From: Sunil Dora <[email protected]> Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=839898777226a3ed88c0859f25ffe712519b4ead]
Signed-off-by: Sunil Dora <[email protected]> --- .../glibc/glibc/0023-CVE-2026-5450.patch | 135 ++++++++++++++++++ meta/recipes-core/glibc/glibc_2.43.bb | 1 + 2 files changed, 136 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0023-CVE-2026-5450.patch
diff --git a/meta/recipes-core/glibc/glibc/0023-CVE-2026-5450.patch b/meta/recipes-core/glibc/glibc/0023-CVE-2026-5450.patch
new file mode 100644
index 0000000000..22408708ac
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0023-CVE-2026-5450.patch
@@ -0,0 +1,135 @@
+From e3e9a51815d6582206eef9b3f5ce408507c81e2c Mon Sep 17 00:00:00 2001
+From: Rocket Ma <[email protected]>
+Date: Wed, 20 May 2026 07:01:58 -0700
+Subject: [PATCH] stdio-common: Fix buffer overflow in scanf %mc [BZ #34008]
+
+* stdio-common/vfscanf-internal.c: When enlarging allocated buffer with
+format %mc or %mC, glibc allocates one byte less, leading to
+user-controlled one byte overflow. This commit fixes BZ #34008, or
+CVE-2026-5450.
+
+Upstream-Status: Backport [http://sourceware.org/git/gitweb.cgi?p=glibc.git;h=839898777226a3ed88c0859f25ffe712519b4ead]
+CVE: CVE-2026-5450
+
+Reviewed-by: Carlos O'Donell <[email protected]>
+Signed-off-by: Rocket Ma <[email protected]>
+Reviewed-by: H.J. Lu <[email protected]>
+Signed-off-by: Sunil Dora <[email protected]>
+---
+ stdio-common/Makefile | 4 +++
+ stdio-common/tst-vfscanf-bz34008.c | 48 ++++++++++++++++++++++++++++++
+ stdio-common/vfscanf-internal.c | 7 ++---
+ 3 files changed, 55 insertions(+), 4 deletions(-)
+ create mode 100644 stdio-common/tst-vfscanf-bz34008.c
+
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index 21094483..0c0085e6 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -349,6 +349,7 @@ tests := \
+ tst-vfprintf-user-type \
+ tst-vfprintf-width-i18n \
+ tst-vfprintf-width-prec-alloc \
++ tst-vfscanf-bz34008 \
+ tst-wc-printf \
+ tstdiomisc \
+ tstgetln \
+@@ -564,6 +565,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \
+ tst-vfprintf-width-prec-ENV = \
+ MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
++tst-vfscanf-bz34008-ENV = \
++ MALLOC_CHECK_=3 \
++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+ tst-printf-bz25691-ENV = \
+ MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c
+new file mode 100644
+index 00000000..48371c8a
+--- /dev/null
++++ b/stdio-common/tst-vfscanf-bz34008.c
+@@ -0,0 +1,48 @@
++/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008)
++ Copyright (C) 2026 The GNU Toolchain Authors.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include "malloc/mcheck.h"
++#include <stddef.h>
++#include <stdio.h>
++#include <string.h>
++#include <wchar.h>
++#include <stdlib.h>
++#include <malloc.h>
++#include <support/check.h>
++
++#define WIDTH 0x410
++#define SCANFSTR "%1040mc"
++static int
++do_test (void)
++{
++ mcheck_pedantic (NULL);
++ char *input = malloc (WIDTH + 1);
++ TEST_VERIFY (input != NULL);
++ memset (input, 'A', WIDTH);
++ input[WIDTH] = '\0';
++
++ char *buf = NULL;
++ TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1);
++ TEST_VERIFY (buf != NULL);
++
++ free (buf);
++ free (input);
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c
+index 63b9246e..8687150d 100644
+--- a/stdio-common/vfscanf-internal.c
++++ b/stdio-common/vfscanf-internal.c
+@@ -862,8 +862,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
+ {
+ /* Enlarge the buffer. */
+ size_t newsize
+- = strsize
+- + (strsize >= width ? width - 1 : strsize);
++ = strsize + (strsize >= width ? width : strsize);
+
+ str = (char *) realloc (*strptr, newsize);
+ if (str == NULL)
+@@ -936,7 +935,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
+ && wstr == (wchar_t *) *strptr + strsize)
+ {
+ size_t newsize
+- = strsize + (strsize > width ? width - 1 : strsize);
++ = strsize + (strsize >= width ? width : strsize);
+ /* Enlarge the buffer. */
+ wstr = (wchar_t *) realloc (*strptr,
+ newsize * sizeof (wchar_t));
+@@ -991,7 +990,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr,
+ && wstr == (wchar_t *) *strptr + strsize)
+ {
+ size_t newsize
+- = strsize + (strsize > width ? width - 1 : strsize);
++ = strsize + (strsize >= width ? width : strsize);
+ /* Enlarge the buffer. */
+ wstr = (wchar_t *) realloc (*strptr,
+ newsize * sizeof (wchar_t));
+--
+2.49.0
+
diff --git a/meta/recipes-core/glibc/glibc_2.43.bb b/meta/recipes-core/glibc/glibc_2.43.bb
index b84c55ca17..a52dcfd364 100644
--- a/meta/recipes-core/glibc/glibc_2.43.bb
+++ b/meta/recipes-core/glibc/glibc_2.43.bb
@@ -54,6 +54,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0020-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
 file://0021-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch \
 file://0022-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch \
+ file://0023-CVE-2026-5450.patch \
 "
 B = "${WORKDIR}/build-${TARGET_SYS}"
--
2.49.0
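Review bot: The regression test in stdio-common/tst-vfscanf-bz34008.c drives only the `char` path (`%1040mc` into `char *buf`), while two of the three corrected `newsize` computations in vfscanf-internal.c are the `wchar_t` sites, which the commit message appears to cover under `%mC`, so those stay unexercised. A second case along the lines of `wchar_t *wbuf = NULL; TEST_COMPARE (sscanf (input, "%1040mC", &wbuf), 1); free (wbuf);` would presumably reach one of them under the same `MALLOC_CHECK_=3` setup; the other likely needs a wide-stream call. The existing check `sscanf (input, SCANFSTR, &buf) != -1` also passes when nothing was converted, so comparing the return value with 1 is tighter. Because this file is marked Upstream-Status: Backport, the test extension is better proposed upstream than carried as a local divergence. The three vfscanf-internal.c hunks show only fragments of `__vfscanf_internal`, so the realloc failure handling after each `newsize` is not visible here.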
