From 681e254565f2cd1f8fe2b16748d43e8926e8739d Mon Sep 17 00:00:00 2001
From: liqingqing_1229
Date: Sat, 23 May 2020 16:50:24 +0800
Subject: [PATCH 1/2] fix CVE-2020-1751: Fix array overflow in backtrace on PowerPC (bug 25423)
---
 ...ow-in-backtrace-on-PowerPC-bug-25423.patch | 68 +++++++++++++++++++
 glibc.spec | 6 +-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2020-1751-Fix-array-overflow-in-backtrace-on-PowerPC-bug-25423.patch
diff --git a/backport-CVE-2020-1751-Fix-array-overflow-in-backtrace-on-PowerPC-bug-25423.patch b/backport-CVE-2020-1751-Fix-array-overflow-in-backtrace-on-PowerPC-bug-25423.patch
new file mode 100644
index 0000000..4bb478d
--- /dev/null
+++ b/backport-CVE-2020-1751-Fix-array-overflow-in-backtrace-on-PowerPC-bug-25423.patch
@@ -0,0 +1,68 @@
+From d93769405996dfc11d216ddbe415946617b5a494 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab
+Date: Mon, 20 Jan 2020 17:01:50 +0100
+Subject: [PATCH] Fix array overflow in backtrace on PowerPC (bug 25423)
+
+When unwinding through a signal frame the backtrace function on PowerPC
+didn't check array bounds when storing the frame address. Fixes commit
+d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
+
+Signed-off-by: wuxu.wu
+---
+ debug/tst-backtrace5.c | 12 ++++++++++++
+ sysdeps/powerpc/powerpc32/backtrace.c | 2 ++
+ sysdeps/powerpc/powerpc64/backtrace.c | 2 ++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c
+index e7ce410..b2f4616 100644
+--- a/debug/tst-backtrace5.c
++++ b/debug/tst-backtrace5.c
+@@ -89,6 +89,18 @@ handle_signal (int signum)
+ }
+ /* Symbol names are not available for static functions, so we do not
+ check do_test. */
++
++ /* Check that backtrace does not return more than what fits in the array
++ (bug 25423). */
++ for (int j = 0; j < NUM_FUNCTIONS; j++)
++ {
++ n = backtrace (addresses, j);
++ if (n > j)
++ {
++ FAIL ();
++ return;
++ }
++ }
+ }
+
+ NO_INLINE int
+diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c
+index 7c2d472..d1456c8 100644
+--- a/sysdeps/powerpc/powerpc32/backtrace.c
++++ b/sysdeps/powerpc/powerpc32/backtrace.c
+@@ -114,6 +114,8 @@ __backtrace (void **array, int size)
+ }
+ if (gregset)
+ {
++ if (count + 1 == size)
++ break;
+ array[++count] = (void*)((*gregset)[PT_NIP]);
+ current = (void*)((*gregset)[PT_R1]);
+ }
+diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c
+index 65c260a..8a53a10 100644
+--- a/sysdeps/powerpc/powerpc64/backtrace.c
++++ b/sysdeps/powerpc/powerpc64/backtrace.c
+@@ -87,6 +87,8 @@ __backtrace (void **array, int size)
+ if (is_sigtramp_address (current->return_address))
+ {
+ struct signal_frame_64 *sigframe = (struct signal_frame_64*) current;
++ if (count + 1 == size)
++ break;
+ array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP];
+ current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1];
+ }
+--
+1.8.3.1
+
diff --git a/glibc.spec b/glibc.spec
index 477c223..5c28e6d 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -59,7 +59,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.28
-Release: 38
+Release: 39
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -76,6 +76,7 @@
 Source7: LanguageList
 Patch0: Fix-use-after-free-in-glob-when-expanding-user-bug-2.patch
 Patch1: backport-Kunpeng-patches.patch
 Patch2: Avoid-ldbl-96-stack-corruption-from-range-reduction-.patch
+Patch3: backport-CVE-2020-1751-Fix-array-overflow-in-backtrace-on-PowerPC-bug-25423.patch
 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
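Review bot: In both `sysdeps/powerpc/powerpc32/backtrace.c` and `sysdeps/powerpc/powerpc64/backtrace.c` the new `if (count + 1 == size) break;` leaves `count` un-incremented although `array[count]` presumably already holds the trampoline's own return address from earlier in the same iteration (that store and the `for` header are outside the hunk, but the `array[++count]` idiom implies it), so if the loop only advances `count` in its step clause the function returns `size - 1` while `size` valid entries were written. The bounds check itself is right and removes the out-of-bounds store behind CVE-2020-1751, so this is a lost entry rather than a memory-safety problem, and the added test only pins `n <= j`, so it would not notice the undercount. If the trampoline frame should still be reported when the interrupted PC no longer fits, `count++; break;` keeps the return value consistent with the array contents; either way a comment above the check, `/* No room for the interrupted PC: stop before writing past the end of array.  */`, would record the decision for the next backport. `__backtrace` begins and ends outside the hunk in both files.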
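Review bot: The new `Patch3:` line only declares the backport; unless `%prep` (outside this hunk) applies the patch list with `%autosetup -p1` or an equivalent loop, a matching `%patch3 -p1` is needed or the CVE-2020-1751 fix is declared but never compiled in, which is worth confirming before the release is tagged. Since this spec already carries several backports, a one-line comment above the entry naming the upstream commit, `# upstream d93769405996dfc11d216ddbe415946617b5a494, CVE-2020-1751 (bug 25423)`, makes the next rebase and any CVE audit easier.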
@@ -920,6 +921,9 @@ fi
 %changelog
+* Sat May 23 2020 liqingqing - 2.28-39
+- Fix array overflow in backtrace on PowerPC (bug 25423)
+
 * Tue Apr 28 2020 liqingqing - 2.28-38
 - Avoid ldbl-96 stack corruption from range reduction of pseudo-zero (bug 25487)
--
Gitee
From d77cf6779ca4ead50877480e0ff5b142c039cc7e Mon Sep 17 00:00:00 2001
From: liqingqing
Date: Thu, 28 May 2020 20:32:07 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E5=9B=9E=E5=90=88CVE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 glibc.spec | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/glibc.spec b/glibc.spec
index 5c28e6d..0cb9a64 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -59,7 +59,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.28
-Release: 39
+Release: 40
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -343,7 +343,7 @@ touch locale/programs/*-kw.h
 ##############################################################################
 %build
-BuildFlags="-O2 -g"
+BuildFlags="-O2 -g -Wno-error"
 reference=" \
 "-Wp,-D_GLIBCXX_ASSERTIONS" \
 "-fasynchronous-unwind-tables" \
@@ -921,9 +921,12 @@ fi
 %changelog
-* Sat May 23 2020 liqingqing - 2.28-39
+* Thu May 28 2020 liqingqing - 2.28-40
 - Fix array overflow in backtrace on PowerPC (bug 25423)
+* Thu May 28 2020 jdkboy - 2.28-39
+- Disable compilation warnings temporarily
+
 * Tue Apr 28 2020 liqingqing - 2.28-38
 - Avoid ldbl-96 stack corruption from range reduction of pseudo-zero (bug 25487)
--
Gitee
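Review bot: `-Wno-error` appended to `BuildFlags` in the `%build` hunk is a blanket downgrade that lets every warning through without failing the build, including the format-string and implicit-declaration diagnostics that glibc's default -Werror build is there to enforce, so a regression slipped in by a later backport would now compile silently; the changelog wording "Disable compilation warnings temporarily" also misdescribes it, since the warnings are still emitted and only their promotion to errors is removed. If one specific new-toolchain warning is the blocker, prefer the targeted `-Wno-error=<warning>` and keep the rest as errors; if the whole set must go, glibc's `--disable-werror` configure switch is the documented knob (the configure line is outside this hunk), and it sidesteps the question of whether a CFLAGS-level `-Wno-error` is even ordered after the `-Werror` glibc's own makefiles may add. Whichever is chosen, record the reason and the removal trigger beside the flag, e.g. `# -Wno-error: temporary, <warning> with <toolchain>; drop once fixed (<tracker id>)`, so that "temporarily" has an owner.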