clntudp_call allocates a buffer, using alloca, to store the payload of an incoming socket error. If a malicious server floods the client with crafted ICMP and UDP packets, this can cause the client to allocate sufficiently many such temporary buffers to cause a stack (frame) overflow (denial of service). The size of the allocated buffer depends on the request size. If the request size is close to the page size or even larger, this could cause the stack pointer to step over the guard page, leading to additional impact beyond denial of service.
This was discovered by Aldy Hernandez' alloca plugin for GCC.

Introduced in this commit:

commit b1eab230118c7d65223927486afb7fe0b531bf33
Author: Ulrich Drepper <drepper@redhat.com>
Date:   Wed Jan 10 23:47:39 2001 +0000

    …

    2001-01-10  Jakub Jelinek  <jakub@redhat.com>

    	* sunrpc/clnt_udp.c (clntudp_bufcreate): Set IP_RECVERR on the UDP socket.
    	(clntudp_call): Handle MSG_ERRQUEUE.
    	* sysdeps/generic/errqueue.h: New file.
    	* sysdeps/unix/sysv/linux/errqueue.h: New file.

I have a patch (replace the alloca with malloc/free).

libtirpc is affected as well.
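The pattern the report describes, as an added example that is not glibc's code: a receive loop that reserves a request-sized buffer with alloca for every queued socket error, beside the malloc/free shape the fix moved to. The in-memory error queue, its payloads and the 256-byte control-space figure are constructed for this model (the real loop drains the kernel's error queue with recvmsg and MSG_ERRQUEUE); the queue holds three messages so the alloca variant stays far below any stack limit, and what it measures is only that the stack bytes held grow with the message count while the heap variant's footprint does not.

```c
/* Added example (not glibc's code): the buffer-handling shape behind
   CVE-2016-4429 beside the malloc/free shape of the fix.  The kernel error
   queue clntudp_call drains with recvmsg(..., MSG_ERRQUEUE) is replaced by
   a constructed in-memory queue, so this runs offline and opens no socket. */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ancillary-data room reserved next to the payload; the 256 mirrors the
   "outlen + 256" sizing the report describes (an assumption of this model). */
#define CONTROL_SPACE 256

/* Constructed stand-in for the socket error queue.  Each payload is a
   message a remote peer could have provoked; none of it is real traffic. */
struct err_queue {
  const char *const *payloads;
  size_t count;
  size_t next;
};

/* Copies the next queued payload into buf (truncating like a datagram
   read); returns the byte count, or -1 once the queue is empty. */
static long fake_recv_errqueue(struct err_queue *q, char *buf, size_t buflen)
{
  if (q->next >= q->count)
    return -1;
  const char *p = q->payloads[q->next++];
  size_t n = strlen(p);
  if (n > buflen)
    n = buflen;
  memcpy(buf, p, n);
  return (long) n;
}

/* Pre-fix shape: alloca() inside the receive loop.  Every buffer stays
   reserved until this function returns, so the frame grows by
   (outlen + CONTROL_SPACE) for each queued message.  Returns the number of
   stack bytes the buffers span; the queue passed in is short on purpose. */
size_t stack_bytes_held_by_alloca_loop(struct err_queue *q, size_t outlen)
{
  uintptr_t lo = UINTPTR_MAX, hi = 0;
  for (;;) {
    char *cbuf = alloca(outlen + CONTROL_SPACE);  /* released only on return */
    uintptr_t a = (uintptr_t) cbuf;
    if (a < lo) lo = a;
    if (a > hi) hi = a;
    if (fake_recv_errqueue(q, cbuf + CONTROL_SPACE, outlen) < 0)
      break;
  }
  return (size_t) (hi - lo) + outlen + CONTROL_SPACE;
}

/* Fixed shape: a heap buffer sized by the request, freed before the next
   iteration, so stack use is constant however many messages arrive.
   Returns the number of messages drained, or -1 if malloc fails (the
   point at which the RPC client would report a receive error). */
long drain_errqueue_with_heap(struct err_queue *q, size_t outlen, size_t *peak_heap)
{
  size_t live = 0;
  long drained = 0;
  *peak_heap = 0;
  for (;;) {
    char *cbuf = malloc(outlen + CONTROL_SPACE);
    if (cbuf == NULL)
      return -1;
    live += outlen + CONTROL_SPACE;
    if (live > *peak_heap)
      *peak_heap = live;
    long n = fake_recv_errqueue(q, cbuf + CONTROL_SPACE, outlen);
    free(cbuf);               /* one buffer outstanding at a time */
    live -= outlen + CONTROL_SPACE;
    if (n < 0)
      break;
    drained++;
  }
  return drained;
}

/* Constructed sample: three queued error payloads. */
static const char *const sample_payloads[] = {
  "errqueue:icmp-port-unreachable",
  "errqueue:icmp-host-unreachable",
  "errqueue:stray-udp-reply",
};
#define SAMPLE_COUNT (sizeof sample_payloads / sizeof sample_payloads[0])

int main(void)
{
  size_t outlen = 1400;      /* a request close to one datagram's worth */
  struct err_queue q1 = { sample_payloads, SAMPLE_COUNT, 0 };
  struct err_queue q2 = { sample_payloads, SAMPLE_COUNT, 0 };
  size_t peak = 0;
  printf("alloca loop holds >= %zu stack bytes for %zu messages\n",
         stack_bytes_held_by_alloca_loop(&q1, outlen), (size_t) SAMPLE_COUNT);
  printf("heap loop drained %ld messages, peak heap %zu bytes\n",
         drain_errqueue_with_heap(&q2, outlen, &peak), peak);
  return 0;
}
```

With the stack variant the bytes held are at least (messages + 1) times the buffer size, because each iteration's alloca lands below the previous one and nothing is released until the function returns; with the heap variant the peak stays at one buffer no matter how long the queue is. The reporter's second point follows from the same arithmetic: when one buffer is already page-sized or larger, a single iteration can move the stack pointer past the guard page rather than into it.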
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  bc779a1a5b3035133024b21e2f339fe4219fb11c (commit)
      from  3375cfafa7961c6ae0e509c31c3b3cef9ad1f03d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c

commit bc779a1a5b3035133024b21e2f339fe4219fb11c
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 23 20:18:34 2016 +0200

    CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]

    The call is technically in a loop, and under certain circumstances
    (which are quite difficult to reproduce in a test case), alloca
    can be invoked repeatedly during a single call to clntudp_call.
    As a result, the available stack space can be exhausted (even
    though individual alloca sizes are bounded implicitly by what
    can fit into a UDP packet, as a side effect of the earlier
    successful send operation).

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |  7 +++++++
 NEWS              |  4 ++++
 sunrpc/clnt_udp.c | 10 +++++++++-
 3 files changed, 20 insertions(+), 1 deletions(-)
Fixed in 2.24.
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.23/master has been updated
       via  bdce95930e1d9a7d013d1ba78740243491262879 (commit)
      from  25a34b0ac1356c1442380db2d2b13e05ccaeedd9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdce95930e1d9a7d013d1ba78740243491262879

commit bdce95930e1d9a7d013d1ba78740243491262879
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 23 20:18:34 2016 +0200

    CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]

    The call is technically in a loop, and under certain circumstances
    (which are quite difficult to reproduce in a test case), alloca
    can be invoked repeatedly during a single call to clntudp_call.
    As a result, the available stack space can be exhausted (even
    though individual alloca sizes are bounded implicitly by what
    can fit into a UDP packet, as a side effect of the earlier
    successful send operation).

    (cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |  7 +++++++
 NEWS              |  4 ++++
 sunrpc/clnt_udp.c | 10 +++++++++-
 3 files changed, 20 insertions(+), 1 deletions(-)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.22/master has been updated
       via  444fb8c27d9b0d1671ce1a441faf52b24305a332 (commit)
      from  a64be6fb2f1317ce7039a4bb8638bd0c30c31e28 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=444fb8c27d9b0d1671ce1a441faf52b24305a332

commit 444fb8c27d9b0d1671ce1a441faf52b24305a332
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 23 20:18:34 2016 +0200

    CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]

    The call is technically in a loop, and under certain circumstances
    (which are quite difficult to reproduce in a test case), alloca
    can be invoked repeatedly during a single call to clntudp_call.
    As a result, the available stack space can be exhausted (even
    though individual alloca sizes are bounded implicitly by what
    can fit into a UDP packet, as a side effect of the earlier
    successful send operation).

    (cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |  7 +++++++
 NEWS              |  6 +++++-
 sunrpc/clnt_udp.c | 10 +++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  ce92632d1297d032e5781cfa077e300f5c167471 (commit)
      from  10d268070a8aa9a878668e7f060e92ed668de146 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ce92632d1297d032e5781cfa077e300f5c167471

commit ce92632d1297d032e5781cfa077e300f5c167471
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 23 20:18:34 2016 +0200

    CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]

    The call is technically in a loop, and under certain circumstances
    (which are quite difficult to reproduce in a test case), alloca
    can be invoked repeatedly during a single call to clntudp_call.
    As a result, the available stack space can be exhausted (even
    though individual alloca sizes are bounded implicitly by what
    can fit into a UDP packet, as a side effect of the earlier
    successful send operation).

    (cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |  7 +++++++
 NEWS              |  6 +++++-
 sunrpc/clnt_udp.c | 10 +++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)
Is it possible to get a patch for this bug fix?
(In reply to Nilan from comment #7)
> Is it possible to get a patch for this bug fix.

The glibc Git repository contains the patch.
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The annotated tag, glibc-2.24 has been created
        at  beb0f59498c3e0337df298f9d7a3f8f77eb39842 (tag)
   tagging  fdfc9260b61d3d72541f18104d24c7bcb0ce5ca2 (commit)
  replaces  glibc-2.23
 tagged by  Carlos O'Donell
        on  Mon Aug 1 22:46:26 2016 -0400

- Log -----------------------------------------------------------------
The GNU C Library
=================

The GNU C Library version 2.24 is now available.

The GNU C Library is used as *the* C library in the GNU system and
in GNU/Linux systems, as well as many other systems that use Linux
as the kernel.

The GNU C Library is primarily designed to be a portable
and high performance C library.  It follows all relevant
standards including ISO C11 and POSIX.1-2008.  It is also
internationalized and has one of the most complete
internationalization interfaces known.

The GNU C Library webpage is at http://www.gnu.org/software/libc/

Packages for the 2.24 release may be downloaded from:
        http://ftpmirror.gnu.org/libc/
        http://ftp.gnu.org/gnu/libc/

The mirror list is at http://www.gnu.org/order/ftp.html

NEWS for version 2.24
=====================

* The minimum Linux kernel version that this version of the GNU C Library
  can be used with is 3.2, except on i[4567]86 and x86_64, where Linux
  kernel version 2.6.32 or later suffices (on architectures that already
  required kernel versions more recent than 3.2, those requirements remain
  unchanged).  Linux 3.2 or later kernel headers are required on all
  architectures.

* The pap_AN locale has been deleted.  This has been deprecated for a long
  time.  It has been replaced by pap_AW & pap_CW, both of which have long
  been included in previous releases.

* The readdir_r and readdir64_r functions have been deprecated.  It is
  recommended to use readdir and readdir64 instead.

* The type “union wait” has been removed.  It was deprecated in the early
  1990s and never part of POSIX.  Application code should use the int type
  instead of “union wait”.

* A new NSS action is added to facilitate large distributed system
  administration.  The action, MERGE, allows remote user stores like LDAP
  to be merged into local user stores like /etc/groups in order to provide
  easy to use, updated, and managed sets of merged credentials.  The new
  action can be used by configuring it in /etc/nsswitch.conf:

    group: files [SUCCESS=merge] nis

  Implemented by Stephen Gallagher (Red Hat).

* The deprecated __malloc_initialize_hook variable has been removed from
  the API.

* The long unused localedef --old-style option has been removed.  It hasn't
  done anything in over 16 years.  Scripts using this option can safely
  drop it.

* nextupl, nextup, nextupf, nextdownl, nextdown and nextdownf are added to
  libm.  They are defined by TS 18661 and IEEE754-2008.  The nextup
  functions return the next representable value in the direction of
  positive infinity and the nextdown functions return the next
  representable value in the direction of negative infinity.  These are
  currently enabled as GNU extensions.

Security related changes:

* An unnecessary stack copy in _nss_dns_getnetbyname_r was removed.  It
  could result in a stack overflow when getnetbyname was called with an
  overly long name.  (CVE-2016-3075)

* Previously, getaddrinfo copied large amounts of address data to the
  stack, even after the fix for CVE-2013-4458 has been applied, potentially
  resulting in a stack overflow.  getaddrinfo now uses a heap allocation
  instead.  Reported by Michael Petlan.  (CVE-2016-3706)

* The glob function suffered from a stack-based buffer overflow when it was
  called with the GLOB_ALTDIRFUNC flag and encountered a long file name.
  Reported by Alexander Cherepanov.  (CVE-2016-1234)

* The Sun RPC UDP client could exhaust all available stack space when
  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
  alloca plugin for GCC.  (CVE-2016-4429)

* The IPv6 name server management code in libresolv could result in a
  memory leak for each thread which is created, performs a failing naming
  lookup, and exits.  Over time, this could result in a denial of service
  due to memory exhaustion.  Reported by Matthias Schiffer.
  (CVE-2016-5417)

The following bugs are resolved with this release:

  [1170] localedata: ne_NP: update Nepali locale definition file
  [3629] manual: stpcpy description in string.texi refers to MS-DOG instead of MS-DOS.
  [6527] malloc: [powerpc] Malloc alignment insufficient for PowerPC
  [6796] math: fdim() does not set errno on overflow
  [10354] libc: posix_spawn should use vfork() in more cases than presently
  [11213] localedata: localedata: add copyright disclaimer to locale files
  [12143] localedata: chr_US: new Cherokee locale
  [12450] localedata: sgs_LT: new locale
  [12676] localedata: ln_CD: new locale
  [13237] localedata: LC_ADDRESS.country_name: update all locales w/latest CLDR data
  [13304] math: fma, fmaf, fmal produce wrong results
  [14259] build: --localedir arg to configure is ignored
  [14499] nptl: Does posix_spawn invoke atfork handlers / use vfork?
  [14750] libc: Race condition in posix_spawn vfork usage vs signal handlers
  [14934] localedata: es_CL: wrong first weekday chilean locale
  [15262] localedata: LC_MESSAGES.yesexpr/noexpr: inconsistent use of romanisation
  [15263] localedata: LC_MESSAGES.yesexpr/noexpr: inconsistent use of 1/0 and +/-
  [15264] localedata: LC_MESSAGES.yesstr/nostr: lacking in many locales
  [15368] nptl: raise() is not async-signal-safe
  [15479] math: ceil, floor, round and trunc raise inexact exception
  [15578] localedata: kk_KZ: various updates
  [16003] localedata: pap_AN: punt old locale
  [16137] localedata: iw_IL: punt old locale
  [16190] localedata: eo: new esperanto locale
  [16374] localedata: lv_LV: change currency symbol in LC_MONETARY to euro
  [16742] malloc: race condition: pthread_atfork() called before first malloc() results in unexpected locking behaviour/deadlocks
  [16975] localedata: LC_MESSAGES.yesexpr/noexpr: revisit capitalization in all locales
  [16983] localedata: postal_fmt does not allow %l and %n modifiers
  [17565] localedata: pt_PT: wrong (work-)week start
  [17899] math: [powerpc] floorl returns negative zero with FE_DOWNWARD
  [17950] build: Build fails with -msse
  [18205] localedata: be_BY*: wrong first_weekday and first_workday
  [18433] libc: posix_spawn does not return correctly upon failure to execute
  [18453] localedata: charmaps/IBM875: incorrect codes
  [18712] string: bits/string2.h incompatible with -O2 -Werror=packed -Wsystem-headers
  [18896] localedata: he_IL: improvements for currency
  [18911] localedata: ro_RO: Correcting week day name for "Tuesday" in Romanian locale data
  [18960] locale: s390: _nl_locale_subfreeres uses larl opcode on misaligned symbol
  [19056] libc: Deprecate readdir_r
  [19133] localedata: pt_*: days & months should be lowercase in Portuguese language
  [19198] localedata: nl_NL: small improvements for Dutch locales
  [19257] network: Per-thread memory leak in __res_vinit with IPv6 nameservers (CVE-2016-5417)
  [19269] build: tst-audit4 and tst-audit10 failures with gcc-6 on non avx machine
  [19400] locale: Language missing in "iso-639.def", trivial fix in description
  [19431] malloc: Deadlock between fflush, getdelim, and fork
  [19505] libc: Incorrect file descriptor validity checks in posix_spawn_file_actions_add{open,close,dup2}
  [19509] dynamic-link: dlsym, dlvsym do not report errors through dlerror when using RTLD_NEXT
  [19512] locale: Stale `#ifndef HAVE_BUILTIN_EXPECT' in `intl/{gettextP,loadinfo}.h'
  [19534] libc: execle, execlp may use malloc
  [19568] localedata: *_CH: Swiss locales have inconsistent start of week
  [19573] network: res_nclose and __res_maybe_init disagree about name server initialization, breaking Hesiod
  [19575] localedata: Status of GB18030 tables
  [19581] localedata: sr_* date_fmt string contains additional newline
  [19583] string: SSSE3_Fast_Copy_Backward flag needs to be enabled for AMD Excavator core
  [19592] math: [ldbl-128ibm] ceill incorrect in non-default rounding modes
  [19593] math: [ldbl-128ibm] truncl incorrect in non-default rounding modes
  [19594] math: [ldbl-128ibm] roundl incorrect in non-default rounding modes
  [19595] math: [ldbl-128ibm] fmodl incorrect for results in subnormal double range
  [19602] math: [ldbl-128ibm] fmodl handling of equal arguments with low part zero incorrect
  [19603] math: [ldbl-128ibm] remainderl, remquol incorrect sign handling in equality tests
  [19610] dynamic-link: ldconfig -X removes stale symbolic links
  [19613] libc: s390x (64 bit) macro expansion WCOREDUMP and others
  [19633] locale: strfmon_l applies global locale to number formatting
  [19642] network: Memory leak in getnameinfo
  [19648] libc: test-skeleton.c: Do not set RLIMIT_DATA
  [19653] libc: Potential for NULL pointer dereference (CWE-476) in glibc-2.22
  [19654] math: [x86_64] Need testcase for BZ #19590 fix
  [19671] localedata: Missing Sanity Check for malloc() in 'tst-fmon.c' & 'tst-numeric.c'
  [19674] math: [ldbl-128ibm] powl incorrect overflow handling
  [19677] math: [ldbl-128ibm] remainderl equality test incorrect for zero low part
  [19678] math: [ldbl-128ibm] nextafterl, nexttowardl incorrect sign of zero result
  [19679] dynamic-link: gcc-4.9.3 C++ exception handling broken due to unaligned stack
  [19726] locale: Converting UCS4LE to INTERNAL with iconv() does not update pointers and lengths in error-case.
  [19727] locale: Converting from/to UTF-xx with iconv() does not always report errors on UTF-16 surrogates values.
  [19755] nscd: nscd assertion failure in gc
  [19758] dynamic-link: Typo in EXTRA_LD_ENVVARS for x86-64
  [19759] libc: mempcpy shouldn't be inlined
  [19762] dynamic-link: HAS_CPU_FEATURE/HAS_ARCH_FEATURE are easy to misuse
  [19765] libc: s390 needs an optimized mempcpy
  [19779] glob: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption (CVE-2016-1234)
  [19783] build: benchtests don't support --enable-hardcoded-path-in-tests
  [19787] network: Missing and incorrect truncation checks in getnameinfo
  [19790] math: [ldbl-128ibm] nearbyintl incorrect in non-default rounding modes
  [19791] network: Assertion failure in res_query.c with un-connectable name server addresses
  [19792] libc: MIPS: backtrace yields infinite backtrace with makecontext
  [19822] math: libm.so install clobbers old version
  [19825] network: resolv: send_vc can return uninitialized data in second response to getaddrinfo
  [19830] network: nss_dns: should check RDATA length against buffer length
  [19831] network: nss_dns: getaddrinfo returns uninitialized data when confronted with A/AAAA records of invalid size
  [19837] nss: nss_db: No retries for some long lines with a larger buffer
  [19848] math: powl(10,n) for n=-4,-5,-6,-7 is off by more than 1 ULP
  [19853] stdio: Printing IBM long double in decimal with high precision is sometimes incorrect
  [19860] build: x86_64: compile errors for tst-audit10 and tst-auditmod10b
  [19861] nptl: libpthread IFUNC resolver for fork can lead to crash
  [19862] network: resolv, nss_dns: Remove remaining logging of unexpected record types
  [19865] network: Assertion failure or memory leak in _nss_dns_getcanonname_r
  [19868] network: nss_dns: netent code does not skip over non-PTR records
  [19879] network: nss_dns: Stack overflow in getnetbyname implementation (CVE-2016-3075)
  [19881] string: Improve x86-64 memset
  [19907] string: Incorrect memcpy tests
  [19916] dynamic-link: S390: fprs/vrs are not saved/restored while resolving symbols
  [19925] libc: termios.h XCASE namespace
  [19928] string: memmove-vec-unaligned-erms.S is slow with large data size
  [19929] libc: limits.h NL_NMAX namespace
  [19931] stdio: Memory leak in vfprintf
  [19957] libc: clone(CLONE_VM) access invalid parent memory
  [19963] localedata: en_IL: New locale
  [19989] stdio: stdio.h cuserid namespace
  [19994] network: getaddrinfo does not restore RES_USE_INET6 flag in gethosts
  [19996] locale: langinfo.h nl_langinfo_l namespace
  [20005] stdio: fflush on a file opened with fmemopen resets position to 0
  [20010] network: getaddrinfo: Stack overflow in hostent translation (CVE-2016-3706)
  [20012] stdio: libio: fmemopen append mode failure
  [20014] stdio: stdio.h namespace for pre-threads POSIX
  [20017] network: resolv: Use gmtime_r instead of gmtime in p_secstodate
  [20023] libc: fcntl.h timespec namespace
  [20024] math: [x86_64] vectorized sincos trashes the stack
  [20031] network: nss_hesiod: Heap overflow in get_txt_records
  [20041] time: sys/time.h timespec namespace
  [20043] libc: unistd.h missing cuserid for UNIX98 and before
  [20044] libc: unistd.h missing pthread_atfork for UNIX98
  [20051] libc: ttyslot in wrong header under wrong conditions
  [20054] libc: gethostname not declared for XPG4
  [20055] libc: termios.h missing tcgetsid for XPG4
  [20072] dynamic-link: x86 init_cpu_features is called twice in static executable
  [20073] libc: sys/stat.h fchmod namespace
  [20074] libc: stdlib.h rand_r namespace
  [20076] libc: sys/stat.h missing S_IFSOCK, S_ISSOCK for XPG4
  [20094] libc: stdlib.h should not declare grantpt, ptsname, unlockpt for XPG3
  [20111] libc: struct sockaddr_storage cannot be aggregate-copied
  [20112] network: sunrpc: stack (frame) overflow in Sun RPC clntudp_call (CVE-2016-4429)
  [20115] string: Extra alignment in memset-vec-unaligned-erms.S
  [20119] libc: Wrong mask for processors level type from CPUID
  [20139] dynamic-link: Upper part of zmm is zeroed if Glibc is built with AS not supporting AVX512
  [20151] math: [ldbl-128/ldbl-128ibm] j0l, j1l, y0l, y1l return sNaN for sNaN argument
  [20153] math: [ldbl-128ibm] sqrtl (sNaN) returns sNaN
  [20156] math: [ldbl-128ibm] ceill, rintl etc. return sNaN for sNaN argument
  [20157] math: [powerpc] fabsl (sNaN) wrongly raises "invalid"
  [20160] math: [powerpc] ceil, rint etc. return sNaN for sNaN input
  [20178] libc: posix_spawn{p} should not call exit
  [20191] stdio: libio: vtables hardening
  [20195] string: FMA4 detection requires CPUID execution with register eax=0x80000001
  [20198] libc: quick_exit incorrectly destroys C++11 thread objects.
  [20205] math: [i386/x86_64] nextafterl incorrect incrementing negative subnormals
  [20212] math: acos (sNaN) returns sNaN
  [20213] math: asin (sNaN) returns sNaN
  [20214] network: Linux header sync with linux/in6.h and ipv6.h again.
  [20218] math: [i386] asinhl (sNaN) returns sNaN
  [20219] math: [i386] atanhl (sNaN) returns sNaN
  [20222] stdio: fopencookie: Mangle function pointers
  [20224] math: [i386] cbrtl (sNaN) returns sNaN
  [20225] math: ldexp, scalbn, scalbln return sNaN for sNaN input
  [20226] math: [i386/x86_64] expl, exp10l, expm1l return sNaN for sNaN input
  [20227] math: [i386/x86_64] logl (sNaN) returns sNaN
  [20228] math: [i386/x86_64] log10l (sNaN) returns sNaN
  [20229] math: [i386/x86_64] log1pl (sNaN) returns sNaN
  [20232] math: [ldbl-128] expm1l (sNaN) returns sNaN
  [20233] math: [ldbl-128ibm] expm1l (sNaN) returns sNaN
  [20234] math: [ldbl-128ibm] log1pl (sNaN) returns sNaN
  [20235] math: [i386/x86_64] log2l (sNaN) returns sNaN
  [20237] nss: nss_db: get*ent segfaults without preceding set*ent
  [20240] math: modf (sNaN) returns sNaN
  [20248] libc: debug/tst-longjump_chk2 calls printf from a signal handler
  [20250] math: frexp (sNaN) returns sNaN
  [20252] math: atan2 (sNaN, qNaN) fails to raise "invalid"
  [20255] math: [i386] fdim, fdimf return with excess range and precision / double rounding
  [20256] math: [i386/x86_64] fdiml returns sNaN for sNaN input
  [20260] string: ../sysdeps/x86/bits/string.h:1092:3: error: array subscript is below array bounds [-Werror=array-bounds]
  [20262] nis: _nss_nis_initgroups_dyn always returns NSS_STATUS_NOTFOUND
  [20263] nptl: robust mutex deadlocks if other thread requests timedlock (Only arm/linux)
  [20277] libc: $dp is not initialized correctly in sysdeps/hppa/start.S
  [20284] malloc: malloc: Corrupt arena avoidance causes unnecessary mmap fallbacks
  [20296] math: [i386/x86_64] scalbl returns sNaN for sNaN input, missing "invalid" exceptions
  [20314] nptl: make[4]: *** [/usr/include/stdlib.h] Error 1
  [20316] localedata: id_ID: Februari instead of Pebruari
  [20327] string: POWER8 strcasecmp returns incorrect result
  [20347] math: Failure: Test: j0_downward (0xap+0)
  [20348] libc: FAIL: misc/tst-preadvwritev64
  [20349] libc: 64-bit value is passed differently in p{readv,writev}{64}
  [20350] libc: There is no test for p{read,write}64
  [20357] math: Incorrect cos result for 1.5174239687223976
  [20384] build: Don't run libmvec-sincos-avx* tests on non avx machines

Contributors
============

This release was made possible by the contributions of many people.
The maintainers are grateful to everyone who has contributed
changes or bug reports.  These include:

Adhemerval Zanella, Andreas Schwab, Andrew Senkevich, Anton Blanchard,
Arnas Udovičius, Aurelien Jarno, Carlos Eduardo Seo, Carlos O'Donell,
Chris Metcalf, Chung-Lin Tang, Claude Paroz, Dimitris Pappas,
Dmitry V. Levin, Dylan Alex Simon, Eduardo Trápani, Florian Weimer,
Gabriel F. T. Gomes, Gunnar Hjalmarsson, Gustavo Romero, Guy Rutenberg,
H.J. Lu, Hongjiu Zhang, Jiyoung Yun, John David Anglin, Joseph Myers,
Khem Raj, Maciej W. Rozycki, Mark Wielaard, Marko Myllynen, Martin Galvan,
Matthew Fortune, Matthias Wallnoefer, Mike FABIAN, Mike Frysinger,
Neskie Manuel, Nick Alcock, Paras pradhan, Paul E. Murphy, Paul Pluzhnikov,
Rajalakshmi Srinivasaraghavan, Rical Jasan, Richard Henderson,
Robin van der Vliet, Roland McGrath, Samuel Thibault, Siddhesh Poyarekar,
Simion Onea, Stefan Liebler, Stephen Gallagher, Szabolcs Nagy, Timur Birsh,
Torvald Riegel, Tulio Magno Quites Machado Filho, Wilco Dijkstra,
Will Newton, Yvan Roux, Zack Weinberg

Adhemerval Zanella (40):
      Open development for 2.24.
      Updated translations for 2.23.
      Regenerate libc.pot for 2.23.
      Regenerated configure scripts.
      Update NEWS with 2.24 template
      posix: Remove dynamic memory allocation from execl{e,p}
      posix: execvpe cleanup
      posix: New Linux posix_spawn{p} implementation
      posix: Fix tst-execvpe5 for --enable-hardcoded-path-in-tests
      posix: Fix posix_spawn invalid memory access
      posix: Fix posix_spawn implict check style
      Fix tst-dlsym-error build
      Improve generic strspn performance
      Improve generic strpbrk performance
      Remove powerpc64 strspn, strcspn, and strpbrk implementation
      Use PTR_ALIGN_DOWN on strcspn and strspn
      Define __ASSUME_ALIGNED_REGISTER_PAIRS for missing ports
      Consolidate off_t/off64_t syscall argument passing
      Consolidate pread/pread64 implementations
      Consolidate pwrite/pwrite64 implementations
      Fix pread consolidation on ports that require argument alignment
      libio: Update internal fmemopen position after write (BZ #20005)
      Fix clone (CLONE_VM) pid/tid reset (BZ#19957)
      libio: Fix fmemopen append mode failure (BZ# 20012)
      powerpc: Fix clone CLONE_VM compare
      Adjust kernel-features.h defaults for recvmsg and sendmsg
      network: recvmsg and sendmsg standard compliance (BZ#16919)
      network: recvmmsg and sendmmsg standard compliance (BZ#16919)
      network: Fix missing bits from {recv,send}{m}msg standard com,pliance
      posix: Call _exit in failure case for posix_spawn{p} (BZ#20178)
      Consolidate preadv/preadv64 implementation
      Consolidate pwritev/pwritev64 implementations
      Revert {send,sendm,recv,recvm}msg conformance changes
      Remove __ASSUME_FUTEX_LOCK_PI
      nptl: Add sendmmsg and recvmmsg cancellation tests
      Fix p{readv,writev}{64} consolidation implementation
      nptl: Add more coverage in tst-cancel4
      Remove __ASSUME_OFF_DIFF_OFF64 definition
      Fix LO_HI_LONG definition
      Refactor Linux raise implementation (BZ#15368)

Andreas Schwab (13):
      Don't use long double math functions if NO_LONG_DOUBLE
      Fix min/max needed for ascii to INTERNAL conversion
      Fix compilation of test-signgam-* tests
      Fix resource leak in resolver (bug 19257)
      Register extra test objects
      m68k: avoid local labels in symbol table
      m68k: use large PIC model for gcrt1.o
      Use __typeof instead of typeof
      Fix nscd assertion failure in gc (bug 19755)
      Avoid array-bounds warning for strncat on i586 (bug 20260)
      Return proper status from _nss_nis_initgroups_dyn (bug 20262)
      m68k: suppress -Wframe-address warning
      Add test case for bug 20263

Andrew Senkevich (2):
      Added tests to ensure linkage through libmvec *_finite aliases which are
      Fixed wrong vector sincos/sincosf ABI to have it compatible with

Anton Blanchard (1):
      powerpc: Add a POWER8-optimized version of sinf()

Arnas Udovičius (1):
      localedata: sgs_LT: new locale [BZ #12450]

Aurelien Jarno (17):
      Add placeholder libnsl.abilist and libutil.abilist files
      Add sys/auxv.h wrapper to include/sys/
      mips: terminate the FDE before the return trampoline in makecontext
      Assume __NR_openat is always defined
      Assume __NR_utimensat is always defined
      Synchronize <sys/personality.h> with kernel headers
      MIPS, SPARC: fix wrong vfork aliases in libpthread.so
      MIPS, SPARC: more fixes to the vfork aliases in libpthread.so
      MIPS: run tst-mode-switch-{1,2,3}.c using test-skeleton.c
      i686/multiarch: Regenerate ulps
      SPARC64: update localplt.data
      SPARC: fix nearbyint on sNaN input
      New locale de_LI
      localedata: fix de_LI locale
      ppc: Fix modf (sNaN) for pre-POWER5+ CPU (bug 20240).
      Define __USE_KERNEL_IPV6_DEFS macro for non-Linux kernels
      sparc: remove ceil, floor, trunc sparc specific implementations

Carlos Eduardo Seo (2):
      powerpc: Fix dl-procinfo HWCAP
      powerpc: Optimization for strlen for POWER8.

Carlos O'Donell (16):
      nptl: support thread stacks that grow up
      GB 18030-2005: Document non-rountrip and PUA mappings (bug 19575).
      Enable --localedir to set message catalog directory (Bug 14259)
      NEWS (2.23): Fix typo in bug 19048 text.
      Removed unused timezone/checktab.awk.
      Remove mention of checktab.awk in timezone/README.
      Fix building glibc master with NDEBUG and --with-cpu.
      localedata: an_ES: fix case of lang_ab
      Fix macro API for __USE_KERNEL_IPV6_DEFS.
      Fix include/wchar.h for C++
      Bug 20198: quick_exit should not call destructors.
      Bug 20214: Fix linux/in6.h and netinet/in.h sync.
      Bug 20215: Always undefine __always_inline before defining it.
      Expand comments in Linux times() implementation.
      Update libc.pot and NEWS.
      Update for glibc 2.24 release.

Chris Metcalf (2):
      Bump up tst-malloc-thread-fail timeout from 20 to 30s
      tile: only define __ASSUME_ALIGNED_REGISTER_PAIRS for 32-bit

Chung-Lin Tang (2):
      Fix stdlib/tst-makecontext regression for Nios II
      Nios II localplt.data update: remove __eqsf2

Claude Paroz (1):
      localedata: ln_CD: new locale [BZ #12676]

Dimitris Pappas (1):
      charmaps: IBM875: fix mapping of iota/upsilon variants [BZ #18453]

Dmitry V. Levin (1):
      intl: reintroduce unintentionally disabled optimization

Dylan Alex Simon (1):
      math: don't clobber old libm.so on install [BZ #19822]

Eduardo Trápani (1):
      localedata: eo: new Esperanto locale [BZ #16190]

Florian Weimer (91):
      tst-malloc-thread-exit: Use fewer system resources
      Remove trailing newline from date_fmt in Serbian locales [BZ #19581]
      Improve file descriptor checks for posix_spawn actions [BZ #19505]
      res_ninit: Update comment
      malloc: Remove arena_mem variable
      malloc: Remove max_total_mem member form struct malloc_par
      malloc: Remove NO_THREADS
      Deprecate readdir_r, readdir64_r [BZ #19056]
      test-skeleton.c: Do not set RLIMIT_DATA [BZ #19648]
      tst-audit4, tst-audit10: Compile AVX/AVX-512 code separately [BZ #19269]
      libio: Clean up _IO_file_doallocate and _IO_wfile_doallocate
      ldconfig: Do not remove stale symbolic links with -X [BZ #19610]
      sunrpc: In key_call_keyenvoy, use int status instead of union wait
      tst-audit10: Fix compilation on compilers without bit_AVX512F [BZ #19860]
      resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
      nss_db: Propagate ERANGE error if parse_line fails [BZ #19837]
      CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]
      Report dlsym, dlvsym lookup errors using dlerror [BZ #19509]
      strfmon_l: Use specified locale for number formatting [BZ #19633]
      scratch_buffer_set_array_size: Include <limits.h>
      hsearch_r: Include <limits.h>
      Add missing bug number to ChangeLog
      nss_dns: Fix assertion failure in _nss_dns_getcanonname_r [BZ #19865]
      Remove union wait [BZ #19613]
      malloc: Run fork handler as late as possible [BZ #19431]
      malloc: Remove unused definitions of thread_atfork, thread_atfork_static
      malloc: Remove malloc hooks from fork handler
      malloc: Add missing internal_function attributes on function definitions
      vfprintf: Fix memory with large width and precision [BZ #19931]
      resolv: Always set *resplen2 out parameter in send_vc [BZ #19825]
      nss_dns: Validate RDATA length against packet length [BZ #19830]
      resolv, nss_dns: Remove remaining syslog logging [BZ #19862]
      nss_dns: Check address length before creating addrinfo result [BZ #19831]
      nss_dns: Remove custom offsetof macro definition
      nss_dns: Skip over non-PTR records in the netent code [BZ #19868]
      Fix ChangeLog date to reflect commit date
      resolv: Remove SCCS and RCS keywords
      resolv: Remove _LIBC conditionals
      inet: Remove SCCS keywords
      resolv: Remove BIND_UPDATE preprocessor conditionals
      resolv: Remove RESOLVSORT preprocess conditionals
      resolv: Remove RFC1535 conditionals
      resolv: Remove traces of ULTRIX support
      resolv: Remove __BIND_NOSTATIC conditionals
      resolv: Remove BSD compatibility conditionals and header
      resolv: Remove SUNSECURITY preprocessor conditionals
      resolv: Assorted preprocessor cleanups
      resolv: Reindent preprocessor conditionals following cleanups
      getnameinfo: Do not preserve errno
      glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir
      CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010]
      NEWS entry for CVE-2016-3075
      getnameinfo: Refactor and fix memory leak [BZ #19642]
      hesiod: Remove RCS keywords
      hesiod: Remove DEF_RHS
      hesiod: Always use thread-local resolver state [BZ #19573]
      hesiod: Avoid heap overflow in get_txt_records [BZ #20031]
      CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779]
      getnameinfo: Reduce line length and add missing comments
      getnameinfo: Avoid calling strnlen on uninitialized buffer
      getnameinfo: Return EAI_OVERFLOW in more cases [BZ #19787]
      malloc: Adjust header file guard in malloc-internal.h
      getaddrinfo: Restore RES_USE_INET6 flag on error path [BZ #19994]
      resolv: Call gmtime_r instead of gmtime in p_secstodate [BZ #20017]
      localedef: Do not compile with mcheck
      getaddrinfo: Convert from extend_alloca to struct scratch_buffer
      Increase fork signal safety for single-threaded processes [BZ #19703]
      malloc: Rewrite dumped heap for compatibility in __malloc_set_state
      tst-mallocfork2: Fix race condition, use fewer resources
      Make padding in struct sockaddr_storage explicit [BZ #20111]
      CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]
      malloc: Correct malloc alignment on 32-bit architectures [BZ #6527]
      fork in libpthread cannot use IFUNC resolver [BZ #19861]
      libio: Use wmemset instead of __wmemset to avoid linknamespace issue
      tst-rec-dlopen: Use interposed malloc instead of hooks
      malloc: Correct size computation in realloc for dumped fake mmapped chunks
      quick_exit tests: Do not use C++ headers
      malloc: Remove __malloc_initialize_hook from the API [BZ #19564]
      fopencookie: Mangle function pointers stored on the heap [BZ #20222]
      malloc_usable_size: Use correct size for dumped fake mapped chunks
      nss_db: Fix initialization of iteration position [BZ #20237]
      debug/tst-longjmp_chk2: Make signal handler more conservative [BZ #20248]
      Revert __malloc_initialize_hook symbol poisoning
      elf: Consolidate machine-agnostic DTV definitions in <dl-dtv.h>
      malloc: Avoid premature fallback to mmap [BZ #20284]
      test-skeleton.c: Add write_message function
      test-skeleton.c: xmalloc, xcalloc, xrealloc are potentially unused
      test-skeleton.c (xrealloc): Support realloc-as-free
      libio: Implement vtable verification [BZ #20191]
      Correct bug number in ChangeLog [BZ #18960]
      CVE-2016-5417 was assigned to bug 19257

Gabriel F. T. Gomes (3):
      powerpc: Remove uses of operand modifier (%s) in inline asm
      powerpc: Zero pad using memset in strncpy/stpncpy
      powerpc: Fix operand prefixes

Gunnar Hjalmarsson (1):
      localedata: id_ID: Februari instead of Pebruari [BZ #20316]

Gustavo Romero (1):
      powerpc: Fix missing verb and typo in comment about AT_HWCAP entry

Guy Rutenberg (1):
      localedata: en_IL: new English locale [BZ #19963]

H.J. Lu (68):
      [x86_64] Set DL_RUNTIME_UNALIGNED_VEC_SIZE to 8
      Call x86-64 __setcontext directly
      Call x86-64 __mcount_internal/__sigjmp_save directly
      Copy x86_64 _mcount.op from _mcount.o
      Or bit_Prefer_MAP_32BIT_EXEC in EXTRA_LD_ENVVARS
      x86-64: Fix memcpy IFUNC selection
      Add a comment in sysdeps/x86_64/Makefile
      Replace @PLT with @GOTPCREL(%rip) in call
      Replace PREINIT_FUNCTION@PLT with *%rax in call
      Use HAS_ARCH_FEATURE with Fast_Rep_String
      Group AVX512 functions in .text.avx512 section
      Support --enable-hardcoded-path-in-tests in benchtests
      Define _HAVE_STRING_ARCH_mempcpy to 1 for x86
      Add _arch_/_cpu_ to index_*/bit_* in x86 cpu-features.h
      Use JUMPTARGET in x86-64 mathvec
      Use JUMPTARGET in x86-64 pthread
      Set index_arch_AVX_Fast_Unaligned_Load only for Intel processors
      Don't set %rcx twice before "rep movsb"
      [x86] Add a feature bit: Fast_Unaligned_Copy
      Implement x86-64 multiarch mempcpy in memcpy
      Make __memcpy_avx512_no_vzeroupper an alias
      Initial Enhanced REP MOVSB/STOSB (ERMS) support
      Add x86-64 memmove with unaligned load/store and rep movsb
      Add x86-64 memset with unaligned store and rep stosb
      Test 64-byte alignment in memcpy benchtest
      Test 64-byte alignment in memmove benchtest
      Test 64-byte alignment in memset benchtest
      Remove Fast_Copy_Backward from Intel Core processors
      Fix memmove-vec-unaligned-erms.S
      Don't put SSE2/AVX/AVX512 memmove/memset in
ld.so Add a comment in memset-sse2-unaligned-erms.S Force 32-bit displacement in memset-vec-unaligned-erms.S Add memcpy/memmove/memset benchmarks with large data X86-64: Prepare memset-vec-unaligned-erms.S X86-64: Prepare memmove-vec-unaligned-erms.S X86-64: Use non-temporal store in memcpy on large data Detect Intel Goldmont and Airmont processors Reduce number of mmap calls from __libc_memalign in ld.so Move sysdeps/x86_64/cacheinfo.c to sysdeps/x86 Remove x86 ifunc-defines.sym and rtld-global-offsets.sym Support non-inclusive caches on Intel processors Call init_cpu_features only if SHARED is defined Clear destination buffer updated by the previous run Don't call internal __pthread_unwind via PLT Don't call internal _Unwind_Resume via PLT Remove alignments on jump targets in memset Check the HTT bit before counting logical threads Correct Intel processor level type mask from CPUID Remove special L2 cache case for Knights Landing Avoid an extra branch to PLT for -z now Count number of logical processors sharing L2 cache Fix a typo in comments in memmove-vec-unaligned-erms.S Check FMA after COMMON_CPUID_INDEX_80000001 X86-64: Remove the previous SSE2/AVX2 memsets X86-64: Remove previous default/SSE2/AVX2 memcpy/memmove X86-64: Add dummy memcopy.h and wordcopy.c Always indirect branch to __libc_start_main via GOT Compile tst-cleanupx4 test with -fexceptions Check Prefer_ERMS in memmove/memcpy/mempcpy/memset Require binutils 2.24 to build x86-64 glibc [BZ #20139] Make copies of cstdlib/cmath and use them [BZ #20314] X86-64: Define LO_HI_LONG to skip pos_h [BZ #20349] x86-64: Properly align stack in _dl_tlsdesc_dynamic [BZ #20309] Test p{read,write}64 with offset > 4GB x86-64: Add p{read,write}[v]64 to syscalls.list [BZ #20348] Regenerate i686 libm-test-ulps with GCC 6.1 at -O3 [BZ #20347] i386: Compile rtld-*.os with -mno-sse -mno-mmx -mfpmath=387 Don't compile do_test with -mavx/-mavx/-mavx512 Hongjiu Zhang (1): sln: use stat64 Jiyoung Yun (1): Fix robust mutex 
daedlock [BZ #20263] John David Anglin (2): hppa: fix loading of global pointer in _start [BZ #20277] hppa: Update libm-test-ulps. Joseph Myers (107): Fix ldbl-128ibm floorl for non-default rounding modes (bug 17899). Fix ldbl-128ibm ceill for non-default rounding modes (bug 19592). Fix ldbl-128ibm truncl for non-default rounding modes (bug 19593). Fix ldbl-128ibm roundl for non-default rounding modes (bug 19594). Fix ldbl-128ibm fmodl handling of subnormal results (bug 19595). Fix ldbl-128ibm fmodl handling of equal arguments with low part zero (bug 19602). Fix ldbl-128ibm remainderl, remquol equality tests (bug 19603). Fix ldbl-128ibm powl overflow handling (bug 19674). Fix ldbl-128ibm nextafterl, nexttowardl sign of zero result (bug 19678). Require Linux 3.2 except on x86 / x86_64, 3.2 headers everywhere. Remove linux/fanotify.h configure test. Remove kernel-features.h conditionals on pre-3.2 kernels. Fix ldbl-128ibm remainderl equality test for zero low part (bug 19677). Fix ldbl-128ibm nearbyintl in non-default rounding modes (bug 19790). Allow spurious underflow / inexact for ldbl-128ibm. Update glibc headers for Linux 4.5. Adjust kernel-features.h defaults for socket syscalls. Remove __ASSUME_PPOLL. Remove __ASSUME_FALLOCATE. Remove __ASSUME_EVENTFD2, move eventfd to syscalls.list. Remove __ASSUME_SIGNALFD4. Remove __ASSUME_GETDENTS64_SYSCALL. Fix x86_64 / x86 powl inaccuracy for integer exponents (bug 19848). [microblaze] Remove __ASSUME_FUTIMESAT. Fix termios.h XCASE namespace (bug 19925). Fix limits.h NL_NMAX namespace (bug 19929). Fix stdio.h cuserid namespace (bug 19989). Define off_t in stdio.h for XOPEN2K. conformtest: Correct XOPEN2K stdarg.h expectations. Fix langinfo.h nl_langinfo_l namespace (bug 19996). conformtest: Correct some signal.h expectations for XOPEN2K. conformtest: Correct some stdio.h expectations for UNIX98. conformtest: Correct stdio.h expectations for fdopen. Also define off_t in stdio.h for UNIX98. 
conformtest: Add langinfo.h expectations for YESSTR, NOSTR. Fix stdio.h namespace for pre-threads POSIX (bug 20014). Fix fcntl.h timespec namespace (bug 20023). Fix sys/time.h timespec namespace (bug 20041). conformtest: Remove some bogus sys/types.h expectations for XPG3 and XPG4. Declare cuserid in unistd.h for UNIX98 and before (bug 20043). Declare pthread_atfork in unistd.h for UNIX98 (bug 20044). conformtest: Fix st_blksize, st_blocks expectations for XPG3, XPG4. conformtest: Correct some sys/stat.h expectations for XPG3. Fix sys/stat.h fchmod namespace (bug 20073). Declare tcgetsid for XPG4 (bug 20055). conformtest: Do not expect S_IF* in fcntl.h. Declare gethostname for XPG4 (bug 20054). conformtest: Correct some unistd.h expectations for XPG3, XPG4. conformtest: Correct time.h XPG3 expectations. conformtest: Do not expect strdup in string.h for XPG3. conformtest: Correct some stdlib.h expectations for XPG3. Correct ttyslot header declaration conditions (bug 20051). Fix stdlib.h rand_r namespace (bug 20074). Make sys/stat.h define S_IFSOCK, S_ISSOCK for XPG4 (bug 20076). Do not declare grantpt, ptsname, unlockpt in stdlib.h for XPG3 (bug 20094). Add Q_GETNEXTQUOTA from Linux 4.6 to sys/quota.h. Add CLONE_NEWCGROUP from Linux 4.6 to bits/sched.h. Update libm-test.inc comment about NaN signs. conformtest: Correct search.h expectations for XPG3. conformtest: Correct pwd.h expectations for XPG3. Implement proper fmal for ldbl-128ibm (bug 13304). conformtest: Correct ftw.h expectations for XPG3, XPG4. Update sysdeps/unix/sysv/linux/bits/socket.h for Linux 4.6. conformtest: Correct some limits.h expectations for XPG3, XPG4. Do not raise "inexact" from generic ceil (bug 15479). Do not raise "inexact" from generic floor (bug 15479). Do not raise "inexact" from generic round (bug 15479). Do not raise "inexact" from x86_64 SSE4.1 ceil, floor (bug 15479). Do not raise "inexact" from powerpc32 ceil, floor, trunc (bug 15479). 
Do not raise "inexact" from powerpc64 ceil, floor, trunc (bug 15479). Support sNaN testing in libm-test.inc. Add more sNaN tests to libm-test.inc. Fix ldbl-128 j0l, j1l, y0l, y1l for sNaN argument (bug 20151). Fix ldbl-128ibm sqrtl (sNaN) (bug 20153). Fix ldbl-128ibm ceill, rintl etc. for sNaN arguments (bug 20156). Remove unused macros from libm-test.inc. Avoid "invalid" exceptions from powerpc fabsl (sNaN) (bug 20157). Fix powerpc32 ceil, rint etc. on sNaN input (bug 20160). Fix powerpc64 ceil, rint etc. on sNaN input (bug 20160). Fix x86/x86_64 nextafterl incrementing negative subnormals (bug 20205). Fix dbl-64 acos (sNaN) (bug 20212). Fix dbl-64 asin (sNaN) (bug 20213). Fix i386 asinhl (sNaN) (bug 20218). Fix i386 atanhl (sNaN) (bug 20219). Fix i386 cbrtl (sNaN) (bug 20224). Fix ldexp, scalbn, scalbln for sNaN input (bug 20225). Fix i386/x86_64 expl, exp10l, expm1l for sNaN input (bug 20226). Fix i386/x86_64 logl (sNaN) (bug 20227). Fix i386/x86_64 log10l (sNaN) (bug 20228). Fix i386/x86_64 log1pl (sNaN) (bug 20229). Fix ldbl-128 expm1l (sNaN) (bug 20232). Fix ldbl-128ibm expm1l (sNaN) (bug 20233). Fix ldbl-128ibm log1pl (sNaN) (bug 20234). Fix i386/x86_64 log2l (sNaN) (bug 20235). Fix modf (sNaN) (bug 20240). Fix frexp (NaN) (bug 20250). Add more sNaN tests (cimag, conj, copysign, creal, fma, fmod). Fix dbl-64 atan2 (sNaN, qNaN) (bug 20252). Simplify generic fdim implementations. Use generic fdim on more architectures (bug 6796, bug 20255, bug 20256). Fix i386 fdim double rounding (bug 20255). Simplify x86 nearbyint functions. Add more sNaN tests (most remaining real functions). Fix i386/x86_64 scalbl with sNaN input (bug 20296). Avoid "inexact" exceptions in i386/x86_64 ceil functions (bug 15479). Avoid "inexact" exceptions in i386/x86_64 floor functions (bug 15479). Avoid "inexact" exceptions in i386/x86_64 trunc functions (bug 15479). 
Khem Raj (2): When disabling SSE, make sure -fpmath is not set to use SSE either elf: Define missing Meta architecture specific relocations Maciej W. Rozycki (1): Treat STV_HIDDEN and STV_INTERNAL symbols as STB_LOCAL Mark Wielaard (2): elf/elf.h: Add new 386 and X86_64 relocations from binutils. elf.h: Add NT_ARM_SYSTEM_CALL constant. Marko Myllynen (1): localedef: drop unused --old-style Martin Galvan (1): Add pretty printers for the NPTL lock types Matthew Fortune (1): VDSO support for MIPS Matthias Wallnoefer (2): localedata: de_{AT,CH}: copy data from de_DE localedata: de_IT: new locale Mike FABIAN (1): localedata: i18n: fix typos in tel_int_fmt Mike Frysinger (44): locledata: trim trailing blank lines/comments localedata: dz_BT/ps_AF: reformat data localedata: CLDRv28: update LC_TELEPHONE.int_prefix locales: pap_AN: delete old/deprecated locale [BZ #16003] test-skeleton: increase default TIMEOUT to 20 seconds localedata: an_ES: fix lang_ab value localedata: es_PR: change LC_MEASUREMENT to metric localedata: clear LC_IDENTIFICATION tel/fax fields link sln fix to bugzilla [BZ #15333] localedata: use same comment_char/escape_char in these files add ChangeLog entry localedata: standardize first few lines localedata: standardize copyright/license information [BZ #11213] localedata: iw_IL: delete old/deprecated locale [BZ #16137] configure: fix `test ==` usage localedata: CLDRv28: update LC_PAPER values localedata: LC_TIME.date_fmt: delete entries same as the default value localedata: CLDRv29: update LC_IDENTIFICATION language/territory fields localedata: LC_MEASUREMENT: use copy directives everywhere localedata: LC_PAPER: use copy directives everywhere localedata: CLDRv29: update LC_ADDRESS.country_num values localedata: fix LC_ADDRESS.country_car entries localedata: CLDRv29: update LC_ADDRESS.country_name translations localedata: LC_IDENTIFICATION.category: set to ISO 30112 2014 standard localedef: check LC_IDENTIFICATION.category values localedata: CLDRv29: 
update LC_MONETARY int_curr_symbol & currency_symbol localedata: LC_IDENTIFICATION: delete uncommon fields locale: ld-telephone: update to ISO-30112 2014 localedef: allow %l/%n in postal_fmt [BZ #16983] localedata: fix LC_TELEPHONE in a few locales localedata: CLDRv29: update LC_TIME week/first_week,workday fields localedef: change week_1stweek default to 7 localedata: standard LC_MESSAGES string regexes a bit localedata: LC_MESSAGES.{yes,no}expr: add +1/-0 to all regexes [BZ #15263] localedata: LC_MESSAGES.{yes,no}expr: standardize yY/nN [BZ #15262] localedata: CLDRv29: update LC_MESSAGES yes/no strings [BZ #15264] [BZ #16975] tst-langinfo: update yesexpr/noexpr baselines tst-fmon/tst-numeric: switch malloc to static stack space [BZ #19671] localedata: add more translit entries localedata: pt_BR/pt_PT: make days/months lowercase [BZ #19133] unicode-gen: include standard comment file header NEWS: clarify localedef --old-style update manual: fix spelling typos microblaze: fix variable name collision with syscall macros Neskie Manuel (1): localedata: chr_US: new Cherokee locale [BZ #12143] Nick Alcock (2): x86, pthread_cond_*wait: Do not depend on %eax not being clobbered Allow overriding of CFLAGS as well as CPPFLAGS for rtld. Paras pradhan (1): localedata: ne_NP: misc updates [BZ #1170] Paul E. Murphy (22): Increase internal precision of ldbl-128ibm decimal printf [BZ #19853] powerpc: Add optimized P8 strspn powerpc: Add optimized strcspn for P8 powerpc: Add missing insn in swapcontext [BZ #20004] Refactor bug-strtod.c to better test new types. 
Refactor bug-strtod2.c to be type generic Refactor tst-strtod6.c Refactor tst-strtod-round.c Fixup usage of MANT_DIG in libm-test.inc Fixup usage of MIN_EXP in libm-test.inc Refactor tst-strtod-round.c for type-generic-ness Begin refactor of libm-test.inc Refactor type specific macros using regexes Refactor M_ macros defined in libm-test.inc Replace M_PI2l with lit_pi_2_d in libm-test.inc Replace M_PIl with lit_pi in libm-test.inc Replace M_PI_4l with lit_pi_4_d in libm-test.inc Replace M_El with lit_e in libm-test.inc Apply LIT(x) to floating point literals in libm-test.c Remove CHOOSE() macro from libm-tests.inc Remove type specific information from auto-libm-test-in Generate new format names in auto-libm-test-out Paul Pluzhnikov (7): 2016-03-03 Paul Pluzhnikov <ppluzhnikov@google.com> 2016-05-30 Paul Pluzhnikov <ppluzhnikov@google.com> Merge branch 'master' of ssh://sourceware.org/git/glibc 2016-06-05 Paul Pluzhnikov <ppluzhnikov@google.com> 2016-06-09 Paul Pluzhnikov <ppluzhnikov@gmail.com> 2016-06-11 Paul Pluzhnikov <ppluzhnikov@google.com> Fix rt/tst-aio64.c as well, and mention login/tst-utmp.c in ChangeLog Rajalakshmi Srinivasaraghavan (4): powerpc: Rearrange cfi_offset calls powerpc: strcasestr optmization for power8 Add nextup and nextdown math functions powerpc: Fix return code of strcasecmp for unaligned inputs Rical Jasan (9): manual: fix typos in the memory chapter manual: fix typos in the character handling chapter manual: fix typos in the string chapters manual: fix typos in character set handling manual: fix typos in the locale chapter manual: fix typos in the locale chapter manual: fix typos in the message chapter manual: fix typos in the search chapter manual: fix typos in the pattern chapter Richard Henderson (2): elf.h: Sync with the gabi webpage elf.h: Add declarations for BPF Robin van der Vliet (1): locale: iso-639: add Talossan language [BZ #19400] Roland McGrath (9): Add fts64_* to sysdeps/arm/nacl/libc.abilist Typo fixes. 
Gratuitous change to poke buildbot. Fix c++-types-check conditionalization. Omit test-math-isinff when no C++ compiler. Conditionalize c++-types-check.out addition to tests-special. Fix edito in last change. Fix tst-audit10 build when -mavx512f is not supported. stpcpy is part of POSIX.1-2008 [BZ #3629] Samuel Thibault (23): Fix flag test in waitid compatibility layer Fix hurd build hurd: Break errnos.d / libc-modules.h dependency loop Fix mach-syscalls.mk build hurd: Do not hide rtld symbols which need to be preempted hurd: Allow inlining IO locks hurd: Add c++-types expected result Fix malloc threaded tests link on non-Linux Fix crash on getauxval call without HAVE_AUX_VECTOR Fix build with HAVE_AUX_VECTOR hurd: fix profiling short-living processes Fix gprof timing non-linux: Apply RFC3542 obsoletion of RFC2292 macros non-linux: Apply RFC3542 obsoletion of RFC2292 macros aio: fix newp->running data race Revert "aio: fix newp->running data race" hurd: fix _hurd_self_sigstate reference from ____longjmp_chk Add more hurd exception to local headers list hurd: disable ifunc for now mach: Add mach_print sycsall declaration hurd: Fix PTR_{,DE}MANGLE calls Add missing changelog part Fix TABDLY value Siddhesh Poyarekar (10): New make target to only build benchmark binaries Fix up ChangeLog formatting benchtests: Update README to include instructions for bench-build target Fix up ChangeLog benchtests: Clean up extra-objs benchtests: Support for cross-building benchmarks Avoid attempt for runtime checks if all environments are defined Fix up ChangeLog Revert "Add pretty printers for the NPTL lock types" Fix cos computation for multiple precision fallback (bz #20357) Simion Onea (1): localedata: ro_RO: update Tuesday translation [BZ #18911] Stefan Liebler (31): Add missing inclusion of libc-internal.h. S390: Save and restore fprs/vrs while resolving symbols. S390: Extend structs La_s390_regs / La_s390_retval with vector-registers. 
S390: Use ahi instead of aghi in 32bit _dl_runtime_resolve. Mention Bug in ChangeLog for S390: Save and restore fprs/vrs while resolving symbols. Fix strfmon_l: Use specified locale for number formatting [BZ #19633] Add missing iucv related defines. S390: Add support for vdso getcpu symbol. S390: Use fPIC to avoid R_390_GOT12 relocation in gcrt1.o. Fix tst-cancel17/tst-cancelx17, which sometimes segfaults while exiting. S390: Use mvcle for copies > 1MB on 32bit with default memcpy variant. S390: Use 64bit instruction to check for copies of > 1MB with mvcle. S390: Do not call memcpy, memcmp, memset within libc.so via ifunc-plt. S390: Implement mempcpy with help of memcpy. [BZ #19765] S390: Get rid of make warning: overriding recipe for target gconv-modules. S390: Configure check for vector support in gcc. S390: Optimize 8bit-generic iconv modules. S390: Optimize builtin iconv-modules. S390: Optimize iso-8859-1 to ibm037 iconv-module. S390: Optimize utf8-utf32 module. S390: Optimize utf8-utf16 module. S390: Optimize utf16-utf32 module. S390: Use s390-64 specific ionv-modules on s390-32, too. S390: Fix utf32 to utf8 handling of low surrogates (disable cu41). S390: Fix utf32 to utf16 handling of low surrogates (disable cu42). Fix ucs4le_internal_loop in error case. [BZ #19726] Fix UTF-16 surrogate handling. [BZ #19727] tst-rec-dlopen: Fix build fail due to missing inclusion of string.h S390: Fix relocation of _nl_current_LC_CATETORY_used in static build. [BZ #19860] S390: Use DT_JUMPREL in prelink undo code. S390: Do not clobber r13 with memcpy on 31bit with copies >1MB. Stephen Gallagher (1): NSS: Implement group merging support. Szabolcs Nagy (4): [AArch64] Fix libc internal asm profiling code [AArch64] Add bits/hwcap.h for aarch64 linux [AArch64] Regenerate libm-test-ulps [AArch64] Update libm-test-ulps Timur Birsh (1): localedata: kk_KZ: various updates [BZ #15578] Torvald Riegel (1): Remove atomic_compare_and_exchange_bool_rel. 
Tulio Magno Quites Machado Filho (3): Fix type of parameter passed by malloc_consolidate powerpc: Fix --disable-multi-arch build on POWER8 powerpc: Add a POWER8-optimized version of expf() Wilco Dijkstra (7): Improve generic strcspn performance Remove pre GCC3.2 optimizations from string/bits/string2.h. Move mempcpy, strcpy and stpcpy inlines to string/string-inlines.c as compatibility This is an optimized memset for AArch64. Memset is split into 4 main cases: This is an optimized memcpy/memmove for AArch64. Copies are split into 3 main Add a simple rawmemchr implementation. Use strlen for rawmemchr(s, '\0') as it This patch further tunes memcpy - avoid one branch for sizes 1-3, Will Newton (1): elf/elf.h: Add missing Meta relocations Yvan Roux (1): Suppress GCC 6 warning about ambiguous 'else' with -Wparentheses Zack Weinberg (3): Move sysdeps/generic/bits/hwcap.h to top-level bits/ Move sysdeps/generic/bits/hwcap.h to top-level bits/ Don't install the internal header grp-merge.h raji (1): powerpc: strcasecmp/strncasecmp optmization for power8 ricaljasan@pacific.net (2): manual: fix typo in the introduction manual: fix typos in error reporting -----------------------------------------------------------------------
The branch, gentoo/2.23 has been updated
       via  a80b8ab9117b3e30bb56d913a5e60ead97117d6d (commit)
      from  1aa6738de4fcd332a83f24899f464994ebab9865 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a80b8ab9117b3e30bb56d913a5e60ead97117d6d

commit a80b8ab9117b3e30bb56d913a5e60ead97117d6d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 23 20:18:34 2016 +0200

    CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]

    The call is technically in a loop, and under certain circumstances
    (which are quite difficult to reproduce in a test case), alloca can be
    invoked repeatedly during a single call to clntudp_call.  As a result,
    the available stack space can be exhausted (even though individual
    alloca sizes are bounded implicitly by what can fit into a UDP packet,
    as a side effect of the earlier successful send operation).

    (cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)
    (cherry picked from commit bdce95930e1d9a7d013d1ba78740243491262879)

-----------------------------------------------------------------------

Summary of changes:
 sunrpc/clnt_udp.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)
The branch, master has been updated
       via  d42eed4a044e5e10dfb885cf9891c2518a72a491 (commit)
      from  963394a22b38c4ec92b6875a6c06d3b15d5c0d21 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491

commit d42eed4a044e5e10dfb885cf9891c2518a72a491
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Feb 27 19:05:13 2017 +0100

    sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]

    After commit bc779a1a5b3035133024b21e2f339fe4219fb11c (CVE-2016-4429:
    sunrpc: Do not use alloca in clntudp_call [BZ #20112]), ancillary data
    is stored on the heap, but it is accessed after it has been freed.

    The test case must be run under a heap debugger such as valgrind to
    observe the invalid access.  A malloc implementation which immediately
    calls munmap on free would catch this bug as well.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |  8 ++++++
 sunrpc/Makefile        |  3 +-
 sunrpc/clnt_udp.c      |  2 +-
 sunrpc/tst-udp-error.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 sunrpc/tst-udp-error.c
The branch, release/2.25/master has been updated
       via  045e368799cd253ddbf8bdec42ed92e8ebb3ce67 (commit)
      from  58520986c38e34db60e07260c64c563e3efcf353 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=045e368799cd253ddbf8bdec42ed92e8ebb3ce67

commit 045e368799cd253ddbf8bdec42ed92e8ebb3ce67
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Feb 28 17:05:46 2017 +0100

    sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]

    After commit bc779a1a5b3035133024b21e2f339fe4219fb11c (CVE-2016-4429:
    sunrpc: Do not use alloca in clntudp_call [BZ #20112]), ancillary data
    is stored on the heap, but it is accessed after it has been freed.

    The test case must be run under a heap debugger such as valgrind to
    observe the invalid access.  A malloc implementation which immediately
    calls munmap on free would catch this bug as well.

    (cherry picked from commit d42eed4a044e5e10dfb885cf9891c2518a72a491)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |  8 ++++++
 NEWS                   |  1 +
 sunrpc/Makefile        |  3 +-
 sunrpc/clnt_udp.c      |  2 +-
 sunrpc/tst-udp-error.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 sunrpc/tst-udp-error.c
The branch, gentoo/2.25 has been updated
       via  55df1000167b0143106e063f23159515d0c9c61c (commit)
      from  0232af1ad6cbd8378025e804f535ce9449ad49de (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=55df1000167b0143106e063f23159515d0c9c61c

commit 55df1000167b0143106e063f23159515d0c9c61c
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Feb 28 17:05:46 2017 +0100

    sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]

    After commit bc779a1a5b3035133024b21e2f339fe4219fb11c (CVE-2016-4429:
    sunrpc: Do not use alloca in clntudp_call [BZ #20112]), ancillary data
    is stored on the heap, but it is accessed after it has been freed.

    The test case must be run under a heap debugger such as valgrind to
    observe the invalid access.  A malloc implementation which immediately
    calls munmap on free would catch this bug as well.

    (cherry picked from commit d42eed4a044e5e10dfb885cf9891c2518a72a491)
    (cherry picked from commit 045e368799cd253ddbf8bdec42ed92e8ebb3ce67)

-----------------------------------------------------------------------

Summary of changes:
 sunrpc/Makefile        |  3 +-
 sunrpc/clnt_udp.c      |  2 +-
 sunrpc/tst-udp-error.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100644 sunrpc/tst-udp-error.c
The branch, release/2.24/master has been updated
       via  36f173ab3709b4a920a833b9af67f30bcba1ea01 (commit)
      from  6aacb5befa4992dcbd6df17e914dd802fba8a1ea (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=36f173ab3709b4a920a833b9af67f30bcba1ea01

commit 36f173ab3709b4a920a833b9af67f30bcba1ea01
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Feb 27 19:05:13 2017 +0100

    sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]

    After commit bc779a1a5b3035133024b21e2f339fe4219fb11c (CVE-2016-4429:
    sunrpc: Do not use alloca in clntudp_call [BZ #20112]), ancillary data
    is stored on the heap, but it is accessed after it has been freed.

    The test case must be run under a heap debugger such as valgrind to
    observe the invalid access.  A malloc implementation which immediately
    calls munmap on free would catch this bug as well.

    (cherry picked from commit d42eed4a044e5e10dfb885cf9891c2518a72a491)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |  8 ++++++
 sunrpc/Makefile        |  3 +-
 sunrpc/clnt_udp.c      |  2 +-
 sunrpc/tst-udp-error.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 sunrpc/tst-udp-error.c
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources". The branch, release/2.22/master has been updated via 017d97cd2ec0f626f8afb8c73ea3d612d8e844c3 (commit) via 436359fd41343c1db0616bd90e8a05bf188f237c (commit) via 407ec876262f0e6f55635ea0783f1f4a6c5d127f (commit) via d2450a97c3df5527ea0fd49743bc354c979c185f (commit) via c64d6bc3da8e61feab4117bcad53bd97e7a111cd (commit) via d9c54360ca92a92ee8ee587f15a3cfc64fe4cb37 (commit) via f87adbcaa47de2109e1c4561a2badf8aa82bc349 (commit) via 21c5d14bfb4e08bee86f94fd815535d3be2c3869 (commit) via 9d0aec236891576c7f12e935128364669b785233 (commit) via 89dc0372bb497b7d51bcf9999ce3f9684d450959 (commit) via 1be1845b280cfadff0cbd09170af554549849ffb (commit) from 771fb81f98a2be9e96f2a09056617ad93d64959f (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. 
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=017d97cd2ec0f626f8afb8c73ea3d612d8e844c3

commit 017d97cd2ec0f626f8afb8c73ea3d612d8e844c3
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Feb 6 09:19:03 2018 +0100

    Record CVE-2018-6551 in NEWS and ChangeLog [BZ #22774]

    (cherry picked from commit 71aa429b029fdb6f9e65d44050388b51eca460d6)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=436359fd41343c1db0616bd90e8a05bf188f237c

commit 436359fd41343c1db0616bd90e8a05bf188f237c
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Feb 1 15:00:44 2018 +0100

    Record CVE-2018-6485 in ChangeLog and NEWS [BZ #22343]

    (cherry picked from commit 4590634fd65162568b9f52fb4beb60aa25da37f2)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=407ec876262f0e6f55635ea0783f1f4a6c5d127f

commit 407ec876262f0e6f55635ea0783f1f4a6c5d127f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Aug 16 16:47:20 2017 +0200

    Add ChangeLog reference to bug 16750/CVE-2009-5064

    (cherry picked from commit 403143e1df85dadd374f304bd891be0cd7573e3b)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d2450a97c3df5527ea0fd49743bc354c979c185f

commit d2450a97c3df5527ea0fd49743bc354c979c185f
Author: Arjun Shankar <arjun.is@lostca.se>
Date:   Thu Jan 18 16:47:06 2018 +0000

    Fix integer overflows in internal memalign and malloc functions [BZ #22343]

    When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
    and a requested size close to SIZE_MAX, it falls back to malloc code
    (because the alignment of a block returned by malloc is sufficient to
    satisfy the call). In this case, an integer overflow in _int_malloc leads
    to posix_memalign incorrectly returning successfully.

    Upon fixing this and writing a somewhat thorough regression test, it was
    discovered that when posix_memalign is called with an alignment larger than
    MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
    close to SIZE_MAX, a different integer overflow in _int_memalign leads to
    posix_memalign incorrectly returning successfully.

    Both integer overflows affect other memory allocation functions that use
    _int_malloc (one affected malloc in x86) or _int_memalign as well.

    This commit fixes both integer overflows. In addition to this, it adds a
    regression test to guard against false successful allocations by the
    following memory allocation functions when called with too-large allocation
    sizes and, where relevant, various valid alignments: malloc, realloc,
    calloc, reallocarray, memalign, posix_memalign, aligned_alloc, valloc, and
    pvalloc.

    (cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c64d6bc3da8e61feab4117bcad53bd97e7a111cd

commit c64d6bc3da8e61feab4117bcad53bd97e7a111cd
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Dec 14 15:18:38 2017 +0100

    elf: Compute correct array size in _dl_init_paths [BZ #22606]

    (cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d9c54360ca92a92ee8ee587f15a3cfc64fe4cb37

commit d9c54360ca92a92ee8ee587f15a3cfc64fe4cb37
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 12:14:01 2017 +0100

    <array_length.h>: New array_length and array_end macros

    (cherry picked from commit c94a5688fb1228a862b2d4a3f1239cdc0e3349e5)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f87adbcaa47de2109e1c4561a2badf8aa82bc349

commit f87adbcaa47de2109e1c4561a2badf8aa82bc349
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Dec 14 15:05:57 2017 +0100

    elf: Count components of the expanded path in _dl_init_path [BZ #22607]

    (cherry picked from commit 3ff3dfa5af313a6ea33f3393916f30eece4f0171)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=21c5d14bfb4e08bee86f94fd815535d3be2c3869

commit 21c5d14bfb4e08bee86f94fd815535d3be2c3869
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 30 10:54:23 2017 +0100

    elf: Check for empty tokens before dynamic string token expansion [BZ #22625]

    The fillin_rpath function in elf/dl-load.c loops over each RPATH or
    RUNPATH token and interprets empty tokens as the current directory
    ("./"). In practice the check for an empty token is done *after* the
    dynamic string token expansion. The expansion process can return an
    empty string for the $ORIGIN token if __libc_enable_secure is set or if
    the path of the binary cannot be determined (/proc not mounted).

    Fix that by moving the check for empty tokens before the dynamic string
    token expansion. In addition, check for a NULL pointer or empty string
    returned by expand_dynamic_string_token.

    The above changes highlighted a bug in decompose_rpath: an empty array is
    represented by the first element being NULL at the fillin_rpath level,
    but by using a -1 pointer in decompose_rpath and other functions.

    Changelog:
    [BZ #22625]
    * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
    string token expansion. Check for NULL pointer or empty string possibly
    returned by expand_dynamic_string_token.
    (decompose_rpath): Check for empty path after dynamic string token
    expansion.

    (cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9d0aec236891576c7f12e935128364669b785233

commit 9d0aec236891576c7f12e935128364669b785233
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 13 13:09:38 2017 +0200

    sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]

    After commit bc779a1a5b3035133024b21e2f339fe4219fb11c (CVE-2016-4429:
    sunrpc: Do not use alloca in clntudp_call [BZ #20112]), ancillary data
    is stored on the heap, but it is accessed after it has been freed.

    The test case must be run under a heap debugger such as valgrind to
    observe the invalid access. A malloc implementation which immediately
    calls munmap on free would catch this bug as well.

    (cherry picked from commit d42eed4a044e5e10dfb885cf9891c2518a72a491)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89dc0372bb497b7d51bcf9999ce3f9684d450959

commit 89dc0372bb497b7d51bcf9999ce3f9684d450959
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Aug 16 15:59:55 2017 +0200

    ldd: never run file directly

    (cherry picked from commit eedca9772e99c72ab4c3c34e43cc764250aa3e3c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1be1845b280cfadff0cbd09170af554549849ffb

commit 1be1845b280cfadff0cbd09170af554549849ffb
Author: Arjun Shankar <arjun.is@lostca.se>
Date:   Wed Jun 7 11:46:24 2017 +0200

    Synchronize support/ infrastructure with master

    This commit updates the support/ subdirectory to commit
    2714c5f3c95f90977167c1d21326d907fb76b419 on the master branch and
    modifies Makeconfig, Rules, and extra-lib.mk accordingly.
    (cherry picked from commit 4c5785aa129a5d195fc1cd5c7fcd6f62c2b0ff0c)
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>

-----------------------------------------------------------------------

Summary of changes:
 130 files changed, 7804 insertions(+), 59 deletions(-)
Created attachment 12624 [details]
tst-rpc-udp-client.c

I looked at this again. On really old kernels (I tried kernel-2.6.32-754.29.2.el6.x86_64), I could not get looping behavior because the error state on the socket appears to be sticky, so the second recvmsg (with MSG_DONTWAIT, after the one with MSG_ERRQUEUE) in clntudp_call does not fail with EWOULDBLOCK, and the function returns to the caller. Without the looping behavior, the alloca should be harmless for pretty much all applications because the size argument depends on the size of the generated (outgoing) UDP packet and will be well below default stack sizes.

With kernel-3.10.0-327.el7.x86_64 and kernel-5.6.11-200.fc31.x86_64, I see looping behavior and segfaults with small stack sizes. -fstack-clash-protection will turn this into a reliable crash (no code execution possible). Even without that build flag, this will not be exploitable in most cases because the application determines the alloca argument, based on the generated UDP packet (not the response). This will usually be smaller than a page.
As per upstream: "it's extremely unlikely that real-world applications are impacted by this."

Florian, can you please explain/comment on this.
(In reply to Huzaifa Sidhpurwala from comment #17)
> As per upstream " it's extremely unlikely that real-world applications are
> impacted by this."
>
> Florian can you please explain/comment on this.

In order to trigger a denial-of-service condition, an attacker would have to send a stream of appropriate ICMP messages at high rate. It is likely that an attacker who is able to do that can just flood the network directly, degrading the service in a similar fashion to what a crash would (although perhaps with less permanence).

The main concern regarding this bug seems to be whether it allows remote code execution. This is theoretically possible if the alloca call allows skipping the guard page. For this to be possible, several factors need to align:

* glibc must have been built without -fstack-clash-protection.
* The application must be multi-threaded. For a single-threaded application, the guard page supplied by kernel pages is so large that it is not possible to skip over it using packets received from the network.
* The application must generate UDP RPC packets which are larger than the guard page (minus 200 bytes). This is rather unusual because the guard page is typically 4K, the network MTU is 1500 bytes or less, and applications usually try to keep UDP packet size small, to avoid dealing with fragmentation-related issues.

Please let me know if you have further questions.
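The two points made across this thread, that an alloca per loop iteration accumulates stack until the function returns (CVE-2016-4429) while a malloc/free pair per iteration holds at most one buffer, and that the freed buffer must not be touched afterwards (the BZ #21115 follow-up), are shown side by side in this added example. It is not glibc's code: the real MSG_ERRQUEUE socket loop of clntudp_call is replaced by a constructed array of error events, and err_event, loop_result and demo_events are names invented for the example.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for one MSG_ERRQUEUE result; only the payload length matters
   here.  Constructed for this example, not a real error-queue record.  */
struct err_event { size_t payload_len; };

/* Pattern of the original clntudp_call (CVE-2016-4429): a fresh alloca on
   every loop iteration.  alloca'd memory is released only on function
   return, so the span between the first and last buffer grows with the
   number of events handled.  Returns that span in bytes.  Keep the
   arguments small: this measures the pattern, it is not a stress test.  */
size_t stack_span_of_alloca_loop(int events, size_t request_size)
{
    uintptr_t first = 0, last = 0;
    for (int i = 0; i < events; i++) {
        char *buf = alloca(request_size);
        memset(buf, 0, request_size);
        if (first == 0)
            first = (uintptr_t)buf;
        last = (uintptr_t)buf;
    }
    return first > last ? first - last : last - first;  /* either growth direction */
}

struct loop_result { size_t peak_held; size_t bytes_seen; };
/* Pattern of the fix: one heap buffer per iteration, freed before the next
   is taken, so at most request_size bytes are outstanding however many
   events arrive.  The payload is inspected *before* free, the ordering the
   BZ #21115 follow-up had to restore.  peak_held is 0 if malloc failed.  */
struct loop_result heap_loop(const struct err_event *ev, int events,
                             size_t request_size)
{
    struct loop_result r = { 0, 0 };
    size_t held = 0;
    for (int i = 0; i < events; i++) {
        char *buf = malloc(request_size);
        if (buf == NULL)
            return (struct loop_result){ 0, 0 };
        held += request_size;
        if (held > r.peak_held)
            r.peak_held = held;
        /* Oversized payloads are truncated to the request buffer, as a
           bounded receive would do; every use of buf happens here.  */
        size_t n = ev[i].payload_len < request_size ? ev[i].payload_len
                                                    : request_size;
        memset(buf, 'e', n);
        r.bytes_seen += n;
        free(buf);            /* nothing may touch buf after this point */
        held -= request_size;
    }
    return r;
}

/* Constructed burst of five events standing in for ICMP-derived socket
   errors; the fourth exceeds a 1024-byte request buffer.  */
const struct err_event demo_events[] = { {64}, {128}, {512}, {1400}, {32} };
```

Eight events with a 1024-byte request leave the alloca loop at least 7 KiB deeper in the stack, while the heap loop never holds more than the one 1024-byte buffer.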