klibc.git
4 years ago  [klibc] cpio: Fix possible crash on 64-bit systems
Ben Hutchings [Wed, 28 Apr 2021 17:46:47 +0000 (19:46 +0200)]
[klibc] cpio: Fix possible crash on 64-bit systems

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2e48a12ab1e30d43498c2d53e878a11a1b5102d5
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31871

copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes.
If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a
null pointer and a subsequent SIGSEGV.

The previous commit made this impossible on 32-bit systems.

CVE-2021-31871

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0040-klibc-cpio-Fix-possible-crash-on-64-bit-systems.patch

4 years ago  [klibc] cpio: Fix possible integer overflow on 32-bit systems
Ben Hutchings [Wed, 28 Apr 2021 03:16:34 +0000 (05:16 +0200)]
[klibc] cpio: Fix possible integer overflow on 32-bit systems

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9b1c91577aef7f2e72c3aa11a27749160bd278ff
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31872

The maximum name and file sizes in the "new" header format are 32-bit
unsigned values.  However, the I/O functions mostly use long for sizes
and offsets, so that sizes >= 2^31 are handled wrongly on 32-bit
systems.

The current GNU cpio code doesn't seem to have this problem, but the
divergence between this version and that is large enough that I can't
simply cherry-pick a fix for it.

As a short-term fix, in read_in_new_ascii(), fail if c_namesize or
c_filesize is > LONG_MAX.

CVE-2021-31872

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0039-klibc-cpio-Fix-possible-integer-overflow-on-32-bit-s.patch
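The two cpio commits above describe the same class of problem from both sides: header size fields that do not fit the integer types the reader uses. As an added illustration (not klibc's cpio code), the block below parses the two 32-bit size fields of a constructed "newc" (070701) header, shows the `(unsigned int)c_filesize + 1` wrap to 0 on a 64-bit long, and applies both checks the commits call for; `parse_hex8`, `link_alloc_size`, `check_newc_header` and `make_newc_header` are hypothetical names.

```c
#include <limits.h>
#include <string.h>

/* Parse one fixed 8-digit hex field of a "newc" (070701) cpio header.
 * Returns 0 on success, -1 if any character is not a hex digit. */
static int parse_hex8(const char *f, unsigned long *out)
{
    unsigned long v = 0;
    for (int i = 0; i < 8; i++) {
        int d = (f[i] >= '0' && f[i] <= '9') ? f[i] - '0'
              : (f[i] >= 'a' && f[i] <= 'f') ? f[i] - 'a' + 10
              : (f[i] >= 'A' && f[i] <= 'F') ? f[i] - 'A' + 10 : -1;
        if (d < 0) return -1;
        v = (v << 4) | (unsigned long)d;
    }
    *out = v;
    return 0;
}

/* The arithmetic behind the 64-bit crash: a 64-bit long holds 0xffffffff;
 * narrowing it to unsigned int and adding 1 wraps to a zero-byte request. */
unsigned int link_alloc_size(unsigned long c_filesize)
{
    return (unsigned int)c_filesize + 1;
}

/* Validate magic and both size fields of a 110-byte newc header
 * (c_filesize at offset 54, c_namesize at offset 94). Sizes must fit in
 * long (the 32-bit fix) and leave room for the "+ 1" above (the 64-bit
 * case). Returns 0 if the header is acceptable, -1 otherwise. */
int check_newc_header(const char *hdr)
{
    unsigned long fsize, nsize;
    if (memcmp(hdr, "070701", 6) != 0) return -1;
    if (parse_hex8(hdr + 54, &fsize) || parse_hex8(hdr + 94, &nsize)) return -1;
    if (nsize > (unsigned long)LONG_MAX || fsize > (unsigned long)LONG_MAX) return -1;
    if (fsize >= UINT_MAX) return -1;
    return 0;
}

/* Constructed test header: all fields "00000000" except the two sizes. */
void make_newc_header(char out[111], const char *fsize_hex, const char *nsize_hex)
{
    memset(out, '0', 110);
    out[110] = '\0';
    memcpy(out, "070701", 6);
    memcpy(out + 54, fsize_hex, 8);
    memcpy(out + 94, nsize_hex, 8);
}
```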

4 years ago  [klibc] calloc: Fail if multiplication overflows
Ben Hutchings [Wed, 28 Apr 2021 02:29:50 +0000 (04:29 +0200)]
[klibc] calloc: Fail if multiplication overflows

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31870

calloc() multiplies its 2 arguments together and passes the result to
malloc().  Since the factors and product both have type size_t, this
can result in an integer overflow and subsequent buffer overflow.
Check for this and fail if it happens.

CVE-2021-31870

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0037-klibc-calloc-Fail-if-multiplication-overflows.patch

4 years ago  [klibc] malloc: Fail if requested size > PTRDIFF_MAX
Ben Hutchings [Wed, 28 Apr 2021 02:03:49 +0000 (04:03 +0200)]
[klibc] malloc: Fail if requested size > PTRDIFF_MAX

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=a31ae8c508fc8d1bca4f57e9f9f88127572d5202
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31873

malloc() adds some overhead to the requested size, which may result in
an integer overflow and subsequent buffer overflow if it is close to
SIZE_MAX.  It should fail if size is large enough for this to happen.

Further, it's not legal for a C object to be larger than
PTRDIFF_MAX (half of SIZE_MAX) as pointer arithmetic within it could
overflow.  So return failure immediately if size is greater than that.

CVE-2021-31873

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0036-klibc-malloc-Fail-if-requested-size-PTRDIFF_MAX.patch

4 years ago  [klibc] malloc: Set errno on failure
Ben Hutchings [Wed, 28 Apr 2021 01:57:39 +0000 (03:57 +0200)]
[klibc] malloc: Set errno on failure

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=7f6626d12daa2f1efd9953d1f4ba2065348dc5cd

malloc() is specified to set errno = ENOMEM on failure, so do that.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0035-klibc-malloc-Set-errno-on-failure.patch
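The three allocator commits above (calloc product overflow, malloc size > PTRDIFF_MAX, errno on failure) fit together in one picture. The block below is an added illustration, not klibc's allocator: hypothetical `checked_malloc`/`checked_calloc` front ends over the system `malloc` that apply those checks, next to `wrapped_product`, which shows the silent size_t wrap the calloc commit describes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical checked front ends over the system malloc; not klibc code. */

/* The unchecked product a naive calloc() hands to malloc(): with factors
 * and result all of type size_t it silently wraps modulo SIZE_MAX + 1. */
size_t wrapped_product(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Overflow test that never performs the overflowing multiplication. */
int mul_overflows(size_t nmemb, size_t size)
{
    return nmemb != 0 && size != 0 && nmemb > SIZE_MAX / size;
}

/* malloc fix: a C object may not exceed PTRDIFF_MAX, and allocator
 * overhead added to a size near SIZE_MAX would wrap, so refuse early.
 * Fails with errno = ENOMEM, as malloc is specified to do. */
void *checked_malloc(size_t size)
{
    if (size > (size_t)PTRDIFF_MAX) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(size);
}

/* calloc fix: reject nmemb * size overflow before the product is used. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    size_t total = nmemb * size;
    void *p = checked_malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}
```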

4 years ago  [klibc] ia64: Fix definition of struct sigaction
Ben Hutchings [Fri, 28 Aug 2020 16:36:34 +0000 (17:36 +0100)]
[klibc] ia64: Fix definition of struct sigaction

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=811bff9cec254e3396493f4f2447862d252870ac

ia64 only provides the RT signal API, in which the type of sa_flags is
unsigned long and sa_mask is the last member of the struct.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0001-klibc-ia64-Fix-definition-of-struct-sigaction.patch

4 years ago  [klibc] sparc: Set sa_restorer for signals and disable executable stack
Ben Hutchings [Thu, 30 Apr 2020 12:56:47 +0000 (13:56 +0100)]
[klibc] sparc: Set sa_restorer for signals and disable executable stack

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=05350b72cace18417c1ba00c4796a5e19ebb908b

sparc allows specifying a signal restorer in the usual way.  We
should do this to avoid needing an executable stack.

* Define a __sigreturn() routine that calls rt_sigreturn
* Force the SA_RESTORER flag on for all signal handlers, and set
  __sigreturn as the restorer if none is already set
* Force the SA_SIGINFO flag on for all signal handlers, so that we can
  always return from them with rt_sigreturn
* Set KLIBCEXECSTACK=n

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0005-klibc-sparc-Set-sa_restorer-for-signals-and-disable-.patch

4 years ago  [klibc] alpha: Pass restorer to rt_sigaction() and disable executable stack
Ben Hutchings [Sun, 23 Aug 2020 14:18:19 +0000 (15:18 +0100)]
[klibc] alpha: Pass restorer to rt_sigaction() and disable executable stack

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=570ed1e207cbe38ed487c722f8ac7db68e664a94

alpha does not support the SA_RESTORER flag, but allows specifying a
restorer callback as an additional parameter to rt_sigaction().  We
should do this to avoid needing an executable stack.

* Force the SA_SIGINFO flag on for all signal handlers, so that we can
  always return from them with rt_sigreturn
* Define a __sigreturn() routine that calls rt_sigreturn
* Pass that routine as the last argument to rt_sigaction()
* Set KLIBCEXECSTACK=n

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0004-klibc-alpha-Pass-restorer-to-rt_sigaction-and-disabl.patch

4 years ago  [klibc] s390: Set sa_restorer for signals and disable executable stack
Ben Hutchings [Thu, 30 Apr 2020 02:38:34 +0000 (03:38 +0100)]
[klibc] s390: Set sa_restorer for signals and disable executable stack

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=c341c978e3024b9c575fac94012fc5b6f5679334

s390 allows specifying a signal restorer in the usual way.  We
should do this to avoid needing an executable stack.

* Define a __sigreturn() routine that calls rt_sigreturn
* Force the SA_RESTORER flag on for all signal handlers, and set
  __sigreturn as the restorer if none is already set
* Force the SA_SIGINFO flag on for all signal handlers, so that we can
  always return from them with rt_sigreturn
* Set KLIBCEXECSTACK=n

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0003-klibc-s390-Set-sa_restorer-for-signals-and-disable-e.patch

4 years ago  [klibc] signal: Add sysconfig setting to force SA_SIGINFO on
Ben Hutchings [Tue, 25 Aug 2020 00:05:28 +0000 (01:05 +0100)]
[klibc] signal: Add sysconfig setting to force SA_SIGINFO on

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2a2a0b6b79c2470f529daabd5c193f58fe188337

On alpha, arm, i386, m68k, powerpc, s390, sh, and sparc (32-bit), the
kernel sets up the signal stack frame differently depending on the
SA_SIGINFO flag, not whether the sigaction() or rt_sigaction() system
call was used to install the handler.

On alpha and sparc, we are going to start providing our own restorer
that will call rt_sigaction(), so will need to ensure this flag is
always set.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0002-klibc-signal-Add-sysconfig-setting-to-force-SA_SIGIN.patch

4 years ago  [klibc] signal: Note another reason to define _KLIBC_NEEDS_SA_RESTORER
Ben Hutchings [Mon, 24 Aug 2020 23:43:33 +0000 (00:43 +0100)]
[klibc] signal: Note another reason to define _KLIBC_NEEDS_SA_RESTORER

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=ccc5c14c44f3fa76f61b8aae947cf3b853a6c833

On some architectures we should set SA_RESTORER to avoid the need for
a signal trampoline and executable stack.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0001-klibc-signal-Note-another-reason-to-define-_KLIBC_NE.patch

4 years ago  [klibc] alpha: Fix definitions of _NSIG and struct sigaction
Ben Hutchings [Thu, 27 Aug 2020 00:58:19 +0000 (01:58 +0100)]
[klibc] alpha: Fix definitions of _NSIG and struct sigaction

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=1cd11aaed1dece773c6b1ce2e99a0fe98b51321e

We use the RT signals API, but include the kernel UAPI header
that defines _NSIG and struct sigaction for the old API.

Copy over all the definitions and fix those two.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch

4 years ago  klibc (2.0.8-6) unstable; urgency=medium
Ben Hutchings [Fri, 30 Apr 2021 01:05:23 +0000 (02:05 +0100)]
klibc (2.0.8-6) unstable; urgency=medium

  * Upload to unstable
  * malloc: Set errno on failure
  * malloc: Fail if requested size > PTRDIFF_MAX (CVE-2021-31873)
  * calloc: Fail if multiplication overflows (CVE-2021-31870)
  * cpio: Fix possible integer overflow on 32-bit systems (CVE-2021-31872)
  * cpio: Fix possible crash on 64-bit systems (CVE-2021-31871)

[dgit import unpatched klibc 2.0.8-6]

4 years ago  Import klibc_2.0.8-6.debian.tar.xz
Ben Hutchings [Fri, 30 Apr 2021 01:05:23 +0000 (02:05 +0100)]
Import klibc_2.0.8-6.debian.tar.xz

[dgit import tarball klibc 2.0.8-6 klibc_2.0.8-6.debian.tar.xz]

5 years ago  Import klibc_2.0.8.orig.tar.xz
Ben Hutchings [Fri, 21 Aug 2020 00:34:13 +0000 (01:34 +0100)]
Import klibc_2.0.8.orig.tar.xz

[dgit import orig klibc_2.0.8.orig.tar.xz]