glibc:release/2.20/master

Last commit made on 2016-05-24
Get this branch:
git clone -b release/2.20/master https://git.launchpad.net/glibc

Branch information

Name:
release/2.20/master
Repository:
lp:glibc

Recent commits

916ef0f... by Florian Weimer

CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]

The defensive copy is not needed because the name may not alias the
output buffer.

(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
(cherry picked from commit f5b3338d70a7a2c626331ac4589b6deb2f610432)

afc4daa... by Ppluzhnikov-google

Fix BZ #17905

(cherry picked from commit 0f58539030e436449f79189b6edab17d7479796e)

c5bbc09... by Florian Weimer

hsearch_r: Apply VM size limit in test case

(cherry picked from commit f34f146e682d8d529dcf64b3c2781bf3f2f05f6c)

902072e... by Florian Weimer

Improve check against integer wraparound in hcreate_r [BZ #18240]

(cherry picked from commit bae7c7c764413b23e61cb099ce33be4c4ee259bb)

03e3ee4... by Ondřej Bílka

Handle overflow in __hcreate_r

Hi,

As in the bugzilla entry, there is an overflow in hsearch when looking for a prime
number, as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting large
inputs before looking for a prime.

 * misc/hsearch_r.c (__hcreate_r): Handle overflow.

(cherry picked from commit 2f5c1750558fe64bac361f52d6827ab1bcfe52bc)

3822125... by Florian Weimer

CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779]

Instead, we store the data we need from the return value of
readdir in an object of the new type struct readdir_result.
This type is independent of the layout of struct dirent.

(cherry picked from commit 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea)

75cf90e... by Florian Weimer

glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir

Previously, application code had to set up the d_namlen member if
the target supported it, involving conditional compilation. After
this change, glob will use the length of the string in d_name instead
of d_namlen to determine the file name length. All glibc targets
provide the d_type and d_ino members, and setting them as needed for
gl_readdir is straightforward.

Changing the behavior with regards to d_ino is left to a future
cleanup.

(cherry picked from commit 137fe72eca6923a00381a3ca9f0e7672c1f85e3f)

1029487... by Florian Weimer

CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010]

When converting a struct hostent response to struct gaih_addrtuple, the
gethosts macro (which is called from gaih_inet) used alloca, without
malloc fallback for large responses. This commit changes this code to
use calloc unconditionally.

This commit also consolidated a second hostent-to-gaih_addrtuple
conversion loop (in gaih_inet) to use the new conversion function.

(cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9)

edbab24... by Stefan Liebler

S390: Fix "backtrace() returns infinitely deep stack frames with makecontext()" [BZ #18508].

On s390/s390x backtrace(buffer, size) returns the series of called functions until
"makecontext_ret" and additional entries (up to "size") with "makecontext_ret".
GDB-backtrace is also warning:
"Backtrace stopped: previous frame identical to this frame (corrupt stack?)"

To reproduce this scenario you have to set up a new context with makecontext()
and activate it with setcontext(). See e.g. the cf() function in testcase stdlib/tst-makecontext.c.
Or see the bug in libgo "Bug 66303 - runtime.Caller() returns infinitely deep stack frames
on s390x" (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66303).

This patch omits the cfi_startproc/cfi_endproc directives in ENTRY/END macro of
__makecontext_ret. Thus no frame information is generated in .eh_frame and backtrace
stops after __makecontext_ret. There is also no .eh_frame info for _start or
thread_start functions.

ChangeLog:

 [BZ #18508]
 * stdlib/Makefile ($(objpfx)tst-makecontext3):
 Depend on $(libdl).
 * stdlib/tst-makecontext.c (cf): Test that _Unwind_Backtrace
 is not called infinitely many times.
 (backtrace_helper): New function.
 (trace_arg): New struct.
 (st1): Enlarge stack size.
 * sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S:
 (__makecontext_ret): Omit cfi_startproc and cfi_endproc.
 * sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S:
 Likewise.

(cherry picked from commit 890b7a4b33d482b5c768ab47d70758b80227e9bc)

ee35f1c... by Stefan Liebler

S/390: Fix setcontext/swapcontext which are not restoring sigmask.

This patch uses sigprocmask(SIG_SETMASK) instead of SIG_BLOCK
in setcontext, swapcontext.

(cherry picked from commit 2e807f29595eb5b1e5d0decc6e356a3562ecc58e)