diff -Nru glibc-2.30/debian/changelog glibc-2.30/debian/changelog --- glibc-2.30/debian/changelog 2019-09-16 14:56:30.000000000 +0000 +++ glibc-2.30/debian/changelog 2020-06-04 17:19:08.000000000 +0000 @@ -1,3 +1,38 @@ +glibc (2.30-0ubuntu2.2) eoan-security; urgency=medium + + * SECURITY UPDATE: ASLR bypass + - debian/patches/any/CVE-2019-19126.patch: check __libc_enable_secure + before honoring LD_PREFER_MAP_32BIT_EXEC in + sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h. + - CVE-2019-19126 + * SECURITY UPDATE: out-of-bounds write on PowerPC + - debian/patches/any/CVE-2020-1751.patch: fix array overflow in + backtrace on PowerPC in debug/tst-backtrace5.c, + sysdeps/powerpc/powerpc32/backtrace.c, + sysdeps/powerpc/powerpc64/backtrace.c. + - CVE-2020-1751 + * SECURITY UPDATE: use-after-free via tilde expansion + - debian/patches/any/CVE-2020-1752.patch: fix use-after-free in glob + when expanding ~user in posix/glob.c. + - CVE-2020-1752 + * SECURITY UPDATE: stack overflow via 80-bit long double function + - debian/patches/any/CVE-2020-10029-1.patch: avoid ldbl-96 stack + corruption from range reduction of pseudo-zero in + sysdeps/ieee754/ldbl-96/Makefile, + sysdeps/ieee754/ldbl-96/e_rem_pio2l.c, + sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c. + - debian/patches/any/CVE-2020-10029-2.patch: use stack protector only + if available in sysdeps/ieee754/ldbl-96/Makefile. + - CVE-2020-10029 + + -- Marc Deslauriers Thu, 04 Jun 2020 13:19:08 -0400 + +glibc (2.30-0ubuntu2.1) eoan; urgency=medium + + * Cherrypick upstream fix for strstr on s390x z15. LP: #1854326 + + -- Dimitri John Ledkov Fri, 29 Nov 2019 14:19:57 +0000 + glibc (2.30-0ubuntu2) eoan; urgency=medium * Merge with current Debian git, bringing in container-based testsuite fix: diff -Nru glibc-2.30/debian/patches/any/CVE-2019-19126.patch glibc-2.30/debian/patches/any/CVE-2019-19126.patch --- glibc-2.30/debian/patches/any/CVE-2019-19126.patch 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.30/debian/patches/any/CVE-2019-19126.patch 2020-06-04 17:17:54.000000000 +0000 @@ -0,0 +1,48 @@ +From d5dfad4326fc683c813df1e37bbf5cf920591c8e Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Marcin=20Ko=C5=9Bcielnicki?= +Date: Thu, 21 Nov 2019 00:20:15 +0100 +Subject: [PATCH] rtld: Check __libc_enable_secure before honoring + LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] + +The problem was introduced in glibc 2.23, in commit +b9eb92ab05204df772eb4929eccd018637c9f3e9 +("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). +--- + NEWS | 6 +++++- + sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +#diff --git a/NEWS b/NEWS +#index 50479f17c9..df03f4dc48 100644 +#--- a/NEWS +#+++ b/NEWS +#@@ -86,7 +86,11 @@ Changes to build and runtime requirements: +# +# Security related changes: +# +#- [Add security related changes here] +#+ CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC +#+ environment variable during program execution after a security +#+ transition, allowing local attackers to restrict the possible mapping +#+ addresses for loaded libraries and thus bypass ASLR for a setuid +#+ program. Reported by Marcin Kościelnicki. +# +# The following bugs are resolved with this release: +# +diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +index 0e95221908..e3af239faa 100644 +--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h ++++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +@@ -31,7 +31,8 @@ + environment variable, LD_PREFER_MAP_32BIT_EXEC. */ + #define EXTRA_LD_ENVVARS \ + case 21: \ +- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ ++ if (!__libc_enable_secure \ ++ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ + |= bit_arch_Prefer_MAP_32BIT_EXEC; \ + break; +-- +2.18.2 + diff -Nru glibc-2.30/debian/patches/any/CVE-2020-10029-1.patch glibc-2.30/debian/patches/any/CVE-2020-10029-1.patch --- glibc-2.30/debian/patches/any/CVE-2020-10029-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.30/debian/patches/any/CVE-2020-10029-1.patch 2020-06-04 17:18:18.000000000 +0000 @@ -0,0 +1,126 @@ +From 0474cd5de60448f31d7b872805257092faa626e4 Mon Sep 17 00:00:00 2001 +From: Joseph Myers +Date: Wed, 12 Feb 2020 23:31:56 +0000 +Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of + pseudo-zero (bug 25487). + +Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero +argument (an representation where all the significand bits, including +the explicit high bit, are zero, but the exponent is not zero, which +is not a valid representation for the long double type). + +Although this is not a valid long double representation, existing +practice in this area (see bug 4586, originally marked invalid but +subsequently fixed) is that we still seek to avoid invalid memory +accesses as a result, in case of programs that treat arbitrary binary +data as long double representations, although the invalid +representations of the ldbl-96 format do not need to be consistently +handled the same as any particular valid representation. + +This patch makes the range reduction detect pseudo-zero and unnormal +representations that would otherwise go to __kernel_rem_pio2, and +returns a NaN for them instead of continuing with the range reduction +process. (Pseudo-zero and unnormal representations whose unbiased +exponent is less than -1 have already been safely returned from the +function before this point without going through the rest of range +reduction.) Pseudo-zero representations would previously result in +the value passed to __kernel_rem_pio2 being all-zero, which is +definitely unsafe; unnormal representations would previously result in +a value passed whose high bit is zero, which might well be unsafe +since that is not a form of input expected by __kernel_rem_pio2. + +Tested for x86_64. + +(cherry picked from commit 9333498794cde1d5cca518badf79533a24114b6f) +--- + sysdeps/ieee754/ldbl-96/Makefile | 3 +- + sysdeps/ieee754/ldbl-96/e_rem_pio2l.c | 12 +++++++ + sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c | 41 ++++++++++++++++++++++ + 3 files changed, 55 insertions(+), 1 deletion(-) + create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c + +diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile +index b103254214..052c1c7703 100644 +--- a/sysdeps/ieee754/ldbl-96/Makefile ++++ b/sysdeps/ieee754/ldbl-96/Makefile +@@ -17,5 +17,6 @@ + # . + + ifeq ($(subdir),math) +-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 ++tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo ++CFLAGS-test-sinl-pseudo.c += -fstack-protector-all + endif +diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c +index 805de22d73..1aeccb47d7 100644 +--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c ++++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c +@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y) + return 0; + } + ++ if ((i0 & 0x80000000) == 0) ++ { ++ /* Pseudo-zero and unnormal representations are not valid ++ representations of long double. We need to avoid stack ++ corruption in __kernel_rem_pio2, which expects input in a ++ particular normal form, but those representations do not need ++ to be consistently handled like any particular floating-point ++ value. */ ++ y[1] = y[0] = __builtin_nanl (""); ++ return 0; ++ } ++ + /* Split the 64 bits of the mantissa into three 24-bit integers + stored in a double array. */ + exp = j0 - 23; +diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c +new file mode 100644 +index 0000000000..f59b97769d +--- /dev/null ++++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c +@@ -0,0 +1,41 @@ ++/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487). ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ for (int i = 0; i < 64; i++) ++ { ++ uint64_t sig = i == 63 ? 0 : 1ULL << i; ++ long double ld; ++ SET_LDOUBLE_WORDS (ld, 0x4141, ++ sig >> 32, sig & 0xffffffffULL); ++ /* The requirement is that no stack overflow occurs when the ++ pseudo-zero or unnormal goes through range reduction. */ ++ volatile long double ldr; ++ ldr = sinl (ld); ++ (void) ldr; ++ } ++ return 0; ++} ++ ++#include +-- +2.18.2 + diff -Nru glibc-2.30/debian/patches/any/CVE-2020-10029-2.patch glibc-2.30/debian/patches/any/CVE-2020-10029-2.patch --- glibc-2.30/debian/patches/any/CVE-2020-10029-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.30/debian/patches/any/CVE-2020-10029-2.patch 2020-06-04 17:18:22.000000000 +0000 @@ -0,0 +1,28 @@ +From 8e5d591b101d7d8a4628522f1e5ec24b6dfa731b Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Thu, 13 Feb 2020 17:01:15 +0100 +Subject: [PATCH] math/test-sinl-pseudo: Use stack protector only if available + +This fixes commit 9333498794cde1d5cca518bad ("Avoid ldbl-96 stack +corruption from range reduction of pseudo-zero (bug 25487)."). + +(cherry picked from commit c10acd40262486dac597001aecc20ad9d3bd0e4a) +--- + sysdeps/ieee754/ldbl-96/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile +index 052c1c7703..4142695ec8 100644 +--- a/sysdeps/ieee754/ldbl-96/Makefile ++++ b/sysdeps/ieee754/ldbl-96/Makefile +@@ -18,5 +18,7 @@ + + ifeq ($(subdir),math) + tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo ++ifeq ($(have-ssp),yes) + CFLAGS-test-sinl-pseudo.c += -fstack-protector-all + endif ++endif # $(subdir) == math +-- +2.18.2 + diff -Nru glibc-2.30/debian/patches/any/CVE-2020-1751.patch glibc-2.30/debian/patches/any/CVE-2020-1751.patch --- glibc-2.30/debian/patches/any/CVE-2020-1751.patch 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.30/debian/patches/any/CVE-2020-1751.patch 2020-06-04 17:18:09.000000000 +0000 @@ -0,0 +1,66 @@ +From d93769405996dfc11d216ddbe415946617b5a494 Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Mon, 20 Jan 2020 17:01:50 +0100 +Subject: [PATCH] Fix array overflow in backtrace on PowerPC (bug 25423) + +When unwinding through a signal frame the backtrace function on PowerPC +didn't check array bounds when storing the frame address. Fixes commit +d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines"). +--- + debug/tst-backtrace5.c | 12 ++++++++++++ + sysdeps/powerpc/powerpc32/backtrace.c | 2 ++ + sysdeps/powerpc/powerpc64/backtrace.c | 2 ++ + 3 files changed, 16 insertions(+) + +diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c +index e7ce410845..b2f46160e7 100644 +--- a/debug/tst-backtrace5.c ++++ b/debug/tst-backtrace5.c +@@ -89,6 +89,18 @@ handle_signal (int signum) + } + /* Symbol names are not available for static functions, so we do not + check do_test. */ ++ ++ /* Check that backtrace does not return more than what fits in the array ++ (bug 25423). */ ++ for (int j = 0; j < NUM_FUNCTIONS; j++) ++ { ++ n = backtrace (addresses, j); ++ if (n > j) ++ { ++ FAIL (); ++ return; ++ } ++ } + } + + NO_INLINE int +diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c +index 7c2d4726f8..d1456c8ae4 100644 +--- a/sysdeps/powerpc/powerpc32/backtrace.c ++++ b/sysdeps/powerpc/powerpc32/backtrace.c +@@ -114,6 +114,8 @@ __backtrace (void **array, int size) + } + if (gregset) + { ++ if (count + 1 == size) ++ break; + array[++count] = (void*)((*gregset)[PT_NIP]); + current = (void*)((*gregset)[PT_R1]); + } +diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c +index 65c260ab76..8a53a1088f 100644 +--- a/sysdeps/powerpc/powerpc64/backtrace.c ++++ b/sysdeps/powerpc/powerpc64/backtrace.c +@@ -87,6 +87,8 @@ __backtrace (void **array, int size) + if (is_sigtramp_address (current->return_address)) + { + struct signal_frame_64 *sigframe = (struct signal_frame_64*) current; ++ if (count + 1 == size) ++ break; + array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP]; + current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1]; + } +-- +2.18.2 + diff -Nru glibc-2.30/debian/patches/any/CVE-2020-1752.patch glibc-2.30/debian/patches/any/CVE-2020-1752.patch --- glibc-2.30/debian/patches/any/CVE-2020-1752.patch 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.30/debian/patches/any/CVE-2020-1752.patch 2020-06-04 17:18:13.000000000 +0000 @@ -0,0 +1,63 @@ +From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Wed, 19 Feb 2020 17:21:46 +0100 +Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414) + +The value of `end_name' points into the value of `dirname', thus don't +deallocate the latter before the last use of the former. +--- + posix/glob.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/posix/glob.c b/posix/glob.c +index cba9cd1819..4580cefb9f 100644 +--- a/posix/glob.c ++++ b/posix/glob.c +@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), + { + size_t home_len = strlen (p->pw_dir); + size_t rest_len = end_name == NULL ? 0 : strlen (end_name); +- char *d; ++ char *d, *newp; ++ bool use_alloca = glob_use_alloca (alloca_used, ++ home_len + rest_len + 1); + +- if (__glibc_unlikely (malloc_dirname)) +- free (dirname); +- malloc_dirname = 0; +- +- if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) +- dirname = alloca_account (home_len + rest_len + 1, +- alloca_used); ++ if (use_alloca) ++ newp = alloca_account (home_len + rest_len + 1, alloca_used); + else + { +- dirname = malloc (home_len + rest_len + 1); +- if (dirname == NULL) ++ newp = malloc (home_len + rest_len + 1); ++ if (newp == NULL) + { + scratch_buffer_free (&pwtmpbuf); + retval = GLOB_NOSPACE; + goto out; + } +- malloc_dirname = 1; + } +- d = mempcpy (dirname, p->pw_dir, home_len); ++ d = mempcpy (newp, p->pw_dir, home_len); + if (end_name != NULL) + d = mempcpy (d, end_name, rest_len); + *d = '\0'; + ++ if (__glibc_unlikely (malloc_dirname)) ++ free (dirname); ++ dirname = newp; ++ malloc_dirname = !use_alloca; ++ + dirlen = home_len + rest_len; + dirname_modified = 1; + } +-- +2.18.2 + diff -Nru glibc-2.30/debian/patches/bfdb731438206b0f70fe7afa890681155c30b419.patch glibc-2.30/debian/patches/bfdb731438206b0f70fe7afa890681155c30b419.patch --- glibc-2.30/debian/patches/bfdb731438206b0f70fe7afa890681155c30b419.patch 1970-01-01 00:00:00.000000000 +0000 +++ glibc-2.30/debian/patches/bfdb731438206b0f70fe7afa890681155c30b419.patch 2019-11-29 14:19:42.000000000 +0000 @@ -0,0 +1,95 @@ +From bfdb731438206b0f70fe7afa890681155c30b419 Mon Sep 17 00:00:00 2001 +From: Stefan Liebler +Date: Wed, 27 Nov 2019 12:35:40 +0100 +Subject: [PATCH] S390: Fix handling of needles crossing a page in strstr z15 + ifunc-variant. [BZ #25226] + +If the specified needle crosses a page-boundary, the s390-z15 ifunc variant of +strstr truncates the needle which results in invalid results. + +This is fixed by loading the needle beyond the page boundary to v18 instead of v16. +The bug is sometimes observable in test-strstr.c in check1 and check2 as the +haystack and needle is stored on stack. Thus the needle can be on a page boundary. + +check2 is now extended to test haystack / needles located on stack, at end of page +and on two pages. + +This bug was introduced with commit 6f47401bd5fc71209219779a0426170a9a7395b0 +("S390: Add arch13 strstr ifunc variant.") and is already released in glibc 2.30. +--- + string/test-strstr.c | 41 +++++++++++++++++++++++++++++++++++------ + sysdeps/s390/strstr-arch13.S | 2 +- + 2 files changed, 36 insertions(+), 7 deletions(-) + +diff --git a/string/test-strstr.c b/string/test-strstr.c +index 37fcb68..049f0e1 100644 +--- a/string/test-strstr.c ++++ b/string/test-strstr.c +@@ -139,16 +139,45 @@ check1 (void) + static void + check2 (void) + { +- const char s1[] = ", enable_static, \0, enable_shared, "; ++ const char s1_stack[] = ", enable_static, \0, enable_shared, "; ++ const size_t s1_byte_count = 18; ++ const char *s2_stack = &(s1_stack[s1_byte_count]); ++ const size_t s2_byte_count = 18; + char *exp_result; +- char *s2 = (void *) buf1 + page_size - 18; ++ const size_t page_size_real = getpagesize (); + +- strcpy (s2, s1); +- exp_result = stupid_strstr (s1, s1 + 18); ++ /* Haystack at end of page. The following page is protected. */ ++ char *s1_page_end = (void *) buf1 + page_size - s1_byte_count; ++ strcpy (s1_page_end, s1_stack); ++ ++ /* Haystack which crosses a page boundary. ++ Note: page_size is at least 2 * getpagesize. See test_init. */ ++ char *s1_page_cross = (void *) buf1 + page_size_real - 8; ++ strcpy (s1_page_cross, s1_stack); ++ ++ /* Needle at end of page. The following page is protected. */ ++ char *s2_page_end = (void *) buf2 + page_size - s2_byte_count; ++ strcpy (s2_page_end, s2_stack); ++ ++ /* Needle which crosses a page boundary. ++ Note: page_size is at least 2 * getpagesize. See test_init. */ ++ char *s2_page_cross = (void *) buf2 + page_size_real - 8; ++ strcpy (s2_page_cross, s2_stack); ++ ++ exp_result = stupid_strstr (s1_stack, s2_stack); + FOR_EACH_IMPL (impl, 0) + { +- check_result (impl, s1, s1 + 18, exp_result); +- check_result (impl, s2, s1 + 18, exp_result); ++ check_result (impl, s1_stack, s2_stack, exp_result); ++ check_result (impl, s1_stack, s2_page_end, exp_result); ++ check_result (impl, s1_stack, s2_page_cross, exp_result); ++ ++ check_result (impl, s1_page_end, s2_stack, exp_result); ++ check_result (impl, s1_page_end, s2_page_end, exp_result); ++ check_result (impl, s1_page_end, s2_page_cross, exp_result); ++ ++ check_result (impl, s1_page_cross, s2_stack, exp_result); ++ check_result (impl, s1_page_cross, s2_page_end, exp_result); ++ check_result (impl, s1_page_cross, s2_page_cross, exp_result); + } + } + +diff --git a/sysdeps/s390/strstr-arch13.S b/sysdeps/s390/strstr-arch13.S +index 92cafd3..aefdb49 100644 +--- a/sysdeps/s390/strstr-arch13.S ++++ b/sysdeps/s390/strstr-arch13.S +@@ -164,7 +164,7 @@ ENTRY(STRSTR_ARCH13) + vfenezb %v19,%v18,%v18 /* Search zero in loaded needle bytes. */ + veclb %v19,%v21 /* Zero index <= max loaded byte index? */ + jle .Lneedle_loaded /* -> v18 contains full needle. */ +- vl %v16,0(%r3) /* Load needle beyond page boundary. */ ++ vl %v18,0(%r3) /* Load needle beyond page boundary. */ + vfenezb %v19,%v18,%v18 + j .Lneedle_loaded + END(STRSTR_ARCH13) +-- +2.9.3 + diff -Nru glibc-2.30/debian/patches/series glibc-2.30/debian/patches/series --- glibc-2.30/debian/patches/series 2019-09-16 14:56:30.000000000 +0000 +++ glibc-2.30/debian/patches/series 2020-06-04 17:18:57.000000000 +0000 @@ -150,3 +150,9 @@ ubuntu/localedata/sd_PK.diff ubuntu/localedata/ug_CN@latin.diff ubuntu/local-pldd-root.diff +bfdb731438206b0f70fe7afa890681155c30b419.patch +any/CVE-2019-19126.patch +any/CVE-2020-1751.patch +any/CVE-2020-1752.patch +any/CVE-2020-10029-1.patch +any/CVE-2020-10029-2.patch