[OE-core] [morty][PATCH] glibc: Fix CVE-2015-5180

Yuanjie Huang yuanjie.huang at windriver.com
Tue Jul 18 06:14:45 UTC 2017


Backport upstream patch to fix NULL pointer dereference and process
crash in libresolv. (CVE-2015-5180)

Signed-off-by: Yuanjie Huang <yuanjie.huang at windriver.com>
---
 meta/recipes-core/glibc/glibc/CVE-2015-5180.patch | 136 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.24.bb             |   1 +
 2 files changed, 137 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-5180.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-5180.patch b/meta/recipes-core/glibc/glibc/CVE-2015-5180.patch
new file mode 100644
index 0000000000..638f652c4d
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-5180.patch
@@ -0,0 +1,136 @@
+From a8476611d5bca2032a2d18c503996762ac26a489 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer at redhat.com>
+Date: Sat, 31 Dec 2016 20:22:09 +0100
+Subject: CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ #18784]
+
+Also rename T_UNSPEC because an upcoming public header file
+update will use that name.
+
+(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)
+
+Upstream-Status: Backport[master]
+CVE: CVE-2015-5180
+Signed-off-by: Yuanjie Huang <yuanjie.huang at windriver.com>
+---
+ ChangeLog                     | 11 +++++++++++
+ NEWS                          |  6 ++++++
+ include/arpa/nameser_compat.h |  6 +++---
+ resolv/nss_dns/dns-host.c     |  2 +-
+ resolv/res_mkquery.c          |  4 ++++
+ resolv/res_query.c            |  6 +++---
+ 6 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 0fbda9020e..180634e658 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,14 @@
++2017-03-07  Siddhesh Poyarekar  <siddhesh at sourceware.org>
++
++	[BZ #18784]
++	CVE-2015-5180
++	* include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
++	T_UNSPEC.  Adjust value.
++	* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
++	* resolv/res_query.c (__libc_res_nquery): Likewise.
++	* resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
++	QTYPEs.
++
+ 2016-01-28  Carlos O'Donell  <carlos at redhat.com>
+ 	    Alexey Makhalov <amakhalov at vmware.com>
+ 	    Florian Weimer <fweimer at redhat.com>
+diff --git a/NEWS b/NEWS
+index b0447e7169..366f602aac 100644
+--- a/NEWS
++++ b/NEWS
+@@ -71,6 +71,12 @@ Security related changes:
+   and exits.  Over time, this could result in a denial of service due to
+   memory exhaustion.  Reported by Matthias Schiffer.  (CVE-2016-5417)
+ 
++* The DNS stub resolver functions would crash due to a NULL pointer
++  dereference when processing a query with a valid DNS question type which
++  was used internally in the implementation.  The stub resolver now uses a
++  question type which is outside the range of valid question type values.
++  (CVE-2015-5180)
++
+ The following bugs are resolved with this release:
+ 
+   [1170] localedata: ne_NP: update Nepali locale definition file
+diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
+index 2e735ede4c..7c0deed9ae 100644
+--- a/include/arpa/nameser_compat.h
++++ b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include <resolv/arpa/nameser_compat.h>
+ 
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+-   T_A and T_AAAA).  */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++   internally by the implementation.  */
++#define T_QUERY_A_AND_AAAA 439963904
+ 
+ #endif
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 5f9e35701b..d16fa4b8ed 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+ 
+   int olderr = errno;
+   enum nss_status status;
+-  int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
++  int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
+ 			      host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ 			      &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+   if (n >= 0)
+diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c
+index 12f9730199..d80b5318e5 100644
+--- a/resolv/res_mkquery.c
++++ b/resolv/res_mkquery.c
+@@ -103,6 +103,10 @@ res_nmkquery(res_state statp,
+ 	int n;
+ 	u_char *dnptrs[20], **dpp, **lastdnptr;
+ 
++	if (class < 0 || class > 65535
++	    || type < 0 || type > 65535)
++	  return -1;
++
+ #ifdef DEBUG
+ 	if (statp->options & RES_DEBUG)
+ 		printf(";; res_nmkquery(%s, %s, %s, %s)\n",
+diff --git a/resolv/res_query.c b/resolv/res_query.c
+index 944d1a90f5..07dc6f6583 100644
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,
+ 	int n, use_malloc = 0;
+ 	u_int oflags = statp->_flags;
+ 
+-	size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
++	size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
+ 	u_char *buf = alloca (bufsize);
+ 	u_char *query1 = buf;
+ 	int nquery1 = -1;
+@@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,
+ 		printf(";; res_query(%s, %d, %d)\n", name, class, type);
+ #endif
+ 
+-	if (type == T_UNSPEC)
++	if (type == T_QUERY_A_AND_AAAA)
+ 	  {
+ 	    n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
+ 			     query1, bufsize);
+@@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,
+ 	if (__builtin_expect (n <= 0, 0) && !use_malloc) {
+ 		/* Retry just in case res_nmkquery failed because of too
+ 		   short buffer.  Shouldn't happen.  */
+-		bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
++		bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
+ 		buf = malloc (bufsize);
+ 		if (buf != NULL) {
+ 			query1 = buf;
+-- 
+2.11.0
+
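Review bot: The new range check in res_nmkquery (the `return -1` added in resolv/res_mkquery.c) signals a rejected QTYPE/class the same way a too-small output buffer does, so the `n <= 0 && !use_malloc` retry visible in the third res_query.c hunk will malloc a MAXPACKET-sized buffer and call res_nmkquery a second time for a value that can never succeed. This is harmless for the internal T_QUERY_A_AND_AAAA path, which the same hunk shows being translated to T_A/T_AAAA before res_nmkquery is called, but a caller-supplied out-of-range type now appears to take one wasted allocation before failing. A short comment on the check would make the intent clear to the next backporter, e.g. `/* Reject values that do not fit the 16-bit wire fields; internal types such as T_QUERY_A_AND_AAAA must be translated by callers before reaching here.  */`. The body of res_nmkquery and the retry path in __libc_res_nquery both extend beyond the hunk, so I cannot confirm whether a later check already short-circuits that retry.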
diff --git a/meta/recipes-core/glibc/glibc_2.24.bb b/meta/recipes-core/glibc/glibc_2.24.bb
index b60b692723..a3bdba2190 100644
--- a/meta/recipes-core/glibc/glibc_2.24.bb
+++ b/meta/recipes-core/glibc/glibc_2.24.bb
@@ -38,6 +38,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0025-Define-DUMMY_LOCALE_T-if-not-defined.patch \
            file://0026-build_local_scope.patch \
            file://0028-Bug-20116-Fix-use-after-free-in-pthread_create.patch \
+           file://CVE-2015-5180.patch \
 "
 
 SRC_URI += "\
-- 
2.11.0



