Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame^] | 1 | From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001 |
| 2 | From: Paul Pluzhnikov <ppluzhnikov@google.com> |
| 3 | Date: Sat, 26 Sep 2015 13:27:48 -0700 |
| 4 | Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a |
| 5 | segfault |
| 6 | |
| 7 | Upstream-Status: Backport |
| 8 | CVE: CVE-2015-8776 |
| 9 | [Yocto # 8980] |
| 10 | |
| 11 | https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7 |
| 12 | |
| 13 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 14 | |
| 15 | --- |
| 16 | ChangeLog | 8 ++++++++ |
| 17 | NEWS | 2 +- |
| 18 | time/strftime_l.c | 20 +++++++++++++------- |
| 19 | time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++- |
| 20 | 4 files changed, 73 insertions(+), 9 deletions(-) |
| 21 | |
| 22 | Index: git/ChangeLog |
| 23 | =================================================================== |
| 24 | --- git.orig/ChangeLog |
| 25 | +++ git/ChangeLog |
| 26 | @@ -1,3 +1,11 @@ |
| 27 | +2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com> |
| 28 | + |
| 29 | + [BZ #18985] |
| 30 | + * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check. |
| 31 | + (__strftime_internal): Likewise. |
| 32 | + * time/tst-strftime.c (do_bz18985): New test. |
| 33 | + (do_test): Call it. |
| 34 | + |
| 35 | 2015-12-04 Joseph Myers <joseph@codesourcery.com> |
| 36 | |
| 37 | [BZ #16961] |
| 38 | Index: git/time/strftime_l.c |
| 39 | =================================================================== |
| 40 | --- git.orig/time/strftime_l.c |
| 41 | +++ git/time/strftime_l.c |
| 42 | @@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format, |
| 43 | only a few elements. Dereference the pointers only if the format |
| 44 | requires this. Then it is ok to fail if the pointers are invalid. */ |
| 45 | # define a_wkday \ |
| 46 | - ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)) |
| 47 | + ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ |
| 48 | + ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))) |
| 49 | # define f_wkday \ |
| 50 | - ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)) |
| 51 | + ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ |
| 52 | + ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))) |
| 53 | # define a_month \ |
| 54 | - ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)) |
| 55 | + ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ |
| 56 | + ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))) |
| 57 | # define f_month \ |
| 58 | - ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)) |
| 59 | + ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ |
| 60 | + ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))) |
| 61 | # define ampm \ |
| 62 | ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \ |
| 63 | ? NLW(PM_STR) : NLW(AM_STR))) |
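Review bot: The `"?"` fallback added to a_wkday, f_wkday, a_month and f_month is a narrow string literal that is then cast to `const CHAR_T *`. If this file is also compiled with a wide CHAR_T (the NLW and CHAR_T macros suggest so, but that configuration is outside the hunk), the wide-character consumer would read past the two-byte literal. Consider casting each arm separately, e.g. `? (const CHAR_T *) L_("?") : (const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)`, using the L_ macro that the next hunk already uses for `ampm`. The same applies to the `"?"` arms added to the `!HAVE_STRFTIME` macros in the next hunk, where the element type of weekday_name and month_name is not visible.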
| 64 | @@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format, |
| 65 | # define ap_len STRLEN (ampm) |
| 66 | #else |
| 67 | # if !HAVE_STRFTIME |
| 68 | -# define f_wkday (weekday_name[tp->tm_wday]) |
| 69 | -# define f_month (month_name[tp->tm_mon]) |
| 70 | +# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \ |
| 71 | + ? "?" : weekday_name[tp->tm_wday]) |
| 72 | +# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \ |
| 73 | + ? "?" : month_name[tp->tm_mon]) |
| 74 | # define a_wkday f_wkday |
| 75 | # define a_month f_month |
| 76 | # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11)) |
| 77 | @@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format, |
| 78 | *tzset_called = true; |
| 79 | } |
| 80 | # endif |
| 81 | - zone = tzname[tp->tm_isdst]; |
| 82 | + zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?"; |
| 83 | } |
| 84 | #endif |
| 85 | if (! zone) |
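Review bot: The new check on `tzname[tp->tm_isdst]` bounds only the upper side (`<= 1`), so a negative tm_isdst would still index before the array unless the enclosing condition already requires `tp->tm_isdst >= 0`. That condition starts outside this hunk and should be confirmed. If the guard exists, a comment on the line would make the dependency explicit, for example `/* tm_isdst >= 0 is guaranteed by the enclosing if. */`. If it does not, the condition should read `tp->tm_isdst >= 0 && tp->tm_isdst <= 1`.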
| 86 | Index: git/time/tst-strftime.c |
| 87 | =================================================================== |
| 88 | --- git.orig/time/tst-strftime.c |
| 89 | +++ git/time/tst-strftime.c |
| 90 | @@ -4,6 +4,56 @@ |
| 91 | #include <time.h> |
| 92 | |
| 93 | |
| 94 | +static int |
| 95 | +do_bz18985 (void) |
| 96 | +{ |
| 97 | + char buf[1000]; |
| 98 | + struct tm ttm; |
| 99 | + int rc, ret = 0; |
| 100 | + |
| 101 | + memset (&ttm, 1, sizeof (ttm)); |
| 102 | + ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ |
| 103 | + rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); |
| 104 | + |
| 105 | + if (rc == 66) |
| 106 | + { |
| 107 | + const char expected[] |
| 108 | + = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?"; |
| 109 | + if (0 != strcmp (buf, expected)) |
| 110 | + { |
| 111 | + printf ("expected:\n %s\ngot:\n %s\n", expected, buf); |
| 112 | + ret += 1; |
| 113 | + } |
| 114 | + } |
| 115 | + else |
| 116 | + { |
| 117 | + printf ("expected 66, got %d\n", rc); |
| 118 | + ret += 1; |
| 119 | + } |
| 120 | + |
| 121 | + /* Check negative values as well. */ |
| 122 | + memset (&ttm, 0xFF, sizeof (ttm)); |
| 123 | + ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ |
| 124 | + rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); |
| 125 | + |
| 126 | + if (rc == 30) |
| 127 | + { |
| 128 | + const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 "; |
| 129 | + if (0 != strcmp (buf, expected)) |
| 130 | + { |
| 131 | + printf ("expected:\n %s\ngot:\n %s\n", expected, buf); |
| 132 | + ret += 1; |
| 133 | + } |
| 134 | + } |
| 135 | + else |
| 136 | + { |
| 137 | + printf ("expected 30, got %d\n", rc); |
| 138 | + ret += 1; |
| 139 | + } |
| 140 | + |
| 141 | + return ret; |
| 142 | +} |
| 143 | + |
| 144 | static struct |
| 145 | { |
| 146 | const char *fmt; |
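Review bot: The expected strings and lengths in do_bz18985 are unexplained magic values: `16843009` is 0x01010101, the value each int field takes after `memset (&ttm, 1, sizeof (ttm))`, and `1899` is 1900 + (-1) from the 0xFF fill. A short comment above each `expected[]` would make a failure diagnosable, e.g. `/* Each int field is 0x01010101 == 16843009; out-of-range names print "?". */`. Separately, strftime returns size_t but the result is stored in `int rc` and printed with `%d`; `size_t rc` with `%zu` would match the API. The test calls only the narrow strftime, so a wide-character build of the patched macros is presumably not exercised here.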
| 147 | @@ -104,7 +154,7 @@ do_test (void) |
| 148 | } |
| 149 | } |
| 150 | |
| 151 | - return result; |
| 152 | + return result + do_bz18985 (); |
| 153 | } |
| 154 | |
| 155 | #define TEST_FUNCTION do_test () |