glibc:fw/bug20018-backport

Last commit made on 2019-02-04
Get this branch:
git clone -b fw/bug20018-backport https://git.launchpad.net/glibc

Branch merges

Branch information

Name:
fw/bug20018-backport
Repository:
lp:glibc

Recent commits

4e9ff10... by Florian Weimer on 2019-02-04

Restore GLIBC_PRIVATE ABI after CVE-2016-10739 fix [BZ #20018]

This commit avoids adding the __inet_aton_exact@GLIBC_PRIVATE
symbol. In master, the separately-compiled getaddrinfo
implementation in nscd needs it, however such an internal ABI change
is not desirable on a release branch if it can be avoided easily.

525478a... by Florian Weimer on 2019-01-21

CVE-2016-10739: getaddrinfo: Fully parse IPv4 address strings [BZ #20018]

The IPv4 address parser in the getaddrinfo function is changed so that
it does not ignore trailing whitespace and all characters after it.
For backwards compatibility, the getaddrinfo function still recognizes
legacy name syntax, such as 192.000.002.010 interpreted as 192.0.2.8
(octal).

This commit does not change the behavior of inet_addr and inet_aton.
gethostbyname already had additional sanity checks (but is switched
over to the new __inet_aton_exact function for completeness as well).

To avoid sending the problematic query names over DNS, commit
6ca53a2453598804a2559a548a08424fca96434a ("resolv: Do not send queries
for non-host-names in nss_dns [BZ #24112]") is needed.

(cherry picked from commit 108bc4049f8ae82710aec26a92ffdb4b439c83fd)

c3419ac... by Florian Weimer on 2019-01-21

resolv: Do not send queries for non-host-names in nss_dns [BZ #24112]

Before this commit, nss_dns would send a query which did not contain a
host name as the query name (such as invalid\032name.example.com) and
then reject the answer in getanswer_r and gaih_getanswer_slice, using
a check based on res_hnok. With this commit, no query is sent, and a
host-not-found error is returned to NSS without network interaction.

(cherry picked from commit 6ca53a2453598804a2559a548a08424fca96434a)

467741b... by Florian Weimer on 2019-01-21

resolv: Reformat inet_addr, inet_aton to GNU style

(cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0)

d09b11c... by "H.J. Lu" <email address hidden> on 2019-02-01

x86-64 strnlen/wcsnlen: Properly handle the length parameter [BZ #24097]

On x32, the size_t parameter may be passed in the lower 32 bits of a
64-bit register with the non-zero upper 32 bits. The string/memory
functions written in assembly can only use the lower 32 bits of a
64-bit register as length or must clear the upper 32 bits before using
the full 64-bit register for length.

This pach fixes strnlen/wcsnlen for x32. Tested on x86-64 and x32. On
x86-64, libc.so is the same with and withou the fix.

 [BZ #24097]
 CVE-2019-6488
 * sysdeps/x86_64/multiarch/strlen-avx2.S: Use RSI_LP for length.
 Clear the upper 32 bits of RSI register.
 * sysdeps/x86_64/strlen.S: Use RSI_LP for length.
 * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-strnlen
 and tst-size_t-wcsnlen.
 * sysdeps/x86_64/x32/tst-size_t-strnlen.c: New file.
 * sysdeps/x86_64/x32/tst-size_t-wcsnlen.c: Likewise.

(cherry picked from commit 5165de69c0908e28a380cbd4bb054e55ea4abc95)

07a42c0... by "H.J. Lu" <email address hidden> on 2019-02-01

x86-64 strncpy: Properly handle the length parameter [BZ #24097]

On x32, the size_t parameter may be passed in the lower 32 bits of a
64-bit register with the non-zero upper 32 bits. The string/memory
functions written in assembly can only use the lower 32 bits of a
64-bit register as length or must clear the upper 32 bits before using
the full 64-bit register for length.

This pach fixes strncpy for x32. Tested on x86-64 and x32. On x86-64,
libc.so is the same with and withou the fix.

 [BZ #24097]
 CVE-2019-6488
 * sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: Use RDX_LP
 for length.
 * sysdeps/x86_64/multiarch/strcpy-ssse3.S: Likewise.
 * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-strncpy.
 * sysdeps/x86_64/x32/tst-size_t-strncpy.c: New file.

(cherry picked from commit c7c54f65b080affb87a1513dee449c8ad6143c8b)

c678b80... by "H.J. Lu" <email address hidden> on 2019-02-01

x86-64 strncmp family: Properly handle the length parameter [BZ #24097]

On x32, the size_t parameter may be passed in the lower 32 bits of a
64-bit register with the non-zero upper 32 bits. The string/memory
functions written in assembly can only use the lower 32 bits of a
64-bit register as length or must clear the upper 32 bits before using
the full 64-bit register for length.

This pach fixes the strncmp family for x32. Tested on x86-64 and x32.
On x86-64, libc.so is the same with and withou the fix.

 [BZ #24097]
 CVE-2019-6488
 * sysdeps/x86_64/multiarch/strcmp-avx2.S: Use RDX_LP for length.
 * sysdeps/x86_64/multiarch/strcmp-sse42.S: Likewise.
 * sysdeps/x86_64/strcmp.S: Likewise.
 * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-strncasecmp,
 tst-size_t-strncmp and tst-size_t-wcsncmp.
 * sysdeps/x86_64/x32/tst-size_t-strncasecmp.c: New file.
 * sysdeps/x86_64/x32/tst-size_t-strncmp.c: Likewise.
 * sysdeps/x86_64/x32/tst-size_t-wcsncmp.c: Likewise.

(cherry picked from commit ee915088a0231cd421054dbd8abab7aadf331153)

17fc7de... by "H.J. Lu" <email address hidden> on 2019-02-01

x86-64 memset/wmemset: Properly handle the length parameter [BZ #24097]

On x32, the size_t parameter may be passed in the lower 32 bits of a
64-bit register with the non-zero upper 32 bits. The string/memory
functions written in assembly can only use the lower 32 bits of a
64-bit register as length or must clear the upper 32 bits before using
the full 64-bit register for length.

This pach fixes memset/wmemset for x32. Tested on x86-64 and x32. On
x86-64, libc.so is the same with and withou the fix.

 [BZ #24097]
 CVE-2019-6488
 * sysdeps/x86_64/multiarch/memset-avx512-no-vzeroupper.S: Use
 RDX_LP for length. Clear the upper 32 bits of RDX register.
 * sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S: Likewise.
 * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-wmemset.
 * sysdeps/x86_64/x32/tst-size_t-memset.c: New file.
 * sysdeps/x86_64/x32/tst-size_t-wmemset.c: Likewise.

(cherry picked from commit 82d0b4a4d76db554eb6757acb790fcea30b19965)

eee0a3d... by "H.J. Lu" <email address hidden> on 2019-02-01

x86-64 memrchr: Properly handle the length parameter [BZ #24097]

On x32, the size_t parameter may be passed in the lower 32 bits of a
64-bit register with the non-zero upper 32 bits. The string/memory
functions written in assembly can only use the lower 32 bits of a
64-bit register as length or must clear the upper 32 bits before using
the full 64-bit register for length.

This pach fixes memrchr for x32. Tested on x86-64 and x32. On x86-64,
libc.so is the same with and withou the fix.

 [BZ #24097]
 CVE-2019-6488
 * sysdeps/x86_64/memrchr.S: Use RDX_LP for length.
 * sysdeps/x86_64/multiarch/memrchr-avx2.S: Likewise.
 * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memrchr.
 * sysdeps/x86_64/x32/tst-size_t-memrchr.c: New file.

(cherry picked from commit ecd8b842cf37ea112e59cd9085ff1f1b6e208ae0)

7814034... by "H.J. Lu" <email address hidden> on 2019-02-01

x86-64 memcpy: Properly handle the length parameter [BZ #24097]

On x32, the size_t parameter may be passed in the lower 32 bits of a
64-bit register with the non-zero upper 32 bits. The string/memory
functions written in assembly can only use the lower 32 bits of a
64-bit register as length or must clear the upper 32 bits before using
the full 64-bit register for length.

This pach fixes memcpy for x32. Tested on x86-64 and x32. On x86-64,
libc.so is the same with and withou the fix.

 [BZ #24097]
 CVE-2019-6488
 * sysdeps/x86_64/multiarch/memcpy-ssse3-back.S: Use RDX_LP for
 length. Clear the upper 32 bits of RDX register.
 * sysdeps/x86_64/multiarch/memcpy-ssse3.S: Likewise.
 * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S:
 Likewise.
 * sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:
 Likewise.
 * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcpy.
 tst-size_t-wmemchr.
 * sysdeps/x86_64/x32/tst-size_t-memcpy.c: New file.

(cherry picked from commit 231c56760c1e2ded21ad96bbb860b1f08c556c7a)