diff --git a/backport-CVE-2020-1751-Fix-array-overflow-in-backtrace-on-PowerPC-bug-25423.patch b/backport-CVE-2020-1751-Fix-array-overflow-in-backtrace-on-PowerPC-bug-25423.patch new file mode 100644 index 0000000000000000000000000000000000000000..4bb478d422938c94efa12de790ae6b124be22161 --- /dev/null +++ b/backport-CVE-2020-1751-Fix-array-overflow-in-backtrace-on-PowerPC-bug-25423.patch @@ -0,0 +1,68 @@ +From d93769405996dfc11d216ddbe415946617b5a494 Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Mon, 20 Jan 2020 17:01:50 +0100 +Subject: [PATCH] Fix array overflow in backtrace on PowerPC (bug 25423) + +When unwinding through a signal frame the backtrace function on PowerPC +didn't check array bounds when storing the frame address. Fixes commit +d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines"). + +Signed-off-by: wuxu.wu +--- + debug/tst-backtrace5.c | 12 ++++++++++++ + sysdeps/powerpc/powerpc32/backtrace.c | 2 ++ + sysdeps/powerpc/powerpc64/backtrace.c | 2 ++ + 3 files changed, 16 insertions(+) + +diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c +index e7ce410..b2f4616 100644 +--- a/debug/tst-backtrace5.c ++++ b/debug/tst-backtrace5.c +@@ -89,6 +89,18 @@ handle_signal (int signum) + } + /* Symbol names are not available for static functions, so we do not + check do_test. */ ++ ++ /* Check that backtrace does not return more than what fits in the array ++ (bug 25423). */ ++ for (int j = 0; j < NUM_FUNCTIONS; j++) ++ { ++ n = backtrace (addresses, j); ++ if (n > j) ++ { ++ FAIL (); ++ return; ++ } ++ } + } + + NO_INLINE int +diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c +index 7c2d472..d1456c8 100644 +--- a/sysdeps/powerpc/powerpc32/backtrace.c ++++ b/sysdeps/powerpc/powerpc32/backtrace.c +@@ -114,6 +114,8 @@ __backtrace (void **array, int size) + } + if (gregset) + { ++ if (count + 1 == size) ++ break; + array[++count] = (void*)((*gregset)[PT_NIP]); + current = (void*)((*gregset)[PT_R1]); + } +diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c +index 65c260a..8a53a10 100644 +--- a/sysdeps/powerpc/powerpc64/backtrace.c ++++ b/sysdeps/powerpc/powerpc64/backtrace.c +@@ -87,6 +87,8 @@ __backtrace (void **array, int size) + if (is_sigtramp_address (current->return_address)) + { + struct signal_frame_64 *sigframe = (struct signal_frame_64*) current; ++ if (count + 1 == size) ++ break; + array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP]; + current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1]; + } +-- +1.8.3.1 + diff --git a/glibc.spec b/glibc.spec index 48610cc00beecab3cc90d0eb0b18a791a7983379..3fcbac78bf71738cd96656344f9bb6a21d3015da 100644 --- a/glibc.spec +++ b/glibc.spec @@ -26,7 +26,7 @@ # - Run smoke tests with valgrind to verify dynamic loader. # - Default: Always run valgrind tests if there is architecture support. ############################################################################## -%bcond_with testsuite +%bcond_without testsuite %bcond_without benchtests %bcond_with bootstrap %bcond_without werror @@ -59,7 +59,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 39 +Release: 40 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -76,6 +76,7 @@ Source7: LanguageList Patch0: Fix-use-after-free-in-glob-when-expanding-user-bug-2.patch Patch1: backport-Kunpeng-patches.patch Patch2: Avoid-ldbl-96-stack-corruption-from-range-reduction-.patch +Patch3: backport-CVE-2020-1751-Fix-array-overflow-in-backtrace-on-PowerPC-bug-25423.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -920,6 +921,9 @@ fi %changelog +* Sat May 23 2020 liqingqing - 2.28-40 +- Fix array overflow in backtrace on PowerPC (bug 25423) + * Thu May 28 2020 jdkboy - 2.28-39 - Disable compilation warnings temporarily