 
char *rulesets,
 
          while (*us != L('\0'))
            {
-             int32_t tmp = findidx (&us, -1);
+             int32_t tmp = findidx (table, indirect, extra, &us, -1);
              rulearr[idxmax] = tmp >> 24;
              idxarr[idxmax] = tmp & 0xffffff;
              idxcnt = idxmax++;
@@ -242,7 +242,6 @@ get_next_seq_nocache (coll_seq *seq, int nrules, const 
unsigned char *rulesets,
                      const USTRING_TYPE *extra, const int32_t *indirect,
                      int pass)
 {
-#include WEIGHT_H
   size_t val = seq->val = 0;
   int len = seq->len;
   size_t backw_stop = seq->backw_stop;
@@ -285,7 +284,7 @@ get_next_seq_nocache (coll_seq *seq, int nrules, const 
unsigned char *rulesets,
              us = seq->back_us;
              while (i < backw)
                {
-                 int32_t tmp = findidx (&us, -1);
+                 int32_t tmp = findidx (table, indirect, extra, &us, -1);
                  idx = tmp & 0xffffff;
                  i++;
                }
@@ -300,7 +299,7 @@ get_next_seq_nocache (coll_seq *seq, int nrules, const 
unsigned char *rulesets,
 
          while (*us != L('\0'))
            {
-             int32_t tmp = findidx (&us, -1);
+             int32_t tmp = findidx (table, indirect, extra, &us, -1);
              unsigned char rule = tmp >> 24;
              prev_idx = idx;
              idx = tmp & 0xffffff;
diff --git a/string/strxfrm_l.c b/string/strxfrm_l.c
index 04b9338..2d3f1bd 100644
--- a/string/strxfrm_l.c
+++ b/string/strxfrm_l.c
@@ -41,6 +41,7 @@
 #define CONCAT1(a,b) a##b
 
 #include "../locale/localeinfo.h"
+#include WEIGHT_H
 
 
 #ifndef WIDE_CHAR_VERSION
@@ -104,8 +105,6 @@ STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t 
n, __locale_t l)
   size_t idxcnt;
   int use_malloc;
 
-#include WEIGHT_H
-
   if (nrules == 0)
     {
       if (n != 0)
@@ -174,7 +173,7 @@ STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t 
n, __locale_t l)
   idxmax = 0;
   do
     {
-      int32_t tmp = findidx (&usrc, -1);
+      int32_t tmp = findidx (table, indirect, extra, &usrc, -1);
       rulearr[idxmax] = tmp >> 24;
       idxarr[idxmax] = tmp & 0xffffff;
 
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0034-Fix-memory-handling-in-strxfrm_l-BZ-16009.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0034-Fix-memory-handling-in-strxfrm_l-BZ-16009.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0034-Fix-memory-handling-in-strxfrm_l-BZ-16009.patch?rev=1.1&content-type=text/plain

Index: 00_all_0034-Fix-memory-handling-in-strxfrm_l-BZ-16009.patch
===================================================================
>From f9e0f439b72e0b2fb035be1bc60aaceeed7f6ed0 Mon Sep 17 00:00:00 2001
From: Leonhard Holz <leonhard.h...@web.de>
Date: Tue, 13 Jan 2015 11:33:56 +0530
Subject: [PATCH] Fix memory handling in strxfrm_l [BZ #16009]

[Modified from the original email by Siddhesh Poyarekar]

This patch solves bug #16009 by implementing an additional path in
strxfrm that does not depend on caching the weight and rule indices.

In detail the following changed:

* The old main loop was factored out of strxfrm_l into the function
do_xfrm_cached to be able to alternatively use the non-caching version
do_xfrm.

* strxfrm_l allocates a fixed size array on the stack. If this is not
sufficient to store the weight and rule indices, the non-caching path is
taken. As the cache size is not dependent on the input there can be no
problems with integer overflows or stack allocations greater than
__MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the
definition of strxfrm does not allow OOM error handling.

* The uncached path determines the weight and rule index for every char
and for every pass again.

* Passing all the locale data array by array resulted in very long
parameter lists, so I introduced a structure that holds them.

* Checking for zero src string has been moved a bit upwards, it is
before the locale data initialization now.

* To verify that the non-caching path works correct I added a test run
to localedata/sort-test.sh & localedata/xfrm-test.c where all strings
are patched up with spaces so that they are too large for the caching path.

(cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa)

Conflicts:
        ChangeLog
        NEWS
---
 ChangeLog               |  16 ++
 NEWS                    |   2 +-
 localedata/sort-test.sh |   7 +
 localedata/xfrm-test.c  |  52 +++++-
 string/strxfrm_l.c      | 488 ++++++++++++++++++++++++++++++++++++++----------
 5 files changed, 464 insertions(+), 101 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index dbf7e86..7a2e6c9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2015-02-16  Leonhard Holz  <leonhard.h...@web.de>
+
+       [BZ #16009]
+       * string/strxfrm_l.c (STRXFRM): Allocate fixed size cache for
+       weights and rules. Use do_xfrm_cached if data fits in cache,
+       do_xfrm otherwise.  Moved former main loop to...
+       * (do_xfrm_cached): New function.
+       * (do_xfrm): Non-caching version of do_xfrm_cached. Uses
+       find_idx, find_position and stack_push.
+       * (find_idx): New function.
+       * (find_position): Likewise.
+       * localedata/sort-test.sh: Added test run for do_xfrm.
+       * localedata/xfrm-test.c (main): Added command line option
+       -nocache to run the test with strings that are too large for
+       the STRXFRM cache.
+
 2015-02-16  Kostya Serebryany  <konstantin.s.serebry...@gmail.com>
            Roland McGrath  <rol...@hack.frob.com>
 
diff --git a/NEWS b/NEWS
index 9bc835c..f578805 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630.
+  16009, 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630.
 
 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
   under certain input conditions resulting in the execution of a shell for
diff --git a/localedata/sort-test.sh b/localedata/sort-test.sh
index e37129a..3cb57fb 100644
--- a/localedata/sort-test.sh
+++ b/localedata/sort-test.sh
@@ -53,11 +53,18 @@ for l in $lang; do
    ${common_objpfx}localedata/xfrm-test $id < $cns.in \
    > ${common_objpfx}localedata/$cns.xout || here=1
   cmp -s $cns.in ${common_objpfx}localedata/$cns.xout || here=1
+  ${test_program_prefix_before_env} \
+   ${run_program_env} \
+   LC_ALL=$l ${test_program_prefix_after_env} \
+   ${common_objpfx}localedata/xfrm-test $id -nocache < $cns.in \
+   > ${common_objpfx}localedata/$cns.nocache.xout || here=1
+  cmp -s $cns.in ${common_objpfx}localedata/$cns.nocache.xout || here=1
   if test $here -eq 0; then
     echo "$l xfrm-test OK"
   else
     echo "$l xfrm-test FAIL"
     diff -u $cns.in ${common_objpfx}localedata/$cns.xout | sed 's/^/  /'
+    diff -u $cns.in ${common_objpfx}localedata/$cns.nocache.xout | sed 's/^/  
/'
     status=1
   fi
 done
diff --git a/localedata/xfrm-test.c b/localedata/xfrm-test.c
index d2aba7d..5cf29f6 100644
--- a/localedata/xfrm-test.c
+++ b/localedata/xfrm-test.c
@@ -23,7 +23,10 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdbool.h>
 
+/* Keep in sync with string/strxfrm_l.c.  */
+#define SMALL_STR_SIZE 4095
 
 struct lines
 {
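Review bot: Duplicating `SMALL_STR_SIZE` here means the `-nocache` run silently stops covering the uncached path if the value in string/strxfrm_l.c is raised and this copy is not; the "Keep in sync" comment is the only link between the two. A later hunk pads each line with exactly `SMALL_STR_SIZE` spaces, so an empty line gives a string of exactly that length, and whether that falls outside the cache depends on a comparison in STRXFRM that is not visible here. Padding with a margin, for example `memset (word, ' ', SMALL_STR_SIZE + 1);` with the allocation and copy offset adjusted to match, would remove the dependence on that boundary.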
@@ -37,6 +40,7 @@ int
 main (int argc, char *argv[])
 {
   int result = 0;
+  bool nocache = false;
   size_t nstrings, nstrings_max;
   struct lines *strings;
   char *line = NULL;
@@ -44,7 +48,18 @@ main (int argc, char *argv[])
   size_t n;
 
   if (argc < 2)
-    error (1, 0, "usage: %s <random seed>", argv[0]);
+    error (1, 0, "usage: %s <random seed> [-nocache]", argv[0]);
+
+  if (argc == 3)
+    {
+      if (strcmp (argv[2], "-nocache") == 0)
+       nocache = true;
+      else
+       {
+         printf ("Unknown option %s!\n", argv[2]);
+         exit (1);
+       }
+    }
 
   setlocale (LC_ALL, "");
 
@@ -59,9 +74,9 @@ main (int argc, char *argv[])
 
   while (1)
     {
-      char saved, *newp;
-      int needed;
-      int l;
+      char saved, *word, *newp;
+      size_t l, line_len, needed;
+
       if (getline (&line, &len, stdin) < 0)
        break;
 
@@ -83,10 +98,35 @@ main (int argc, char *argv[])
 
       saved = line[l];
       line[l] = '\0';
-      needed = strxfrm (NULL, line, 0);
+
+      if (nocache)
+       {
+         line_len = strlen (line);
+         word = malloc (line_len + SMALL_STR_SIZE + 1);
+         if (word == NULL)
+           {
+             printf ("malloc failed: %m\n");
+             exit (1);
+           }
+         memset (word, ' ', SMALL_STR_SIZE);
+         memcpy (word + SMALL_STR_SIZE, line, line_len);
+         word[line_len + SMALL_STR_SIZE] = '\0';
+       }
+      else
+        word = line;
+
+      needed = strxfrm (NULL, word, 0);
       newp = malloc (needed + 1);
-      strxfrm (newp, line, needed + 1);
+      if (newp == NULL)
+       {
+         printf ("malloc failed: %m\n");
+         exit (1);
+       }
+      strxfrm (newp, word, needed + 1);
       strings[nstrings].xfrm = newp;
+
+      if (nocache)
+       free (word);
       line[l] = saved;
       ++nstrings;
     }
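Review bot: The two `printf ("malloc failed: %m\n");` calls write to stdout, which sort-test.sh redirects into `$cns.xout` and `$cns.nocache.xout`, so the message lands in the file being compared instead of in the test log. The same holds for `printf ("Unknown option %s!\n", argv[2]);` in the option-parsing hunk. The file already reports its usage error with `error (1, 0, ...)`, so I would use `error (1, errno, "malloc failed");` and `error (1, 0, "unknown option %s", argv[2]);` instead, provided <errno.h> is included. The surrounding loop in main starts and ends outside this hunk.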
diff --git a/string/strxfrm_l.c b/string/strxfrm_l.c
index 2d3f1bd..95ffd6f 100644
--- a/string/strxfrm_l.c
+++ b/string/strxfrm_l.c
@@ -40,9 +40,24 @@
 #define CONCAT(a,b) CONCAT1(a,b)
 #define CONCAT1(a,b) a##b
 
+/* Maximum string size that is calculated with cached indices.  Right now this
+   is an arbitrary value open to optimizations.  SMALL_STR_SIZE * 4 has to be
+   lower than __MAX_ALLOCA_CUTOFF.  Keep localedata/xfrm-test.c in sync.  */
+#define SMALL_STR_SIZE 4095
+
 #include "../locale/localeinfo.h"
 #include WEIGHT_H
 
+/* Group locale data for shorter parameter lists.  */
+typedef struct
+{
+  uint_fast32_t nrules;
+  unsigned char *rulesets;
+  USTRING_TYPE *weights;
+  int32_t *table;
+  USTRING_TYPE *extra;
+  int32_t *indirect;
+} locale_data_t;
 
 #ifndef WIDE_CHAR_VERSION
 
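Review bot: The pointer members of `locale_data_t` drop the `const` that the locals they replace carried; the declarations removed in the next hunk are `const unsigned char *rulesets;`, `const int32_t *table;` and so on. The struct therefore hands out writable pointers into the locale tables. The helpers visible here only read through them, and findidx takes `const` pointers, so each of the five members should be declared `const`, e.g. `const int32_t *table;`. Separately, the invariant in the new comment (`SMALL_STR_SIZE * 4` lower than `__MAX_ALLOCA_CUTOFF`) is only stated in prose within this hunk; a compile-time assertion next to the define would keep the stack bound from drifting if the constant is tuned later.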
@@ -81,113 +96,325 @@ utf8_encode (char *buf, int val)
 }
 #endif
 
+/* Find next weight and rule index.  Inlined since called for every char.  */
+static __always_inline size_t
+find_idx (const USTRING_TYPE **us, int32_t *weight_idx,
+         unsigned char *rule_idx, const locale_data_t *l_data, const int pass)
+{
+  int32_t tmp = findidx (l_data->table, l_data->indirect, l_data->extra, us,
+                        -1);
+  *rule_idx = tmp >> 24;
+  int32_t idx = tmp & 0xffffff;
+  size_t len = l_data->weights[idx++];
+
+  /* Skip over indices of previous levels.  */
+  for (int i = 0; i < pass; i++)
+    {
+      idx += len;
+      len = l_data->weights[idx++];
+    }
 
-size_t
-STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l)
+  *weight_idx = idx;
+  return len;
+}
+
+static int
+find_position (const USTRING_TYPE *us, const locale_data_t *l_data,
+              const int pass)
 {
-  struct __locale_data *current = l->__locales[LC_COLLATE];
-  uint_fast32_t nrules = current->values[_NL_ITEM_INDEX 
(_NL_COLLATE_NRULES)].word;
-  /* We don't assign the following values right away since it might be
-     unnecessary in case there are no rules.  */
-  const unsigned char *rulesets;
-  const int32_t *table;
-  const USTRING_TYPE *weights;
-  const USTRING_TYPE *extra;
-  const int32_t *indirect;
+  int32_t weight_idx;
+  unsigned char rule_idx;
+  const USTRING_TYPE *usrc = us;
+
+  find_idx (&usrc, &weight_idx, &rule_idx, l_data, pass);
+  return l_data->rulesets[rule_idx * l_data->nrules + pass] & sort_position;
+}
+
+/* Do the transformation.  */
+static size_t
+do_xfrm (const USTRING_TYPE *usrc, STRING_TYPE *dest, size_t n,
+        const locale_data_t *l_data)
+{
+  int32_t weight_idx;
+  unsigned char rule_idx;
   uint_fast32_t pass;
-  size_t needed;
+  size_t needed = 0;
   size_t last_needed;
-  const USTRING_TYPE *usrc;
-  size_t srclen = STRLEN (src);
-  int32_t *idxarr;
-  unsigned char *rulearr;
-  size_t idxmax;
-  size_t idxcnt;
-  int use_malloc;
 
-  if (nrules == 0)
+  /* Now the passes over the weights.  */
+  for (pass = 0; pass < l_data->nrules; ++pass)
     {
-      if (n != 0)
-       STPNCPY (dest, src, MIN (srclen + 1, n));
+      size_t backw_len = 0;
+      last_needed = needed;
+      const USTRING_TYPE *cur = usrc;
+      const USTRING_TYPE *backw_start = NULL;
 
-      return srclen;
-    }
+       /* We assume that if a rule has defined `position' in one section
+         this is true for all of them.  */
+      int position = find_position (cur, l_data, pass);
 
-  rulesets = (const unsigned char *)
-    current->values[_NL_ITEM_INDEX (_NL_COLLATE_RULESETS)].string;
-  table = (const int32_t *)
-    current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_TABLE,SUFFIX))].string;
-  weights = (const USTRING_TYPE *)
-    current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_WEIGHT,SUFFIX))].string;
-  extra = (const USTRING_TYPE *)
-    current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_EXTRA,SUFFIX))].string;
-  indirect = (const int32_t *)
-    current->values[_NL_ITEM_INDEX 
(CONCAT(_NL_COLLATE_INDIRECT,SUFFIX))].string;
-  use_malloc = 0;
+      if (position == 0)
+       {
+         while (*cur != L('\0'))
+           {
+             const USTRING_TYPE *pos = cur;
+             size_t len = find_idx (&cur, &weight_idx, &rule_idx, l_data,
+                                    pass);
+             int rule = l_data->rulesets[rule_idx * l_data->nrules + pass];
 
-  assert (((uintptr_t) table) % __alignof__ (table[0]) == 0);
-  assert (((uintptr_t) weights) % __alignof__ (weights[0]) == 0);
-  assert (((uintptr_t) extra) % __alignof__ (extra[0]) == 0);
-  assert (((uintptr_t) indirect) % __alignof__ (indirect[0]) == 0);
+             if ((rule & sort_forward) != 0)
+               {
+                 /* Handle the pushed backward sequence.  */
+                 if (backw_start != NULL)
+                   {
+                     for (size_t i = backw_len; i > 0; )
+                       {
+                         int32_t weight_idx;
+                         unsigned char rule_idx;
+                         size_t len = find_idx (&backw_start, &weight_idx,
+                                                &rule_idx, l_data, pass);
+                         if (needed + i < n)
+                           for (size_t j = len; j > 0; j--)
+                             dest[needed + i - j] =
+                               l_data->weights[weight_idx++];
+
+                         i -= len;
+                       }
 
-  /* Handle an empty string as a special case.  */
-  if (srclen == 0)
-    {
-      if (n != 0)
-       *dest = L('\0');
-      return 0;
-    }
+                     needed += backw_len;
+                     backw_start = NULL;
+                     backw_len = 0;
+                   }
 
-  /* We need the elements of the string as unsigned values since they
-     are used as indeces.  */
-  usrc = (const USTRING_TYPE *) src;
-
-  /* Perform the first pass over the string and while doing this find
-     and store the weights for each character.  Since we want this to
-     be as fast as possible we are using `alloca' to store the temporary
-     values.  But since there is no limit on the length of the string
-     we have to use `malloc' if the string is too long.  We should be
-     very conservative here.  */
-  if (! __libc_use_alloca ((srclen + 1) * (sizeof (int32_t) + 1)))
-    {
-      idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1));
-      rulearr = (unsigned char *) &idxarr[srclen];
-
-      if (idxarr == NULL)
-       /* No memory.  Well, go with the stack then.
-
-          XXX Once this implementation is stable we will handle this
-          differently.  Instead of precomputing the indeces we will
-          do this in time.  This means, though, that this happens for
-          every pass again.  */
-       goto try_stack;
-      use_malloc = 1;
-    }
-  else
-    {
-    try_stack:
-      idxarr = (int32_t *) alloca (srclen * sizeof (int32_t));
-      rulearr = (unsigned char *) alloca (srclen + 1);
+                 /* Now handle the forward element.  */
+                 if (needed + len < n)
+                   while (len-- > 0)
+                     dest[needed++] = l_data->weights[weight_idx++];
+                 else
+                   /* No more characters fit into the buffer.  */
+                   needed += len;
+               }
+             else
+               {
+                 /* Remember start of the backward sequence & track length.  */
+                 if (backw_start == NULL)
+                   backw_start = pos;
+                 backw_len += len;
+               }
+           }
+
+
+         /* Handle the pushed backward sequence.  */
+         if (backw_start != NULL)
+           {
+             for (size_t i = backw_len; i > 0; )
+               {
+                 size_t len = find_idx (&backw_start, &weight_idx, &rule_idx,
+                                        l_data, pass);
+                 if (needed + i < n)
+                   for (size_t j = len; j > 0; j--)
+                     dest[needed + i - j] =
+                       l_data->weights[weight_idx++];
+
+                 i -= len;
+               }
+
+             needed += backw_len;
+           }
+       }
+      else
+       {
+         int val = 1;
+#ifndef WIDE_CHAR_VERSION
+         char buf[7];
+         size_t buflen;
+#endif
+         size_t i;
+
+         while (*cur != L('\0'))
+           {
+             const USTRING_TYPE *pos = cur;
+             size_t len = find_idx (&cur, &weight_idx, &rule_idx, l_data,
+                                    pass);
+             int rule = l_data->rulesets[rule_idx * l_data->nrules + pass];
+
+             if ((rule & sort_forward) != 0)
+               {
+                 /* Handle the pushed backward sequence.  */
+                 if (backw_start != NULL)
+                   {
+                     for (size_t p = backw_len; p > 0; p--)
+                       {
+                         size_t len;
+                         int32_t weight_idx;
+                         unsigned char rule_idx;
+                         const USTRING_TYPE *backw_cur = backw_start;
+
+                         /* To prevent a warning init the used vars.  */
+                         len = find_idx (&backw_cur, &weight_idx,
+                                         &rule_idx, l_data, pass);
+
+                         for (i = 1; i < p; i++)
+                           len = find_idx (&backw_cur, &weight_idx,
+                                           &rule_idx, l_data, pass);
+
+                         if (len != 0)
+                           {
+#ifdef WIDE_CHAR_VERSION
+                             if (needed + 1 + len < n)
+                               {
+                                 dest[needed] = val;
+                                 for (i = 0; i < len; ++i)
+                                   dest[needed + 1 + i] =
+                                     l_data->weights[weight_idx + i];
+                               }
+                             needed += 1 + len;
+#else
+                             buflen = utf8_encode (buf, val);
+                             if (needed + buflen + len < n)
+                               {
+                                 for (i = 0; i < buflen; ++i)
+                                   dest[needed + i] = buf[i];
+                                 for (i = 0; i < len; ++i)
+                                   dest[needed + buflen + i] =
+                                     l_data->weights[weight_idx + i];
+                               }
+                             needed += buflen + len;
+#endif
+                             val = 1;
+                           }
+                         else
+                           ++val;
+                       }
+
+                     backw_start = NULL;
+                     backw_len = 0;
+                   }
+
+                 /* Now handle the forward element.  */
+                 if (len != 0)
+                   {
+#ifdef WIDE_CHAR_VERSION
+                     if (needed + 1 + len < n)
+                       {
+                         dest[needed] = val;
+                         for (i = 0; i < len; ++i)
+                           dest[needed + 1 + i] =
+                             l_data->weights[weight_idx + i];
+                       }
+                     needed += 1 + len;
+#else
+                     buflen = utf8_encode (buf, val);
+                     if (needed + buflen + len < n)
+                       {
+                         for (i = 0; i < buflen; ++i)
+                           dest[needed + i] = buf[i];
+                         for (i = 0; i < len; ++i)
+                           dest[needed + buflen + i] =
+                             l_data->weights[weight_idx + i];
+                       }
+                     needed += buflen + len;
+#endif
+                     val = 1;
+                   }
+                 else
+                   ++val;
+               }
+             else
+               {
+                 /* Remember start of the backward sequence & track length.  */
+                 if (backw_start == NULL)
+                   backw_start = pos;
+                 backw_len++;
+               }
+           }
+
+         /* Handle the pushed backward sequence.  */
+         if (backw_start != NULL)
+           {
+             for (size_t p = backw_len; p > 0; p--)
+               {
+                 size_t len;
+                 int32_t weight_idx;
+                 unsigned char rule_idx;
+                 const USTRING_TYPE *backw_cur = backw_start;
+
+                 /* To prevent a warning init the used vars.  */
+                 len = find_idx (&backw_cur, &weight_idx,
+                                 &rule_idx, l_data, pass);
+
+                 for (i = 1; i < p; i++)
+                   len = find_idx (&backw_cur, &weight_idx,
+                                   &rule_idx, l_data, pass);
+
+                 if (len != 0)
+                   {
+#ifdef WIDE_CHAR_VERSION
+                     if (needed + 1 + len < n)
+                       {
+                         dest[needed] = val;
+                         for (i = 0; i < len; ++i)
+                           dest[needed + 1 + i] =
+                             l_data->weights[weight_idx + i];
+                       }
+                     needed += 1 + len;
+#else
+                     buflen = utf8_encode (buf, val);
+                     if (needed + buflen + len < n)
+                       {
+                         for (i = 0; i < buflen; ++i)
+                           dest[needed + i] = buf[i];
+                         for (i = 0; i < len; ++i)
+                           dest[needed + buflen + i] =
+                             l_data->weights[weight_idx + i];
+                       }
+                     needed += buflen + len;
+#endif
+                     val = 1;
+                   }
+                 else
+                   ++val;
+               }
+           }
+       }
+
+      /* Finally store the byte to separate the passes or terminate
+        the string.  */
+      if (needed < n)
+       dest[needed] = pass + 1 < l_data->nrules ? L('\1') : L('\0');
+      ++needed;
     }
 
-  idxmax = 0;
-  do
+  /* This is a little optimization: many collation specifications have
+     a `position' rule at the end and if no non-ignored character
+     is found the last \1 byte is immediately followed by a \0 byte
+     signalling this.  We can avoid the \1 byte(s).  */
+  if (needed > 2 && needed == last_needed + 1)
     {
-      int32_t tmp = findidx (table, indirect, extra, &usrc, -1);
-      rulearr[idxmax] = tmp >> 24;
-      idxarr[idxmax] = tmp & 0xffffff;
-
-      ++idxmax;
+      /* Remove the \1 byte.  */
+      if (--needed <= n)
+       dest[needed - 1] = L('\0');
     }
-  while (*usrc != L('\0'));
 
-  /* This element is only read, the value never used but to determine
-     another value which then is ignored.  */
-  rulearr[idxmax] = '\0';
+  /* Return the number of bytes/words we need, but don't count the NUL
+     byte/word at the end.  */
+  return needed - 1;
+}
+
+/* Do the transformation using weight-index and rule cache.  */
+static size_t
+do_xfrm_cached (STRING_TYPE *dest, size_t n, const locale_data_t *l_data,
+               size_t idxmax, int32_t *idxarr, const unsigned char *rulearr)
+{
+  uint_fast32_t nrules = l_data->nrules;
+  unsigned char *rulesets = l_data->rulesets;
+  USTRING_TYPE *weights = l_data->weights;
+  uint_fast32_t pass;
+  size_t needed = 0;
+  size_t last_needed;
+  size_t idxcnt;
 
-  /* Now the passes over the weights.  We now use the indeces we found
-     before.  */
-  needed = 0;
+  /* Now the passes over the weights.  */
   for (pass = 0; pass < nrules; ++pass)
     {
       size_t backw_stop = ~0ul;
@@ -433,14 +660,87 @@ STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, 
size_t n, __locale_t l)
        dest[needed - 1] = L('\0');
     }
 
-  /* Free the memory if needed.  */
-  if (use_malloc)
-    free (idxarr);
-
   /* Return the number of bytes/words we need, but don't count the NUL
      byte/word at the end.  */
   return needed - 1;
 }
+
+size_t
+STRXFRM (STRING_TYPE *dest, const STRING_TYPE *src, size_t n, __locale_t l)
+{
+  locale_data_t l_data;
+  struct __locale_data *current = l->__locales[LC_COLLATE];
+  l_data.nrules = current->values[_NL_ITEM_INDEX (_NL_COLLATE_NRULES)].word;
+
+  /* Handle byte comparison case.  */
+  if (l_data.nrules == 0)
+    {
+      size_t srclen = STRLEN (src);
+
+      if (n != 0)
+       STPNCPY (dest, src, MIN (srclen + 1, n));
+
+      return srclen;
+    }
+
+  /* Handle an empty string, code hereafter relies on strlen (src) > 0.  */
+  if (*src == L('\0'))
+    {
+      if (n != 0)
+       *dest = L('\0');
+      return 0;
+    }
+
+  /* Get the locale data.  */
+  l_data.rulesets = (unsigned char *)
+    current->values[_NL_ITEM_INDEX (_NL_COLLATE_RULESETS)].string;
+  l_data.table = (int32_t *)
+    current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_TABLE,SUFFIX))].string;
+  l_data.weights = (USTRING_TYPE *)
+    current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_WEIGHT,SUFFIX))].string;
+  l_data.extra = (USTRING_TYPE *)
+    current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_EXTRA,SUFFIX))].string;
+  l_data.indirect = (int32_t *)
+    current->values[_NL_ITEM_INDEX 
(CONCAT(_NL_COLLATE_INDIRECT,SUFFIX))].string;
+
+  assert (((uintptr_t) l_data.table) % __alignof__ (l_data.table[0]) == 0);
+  assert (((uintptr_t) l_data.weights) % __alignof__ (l_data.weights[0]) == 0);
+  assert (((uintptr_t) l_data.extra) % __alignof__ (l_data.extra[0]) == 0);
+  assert (((uintptr_t) l_data.indirect) % __alignof__ (l_data.indirect[0]) == 
0);
+
+  /* We need the elements of the string as unsigned values since they
+     are used as indeces.  */
+  const USTRING_TYPE *usrc = (const USTRING_TYPE *) src;
+
+  /* Allocate cache for small strings on the stack and fill it with weight and
+     rule indices.  If the cache size is not sufficient, continue with the
+     uncached xfrm version.  */
+  size_t idxmax = 0;
+  const USTRING_TYPE *cur = usrc;
+  int32_t *idxarr = alloca (SMALL_STR_SIZE * sizeof (int32_t));
+  unsigned char *rulearr = alloca (SMALL_STR_SIZE + 1);
+
+  do
+    {
+      int32_t tmp = findidx (l_data.table, l_data.indirect, l_data.extra, &cur,
+                            -1);
+      rulearr[idxmax] = tmp >> 24;
+      idxarr[idxmax] = tmp & 0xffffff;
+
+      ++idxmax;
+    }
+  while (*cur != L('\0') && idxmax < SMALL_STR_SIZE);
+
+  /* This element is only read, the value never used but to determine
+     another value which then is ignored.  */
+  rulearr[idxmax] = '\0';
+
+  /* Do the transformation.  */
+  if (*cur == L('\0'))
+    return do_xfrm_cached (dest, n, &l_data, idxmax, idxarr, rulearr);
+  else
+    return do_xfrm (usrc, dest, n, &l_data);
+}
 libc_hidden_def (STRXFRM)
 
 #ifndef WIDE_CHAR_VERSION
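Review bot: The two stack caches in STRXFRM are sized differently on purpose, but nothing at the `alloca` calls says why. The do/while loop can exit with `idxmax == SMALL_STR_SIZE`, and the following `rulearr[idxmax] = '\0'` store then lands in the extra byte that `alloca (SMALL_STR_SIZE + 1)` reserves. A comment at the allocation, such as `/* rulearr has one extra slot for the terminator stored after the loop.  */`, would keep a later resize of either buffer from turning that store into a one-byte stack overrun. SMALL_STR_SIZE is defined outside this hunk, so the total stack cost of the two buffers cannot be checked from here.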
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0035-Use-AVX-unaligned-memcpy-only-if-AVX2-is-available.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0035-Use-AVX-unaligned-memcpy-only-if-AVX2-is-available.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0035-Use-AVX-unaligned-memcpy-only-if-AVX2-is-available.patch?rev=1.1&content-type=text/plain

Index: 00_all_0035-Use-AVX-unaligned-memcpy-only-if-AVX2-is-available.patch
===================================================================
>From 1bf9d48aec087062e2a14b77cb5ee1fa81be334c Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.to...@gmail.com>
Date: Fri, 30 Jan 2015 06:50:20 -0800
Subject: [PATCH] Use AVX unaligned memcpy only if AVX2 is available

memcpy with unaligned 256-bit AVX register loads/stores are slow on older
processors like Sandy Bridge.  This patch adds bit_AVX_Fast_Unaligned_Load
and sets it only when AVX2 is available.

        [BZ #17801]
        * sysdeps/x86_64/multiarch/init-arch.c (__init_cpu_features):
        Set the bit_AVX_Fast_Unaligned_Load bit for AVX2.
        * sysdeps/x86_64/multiarch/init-arch.h (bit_AVX_Fast_Unaligned_Load):
        New.
        (index_AVX_Fast_Unaligned_Load): Likewise.
        (HAS_AVX_FAST_UNALIGNED_LOAD): Likewise.
        * sysdeps/x86_64/multiarch/memcpy.S (__new_memcpy): Check the
        bit_AVX_Fast_Unaligned_Load bit instead of the bit_AVX_Usable bit.
        * sysdeps/x86_64/multiarch/memcpy_chk.S (__memcpy_chk): Likewise.
        * sysdeps/x86_64/multiarch/mempcpy.S (__mempcpy): Likewise.
        * sysdeps/x86_64/multiarch/mempcpy_chk.S (__mempcpy_chk): Likewise.
        * sysdeps/x86_64/multiarch/memmove.c (__libc_memmove): Replace
        HAS_AVX with HAS_AVX_FAST_UNALIGNED_LOAD.
        * sysdeps/x86_64/multiarch/memmove_chk.c (__memmove_chk): Likewise.

(cherry picked from commit 5f3d0b78e011d2a72f9e88b0e9ef5bc081d18f97)

Conflicts:
        ChangeLog
        NEWS
---
 ChangeLog                              | 18 ++++++++++++++++++
 NEWS                                   |  3 ++-
 sysdeps/x86_64/multiarch/init-arch.c   |  9 +++++++--
 sysdeps/x86_64/multiarch/init-arch.h   |  4 ++++
 sysdeps/x86_64/multiarch/memcpy.S      |  2 +-
 sysdeps/x86_64/multiarch/memcpy_chk.S  |  2 +-
 sysdeps/x86_64/multiarch/memmove.c     |  2 +-
 sysdeps/x86_64/multiarch/memmove_chk.c |  2 +-
 sysdeps/x86_64/multiarch/mempcpy.S     |  2 +-
 sysdeps/x86_64/multiarch/mempcpy_chk.S |  2 +-
 10 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 7a2e6c9..a6461e6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,21 @@
+2015-02-16  H.J. Lu  <hongjiu...@intel.com>
+
+       [BZ #17801]
+       * sysdeps/x86_64/multiarch/init-arch.c (__init_cpu_features):
+       Set the bit_AVX_Fast_Unaligned_Load bit for AVX2.
+       * sysdeps/x86_64/multiarch/init-arch.h (bit_AVX_Fast_Unaligned_Load):
+       New.
+       (index_AVX_Fast_Unaligned_Load): Likewise.
+       (HAS_AVX_FAST_UNALIGNED_LOAD): Likewise.
+       * sysdeps/x86_64/multiarch/memcpy.S (__new_memcpy): Check the
+       bit_AVX_Fast_Unaligned_Load bit instead of the bit_AVX_Usable bit.
+       * sysdeps/x86_64/multiarch/memcpy_chk.S (__memcpy_chk): Likewise.
+       * sysdeps/x86_64/multiarch/mempcpy.S (__mempcpy): Likewise.
+       * sysdeps/x86_64/multiarch/mempcpy_chk.S (__mempcpy_chk): Likewise.
+       * sysdeps/x86_64/multiarch/memmove.c (__libc_memmove): Replace
+       HAS_AVX with HAS_AVX_FAST_UNALIGNED_LOAD.
+       * sysdeps/x86_64/multiarch/memmove_chk.c (__memmove_chk): Likewise.
+
 2015-02-16  Leonhard Holz  <leonhard.h...@web.de>
 
        [BZ #16009]
diff --git a/NEWS b/NEWS
index f578805..0eb3fb3 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,8 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  16009, 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630.
+  16009, 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630,
+  17801.
 
 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
   under certain input conditions resulting in the execution of a shell for
diff --git a/sysdeps/x86_64/multiarch/init-arch.c 
b/sysdeps/x86_64/multiarch/init-arch.c
index 2a6dcb7..f7c1bbe 100644
--- a/sysdeps/x86_64/multiarch/init-arch.c
+++ b/sysdeps/x86_64/multiarch/init-arch.c
@@ -167,9 +167,14 @@ __init_cpu_features (void)
          /* Determine if AVX is usable.  */
          if (CPUID_AVX)
            __cpu_features.feature[index_AVX_Usable] |= bit_AVX_Usable;
-         /* Determine if AVX2 is usable.  */
+#if index_AVX2_Usable != index_AVX_Fast_Unaligned_Load
+# error index_AVX2_Usable != index_AVX_Fast_Unaligned_Load
+#endif
+         /* Determine if AVX2 is usable.  Unaligned load with 256-bit
+            AVX registers are faster on processors with AVX2.  */
          if (CPUID_AVX2)
-           __cpu_features.feature[index_AVX2_Usable] |= bit_AVX2_Usable;
+           __cpu_features.feature[index_AVX2_Usable]
+             |= bit_AVX2_Usable | bit_AVX_Fast_Unaligned_Load;
          /* Determine if FMA is usable.  */
          if (CPUID_FMA)
            __cpu_features.feature[index_FMA_Usable] |= bit_FMA_Usable;
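Review bot: The `#error` text in the new guard only repeats the condition and does not say why the two indices have to match. The reason is in the statement below it: `bit_AVX2_Usable | bit_AVX_Fast_Unaligned_Load` are OR-ed into the single word `feature[index_AVX2_Usable]`, so a differing index would put the new bit in a word the memcpy selectors do not read. I would word it as `# error bit_AVX_Fast_Unaligned_Load must share a feature word with bit_AVX2_Usable`. __init_cpu_features starts and ends outside this hunk.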
diff --git a/sysdeps/x86_64/multiarch/init-arch.h 
b/sysdeps/x86_64/multiarch/init-arch.h
index ef0abbd..2fc7c7c 100644
--- a/sysdeps/x86_64/multiarch/init-arch.h
+++ b/sysdeps/x86_64/multiarch/init-arch.h
@@ -25,6 +25,7 @@
 #define bit_FMA4_Usable                        (1 << 8)
 #define bit_Slow_SSE4_2                        (1 << 9)
 #define bit_AVX2_Usable                        (1 << 10)
+#define bit_AVX_Fast_Unaligned_Load    (1 << 11)
 
 /* CPUID Feature flags.  */
 
@@ -74,6 +75,7 @@
 # define index_FMA4_Usable             FEATURE_INDEX_1*FEATURE_SIZE
 # define index_Slow_SSE4_2             FEATURE_INDEX_1*FEATURE_SIZE
 # define index_AVX2_Usable             FEATURE_INDEX_1*FEATURE_SIZE
+# define index_AVX_Fast_Unaligned_Load FEATURE_INDEX_1*FEATURE_SIZE
 
 #else  /* __ASSEMBLER__ */
 
@@ -169,6 +171,7 @@ extern const struct cpu_features *__get_cpu_features (void)
 # define index_FMA4_Usable             FEATURE_INDEX_1
 # define index_Slow_SSE4_2             FEATURE_INDEX_1
 # define index_AVX2_Usable             FEATURE_INDEX_1
+# define index_AVX_Fast_Unaligned_Load FEATURE_INDEX_1
 
 # define HAS_ARCH_FEATURE(name) \
   ((__get_cpu_features ()->feature[index_##name] & (bit_##name)) != 0)
@@ -181,5 +184,6 @@ extern const struct cpu_features *__get_cpu_features (void)
 # define HAS_AVX2                      HAS_ARCH_FEATURE (AVX2_Usable)
 # define HAS_FMA                       HAS_ARCH_FEATURE (FMA_Usable)
 # define HAS_FMA4                      HAS_ARCH_FEATURE (FMA4_Usable)
+# define HAS_AVX_FAST_UNALIGNED_LOAD   HAS_ARCH_FEATURE 
(AVX_Fast_Unaligned_Load)
 
 #endif /* __ASSEMBLER__ */
diff --git a/sysdeps/x86_64/multiarch/memcpy.S 
b/sysdeps/x86_64/multiarch/memcpy.S
index e666695..10bbd39 100644
--- a/sysdeps/x86_64/multiarch/memcpy.S
+++ b/sysdeps/x86_64/multiarch/memcpy.S
@@ -33,7 +33,7 @@ ENTRY(__new_memcpy)
        jne     1f
        call    __init_cpu_features
 1:     leaq    __memcpy_avx_unaligned(%rip), %rax
-       testl   $bit_AVX_Usable, 
__cpu_features+FEATURE_OFFSET+index_AVX_Usable(%rip)
+       testl   $bit_AVX_Fast_Unaligned_Load, 
__cpu_features+FEATURE_OFFSET+index_AVX_Fast_Unaligned_Load(%rip)
        jz 1f
        ret
 1:     leaq    __memcpy_sse2(%rip), %rax
diff --git a/sysdeps/x86_64/multiarch/memcpy_chk.S 
b/sysdeps/x86_64/multiarch/memcpy_chk.S
index 076b19a..30cca20 100644
--- a/sysdeps/x86_64/multiarch/memcpy_chk.S
+++ b/sysdeps/x86_64/multiarch/memcpy_chk.S
@@ -39,7 +39,7 @@ ENTRY(__memcpy_chk)
        testl   $bit_Fast_Copy_Backward, 
__cpu_features+FEATURE_OFFSET+index_Fast_Copy_Backward(%rip)
        jz      2f
        leaq    __memcpy_chk_ssse3_back(%rip), %rax
-       testl   $bit_AVX_Usable, 
__cpu_features+FEATURE_OFFSET+index_AVX_Usable(%rip)
+       testl   $bit_AVX_Fast_Unaligned_Load, 
__cpu_features+FEATURE_OFFSET+index_AVX_Fast_Unaligned_Load(%rip)
        jz  2f
        leaq    __memcpy_chk_avx_unaligned(%rip), %rax
 2:     ret
diff --git a/sysdeps/x86_64/multiarch/memmove.c 
b/sysdeps/x86_64/multiarch/memmove.c
index 0c9af7e..2c86a4a 100644
--- a/sysdeps/x86_64/multiarch/memmove.c
+++ b/sysdeps/x86_64/multiarch/memmove.c
@@ -49,7 +49,7 @@ extern __typeof (__redirect_memmove) __memmove_avx_unaligned 
attribute_hidden;
    ifunc symbol properly.  */
 extern __typeof (__redirect_memmove) __libc_memmove;
 libc_ifunc (__libc_memmove,
-           HAS_AVX
+           HAS_AVX_FAST_UNALIGNED_LOAD
            ? __memmove_avx_unaligned
            : (HAS_SSSE3
               ? (HAS_FAST_COPY_BACKWARD
diff --git a/sysdeps/x86_64/multiarch/memmove_chk.c 
b/sysdeps/x86_64/multiarch/memmove_chk.c
index 44344f2..5ffcaec 100644
--- a/sysdeps/x86_64/multiarch/memmove_chk.c
+++ b/sysdeps/x86_64/multiarch/memmove_chk.c
@@ -30,7 +30,7 @@ extern __typeof (__memmove_chk) __memmove_chk_avx_unaligned 
attribute_hidden;
 #include "debug/memmove_chk.c"
 
 libc_ifunc (__memmove_chk,
-           HAS_AVX ? __memmove_chk_avx_unaligned :
+           HAS_AVX_FAST_UNALIGNED_LOAD ? __memmove_chk_avx_unaligned :
            (HAS_SSSE3
            ? (HAS_FAST_COPY_BACKWARD
               ? __memmove_chk_ssse3_back : __memmove_chk_ssse3)
diff --git a/sysdeps/x86_64/multiarch/mempcpy.S 
b/sysdeps/x86_64/multiarch/mempcpy.S
index 7589d8c..e205ef5 100644
--- a/sysdeps/x86_64/multiarch/mempcpy.S
+++ b/sysdeps/x86_64/multiarch/mempcpy.S
@@ -37,7 +37,7 @@ ENTRY(__mempcpy)
        testl   $bit_Fast_Copy_Backward, 
__cpu_features+FEATURE_OFFSET+index_Fast_Copy_Backward(%rip)
        jz      2f
        leaq    __mempcpy_ssse3_back(%rip), %rax
-       testl   $bit_AVX_Usable, 
__cpu_features+FEATURE_OFFSET+index_AVX_Usable(%rip)
+       testl   $bit_AVX_Fast_Unaligned_Load, 
__cpu_features+FEATURE_OFFSET+index_AVX_Fast_Unaligned_Load(%rip)
        jz      2f
        leaq    __mempcpy_avx_unaligned(%rip), %rax
 2:     ret
diff --git a/sysdeps/x86_64/multiarch/mempcpy_chk.S 
b/sysdeps/x86_64/multiarch/mempcpy_chk.S
index 88e0b74..dd777df 100644
--- a/sysdeps/x86_64/multiarch/mempcpy_chk.S
+++ b/sysdeps/x86_64/multiarch/mempcpy_chk.S
@@ -39,7 +39,7 @@ ENTRY(__mempcpy_chk)
        testl   $bit_Fast_Copy_Backward, 
__cpu_features+FEATURE_OFFSET+index_Fast_Copy_Backward(%rip)
        jz      2f
        leaq    __mempcpy_chk_ssse3_back(%rip), %rax
-       testl   $bit_AVX_Usable, 
__cpu_features+FEATURE_OFFSET+index_AVX_Usable(%rip)
+       testl   $bit_AVX_Fast_Unaligned_Load, 
__cpu_features+FEATURE_OFFSET+index_AVX_Fast_Unaligned_Load(%rip)
        jz      2f
        leaq    __mempcpy_chk_avx_unaligned(%rip), %rax
 2:     ret
-- 
2.3.0




1.1                  
src/patchsets/glibc/2.20/00_all_0036-CVE-2015-1472-wscanf-allocates-too-little-memory.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0036-CVE-2015-1472-wscanf-allocates-too-little-memory.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.20/00_all_0036-CVE-2015-1472-wscanf-allocates-too-little-memory.patch?rev=1.1&content-type=text/plain

Index: 00_all_0036-CVE-2015-1472-wscanf-allocates-too-little-memory.patch
===================================================================
>From 4d54424420c6300efbf57a7b9aa8635a8b8c1942 Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov <ppluzhni...@google.com>
Date: Fri, 6 Feb 2015 00:30:42 -0500
Subject: [PATCH] CVE-2015-1472: wscanf allocates too little memory

BZ #16618

Under certain conditions wscanf can allocate too little memory for the
to-be-scanned arguments and overflow the allocated buffer.  The
implementation now correctly computes the required buffer size when
using malloc.

A regression test was added to tst-sscanf.

(cherry picked from commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06)

Conflicts:
        ChangeLog
        NEWS
---
 ChangeLog                 |  8 ++++++++
 NEWS                      |  9 +++++++--
 stdio-common/tst-sscanf.c | 33 +++++++++++++++++++++++++++++++++
 stdio-common/vfscanf.c    | 12 ++++++------
 4 files changed, 54 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a6461e6..ccce486 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-02-16  Paul Pluzhnikov  <ppluzhni...@google.com>
+
+       [BZ #16618]
+       * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
+       * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
+       size in bytes. Store needed elements in wpmax. Use needed size
+       in bytes for extend_alloca.
+
 2015-02-16  H.J. Lu  <hongjiu...@intel.com>
 
        [BZ #17801]
diff --git a/NEWS b/NEWS
index 0eb3fb3..976f2ea 100644
--- a/NEWS
+++ b/NEWS
@@ -9,8 +9,13 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  16009, 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625, 17630,
-  17801.
+  16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625,
+  17630, 17801.
+
+* CVE-2015-1472 Under certain conditions wscanf can allocate too little
+  memory for the to-be-scanned arguments and overflow the allocated
+  buffer.  The implementation now correctly computes the required buffer
+  size when using malloc.
 
 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
   under certain input conditions resulting in the execution of a shell for
diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
index 9fef93a..6394fe1 100644
--- a/stdio-common/tst-sscanf.c
+++ b/stdio-common/tst-sscanf.c
@@ -233,5 +233,38 @@ main (void)
        }
     }
 
+  /* BZ #16618
+     The test will segfault during SSCANF if the buffer overflow
+     is not fixed.  The size of `s` is such that it forces the use
+     of malloc internally and this triggers the incorrect computation.
+     Thus the value for SIZE is arbitrariy high enough that malloc
+     is used.  */
+  {
+#define SIZE 131072
+    CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
+    if (s == NULL)
+      abort ();
+    for (size_t i = 0; i < SIZE; i++)
+      s[i] = L('0');
+    s[SIZE] = L('\0');
+    int i = 42;
+    /* Scan multi-digit zero into `i`.  */
+    if (SSCANF (s, L("%d"), &i) != 1)
+      {
+       printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
+       result = 1;
+      }
+    if (i != 0)
+      {
+       printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
+       result = 1;
+      }
+    free (s);
+    if (result != 1)
+      printf ("PASS: bug16618: Did not crash.\n");
+#undef SIZE
+  }
+
+
   return result;
 }
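Review bot: The closing `if (result != 1)` check reads the test-wide `result`, not the outcome of this block, so a failure recorded by an earlier case in main suppresses the PASS line even when the bug16618 scan behaved correctly. A block-local flag would keep the report accurate: declare `int bug16618_failed = 0;`, set it next to each `result = 1;`, and print on `if (!bug16618_failed)`. The comment above the block also has a typo, `arbitrariy` for "arbitrarily". main begins outside this hunk.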
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index e0d2245..a4f06b4 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, 
_IO_va_list argptr,
       if (__glibc_unlikely (wpsize == wpmax))                                \
        {                                                                   \
          CHAR_T *old = wp;                                                 \
-         size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax                       \
-                           ? UCHAR_MAX + 1 : 2 * wpmax);                   \
-         if (use_malloc || !__libc_use_alloca (newsize))                   \
+         bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); 
\
+         size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax);                   \
+         size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX;      \
+         if (!__libc_use_alloca (newsize))                                 \
            {                                                               \
              wp = realloc (use_malloc ? wp : NULL, newsize);               \
              if (wp == NULL)                                               \
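Review bot: The new condition `if (!__libc_use_alloca (newsize))` drops the `use_malloc ||` term, so keeping a heap buffer away from `extend_alloca` now depends on `__libc_use_alloca` never accepting a size larger than one it has already rejected. That presumably holds because newsize only grows, but it is an implicit invariant in a macro that was just fixed for a buffer overflow. If it ever broke, a malloc'ed `wp` would reach the `extend_alloca` call in the else branch shown in the next hunk. Keeping the explicit guard costs nothing: `if (use_malloc || !__libc_use_alloca (newsize))`. The macro body starts before this hunk and continues past it.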
@@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, 
_IO_va_list argptr,
                }                                                           \
              if (! use_malloc)                                             \
                MEMCPY (wp, old, wpsize);                                   \
-             wpmax = newsize;                                              \
+             wpmax = wpneed;                                               \
              use_malloc = true;                                            \
            }                                                               \
          else                                                              \
            {                                                               \
              size_t s = wpmax * sizeof (CHAR_T);                           \
-             wp = (CHAR_T *) extend_alloca (wp, s,                         \
-                                            newsize * sizeof (CHAR_T));    \
+             wp = (CHAR_T *) extend_alloca (wp, s, newsize);               \
              wpmax = s / sizeof (CHAR_T);                                  \
              if (old != NULL)                                              \
                MEMCPY (wp, old, wpsize);                                   \
-- 
2.3.0




