[OE-core] [morty][PATCH] glibc: Fix CVE-2015-5180
akuster808
akuster808 at gmail.com
Tue Jul 18 22:06:06 UTC 2017
Yualie,
On 07/17/2017 11:14 PM, Yuanjie Huang wrote:
> Backport upstream patch to fix NULL pointer dereference and process
> crash in libresolv. (CVE-2015-5180)
I will have to hand merge the bb file as I have several other glibc
changes sitting in my contrib branch.
Thanks for the patch.
> Signed-off-by: Yuanjie Huang <yuanjie.huang at windriver.com>
> ---
> meta/recipes-core/glibc/glibc/CVE-2015-5180.patch | 136 ++++++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.24.bb | 1 +
> 2 files changed, 137 insertions(+)
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-5180.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-5180.patch b/meta/recipes-core/glibc/glibc/CVE-2015-5180.patch
> new file mode 100644
> index 0000000000..638f652c4d
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2015-5180.patch
> @@ -0,0 +1,136 @@
> +From a8476611d5bca2032a2d18c503996762ac26a489 Mon Sep 17 00:00:00 2001
> +From: Florian Weimer <fweimer at redhat.com>
> +Date: Sat, 31 Dec 2016 20:22:09 +0100
> +Subject: CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ #18784]
> +
> +Also rename T_UNSPEC because an upcoming public header file
> +update will use that name.
> +
> +(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)
> +
> +Upstream-Status: Backport[master]
> +CVE: CVE-2015-5180
> +Signed-off-by: Yuanjie Huang <yuanjie.huang at windriver.com>
> +---
> + ChangeLog | 11 +++++++++++
> + NEWS | 6 ++++++
> + include/arpa/nameser_compat.h | 6 +++---
> + resolv/nss_dns/dns-host.c | 2 +-
> + resolv/res_mkquery.c | 4 ++++
> + resolv/res_query.c | 6 +++---
> + 6 files changed, 28 insertions(+), 7 deletions(-)
> +
> +diff --git a/ChangeLog b/ChangeLog
> +index 0fbda9020e..180634e658 100644
> +--- a/ChangeLog
> ++++ b/ChangeLog
> +@@ -1,3 +1,14 @@
> ++2017-03-07 Siddhesh Poyarekar <siddhesh at sourceware.org>
> ++
> ++ [BZ #18784]
> ++ CVE-2015-5180
> ++ * include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
> ++ T_UNSPEC. Adjust value.
> ++ * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
> ++ * resolv/res_query.c (__libc_res_nquery): Likewise.
> ++ * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
> ++ QTYPEs.
> ++
> + 2016-01-28 Carlos O'Donell <carlos at redhat.com>
> + Alexey Makhalov <amakhalov at vmware.com>
> + Florian Weimer <fweimer at redhat.com>
> +diff --git a/NEWS b/NEWS
> +index b0447e7169..366f602aac 100644
> +--- a/NEWS
> ++++ b/NEWS
> +@@ -71,6 +71,12 @@ Security related changes:
> + and exits. Over time, this could result in a denial of service due to
> + memory exhaustion. Reported by Matthias Schiffer. (CVE-2016-5417)
> +
> ++* The DNS stub resolver functions would crash due to a NULL pointer
> ++ dereference when processing a query with a valid DNS question type which
> ++ was used internally in the implementation. The stub resolver now uses a
> ++ question type which is outside the range of valid question type values.
> ++ (CVE-2015-5180)
> ++
> + The following bugs are resolved with this release:
> +
> + [1170] localedata: ne_NP: update Nepali locale definition file
> +diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
> +index 2e735ede4c..7c0deed9ae 100644
> +--- a/include/arpa/nameser_compat.h
> ++++ b/include/arpa/nameser_compat.h
> +@@ -1,8 +1,8 @@
> + #ifndef _ARPA_NAMESER_COMPAT_
> + #include <resolv/arpa/nameser_compat.h>
> +
> +-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
> +- T_A and T_AAAA). */
> +-#define T_UNSPEC 62321
> ++/* The number is outside the 16-bit RR type range and is used
> ++ internally by the implementation. */
> ++#define T_QUERY_A_AND_AAAA 439963904
> +
> + #endif
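Review bot: the new comment in nameser_compat.h says the constant is outside the 16-bit RR type range but not why that matters; suggest extending it to note that the old value 62321 fit in 16 bits and could therefore collide with a real QTYPE arriving from a caller, whereas 439963904 cannot be encoded on the wire and is rejected by the range check res_nmkquery now performs, so the internal marker can no longer be confused with query data. Worth also recording in the comment that the value relies on the resolver passing the type around as an int, since a narrower type would silently truncate it.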
> +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
> +index 5f9e35701b..d16fa4b8ed 100644
> +--- a/resolv/nss_dns/dns-host.c
> ++++ b/resolv/nss_dns/dns-host.c
> +@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
> +
> + int olderr = errno;
> + enum nss_status status;
> +- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
> ++ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
> + host_buffer.buf->buf, 2048, &host_buffer.ptr,
> + &ans2p, &nans2p, &resplen2, &ans2p_malloced);
> + if (n >= 0)
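Review bot: this hunk and res_query.c are the only callers renamed in the diffstat, and the old T_UNSPEC macro is removed rather than aliased, so the backporter should grep the morty glibc 2.24 tree for any remaining T_UNSPEC reference before merging; a stale use would fail to compile rather than quietly keep the old value. The call here still goes through __libc_res_nsearch, which must forward the type unchanged to __libc_res_nquery for the T_A/T_AAAA split in that function to be taken.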
> +diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c
> +index 12f9730199..d80b5318e5 100644
> +--- a/resolv/res_mkquery.c
> ++++ b/resolv/res_mkquery.c
> +@@ -103,6 +103,10 @@ res_nmkquery(res_state statp,
> + int n;
> + u_char *dnptrs[20], **dpp, **lastdnptr;
> +
> ++ if (class < 0 || class > 65535
> ++ || type < 0 || type > 65535)
> ++ return -1;
> ++
> + #ifdef DEBUG
> + if (statp->options & RES_DEBUG)
> + printf(";; res_nmkquery(%s, %s, %s, %s)\n",
> +diff --git a/resolv/res_query.c b/resolv/res_query.c
> +index 944d1a90f5..07dc6f6583 100644
> +--- a/resolv/res_query.c
> ++++ b/resolv/res_query.c
> +@@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,
> + int n, use_malloc = 0;
> + u_int oflags = statp->_flags;
> +
> +- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
> ++ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
> + u_char *buf = alloca (bufsize);
> + u_char *query1 = buf;
> + int nquery1 = -1;
> +@@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,
> + printf(";; res_query(%s, %d, %d)\n", name, class, type);
> + #endif
> +
> +- if (type == T_UNSPEC)
> ++ if (type == T_QUERY_A_AND_AAAA)
> + {
> + n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
> + query1, bufsize);
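Review bot: this branch is where the internal type is turned into two real queries, T_A here and T_AAAA in the code that follows, so under normal use res_nmkquery never sees T_QUERY_A_AND_AAAA and the new range check in res_mkquery.c only fires for callers that bypass __libc_res_nquery; a brief comment above `if (type == T_QUERY_A_AND_AAAA)` saying that the value is an internal marker and must be split before reaching res_nmkquery would make that dependency explicit for the next backporter.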
> +@@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,
> + if (__builtin_expect (n <= 0, 0) && !use_malloc) {
> + /* Retry just in case res_nmkquery failed because of too
> + short buffer. Shouldn't happen. */
> +- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
> ++ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
> + buf = malloc (bufsize);
> + if (buf != NULL) {
> + query1 = buf;
> +--
> +2.11.0
> +
> diff --git a/meta/recipes-core/glibc/glibc_2.24.bb b/meta/recipes-core/glibc/glibc_2.24.bb
> index b60b692723..a3bdba2190 100644
> --- a/meta/recipes-core/glibc/glibc_2.24.bb
> +++ b/meta/recipes-core/glibc/glibc_2.24.bb
> @@ -38,6 +38,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> file://0025-Define-DUMMY_LOCALE_T-if-not-defined.patch \
> file://0026-build_local_scope.patch \
> file://0028-Bug-20116-Fix-use-after-free-in-pthread_create.patch \
> + file://CVE-2015-5180.patch \
> "
>
> SRC_URI += "\
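Review bot: the recipe change is a single SRC_URI line, so when hand-merging it onto the contrib branch keep it immediately before the closing quote as shown here so the trailing continuation backslashes on the preceding entries stay intact; also keep the `CVE: CVE-2015-5180` line in the patch header, since that tag is what lets cve-check mark the CVE as patched for this recipe.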