packages/newlib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!20 [sync] PR-13: fix CVE-2024-30949

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @liqingqing_1229 
Signed-off-by: @liqingqing_1229
This commit is contained in:
openeuler-ci-bot 2025-02-12 12:02:39 +00:00 committed by Gitee
commit 168bccbe35
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 60 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
0001-correctly-check-for-out-of-bounds-allocation-reqs.patch
View File

@ -1,107 +0,0 @@
From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <vinschen@redhat.com>
Date: Tue, 17 Nov 2020 10:50:57 +0100
Subject: [PATCH] malloc/nano-malloc: correctly check for out-of-bounds
allocation reqs
CVE: CVE-2021-3420
Reference: https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=aa106b29a6a8a1b0df9e334704292cbc32f2d44e
The overflow check in mEMALIGn erroneously checks for INT_MAX,
albeit the input parameter is size_t. Fix this to check for
__SIZE_MAX__ instead. Also, it misses to check the req against
adding the alignment before calling mALLOc.
While at it, add out-of-bounds checks to pvALLOc, nano_memalign,
nano_valloc, and Cygwin's (unused) dlpvalloc.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
---
newlib/libc/stdlib/mallocr.c | 7 ++++++-
newlib/libc/stdlib/nano-mallocr.c | 22 +++++++++++++++++++++-
winsup/cygwin/malloc.cc | 4 ++++
3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
index 26d1c89c..af877605 100644
--- a/newlib/libc/stdlib/mallocr.c
+++ b/newlib/libc/stdlib/mallocr.c
@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes;
nb = request2size(bytes);
/* Check for overflow. */
- if (nb > INT_MAX || nb < bytes)
+ if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes)
{
RERRNO = ENOMEM;
return 0;
@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes;
#endif
{
size_t pagesize = malloc_getpagesize;
+ if (bytes > __SIZE_MAX__ - pagesize)
+ {
+ RERRNO = ENOMEM;
+ return 0;
+ }
return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1));
}
diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-mallocr.c
index 13b72c99..edf68e7a 100644
--- a/newlib/libc/stdlib/nano-mallocr.c
+++ b/newlib/libc/stdlib/nano-mallocr.c
@@ -568,8 +568,22 @@ void * nano_memalign(RARG size_t align, size_t s)
if ((align & (align-1)) != 0) return NULL;
align = MAX(align, MALLOC_ALIGN);
+
+ /* Make sure ma_size does not overflow */
+ if (s > __SIZE_MAX__ - CHUNK_ALIGN)
+ {
+ RERRNO = ENOMEM;
+ return NULL;
+ }
ma_size = ALIGN_TO(MAX(s, MALLOC_MINSIZE), CHUNK_ALIGN);
- size_with_padding = ma_size + align - MALLOC_ALIGN;
+
+ /* Make sure size_with_padding does not overflow */
+ if (ma_size > __SIZE_MAX__ - (align - MALLOC_ALIGN))
+ {
+ RERRNO = ENOMEM;
+ return NULL;
+ }
+ size_with_padding = ma_size + (align - MALLOC_ALIGN);
allocated = nano_malloc(RCALL size_with_padding);
if (allocated == NULL) return NULL;
@@ -632,6 +646,12 @@ void * nano_valloc(RARG size_t s)
#ifdef DEFINE_PVALLOC
void * nano_pvalloc(RARG size_t s)
{
+ /* Make sure size given to nano_valloc does not overflow */
+ if (s > __SIZE_MAX__ - MALLOC_PAGE_ALIGN)
+ {
+ RERRNO = ENOMEM;
+ return NULL;
+ }
return nano_valloc(RCALL ALIGN_TO(s, MALLOC_PAGE_ALIGN));
}
#endif /* DEFINE_PVALLOC */
diff --git a/winsup/cygwin/malloc.cc b/winsup/cygwin/malloc.cc
index 23c35407..8a1fc257 100644
--- a/winsup/cygwin/malloc.cc
+++ b/winsup/cygwin/malloc.cc
@@ -5298,6 +5298,10 @@ void* dlpvalloc(size_t bytes) {
size_t pagesz;
ensure_initialization();
pagesz = mparams.page_size;
+ if (bytes > MAX_REQUEST) {
+ MALLOC_FAILURE_ACTION;
+ return NULL;
+ }
return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE));
}
--
2.33.0.windows.2

54
fix-CVE-2024-30949.patch Normal file
View File

@ -0,0 +1,54 @@
From 5f15d7c5817b07a6b18cbab17342c95cb7b42be4 Mon Sep 17 00:00:00 2001
From: Kuan-Wei Chiu <visitorckw@gmail.com>
Date: Fri, 20 Sep 2024 12:44:40 +0800
Subject: [PATCH] fix CVE-2024-30949
RISC-V: Fix timeval conversion in _gettimeofday()
Replace multiplication with division for microseconds calculation from
nanoseconds in _gettimeofday function.
---
libgloss/riscv/sys_gettimeofday.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/libgloss/riscv/sys_gettimeofday.c b/libgloss/riscv/sys_gettimeofday.c
index 457dcbc..5379a89 100644
--- a/libgloss/riscv/sys_gettimeofday.c
+++ b/libgloss/riscv/sys_gettimeofday.c
@@ -1,10 +1,31 @@
#include <machine/syscall.h>
#include <sys/time.h>
+#include <stdint.h>
#include "internal_syscall.h"
/* Get the current time. Only relatively correct. */
int
_gettimeofday(struct timeval *tp, void *tzp)
{
- return syscall_errno (SYS_gettimeofday, tp, 0, 0, 0, 0, 0);
+#if __riscv_xlen == 32
+ struct __timespec64
+ {
+ int64_t tv_sec; /* Seconds */
+# if BYTE_ORDER == BIG_ENDIAN
+ int32_t __padding; /* Padding */
+ int32_t tv_nsec; /* Nanoseconds */
+# else
+ int32_t tv_nsec; /* Nanoseconds */
+ int32_t __padding; /* Padding */
+# endif
+ };
+ struct __timespec64 ts64;
+ int rv;
+ rv = syscall_errno (SYS_clock_gettime64, 2, 0, (long)&ts64, 0, 0, 0, 0);
+ tp->tv_sec = ts64.tv_sec;
+ tp->tv_usec = ts64.tv_nsec / 1000;
+ return rv;
+#else
+ return syscall_errno (SYS_gettimeofday, 1, tp, 0, 0, 0, 0, 0);
+#endif
}
--
2.43.0

9
newlib.spec
View File

@ -2,15 +2,15 @@
%global _newlib newlib %global _newlib newlib
Name: newlib Name: newlib
Version: 3.3.0 Version: 3.3.0
Release: 4 Release: 5
Summary: Newlib is a C library intended for use on embedded systems. Summary: Newlib is a C library intended for use on embedded systems.
License: BSD License: BSD
URL: https://sourceware.org/newlib/ URL: https://sourceware.org/newlib/
Source0: ftp://sourceware.org/pub/newlib/newlib-%{version}.tar.gz Source0: ftp://sourceware.org/pub/newlib/newlib-%{version}.tar.gz
Patch01: Modify-neon-instruction.patch Patch01: Modify-neon-instruction.patch
Patch02: fix-CVE-2024-30949.patch
BuildRequires: make gcc binutils texinfo texinfo-tex BuildRequires: make gcc binutils texinfo texinfo-tex
Excludearch: loongarch64 Excludearch: loongarch64
@ -64,6 +64,9 @@ cd ..
%changelog %changelog
* Wed Sep 25 2024 changtao <changtao@kylinos.cn> - 3.3.0-5
- fix CVE-2024-30949
* Sat Jun 08 2024 yueyuankun <yueyuankun@kylinos.cn> - 3.3.0-4 * Sat Jun 08 2024 yueyuankun <yueyuankun@kylinos.cn> - 3.3.0-4
- add Excludearch: loongarch64 - add Excludearch: loongarch64