diff --git a/glibc-swbz20222.patch b/glibc-swbz20222.patch new file mode 100644 index 0000000..5d2a4b6 --- /dev/null +++ b/glibc-swbz20222.patch @@ -0,0 +1,126 @@ +commit 0d6895748bf4531b5e516c47409d35d104f51642 +Author: Florian Weimer +Date: Sat Jun 11 12:07:14 2016 +0200 + + fopencookie: Mangle function pointers stored on the heap [BZ #20222] + + (cherry picked from commit 983fd5c41ab7e5a5c33922259ca1ac99b3b413f8) + +diff --git a/libio/iofopncook.c b/libio/iofopncook.c +index b845d29..3aad3d3 100644 +--- a/libio/iofopncook.c ++++ b/libio/iofopncook.c +@@ -46,11 +46,13 @@ _IO_cookie_read (fp, buf, size) + _IO_ssize_t size; + { + struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; ++ cookie_read_function_t *read_cb = cfile->__io_functions.read; ++ PTR_DEMANGLE (read_cb); + +- if (cfile->__io_functions.read == NULL) ++ if (read_cb == NULL) + return -1; + +- return cfile->__io_functions.read (cfile->__cookie, buf, size); ++ return read_cb (cfile->__cookie, buf, size); + } + + static _IO_ssize_t +@@ -60,14 +62,16 @@ _IO_cookie_write (fp, buf, size) + _IO_ssize_t size; + { + struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; ++ cookie_write_function_t *write_cb = cfile->__io_functions.write; ++ PTR_DEMANGLE (write_cb); + +- if (cfile->__io_functions.write == NULL) ++ if (write_cb == NULL) + { + fp->_flags |= _IO_ERR_SEEN; + return 0; + } + +- _IO_ssize_t n = cfile->__io_functions.write (cfile->__cookie, buf, size); ++ _IO_ssize_t n = write_cb (cfile->__cookie, buf, size); + if (n < size) + fp->_flags |= _IO_ERR_SEEN; + +@@ -81,9 +85,11 @@ _IO_cookie_seek (fp, offset, dir) + int dir; + { + struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; ++ cookie_seek_function_t *seek_cb = cfile->__io_functions.seek; ++ PTR_DEMANGLE (seek_cb); + +- return ((cfile->__io_functions.seek == NULL +- || (cfile->__io_functions.seek (cfile->__cookie, &offset, dir) ++ return ((seek_cb == NULL ++ || (seek_cb (cfile->__cookie, &offset, dir) + == -1) + || offset == (_IO_off64_t) -1) + ? _IO_pos_BAD : offset); +@@ -94,11 +100,13 @@ _IO_cookie_close (fp) + _IO_FILE *fp; + { + struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; ++ cookie_close_function_t *close_cb = cfile->__io_functions.close; ++ PTR_DEMANGLE (close_cb); + +- if (cfile->__io_functions.close == NULL) ++ if (close_cb == NULL) + return 0; + +- return cfile->__io_functions.close (cfile->__cookie); ++ return close_cb (cfile->__cookie); + } + + +@@ -140,6 +148,19 @@ static const struct _IO_jump_t _IO_cookie_jumps = { + }; + + ++/* Copy the callbacks from SOURCE to *TARGET, with pointer ++ mangling. */ ++static void ++set_callbacks (_IO_cookie_io_functions_t *target, ++ _IO_cookie_io_functions_t source) ++{ ++ PTR_MANGLE (source.read); ++ PTR_MANGLE (source.write); ++ PTR_MANGLE (source.seek); ++ PTR_MANGLE (source.close); ++ *target = source; ++} ++ + void + _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write, + void *cookie, _IO_cookie_io_functions_t io_functions) +@@ -148,7 +169,7 @@ _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write, + _IO_JUMPS (&cfile->__fp) = &_IO_cookie_jumps; + + cfile->__cookie = cookie; +- cfile->__io_functions = io_functions; ++ set_callbacks (&cfile->__io_functions, io_functions); + + _IO_file_init (&cfile->__fp); + +@@ -223,14 +244,14 @@ _IO_old_cookie_seek (fp, offset, dir) + int dir; + { + struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; +- int (*seek) (_IO_FILE *, _IO_off_t, int); +- int ret; ++ int (*seek_cb) (_IO_FILE *, _IO_off_t, int) ++ = (int (*) (_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;; ++ PTR_DEMANGLE (seek_cb); + +- seek = (int (*)(_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek; +- if (seek == NULL) ++ if (seek_cb == NULL) + return _IO_pos_BAD; + +- ret = seek (cfile->__cookie, offset, dir); ++ int ret = seek_cb (cfile->__cookie, offset, dir); + + return (ret == -1) ? _IO_pos_BAD : ret; + } diff --git a/glibc.spec b/glibc.spec index df05f64..f870011 100644 --- a/glibc.spec +++ b/glibc.spec @@ -276,6 +276,7 @@ Patch1055: glibc-rh1348620.patch Patch1056: glibc-swbz20435.patch Patch1057: glibc-rh1294574.patch Patch1058: glibc-rh1344480.patch +Patch1059: glibc-swbz20222.patch ############################################################################## # @@ -751,6 +752,7 @@ microbenchmark tests on the system. %patch1056 -p1 %patch1057 -p1 %patch1058 -p1 +%patch1059 -p1 %patch0059 -p1 ############################################################################## @@ -1978,6 +1980,7 @@ rm -f *.filelist* - CVE-2016-6323: Backtraces can hang on ARM EABI (32-bit) (swbz#20435) - Return proper status from _nss_nis_initgroups_dyn (#1294574) - nss_db: Fix initialization of iteration position (#1344480) +- fopencookie: Mangle function pointers stored on the heap (swbz#20222) * Thu Jun 2 2016 Florian Weimer - 2.22-17 - CVE-2016-4429: stack overflow in Sun RPC clntudp_call (#1337140)