From e92d0abecfb11884e85a53f81966c66e5319942d Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Mon, 23 Nov 2009 17:02:20 +0000
Subject: [PATCH] Use NetBSD fix for CVE-2009-0689 security vulnerability.
* libc/include/sys/reent.h (_Kmax): Define here based on the sizeof size_t, as in latest NetBSD.
* libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant value 15.
* libc/stdlib/mprec.c (_Kmax): Don't define here. Explain why.
---
 newlib/ChangeLog | 9 +++++++++
 newlib/libc/include/sys/reent.h | 5 +++++
 newlib/libc/reent/reent.c | 2 +-
 newlib/libc/stdlib/mprec.c | 6 +++++-
 4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/newlib/ChangeLog b/newlib/ChangeLog
index 72ca21653..be8b35737 100644
--- a/newlib/ChangeLog
+++ b/newlib/ChangeLog
@@ -1,3 +1,12 @@
+2009-11-23 Corinna Vinschen
+
+ Use NetBSD fix for CVE-2009-0689 security vulnerability.
+ * libc/include/sys/reent.h (_Kmax): Define here based on the sizeof
+ size_t, as in latest NetBSD.
+ * libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant
+ value 15.
+ * libc/stdlib/mprec.c (_Kmax): Don't define here. Explain why.
+
 2009-11-20 Nick Clifton
 * libc/machine/rx/strncat.S (_strncat): Replace use of r6
diff --git a/newlib/libc/include/sys/reent.h b/newlib/libc/include/sys/reent.h
index 60eb208a7..ed3d9aa01 100644
--- a/newlib/libc/include/sys/reent.h
+++ b/newlib/libc/include/sys/reent.h
@@ -800,6 +800,11 @@ struct _reent
 #endif /* !_REENT_SMALL */
+/* This value is used in stdlib/misc.c. reent/reent.c has to know it
+ as well to make sure the freelist is correctly free'd. Therefore
+ we define it here, rather than in stdlib/misc.c, as before. */
+#define _Kmax (sizeof (size_t) << 3)
+
 /*
 * All references to struct _reent are via this pointer.
 * Internally, newlib routines that need to reference it should use _REENT.
diff --git a/newlib/libc/reent/reent.c b/newlib/libc/reent/reent.c
index 3c9de71f7..63812db83 100644
--- a/newlib/libc/reent/reent.c
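Review bot: The new comment above `_Kmax` in sys/reent.h names `stdlib/misc.c` twice, but the file this patch edits to drop the old definition is `libc/stdlib/mprec.c`; the wording looks carried over from the NetBSD source and points readers at a file the patch never touches. I would write `/* This value is used in stdlib/mprec.c.` and `rather than in stdlib/mprec.c, as before. */`. The macro also expands to a `size_t` expression and assumes 8 bits per byte through `<< 3`, so every user needs `size_t` in scope and gets an unsigned bound; one sentence in the comment saying so would help the next reader.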
+++ b/newlib/libc/reent/reent.c
@@ -55,7 +55,7 @@ _DEFUN (_reclaim_reent, (ptr),
 if (_REENT_MP_FREELIST(ptr))
 {
 int i;
- for (i = 0; i < 15 /* _Kmax */; i++)
+ for (i = 0; i < _Kmax; i++)
 {
 struct _Bigint *thisone, *nextone;
diff --git a/newlib/libc/stdlib/mprec.c b/newlib/libc/stdlib/mprec.c
index 6e84ece5b..2b982ef55 100644
--- a/newlib/libc/stdlib/mprec.c
+++ b/newlib/libc/stdlib/mprec.c
@@ -86,8 +86,12 @@
 #include
 #include "mprec.h"
-/* reent.c knows this value */
+/* This is defined in sys/reent.h as (sizeof (size_t) << 3) now, as in NetBSD.
+ The old value of 15 was wrong and made newlib vulnerable against buffer
+ overrun attacks (CVE-2009-0689), same as other implementations of gdtoa
+ based on BSD code.
 #define _Kmax 15
+*/
 _Bigint *
 _DEFUN (Balloc, (ptr, k), struct _reent *ptr _AND int k)
--
2.43.5
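Review bot: In the reent.c hunk, `for (i = 0; i < _Kmax; i++)` now compares the `int i` declared just above with a `size_t` expression, so the comparison is done in unsigned arithmetic and will draw a sign-compare warning; `for (i = 0; i < (int) _Kmax; i++)` or a `size_t` index keeps it clean. The bound also has to match the number of slots the allocator gives the freelist, which is decided in mprec.c and is not visible here; if that array holds `_Kmax + 1` entries, the last bucket is never reclaimed by this loop. The body of `_reclaim_reent` starts and ends outside the hunk.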
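Review bot: In the mprec.c hunk only the constant changes; nothing visible makes `Balloc` reject a `k` larger than `_Kmax` before the freelist is indexed, so the overrun described for CVE-2009-0689 is avoided by the table being large enough, not by a check. `Balloc`'s body lies outside the hunk, so confirm whether it and the matching free path compare `k` against `_Kmax`; if they do not, an explicit range check there would turn the bound into something enforced. The dead `#define _Kmax 15` left inside the comment is also easy to misread as live code; I would keep only the prose, for example `/* _Kmax is defined in sys/reent.h as (sizeof (size_t) << 3); the old value of 15 allowed a freelist overrun (CVE-2009-0689). */`.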