Diffstat (limited to 'yocto-poky/meta/recipes-core')
70 files changed, 5073 insertions, 29 deletions
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox.inc b/yocto-poky/meta/recipes-core/busybox/busybox.inc index ed8f9fe76..4d4709a48 100644 --- a/yocto-poky/meta/recipes-core/busybox/busybox.inc +++ b/yocto-poky/meta/recipes-core/busybox/busybox.inc @@ -103,9 +103,8 @@ python () { } do_prepare_config () { - sed -e 's#@DATADIR@#${datadir}#g' \ + sed -e '/CONFIG_STATIC/d' \ < ${WORKDIR}/defconfig > ${S}/.config - sed -i -e '/CONFIG_STATIC/d' .config echo "# CONFIG_STATIC is not set" >> .config for i in 'CROSS' 'DISTRO FEATURES'; do echo "### $i"; done >> \ ${S}/.config diff --git a/yocto-poky/meta/recipes-core/busybox/busybox/0001-Switch-to-POSIX-utmpx-API.patch b/yocto-poky/meta/recipes-core/busybox/busybox/0001-Switch-to-POSIX-utmpx-API.patch new file mode 100644 index 000000000..1d299eec9 --- /dev/null +++ b/yocto-poky/meta/recipes-core/busybox/busybox/0001-Switch-to-POSIX-utmpx-API.patch 
@@ -0,0 +1,388 @@
+From 86a7f18f211af1abda5c855d2674b0fcb53de524 Mon Sep 17 00:00:00 2001
+From: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
+Date: Thu, 2 Apr 2015 23:03:46 +0200
+Subject: [PATCH] *: Switch to POSIX utmpx API
+
+UTMP is SVID legacy, UTMPX is mandated by POSIX.
+
+Glibc and uClibc have identical layout of UTMP and UTMPX, both of these
+libc treat _PATH_UTMPX as _PATH_UTMP so from a user-perspective nothing
+changes except the names of the API entrypoints.
+
+Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
+---
+Upstream-Status: Backport
+
+ coreutils/who.c | 8 ++++----
+ include/libbb.h | 2 +-
+ init/halt.c | 4 ++--
+ libbb/utmp.c | 44 ++++++++++++++++++++++----------------------
+ miscutils/last.c | 8 ++++----
+ miscutils/last_fancy.c | 16 ++++++++++------
+ miscutils/runlevel.c | 12 ++++++------
+ miscutils/wall.c | 8 ++++----
+ procps/uptime.c | 6 +++---
+ 9 files changed, 56 insertions(+), 52 deletions(-)
+
+diff --git a/coreutils/who.c b/coreutils/who.c
+index f955ce6..8337212 100644
+--- a/coreutils/who.c
++++ b/coreutils/who.c
+@@ -73,7 +73,7 @@ static void idle_string(char *str6, time_t t)
+ int who_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int who_main(int argc UNUSED_PARAM, char **argv)
+ {
+- struct utmp *ut;
++ struct utmpx *ut;
+ unsigned opt;
+ int do_users = (ENABLE_USERS && (!ENABLE_WHO || applet_name[0] == 'u'));
+ const char *fmt = "%s";
+@@ -83,8 +83,8 @@ int who_main(int argc UNUSED_PARAM, char **argv)
+ if (opt & 2) // -H
+ printf("USER\t\tTTY\t\tIDLE\tTIME\t\t HOST\n");
+
+- setutent();
+- while ((ut = getutent()) != NULL) {
++ setutxent();
++ while ((ut = getutxent()) != NULL) {
+ if (ut->ut_user[0]
+ && ((opt & 1) || ut->ut_type == USER_PROCESS)
+ ) {
+@@ -126,6 +126,6 @@ int who_main(int argc UNUSED_PARAM, char **argv)
+ if (do_users)
+ bb_putchar('\n');
+ if (ENABLE_FEATURE_CLEAN_UP)
+- endutent();
++ endutxent();
+ return EXIT_SUCCESS;
+ }
+diff --git a/include/libbb.h b/include/libbb.h
+index 26b6868..0f8363b 100644
+--- a/include/libbb.h
++++ b/include/libbb.h
+@@ -84,7 +84,7 @@
+ # include <selinux/av_permissions.h>
+ #endif
+ #if ENABLE_FEATURE_UTMP
+-# include <utmp.h>
++# include <utmpx.h>
+ #endif
+ #if ENABLE_LOCALE_SUPPORT
+ # include <locale.h>
+diff --git a/init/halt.c b/init/halt.c
+index 7974adb..ad12d91 100644
+--- a/init/halt.c
++++ b/init/halt.c
+@@ -74,7 +74,7 @@
+
+ static void write_wtmp(void)
+ {
+- struct utmp utmp;
++ struct utmpx utmp;
+ struct utsname uts;
+ /* "man utmp" says wtmp file should *not* be created automagically */
+ /*if (access(bb_path_wtmp_file, R_OK|W_OK) == -1) {
+@@ -88,7 +88,7 @@ static void write_wtmp(void)
+ utmp.ut_line[0] = '~'; utmp.ut_line[1] = '~'; /* = strcpy(utmp.ut_line, "~~"); */
+ uname(&uts);
+ safe_strncpy(utmp.ut_host, uts.release, sizeof(utmp.ut_host));
+- updwtmp(bb_path_wtmp_file, &utmp);
++ updwtmpx(bb_path_wtmp_file, &utmp);
+ }
+ #else
+ #define write_wtmp() ((void)0)
+diff --git a/libbb/utmp.c b/libbb/utmp.c
+index 8ad9ba2..bd07670 100644
+--- a/libbb/utmp.c
++++ b/libbb/utmp.c
+@@ -16,7 +16,7 @@ static void touch(const char *filename)
+
+ void FAST_FUNC write_new_utmp(pid_t pid, int new_type, const char *tty_name, const char *username, const char *hostname)
+ {
+- struct utmp utent;
++ struct utmpx utent;
+ char *id;
+ unsigned width;
+
+@@ -45,17 +45,17 @@ void FAST_FUNC write_new_utmp(pid_t pid, int new_type, const char *tty_name, con
+ tty_name += 3;
+ strncpy(id, tty_name, width);
+
+- touch(_PATH_UTMP);
+- //utmpname(_PATH_UTMP);
+- setutent();
++ touch(_PATH_UTMPX);
++ //utmpxname(_PATH_UTMPX);
++ setutxent();
+ /* Append new one (hopefully, unless we collide on ut_id) */
+- pututline(&utent);
+- endutent();
++ pututxline(&utent);
++ endutxent();
+
+ #if ENABLE_FEATURE_WTMP
+ /* "man utmp" says wtmp file should *not* be created automagically */
+ /*touch(bb_path_wtmp_file);*/
+- updwtmp(bb_path_wtmp_file, &utent);
++ updwtmpx(bb_path_wtmp_file, &utent);
+ #endif
+ }
+
+@@ -64,17 +64,17 @@ void FAST_FUNC write_new_utmp(pid_t pid, int new_type, const char *tty_name, con
+ */
+ void FAST_FUNC update_utmp(pid_t pid, int new_type, const char *tty_name, const char *username, const char *hostname)
+ {
+- struct utmp utent;
+- struct utmp *utp;
++ struct utmpx utent;
++ struct utmpx *utp;
+
+- touch(_PATH_UTMP);
+- //utmpname(_PATH_UTMP);
+- setutent();
++ touch(_PATH_UTMPX);
++ //utmpxname(_PATH_UTMPX);
++ setutxent();
+
+ /* Did init/getty/telnetd/sshd/... create an entry for us?
+ * It should be (new_type-1), but we'd also reuse
+ * any other potentially stale xxx_PROCESS entry */
+- while ((utp = getutent()) != NULL) {
++ while ((utp = getutxent()) != NULL) {
+ if (utp->ut_pid == pid
+ // && ut->ut_line[0]
+ && utp->ut_id[0] /* must have nonzero id */
+@@ -88,25 +88,25 @@ void FAST_FUNC update_utmp(pid_t pid, int new_type, const char *tty_name, const
+ /* Stale record. Nuke hostname */
+ memset(utp->ut_host, 0, sizeof(utp->ut_host));
+ }
+- /* NB: pututline (see later) searches for matching utent
+- * using getutid(utent) - we must not change ut_id
++ /* NB: pututxline (see later) searches for matching utxent
++ * using getutxid(utent) - we must not change ut_id
+ * if we want *exactly this* record to be overwritten!
+ */
+ break;
+ }
+ }
+- //endutent(); - no need, pututline can deal with (and actually likes)
++ //endutxent(); - no need, pututxline can deal with (and actually likes)
+ //the situation when utmp file is positioned on found record
+
+ if (!utp) {
+ if (new_type != DEAD_PROCESS)
+ write_new_utmp(pid, new_type, tty_name, username, hostname);
+ else
+- endutent();
++ endutxent();
+ return;
+ }
+
+- /* Make a copy. We can't use *utp, pututline's internal getutid
++ /* Make a copy. We can't use *utp, pututxline's internal getutxid
+ * will overwrite it before it is used! */
+ utent = *utp;
+
+@@ -120,14 +120,14 @@ void FAST_FUNC update_utmp(pid_t pid, int new_type, const char *tty_name, const
+ utent.ut_tv.tv_sec = time(NULL);
+
+ /* Update, or append new one */
+- //setutent();
+- pututline(&utent);
+- endutent();
++ //setutxent();
++ pututxline(&utent);
++ endutxent();
+
+ #if ENABLE_FEATURE_WTMP
+ /* "man utmp" says wtmp file should *not* be created automagically */
+ /*touch(bb_path_wtmp_file);*/
+- updwtmp(bb_path_wtmp_file, &utent);
++ updwtmpx(bb_path_wtmp_file, &utent);
+ #endif
+ }
+
+diff --git a/miscutils/last.c b/miscutils/last.c
+index a144c7e..6d8b584 100644
+--- a/miscutils/last.c
++++ b/miscutils/last.c
+@@ -32,21 +32,21 @@
+
+ #if defined UT_LINESIZE \
+ && ((UT_LINESIZE != 32) || (UT_NAMESIZE != 32) || (UT_HOSTSIZE != 256))
+-#error struct utmp member char[] size(s) have changed!
++#error struct utmpx member char[] size(s) have changed!
+ #elif defined __UT_LINESIZE \
+ && ((__UT_LINESIZE != 32) || (__UT_NAMESIZE != 64) || (__UT_HOSTSIZE != 256))
+-#error struct utmp member char[] size(s) have changed!
++#error struct utmpx member char[] size(s) have changed!
+ #endif
+
+ #if EMPTY != 0 || RUN_LVL != 1 || BOOT_TIME != 2 || NEW_TIME != 3 || \
+ OLD_TIME != 4
+-#error Values for the ut_type field of struct utmp changed
++#error Values for the ut_type field of struct utmpx changed
+ #endif
+
+ int last_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int last_main(int argc UNUSED_PARAM, char **argv UNUSED_PARAM)
+ {
+- struct utmp ut;
++ struct utmpx ut;
+ int n, file = STDIN_FILENO;
+ time_t t_tmp;
+ off_t pos;
+diff --git a/miscutils/last_fancy.c b/miscutils/last_fancy.c
+index 16ed9e9..8194e31 100644
+--- a/miscutils/last_fancy.c
++++ b/miscutils/last_fancy.c
+@@ -22,6 +22,10 @@
+ #define HEADER_LINE_WIDE "USER", "TTY", \
+ INET6_ADDRSTRLEN, INET6_ADDRSTRLEN, "HOST", "LOGIN", " TIME", ""
+
++#if !defined __UT_LINESIZE && defined UT_LINESIZE
++# define __UT_LINESIZE UT_LINESIZE
++#endif
++
+ enum {
+ NORMAL,
+ LOGGED,
+@@ -39,7 +43,7 @@ enum {
+
+ #define show_wide (option_mask32 & LAST_OPT_W)
+
+-static void show_entry(struct utmp *ut, int state, time_t dur_secs)
++static void show_entry(struct utmpx *ut, int state, time_t dur_secs)
+ {
+ unsigned days, hours, mins;
+ char duration[sizeof("(%u+02:02)") + sizeof(int)*3];
+@@ -104,7 +108,7 @@ static void show_entry(struct utmp *ut, int state, time_t dur_secs)
+ duration_str);
+ }
+
+-static int get_ut_type(struct utmp *ut)
++static int get_ut_type(struct utmpx *ut)
+ {
+ if (ut->ut_line[0] == '~') {
+ if (strcmp(ut->ut_user, "shutdown") == 0) {
+@@ -142,7 +146,7 @@ static int get_ut_type(struct utmp *ut)
+ return ut->ut_type;
+ }
+
+-static int is_runlevel_shutdown(struct utmp *ut)
++static int is_runlevel_shutdown(struct utmpx *ut)
+ {
+ if (((ut->ut_pid & 255) == '0') || ((ut->ut_pid & 255) == '6')) {
+ return 1;
+@@ -154,7 +158,7 @@ static int is_runlevel_shutdown(struct utmp *ut)
+ int last_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int last_main(int argc UNUSED_PARAM, char **argv)
+ {
+- struct utmp ut;
++ struct utmpx ut;
+ const char *filename = _PATH_WTMP;
+ llist_t *zlist;
+ off_t pos;
+@@ -242,9 +246,9 @@ int last_main(int argc UNUSED_PARAM, char **argv)
+ {
+ llist_t *el, *next;
+ for (el = zlist; el; el = next) {
+- struct utmp *up = (struct utmp *)el->data;
++ struct utmpx *up = (struct utmpx *)el->data;
+ next = el->link;
+- if (strncmp(up->ut_line, ut.ut_line, UT_LINESIZE) == 0) {
++ if (strncmp(up->ut_line, ut.ut_line, __UT_LINESIZE) == 0) {
+ if (show) {
+ show_entry(&ut, NORMAL, up->ut_tv.tv_sec);
+ show = 0;
+diff --git a/miscutils/runlevel.c b/miscutils/runlevel.c
+index 76231df..8558db8 100644
+--- a/miscutils/runlevel.c
++++ b/miscutils/runlevel.c
+@@ -29,19 +29,19 @@
+ int runlevel_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int runlevel_main(int argc UNUSED_PARAM, char **argv)
+ {
+- struct utmp *ut;
++ struct utmpx *ut;
+ char prev;
+
+- if (argv[1]) utmpname(argv[1]);
++ if (argv[1]) utmpxname(argv[1]);
+
+- setutent();
+- while ((ut = getutent()) != NULL) {
++ setutxent();
++ while ((ut = getutxent()) != NULL) {
+ if (ut->ut_type == RUN_LVL) {
+ prev = ut->ut_pid / 256;
+ if (prev == 0) prev = 'N';
+ printf("%c %c\n", prev, ut->ut_pid % 256);
+ if (ENABLE_FEATURE_CLEAN_UP)
+- endutent();
++ endutxent();
+ return 0;
+ }
+ }
+@@ -49,6 +49,6 @@ int runlevel_main(int argc UNUSED_PARAM, char **argv)
+ puts("unknown");
+
+ if (ENABLE_FEATURE_CLEAN_UP)
+- endutent();
++ endutxent();
+ return 1;
+ }
+diff --git a/miscutils/wall.c b/miscutils/wall.c
+index bb709ee..50658f4 100644
+--- a/miscutils/wall.c
++++ b/miscutils/wall.c
+@@ -32,7 +32,7 @@
+ int wall_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+ int wall_main(int argc UNUSED_PARAM, char **argv)
+ {
+- struct utmp *ut;
++ struct utmpx *ut;
+ char *msg;
+ int fd;
+
+@@ -46,8 +46,8 @@ int wall_main(int argc UNUSED_PARAM, char **argv)
+ msg = xmalloc_read(fd, NULL);
+ if (ENABLE_FEATURE_CLEAN_UP && argv[1])
+ close(fd);
+- setutent();
+- while ((ut = getutent()) != NULL) {
++ setutxent();
++ while ((ut = getutxent()) != NULL) {
+ char *line;
+ if (ut->ut_type != USER_PROCESS)
+ continue;
+@@ -56,7 +56,7 @@ int wall_main(int argc UNUSED_PARAM, char **argv)
+ free(line);
+ }
+ if (ENABLE_FEATURE_CLEAN_UP) {
+- endutent();
++ endutxent();
+ free(msg);
+ }
+ return EXIT_SUCCESS;
+diff --git a/procps/uptime.c b/procps/uptime.c
+index 778812a..149bae6 100644
+--- a/procps/uptime.c
++++ b/procps/uptime.c
+@@ -81,10 +81,10 @@ int uptime_main(int argc UNUSED_PARAM, char **argv UNUSED_PARAM)
+
+ #if ENABLE_FEATURE_UPTIME_UTMP_SUPPORT
+ {
+- struct utmp *ut;
++ struct utmpx *ut;
+ unsigned users = 0;
+- while ((ut = getutent()) != NULL) {
+- if ((ut->ut_type == USER_PROCESS) && (ut->ut_name[0] != '\0'))
++ while ((ut = getutxent()) != NULL) {
++ if ((ut->ut_type == USER_PROCESS) && (ut->ut_user[0] != '\0'))
+ users++;
+ }
+ printf(", %u users", users);
+--
+2.5.1
+
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox/0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch b/yocto-poky/meta/recipes-core/busybox/busybox/0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch
new file mode 100644
index 000000000..2bf2b91c7
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/busybox/busybox/0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch
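Review bot: The `strncmp(up->ut_line, ut.ut_line, __UT_LINESIZE)` comparison in the miscutils/last_fancy.c section of this patch is bounded by a libc-internal macro rather than by the field it reads, and the `# define __UT_LINESIZE UT_LINESIZE` fallback added above it defines a reserved identifier that only helps when the libc exposes `UT_LINESIZE`. `ut_line` is a fixed-width field that is not guaranteed to be NUL-terminated, so the bound is what keeps the read inside the record; `strncmp(up->ut_line, ut.ut_line, sizeof(up->ut_line))` ties it to the real size and drops the macro dependency (a libc with neither macro would fail to build here). The subject calls this the POSIX API, but `utmpxname()` in runlevel.c and `updwtmpx()` in halt.c and libbb/utmp.c are, as far as I know, glibc extensions rather than POSIX interfaces, so the patch header should say so.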
@@ -0,0 +1,114 @@
+From a9333eb6a7b8dbda735947cd5bc981ff9352a2c9 Mon Sep 17 00:00:00 2001
+From: Nathan Phillip Brink <ohnobinki@ohnopublishing.net>
+Date: Thu, 10 Mar 2011 00:27:08 -0500
+Subject: [PATCH 1/2] Use $(CC) when linking instead of $(LD) and use $(CFLAGS)
+ and $(EXTRA_CFLAGS) when linking.
+
+This fixes the issue where LDFLAGS escaped with -Wl are ignored during
+compilation. It also simplifies using CFLAGS or EXTRA_CFLAGS (such as
+-m32 on x86_64 or -flto) which apply to both compilation and linking
+situations.
+
+Signed-off-by: Nathan Phillip Brink <ohnobinki@ohnopublishing.net>
+---
+Upstream-Status: Pending
+
+ Makefile | 7 ++++---
+ scripts/Makefile.build | 8 ++++----
+ scripts/Makefile.lib | 13 +++----------
+ 3 files changed, 11 insertions(+), 17 deletions(-)
+
+Index: busybox-1.23.2/Makefile
+===================================================================
+--- busybox-1.23.2.orig/Makefile
++++ busybox-1.23.2/Makefile
+@@ -309,7 +309,8 @@ CHECKFLAGS := -D__linux__ -Dlinux -D
+ MODFLAGS = -DMODULE
+ CFLAGS_MODULE = $(MODFLAGS)
+ AFLAGS_MODULE = $(MODFLAGS)
+-LDFLAGS_MODULE = -r
++LDFLAGS_RELOCATABLE = -r -nostdlib
++LDFLAGS_MODULE = $(LDFLAGS_RELOCATABLE)
+ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+
+@@ -331,7 +332,7 @@ KERNELVERSION = $(VERSION).$(PATCHLEVEL)
+ export VERSION PATCHLEVEL SUBLEVEL KERNELRELEASE KERNELVERSION \
+ ARCH CONFIG_SHELL HOSTCC HOSTCFLAGS CROSS_COMPILE AS LD CC \
+ CPP AR NM STRIP OBJCOPY OBJDUMP MAKE AWK GENKSYMS PERL UTS_MACHINE \
+- HOSTCXX HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS
++ HOSTCXX HOSTCXXFLAGS LDFLAGS_RELOCATABLE LDFLAGS_MODULE CHECK CHECKFLAGS
+
+ export CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS LDFLAGS
+ export CFLAGS CFLAGS_KERNEL CFLAGS_MODULE
+@@ -610,7 +611,7 @@ quiet_cmd_busybox__ ?= LINK $@
+ cmd_busybox__ ?= $(srctree)/scripts/trylink \
+ "$@" \
+ "$(CC)" \
+- "$(CFLAGS) $(CFLAGS_busybox)" \
++ "$(CFLAGS) $(CFLAGS_busybox) $(EXTRA_CFLAGS)" \
+ "$(LDFLAGS) $(EXTRA_LDFLAGS)" \
+ "$(core-y)" \
+ "$(libs-y)" \
+Index: busybox-1.23.2/scripts/Makefile.build
+===================================================================
+--- busybox-1.23.2.orig/scripts/Makefile.build
++++ busybox-1.23.2/scripts/Makefile.build
+@@ -174,7 +174,7 @@ cmd_modversions = \
+ | $(GENKSYMS) -a $(ARCH) \
+ > $(@D)/.tmp_$(@F:.o=.ver); \
+ \
+- $(LD) $(LDFLAGS) -r -o $@ $(@D)/.tmp_$(@F) \
++ $(CC) $(ld_flags_partial) $(LDFLAGS_RELOCATABLE) -o $@ $(@D)/.tmp_$(@F) \
+ -T $(@D)/.tmp_$(@F:.o=.ver); \
+ rm -f $(@D)/.tmp_$(@F) $(@D)/.tmp_$(@F:.o=.ver); \
+ else \
+@@ -257,7 +257,7 @@ quiet_cmd_link_o_target = LD $@
+ # If the list of objects to link is empty, just create an empty built-in.o
+ # -nostdlib is added to make "make LD=gcc ..." work (some people use that)
+ cmd_link_o_target = $(if $(strip $(obj-y)),\
+- $(LD) -nostdlib $(ld_flags) -r -o $@ $(filter $(obj-y), $^),\
++ $(CC) $(ld_flags_partial) $(LDFLAGS_RELOCATABLE) -o $@ $(filter $(obj-y), $^),\
+ rm -f $@; $(AR) rcs $@)
+
+ $(builtin-target): $(obj-y) FORCE
+@@ -292,10 +292,10 @@ $($(subst $(obj)/,,$(@:.o=-objs))) \
+ $($(subst $(obj)/,,$(@:.o=-y)))), $^)
+
+ quiet_cmd_link_multi-y = LD $@
+-cmd_link_multi-y = $(LD) $(ld_flags) -r -o $@ $(link_multi_deps)
++cmd_link_multi-y = $(CC) $(ld_flags_partial) $(LDFLAGS_RELOCATABLE) -o $@ $(link_multi_deps)
+
+ quiet_cmd_link_multi-m = LD [M] $@
+-cmd_link_multi-m = $(LD) $(ld_flags) $(LDFLAGS_MODULE) -o $@ $(link_multi_deps)
++cmd_link_multi-m = $(CC) $(ld_flags) $(LDFLAGS_MODULE) -o $@ $(link_multi_deps)
+
+ # We would rather have a list of rules like
+ # foo.o: $(foo-objs)
+Index: busybox-1.23.2/scripts/Makefile.lib
+===================================================================
+--- busybox-1.23.2.orig/scripts/Makefile.lib
++++ busybox-1.23.2/scripts/Makefile.lib
+@@ -121,7 +121,8 @@ cpp_flags = -Wp,-MD,$(depfile) $(NO
+ # yet ld_flags is fed to ld.
+ #ld_flags = $(LDFLAGS) $(EXTRA_LDFLAGS)
+ # Remove the -Wl, prefix from linker options normally passed through gcc
+-ld_flags = $(filter-out -Wl$(comma)%,$(LDFLAGS) $(EXTRA_LDFLAGS))
++ld_flags = $(filter-out -Wl$(comma)%,$(LDFLAGS) $(EXTRA_LDFLAGS) $(CFLAGS) $(EXTRA_CFLAGS))
++ld_flags_partial = $($(filter-out -shared%, $(filter-out -pie%,$(ld_flags))))
+
+
+ # Finds the multi-part object the current object will be linked into
+@@ -151,10 +152,8 @@ $(obj)/%:: $(src)/%_shipped
+ # Linking
+ # ---------------------------------------------------------------------------
+
+-# TODO: LDFLAGS usually is supposed to contain gcc's flags, not ld's.
+-# but here we feed them to ld!
+-quiet_cmd_ld = LD $@
+-cmd_ld = $(LD) $(LDFLAGS) $(EXTRA_LDFLAGS) $(LDFLAGS_$(@F)) \
++quiet_cmd_ld = CC $@
++cmd_ld = $(CC) $(ld_flags) $(LDFLAGS_$(@F)) \
+ $(filter-out FORCE,$^) -o $@
+
+ # Objcopy
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox/0001-randconfig-fix.patch b/yocto-poky/meta/recipes-core/busybox/busybox/0001-randconfig-fix.patch
new file mode 100644
index 000000000..415ec3409
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/busybox/busybox/0001-randconfig-fix.patch
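Review bot: `ld_flags_partial = $($(filter-out -shared%, $(filter-out -pie%,$(ld_flags))))` in the scripts/Makefile.lib section wraps the filtered flag list in a second `$( )`, so make looks up a variable whose name is that flag list and the result is almost certainly empty; every rule that uses `$(ld_flags_partial)` then runs `$(CC)` without the intended flags. The line should read `ld_flags_partial = $(filter-out -shared%, $(filter-out -pie%,$(ld_flags)))`. In the same section `ld_flags` still filters out every `-Wl,`-prefixed word although these rules now invoke `$(CC)`, which contradicts the commit message and would drop linker hardening options such as `-Wl,-z,relro` from `cmd_ld` and `cmd_link_multi-m` if the distro passes them in `LDFLAGS`. The `trylink` call in the Makefile section passes `$(LDFLAGS) $(EXTRA_LDFLAGS)` unfiltered, so the effect is probably limited to intermediate links, but the filter and the comment above it should be revisited.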
@@ -0,0 +1,33 @@
+If CONFIG_FEATURE_LAST_SMALL is enabled the build fails because of a broken
+__UT_NAMESIZE test.
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 932302666b0354ede63504d1bef8393cab28db8b Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Sun, 11 Oct 2015 16:58:18 +0200
+Subject: [PATCH] randconfig fix
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ miscutils/last.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/miscutils/last.c b/miscutils/last.c
+index 6d8b584..f8f3437 100644
+--- a/miscutils/last.c
++++ b/miscutils/last.c
+@@ -34,7 +34,8 @@
+ && ((UT_LINESIZE != 32) || (UT_NAMESIZE != 32) || (UT_HOSTSIZE != 256))
+ #error struct utmpx member char[] size(s) have changed!
+ #elif defined __UT_LINESIZE \
+- && ((__UT_LINESIZE != 32) || (__UT_NAMESIZE != 64) || (__UT_HOSTSIZE != 256))
++ && ((__UT_LINESIZE != 32) || (__UT_NAMESIZE != 32) || (__UT_HOSTSIZE != 256))
++/* __UT_NAMESIZE was checked with 64 above, but glibc-2.11 definitely uses 32! */
+ #error struct utmpx member char[] size(s) have changed!
+ #endif
+
+--
+2.6.4
+
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox/0002-Passthrough-r-to-linker.patch b/yocto-poky/meta/recipes-core/busybox/busybox/0002-Passthrough-r-to-linker.patch
new file mode 100644
index 000000000..de286fb74
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/busybox/busybox/0002-Passthrough-r-to-linker.patch
@@ -0,0 +1,32 @@
+From df2cc76cdebc4773361477f3db203790f6986e3b Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 22 Aug 2015 23:42:40 -0700
+Subject: [PATCH 2/2] Passthrough -r to linker
+
+clang does not have -r switch and it does not pass it down to linker
+either, LDFLAGS_RELOCATABLE is used when CC is used for LD, so this
+should not cause side effects
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 9da02cb..10dd4a9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -309,7 +309,7 @@ CHECKFLAGS := -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ -Wbitwise $(C
+ MODFLAGS = -DMODULE
+ CFLAGS_MODULE = $(MODFLAGS)
+ AFLAGS_MODULE = $(MODFLAGS)
+-LDFLAGS_RELOCATABLE = -r -nostdlib
++LDFLAGS_RELOCATABLE = -Xlinker -r -nostdlib
+ LDFLAGS_MODULE = $(LDFLAGS_RELOCATABLE)
+ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+--
+2.1.4
+
diff --git a/yocto-poky/meta/recipes-core/busybox/busybox_1.23.2.bb b/yocto-poky/meta/recipes-core/busybox/busybox_1.23.2.bb
index e4d9f9718..7258df022 100644
--- a/yocto-poky/meta/recipes-core/busybox/busybox_1.23.2.bb
+++ b/yocto-poky/meta/recipes-core/busybox/busybox_1.23.2.bb
@@ -30,8 +30,12 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
 file://login-utilities.cfg \
 file://recognize_connmand.patch \
 file://busybox-cross-menuconfig.patch \
+ file://0001-Switch-to-POSIX-utmpx-API.patch \
 file://0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch \
 file://0001-chown-fix-help-text.patch \
+ file://0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch \
+ file://0002-Passthrough-r-to-linker.patch \
+ file://0001-randconfig-fix.patch \
 file://mount-via-label.cfg \
 file://sha1sum.cfg \
 file://sha256sum.cfg \
diff --git a/yocto-poky/meta/recipes-core/coreutils/coreutils-6.9/loadavg.patch b/yocto-poky/meta/recipes-core/coreutils/coreutils-6.9/loadavg.patch new file mode 100644 index 000000000..c72efd4d3 --- /dev/null +++ b/yocto-poky/meta/recipes-core/coreutils/coreutils-6.9/loadavg.patch @@ -0,0 +1,18 @@ +Remove hardcoded paths so OE's configure QA does not detect it and fail the builds +For cross compilation is less interesting to look into host paths for target libraries anyway + +Upstream-Status: Inappropriate [OE Specific] +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +Index: coreutils-6.9/m4/getloadavg.m4 +=================================================================== +--- coreutils-6.9.orig/m4/getloadavg.m4 ++++ coreutils-6.9/m4/getloadavg.m4 +@@ -49,7 +49,6 @@ if test $gl_have_func = no; then + # There is a commonly available library for RS/6000 AIX. + # Since it is not a standard part of AIX, it might be installed locally. + gl_getloadavg_LIBS=$LIBS +- LIBS="-L/usr/local/lib $LIBS" + AC_CHECK_LIB(getloadavg, getloadavg, + [LIBS="-lgetloadavg $LIBS"], [LIBS=$gl_getloadavg_LIBS]) + fi diff --git a/yocto-poky/meta/recipes-core/coreutils/coreutils_6.9.bb b/yocto-poky/meta/recipes-core/coreutils/coreutils_6.9.bb index 4ff1d50bd..e9f82abc8 100644 --- a/yocto-poky/meta/recipes-core/coreutils/coreutils_6.9.bb +++ b/yocto-poky/meta/recipes-core/coreutils/coreutils_6.9.bb @@ -9,6 +9,7 @@ LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe \ file://src/ls.c;beginline=4;endline=16;md5=15ed60f67b1db5fedd5dbc37cf8a9543" PR = "r5" +DEPENDS = "virtual/libiconv" inherit autotools gettext texinfo @@ -25,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.bz2 \ file://coreutils-build-with-acl.patch \ file://coreutils-fix-texinfo.patch \ file://fix_for_manpage_building.patch \ + file://loadavg.patch \ " SRC_URI[md5sum] = "c9607d8495f16e98906e7ed2d9751a06" 
diff --git a/yocto-poky/meta/recipes-core/coreutils/coreutils_8.24.bb b/yocto-poky/meta/recipes-core/coreutils/coreutils_8.24.bb index 034ebcda9..f04234624 100644 --- a/yocto-poky/meta/recipes-core/coreutils/coreutils_8.24.bb +++ b/yocto-poky/meta/recipes-core/coreutils/coreutils_8.24.bb @@ -62,7 +62,7 @@ do_compile_prepend () { mkdir -p ${B}/src } -do_install_append() { +do_install_append_class-target() { for i in df mktemp base64; do mv ${D}${bindir}/$i ${D}${bindir}/$i.${BPN}; done install -d ${D}${base_bindir} diff --git a/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbear@.service b/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbear@.service index 6fe994209..b420bcddc 100644 --- a/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbear@.service +++ b/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbear@.service @@ -4,8 +4,9 @@ Wants=dropbearkey.service After=syslog.target dropbearkey.service [Service] +Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear" EnvironmentFile=-/etc/default/dropbear -ExecStart=-@SBINDIR@/dropbear -i -r /etc/dropbear/dropbear_rsa_host_key $DROPBEAR_EXTRA_ARGS +ExecStart=-@SBINDIR@/dropbear -i -r ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key $DROPBEAR_EXTRA_ARGS ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID StandardInput=socket KillMode=process diff --git a/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbearkey.service b/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbearkey.service index ccc21d5cc..c49053d57 100644 --- a/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbearkey.service +++ b/yocto-poky/meta/recipes-core/dropbear/dropbear/dropbearkey.service 
@@ -1,8 +1,13 @@ [Unit] Description=SSH Key Generation -ConditionPathExists=|!/etc/dropbear/dropbear_rsa_host_key +RequiresMountsFor=/var /var/lib +ConditionPathExists=!/etc/dropbear/dropbear_rsa_host_key +ConditionPathExists=!/var/lib/dropbear/dropbear_rsa_host_key [Service] +Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear" +EnvironmentFile=-/etc/default/dropbear Type=oneshot -ExecStart=@SBINDIR@/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key +ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR} +ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key RemainAfterExit=yes diff --git a/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb b/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb index 2153ece0e..3aefe748f 100644 --- a/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb +++ b/yocto-poky/meta/recipes-core/glibc/cross-localedef-native_2.22.bb @@ -14,12 +14,13 @@ inherit autotools FILESEXTRAPATHS =. "${FILE_DIRNAME}/${PN}:${FILE_DIRNAME}/glibc:" -BRANCH ?= "release/${PV}/master" +SRCBRANCH ?= "release/${PV}/master" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" -SRC_URI = "${GLIBC_GIT_URI};branch=${BRANCH};name=glibc \ +SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef \ file://fix_for_centos_5.8.patch \ + file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \ ${EGLIBCPATCHES} \ " EGLIBCPATCHES = "\ diff --git a/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc b/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc index df6d07343..2352bd029 100644 --- a/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc +++ b/yocto-poky/meta/recipes-core/glibc/glibc-locale.inc 
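Review bot: The two `ConditionPathExists=` lines in dropbearkey.service hard-code `/etc/dropbear` and `/var/lib/dropbear`, while the key path in both `ExecStart=` lines now comes from `DROPBEAR_RSAKEY_DIR`, which `/etc/default/dropbear` can override. With the `|` trigger prefix removed both conditions must hold, so a key left in either fixed location suppresses generation even when the configured directory has none, and `dropbear@.service` is then started with `-r` pointing at a file that does not exist. A directory other than those two is never checked, so the unit would run `dropbearkey` against an existing host key there; whether that fails or replaces the key is not visible from this change. As far as I know systemd conditions do not expand environment variables, so at minimum the unit should carry a comment such as `# DROPBEAR_RSAKEY_DIR must be /etc/dropbear or /var/lib/dropbear; only these paths are checked above`.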
@@ -87,7 +87,7 @@ do_install () { if [ -e ${LOCALETREESRC}/${datadir}/locale ]; then cp -fpPR ${LOCALETREESRC}/${datadir}/locale ${D}${datadir} fi - chown root.root -R ${D} + chown root:root -R ${D} cp -fpPR ${LOCALETREESRC}/SUPPORTED ${WORKDIR} } diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch b/yocto-poky/meta/recipes-core/glibc/glibc/0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch new file mode 100644 index 000000000..3455df1cf --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch 
@@ -0,0 +1,84 @@
+From cadaf1336332ca7bcdfe4a400776e5782a20e26d Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Wed, 28 Oct 2015 07:49:44 -0700
+Subject: [PATCH] Keep only ELF_RTYPE_CLASS_{PLT|COPY} bits for prelink
+
+prelink runs ld.so with the environment variable LD_TRACE_PRELINKING
+set to dump the relocation type class from _dl_debug_bindings. prelink
+has the following relocation type classes:
+
+ #define RTYPE_CLASS_VALID 8
+ #define RTYPE_CLASS_PLT (8|1)
+ #define RTYPE_CLASS_COPY (8|2)
+ #define RTYPE_CLASS_TLS (8|4)
+
+where ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA has a conflict with
+RTYPE_CLASS_TLS.
+
+Since prelink only uses ELF_RTYPE_CLASS_PLT and ELF_RTYPE_CLASS_COPY
+bits, we should clear the other bits when the DL_DEBUG_PRELINK bit is
+set.
+
+ [BZ #19178]
+ * elf/dl-lookup.c (RTYPE_CLASS_VALID): New.
+ (RTYPE_CLASS_PLT): Likewise.
+ (RTYPE_CLASS_COPY): Likewise.
+ (RTYPE_CLASS_TLS): Likewise.
+ (_dl_debug_bindings): Use RTYPE_CLASS_TLS and RTYPE_CLASS_VALID
+ to set relocation type class for DL_DEBUG_PRELINK. Keep only
+ ELF_RTYPE_CLASS_PLT and ELF_RTYPE_CLASS_COPY bits for
+ DL_DEBUG_PRELINK.
+
+Upstream-Status: submitted (https://sourceware.org/bugzilla/show_bug.cgi?id=19178)
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+---
+ elf/dl-lookup.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c
+index 581fb20..6ae6cc3 100644
+--- a/elf/dl-lookup.c
++++ b/elf/dl-lookup.c
+@@ -1016,6 +1016,18 @@ _dl_debug_bindings (const char *undef_name, struct link_map *undef_map,
+ #ifdef SHARED
+ if (GLRO(dl_debug_mask) & DL_DEBUG_PRELINK)
+ {
++/* ELF_RTYPE_CLASS_XXX must match RTYPE_CLASS_XXX used by prelink with
++ LD_TRACE_PRELINKING. */
++#define RTYPE_CLASS_VALID 8
++#define RTYPE_CLASS_PLT (8|1)
++#define RTYPE_CLASS_COPY (8|2)
++#define RTYPE_CLASS_TLS (8|4)
++#if ELF_RTYPE_CLASS_PLT != 0 && ELF_RTYPE_CLASS_PLT != 1
++# error ELF_RTYPE_CLASS_PLT must be 0 or 1!
++#endif
++#if ELF_RTYPE_CLASS_COPY != 0 && ELF_RTYPE_CLASS_COPY != 2
++# error ELF_RTYPE_CLASS_COPY must be 0 or 2!
++#endif
+ int conflict = 0;
+ struct sym_val val = { NULL, NULL };
+
+@@ -1071,12 +1083,17 @@ _dl_debug_bindings (const char *undef_name, struct link_map *undef_map,
+
+ if (value->s)
+ {
++ /* Keep only ELF_RTYPE_CLASS_PLT and ELF_RTYPE_CLASS_COPY
++ bits since since prelink only uses them. */
++ type_class &= ELF_RTYPE_CLASS_PLT | ELF_RTYPE_CLASS_COPY;
+ if (__glibc_unlikely (ELFW(ST_TYPE) (value->s->st_info)
+ == STT_TLS))
+- type_class = 4;
++ /* Clear the RTYPE_CLASS_VALID bit in RTYPE_CLASS_TLS. */
++ type_class = RTYPE_CLASS_TLS & ~RTYPE_CLASS_VALID;
+ else if (__glibc_unlikely (ELFW(ST_TYPE) (value->s->st_info)
+ == STT_GNU_IFUNC))
+- type_class |= 8;
++ /* Set the RTYPE_CLASS_VALID bit. */
++ type_class |= RTYPE_CLASS_VALID;
+ }
+
+ if (conflict
+--
+1.9.3
+
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-7547.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-7547.patch
new file mode 100644
index 000000000..4e539f849
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-7547.patch
@@ -0,0 +1,642 @@
+From e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca Mon Sep 17 00:00:00 2001
+From: Carlos O'Donell <carlos@systemhalted.org>
+Date: Tue, 16 Feb 2016 21:26:37 -0500
+Subject: [PATCH] CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug
+ 18665).
+
+* A stack-based buffer overflow was found in libresolv when invoked from
+ libnss_dns, allowing specially crafted DNS responses to seize control
+ of execution flow in the DNS client. The buffer overflow occurs in
+ the functions send_dg (send datagram) and send_vc (send TCP) for the
+ NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
+ family. The use of AF_UNSPEC triggers the low-level resolver code to
+ send out two parallel queries for A and AAAA. A mismanagement of the
+ buffers used for those queries could result in the response of a query
+ writing beyond the alloca allocated buffer created by
+ _nss_dns_gethostbyname4_r. Buffer management is simplified to remove
+ the overflow. Thanks to the Google Security Team and Red Hat for
+ reporting the security impact of this issue, and Robert Holiday of
+ Ciena for reporting the related bug 18665.
(CVE-2015-7547)
+
+See also:
+https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
+https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
+
+Upstream-Status: Backport
+CVE: CVE-2015-7547
+
+https://sourceware.org/git/?p=glibc.git;a=commit;h=e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca
+minor tweeking to apply to Changelog and res_send.c
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 17 ++-
+ NEWS | 14 +++
+ resolv/nss_dns/dns-host.c | 111 +++++++++++++++++++-
+ resolv/res_query.c | 3 +
+ resolv/res_send.c | 260 +++++++++++++++++++++++++++++++++++-----------
+ 5 files changed, 339 insertions(+), 66 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -105,6 +105,20 @@ Security related changes:
+ depending on the length of the string passed as an argument to the
+ functions. Reported by Joseph Myers.
+
++* A stack-based buffer overflow was found in libresolv when invoked from
++ libnss_dns, allowing specially crafted DNS responses to seize control
++ of execution flow in the DNS client. The buffer overflow occurs in
++ the functions send_dg (send datagram) and send_vc (send TCP) for the
++ NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
++ family. The use of AF_UNSPEC triggers the low-level resolver code to
++ send out two parallel queries for A and AAAA. A mismanagement of the
++ buffers used for those queries could result in the response of a query
++ writing beyond the alloca allocated buffer created by
++ _nss_dns_gethostbyname4_r. Buffer management is simplified to remove
++ the overflow. Thanks to the Google Security Team and Red Hat for
++ reporting the security impact of this issue, and Robert Holiday of
++ Ciena for reporting the related bug 18665.
(CVE-2015-7547)
++
+ * The following bugs are resolved with this release:
+
+ 6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498,
+Index: git/resolv/nss_dns/dns-host.c
+===================================================================
+--- git.orig/resolv/nss_dns/dns-host.c
++++ git/resolv/nss_dns/dns-host.c
+@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *an
+ int h_namelen = 0;
+
+ if (ancount == 0)
+- return NSS_STATUS_NOTFOUND;
++ {
++ *h_errnop = HOST_NOT_FOUND;
++ return NSS_STATUS_NOTFOUND;
++ }
+
+ while (ancount-- > 0 && cp < end_of_message && had_error == 0)
+ {
+@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *an
+ /* Special case here: if the resolver sent a result but it only
+ contains a CNAME while we are looking for a T_A or T_AAAA record,
+ we fail with NOTFOUND instead of TRYAGAIN. */
+- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
++ if (canon != NULL)
++ {
++ *h_errnop = HOST_NOT_FOUND;
++ return NSS_STATUS_NOTFOUND;
++ }
++
++ *h_errnop = NETDB_INTERNAL;
++ return NSS_STATUS_TRYAGAIN;
+ }
+
+
+@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1,
+
+ enum nss_status status = NSS_STATUS_NOTFOUND;
+
++ /* Combining the NSS status of two distinct queries requires some
++ compromise and attention to symmetry (A or AAAA queries can be
++ returned in any order). What follows is a breakdown of how this
++ code is expected to work and why. We discuss only SUCCESS,
++ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
++ that apply (though RETURN and MERGE exist). We make a distinction
++ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
++ A recoverable TRYAGAIN is almost always due to buffer size issues
++ and returns ERANGE in errno and the caller is expected to retry
++ with a larger buffer.
++
++ Lastly, you may be tempted to make significant changes to the
++ conditions in this code to bring about symmetry between responses.
++ Please don't change anything without due consideration for
++ expected application behaviour. Some of the synthesized responses
++ aren't very well thought out and sometimes appear to imply that
++ IPv4 responses are always answer 1, and IPv6 responses are always
++ answer 2, but that's not true (see the implementation of send_dg
++ and send_vc to see response can arrive in any order, particularly
++ for UDP). However, we expect it holds roughly enough of the time
++ that this code works, but certainly needs to be fixed to make this
++ a more robust implementation.
++
++ ----------------------------------------------
++ | Answer 1 Status / | Synthesized | Reason |
++ | Answer 2 Status | Status | |
++ |--------------------------------------------|
++ | SUCCESS/SUCCESS | SUCCESS | [1] |
++ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] |
++ | SUCCESS/TRYAGAIN' | SUCCESS | [1] |
++ | SUCCESS/NOTFOUND | SUCCESS | [1] |
++ | SUCCESS/UNAVAIL | SUCCESS | [1] |
++ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] |
++ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] |
++ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] |
++ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] |
++ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] |
++ | TRYAGAIN'/SUCCESS | SUCCESS | [3] |
++ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] |
++ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] |
++ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] |
++ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] |
++ | NOTFOUND/SUCCESS | SUCCESS | [3] |
++ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] |
++ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] |
++ | NOTFOUND/NOTFOUND | NOTFOUND | [3] |
++ | NOTFOUND/UNAVAIL | UNAVAIL | [3] |
++ | UNAVAIL/SUCCESS | UNAVAIL | [4] |
++ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] |
++ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] |
++ | UNAVAIL/NOTFOUND | UNAVAIL | [4] |
++ | UNAVAIL/UNAVAIL | UNAVAIL | [4] |
++ ----------------------------------------------
++
++ [1] If the first response is a success we return success.
++ This ignores the state of the second answer and in fact
++ incorrectly sets errno and h_errno to that of the second
++ answer. However because the response is a success we ignore
++ *errnop and *h_errnop (though that means you touched errno on
++ success). We are being conservative here and returning the
++ likely IPv4 response in the first answer as a success.
++
++ [2] If the first response is a recoverable TRYAGAIN we return
++ that instead of looking at the second response. The
++ expectation here is that we have failed to get an IPv4 response
++ and should retry both queries.
++
++ [3] If the first response was not a SUCCESS and the second
++ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN,
++ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the
++ result from the second response, otherwise the first responses
++ status is used. Again we have some odd side-effects when the
++ second response is NOTFOUND because we overwrite *errnop and
++ *h_errnop that means that a first answer of NOTFOUND might see
++ its *errnop and *h_errnop values altered. Whether it matters
++ in practice that a first response NOTFOUND has the wrong
++ *errnop and *h_errnop is undecided.
++
++ [4] If the first response is UNAVAIL we return that instead of
++ looking at the second response. The expectation here is that
++ it will have failed similarly e.g. configuration failure.
++
++ [5] Testing this code is complicated by the fact that truncated
++ second response buffers might be returned as SUCCESS if the
++ first answer is a SUCCESS. To fix this we add symmetry to
++ TRYAGAIN with the second response. If the second response
++ is a recoverable error we now return TRYAGIN even if the first
++ response was SUCCESS.
 */
++
+ if (anslen1 > 0)
+ status = gaih_getanswer_slice(answer1, anslen1, qname,
+ &pat, &buffer, &buflen,
+ errnop, h_errnop, ttlp,
+ &first);
++
+ if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
+ || (status == NSS_STATUS_TRYAGAIN
+ /* We want to look at the second answer in case of an
+@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1,
+ &pat, &buffer, &buflen,
+ errnop, h_errnop, ttlp,
+ &first);
++ /* Use the second response status in some cases. */
+ if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
+ status = status2;
++ /* Do not return a truncated second response (unless it was
++ unavoidable e.g. unrecoverable TRYAGAIN). */
++ if (status == NSS_STATUS_SUCCESS
++ && (status2 == NSS_STATUS_TRYAGAIN
++ && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
++ status = NSS_STATUS_TRYAGAIN;
+ }
+
+ return status;
+Index: git/resolv/res_query.c
+===================================================================
+--- git.orig/resolv/res_query.c
++++ git/resolv/res_query.c
+@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
+ {
+ free (*answerp2);
+ *answerp2 = NULL;
++ *nanswerp2 = 0;
+ *answerp2_malloced = 0;
+ }
+ }
+@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
+ {
+ free (*answerp2);
+ *answerp2 = NULL;
++ *nanswerp2 = 0;
+ *answerp2_malloced = 0;
+ }
+
+@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
+ {
+ free (*answerp2);
+ *answerp2 = NULL;
++ *nanswerp2 = 0;
+ *answerp2_malloced = 0;
+ }
+ if (saved_herrno != -1)
+Index: git/resolv/res_send.c
+===================================================================
+--- git.orig/resolv/res_send.c
++++ git/resolv/res_send.c
+@@ -1,3 +1,20 @@
++/* Copyright (C) 2016 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
+ /*
+ * Copyright (c) 1985, 1989, 1993
+ * The Regents of the University of California. All rights reserved.
+@@ -363,6 +380,8 @@ __libc_res_nsend(res_state statp, const
+ #ifdef USE_HOOKS
+ if (__glibc_unlikely (statp->qhook || statp->rhook)) {
+ if (anssiz < MAXPACKET && ansp) {
++ /* Always allocate MAXPACKET, callers expect
++ this specific size. */
+ u_char *buf = malloc (MAXPACKET);
+ if (buf == NULL)
+ return (-1);
+@@ -638,6 +657,77 @@ get_nsaddr (res_state statp, int n)
+ return (struct sockaddr *) (void *) &statp->nsaddr_list[n];
+ }
+
++/* The send_vc function is responsible for sending a DNS query over TCP
++ to the nameserver numbered NS from the res_state STATP i.e.
++ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and
++ IPv6 queries at the same serially on the same socket.
++
++ Please note that for TCP there is no way to disable sending both
++ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP
++ and sends the queries serially and waits for the result after each
++ sent query. This implemetnation should be corrected to honour these
++ options.
++
++ Please also note that for TCP we send both queries over the same
++ socket one after another.
This technically violates best practice
++ since the server is allowed to read the first query, respond, and
++ then close the socket (to service another client). If the server
++ does this, then the remaining second query in the socket data buffer
++ will cause the server to send the client an RST which will arrive
++ asynchronously and the client's OS will likely tear down the socket
++ receive buffer resulting in a potentially short read and lost
++ response data. This will force the client to retry the query again,
++ and this process may repeat until all servers and connection resets
++ are exhausted and then the query will fail. It's not known if this
++ happens with any frequency in real DNS server implementations. This
++ implementation should be corrected to use two sockets by default for
++ parallel queries.
++
++ The query stored in BUF of BUFLEN length is sent first followed by
++ the query stored in BUF2 of BUFLEN2 length. Queries are sent
++ serially on the same socket.
++
++ Answers to the query are stored firstly in *ANSP up to a max of
++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP
++ is non-NULL (to indicate that modifying the answer buffer is allowed)
++ then malloc is used to allocate a new response buffer and ANSCP and
++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
++ are needed but ANSCP is NULL, then as much of the response as
++ possible is read into the buffer, but the results will be truncated.
++ When truncation happens because of a small answer buffer the DNS
++ packets header field TC will bet set to 1, indicating a truncated
++ message and the rest of the socket data will be read and discarded.
++
++ Answers to the query are stored secondly in *ANSP2 up to a max of
++ *ANSSIZP2 bytes, with the actual response length stored in
++ *RESPLEN2.
If more than *ANSSIZP bytes are needed and ANSP2
++ is non-NULL (required for a second query) then malloc is used to
++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
++ size and *ANSP2_MALLOCED is set to 1.
++
++ The ANSP2_MALLOCED argument will eventually be removed as the
++ change in buffer pointer can be used to detect the buffer has
++ changed and that the caller should use free on the new buffer.
++
++ Note that the answers may arrive in any order from the server and
++ therefore the first and second answer buffers may not correspond to
++ the first and second queries.
++
++ It is not supported to call this function with a non-NULL ANSP2
++ but a NULL ANSCP. Put another way, you can call send_vc with a
++ single unmodifiable buffer or two modifiable buffers, but no other
++ combination is supported.
++
++ It is the caller's responsibility to free the malloc allocated
++ buffers by detecting that the pointers have changed from their
++ original values i.e. *ANSCP or *ANSP2 has changed.
++
++ If errors are encountered then *TERRNO is set to an appropriate
++ errno value and a zero result is returned for a recoverable error,
++ and a less-than zero result is returned for a non-recoverable error.
++
++ If no errors are encountered then *TERRNO is left unmodified and
++ a the length of the first response in bytes is returned.
 */
+ static int
+ send_vc(res_state statp,
+ const u_char *buf, int buflen, const u_char *buf2, int buflen2,
+@@ -647,11 +737,7 @@ send_vc(res_state statp,
+ {
+ const HEADER *hp = (HEADER *) buf;
+ const HEADER *hp2 = (HEADER *) buf2;
+- u_char *ans = *ansp;
+- int orig_anssizp = *anssizp;
+- // XXX REMOVE
+- // int anssiz = *anssizp;
+- HEADER *anhp = (HEADER *) ans;
++ HEADER *anhp = (HEADER *) *ansp;
+ struct sockaddr *nsap = get_nsaddr (statp, ns);
+ int truncating, connreset, n;
+ /* On some architectures compiler might emit a warning indicating
+@@ -743,6 +829,8 @@ send_vc(res_state statp,
+ * Receive length & response
+ */
+ int recvresp1 = 0;
++ /* Skip the second response if there is no second query.
++ To do that we mark the second response as received. */
+ int recvresp2 = buf2 == NULL;
+ uint16_t rlen16;
+ read_len:
+@@ -779,40 +867,14 @@ send_vc(res_state statp,
+ u_char **thisansp;
+ int *thisresplenp;
+ if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
++ /* We have not received any responses
++ yet or we only have one response to
++ receive. */
+ thisanssizp = anssizp;
+ thisansp = anscp ?: ansp;
+ assert (anscp != NULL || ansp2 == NULL);
+ thisresplenp = &resplen;
+ } else {
+- if (*anssizp != MAXPACKET) {
+- /* No buffer allocated for the first
+- reply. We can try to use the rest
+- of the user-provided buffer. */
+-#if __GNUC_PREREQ (4, 7)
+- DIAG_PUSH_NEEDS_COMMENT;
+- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+-#endif
+-#if _STRING_ARCH_unaligned
+- *anssizp2 = orig_anssizp - resplen;
+- *ansp2 = *ansp + resplen;
+-#else
+- int aligned_resplen
+- = ((resplen + __alignof__ (HEADER) - 1)
+- & ~(__alignof__ (HEADER) - 1));
+- *anssizp2 = orig_anssizp - aligned_resplen;
+- *ansp2 = *ansp + aligned_resplen;
+-#endif
+-#if __GNUC_PREREQ (4, 7)
+- DIAG_POP_NEEDS_COMMENT;
+-#endif
+- } else {
+- /* The first reply did not fit into the
+- user-provided buffer. Maybe the second
+- answer will.
 */
+- *anssizp2 = orig_anssizp;
+- *ansp2 = *ansp;
+- }
+-
+ thisanssizp = anssizp2;
+ thisansp = ansp2;
+ thisresplenp = resplen2;
+@@ -820,10 +882,14 @@ send_vc(res_state statp,
+ anhp = (HEADER *) *thisansp;
+
+ *thisresplenp = rlen;
+- if (rlen > *thisanssizp) {
+- /* Yes, we test ANSCP here. If we have two buffers
+- both will be allocatable. */
+- if (__glibc_likely (anscp != NULL)) {
++ /* Is the answer buffer too small? */
++ if (*thisanssizp < rlen) {
++ /* If the current buffer is not the the static
++ user-supplied buffer then we can reallocate
++ it. */
++ if (thisansp != NULL && thisansp != ansp) {
++ /* Always allocate MAXPACKET, callers expect
++ this specific size. */
+ u_char *newp = malloc (MAXPACKET);
+ if (newp == NULL) {
+ *terrno = ENOMEM;
+@@ -835,6 +901,9 @@ send_vc(res_state statp,
+ if (thisansp == ansp2)
+ *ansp2_malloced = 1;
+ anhp = (HEADER *) newp;
++ /* A uint16_t can't be larger than MAXPACKET
++ thus it's safe to allocate MAXPACKET but
++ read RLEN bytes instead. */
+ len = rlen;
+ } else {
+ Dprint(statp->options & RES_DEBUG,
+@@ -997,6 +1066,66 @@ reopen (res_state statp, int *terrno, in
+ return 1;
+ }
+
++/* The send_dg function is responsible for sending a DNS query over UDP
++ to the nameserver numbered NS from the res_state STATP i.e.
++ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries
++ along with the ability to send the query in parallel for both stacks
++ (default) or serially (RES_SINGLKUP). It also supports serial lookup
++ with a close and reopen of the socket used to talk to the server
++ (RES_SNGLKUPREOP) to work around broken name servers.
++
++ The query stored in BUF of BUFLEN length is sent first followed by
++ the query stored in BUF2 of BUFLEN2 length. Queries are sent
++ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP).
++
++ Answers to the query are stored firstly in *ANSP up to a max of
++ *ANSSIZP bytes.
If more than *ANSSIZP bytes are needed and ANSCP
++ is non-NULL (to indicate that modifying the answer buffer is allowed)
++ then malloc is used to allocate a new response buffer and ANSCP and
++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
++ are needed but ANSCP is NULL, then as much of the response as
++ possible is read into the buffer, but the results will be truncated.
++ When truncation happens because of a small answer buffer the DNS
++ packets header field TC will bet set to 1, indicating a truncated
++ message, while the rest of the UDP packet is discarded.
++
++ Answers to the query are stored secondly in *ANSP2 up to a max of
++ *ANSSIZP2 bytes, with the actual response length stored in
++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2
++ is non-NULL (required for a second query) then malloc is used to
++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
++ size and *ANSP2_MALLOCED is set to 1.
++
++ The ANSP2_MALLOCED argument will eventually be removed as the
++ change in buffer pointer can be used to detect the buffer has
++ changed and that the caller should use free on the new buffer.
++
++ Note that the answers may arrive in any order from the server and
++ therefore the first and second answer buffers may not correspond to
++ the first and second queries.
++
++ It is not supported to call this function with a non-NULL ANSP2
++ but a NULL ANSCP. Put another way, you can call send_vc with a
++ single unmodifiable buffer or two modifiable buffers, but no other
++ combination is supported.
++
++ It is the caller's responsibility to free the malloc allocated
++ buffers by detecting that the pointers have changed from their
++ original values i.e. *ANSCP or *ANSP2 has changed.
++
++ If an answer is truncated because of UDP datagram DNS limits then
++ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to
++ the caller to retry with TCP.
The value *GOTSOMEWHERE is set to 1
++ if any progress was made reading a response from the nameserver and
++ is used by the caller to distinguish between ECONNREFUSED and
++ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1).
++
++ If errors are encountered then *TERRNO is set to an appropriate
++ errno value and a zero result is returned for a recoverable error,
++ and a less-than zero result is returned for a non-recoverable error.
++
++ If no errors are encountered then *TERRNO is left unmodified and
++ a the length of the first response in bytes is returned. */
+ static int
+ send_dg(res_state statp,
+ const u_char *buf, int buflen, const u_char *buf2, int buflen2,
+@@ -1006,8 +1135,6 @@ send_dg(res_state statp,
+ {
+ const HEADER *hp = (HEADER *) buf;
+ const HEADER *hp2 = (HEADER *) buf2;
+- u_char *ans = *ansp;
+- int orig_anssizp = *anssizp;
+ struct timespec now, timeout, finish;
+ struct pollfd pfd[1];
+ int ptimeout;
+@@ -1040,6 +1167,8 @@ send_dg(res_state statp,
+ int need_recompute = 0;
+ int nwritten = 0;
+ int recvresp1 = 0;
++ /* Skip the second response if there is no second query.
++ To do that we mark the second response as received. */
+ int recvresp2 = buf2 == NULL;
+ pfd[0].fd = EXT(statp).nssocks[ns];
+ pfd[0].events = POLLOUT;
+@@ -1203,55 +1332,56 @@ send_dg(res_state statp,
+ int *thisresplenp;
+
+ if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
++ /* We have not received any responses
++ yet or we only have one response to
++ receive. */
+ thisanssizp = anssizp;
+ thisansp = anscp ?: ansp;
+ assert (anscp != NULL || ansp2 == NULL);
+ thisresplenp = &resplen;
+ } else {
+- if (*anssizp != MAXPACKET) {
+- /* No buffer allocated for the first
+- reply. We can try to use the rest
+- of the user-provided buffer.
 */
+-#if _STRING_ARCH_unaligned
+- *anssizp2 = orig_anssizp - resplen;
+- *ansp2 = *ansp + resplen;
+-#else
+- int aligned_resplen
+- = ((resplen + __alignof__ (HEADER) - 1)
+- & ~(__alignof__ (HEADER) - 1));
+- *anssizp2 = orig_anssizp - aligned_resplen;
+- *ansp2 = *ansp + aligned_resplen;
+-#endif
+- } else {
+- /* The first reply did not fit into the
+- user-provided buffer. Maybe the second
+- answer will. */
+- *anssizp2 = orig_anssizp;
+- *ansp2 = *ansp;
+- }
+-
+ thisanssizp = anssizp2;
+ thisansp = ansp2;
+ thisresplenp = resplen2;
+ }
+
+ if (*thisanssizp < MAXPACKET
+- /* Yes, we test ANSCP here. If we have two buffers
+- both will be allocatable. */
+- && anscp
++ /* If the current buffer is not the the static
++ user-supplied buffer then we can reallocate
++ it. */
++ && (thisansp != NULL && thisansp != ansp)
+ #ifdef FIONREAD
++ /* Is the size too small? */
+ && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
+ || *thisanssizp < *thisresplenp)
+ #endif
+ ) {
++ /* Always allocate MAXPACKET, callers expect
++ this specific size. */
+ u_char *newp = malloc (MAXPACKET);
+ if (newp != NULL) {
+- *anssizp = MAXPACKET;
+- *thisansp = ans = newp;
++ *thisanssizp = MAXPACKET;
++ *thisansp = newp;
+ if (thisansp == ansp2)
+ *ansp2_malloced = 1;
+ }
+ }
++ /* We could end up with truncation if anscp was NULL
++ (not allowed to change caller's buffer) and the
++ response buffer size is too small. This isn't a
++ reliable way to detect truncation because the ioctl
++ may be an inaccurate report of the UDP message size.
++ Therefore we use this only to issue debug output.
++ To do truncation accurately with UDP we need
++ MSG_TRUNC which is only available on Linux. We
++ can abstract out the Linux-specific feature in the
++ future to detect truncation.
 */
++ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
++ Dprint(statp->options & RES_DEBUG,
++ (stdout, ";; response may be truncated (UDP)\n")
++ );
++ }
++
+ HEADER *anhp = (HEADER *) *thisansp;
+ socklen_t fromlen = sizeof(struct sockaddr_in6);
+ assert (sizeof(from) <= fromlen);
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,18 @@
++2016-02-15 Carlos O'Donell <carlos@redhat.com>
++
++ [BZ #18665]
++ * resolv/nss_dns/dns-host.c (gaih_getanswer_slice): Always set
++ *herrno_p.
++ (gaih_getanswer): Document functional behviour. Return tryagain
++ if any result is tryagain.
++ * resolv/res_query.c (__libc_res_nsearch): Set buffer size to zero
++ when freed.
++ * resolv/res_send.c: Add copyright text.
++ (__libc_res_nsend): Document that MAXPACKET is expected.
++ (send_vc): Document. Remove buffer reuse.
++ (send_dg): Document. Remove buffer reuse. Set *thisanssizp to set the
++ size of the buffer. Add Dprint for truncated UDP buffer.
++
+ 2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #18985]
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
new file mode 100644
index 000000000..684f34417
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
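Review bot: In the send_vc reallocation path the bound that keeps the read in range is stated only in a comment: after `malloc (MAXPACKET)` the code sets `len = rlen`, which stays inside the new buffer only while MAXPACKET is at least 65535. MAXPACKET's definition is outside the visible hunks, so I would pin the assumption next to the allocation with `_Static_assert (MAXPACKET >= 65535, "TCP response length must fit the reallocated buffer");`. The send_dg header comment was copied from send_vc and still says "you can call send_vc with a single unmodifiable buffer"; it should name send_dg, and `RES_SINGLKUP` there should read `RES_SNGLKUP`, as the send_vc comment spells it. Since the patch header says the backport was hand-adjusted for res_send.c, those hunks deserve a line-by-line comparison with upstream commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca before this is merged. The bodies of send_vc and send_dg continue outside the hunks.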
@@ -0,0 +1,155 @@
+From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Sat, 26 Sep 2015 13:27:48 -0700
+Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
+ segfault
+
+Upstream-Status: Backport
+CVE: CVE-2015-8776
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 8 ++++++++
+ NEWS | 2 +-
+ time/strftime_l.c | 20 +++++++++++++-------
+ time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 4 files changed, 73 insertions(+), 9 deletions(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,11 @@
++2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
++
++ [BZ #18985]
++ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
++ (__strftime_internal): Likewise.
++ * time/tst-strftime.c (do_bz18985): New test.
++ (do_test): Call it.
++
+ 2015-12-04 Joseph Myers <joseph@codesourcery.com>
+
+ [BZ #16961]
+Index: git/time/strftime_l.c
+===================================================================
+--- git.orig/time/strftime_l.c
++++ git/time/strftime_l.c
+@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
+ only a few elements. Dereference the pointers only if the format
+ requires this. Then it is ok to fail if the pointers are invalid. */
+ # define a_wkday \
+- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
+ # define f_wkday \
+- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
++ ? "?"
: _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
+ # define a_month \
+- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
+ # define f_month \
+- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
++ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
+ # define ampm \
+ ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
+ ? NLW(PM_STR) : NLW(AM_STR)))
+@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
+ # define ap_len STRLEN (ampm)
+ #else
+ # if !HAVE_STRFTIME
+-# define f_wkday (weekday_name[tp->tm_wday])
+-# define f_month (month_name[tp->tm_mon])
++# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
++ ? "?" : weekday_name[tp->tm_wday])
++# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
++ ? "?" : month_name[tp->tm_mon])
+ # define a_wkday f_wkday
+ # define a_month f_month
+ # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
+@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
+ *tzset_called = true;
+ }
+ # endif
+- zone = tzname[tp->tm_isdst];
++ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
+ }
+ #endif
+ if (! zone)
+Index: git/time/tst-strftime.c
+===================================================================
+--- git.orig/time/tst-strftime.c
++++ git/time/tst-strftime.c
+@@ -4,6 +4,56 @@
+ #include <time.h>
+
+
++static int
++do_bz18985 (void)
++{
++ char buf[1000];
++ struct tm ttm;
++ int rc, ret = 0;
++
++ memset (&ttm, 1, sizeof (ttm));
++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
++
++ if (rc == 66)
++ {
++ const char expected[]
++ = "? ? ? ? ? ?
16843009 16843009:16843009:16843009 16844909 +467836 ?";
++ if (0 != strcmp (buf, expected))
++ {
++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
++ ret += 1;
++ }
++ }
++ else
++ {
++ printf ("expected 66, got %d\n", rc);
++ ret += 1;
++ }
++
++ /* Check negative values as well. */
++ memset (&ttm, 0xFF, sizeof (ttm));
++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
++
++ if (rc == 30)
++ {
++ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
++ if (0 != strcmp (buf, expected))
++ {
++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
++ ret += 1;
++ }
++ }
++ else
++ {
++ printf ("expected 30, got %d\n", rc);
++ ret += 1;
++ }
++
++ return ret;
++}
++
+ static struct
+ {
+ const char *fmt;
+@@ -104,7 +154,7 @@ do_test (void)
+ }
+ }
+
+- return result;
++ return result + do_bz18985 ();
+ }
+
+ #define TEST_FUNCTION do_test ()
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 000000000..eeab72d65
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
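Review bot: The fallback literal in the new `a_wkday`, `f_wkday`, `a_month` and `f_month` macros is a narrow `"?"` that is then cast to `const CHAR_T *`, while the same file wraps its other literal as `L_("AMPM")`. If strftime_l.c is also built with a wide `CHAR_T` (the `L_` wrapper suggests it is, but that build is not visible here), the out-of-range branch would hand a two-byte narrow string to code that reads wide characters. Casting each arm separately avoids that, e.g. `? L_("?") : (const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)`, and the new test only covers the narrow `strftime`. Separately, `zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";` checks only the upper bound; the enclosing condition is outside the hunk, so confirm that it already rejects a negative `tm_isdst`.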
@@ -0,0 +1,123 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications. This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 ++++++++++
+ NEWS | 13 ++++++++-----
+ elf/rtld.c | 15 ++++-----------
+ sysdeps/generic/ldsodefs.h | 3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,14 @@
++2015-10-15 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #18928]
++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++ _dl_pointer_guard member.
++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++ initializer.
++ (security_init): Always set up pointer guard.
++ (process_envvars): Do not process LD_POINTER_GUARD.
++
++
+ 2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com>
+
+ [BZ #18778]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -34,7 +34,10 @@ Version 2.22
+ 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
+ 18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
+ 18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
+- 18657, 18676, 18694, 18696.
++ 18657, 18676, 18694, 18696, 18928.
++
++* The LD_POINTER_GUARD environment variable can no longer be used to
++ disable the pointer guard feature. It is always enabled.
+
+ * Cache information can be queried via sysconf() function on s390 e.g. with
+ _SC_LEVEL1_ICACHE_SIZE as argument.
+Index: git/elf/rtld.c
+===================================================================
+--- git.orig/elf/rtld.c
++++ git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+ ._dl_hwcap_mask = HWCAP_IMPORTANT,
+ ._dl_lazy = 1,
+ ._dl_fpu_control = _FPU_DEFAULT,
+- ._dl_pointer_guard = 1,
+ ._dl_pagesize = EXEC_PAGESIZE,
+ ._dl_inhibit_cache = 0,
+
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+
+ /* Set up the pointer guard as well, if necessary. */
+- if (GLRO(dl_pointer_guard))
+- {
+- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+- stack_chk_guard);
++ uintptr_t pointer_chk_guard
++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+- __pointer_chk_guard_local = pointer_chk_guard;
+- }
++ __pointer_chk_guard_local = pointer_chk_guard;
+
+ /* We do not need the _dl_random value anymore. The less
+ information we leave behind, the better, so clear the
+@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
+ GLRO(dl_use_load_bias) = envline[14] == '1' ?
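Review bot: The context comment kept above the rewritten block in `security_init` (`@@ -710,15 +709,12 @@`) still reads `/* Set up the pointer guard as well, if necessary. */`, although after this change the guard is set up on every path. Since the point of the fix is that the guard can no longer be switched off, the comment should say so, for example `/* Set up the pointer guard as well. It is always enabled; LD_POINTER_GUARD is no longer honored. */`. The body of `security_init` continues outside the hunk.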
-1 : 0;
+ break;
+ }
+-
+- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+- GLRO(dl_pointer_guard) = envline[14] != '0';
+ break;
+
+ case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===================================================================
+--- git.orig/sysdeps/generic/ldsodefs.h
++++ git/sysdeps/generic/ldsodefs.h
+@@ -600,9 +600,6 @@ struct rtld_global_ro
+ /* List of auditing interfaces. */
+ struct audit_ifaces *_dl_audit;
+ unsigned int _dl_naudit;
+-
+- /* 0 if internal pointer values should not be guarded, 1 if they should. */
+- EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # if IS_IN (rtld)
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
new file mode 100644
index 000000000..4dc93c769
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
@@ -0,0 +1,262 @@ +From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001 +From: Paul Pluzhnikov <ppluzhnikov@google.com> +Date: Sat, 8 Aug 2015 15:53:03 -0700 +Subject: [PATCH] Fix BZ #17905 + +Upstream-Status: Backport +CVE: CVE-2015-8779 +[Yocto # 8980] + +https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 8 ++++++++ + NEWS | 2 +- + catgets/Makefile | 9 ++++++++- + catgets/catgets.c | 19 ++++++++++++------- + catgets/open_catalog.c | 23 ++++++++++++++--------- + catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++ + 6 files changed, 74 insertions(+), 18 deletions(-) + +Index: git/catgets/Makefile +=================================================================== +--- git.orig/catgets/Makefile ++++ git/catgets/Makefile +@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS)) + ifeq ($(run-built-tests),yes) + tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \ + $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out ++tests-special += $(objpfx)tst-catgets-mem.out + endif + endif + gencat-modules = xmalloc +@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat + + generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \ + test-gencat.h ++generated += tst-catgets.mtrace tst-catgets-mem.out ++ + generated-dirs += de + +-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de ++tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace + + ifeq ($(run-built-tests),yes) + # This test just checks whether the program produces any error or not. 
+@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh + $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat + $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \ + $(evaluate-test) ++ ++$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out ++ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \ ++ $(evaluate-test) + endif +Index: git/catgets/catgets.c +=================================================================== +--- git.orig/catgets/catgets.c ++++ git/catgets/catgets.c +@@ -16,7 +16,6 @@ + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +-#include <alloca.h> + #include <errno.h> + #include <locale.h> + #include <nl_types.h> +@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag) + __nl_catd result; + const char *env_var = NULL; + const char *nlspath = NULL; ++ char *tmp = NULL; + + if (strchr (cat_name, '/') == NULL) + { +@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag) + { + /* Append the system dependent directory. */ + size_t len = strlen (nlspath) + 1 + sizeof NLSPATH; +- char *tmp = alloca (len); ++ tmp = malloc (len); ++ ++ if (__glibc_unlikely (tmp == NULL)) ++ return (nl_catd) -1; + + __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH); + nlspath = tmp; +@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag) + + result = (__nl_catd) malloc (sizeof (*result)); + if (result == NULL) +- /* We cannot get enough memory. */ +- return (nl_catd) -1; +- +- if (__open_catalog (cat_name, nlspath, env_var, result) != 0) ++ { ++ /* We cannot get enough memory. */ ++ result = (nl_catd) -1; ++ } ++ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0) + { + /* Couldn't open the file. 
*/ + free ((void *) result); +- return (nl_catd) -1; ++ result = (nl_catd) -1; + } + ++ free (tmp); + return (nl_catd) result; + } + +Index: git/catgets/open_catalog.c +=================================================================== +--- git.orig/catgets/open_catalog.c ++++ git/catgets/open_catalog.c +@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co + size_t tab_size; + const char *lastp; + int result = -1; ++ char *buf = NULL; + + if (strchr (cat_name, '/') != NULL || nlspath == NULL) + fd = open_not_cancel_2 (cat_name, O_RDONLY); +@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co + if (__glibc_unlikely (bufact + (n) >= bufmax)) \ + { \ + char *old_buf = buf; \ +- bufmax += 256 + (n); \ +- buf = (char *) alloca (bufmax); \ +- memcpy (buf, old_buf, bufact); \ ++ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \ ++ buf = realloc (buf, bufmax); \ ++ if (__glibc_unlikely (buf == NULL)) \ ++ { \ ++ free (old_buf); \ ++ return -1; \ ++ } \ + } + + /* The RUN_NLSPATH variable contains a colon separated list of + descriptions where we expect to find catalogs. We have to + recognize certain % substitutions and stop when we found the + first existing file. */ +- char *buf; + size_t bufact; +- size_t bufmax; ++ size_t bufmax = 0; + size_t len; + +- buf = NULL; +- bufmax = 0; +- + fd = -1; + while (*run_nlspath != '\0') + { +@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co + + /* Avoid dealing with directories and block devices */ + if (__builtin_expect (fd, 0) < 0) +- return -1; ++ { ++ free (buf); ++ return -1; ++ } + + if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0) + goto close_unlock_return; +@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co + /* Release the lock again. 
*/ + close_unlock_return: + close_not_cancel_no_status (fd); ++ free (buf); + + return result; + } +Index: git/catgets/tst-catgets.c +=================================================================== +--- git.orig/catgets/tst-catgets.c ++++ git/catgets/tst-catgets.c +@@ -1,7 +1,10 @@ ++#include <assert.h> + #include <mcheck.h> + #include <nl_types.h> + #include <stdio.h> ++#include <stdlib.h> + #include <string.h> ++#include <sys/resource.h> + + + static const char *msgs[] = +@@ -12,6 +15,33 @@ static const char *msgs[] = + }; + #define nmsgs (sizeof (msgs) / sizeof (msgs[0])) + ++ ++/* Test for unbounded alloca. */ ++static int ++do_bz17905 (void) ++{ ++ char *buf; ++ struct rlimit rl; ++ nl_catd result; ++ ++ const int sz = 1024 * 1024; ++ ++ getrlimit (RLIMIT_STACK, &rl); ++ rl.rlim_cur = sz; ++ setrlimit (RLIMIT_STACK, &rl); ++ ++ buf = malloc (sz + 1); ++ memset (buf, 'A', sz); ++ buf[sz] = '\0'; ++ setenv ("NLSPATH", buf, 1); ++ ++ result = catopen (buf, NL_CAT_LOCALE); ++ assert (result == (nl_catd) -1); ++ ++ free (buf); ++ return 0; ++} ++ + #define ROUNDS 5 + + static int +@@ -62,6 +92,7 @@ do_test (void) + } + } + ++ result += do_bz17905 (); + return result; + } + +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,11 @@ ++2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com> ++ ++ [BZ #17905] ++ * catgets/Makefile (tst-catgets-mem): New test. ++ * catgets/catgets.c (catopen): Don't use unbounded alloca. ++ * catgets/open_catalog.c (__open_catalog): Likewise. ++ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca. ++ + 2015-10-15 Florian Weimer <fweimer@redhat.com> + + [BZ #18928] +Index: git/NEWS +=================================================================== +--- git.orig/NEWS ++++ git/NEWS +@@ -9,7 +9,7 @@ Version 2.22.1 + + * The following bugs are resolved with this release: + +- 18778, 18781, 18787. ++ 18778, 18781, 18787, 17905. 
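Review bot: `do_bz17905` in catgets/tst-catgets.c ignores the results of `getrlimit`, `setrlimit` and `malloc`, so the regression test can pass without exercising the condition it was written for. If `setrlimit` fails, the stack keeps its default size and a large stack allocation in `catopen` may go unnoticed, and a NULL from `malloc` is passed straight to `memset`. Checking them keeps the test meaningful: `if (getrlimit (RLIMIT_STACK, &rl) != 0) return 1;`, `if (setrlimit (RLIMIT_STACK, &rl) != 0) return 1;` and `if (buf == NULL) return 1;`. The final check relies on `assert`, which disappears if the test is ever built with NDEBUG; returning 1 when `result != (nl_catd) -1` would match the way `do_test` adds the return value to `result`.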
+ + Version 2.22 + diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch new file mode 100644 index 000000000..3aca91331 --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch 
@@ -0,0 +1,1039 @@ +From e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 Mon Sep 17 00:00:00 2001 +From: Joseph Myers <joseph@codesourcery.com> +Date: Tue, 24 Nov 2015 22:24:52 +0000 +Subject: [PATCH] Refactor strtod parsing of NaN payloads. + +The nan* functions handle their string argument by constructing a +NAN(...) string on the stack as a VLA and passing it to strtod +functions. + +This approach has problems discussed in bug 16961 and bug 16962: the +stack usage is unbounded, and it gives incorrect results in certain +cases where the argument is not a valid n-char-sequence. + +The natural fix for both issues is to refactor the NaN payload parsing +out of strtod into a separate function that the nan* functions can +call directly, so that no temporary string needs constructing on the +stack at all. This patch does that refactoring in preparation for +fixing those bugs (but without actually using the new functions from +nan* - which will also require exporting them from libc at version +GLIBC_PRIVATE). This patch is not intended to change any user-visible +behavior, so no tests are added (fixes for the above bugs will of +course add tests for them). + +This patch builds on my recent fixes for strtol and strtod issues in +Turkish locales. Given those fixes, the parsing of NaN payloads is +locale-independent; thus, the new functions do not need to take a +locale_t argument. + +Tested for x86_64, x86, mips64 and powerpc. + + * stdlib/strtod_nan.c: New file. + * stdlib/strtod_nan_double.h: Likewise. + * stdlib/strtod_nan_float.h: Likewise. + * stdlib/strtod_nan_main.c: Likewise. + * stdlib/strtod_nan_narrow.h: Likewise. + * stdlib/strtod_nan_wide.h: Likewise. + * stdlib/strtof_nan.c: Likewise. + * stdlib/strtold_nan.c: Likewise. + * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise. + * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise. + * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise. + * wcsmbs/wcstod_nan.c: Likewise. 
+ * wcsmbs/wcstof_nan.c: Likewise. + * wcsmbs/wcstold_nan.c: Likewise. + * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and + strtold_nan. + * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and + wcstof_nan. + * include/stdlib.h (__strtof_nan): Declare and use + libc_hidden_proto. + (__strtod_nan): Likewise. + (__strtold_nan): Likewise. + (__wcstof_nan): Likewise. + (__wcstod_nan): Likewise. + (__wcstold_nan): Likewise. + * include/wchar.h (____wcstoull_l_internal): Declare. + * stdlib/strtod_l.c: Do not include <ieee754.h>. + (____strtoull_l_internal): Remove declaration. + (STRTOF_NAN): Define macro. + (SET_MANTISSA): Remove macro. + (STRTOULL): Likewise. + (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload. + * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration. + (STRTOF_NAN): Define macro. + (SET_MANTISSA): Remove macro. + * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro. + (SET_MANTISSA): Remove macro. + * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define + macro. + (SET_MANTISSA): Remove macro. + * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define + macro. + (SET_MANTISSA): Remove macro. + * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro. + (SET_MANTISSA): Remove macro. + * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration. + * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise. + * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise. 
+ +Upstream-Status: Backport +CVE: CVE-2015-9761 patch #1 +[Yocto # 8980] + +https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 49 ++++++++++++++++++ + include/stdlib.h | 18 +++++++ + include/wchar.h | 3 ++ + stdlib/Makefile | 1 + + stdlib/strtod_l.c | 48 ++++-------------- + stdlib/strtod_nan.c | 24 +++++++++ + stdlib/strtod_nan_double.h | 30 +++++++++++ + stdlib/strtod_nan_float.h | 29 +++++++++++ + stdlib/strtod_nan_main.c | 63 ++++++++++++++++++++++++ + stdlib/strtod_nan_narrow.h | 22 +++++++++ + stdlib/strtod_nan_wide.h | 22 +++++++++ + stdlib/strtof_l.c | 11 +---- + stdlib/strtof_nan.c | 24 +++++++++ + stdlib/strtold_nan.c | 30 +++++++++++ + sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h | 33 +++++++++++++ + sysdeps/ieee754/ldbl-128/strtold_l.c | 13 +---- + sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h | 30 +++++++++++ + sysdeps/ieee754/ldbl-128ibm/strtold_l.c | 10 +--- + sysdeps/ieee754/ldbl-64-128/strtold_l.c | 13 +---- + sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h | 30 +++++++++++ + sysdeps/ieee754/ldbl-96/strtold_l.c | 10 +--- + wcsmbs/Makefile | 1 + + wcsmbs/wcstod_l.c | 3 -- + wcsmbs/wcstod_nan.c | 23 +++++++++ + wcsmbs/wcstof_l.c | 3 -- + wcsmbs/wcstof_nan.c | 23 +++++++++ + wcsmbs/wcstold_l.c | 3 -- + wcsmbs/wcstold_nan.c | 30 +++++++++++ + 28 files changed, 504 insertions(+), 95 deletions(-) + create mode 100644 stdlib/strtod_nan.c + create mode 100644 stdlib/strtod_nan_double.h + create mode 100644 stdlib/strtod_nan_float.h + create mode 100644 stdlib/strtod_nan_main.c + create mode 100644 stdlib/strtod_nan_narrow.h + create mode 100644 stdlib/strtod_nan_wide.h + create mode 100644 stdlib/strtof_nan.c + create mode 100644 stdlib/strtold_nan.c + create mode 100644 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h + create mode 100644 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h + create mode 100644 
sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h + create mode 100644 wcsmbs/wcstod_nan.c + create mode 100644 wcsmbs/wcstof_nan.c + create mode 100644 wcsmbs/wcstold_nan.c + +Index: git/include/stdlib.h +=================================================================== +--- git.orig/include/stdlib.h ++++ git/include/stdlib.h +@@ -203,6 +203,24 @@ libc_hidden_proto (strtoll) + libc_hidden_proto (strtoul) + libc_hidden_proto (strtoull) + ++extern float __strtof_nan (const char *, char **, char) internal_function; ++extern double __strtod_nan (const char *, char **, char) internal_function; ++extern long double __strtold_nan (const char *, char **, char) ++ internal_function; ++extern float __wcstof_nan (const wchar_t *, wchar_t **, wchar_t) ++ internal_function; ++extern double __wcstod_nan (const wchar_t *, wchar_t **, wchar_t) ++ internal_function; ++extern long double __wcstold_nan (const wchar_t *, wchar_t **, wchar_t) ++ internal_function; ++ ++libc_hidden_proto (__strtof_nan) ++libc_hidden_proto (__strtod_nan) ++libc_hidden_proto (__strtold_nan) ++libc_hidden_proto (__wcstof_nan) ++libc_hidden_proto (__wcstod_nan) ++libc_hidden_proto (__wcstold_nan) ++ + extern char *__ecvt (double __value, int __ndigit, int *__restrict __decpt, + int *__restrict __sign); + extern char *__fcvt (double __value, int __ndigit, int *__restrict __decpt, +Index: git/include/wchar.h +=================================================================== +--- git.orig/include/wchar.h ++++ git/include/wchar.h +@@ -52,6 +52,9 @@ extern unsigned long long int __wcstoull + __restrict __endptr, + int __base, + int __group) __THROW; ++extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, ++ wchar_t **, int, int, ++ __locale_t); + libc_hidden_proto (__wcstof_internal) + libc_hidden_proto (__wcstod_internal) + libc_hidden_proto (__wcstold_internal) +Index: git/stdlib/Makefile +=================================================================== +--- git.orig/stdlib/Makefile ++++ 
git/stdlib/Makefile +@@ -51,6 +51,7 @@ routines-y := \ + strtol_l strtoul_l strtoll_l strtoull_l \ + strtof strtod strtold \ + strtof_l strtod_l strtold_l \ ++ strtof_nan strtod_nan strtold_nan \ + system canonicalize \ + a64l l64a \ + getsubopt xpg_basename \ +Index: git/stdlib/strtod_l.c +=================================================================== +--- git.orig/stdlib/strtod_l.c ++++ git/stdlib/strtod_l.c +@@ -21,8 +21,6 @@ + #include <xlocale.h> + + extern double ____strtod_l_internal (const char *, char **, int, __locale_t); +-extern unsigned long long int ____strtoull_l_internal (const char *, char **, +- int, int, __locale_t); + + /* Configuration part. These macros are defined by `strtold.c', + `strtof.c', `wcstod.c', `wcstold.c', and `wcstof.c' to produce the +@@ -34,27 +32,20 @@ extern unsigned long long int ____strtou + # ifdef USE_WIDE_CHAR + # define STRTOF wcstod_l + # define __STRTOF __wcstod_l ++# define STRTOF_NAN __wcstod_nan + # else + # define STRTOF strtod_l + # define __STRTOF __strtod_l ++# define STRTOF_NAN __strtod_nan + # endif + # define MPN2FLOAT __mpn_construct_double + # define FLOAT_HUGE_VAL HUGE_VAL +-# define SET_MANTISSA(flt, mant) \ +- do { union ieee754_double u; \ +- u.d = (flt); \ +- u.ieee_nan.mantissa0 = (mant) >> 32; \ +- u.ieee_nan.mantissa1 = (mant); \ +- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ +- (flt) = u.d; \ +- } while (0) + #endif + /* End of configuration part. 
*/ + + #include <ctype.h> + #include <errno.h> + #include <float.h> +-#include <ieee754.h> + #include "../locale/localeinfo.h" + #include <locale.h> + #include <math.h> +@@ -105,7 +96,6 @@ extern unsigned long long int ____strtou + # define TOLOWER_C(Ch) __towlower_l ((Ch), _nl_C_locobj_ptr) + # define STRNCASECMP(S1, S2, N) \ + __wcsncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr) +-# define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, loc) + #else + # define STRING_TYPE char + # define CHAR_TYPE char +@@ -117,7 +107,6 @@ extern unsigned long long int ____strtou + # define TOLOWER_C(Ch) __tolower_l ((Ch), _nl_C_locobj_ptr) + # define STRNCASECMP(S1, S2, N) \ + __strncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr) +-# define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, loc) + #endif + + +@@ -668,33 +657,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group + if (*cp == L_('(')) + { + const STRING_TYPE *startp = cp; +- do +- ++cp; +- while ((*cp >= L_('0') && *cp <= L_('9')) +- || ({ CHAR_TYPE lo = TOLOWER (*cp); +- lo >= L_('a') && lo <= L_('z'); }) +- || *cp == L_('_')); +- +- if (*cp != L_(')')) +- /* The closing brace is missing. Only match the NAN +- part. */ +- cp = startp; ++ STRING_TYPE *endp; ++ retval = STRTOF_NAN (cp + 1, &endp, L_(')')); ++ if (*endp == L_(')')) ++ /* Consume the closing parenthesis. */ ++ cp = endp + 1; + else +- { +- /* This is a system-dependent way to specify the +- bitmask used for the NaN. We expect it to be +- a number which is put in the mantissa of the +- number. */ +- STRING_TYPE *endp; +- unsigned long long int mant; +- +- mant = STRTOULL (startp + 1, &endp, 0); +- if (endp == cp) +- SET_MANTISSA (retval, mant); +- +- /* Consume the closing brace. */ +- ++cp; +- } ++ /* Only match the NAN part. 
*/ ++ cp = startp; + } + + if (endptr != NULL) +Index: git/stdlib/strtod_nan.c +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan.c +@@ -0,0 +1,24 @@ ++/* Convert string for NaN payload to corresponding NaN. Narrow ++ strings, double. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <strtod_nan_narrow.h> ++#include <strtod_nan_double.h> ++ ++#define STRTOD_NAN __strtod_nan ++#include <strtod_nan_main.c> +Index: git/stdlib/strtod_nan_double.h +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_double.h +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. For double. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#define FLOAT double ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ieee754_double u; \ ++ u.d = (flt); \ ++ u.ieee_nan.mantissa0 = (mant) >> 32; \ ++ u.ieee_nan.mantissa1 = (mant); \ ++ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ ++ (flt) = u.d; \ ++ } \ ++ while (0) +Index: git/stdlib/strtod_nan_float.h +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_float.h +@@ -0,0 +1,29 @@ ++/* Convert string for NaN payload to corresponding NaN. For float. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. 
*/ ++ ++#define FLOAT float ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ieee754_float u; \ ++ u.f = (flt); \ ++ u.ieee_nan.mantissa = (mant); \ ++ if (u.ieee.mantissa != 0) \ ++ (flt) = u.f; \ ++ } \ ++ while (0) +Index: git/stdlib/strtod_nan_main.c +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_main.c +@@ -0,0 +1,63 @@ ++/* Convert string for NaN payload to corresponding NaN. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <ieee754.h> ++#include <locale.h> ++#include <math.h> ++#include <stdlib.h> ++#include <wchar.h> ++ ++ ++/* If STR starts with an optional n-char-sequence as defined by ISO C ++ (a sequence of ASCII letters, digits and underscores), followed by ++ ENDC, return a NaN whose payload is set based on STR. Otherwise, ++ return a default NAN. If ENDPTR is not NULL, set *ENDPTR to point ++ to the character after the initial n-char-sequence. 
*/ ++ ++internal_function ++FLOAT ++STRTOD_NAN (const STRING_TYPE *str, STRING_TYPE **endptr, STRING_TYPE endc) ++{ ++ const STRING_TYPE *cp = str; ++ ++ while ((*cp >= L_('0') && *cp <= L_('9')) ++ || (*cp >= L_('A') && *cp <= L_('Z')) ++ || (*cp >= L_('a') && *cp <= L_('z')) ++ || *cp == L_('_')) ++ ++cp; ++ ++ FLOAT retval = NAN; ++ if (*cp != endc) ++ goto out; ++ ++ /* This is a system-dependent way to specify the bitmask used for ++ the NaN. We expect it to be a number which is put in the ++ mantissa of the number. */ ++ STRING_TYPE *endp; ++ unsigned long long int mant; ++ ++ mant = STRTOULL (str, &endp, 0); ++ if (endp == cp) ++ SET_MANTISSA (retval, mant); ++ ++ out: ++ if (endptr != NULL) ++ *endptr = (STRING_TYPE *) cp; ++ return retval; ++} ++libc_hidden_def (STRTOD_NAN) +Index: git/stdlib/strtod_nan_narrow.h +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_narrow.h +@@ -0,0 +1,22 @@ ++/* Convert string for NaN payload to corresponding NaN. Narrow strings. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. 
*/ ++ ++#define STRING_TYPE char ++#define L_(Ch) Ch ++#define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, \ ++ _nl_C_locobj_ptr) +Index: git/stdlib/strtod_nan_wide.h +=================================================================== +--- /dev/null ++++ git/stdlib/strtod_nan_wide.h +@@ -0,0 +1,22 @@ ++/* Convert string for NaN payload to corresponding NaN. Wide strings. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. 
*/ ++ ++#define STRING_TYPE wchar_t ++#define L_(Ch) L##Ch ++#define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, \ ++ _nl_C_locobj_ptr) +Index: git/stdlib/strtof_l.c +=================================================================== +--- git.orig/stdlib/strtof_l.c ++++ git/stdlib/strtof_l.c +@@ -20,26 +20,19 @@ + #include <xlocale.h> + + extern float ____strtof_l_internal (const char *, char **, int, __locale_t); +-extern unsigned long long int ____strtoull_l_internal (const char *, char **, +- int, int, __locale_t); + + #define FLOAT float + #define FLT FLT + #ifdef USE_WIDE_CHAR + # define STRTOF wcstof_l + # define __STRTOF __wcstof_l ++# define STRTOF_NAN __wcstof_nan + #else + # define STRTOF strtof_l + # define __STRTOF __strtof_l ++# define STRTOF_NAN __strtof_nan + #endif + #define MPN2FLOAT __mpn_construct_float + #define FLOAT_HUGE_VAL HUGE_VALF +-#define SET_MANTISSA(flt, mant) \ +- do { union ieee754_float u; \ +- u.f = (flt); \ +- u.ieee_nan.mantissa = (mant); \ +- if (u.ieee.mantissa != 0) \ +- (flt) = u.f; \ +- } while (0) + + #include "strtod_l.c" +Index: git/stdlib/strtof_nan.c +=================================================================== +--- /dev/null ++++ git/stdlib/strtof_nan.c +@@ -0,0 +1,24 @@ ++/* Convert string for NaN payload to corresponding NaN. Narrow ++ strings, float. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. 
++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <strtod_nan_narrow.h> ++#include <strtod_nan_float.h> ++ ++#define STRTOD_NAN __strtof_nan ++#include <strtod_nan_main.c> +Index: git/stdlib/strtold_nan.c +=================================================================== +--- /dev/null ++++ git/stdlib/strtold_nan.c +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. Narrow ++ strings, long double. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <math.h> ++ ++/* This function is unused if long double and double have the same ++ representation. */ ++#ifndef __NO_LONG_DOUBLE_MATH ++# include <strtod_nan_narrow.h> ++# include <strtod_nan_ldouble.h> ++ ++# define STRTOD_NAN __strtold_nan ++# include <strtod_nan_main.c> ++#endif +Index: git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h +=================================================================== +--- /dev/null ++++ git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h +@@ -0,0 +1,33 @@ ++/* Convert string for NaN payload to corresponding NaN. For ldbl-128. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. 
++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#define FLOAT long double ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ieee854_long_double u; \ ++ u.d = (flt); \ ++ u.ieee_nan.mantissa0 = 0; \ ++ u.ieee_nan.mantissa1 = 0; \ ++ u.ieee_nan.mantissa2 = (mant) >> 32; \ ++ u.ieee_nan.mantissa3 = (mant); \ ++ if ((u.ieee.mantissa0 | u.ieee.mantissa1 \ ++ | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \ ++ (flt) = u.d; \ ++ } \ ++ while (0) +Index: git/sysdeps/ieee754/ldbl-128/strtold_l.c +=================================================================== +--- git.orig/sysdeps/ieee754/ldbl-128/strtold_l.c ++++ git/sysdeps/ieee754/ldbl-128/strtold_l.c +@@ -25,22 +25,13 @@ + #ifdef USE_WIDE_CHAR + # define STRTOF wcstold_l + # define __STRTOF __wcstold_l ++# define STRTOF_NAN __wcstold_nan + #else + # define STRTOF strtold_l + # define __STRTOF __strtold_l ++# define STRTOF_NAN __strtold_nan + #endif + #define MPN2FLOAT __mpn_construct_long_double + #define FLOAT_HUGE_VAL HUGE_VALL +-#define SET_MANTISSA(flt, mant) \ +- do { union ieee854_long_double u; \ +- u.d = (flt); \ +- u.ieee_nan.mantissa0 = 0; \ +- u.ieee_nan.mantissa1 = 0; \ +- u.ieee_nan.mantissa2 = (mant) >> 32; \ +- u.ieee_nan.mantissa3 = (mant); \ +- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \ +- | u.ieee.mantissa2 | 
u.ieee.mantissa3) != 0) \ +- (flt) = u.d; \ +- } while (0) + + #include <strtod_l.c> +Index: git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h +=================================================================== +--- /dev/null ++++ git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. For ldbl-128ibm. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. 
*/ ++ ++#define FLOAT long double ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ibm_extended_long_double u; \ ++ u.ld = (flt); \ ++ u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \ ++ u.d[0].ieee_nan.mantissa1 = (mant); \ ++ if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \ ++ (flt) = u.ld; \ ++ } \ ++ while (0) +Index: git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c +=================================================================== +--- git.orig/sysdeps/ieee754/ldbl-128ibm/strtold_l.c ++++ git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c +@@ -30,25 +30,19 @@ extern long double ____new_wcstold_l (co + # define STRTOF __new_wcstold_l + # define __STRTOF ____new_wcstold_l + # define ____STRTOF_INTERNAL ____wcstold_l_internal ++# define STRTOF_NAN __wcstold_nan + #else + extern long double ____new_strtold_l (const char *, char **, __locale_t); + # define STRTOF __new_strtold_l + # define __STRTOF ____new_strtold_l + # define ____STRTOF_INTERNAL ____strtold_l_internal ++# define STRTOF_NAN __strtold_nan + #endif + extern __typeof (__STRTOF) STRTOF; + libc_hidden_proto (__STRTOF) + libc_hidden_proto (STRTOF) + #define MPN2FLOAT __mpn_construct_long_double + #define FLOAT_HUGE_VAL HUGE_VALL +-# define SET_MANTISSA(flt, mant) \ +- do { union ibm_extended_long_double u; \ +- u.ld = (flt); \ +- u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \ +- u.d[0].ieee_nan.mantissa1 = (mant); \ +- if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \ +- (flt) = u.ld; \ +- } while (0) + + #include <strtod_l.c> + +Index: git/sysdeps/ieee754/ldbl-64-128/strtold_l.c +=================================================================== +--- git.orig/sysdeps/ieee754/ldbl-64-128/strtold_l.c ++++ git/sysdeps/ieee754/ldbl-64-128/strtold_l.c +@@ -30,28 +30,19 @@ extern long double ____new_wcstold_l (co + # define STRTOF __new_wcstold_l + # define __STRTOF ____new_wcstold_l + # define ____STRTOF_INTERNAL ____wcstold_l_internal ++# define STRTOF_NAN __wcstold_nan + #else + extern long 
double ____new_strtold_l (const char *, char **, __locale_t); + # define STRTOF __new_strtold_l + # define __STRTOF ____new_strtold_l + # define ____STRTOF_INTERNAL ____strtold_l_internal ++# define STRTOF_NAN __strtold_nan + #endif + extern __typeof (__STRTOF) STRTOF; + libc_hidden_proto (__STRTOF) + libc_hidden_proto (STRTOF) + #define MPN2FLOAT __mpn_construct_long_double + #define FLOAT_HUGE_VAL HUGE_VALL +-#define SET_MANTISSA(flt, mant) \ +- do { union ieee854_long_double u; \ +- u.d = (flt); \ +- u.ieee_nan.mantissa0 = 0; \ +- u.ieee_nan.mantissa1 = 0; \ +- u.ieee_nan.mantissa2 = (mant) >> 32; \ +- u.ieee_nan.mantissa3 = (mant); \ +- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \ +- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \ +- (flt) = u.d; \ +- } while (0) + + #include <strtod_l.c> + +Index: git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h +=================================================================== +--- /dev/null ++++ git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. For ldbl-96. ++ Copyright (C) 1997-2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. 
*/ ++ ++#define FLOAT long double ++#define SET_MANTISSA(flt, mant) \ ++ do \ ++ { \ ++ union ieee854_long_double u; \ ++ u.d = (flt); \ ++ u.ieee_nan.mantissa0 = (mant) >> 32; \ ++ u.ieee_nan.mantissa1 = (mant); \ ++ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ ++ (flt) = u.d; \ ++ } \ ++ while (0) +Index: git/sysdeps/ieee754/ldbl-96/strtold_l.c +=================================================================== +--- git.orig/sysdeps/ieee754/ldbl-96/strtold_l.c ++++ git/sysdeps/ieee754/ldbl-96/strtold_l.c +@@ -25,19 +25,13 @@ + #ifdef USE_WIDE_CHAR + # define STRTOF wcstold_l + # define __STRTOF __wcstold_l ++# define STRTOF_NAN __wcstold_nan + #else + # define STRTOF strtold_l + # define __STRTOF __strtold_l ++# define STRTOF_NAN __strtold_nan + #endif + #define MPN2FLOAT __mpn_construct_long_double + #define FLOAT_HUGE_VAL HUGE_VALL +-#define SET_MANTISSA(flt, mant) \ +- do { union ieee854_long_double u; \ +- u.d = (flt); \ +- u.ieee_nan.mantissa0 = (mant) >> 32; \ +- u.ieee_nan.mantissa1 = (mant); \ +- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \ +- (flt) = u.d; \ +- } while (0) + + #include <stdlib/strtod_l.c> +Index: git/wcsmbs/Makefile +=================================================================== +--- git.orig/wcsmbs/Makefile ++++ git/wcsmbs/Makefile +@@ -39,6 +39,7 @@ routines-$(OPTION_POSIX_C_LANG_WIDE_CHAR + wcstol wcstoul wcstoll wcstoull wcstod wcstold wcstof \ + wcstol_l wcstoul_l wcstoll_l wcstoull_l \ + wcstod_l wcstold_l wcstof_l \ ++ wcstod_nan wcstold_nan wcstof_nan \ + wcscoll wcsxfrm \ + wcwidth wcswidth \ + wcscoll_l wcsxfrm_l \ +Index: git/wcsmbs/wcstod_l.c +=================================================================== +--- git.orig/wcsmbs/wcstod_l.c ++++ git/wcsmbs/wcstod_l.c +@@ -23,9 +23,6 @@ + + extern double ____wcstod_l_internal (const wchar_t *, wchar_t **, int, + __locale_t); +-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, +- wchar_t **, int, int, +- __locale_t); + + #define 
USE_WIDE_CHAR 1 + +Index: git/wcsmbs/wcstod_nan.c +=================================================================== +--- /dev/null ++++ git/wcsmbs/wcstod_nan.c +@@ -0,0 +1,23 @@ ++/* Convert string for NaN payload to corresponding NaN. Wide strings, double. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include "../stdlib/strtod_nan_wide.h" ++#include "../stdlib/strtod_nan_double.h" ++ ++#define STRTOD_NAN __wcstod_nan ++#include "../stdlib/strtod_nan_main.c" +Index: git/wcsmbs/wcstof_l.c +=================================================================== +--- git.orig/wcsmbs/wcstof_l.c ++++ git/wcsmbs/wcstof_l.c +@@ -25,8 +25,5 @@ + + extern float ____wcstof_l_internal (const wchar_t *, wchar_t **, int, + __locale_t); +-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, +- wchar_t **, int, int, +- __locale_t); + + #include <stdlib/strtof_l.c> +Index: git/wcsmbs/wcstof_nan.c +=================================================================== +--- /dev/null ++++ git/wcsmbs/wcstof_nan.c +@@ -0,0 +1,23 @@ ++/* Convert string for NaN payload to corresponding NaN. Wide strings, float. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. 
++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include "../stdlib/strtod_nan_wide.h" ++#include "../stdlib/strtod_nan_float.h" ++ ++#define STRTOD_NAN __wcstof_nan ++#include "../stdlib/strtod_nan_main.c" +Index: git/wcsmbs/wcstold_l.c +=================================================================== +--- git.orig/wcsmbs/wcstold_l.c ++++ git/wcsmbs/wcstold_l.c +@@ -24,8 +24,5 @@ + + extern long double ____wcstold_l_internal (const wchar_t *, wchar_t **, int, + __locale_t); +-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *, +- wchar_t **, int, int, +- __locale_t); + + #include <strtold_l.c> +Index: git/wcsmbs/wcstold_nan.c +=================================================================== +--- /dev/null ++++ git/wcsmbs/wcstold_nan.c +@@ -0,0 +1,30 @@ ++/* Convert string for NaN payload to corresponding NaN. Wide strings, ++ long double. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <math.h> ++ ++/* This function is unused if long double and double have the same ++ representation. */ ++#ifndef __NO_LONG_DOUBLE_MATH ++# include "../stdlib/strtod_nan_wide.h" ++# include <strtod_nan_ldouble.h> ++ ++# define STRTOD_NAN __wcstold_nan ++# include "../stdlib/strtod_nan_main.c" ++#endif +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,57 @@ ++2015-11-24 Joseph Myers <joseph@codesourcery.com> ++ ++ * stdlib/strtod_nan.c: New file. ++ * stdlib/strtod_nan_double.h: Likewise. ++ * stdlib/strtod_nan_float.h: Likewise. ++ * stdlib/strtod_nan_main.c: Likewise. ++ * stdlib/strtod_nan_narrow.h: Likewise. ++ * stdlib/strtod_nan_wide.h: Likewise. ++ * stdlib/strtof_nan.c: Likewise. ++ * stdlib/strtold_nan.c: Likewise. ++ * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise. ++ * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise. ++ * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise. ++ * wcsmbs/wcstod_nan.c: Likewise. ++ * wcsmbs/wcstof_nan.c: Likewise. ++ * wcsmbs/wcstold_nan.c: Likewise. ++ * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and ++ strtold_nan. ++ * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and ++ wcstof_nan. ++ * include/stdlib.h (__strtof_nan): Declare and use ++ libc_hidden_proto. ++ (__strtod_nan): Likewise. ++ (__strtold_nan): Likewise. ++ (__wcstof_nan): Likewise. ++ (__wcstod_nan): Likewise. ++ (__wcstold_nan): Likewise. 
++ * include/wchar.h (____wcstoull_l_internal): Declare. ++ * stdlib/strtod_l.c: Do not include <ieee754.h>. ++ (____strtoull_l_internal): Remove declaration. ++ (STRTOF_NAN): Define macro. ++ (SET_MANTISSA): Remove macro. ++ (STRTOULL): Likewise. ++ (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload. ++ * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration. ++ (STRTOF_NAN): Define macro. ++ (SET_MANTISSA): Remove macro. ++ * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro. ++ (SET_MANTISSA): Remove macro. ++ * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define ++ macro. ++ (SET_MANTISSA): Remove macro. ++ * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define ++ macro. ++ (SET_MANTISSA): Remove macro. ++ * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro. ++ (SET_MANTISSA): Remove macro. ++ * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration. ++ * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise. ++ * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise. ++ ++ [BZ #19266] ++ * stdlib/strtod_l.c (____STRTOF_INTERNAL): Check directly for ++ upper case and lower case letters inside NAN(), not using TOLOWER. + 2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com> + + [BZ #17905] diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch new file mode 100644 index 000000000..e30307fbc --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch 
@@ -0,0 +1,385 @@
+From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17 00:00:00 2001
+From: Joseph Myers <joseph@codesourcery.com>
+Date: Fri, 4 Dec 2015 20:36:28 +0000
+Subject: [PATCH] Fix nan functions handling of payload strings (bug 16961, bug
+ 16962).
+
+The nan, nanf and nanl functions handle payload strings by doing e.g.:
+
+ if (tagp[0] != '\0')
+ {
+ char buf[6 + strlen (tagp)];
+ sprintf (buf, "NAN(%s)", tagp);
+ return strtod (buf, NULL);
+ }
+
+This is an unbounded stack allocation based on the length of the
+argument. Furthermore, if the argument starts with an n-char-sequence
+followed by ')', that n-char-sequence is wrongly treated as
+significant for determining the payload of the resulting NaN, when ISO
+C says the call should be equivalent to strtod ("NAN", NULL), without
+being affected by that initial n-char-sequence. This patch fixes both
+those problems by using the __strtod_nan etc. functions recently
+factored out of strtod etc. for that purpose, with those functions
+being exported from libc at version GLIBC_PRIVATE.
+
+Tested for x86_64, x86, mips64 and powerpc.
+
+ [BZ #16961]
+ [BZ #16962]
+ * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
+ string on the stack for strtod.
+ * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
+ a string on the stack for strtof.
+ * math/s_nanl.c (__nanl): Use __strtold_nan instead of
+ constructing a string on the stack for strtold.
+ * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
+ __strtold_nan to GLIBC_PRIVATE.
+ * math/test-nan-overflow.c: New file.
+ * math/test-nan-payload.c: Likewise.
+ * math/Makefile (tests): Add test-nan-overflow and
+ test-nan-payload.
+
+Upstream-Status: Backport
+CVE: CVE-2015-9761 patch #2
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 17 +++++++
+ NEWS | 6 +++
+ math/Makefile | 3 +-
+ math/s_nan.c | 9 +---
+ math/s_nanf.c | 9 +---
+ math/s_nanl.c | 9 +---
+ math/test-nan-overflow.c | 66 +++++++++++++++++++++++++
+ math/test-nan-payload.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++
+ stdlib/Versions | 1 +
+ 9 files changed, 217 insertions(+), 25 deletions(-)
+ create mode 100644 math/test-nan-overflow.c
+ create mode 100644 math/test-nan-payload.c
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,20 @@
++2015-12-04 Joseph Myers <joseph@codesourcery.com>
++
++ [BZ #16961]
++ [BZ #16962]
++ * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
++ string on the stack for strtod.
++ * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
++ a string on the stack for strtof.
++ * math/s_nanl.c (__nanl): Use __strtold_nan instead of
++ constructing a string on the stack for strtold.
++ * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
++ __strtold_nan to GLIBC_PRIVATE.
++ * math/test-nan-overflow.c: New file.
++ * math/test-nan-payload.c: Likewise.
++ * math/Makefile (tests): Add test-nan-overflow and
++ test-nan-payload.
++
+ 2015-11-24 Joseph Myers <joseph@codesourcery.com>
+
+ * stdlib/strtod_nan.c: New file.
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -99,6 +99,12 @@ Version 2.22
+
+ Version 2.21
+
++Security related changes:
++
++* The nan, nanf and nanl functions no longer have unbounded stack usage
++ depending on the length of the string passed as an argument to the
++ functions. Reported by Joseph Myers.
++ + * The following bugs are resolved with this release: + + 6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498, +Index: git/math/Makefile +=================================================================== +--- git.orig/math/Makefile ++++ git/math/Makefile +@@ -110,6 +110,7 @@ tests = test-matherr test-fenv atest-exp + test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \ + test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \ + test-fenv-tls test-fenv-preserve test-fenv-return test-fenvinline \ ++ test-nan-overflow test-nan-payload \ + $(tests-static) + tests-static = test-fpucw-static test-fpucw-ieee-static + # We do the `long double' tests only if this data type is available and +Index: git/math/s_nan.c +=================================================================== +--- git.orig/math/s_nan.c ++++ git/math/s_nan.c +@@ -28,14 +28,7 @@ + double + __nan (const char *tagp) + { +- if (tagp[0] != '\0') +- { +- char buf[6 + strlen (tagp)]; +- sprintf (buf, "NAN(%s)", tagp); +- return strtod (buf, NULL); +- } +- +- return NAN; ++ return __strtod_nan (tagp, NULL, 0); + } + weak_alias (__nan, nan) + #ifdef NO_LONG_DOUBLE +Index: git/math/s_nanf.c +=================================================================== +--- git.orig/math/s_nanf.c ++++ git/math/s_nanf.c +@@ -28,13 +28,6 @@ + float + __nanf (const char *tagp) + { +- if (tagp[0] != '\0') +- { +- char buf[6 + strlen (tagp)]; +- sprintf (buf, "NAN(%s)", tagp); +- return strtof (buf, NULL); +- } +- +- return NAN; ++ return __strtof_nan (tagp, NULL, 0); + } + weak_alias (__nanf, nanf) +Index: git/math/s_nanl.c +=================================================================== +--- git.orig/math/s_nanl.c ++++ git/math/s_nanl.c +@@ -28,13 +28,6 @@ + long double + __nanl (const char *tagp) + { +- if (tagp[0] != '\0') +- { +- char buf[6 + strlen (tagp)]; +- sprintf (buf, "NAN(%s)", tagp); +- return strtold (buf, NULL); +- } +- +- return NAN; ++ return __strtold_nan (tagp, 
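Review bot: The new body of `__nan` in math/s_nan.c, `return __strtod_nan (tagp, NULL, 0);`, has no comment explaining why the stack buffer was dropped or what the `NULL` and `0` arguments mean, and neither can be read off this hunk. Since this is the line that replaces the `char buf[6 + strlen (tagp)]` allocation sized by the caller's string, I would add above it `/* Use __strtod_nan directly instead of building "NAN(...)" in a stack buffer sized by strlen (tagp).  */`. The same one-line body appears in `__nanf` (math/s_nanf.c) and `__nanl` (math/s_nanl.c, whose hunk ends just after this point) and would take the same comment. All three now call `__strtof_nan`/`__strtod_nan`/`__strtold_nan`, which this patch only exports in stdlib/Versions and does not define, so the earlier patch whose ChangeLog entry adds stdlib/strtod_nan.c has to be applied before this one.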
NULL, 0); + } + weak_alias (__nanl, nanl) +Index: git/math/test-nan-overflow.c +=================================================================== +--- /dev/null ++++ git/math/test-nan-overflow.c +@@ -0,0 +1,66 @@ ++/* Test nan functions stack overflow (bug 16962). ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. 
*/ ++ ++#include <math.h> ++#include <stdio.h> ++#include <string.h> ++#include <sys/resource.h> ++ ++#define STACK_LIM 1048576 ++#define STRING_SIZE (2 * STACK_LIM) ++ ++static int ++do_test (void) ++{ ++ int result = 0; ++ struct rlimit lim; ++ getrlimit (RLIMIT_STACK, &lim); ++ lim.rlim_cur = STACK_LIM; ++ setrlimit (RLIMIT_STACK, &lim); ++ char *nanstr = malloc (STRING_SIZE); ++ if (nanstr == NULL) ++ { ++ puts ("malloc failed, cannot test"); ++ return 77; ++ } ++ memset (nanstr, '0', STRING_SIZE - 1); ++ nanstr[STRING_SIZE - 1] = 0; ++#define NAN_TEST(TYPE, FUNC) \ ++ do \ ++ { \ ++ char *volatile p = nanstr; \ ++ volatile TYPE v = FUNC (p); \ ++ if (isnan (v)) \ ++ puts ("PASS: " #FUNC); \ ++ else \ ++ { \ ++ puts ("FAIL: " #FUNC); \ ++ result = 1; \ ++ } \ ++ } \ ++ while (0) ++ NAN_TEST (float, nanf); ++ NAN_TEST (double, nan); ++#ifndef NO_LONG_DOUBLE ++ NAN_TEST (long double, nanl); ++#endif ++ return result; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +Index: git/math/test-nan-payload.c +=================================================================== +--- /dev/null ++++ git/math/test-nan-payload.c +@@ -0,0 +1,122 @@ ++/* Test nan functions payload handling (bug 16961). ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. 
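Review bot: In `do_test` of math/test-nan-overflow.c the results of `getrlimit` and `setrlimit` are ignored, so if the `STACK_LIM` limit cannot be applied the test can still print PASS without exercising the bounded-stack property it exists to guard. I would check both calls and skip the way the malloc path already does: `if (getrlimit (RLIMIT_STACK, &lim) != 0) return 77;` and, after assigning `lim.rlim_cur`, `if (setrlimit (RLIMIT_STACK, &lim) != 0) return 77;`. `malloc` is also called without `<stdlib.h>` among the file's own includes, and `../test-skeleton.c` is only included after `do_test`; unless another header is known to declare it, add `#include <stdlib.h>`.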
++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <float.h> ++#include <math.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++ ++/* Avoid built-in functions. */ ++#define WRAP_NAN(FUNC, STR) \ ++ ({ const char *volatile wns = (STR); FUNC (wns); }) ++#define WRAP_STRTO(FUNC, STR) \ ++ ({ const char *volatile wss = (STR); FUNC (wss, NULL); }) ++ ++#define CHECK_IS_NAN(TYPE, A) \ ++ do \ ++ { \ ++ if (isnan (A)) \ ++ puts ("PASS: " #TYPE " " #A); \ ++ else \ ++ { \ ++ puts ("FAIL: " #TYPE " " #A); \ ++ result = 1; \ ++ } \ ++ } \ ++ while (0) ++ ++#define CHECK_SAME_NAN(TYPE, A, B) \ ++ do \ ++ { \ ++ if (memcmp (&(A), &(B), sizeof (A)) == 0) \ ++ puts ("PASS: " #TYPE " " #A " = " #B); \ ++ else \ ++ { \ ++ puts ("FAIL: " #TYPE " " #A " = " #B); \ ++ result = 1; \ ++ } \ ++ } \ ++ while (0) ++ ++#define CHECK_DIFF_NAN(TYPE, A, B) \ ++ do \ ++ { \ ++ if (memcmp (&(A), &(B), sizeof (A)) != 0) \ ++ puts ("PASS: " #TYPE " " #A " != " #B); \ ++ else \ ++ { \ ++ puts ("FAIL: " #TYPE " " #A " != " #B); \ ++ result = 1; \ ++ } \ ++ } \ ++ while (0) ++ ++/* Cannot test payloads by memcmp for formats where NaNs have padding ++ bits. 
*/ ++#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106) ++ ++#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG) \ ++ do \ ++ { \ ++ TYPE n123 = WRAP_NAN (FUNC, "123"); \ ++ CHECK_IS_NAN (TYPE, n123); \ ++ TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)"); \ ++ CHECK_IS_NAN (TYPE, s123); \ ++ TYPE n456 = WRAP_NAN (FUNC, "456"); \ ++ CHECK_IS_NAN (TYPE, n456); \ ++ TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)"); \ ++ CHECK_IS_NAN (TYPE, s456); \ ++ TYPE n123x = WRAP_NAN (FUNC, "123)"); \ ++ CHECK_IS_NAN (TYPE, n123x); \ ++ TYPE nemp = WRAP_NAN (FUNC, ""); \ ++ CHECK_IS_NAN (TYPE, nemp); \ ++ TYPE semp = WRAP_STRTO (SFUNC, "NAN()"); \ ++ CHECK_IS_NAN (TYPE, semp); \ ++ TYPE sx = WRAP_STRTO (SFUNC, "NAN"); \ ++ CHECK_IS_NAN (TYPE, sx); \ ++ if (CAN_TEST_EQ (MANT_DIG)) \ ++ CHECK_SAME_NAN (TYPE, n123, s123); \ ++ if (CAN_TEST_EQ (MANT_DIG)) \ ++ CHECK_SAME_NAN (TYPE, n456, s456); \ ++ if (CAN_TEST_EQ (MANT_DIG)) \ ++ CHECK_SAME_NAN (TYPE, nemp, semp); \ ++ if (CAN_TEST_EQ (MANT_DIG)) \ ++ CHECK_SAME_NAN (TYPE, n123x, sx); \ ++ CHECK_DIFF_NAN (TYPE, n123, n456); \ ++ CHECK_DIFF_NAN (TYPE, n123, nemp); \ ++ CHECK_DIFF_NAN (TYPE, n123, n123x); \ ++ CHECK_DIFF_NAN (TYPE, n456, nemp); \ ++ CHECK_DIFF_NAN (TYPE, n456, n123x); \ ++ } \ ++ while (0) ++ ++static int ++do_test (void) ++{ ++ int result = 0; ++ RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG); ++ RUN_TESTS (double, strtod, nan, DBL_MANT_DIG); ++#ifndef NO_LONG_DOUBLE ++ RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG); ++#endif ++ return result; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +Index: git/stdlib/Versions +=================================================================== +--- git.orig/stdlib/Versions ++++ git/stdlib/Versions +@@ -118,5 +118,6 @@ libc { + # Used from other libraries + __libc_secure_getenv; + __call_tls_dtors; ++ __strtof_nan; __strtod_nan; __strtold_nan; + } + } 
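Review bot: In `RUN_TESTS` of math/test-nan-payload.c the four `CHECK_SAME_NAN` calls are guarded by `CAN_TEST_EQ (MANT_DIG)` but the five `CHECK_DIFF_NAN` calls are not, although both macros compare with `memcmp` over `sizeof (A)`. For the formats the comment above `CAN_TEST_EQ` excludes (NaNs with padding bits), a difference confined to padding would let `CHECK_DIFF_NAN` report PASS even if the payloads were equal, so those checks are weaker than they read on such formats. The asymmetry looks deliberate, so I would document it on `CHECK_DIFF_NAN` rather than change it: `/* With padding bits this can pass spuriously but cannot fail spuriously, so it is run unconditionally.  */`.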
diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch b/yocto-poky/meta/recipes-core/glibc/glibc/strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch
new file mode 100644
index 000000000..8ce255f11
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/glibc/glibc/strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch
@@ -0,0 +1,323 @@ +Upstream-Status: Backport + +Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> + +From https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6c84109cfa26f35c3dfed3acb97d347361bd5849 +Author: Carlos O'Donell <carlos@systemhalted.org> +Date: Thu Oct 8 16:34:53 2015 -0400 + + strcoll: Remove incorrect STRDIFF-based optimization (Bug 18589). + + The optimization introduced in commit + f13c2a8dff2329c6692a80176262ceaaf8a6f74e, causes regressions in + sorting for languages that have digraphs that change sort order, like + cs_CZ which sorts ch between h and i. + + My analysis shows the fast-forwarding optimization in STRCOLL advances + through a digraph while possibly stopping in the middle which results + in a subsequent skipping of the digraph and incorrect sorting. The + optimization is incorrect as implemented and because of that I'm + removing it for 2.23, and I will also commit this fix for 2.22 where + it was originally introduced. + + This patch reverts the optimization, introduces a new bug-strcoll2.c + regression test that tests both cs_CZ.UTF-8 and da_DK.ISO-8859-1 and + ensures they sort one digraph each correctly. The optimization can't be + applied without regressing this test. + + Checked on x86_64, bug-strcoll2.c fails without this patch and passes + after. This will also get a fix on 2.22 which has the same bug. 
+ + (cherry picked from commit 87701a58e291bd7ac3b407d10a829dac52c9c16e) +--- + locale/C-collate.c | 4 +- + locale/categories.def | 1 - + locale/langinfo.h | 1 - + locale/localeinfo.h | 7 ---- + locale/programs/ld-collate.c | 9 ----- + string/bug-strcoll2.c | 95 ++++++++++++++++++++++++++++++++++++++++++++ + string/strcoll_l.c | 39 +----------------- + wcsmbs/wcscoll_l.c | 1 - + 8 files changed, 98 insertions(+), 59 deletions(-) + create mode 100644 string/bug-strcoll2.c + +diff --git a/locale/C-collate.c b/locale/C-collate.c +index d7f3c55..06dfdfa 100644 +--- a/locale/C-collate.c ++++ b/locale/C-collate.c +@@ -144,8 +144,6 @@ const struct __locale_data _nl_C_LC_COLLATE attribute_hidden = + /* _NL_COLLATE_COLLSEQWC */ + { .string = (const char *) collseqwc }, + /* _NL_COLLATE_CODESET */ +- { .string = _nl_C_codeset }, +- /* _NL_COLLATE_ENCODING_TYPE */ +- { .word = __cet_8bit } ++ { .string = _nl_C_codeset } + } + }; +diff --git a/locale/categories.def b/locale/categories.def +index 045489d..a8dda53 100644 +--- a/locale/categories.def ++++ b/locale/categories.def +@@ -58,7 +58,6 @@ DEFINE_CATEGORY + DEFINE_ELEMENT (_NL_COLLATE_COLLSEQMB, "collate-collseqmb", std, wstring) + DEFINE_ELEMENT (_NL_COLLATE_COLLSEQWC, "collate-collseqwc", std, wstring) + DEFINE_ELEMENT (_NL_COLLATE_CODESET, "collate-codeset", std, string) +- DEFINE_ELEMENT (_NL_COLLATE_ENCODING_TYPE, "collate-encoding-type", std, word) + ), NO_POSTLOAD) + + +diff --git a/locale/langinfo.h b/locale/langinfo.h +index ffc5c7f..a565d9d 100644 +--- a/locale/langinfo.h ++++ b/locale/langinfo.h +@@ -255,7 +255,6 @@ enum + _NL_COLLATE_COLLSEQMB, + _NL_COLLATE_COLLSEQWC, + _NL_COLLATE_CODESET, +- _NL_COLLATE_ENCODING_TYPE, + _NL_NUM_LC_COLLATE, + + /* LC_CTYPE category: character classification. 
+diff --git a/locale/localeinfo.h b/locale/localeinfo.h +index a7516c0..c076d8e 100644 +--- a/locale/localeinfo.h ++++ b/locale/localeinfo.h +@@ -110,13 +110,6 @@ enum coll_sort_rule + sort_mask + }; + +-/* Collation encoding type. */ +-enum collation_encoding_type +-{ +- __cet_other, +- __cet_8bit, +- __cet_utf8 +-}; + + /* We can map the types of the entries into a few categories. */ + enum value_type +diff --git a/locale/programs/ld-collate.c b/locale/programs/ld-collate.c +index 16e9039..3c88c6d 100644 +--- a/locale/programs/ld-collate.c ++++ b/locale/programs/ld-collate.c +@@ -32,7 +32,6 @@ + #include "linereader.h" + #include "locfile.h" + #include "elem-hash.h" +-#include "../localeinfo.h" + + /* Uncomment the following line in the production version. */ + /* #define NDEBUG 1 */ +@@ -2130,8 +2129,6 @@ collate_output (struct localedef_t *locale, const struct charmap_t *charmap, + /* The words have to be handled specially. */ + if (idx == _NL_ITEM_INDEX (_NL_COLLATE_SYMB_HASH_SIZEMB)) + add_locale_uint32 (&file, 0); +- else if (idx == _NL_ITEM_INDEX (_NL_COLLATE_ENCODING_TYPE)) +- add_locale_uint32 (&file, __cet_other); + else + add_locale_empty (&file); + } +@@ -2495,12 +2492,6 @@ collate_output (struct localedef_t *locale, const struct charmap_t *charmap, + add_locale_raw_data (&file, collate->mbseqorder, 256); + add_locale_collseq_table (&file, &collate->wcseqorder); + add_locale_string (&file, charmap->code_set_name); +- if (strcmp (charmap->code_set_name, "UTF-8") == 0) +- add_locale_uint32 (&file, __cet_utf8); +- else if (charmap->mb_cur_max == 1) +- add_locale_uint32 (&file, __cet_8bit); +- else +- add_locale_uint32 (&file, __cet_other); + write_locale_data (output_path, LC_COLLATE, "LC_COLLATE", &file); + + obstack_free (&weightpool, NULL); +diff --git a/string/bug-strcoll2.c b/string/bug-strcoll2.c +new file mode 100644 +index 0000000..950b090 +--- /dev/null ++++ b/string/bug-strcoll2.c +@@ -0,0 +1,95 @@ ++/* Bug 18589: sort-test.sh fails at random. 
++ * Copyright (C) 1998-2015 Free Software Foundation, Inc. ++ * This file is part of the GNU C Library. ++ * Contributed by Ulrich Drepper <drepper@cygnus.com>, 1998. ++ * ++ * The GNU C Library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * The GNU C Library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with the GNU C Library; if not, see ++ * <http://www.gnu.org/licenses/>. */ ++ ++#include <stdio.h> ++#include <string.h> ++#include <locale.h> ++ ++/* An incorrect strcoll optimization resulted in incorrect ++ * results from strcoll for cs_CZ and da_DK. */ ++ ++int ++test_cs_CZ (void) ++{ ++ const char t1[] = "config"; ++ const char t2[] = "choose"; ++ if (setlocale (LC_ALL, "cs_CZ.UTF-8") == NULL) ++ { ++ perror ("setlocale"); ++ return 1; ++ } ++ /* In Czech the digraph ch sorts after c, therefore we expect ++ * config to sort before choose. */ ++ int a = strcoll (t1, t2); ++ int b = strcoll (t2, t1); ++ printf ("strcoll (\"%s\", \"%s\") = %d\n", t1, t2, a); ++ printf ("strcoll (\"%s\", \"%s\") = %d\n", t2, t1, b); ++ if (a < 0 && b > 0) ++ { ++ puts ("PASS: config < choose"); ++ return 0; ++ } ++ else ++ { ++ puts ("FAIL: Wrong sorting in cz_CZ.UTF-8."); ++ return 1; ++ } ++} ++ ++int ++test_da_DK (void) ++{ ++ const char t1[] = "AS"; ++ const char t2[] = "AA"; ++ if (setlocale (LC_ALL, "da_DK.ISO-8859-1") == NULL) ++ { ++ perror ("setlocale"); ++ return 1; ++ } ++ /* AA should be treated as the last letter of the Danish alphabet, ++ * hence sorting after AS. 
*/ ++ int a = strcoll (t1, t2); ++ int b = strcoll (t2, t1); ++ printf ("strcoll (\"%s\", \"%s\") = %d\n", t1, t2, a); ++ printf ("strcoll (\"%s\", \"%s\") = %d\n", t2, t1, b); ++ if (a < 0 && b > 0) ++ { ++ puts ("PASS: AS < AA"); ++ return 0; ++ } ++ else ++ { ++ puts ("FAIL: Wrong sorting in da_DK.ISO-8859-1"); ++ return 1; ++ } ++} ++ ++static int ++do_test (void) ++{ ++ int err = 0; ++ err |= test_cs_CZ (); ++ err |= test_da_DK (); ++ return err; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" ++ ++ +diff --git a/string/strcoll_l.c b/string/strcoll_l.c +index b36b18c..a18b65e 100644 +--- a/string/strcoll_l.c ++++ b/string/strcoll_l.c +@@ -30,7 +30,6 @@ + # define STRING_TYPE char + # define USTRING_TYPE unsigned char + # define STRCOLL __strcoll_l +-# define STRDIFF __strdiff + # define STRCMP strcmp + # define WEIGHT_H "../locale/weight.h" + # define SUFFIX MB +@@ -43,19 +42,6 @@ + #include "../locale/localeinfo.h" + #include WEIGHT_H + +-#define MASK_UTF8_7BIT (1 << 7) +-#define MASK_UTF8_START (3 << 6) +- +-size_t +-STRDIFF (const STRING_TYPE *s, const STRING_TYPE *t) +-{ +- size_t n; +- +- for (n = 0; *s != '\0' && *s++ == *t++; ++n) +- continue; +- +- return n; +-} + + /* Track status while looking for sequences in a string. */ + typedef struct +@@ -274,29 +260,9 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) + const USTRING_TYPE *extra; + const int32_t *indirect; + +- /* In case there is no locale specific sort order (C / POSIX). */ + if (nrules == 0) + return STRCMP (s1, s2); + +- /* Fast forward to the position of the first difference. Needs to be +- encoding aware as the byte-by-byte comparison can stop in the middle +- of a char sequence for multibyte encodings like UTF-8. 
*/ +- uint_fast32_t encoding = +- current->values[_NL_ITEM_INDEX (_NL_COLLATE_ENCODING_TYPE)].word; +- if (encoding != __cet_other) +- { +- size_t diff = STRDIFF (s1, s2); +- if (diff > 0) +- { +- if (encoding == __cet_utf8 && (*(s1 + diff) & MASK_UTF8_7BIT) != 0) +- do +- diff--; +- while (diff > 0 && (*(s1 + diff) & MASK_UTF8_START) != MASK_UTF8_START); +- s1 += diff; +- s2 += diff; +- } +- } +- + /* Catch empty strings. */ + if (__glibc_unlikely (*s1 == '\0') || __glibc_unlikely (*s2 == '\0')) + return (*s1 != '\0') - (*s2 != '\0'); +@@ -363,9 +329,8 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) + byte-level comparison to ensure that we don't waste time + going through multiple passes for totally equal strings + before proceeding to subsequent passes. */ +- if (pass == 0 && encoding == __cet_other && +- STRCMP (s1, s2) == 0) +- return result; ++ if (pass == 0 && STRCMP (s1, s2) == 0) ++ return result; + else + break; + } +diff --git a/wcsmbs/wcscoll_l.c b/wcsmbs/wcscoll_l.c +index 6d9384a..87f240d 100644 +--- a/wcsmbs/wcscoll_l.c ++++ b/wcsmbs/wcscoll_l.c +@@ -23,7 +23,6 @@ + #define STRING_TYPE wchar_t + #define USTRING_TYPE wint_t + #define STRCOLL __wcscoll_l +-#define STRDIFF __wcsdiff + #define STRCMP __wcscmp + #define WEIGHT_H "../locale/weightwc.h" + #define SUFFIX WC +-- +1.8.4.2 + diff --git a/yocto-poky/meta/recipes-core/glibc/glibc/use_64bit_atomics.patch b/yocto-poky/meta/recipes-core/glibc/glibc/use_64bit_atomics.patch new file mode 100644 index 000000000..eb7f2b29b --- /dev/null +++ b/yocto-poky/meta/recipes-core/glibc/glibc/use_64bit_atomics.patch 
@@ -0,0 +1,24 @@ +This patch alows using 64 bit atomic instructions on a +32 bit platform. This is safe, providing x86 is Pentium or +later (would not work on i386, i486). Using 64 bit atomic +instructions bypasses code containing a bug as documented in +https://bugzilla.yoctoproject.org/show_bug.cgi?id=8140 + +Upstream-Status: TBD + +Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> + + +Index: libc/sysdeps/i386/i486/bits/atomic.h +=================================================================== +--- libc.orig/sysdeps/i386/i486/bits/atomic.h ++++ libc/sysdeps/i386/i486/bits/atomic.h +@@ -54,7 +54,7 @@ typedef uintmax_t uatomic_max_t; + # endif + #endif + +-#define __HAVE_64B_ATOMICS 0 ++#define __HAVE_64B_ATOMICS 1 + #define USE_ATOMIC_COMPILER_BUILTINS 0 + + diff --git a/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb b/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb index 09f0428ea..a13b7f94b 100644 --- a/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb +++ b/yocto-poky/meta/recipes-core/glibc/glibc_2.22.bb @@ -9,11 +9,11 @@ DEPENDS += "gperf-native kconfig-frontends-native" SRCREV ?= "a34d1c6afc86521d6ad17662a3b5362d8481514c" -BRANCH ?= "release/${PV}/master" +SRCBRANCH ?= "release/${PV}/master" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" -SRC_URI = "${GLIBC_GIT_URI};branch=${BRANCH};name=glibc \ +SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0004-Backport-https-sourceware.org-ml-libc-ports-2007-12-.patch \ file://0005-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch \ file://0006-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \ 
@@ -39,6 +39,14 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${BRANCH};name=glibc \ file://0026-eglibc-dl_debug_mask-is-controlled-by-__OPTION_EGLIB.patch \ file://0027-eglibc-use-option-groups-Conditionally-exclude-c-tes.patch \ file://nscd-no-bash.patch \ + file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \ + file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \ + file://CVE-2015-8777.patch \ + file://CVE-2015-8779.patch \ + file://CVE-2015-9761_1.patch \ + file://CVE-2015-9761_2.patch \ + file://CVE-2015-8776.patch \ + file://CVE-2015-7547.patch \ " SRC_URI += "\ @@ -50,6 +58,7 @@ SRC_URI_append_class-nativesdk = "\ file://0001-nativesdk-glibc-Look-for-host-system-ld.so.cache-as-.patch \ file://0002-nativesdk-glibc-Fix-buffer-overrun-with-a-relocated-.patch \ file://0003-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch \ + file://use_64bit_atomics.patch \ " S = "${WORKDIR}/git" diff --git a/yocto-poky/meta/recipes-core/images/build-appliance-image_12.0.1.bb b/yocto-poky/meta/recipes-core/images/build-appliance-image_12.0.1.bb index 0a86ba4b3..fdeadb63a 100644 --- a/yocto-poky/meta/recipes-core/images/build-appliance-image_12.0.1.bb +++ b/yocto-poky/meta/recipes-core/images/build-appliance-image_12.0.1.bb @@ -21,8 +21,8 @@ IMAGE_FSTYPES = "vmdk" inherit core-image -SRCREV ?= "d01cd53429b1c20f01dac97f1b9b659cb9dc9812" -SRC_URI = "git://git.yoctoproject.org/poky \ +SRCREV ?= "7fe17a2942ff03e2ec47d566fd5393f52b2eb736" +SRC_URI = "git://git.yoctoproject.org/poky;branch=jethro \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ " diff --git a/yocto-poky/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/yocto-poky/meta/recipes-core/initrdscripts/files/init-install-efi.sh index fc4908ef9..0443a9d11 100644 --- a/yocto-poky/meta/recipes-core/initrdscripts/files/init-install-efi.sh +++ b/yocto-poky/meta/recipes-core/initrdscripts/files/init-install-efi.sh 
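Review bot: The two entries `CVE-2015-9761_1.patch` and `CVE-2015-9761_2.patch` added to `SRC_URI` should be checked against the CVE id recorded inside those patch files, which this hunk does not show. Fix tracking and later audits match on the id in the file name, so a mistyped year or number would leave the real id looking unpatched while advertising a fix under a different one. If the ids differ, rename the files and these two `file://` lines to match the patch header.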
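Review bot: `use_64bit_atomics.patch` is appended for every nativesdk build, yet the patch's own description says forcing `__HAVE_64B_ATOMICS 1` is only safe on Pentium or later, and nothing in this hunk or in the patch enforces that. State the baseline above the `SRC_URI_append_class-nativesdk` assignment, for example `# 64-bit atomics on 32-bit x86: SDK machine must be Pentium or later`, or guard the define on the target CPU in the patch itself. The patch header also carries `Upstream-Status: TBD`, which is not one of the documented status values; `Pending` looks like the intended one.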
@@ -134,7 +134,7 @@ swap_start=$((rootfs_end)) # 2) they are detected asynchronously (need rootwait) rootwait="" part_prefix="" -if [ ! "${device#mmcblk}" = "${device}" ]; then +if [ ! "${device#/dev/mmcblk}" = "${device}" ]; then part_prefix="p" rootwait="rootwait" fi @@ -184,8 +184,8 @@ mount -o rw,loop,noatime,nodiratime /run/media/$1/$2 /src_root echo "Copying rootfs files..." cp -a /src_root/* /tgt_root if [ -d /tgt_root/etc/ ] ; then - boot_uuid=$(blkid -o value -s UUID ${device}1) - swap_part_uuid=$(blkid -o value -s PARTUUID ${device}3) + boot_uuid=$(blkid -o value -s UUID ${bootfs}) + swap_part_uuid=$(blkid -o value -s PARTUUID ${swap}) echo "/dev/disk/by-partuuid/$swap_part_uuid swap swap defaults 0 0" >> /tgt_root/etc/fstab echo "UUID=$boot_uuid /boot vfat defaults 1 2" >> /tgt_root/etc/fstab # We dont want udev to mount our root device while we're booting... @@ -206,7 +206,7 @@ mkdir -p $EFIDIR cp /run/media/$1/EFI/BOOT/*.efi $EFIDIR if [ -f /run/media/$1/EFI/BOOT/grub.cfg ]; then - root_part_uuid=$(blkid -o value -s PARTUUID ${device}2) + root_part_uuid=$(blkid -o value -s PARTUUID ${rootfs}) GRUBCFG="$EFIDIR/grub.cfg" cp /run/media/$1/EFI/BOOT/grub.cfg $GRUBCFG # Update grub config for the installed image @@ -223,6 +223,7 @@ if [ -f /run/media/$1/EFI/BOOT/grub.cfg ]; then fi if [ -d /run/media/$1/loader ]; then + rootuuid=$(blkid -o value -s PARTUUID ${rootfs}) GUMMIBOOT_CFGS="/boot/loader/entries/*.conf" # copy config files for gummiboot cp -dr /run/media/$1/loader /boot diff --git a/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/finish b/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/finish index e712ff03c..d09bbb8be 100755 --- a/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/finish +++ b/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/finish 
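Review bot: The `blkid` results in the `@@ -184,8 +184,8 @@` hunk are written into `/tgt_root/etc/fstab` without checking that they are non-empty, so a failed lookup produces `UUID= /boot ...` and `/dev/disk/by-partuuid/ swap ...` entries that the installed system cannot mount. A guard right after the two assignments, such as `[ -n "$boot_uuid" ] && [ -n "$swap_part_uuid" ] || { echo "blkid returned no UUID"; exit 1; }`, would stop the install instead; whether `exit 1` is the right failure path for this script is not visible here. The expansions should also be quoted (`"${bootfs}"`, `"${swap}"`), and the same applies to `${rootfs}` in the `root_part_uuid` and `rootuuid` assignments of the two later hunks. The variables themselves are set outside these hunks.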
@@ -37,7 +37,7 @@ finish_run() { fi mount $flags $bootparam_root $ROOTFS_DIR else - debug "root '$bootparam_root' doesn't exist." + msg "root '$bootparam_root' doesn't exist." fi fi diff --git a/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/init b/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/init index 9291ad5c2..204f2379a 100755 --- a/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/init +++ b/yocto-poky/meta/recipes-core/initrdscripts/initramfs-framework/init @@ -58,7 +58,7 @@ fatal() { echo $1 >/dev/console echo >/dev/console - if [ -n "bootparam_init_fatal_sh" ]; then + if [ -n "$bootparam_init_fatal_sh" ]; then sh else while [ "true" ]; do diff --git a/yocto-poky/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh b/yocto-poky/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh index 0cfe76e23..0a52c90da 100644 --- a/yocto-poky/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh +++ b/yocto-poky/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh @@ -21,3 +21,7 @@ fi if [ -e /sys/kernel/debug ] && grep -q debugfs /proc/filesystems; then mount -t debugfs debugfs /sys/kernel/debug fi + +if ! [ -e /dev/zero ] && [ -e /dev ] && grep -q devtmpfs /proc/filesystems; then + mount -n -t devtmpfs devtmpfs /dev +fi diff --git a/yocto-poky/meta/recipes-core/kbd/kbd_2.0.2.bb b/yocto-poky/meta/recipes-core/kbd/kbd_2.0.2.bb index 136dc7ac0..49bb6c9a3 100644 --- a/yocto-poky/meta/recipes-core/kbd/kbd_2.0.2.bb +++ b/yocto-poky/meta/recipes-core/kbd/kbd_2.0.2.bb @@ -34,3 +34,4 @@ ALTERNATIVE_${PN} = "chvt deallocvt fgconsole openvt" ALTERNATIVE_PRIORITY = "100" BBCLASSEXTEND = "native" +PARALLEL_MAKEINST = "" diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2.inc b/yocto-poky/meta/recipes-core/libxml/libxml2.inc index 1c3c37d50..310d5bbc5 100644 --- a/yocto-poky/meta/recipes-core/libxml/libxml2.inc +++ b/yocto-poky/meta/recipes-core/libxml/libxml2.inc 
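Review bot: With the `$` restored in `fatal()`, the `sh` branch is reached only when `bootparam_init_fatal_sh` is non-empty, and that shell starts on the console with no login step visible in this hunk. A comment above the test would make the intent explicit, e.g. `# debug aid: unauthenticated shell on the console; keep init_fatal_sh off the kernel command line of production images`. How the `bootparam_*` variables are populated is outside the hunk, so the parameter name in that comment is an assumption to confirm. Images that relied on the old always-true test to get a rescue shell will now fall into the `while` loop instead.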
@@ -21,6 +21,22 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://libxml-m4-use-pkgconfig.patch \ file://configure.ac-fix-cross-compiling-warning.patch \ file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \ + file://CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch \ + file://CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch \ + file://CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch \ + file://CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch \ + file://CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch \ + file://0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch \ + file://CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch \ + file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \ + file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \ + file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \ + file://0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch \ + file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \ + file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \ + file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \ + file://CVE-2015-8241.patch \ + file://CVE-2015-8710.patch \ " BINCONFIG = "${bindir}/xml2-config" diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch new file mode 100644 index 000000000..979618d2c --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch 
@@ -0,0 +1,39 @@
+From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 11:13:45 +0800
+Subject: [PATCH] CVE-2015-5312 Another entity expansion issue
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756733
+It is one case where the code in place to detect entities expansions
+failed to exit when the situation was detected, leading to DoS
+Problem reported by Kostya Serebryany @ Google
+Patch provided by David Drysdale @ Google
+
+Upstream-Status: Backport
+
+CVE-2015-5312
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b7b6668..da6e729 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2806,6 +2806,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 0, 0, 0);
+ ctxt->depth--;
+
++ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
++ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
++ goto int_error;
++
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming loop */
+--
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
new file mode 100644
index 000000000..955c96195
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
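Review bot: The added `goto int_error` sits between the nested decode call and the `if (rep != NULL)` block, so `rep` may already hold an allocated string when the jump is taken and the `int_error` label has to free it. The label is outside the hunk, so confirm that it releases `rep`; if it does not, `xmlFree(rep);` belongs before the jump. A one-line comment such as `/* stop expanding once a nested decode reported an entity loop */` above the test would also record why the result is discarded.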
@@ -0,0 +1,40 @@
+From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 10:47:12 +0800
+Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in
+ xmlDictComputeFastQKey
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756528
+It was possible to hit a negative offset in the name indexing
+used to randomize the dictionary key generation
+Reported and fix provided by David Drysdale @ Google
+
+Upstream-Status: Backport
+
+CVE-2015-7497
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ dict.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 5f71d55..8c8f931 100644
+--- a/dict.c
++++ b/dict.c
+@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
+ value += 30 * (*prefix);
+
+ if (len > 10) {
+- value += name[len - (plen + 1 + 1)];
++ int offset = len - (plen + 1 + 1);
++ if (offset < 0)
++ offset = len - (10 + 1);
++ value += name[offset];
+ len = 10;
+ if (plen > 10)
+ plen = 10;
+--
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
new file mode 100644
index 000000000..b4860791b
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
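Review bot: The fallback `offset = len - (10 + 1)` is non-negative only because of the enclosing `if (len > 10)`, and nothing on the new lines says so. A comment on the fallback, such as `/* len > 10 here, so len - 11 cannot be negative */`, would keep a later edit of the outer condition from reintroducing the negative index. The function body starts and ends outside the hunk, so how `len` relates to the size of `name` is assumed from the signature line and should be confirmed.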
@@ -0,0 +1,131 @@ +From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 20 Nov 2015 16:06:59 +0800 +Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect + entities boundaries + +For https://bugzilla.gnome.org/show_bug.cgi?id=756525 +handle properly the case where we popped out of the current entity +while processing a start tag +Reported by Kostya Serebryany @ Google + +This slightly modifies the output of 754946 in regression tests + +Upstream-Status: Backport + +CVE-2015-7500 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 28 ++++++++++++++++++++++------ + result/errors/754946.xml.err | 7 +++++-- + 2 files changed, 27 insertions(+), 8 deletions(-) + +diff --git a/parser.c b/parser.c +index c7e4574..c5741e3 100644 +--- a/parser.c ++++ b/parser.c +@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, + const xmlChar **atts = ctxt->atts; + int maxatts = ctxt->maxatts; + int nratts, nbatts, nbdef; +- int i, j, nbNs, attval, oldline, oldcol; ++ int i, j, nbNs, attval, oldline, oldcol, inputNr; + const xmlChar *base; + unsigned long cur; + int nsNr = ctxt->nsNr; +@@ -9367,6 +9367,7 @@ reparse: + SHRINK; + base = ctxt->input->base; + cur = ctxt->input->cur - ctxt->input->base; ++ inputNr = ctxt->inputNr; + oldline = ctxt->input->line; + oldcol = ctxt->input->col; + nbatts = 0; +@@ -9392,7 +9393,8 @@ reparse: + */ + SKIP_BLANKS; + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + + while (((RAW != '>') && + ((RAW != '/') || (NXT(1) != '>')) && +@@ -9403,7 +9405,7 @@ reparse: + + attname = xmlParseAttribute2(ctxt, prefix, localname, + &aprefix, &attvalue, &len, &alloc); +- if (ctxt->input->base != base) { ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { + if ((attvalue != NULL) && (alloc != 0)) + 
xmlFree(attvalue); + attvalue = NULL; +@@ -9552,7 +9554,8 @@ skip_ns: + break; + } + SKIP_BLANKS; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + continue; + } + +@@ -9589,7 +9592,8 @@ failed: + GROW + if (ctxt->instate == XML_PARSER_EOF) + break; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) + break; + if (!IS_BLANK_CH(RAW)) { +@@ -9605,7 +9609,8 @@ failed: + break; + } + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + } + + /* +@@ -9772,6 +9777,17 @@ base_changed: + if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) + xmlFree((xmlChar *) atts[i]); + } ++ ++ /* ++ * We can't switch from one entity to another in the middle ++ * of a start tag ++ */ ++ if (inputNr != ctxt->inputNr) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, ++ "Start tag doesn't start and stop in the same entity\n"); ++ return(NULL); ++ } ++ + ctxt->input->cur = ctxt->input->base + cur; + ctxt->input->line = oldline; + ctxt->input->col = oldcol; +diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err +index 423dff5..a75088b 100644 +--- a/result/errors/754946.xml.err ++++ b/result/errors/754946.xml.err +@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated + Entity: line 1: + A<lbbbbbbbbbbbbbbbbbbb_ + ^ ++./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity ++>%SYSTEM;<![ ++ ^ + ./test/errors/754946.xml:1: parser error : Extra content at the end of the document +-<!DOCTYPEA[<!ENTITY % +- ^ ++>%SYSTEM;<![ ++ ^ +-- +2.3.5 + 
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
new file mode 100644
index 000000000..710735570
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
@@ -0,0 +1,38 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+
+Upstream-Status: Backport
+
+CVE-2015-8035
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+ return -1;
+ }
++ if (ret == LZMA_PROG_ERROR) {
++ xz_error(state, LZMA_PROG_ERROR, "compression error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
new file mode 100644
index 000000000..73531b3c1
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
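Review bot: Only `LZMA_PROG_ERROR` is added to the codes that leave the loop, so any other return value that is neither success nor end-of-stream still reaches the `while (strm->avail_out && ret != LZMA_STREAM_END)` test and may iterate again without making progress. A catch-all after the specific checks, `if (ret != LZMA_OK && ret != LZMA_STREAM_END) { xz_error(state, ret, "compression error"); return -1; }`, would close that class instead of one code at a time. The loop body starts above the hunk, so earlier checks for other codes may already exist, and a decoder opened with flags that return informational codes would need those excluded; confirm both before adding it.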
@@ -0,0 +1,49 @@
+From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Fri, 20 Nov 2015 17:16:06 +0800
+Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756372
+Error in the code pointing to the codepoint in the stack for the
+current char value instead of the pointer in the input that the SAX
+callback expects
+Reported and fixed by Hugh Davenport
+
+Upstream-Status: Backport
+
+CVE-2015-8242
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index bdf7807..b729197 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ if (ctxt->keepBlanks) {
+ if (ctxt->sax->characters != NULL)
+ ctxt->sax->characters(
+- ctxt->userData, &cur, 1);
++ ctxt->userData, &in->cur[0], 1);
+ } else {
+ if (ctxt->sax->ignorableWhitespace != NULL)
+ ctxt->sax->ignorableWhitespace(
+- ctxt->userData, &cur, 1);
++ ctxt->userData, &in->cur[0], 1);
+ }
+ } else {
+ htmlCheckParagraph(ctxt);
+ if (ctxt->sax->characters != NULL)
+ ctxt->sax->characters(
+- ctxt->userData, &cur, 1);
++ ctxt->userData, &in->cur[0], 1);
+ }
+ }
+ ctxt->token = 0;
+--
+2.3.5
+
diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
new file mode 100644
index 000000000..a86b9ee86
--- /dev/null
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
@@ -0,0 +1,138 @@ +From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 15 Sep 2015 16:50:32 +0800 +Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer + +For https://bugzilla.gnome.org/show_bug.cgi?id=754946 + +When hitting the end of the current input buffer while parsing +a name we could end up loosing the beginning of the name, which +led to various issues. + +Upstream-Status: backport + +Depend patch for CVE-2015-7500 + +Signed-off-by: Armin Kuster <akuster@mvista.com> +--- + parser.c | 29 ++++++++++++++++++++--------- + result/errors/754946.xml | 0 + result/errors/754946.xml.err | 16 ++++++++++++++++ + result/errors/754946.xml.str | 4 ++++ + test/errors/754946.xml | 1 + + 5 files changed, 41 insertions(+), 9 deletions(-) + create mode 100644 result/errors/754946.xml + create mode 100644 result/errors/754946.xml.err + create mode 100644 result/errors/754946.xml.str + create mode 100644 test/errors/754946.xml + +diff --git a/parser.c b/parser.c +index 0edd53b..fd29a39 100644 +--- a/parser.c ++++ b/parser.c +@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + c = CUR_CHAR(l); + if (c == 0) { + count = 0; ++ /* ++ * when shrinking to extend the buffer we really need to preserve ++ * the part of the name we already parsed. Hence rolling back ++ * by current lenght. 
++ */ ++ ctxt->input->cur -= l; + GROW; ++ ctxt->input->cur += l; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + end = ctxt->input->cur; +@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + + static const xmlChar * + xmlParseNCName(xmlParserCtxtPtr ctxt) { +- const xmlChar *in; ++ const xmlChar *in, *e; + const xmlChar *ret; + int count = 0; + +@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + * Accelerator for simple ASCII names + */ + in = ctxt->input->cur; +- if (((*in >= 0x61) && (*in <= 0x7A)) || +- ((*in >= 0x41) && (*in <= 0x5A)) || +- (*in == '_')) { ++ e = ctxt->input->end; ++ if ((((*in >= 0x61) && (*in <= 0x7A)) || ++ ((*in >= 0x41) && (*in <= 0x5A)) || ++ (*in == '_')) && (in < e)) { + in++; +- while (((*in >= 0x61) && (*in <= 0x7A)) || +- ((*in >= 0x41) && (*in <= 0x5A)) || +- ((*in >= 0x30) && (*in <= 0x39)) || +- (*in == '_') || (*in == '-') || +- (*in == '.')) ++ while ((((*in >= 0x61) && (*in <= 0x7A)) || ++ ((*in >= 0x41) && (*in <= 0x5A)) || ++ ((*in >= 0x30) && (*in <= 0x39)) || ++ (*in == '_') || (*in == '-') || ++ (*in == '.')) && (in < e)) + in++; ++ if (in >= e) ++ goto complex; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; + if ((count > XML_MAX_NAME_LENGTH) && +@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + return(ret); + } + } ++complex: + return(xmlParseNCNameComplex(ctxt)); + } + +diff --git a/result/errors/754946.xml b/result/errors/754946.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err +new file mode 100644 +index 0000000..423dff5 +--- /dev/null ++++ b/result/errors/754946.xml.err +@@ -0,0 +1,16 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %SYSTEM; ++ ^ ++Entity: line 1: ++A<lbbbbbbbbbbbbbbbbbbb_ ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %SYSTEM; ++ ^ ++Entity: line 1: 
++A<lbbbbbbbbbbbbbbbbbbb_ ++^ ++./test/errors/754946.xml:1: parser error : Extra content at the end of the document ++<!DOCTYPEA[<!ENTITY % ++ ^ +diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str +new file mode 100644 +index 0000000..3b748cc +--- /dev/null ++++ b/result/errors/754946.xml.str +@@ -0,0 +1,4 @@ ++./test/errors/754946.xml:1: parser error : Extra content at the end of the document ++<!DOCTYPEA[<!ENTITY % ++ ^ ++./test/errors/754946.xml : failed to parse +diff --git a/test/errors/754946.xml b/test/errors/754946.xml +new file mode 100644 +index 0000000..6b5f9b0 +--- /dev/null ++++ b/test/errors/754946.xml +@@ -0,0 +1 @@ ++<!DOCTYPEA[<!ENTITY %
SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![ +\ No newline at end of file +-- +2.3.5 + diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch new file mode 100644 index 000000000..47ba8970e --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch 
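Review bot: In the `xmlParseNCNameComplex` hunk, `ctxt->input->cur += l;` runs right after `GROW` and before the `XML_PARSER_EOF` test, so if `GROW` stopped the parser and replaced the input pointers, `cur` is advanced past the replacement before the function returns. The CVE-2015-7499-1 and CVE-2015-7499-2 patches on this page create that case: `xmlGROW` calls `xmlHaltParser`, which points `cur` at an empty string. Testing the state first avoids it: place `if (ctxt->instate == XML_PARSER_EOF) return(NULL);` between `GROW;` and `ctxt->input->cur += l;`. In `xmlParseNCName` the new `(in < e)` test is evaluated only after `*in` has been read, in both the `if` and the `while`; writing `(in < e) &&` first makes the bound effective. Both functions extend beyond the hunks shown.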
@@ -0,0 +1,89 @@ +From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 9 Nov 2015 18:07:18 +0800 +Subject: [PATCH] Avoid processing entities after encoding conversion failures + +For https://bugzilla.gnome.org/show_bug.cgi?id=756527 +and was also raised by Chromium team in the past + +When we hit a convwersion failure when switching encoding +it is bestter to stop parsing there, this was treated as a +fatal error but the parser was continuing to process to extract +more errors, unfortunately that makes little sense as the data +is obviously corrupt and can potentially lead to unexpected behaviour. + +Upstream-Status: Backport + +CVE-2015-7498 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 7 +++++-- + parserInternals.c | 11 ++++++++++- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/parser.c b/parser.c +index 134afe7..c79b4e8 100644 +--- a/parser.c ++++ b/parser.c +@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) { + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); + } + xmlParseEncodingDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { + + if (CUR == 0) { + xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); ++ return(-1); + } + + /* +@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { + * Note that we will switch encoding on the fly. 
+ */ + xmlParseXMLDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +diff --git a/parserInternals.c b/parserInternals.c +index df204fd..c8230c1 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) + { + xmlCharEncodingHandlerPtr handler; + int len = -1; ++ int ret; + + if (ctxt == NULL) return(-1); + switch (enc) { +@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) + if (handler == NULL) + return(-1); + ctxt->charset = XML_CHAR_ENCODING_UTF8; +- return(xmlSwitchToEncodingInt(ctxt, handler, len)); ++ ret = xmlSwitchToEncodingInt(ctxt, handler, len); ++ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) { ++ /* ++ * on encoding conversion errors, stop the parser ++ */ ++ xmlStopParser(ctxt); ++ ctxt->errNo = XML_I18N_CONV_FAILED; ++ } ++ return(ret); + } + + /** +-- +2.3.5 + diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch new file mode 100644 index 000000000..e39ec65cd --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch 
@@ -0,0 +1,88 @@ +From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 20 Nov 2015 14:55:30 +0800 +Subject: [PATCH] Add xmlHaltParser() to stop the parser + +The problem is doing it in a consistent and safe fashion +It's more complex than just setting ctxt->instate = XML_PARSER_EOF +Update the public function to reuse that new internal routine + +Upstream-Status: Backport + +CVE-2015-7499-1 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 34 +++++++++++++++++++++++++++++----- + 1 file changed, 29 insertions(+), 5 deletions(-) + +diff --git a/parser.c b/parser.c +index da6e729..b6e99b1 100644 +--- a/parser.c ++++ b/parser.c +@@ -94,6 +94,8 @@ static xmlParserCtxtPtr + xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, + const xmlChar *base, xmlParserCtxtPtr pctx); + ++static void xmlHaltParser(xmlParserCtxtPtr ctxt); ++ + /************************************************************************ + * * + * Arbitrary limits set in the parser. 
See XML_PARSE_HUGE * +@@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, + #endif /* LIBXML_PUSH_ENABLED */ + + /** +- * xmlStopParser: ++ * xmlHaltParser: + * @ctxt: an XML parser context + * +- * Blocks further parser processing ++ * Blocks further parser processing don't override error ++ * for internal use + */ +-void +-xmlStopParser(xmlParserCtxtPtr ctxt) { ++static void ++xmlHaltParser(xmlParserCtxtPtr ctxt) { + if (ctxt == NULL) + return; + ctxt->instate = XML_PARSER_EOF; +- ctxt->errNo = XML_ERR_USER_STOP; + ctxt->disableSAX = 1; + if (ctxt->input != NULL) { ++ /* ++ * in case there was a specific allocation deallocate before ++ * overriding base ++ */ ++ if (ctxt->input->free != NULL) { ++ ctxt->input->free((xmlChar *) ctxt->input->base); ++ ctxt->input->free = NULL; ++ } + ctxt->input->cur = BAD_CAST""; + ctxt->input->base = ctxt->input->cur; + } + } + + /** ++ * xmlStopParser: ++ * @ctxt: an XML parser context ++ * ++ * Blocks further parser processing ++ */ ++void ++xmlStopParser(xmlParserCtxtPtr ctxt) { ++ if (ctxt == NULL) ++ return; ++ xmlHaltParser(ctxt); ++ ctxt->errNo = XML_ERR_USER_STOP; ++} ++ ++/** + * xmlCreateIOParserCtxt: + * @sax: a SAX handler + * @user_data: The user data returned on SAX callbacks +-- +2.3.5 + diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch new file mode 100644 index 000000000..aff392095 --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch 
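Review bot: `xmlHaltParser` repoints `ctxt->input->cur` and `ctxt->input->base` at an empty string (releasing the old buffer first when `input->free` is set), but the visible lines leave `ctxt->input->end` untouched, so `end` still refers to the previous buffer. Other patches on this page compare against it (`in < e` in `xmlParseNCName`, `cur + 3 <= end` in `xmlParseConditionalSections`, `cur > end` in `xmlGROW`), so on a halted context those tests would be evaluated against a stale and possibly freed pointer. Adding `ctxt->input->end = ctxt->input->cur;` next to the `base` assignment keeps the three pointers coherent. Only the current input is reset here; whether inputs further down the stack need the same treatment is not visible from this hunk.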
@@ -0,0 +1,43 @@ +From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 20 Nov 2015 15:04:09 +0800 +Subject: [PATCH] Detect incoherency on GROW + +the current pointer to the input has to be between the base and end +if not stop everything we have an internal state error. + +Upstream-Status: Backport + +CVE-2015-7499-2 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 1810f99..ab007aa 100644 +--- a/parser.c ++++ b/parser.c +@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); ++ return; + } + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); ++ if ((ctxt->input->cur > ctxt->input->end) || ++ (ctxt->input->cur < ctxt->input->base)) { ++ xmlHaltParser(ctxt); ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); ++ return; ++ } + if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && + (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) + xmlPopInput(ctxt); +-- +2.3.5 + diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch new file mode 100644 index 000000000..11da9f9bd --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch 
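Review bot: In the new bounds check, `xmlHaltParser(ctxt)` is called before `xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound")`, the reverse of the order used in the "Huge input lookup" branch just above. `xmlHaltParser` sets `instate = XML_PARSER_EOF` and `disableSAX = 1` (see CVE-2015-7499-1), and the error helpers in libxml2's parser.c are believed to return early in exactly that state, so this internal error would probably never be recorded; confirm against the 2.9.2 source. Reporting first and halting second, as the first branch does, sidesteps the question. The check also runs only after `xmlParserInputGrow` has already operated on the pointers it is meant to validate.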
@@ -0,0 +1,39 @@ +From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 23 Feb 2015 11:17:35 +0800 +Subject: [PATCH] Stop parsing on entities boundaries errors + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +There are times, like on unterminated entities that it's preferable to +stop parsing, even if that means less error reporting. Entities are +feeding the parser on further processing, and if they are ill defined +then it's possible to get the parser to bug. Also do the same on +Conditional Sections if the input is broken, as the structure of +the document can't be guessed. + +Upstream-Status: Backport + +CVE-2015-7941-1 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/parser.c b/parser.c +index a8d1b67..bbe97eb 100644 +--- a/parser.c ++++ b/parser.c +@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "xmlParseEntityDecl: entity %s not terminated\n", name); ++ xmlStopParser(ctxt); + } else { + if (input != ctxt->input) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, +-- +2.3.5 + diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch new file mode 100644 index 000000000..b7bd96053 --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch 
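Review bot: `xmlStopParser(ctxt)` follows the `XML_ERR_ENTITY_NOT_FINISHED` report here, and `xmlStopParser` assigns `ctxt->errNo = XML_ERR_USER_STOP` (visible in the CVE-2015-7499-1 patch), so a caller reading `errNo` afterwards sees a user stop rather than the parse error that caused it, assuming the error helper records its code in `errNo`. The same applies to the three `xmlStopParser(ctxt); return;` additions in CVE-2015-7941-2. Once CVE-2015-7499-1 is in the series, these sites could call `xmlHaltParser(ctxt)`, which stops the parser without overriding the error. Unlike the 7941-2 hunks, there is no `return` after the stop; `xmlParseEntityDecl` continues past the hunk, so whether the remaining code is safe on a stopped context cannot be judged from here.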
@@ -0,0 +1,56 @@ +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 23 Feb 2015 11:29:20 +0800 +Subject: [PATCH] Cleanup conditional section error handling + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +The error handling of Conditional Section also need to be +straightened as the structure of the document can't be +guessed on a failure there and it's better to stop parsing +as further errors are likely to be irrelevant. + +Upstream-Status: Backport + +CVE-2015-7941-2 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/parser.c b/parser.c +index bbe97eb..fe603ac 100644 +--- a/parser.c ++++ b/parser.c +@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) +-- +2.3.5 + diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch new file mode 100644 index 000000000..34b60362c --- /dev/null 
+++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch @@ -0,0 +1,35 @@ +From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 27 Oct 2015 10:53:44 +0800 +Subject: [PATCH] Fix an error in previous Conditional section patch + +an off by one mistake in the change, led to error on correct +document where the end of the included entity was exactly +the end of the conditional section, leading to regtest failure + +Upstream-Status: Backport + +CVE-2015-7942-2 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index b9217ff..d67b300 100644 +--- a/parser.c ++++ b/parser.c +@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + NULL, NULL); + } + if ((ctxt-> instate != XML_PARSER_EOF) && +- ((ctxt->input->cur + 3) < ctxt->input->end)) ++ ((ctxt->input->cur + 3) <= ctxt->input->end)) + SKIP(3); + } + } +-- +2.3.5 + diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch new file mode 100644 index 000000000..40082ec07 --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch 
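Review bot: The bound is written as `(ctxt->input->cur + 3) <= ctxt->input->end`, which forms `cur + 3` before knowing that three bytes remain. When fewer remain, the addition itself points more than one past the buffer, which C leaves undefined. Comparing the remaining length expresses the same condition without that step: `((ctxt->input->end - ctxt->input->cur) >= 3)`. The CVE-2015-7942 patch introduces the `<` form of this test and has the same shape. `xmlParseConditionalSections` starts above the hunk.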
@@ -0,0 +1,39 @@ +From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 23 Oct 2015 19:02:28 +0800 +Subject: [PATCH] Another variation of overflow in Conditional sections + +Which happen after the previous fix to +https://bugzilla.gnome.org/show_bug.cgi?id=756456 + +But stopping the parser and exiting we didn't pop the intermediary entities +and doing the SKIP there applies on an input which may be too small + +Upstream-Status: Backport + +CVE-2015-7942 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index a65e4cc..b9217ff 100644 +--- a/parser.c ++++ b/parser.c +@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + "All markup of the conditional section is not in the same entity\n", + NULL, NULL); + } +- SKIP(3); ++ if ((ctxt-> instate != XML_PARSER_EOF) && ++ ((ctxt->input->cur + 3) < ctxt->input->end)) ++ SKIP(3); + } + } + +-- +2.3.5 + diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch new file mode 100644 index 000000000..89a46ad17 --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch 
@@ -0,0 +1,40 @@ +From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001 +From: Hugh Davenport <hugh@allthethings.co.nz> +Date: Tue, 3 Nov 2015 20:40:49 +0800 +Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF + +For https://bugzilla.gnome.org/show_bug.cgi?id=756263 + +One place where ctxt->instate == XML_PARSER_EOF whic was set up +by entity detection issues doesn't get noticed, and even overrided + +Upstream-status: Backport + +https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe + +CVE: CVE-2015-8241 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: libxml2-2.9.2/parser.c +=================================================================== +--- libxml2-2.9.2.orig/parser.c ++++ libxml2-2.9.2/parser.c +@@ -6999,6 +6999,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt + xmlParsePI(ctxt); + } + } ++ ++ /* ++ * detect requirement to exit there and act accordingly ++ * and avoid having instate overriden later on ++ */ ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; ++ + /* + * This is only for internal subset. On external entities, + * the replacement is done before parsing stage diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch new file mode 100644 index 000000000..59425cbfc --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch 
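Review bot: The header of this patch spells the status tag `Upstream-status:` while most other patches added in this commit use `Upstream-Status:`; a checker that matches the tag case-sensitively would treat this patch as having no status. This patch and CVE-2015-8710.patch carry a `CVE: CVE-…` line, whereas the other libxml2 CVE patches here put a bare label on a line of its own (for example `CVE-2015-7499-1`, which is not itself a CVE identifier). Tooling that scans patch headers for the `CVE:` tag would not associate those patches with the fixes. Using `Upstream-Status: Backport` and `CVE: CVE-2015-NNNN` consistently keeps the series auditable.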
@@ -0,0 +1,42 @@ +From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 29 Jun 2015 16:10:26 +0800 +Subject: [PATCH] Fail parsing early on if encoding conversion failed + +For https://bugzilla.gnome.org/show_bug.cgi?id=751631 + +If we fail conversing the current input stream while +processing the encoding declaration of the XMLDecl +then it's safer to just abort there and not try to +report further errors. + +Upstream-Status: Backport + +CVE-2015-8317 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index a3a9568..0edd53b 100644 +--- a/parser.c ++++ b/parser.c +@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { + + handler = xmlFindCharEncodingHandler((const char *) encoding); + if (handler != NULL) { +- xmlSwitchToEncoding(ctxt, handler); ++ if (xmlSwitchToEncoding(ctxt, handler) < 0) { ++ /* failed to convert */ ++ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; ++ return(NULL); ++ } + } else { + xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, + "Unsupported encoding %s\n", encoding); +-- +2.3.5 + diff --git a/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch new file mode 100644 index 000000000..be06cc22c --- /dev/null +++ b/yocto-poky/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch 
@@ -0,0 +1,71 @@ +From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 30 Oct 2015 21:14:55 +0800 +Subject: [PATCH] Fix parsing short unclosed comment uninitialized access + +For https://bugzilla.gnome.org/show_bug.cgi?id=746048 +The HTML parser was too optimistic when processing comments and +didn't check for the end of the stream on the first 2 characters + +Upstream-Status: Backport + +https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c + +CVE: CVE-2015-8710 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + HTMLparser.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +Index: libxml2-2.9.2/HTMLparser.c +=================================================================== +--- libxml2-2.9.2.orig/HTMLparser.c ++++ libxml2-2.9.2/HTMLparser.c +@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) + ctxt->instate = state; + return; + } ++ len = 0; ++ buf[len] = 0; + q = CUR_CHAR(ql); ++ if (!IS_CHAR(q)) ++ goto unfinished; + NEXTL(ql); + r = CUR_CHAR(rl); ++ if (!IS_CHAR(r)) ++ goto unfinished; + NEXTL(rl); + cur = CUR_CHAR(l); +- len = 0; + while (IS_CHAR(cur) && + ((cur != '>') || + (r != '-') || (q != '-'))) { +@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) + } + } + buf[len] = 0; +- if (!IS_CHAR(cur)) { +- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment not terminated \n<!--%.50s\n", buf, NULL); +- xmlFree(buf); +- } else { ++ if (IS_CHAR(cur)) { + NEXT; + if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) && + (!ctxt->disableSAX)) + ctxt->sax->comment(ctxt->userData, buf); + xmlFree(buf); ++ ctxt->instate = state; ++ return; + } +- ctxt->instate = state; ++ ++unfinished: ++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, ++ "Comment not terminated \n<!--%.50s\n", buf, NULL); ++ xmlFree(buf); + } + + /** 
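Review bot: The `unfinished:` path no longer restores `ctxt->instate = state`: the patch removes the assignment that used to run after both branches and re-adds it only inside the `if (IS_CHAR(cur))` success branch. The early return at the top of the first hunk does restore it, so the unterminated-comment path is now the odd one out and leaves the parser in whatever state `htmlParseComment` set on entry (that assignment is above the hunk). If this is not intended, add `ctxt->instate = state;` after `xmlFree(buf);` under the label; if it is intended, a one-line comment saying why would help the next reader.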
diff --git a/yocto-poky/meta/recipes-core/meta/meta-ide-support.bb b/yocto-poky/meta/recipes-core/meta/meta-ide-support.bb index 2f9291281..86c57cda2 100644 --- a/yocto-poky/meta/recipes-core/meta/meta-ide-support.bb +++ b/yocto-poky/meta/recipes-core/meta/meta-ide-support.bb @@ -13,5 +13,4 @@ do_populate_ide_support () { toolchain_create_tree_env_script } -do_populate_ide_support[nostamp] = "1" addtask populate_ide_support before do_build after do_install diff --git a/yocto-poky/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/yocto-poky/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb index d971c3ca3..904173489 100644 --- a/yocto-poky/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb +++ b/yocto-poky/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb @@ -2,10 +2,17 @@ SUMMARY = "Dummy package which ensures perl is excluded from buildtools" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" -inherit nativesdk +inherit allarch -# Put it somewhere separate to ensure it's never used except when we want it -PACKAGE_ARCH = "buildtools-dummy-${SDKPKGSUFFIX}" +PR = "r1" + +python() { + # Put the package somewhere separate to ensure it's never used except + # when we want it + # (note that we have to do this in anonymous python here to avoid + # allarch.bbclass disabling itself) + d.setVar('PACKAGE_ARCH', 'buildtools-dummy-${SDKPKGSUFFIX}') +} PERLPACKAGES = "nativesdk-perl \ nativesdk-perl-module-file-path" diff --git a/yocto-poky/meta/recipes-core/meta/signing-keys.bb b/yocto-poky/meta/recipes-core/meta/signing-keys.bb new file mode 100644 index 000000000..cc401f3b6 --- /dev/null +++ b/yocto-poky/meta/recipes-core/meta/signing-keys.bb 
@@ -0,0 +1,45 @@ +# Copyright (C) 2015 Intel Corporation +# Released under the MIT license (see COPYING.MIT for the terms) + +DESCRIPTION = "Make public keys of the signing keys available" +LICENSE = "MIT" +PACKAGES = "" + +do_fetch[noexec] = "1" +do_unpack[noexec] = "1" +do_patch[noexec] = "1" +do_configure[noexec] = "1" +do_compile[noexec] = "1" +do_install[noexec] = "1" +do_package[noexec] = "1" +do_packagedata[noexec] = "1" +do_package_write_ipk[noexec] = "1" +do_package_write_rpm[noexec] = "1" +do_package_write_deb[noexec] = "1" +do_populate_sysroot[noexec] = "1" + +EXCLUDE_FROM_WORLD = "1" + +def export_gpg_pubkey(d, keyid, path): + import bb + gpg_bin = d.getVar('GPG_BIN', True) or \ + bb.utils.which(os.getenv('PATH'), "gpg") + cmd = '%s --batch --yes --export --armor -o %s %s' % \ + (gpg_bin, path, keyid) + status, output = oe.utils.getstatusoutput(cmd) + if status: + raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % + (keyid, output)) + +python do_export_public_keys () { + if d.getVar("RPM_SIGN_PACKAGES", True): + # Export public key of the rpm signing key + export_gpg_pubkey(d, d.getVar("RPM_GPG_NAME", True), + d.getVar('RPM_GPG_PUBKEY', True)) + + if d.getVar('PACKAGE_FEED_SIGN', True) == '1': + # Export public key of the feed signing key + export_gpg_pubkey(d, d.getVar("PACKAGE_FEED_GPG_NAME", True), + d.getVar('PACKAGE_FEED_GPG_PUBKEY', True)) +} +addtask do_export_public_keys before do_build diff --git a/yocto-poky/meta/recipes-core/meta/uninative-tarball.bb b/yocto-poky/meta/recipes-core/meta/uninative-tarball.bb index 41f7927e1..21f3bd985 100644 --- a/yocto-poky/meta/recipes-core/meta/uninative-tarball.bb +++ b/yocto-poky/meta/recipes-core/meta/uninative-tarball.bb @@ -7,6 +7,7 @@ TOOLCHAIN_TARGET_TASK = "" TOOLCHAIN_HOST_TASK = "\ nativesdk-glibc \ + nativesdk-glibc-gconv-ibm850 \ nativesdk-patchelf \ " 
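Review bot: `export_gpg_pubkey` builds the gpg command by `%`-formatting `gpg_bin`, `path` and `keyid` into one string and hands it to `oe.utils.getstatusoutput`, which appears to run it through a shell, so a key name or output path containing spaces or shell metacharacters is split or interpreted rather than passed as one argument. Quoting each value with the shell-quoting helper of the Python version in use (`pipes.quote` / `shlex.quote`), or invoking gpg with an argument list, removes that dependence on well-behaved configuration values. `do_export_public_keys` also tests `RPM_SIGN_PACKAGES` for plain truthiness, while `PACKAGE_FEED_SIGN` here and `RPM_SIGN_PACKAGES` in os-release.bb are compared with `'1'`, so a value of `"0"` would still trigger the export; `== '1'` would match the other checks. Neither call verifies that the `*_GPG_PUBKEY` variable is set before it is formatted into `-o %s`.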
diff --git a/yocto-poky/meta/recipes-core/os-release/os-release.bb b/yocto-poky/meta/recipes-core/os-release/os-release.bb index cc431d2cd..c690b82b2 100644 --- a/yocto-poky/meta/recipes-core/os-release/os-release.bb +++ b/yocto-poky/meta/recipes-core/os-release/os-release.bb @@ -32,11 +32,12 @@ python do_compile () { f.write('{0}={1}\n'.format(field, value)) if d.getVar('RPM_SIGN_PACKAGES', True) == '1': rpm_gpg_pubkey = d.getVar('RPM_GPG_PUBKEY', True) - os.mkdir('${B}/rpm-gpg') - distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0" + bb.utils.mkdirhier('${B}/rpm-gpg') + distro_version = d.getVar('DISTRO_VERSION', True) or "oe.0" shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version)) } do_compile[vardeps] += "${OS_RELEASE_FIELDS}" +do_compile[depends] += "signing-keys:do_export_public_keys" do_install () { install -d ${D}${sysconfdir} diff --git a/yocto-poky/meta/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bb b/yocto-poky/meta/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bb index 37f5e43a7..6997f396b 100644 --- a/yocto-poky/meta/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bb +++ b/yocto-poky/meta/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bb @@ -7,6 +7,8 @@ inherit packagegroup RDEPENDS_${PN} = "\ libgcc \ libgcc-dev \ + libatomic \ + libatomic-dev \ libstdc++ \ libstdc++-dev \ ${LIBC_DEPENDENCIES} \ diff --git a/yocto-poky/meta/recipes-core/readline/readline-6.3/readline63-003 b/yocto-poky/meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch index 98a9d810b..98a9d810b 100644 --- a/yocto-poky/meta/recipes-core/readline/readline-6.3/readline63-003 +++ b/yocto-poky/meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch diff --git a/yocto-poky/meta/recipes-core/readline/readline_6.3.bb b/yocto-poky/meta/recipes-core/readline/readline_6.3.bb index 55964a6cf..fc362ae5a 100644 
--- a/yocto-poky/meta/recipes-core/readline/readline_6.3.bb +++ b/yocto-poky/meta/recipes-core/readline/readline_6.3.bb @@ -1,6 +1,6 @@ require readline.inc -SRC_URI += "file://readline63-003 \ +SRC_URI += "file://readline-cve-2014-2524.patch;striplevel=0 \ file://readline-dispatch-multikey.patch" SRC_URI[archive.md5sum] = "33c8fb279e981274f485fd91da77e94a" diff --git a/yocto-poky/meta/recipes-core/systemd/systemd/0001-fix-build-on-uClibc-exp10.patch b/yocto-poky/meta/recipes-core/systemd/systemd/0001-fix-build-on-uClibc-exp10.patch new file mode 100644 index 000000000..76ce4b781 --- /dev/null +++ b/yocto-poky/meta/recipes-core/systemd/systemd/0001-fix-build-on-uClibc-exp10.patch @@ -0,0 +1,22 @@ +Inspired by: http://peter.korsgaard.com/patches/alsa-utils/alsamixer-fix-build-on-uClibc-exp10.patch + +exp10 extension is not part of uClibc, so compute it. + + +Signed-off-by: Samuel Martin <s.martin49@gmail.com> + +Upstream-Status: Pending + +Index: git/src/basic/missing.h +=================================================================== +--- git.orig/src/basic/missing.h ++++ git/src/basic/missing.h +@@ -1036,3 +1036,8 @@ static inline int kcmp(pid_t pid1, pid_t + #ifndef INPUT_PROP_ACCELEROMETER + #define INPUT_PROP_ACCELEROMETER 0x06 + #endif ++ ++#ifdef __UCLIBC__ ++/* 10^x = 10^(log e^x) = (e^x)^log10 = e^(x * log 10) */ ++#define exp10(x) (exp((x) * log(10))) ++#endif /* __UCLIBC__ */ diff --git a/yocto-poky/meta/recipes-core/systemd/systemd/0022-Use-getenv-when-secure-versions-are-not-available.patch b/yocto-poky/meta/recipes-core/systemd/systemd/0022-Use-getenv-when-secure-versions-are-not-available.patch new file mode 100644 index 000000000..30e38173e --- /dev/null +++ b/yocto-poky/meta/recipes-core/systemd/systemd/0022-Use-getenv-when-secure-versions-are-not-available.patch 
@@ -0,0 +1,39 @@ +From cb71e4beea3b3b11e5951f95c829cd2eee9fcf7b Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 12 Sep 2015 19:10:04 +0000 +Subject: [PATCH 22/31] Use getenv when secure versions are not available + +musl doesnt implement secure version, so we default +to it if configure does not detect a secure imeplementation + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- +Upstream-Status: Rejected + + src/basic/missing.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/basic/missing.h b/src/basic/missing.h +index bf9b490..d6dbc7d 100644 +--- a/src/basic/missing.h ++++ b/src/basic/missing.h +@@ -584,13 +584,14 @@ static inline int name_to_handle_at(int fd, const char *name, struct file_handle + return syscall(__NR_name_to_handle_at, fd, name, handle, mnt_id, flags); + } + #endif +- +-#ifndef HAVE_SECURE_GETENV ++#ifdef HAVE_SECURE_GETENV + # ifdef HAVE___SECURE_GETENV + # define secure_getenv __secure_getenv + # else + # error "neither secure_getenv nor __secure_getenv are available" + # endif ++#else ++# define secure_getenv getenv + #endif + + #ifndef CIFS_MAGIC_NUMBER +-- +2.5.2 + diff --git a/yocto-poky/meta/recipes-core/systemd/systemd/rules-whitelist-hd-devices.patch b/yocto-poky/meta/recipes-core/systemd/systemd/rules-whitelist-hd-devices.patch new file mode 100644 index 000000000..8975b05e0 --- /dev/null +++ b/yocto-poky/meta/recipes-core/systemd/systemd/rules-whitelist-hd-devices.patch 
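Review bot: Flipping `#ifndef HAVE_SECURE_GETENV` to `#ifdef` inverts the block for every libc: when `HAVE_SECURE_GETENV` is defined, the code now either redefines `secure_getenv` as `__secure_getenv` or hits the `#error`, and the header compiles cleanly only where the macro is absent. More importantly, the new `#else` maps `secure_getenv` to plain `getenv`, which silently drops the secure-execution filtering that callers of `secure_getenv` rely on in setuid/setgid or otherwise privileged contexts, and the patch is marked `Upstream-Status: Rejected`. If the fallback is kept, it reads more safely as the original `#ifndef HAVE_SECURE_GETENV` with `# define secure_getenv getenv` replacing only the inner `# error`, plus a comment stating that environment filtering is lost on this libc. The description mentions musl, while systemd_225.bb applies the patch under `SRC_URI_append_libc-uclibc`; one of the two should be corrected.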
@@ -0,0 +1,32 @@ +From f77b7e5626e70c3a775e993816a33af5a61dea42 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 16 Sep 2015 13:55:58 +0200 +Subject: [PATCH] rules: whitelist hd* devices + +qemu by default emulates IDE and the linux-yocto kernel(s) use +CONFIG_IDE instead of the more modern libsata, so disks appear as +/dev/hd*. Patch rejected upstream because CONFIG_IDE is deprecated. + +Upstream-Status: Denied [https://github.com/systemd/systemd/pull/1276] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + rules/60-persistent-storage.rules | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rules/60-persistent-storage.rules b/rules/60-persistent-storage.rules +index 0b14bb4..1c4d97a 100644 +--- a/rules/60-persistent-storage.rules ++++ b/rules/60-persistent-storage.rules +@@ -6,7 +6,7 @@ + ACTION=="remove", GOTO="persistent_storage_end" + + SUBSYSTEM!="block", GOTO="persistent_storage_end" +-KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*", GOTO="persistent_storage_end" ++KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|hd*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*", GOTO="persistent_storage_end" + + # ignore partitions that span the entire disk + TEST=="whole_disk", GOTO="persistent_storage_end" +-- +2.1.4 + diff --git a/yocto-poky/meta/recipes-core/systemd/systemd_225.bb b/yocto-poky/meta/recipes-core/systemd/systemd_225.bb index f7d4c7df4..18c244812 100644 --- a/yocto-poky/meta/recipes-core/systemd/systemd_225.bb +++ b/yocto-poky/meta/recipes-core/systemd/systemd_225.bb @@ -18,7 +18,7 @@ PROVIDES = "udev" PE = "1" -DEPENDS = "kmod docbook-sgml-dtd-4.1-native intltool-native gperf-native acl readline dbus libcap libcgroup glib-2.0 qemu-native util-linux" +DEPENDS = "kmod docbook-sgml-dtd-4.1-native intltool-native gperf-native acl readline dbus libcap libcgroup qemu-native util-linux" SECTION = "base/shell" 
@@ -45,6 +45,7 @@ SRC_URI = "git://github.com/systemd/systemd.git;protocol=git \ file://00-create-volatile.conf \ file://init \ file://run-ptest \ + file://rules-whitelist-hd-devices.patch \ " SRC_URI_append_qemuall = " file://qemuall_io_latency-core-device.c-Change-the-default-device-timeout-to-2.patch" @@ -52,6 +53,8 @@ S = "${WORKDIR}/git" SRC_URI_append_libc-uclibc = "\ file://0001-units-Prefer-getty-to-agetty-in-console-setup-system.patch \ + file://0022-Use-getenv-when-secure-versions-are-not-available.patch \ + file://0001-fix-build-on-uClibc-exp10.patch \ " LDFLAGS_append_libc-uclibc = " -lrt" @@ -87,6 +90,7 @@ PACKAGECONFIG[iptc] = "--enable-libiptc,--disable-libiptc,iptables" PACKAGECONFIG[ldconfig] = "--enable-ldconfig,--disable-ldconfig,," PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" PACKAGECONFIG[valgrind] = "ac_cv_header_valgrind_memcheck_h=yes ac_cv_header_valgrind_valgrind_h=yes ,ac_cv_header_valgrind_memcheck_h=no ac_cv_header_valgrind_valgrind_h=no ,valgrind" +PACKAGECONFIG[qrencode] = "--enable-qrencode,--disable-qrencode,qrencode" CACHED_CONFIGUREVARS += "ac_cv_path_KILL=${base_bindir}/kill" CACHED_CONFIGUREVARS += "ac_cv_path_KMOD=${base_bindir}/kmod" @@ -123,6 +127,9 @@ EXTRA_OECONF = " --with-rootprefix=${rootprefix} \ # uclibc does not have NSS EXTRA_OECONF_append_libc-uclibc = " --disable-myhostname " +# disable problematic GCC 5.2 optimizations [YOCTO #8291] +FULL_OPTIMIZATION_append_arm = " -fno-schedule-insns -fno-schedule-insns2" + do_configure_prepend() { export NM="${HOST_PREFIX}gcc-nm" export AR="${HOST_PREFIX}gcc-ar" 
@@ -186,8 +193,8 @@ do_install() { sed -i -e 's/.*ForwardToSyslog.*/ForwardToSyslog=yes/' ${D}${sysconfdir}/systemd/journald.conf # this file is needed to exist if networkd is disabled but timesyncd is still in use since timesyncd checks it # for existence else it fails - if [ -s ${D}${libdir}/tmpfiles.d/systemd.conf ]; then - ${@bb.utils.contains('PACKAGECONFIG', 'networkd', ':', 'sed -i -e "\$ad /run/systemd/netif/links 0755 root root -" ${D}${libdir}/tmpfiles.d/systemd.conf', d)} + if [ -s ${D}${exec_prefix}/lib/tmpfiles.d/systemd.conf ]; then + ${@bb.utils.contains('PACKAGECONFIG', 'networkd', ':', 'sed -i -e "\$ad /run/systemd/netif/links 0755 root root -" ${D}${exec_prefix}/lib/tmpfiles.d/systemd.conf', d)} fi install -Dm 0755 ${S}/src/systemctl/systemd-sysv-install.SKELETON ${D}${systemd_unitdir}/systemd-sysv-install } diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git.inc b/yocto-poky/meta/recipes-core/uclibc/uclibc-git.inc index 14a577f43..b7184794d 100644 --- a/yocto-poky/meta/recipes-core/uclibc/uclibc-git.inc +++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git.inc @@ -16,5 +16,10 @@ SRC_URI = "git://uclibc.org/uClibc.git;branch=master \ file://0005-Always-use-O2-for-compiling-fork.c.patch \ file://0006-ldso-limited-support-for-ORIGIN-in-rpath.patch \ file://0007-nptl-atfork-Hide-pthread_atfork-in-shared-versions.patch \ + file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \ + file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \ + file://0001-wire-in-syncfs.patch \ + file://CVE-2016-2224.patch \ + file://CVE-2016-2225.patch \ " S = "${WORKDIR}/git" diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch new file mode 100644 index 000000000..6942db462 --- /dev/null 
+++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch @@ -0,0 +1,42 @@ +From 4c8f5fe7d41493e8e181941ae5a01713155f44d1 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Thu, 15 Oct 2015 15:34:39 +0000 +Subject: [PATCH] fcntl: Add AT_EMPTY_PATH for all and O_PATH for arm + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- +Upstream-Status: Pending + + include/fcntl.h | 3 +++ + libc/sysdeps/linux/arm/bits/fcntl.h | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/include/fcntl.h b/include/fcntl.h +index 11000dd..8a7ad9b 100644 +--- a/include/fcntl.h ++++ b/include/fcntl.h +@@ -65,6 +65,9 @@ __BEGIN_DECLS + # define AT_SYMLINK_FOLLOW 0x400 /* Follow symbolic links. */ + # define AT_EACCESS 0x200 /* Test access permitted for + effective IDs, not real IDs. */ ++# ifdef __USE_GNU ++# define AT_EMPTY_PATH 0x1000 /* Allow empty relative pathname. */ ++# endif + #endif + + /* Do the file control operation described by CMD on FD. +diff --git a/libc/sysdeps/linux/arm/bits/fcntl.h b/libc/sysdeps/linux/arm/bits/fcntl.h +index aedc154..c6ba958 100644 +--- a/libc/sysdeps/linux/arm/bits/fcntl.h ++++ b/libc/sysdeps/linux/arm/bits/fcntl.h +@@ -50,6 +50,7 @@ + # define O_DIRECT 0200000 /* Direct disk access. */ + # define O_NOATIME 01000000 /* Do not set atime. */ + # define O_CLOEXEC 02000000 /* Set close_on_exec. */ ++# define O_PATH 010000000 /* Resolve pathname but do not open file. */ + #endif + + /* For now Linux has synchronisity options for data and read operations. +-- +2.6.1 + diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-gcc5-optimizes-away-the-write-only-static-functions-.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-gcc5-optimizes-away-the-write-only-static-functions-.patch new file mode 100644 index 000000000..e622f87ba --- /dev/null +++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-gcc5-optimizes-away-the-write-only-static-functions-.patch 
@@ -0,0 +1,51 @@ +From 2659fb25d32f4b29c1c96aa5730fe40e19d53ab0 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Wed, 14 Oct 2015 17:38:37 -0700 +Subject: [PATCH] gcc5 optimizes away the write only static functions and we + end up with + + librt/librt_so.a(rt-unwind-resume.oS): In function `_Unwind_Resume': + rt-unwind-resume.c:(.text+0x3c): undefined reference to `libgcc_s_resume' + collect2: error: ld returned 1 exit status + make[2]: *** [lib/librt.so] Error 1 + +marking these functions explicitly used with __attribute_used__ avoids +that optimization. + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- +Upstream-Status: Pending + + libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c | 2 +- + libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c b/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c +index f4d6f41..0c2edd7 100644 +--- a/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c ++++ b/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-forcedunwind.c +@@ -27,7 +27,7 @@ + #define __libc_fatal(x) {/*write(STDERR_FILENO, x, strlen(x));*/ abort();} + + static void *libgcc_s_handle; +-static void (*libgcc_s_resume) (struct _Unwind_Exception *exc); ++static void (*libgcc_s_resume) (struct _Unwind_Exception *exc) __attribute_used__; + static _Unwind_Reason_Code (*libgcc_s_personality) + (_Unwind_State, struct _Unwind_Exception *, struct _Unwind_Context *); + static _Unwind_Reason_Code (*libgcc_s_forcedunwind) +diff --git a/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c b/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c +index f9a4ffb..f0c3047 100644 +--- a/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c ++++ b/libpthread/nptl/sysdeps/unix/sysv/linux/arm/unwind-resume.c +@@ -25,7 +25,7 @@ + #define __libc_dlclose dlclose 
+ #define __libc_fatal(x) {/*write(STDERR_FILENO, x, strlen(x));*/ abort();} + +-static void (*libgcc_s_resume) (struct _Unwind_Exception *exc); ++static void (*libgcc_s_resume) (struct _Unwind_Exception *exc) __attribute_used__; + static _Unwind_Reason_Code (*libgcc_s_personality) + (_Unwind_State, struct _Unwind_Exception *, struct _Unwind_Context *); + +-- +2.6.1 + diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-wire-in-syncfs.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-wire-in-syncfs.patch new file mode 100644 index 000000000..079ad6b3b --- /dev/null +++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/0001-wire-in-syncfs.patch 
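Review bot: The two `__attribute_used__` annotations on `libgcc_s_resume` (in `unwind-forcedunwind.c` and `unwind-resume.c`) carry no comment, and the commit subject speaks of write-only static functions while the annotated objects are static function pointers. A short comment at each declaration would keep the attribute from being removed later as noise, for example `/* read only by _Unwind_Resume, which the compiler does not see as a reader; keep the object */`. That wording is inferred from the linker error quoted in the description, which names `_Unwind_Resume` as the referencing symbol, and should be confirmed against the ARM implementation.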
@@ -0,0 +1,49 @@ +From 4f2db1b46bda5e376245ec36198b137709f069e8 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Thu, 15 Oct 2015 17:03:37 +0000 +Subject: [PATCH] wire in syncfs + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- +Upstream-Status: Pending + + include/unistd.h | 2 +- + libc/sysdeps/linux/common/syncfs.c | 13 +++++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + create mode 100644 libc/sysdeps/linux/common/syncfs.c + +diff --git a/include/unistd.h b/include/unistd.h +index 3793d2d..d01bb08 100644 +--- a/include/unistd.h ++++ b/include/unistd.h +@@ -1073,7 +1073,7 @@ extern char *getpass (const char *__prompt) __nonnull ((1)); + extern int fsync (int __fd); + #endif /* Use BSD || X/Open || Unix98. */ + +-#if 0 /*def __USE_GNU */ ++#ifdef __USE_GNU + /* Make all changes done to all files on the file system associated + * with FD actually appear on disk. */ + extern int syncfs (int __fd) __THROW; +diff --git a/libc/sysdeps/linux/common/syncfs.c b/libc/sysdeps/linux/common/syncfs.c +new file mode 100644 +index 0000000..d2eed05 +--- /dev/null ++++ b/libc/sysdeps/linux/common/syncfs.c +@@ -0,0 +1,13 @@ ++/* vi: set sw=4 ts=4: */ ++/* ++ * fsync() for uClibc ++ * ++ * Copyright (C) 2000-2006 Erik Andersen <andersen@uclibc.org> ++ * ++ * Licensed under the LGPL v2.1, see the file COPYING.LIB in this tarball. ++ */ ++ ++#include <sys/syscall.h> ++#include <unistd.h> ++ ++_syscall1(int, syncfs, int, fd) +-- +2.6.1 + diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch new file mode 100644 index 000000000..218b60a85 --- /dev/null +++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch 
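Review bot: The new `libc/sysdeps/linux/common/syncfs.c` emits `_syscall1(int, syncfs, int, fd)` unconditionally, so it depends on the kernel headers defining `__NR_syncfs`; the file sits under `common/`, which suggests it is built for every architecture. Wrapping the stub in `#ifdef __NR_syncfs` and `#endif` would keep builds against older headers working. The prototype in `include/unistd.h` is declared only under `__USE_GNU`, so the definition may want the same condition. The header comment still says `fsync() for uClibc` and should read `syncfs() for uClibc`.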
@@ -0,0 +1,49 @@ +From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001 +From: Waldemar Brodkorb <wbx@openadk.org> +Date: Sun, 17 Jan 2016 15:47:22 +0100 +Subject: [PATCH] Do not follow compressed items forever. + +It is possible to get stuck in an infinite loop when receiving a +specially crafted DNS reply. Exit the loop after a number of iteration +and consider the packet invalid. + +Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se> +Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org> + +Upstream-status: Backport +http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515 + +CVE: CVE-2016-2224 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + libc/inet/resolv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +Index: git/libc/inet/resolv.c +=================================================================== +--- git.orig/libc/inet/resolv.c ++++ git/libc/inet/resolv.c +@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char + bool measure = 1; + unsigned total = 0; + unsigned used = 0; ++ unsigned maxiter = 256; + + if (!packet) + return -1; + +- while (1) { ++ while (--maxiter) { + if (offset >= packet_len) + return -1; + b = packet[offset++]; +@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char + else + dest[used++] = '\0'; + } ++ if (!maxiter) ++ return -1; + + /* The null byte must be counted too */ + if (measure) diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch new file mode 100644 index 000000000..0217e4bf5 --- /dev/null +++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch 
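Review bot: The iteration cap `unsigned maxiter = 256;` in `__decode_dotted` is an unexplained constant, and with `while (--maxiter)` it allows 255 passes rather than 256. A comment such as `/* bound label/pointer hops so a compression loop in a crafted reply terminates */`, or a named constant, would document both the intent and the effective limit. The patch header also spells the tag `Upstream-status:` where the sibling patches use `Upstream-Status:`, which case-sensitive metadata checks may not match. The function body continues outside the hunk, so how the counter interacts with the label-copy path cannot be confirmed from here.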
@@ -0,0 +1,32 @@ +From bb01edff0377f2585ce304ecbadcb7b6cde372ac Mon Sep 17 00:00:00 2001 +From: Waldemar Brodkorb <wbx@openadk.org> +Date: Mon, 25 Jan 2016 21:11:34 +0100 +Subject: [PATCH] Make sure to always terminate decoded string + +Write a terminating '\0' to dest when the first byte of the encoded data +is 0. This corner case was previously missed. + +Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se> +Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org> + +Upstream-Status: Backport +http://repo.or.cz/uclibc-ng.git/commit/bb01edff0377f2585ce304ecbadcb7b6cde372ac +CVE: CVE-2016-2225 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + libc/inet/resolv.c | 1 + + 1 file changed, 1 insertion(+) + +Index: git/libc/inet/resolv.c +=================================================================== +--- git.orig/libc/inet/resolv.c ++++ git/libc/inet/resolv.c +@@ -671,6 +671,7 @@ int __decode_dotted(const unsigned char + if (!packet) + return -1; + ++ dest[0] = '\0'; + while (--maxiter) { + if (offset >= packet_len) + return -1; diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/uClibc.distro b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/uClibc.distro index 6575482b3..3827b66e9 100644 --- a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/uClibc.distro +++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/uClibc.distro @@ -182,6 +182,8 @@ UCLIBC_HAS_FLOATS=y # COMPILE_IN_THUMB_MODE is not set +# needed by shadow +UCLIBC_HAS_UTMP=y # needed by systemd UCLIBC_HAS_UTMPX=y UCLIBC_LINUX_MODULE_26=y diff --git a/yocto-poky/meta/recipes-core/udev/udev.inc b/yocto-poky/meta/recipes-core/udev/udev.inc index a00dad5db..c378ae3cd 100644 --- a/yocto-poky/meta/recipes-core/udev/udev.inc +++ b/yocto-poky/meta/recipes-core/udev/udev.inc 
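Review bot: `dest[0] = '\0';` is stored before the loop in `__decode_dotted` with no visible check that `dest` is non-NULL and has room for at least one byte; the hunk shows only the `if (!packet)` guard. If any caller can pass a zero-length destination, this store is itself out of bounds, so a guard on the destination pointer and its capacity ahead of the store would be safer (the parameter list is truncated in the hunk header, so the capacity argument is not visible). The context line `while (--maxiter) {` also means this patch applies only on top of CVE-2016-2224.patch; the order in `uclibc-git.inc` satisfies that and should be kept.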
@@ -15,6 +15,8 @@ LDFLAGS += "-lrt" DEPENDS = "glib-2.0 libusb usbutils pciutils glib-2.0-native gperf-native libxslt-native util-linux" RPROVIDES_${PN} = "hotplug" +PROVIDES = "libgudev" + SRC_URI = "${KERNELORG_MIRROR}/linux/utils/kernel/hotplug/udev-${PV}.tar.gz \ file://0001-Fixing-keyboard_force_release.sh-shell-script-path.patch \ file://avoid-mouse-autosuspend.patch \ diff --git a/yocto-poky/meta/recipes-core/util-linux/util-linux.inc b/yocto-poky/meta/recipes-core/util-linux/util-linux.inc index a4072bc6c..594108f68 100644 --- a/yocto-poky/meta/recipes-core/util-linux/util-linux.inc +++ b/yocto-poky/meta/recipes-core/util-linux/util-linux.inc @@ -163,6 +163,12 @@ do_install () { echo 'MOUNTALL="-t nonfs,nosmbfs,noncpfs"' > ${D}${sysconfdir}/default/mountall rm -f ${D}${bindir}/chkdupexe + + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then + install -d ${D}${sysconfdir}/pam.d + install -m 0644 ${WORKDIR}/runuser.pamd ${D}${sysconfdir}/pam.d/runuser + install -m 0644 ${WORKDIR}/runuser-l.pamd ${D}${sysconfdir}/pam.d/runuser-l + fi } # reset and nologin causes a conflict with ncurses-native and shadow-native diff --git a/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser-l.pamd b/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser-l.pamd new file mode 100644 index 000000000..4b368ccf5 --- /dev/null +++ b/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser-l.pamd @@ -0,0 +1,3 @@ +auth include runuser +session optional pam_keyinit.so force revoke +session include runuser diff --git a/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser.pamd b/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser.pamd new file mode 100644 index 000000000..48d133b9e --- /dev/null +++ b/yocto-poky/meta/recipes-core/util-linux/util-linux/runuser.pamd @@ -0,0 +1,4 @@ +auth sufficient pam_rootok.so +session optional pam_keyinit.so revoke +session required pam_limits.so +session required pam_unix.so 
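Review bot: The PAM block added to `do_install` in `util-linux.inc` ships `runuser.pamd` with `session required pam_limits.so` and `session required pam_unix.so`, but nothing in this hunk makes those modules a runtime dependency of the package. If the image does not otherwise pull them in, a `required` module that cannot be loaded fails the session stack and leaves `runuser` unusable; whether an RDEPENDS entry exists elsewhere in the file is not visible here. `do_install` starts above the hunk. A one-line comment above the `if`, such as `# PAM service files for runuser; the modules they name must be installed on the target`, would record the coupling.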
diff --git a/yocto-poky/meta/recipes-core/util-linux/util-linux_2.26.2.bb b/yocto-poky/meta/recipes-core/util-linux/util-linux_2.26.2.bb index fc7dc6e09..e09fdfaf5 100644 --- a/yocto-poky/meta/recipes-core/util-linux/util-linux_2.26.2.bb +++ b/yocto-poky/meta/recipes-core/util-linux/util-linux_2.26.2.bb @@ -13,6 +13,8 @@ SRC_URI += "file://util-linux-ng-replace-siginterrupt.patch \ file://uclibc-__progname-conflict.patch \ file://configure-sbindir.patch \ file://fix-parallel-build.patch \ + file://runuser.pamd \ + file://runuser-l.pamd \ ${OLDHOST} \ " SRC_URI[md5sum] = "9bdf368c395f1b70325d0eb22c7f48fb" |