Commit d400dcac5e introduced an array overflow in the backtrace functions for powerpc. The entry for the signal trampoline stack frame is stored without checking the array bounds.
I will check this out.
The master branch has been updated by Andreas Schwab <schwab@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494

commit d93769405996dfc11d216ddbe415946617b5a494
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on
    PowerPC didn't check array bounds when storing the frame address.
    Fixes commit d400dcac5e ("PowerPC: fix backtrace to handle signal
    trampolines").
Fixed in 2.31.
It is a security issue that the function call would write beyond the bounds of the input array given the size. Marked security+
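A simplified model of the unwinding loop described in the report and in the fix, added here as an illustration and not glibc's own backtrace code: the frame layouts, the SIGTRAMP_ADDR marker, the canary and the function names are constructed for this example. The signal-frame branch stores one extra entry (the interrupted PC) after the trampoline's return address, and the line marked FIX is the bounds test that branch was missing.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a back-chained stack frame (not glibc's layout). */
struct frame { struct frame *backchain; uintptr_t return_address; };
/* A signal frame also records the interrupted PC and stack pointer. */
struct signal_frame { struct frame hdr; uintptr_t interrupted_pc; struct frame *interrupted_sp; };

#define SIGTRAMP_ADDR 0x5afe5afeUL   /* constructed trampoline marker */
#define CANARY        0xdeadbeefUL   /* guard value past the array end */

/* Store at most `size` return addresses into `array`; return the count.
   The check marked FIX is the bounds test the signal-frame branch lacked
   before the fix for bug 25423: the extra entry for the interrupted PC
   was stored without verifying there was room for it. */
int model_backtrace(struct frame *current, uintptr_t *array, int size)
{
    int count = 0;
    while (current != NULL && count < size) {
        array[count++] = current->return_address;
        if (current->return_address == SIGTRAMP_ADDR) {
            struct signal_frame *sf = (struct signal_frame *) current;
            if (count == size)              /* FIX: no room for the PC */
                break;
            array[count++] = sf->interrupted_pc;
            current = sf->interrupted_sp;
        } else {
            current = current->backchain;
        }
    }
    return count;
}

/* Walk a constructed chain f3 -> f2 -> sigframe -> f1 into a window of
   `size` (<= 8) entries with a canary just past it; returns the stored
   count, or -1 if the walk clobbered the slot past the window. */
int walk_with_canary(int size)
{
    struct frame f1 = { NULL, 0x1001 };
    struct signal_frame sf = { { &f1, SIGTRAMP_ADDR }, 0x2002, &f1 };
    struct frame f2 = { &sf.hdr, 0x3003 };
    struct frame f3 = { &f2, 0x4004 };
    uintptr_t buf[9];
    for (int i = 0; i < 9; i++)
        buf[i] = CANARY;
    int count = model_backtrace(&f3, buf, size);
    return buf[size] == CANARY ? count : -1;
}
```

Deleting the line marked FIX reproduces the defect in the model: with size 3 the trampoline entry fills the last slot, the interrupted PC lands in buf[3], and walk_with_canary returns -1.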
The release/2.30/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fb266e65ccf6fd674e05352ceb5f12d60889b92d

commit fb266e65ccf6fd674e05352ceb5f12d60889b92d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on
    PowerPC didn't check array bounds when storing the frame address.
    Fixes commit d400dcac5e ("PowerPC: fix backtrace to handle signal
    trampolines").

    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
The release/2.29/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a318448f7aca169f7795d9d300c525d96f914af0

commit a318448f7aca169f7795d9d300c525d96f914af0
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on
    PowerPC didn't check array bounds when storing the frame address.
    Fixes commit d400dcac5e ("PowerPC: fix backtrace to handle signal
    trampolines").

    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
The release/2.28/master branch has been updated by Tulio Magno Quites Machado Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0478174d1e2c2a894a35b1cdffc573dca310b438

commit 0478174d1e2c2a894a35b1cdffc573dca310b438
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on
    PowerPC didn't check array bounds when storing the frame address.
    Fixes commit d400dcac5e ("PowerPC: fix backtrace to handle signal
    trampolines").

    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
The release/2.26/master branch has been updated by Tulio Magno Quites Machado Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37db4539dd8b5c098d9235249c5d2aedaa67d7d1

commit 37db4539dd8b5c098d9235249c5d2aedaa67d7d1
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on
    PowerPC didn't check array bounds when storing the frame address.
    Fixes commit d400dcac5e ("PowerPC: fix backtrace to handle signal
    trampolines").

    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
The master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=07d16a6debc830ebcf9533da5396edd2eff688e0

commit 07d16a6debc830ebcf9533da5396edd2eff688e0
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Tue Mar 24 22:49:10 2020 +0100

    Add NEWS entry for CVE-2020-1751 (bug 25423)

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
The release/2.31/master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d39fb022c26cf6ad832f6ad0e94ff5b5e4b511cf

commit d39fb022c26cf6ad832f6ad0e94ff5b5e4b511cf
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Tue Mar 24 22:49:10 2020 +0100

    Add NEWS entry for CVE-2020-1751 (bug 25423)

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
    (cherry picked from commit 07d16a6debc830ebcf9533da5396edd2eff688e0)
The release/2.30/master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6b19792c9c86bb73e5032af7c2ff03272bdac442

commit 6b19792c9c86bb73e5032af7c2ff03272bdac442
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Tue Mar 24 22:49:10 2020 +0100

    Add NEWS entry for CVE-2020-1751 (bug 25423)

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
    (cherry picked from commit 07d16a6debc830ebcf9533da5396edd2eff688e0)