about summary refs log tree commit diff
Commit message (Collapse)AuthorAgeFilesLines
* Fix powerpc software sqrt (bug 17964). release/2.19/masterJoseph Myers2017-02-203-17/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As Adhemerval noted in <https://sourceware.org/ml/libc-alpha/2015-01/msg00451.html>, the powerpc sqrt implementation for when _ARCH_PPCSQ is not defined is inaccurate in some cases. The problem is that this code relies on fused multiply-add, and relies on the compiler contracting a * b + c to get a fused operation. But sysdeps/ieee754/dbl-64/Makefile disables contraction for e_sqrt.c, because the implementation in that directory relies on *not* having contracted operations. While it would be possible to arrange makefiles so that an earlier sysdeps directory can disable the setting in sysdeps/ieee754/dbl-64/Makefile, it seems a lot cleaner to make the dependence on fused operations explicit in the .c file. GCC 4.6 introduced support for __builtin_fma on powerpc and other architectures with such instructions, so we can rely on that; this patch duly makes the code use __builtin_fma for all such fused operations. Tested for powerpc32 (hard float). 2015-02-12 Joseph Myers <joseph@codesourcery.com> [BZ #17964] * sysdeps/powerpc/fpu/e_sqrt.c (__slow_ieee754_sqrt): Use __builtin_fma instead of relying on contraction of a * b + c. (cherry picked from commit e8bd5286c68bc35be3b41e94c15c4387dcb3bec9)
* powerpc: Fix fsqrt build in libm [BZ#16576]Adhemerval Zanella2016-11-217-107/+46
| | | | | | | | | | | | Some powerpc64 processors (e5500 core for instance) does not provide the fsqrt instruction, however current check to use in math_private.h is __WORDSIZE and _ARCH_PWR4 (ISA 2.02). This is patch change it to use the compiler flag _ARCH_PPCSQ (which is the same condition GCC uses to decide whether to generate fsqrt instruction). It fixes BZ#16576. (cherry picked from commit 08cee2a464f614a6d4275b5af6c52481f1aa16e6)
* arm: mark __startcontext as .cantunwind (bug 20435)Andreas Schwab2016-08-193-0/+19
| | | | | | | | | | | __startcontext marks the bottom of the call stack of the contexts created by makecontext. (cherry picked from commit 9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617) Also includes the NEWS update, cherry-picked from commits 056dd72af83f5459ce6d545a49dea6dba7d635dc and 4d047efdbc55b0d68947cde682e5363d16a66294.
* linux: open and openat ignore 'mode' with O_TMPFILE in flagsEric Rannaud2016-08-1420-47/+82
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Both open and openat load their last argument 'mode' lazily, using va_arg() only if O_CREAT is found in oflag. This is wrong, mode is also necessary if O_TMPFILE is in oflag. By chance on x86_64, the problem wasn't evident when using O_TMPFILE with open, as the 3rd argument of open, even when not loaded with va_arg, is left untouched in RDX, where the syscall expects it. However, openat was not so lucky, and O_TMPFILE couldn't be used: mode is the 4th argument, in RCX, but the syscall expects its 4th argument in a different register than the glibc wrapper, in R10. Introduce a macro __OPEN_NEEDS_MODE (oflag) to test if either O_CREAT or O_TMPFILE is set in oflag. Tested on Linux x86_64. [BZ #17523] * io/fcntl.h (__OPEN_NEEDS_MODE): New macro. * io/bits/fcntl2.h (open): Use it. (openat): Likewise. * io/open.c (__libc_open): Likewise. * io/open64.c (__libc_open64): Likewise. * io/open64_2.c (__open64_2): Likewise. * io/open_2.c (__open_2): Likewise. * io/openat.c (__openat): Likewise. * io/openat64.c (__openat64): Likewise. * io/openat64_2.c (__openat64_2): Likewise. * io/openat_2.c (__openat_2): Likewise. * sysdeps/mach/hurd/open.c (__libc_open): Likewise. * sysdeps/mach/hurd/openat.c (__openat): Likewise. * sysdeps/posix/open64.c (__libc_open64): Likewise. * sysdeps/unix/sysv/linux/dl-openat64.c (openat64): Likewise. * ports/sysdeps/unix/sysv/linux/generic/open.c (__libc_open): Likewise. (__open_nocancel): Likewise. * ports/sysdeps/unix/sysv/linux/generic/open64.c (__libc_open64): Likewise. * sysdeps/unix/sysv/linux/open64.c (__libc_open64): Likewise. * sysdeps/unix/sysv/linux/openat.c (__OPENAT): Likewise. (cherry picked from commit 65f6f938cd562a614a68e15d0581a34b177ec29d)
* Harden tls_dtor_list with pointer mangling [BZ #19018]Florian Weimer2016-07-113-4/+19
| | | | | | | | (cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549) Conflicts: NEWS stdlib/cxa_thread_atexit_impl.c
* Always enable pointer guard [BZ #18928]Florian Weimer2016-07-114-16/+16
| | | | | | | | | | | | | | | | | | | Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode has security implications. This commit enables pointer guard unconditionally, and the environment variable is now ignored. [BZ #18928] * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove _dl_pointer_guard member. * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard initializer. (security_init): Always set up pointer guard. (process_envvars): Do not process LD_POINTER_GUARD. (cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7) Conflicts: NEWS
* Fix memory handling in strxfrm_l [BZ #16009]Leonhard Holz2016-07-115-107/+476
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [Modified from the original email by Siddhesh Poyarekar] This patch solves bug #16009 by implementing an additional path in strxfrm that does not depend on caching the weight and rule indices. In detail the following changed: * The old main loop was factored out of strxfrm_l into the function do_xfrm_cached to be able to alternativly use the non-caching version do_xfrm. * strxfrm_l allocates a a fixed size array on the stack. If this is not sufficiant to store the weight and rule indices, the non-caching path is taken. As the cache size is not dependent on the input there can be no problems with integer overflows or stack allocations greater than __MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the definition of strxfrm does not allow an oom errorhandling. * The uncached path determines the weight and rule index for every char and for every pass again. * Passing all the locale data array by array resulted in very long parameter lists, so I introduced a structure that holds them. * Checking for zero src string has been moved a bit upwards, it is before the locale data initialization now. * To verify that the non-caching path works correct I added a test run to localedata/sort-test.sh & localedata/xfrm-test.c where all strings are patched up with spaces so that they are too large for the caching path. (cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa) Conflicts: NEWS string/strxfrm_l.c
* CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]Florian Weimer2016-05-313-2/+21
| | | | | | | | | | | | The call is technically in a loop, and under certain circumstances (which are quite difficult to reproduce in a test case), alloca can be invoked repeatedly during a single call to clntudp_call. As a result, the available stack space can be exhausted (even though individual alloca sizes are bounded implicitly by what can fit into a UDP packet, as a side effect of the earlier successful send operation). (cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)
* resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]Florian Weimer2016-05-233-24/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement second fallback mode for DNS requests), there is a code path which returns early, before *resplen2 is initialized. This happens if the name server address is immediately recognized as invalid (because of lack of protocol support, or if it is a broadcast address such 255.255.255.255, or another invalid address). If this happens and *resplen2 was non-zero (which is the case if a previous query resulted in a failure), __libc_res_nquery would reuse an existing second answer buffer. This answer has been previously identified as unusable (for example, it could be an NXDOMAIN response). Due to the presence of a second answer, no name server switching will occur. The result is a name resolution failure, although a successful resolution would have been possible if name servers have been switched and queries had proceeded along the search path. The above paragraph still simplifies the situation. Before glibc 2.23, if the second answer needed malloc, the stub resolver would still attempt to reuse the second answer, but this is not possible because __libc_res_nsearch has freed it, after the unsuccessful call to __libc_res_nquerydomain, and set the buffer pointer to NULL. This eventually leads to an assertion failure in __libc_res_nquery: /* Make sure both hp and hp2 are defined */ assert((hp != NULL) && (hp2 != NULL)); If assertions are disabled, the consequence is a NULL pointer dereference on the next line. Starting with glibc 2.23, as a result of commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665)), the second answer is always allocated with malloc. This means that the assertion failure happens with small responses as well because there is no buffer to reuse, as soon as there is a name resolution failure which triggers a search for an answer along the search path. This commit addresses the issue by ensuring that *resplen2 is initialized before the send_dg function returns. This commit also addresses a bug where an invalid second reply is incorrectly returned as a valid to the caller. (cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)
* CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).Carlos O'Donell2016-05-175-63/+339
| | | | | | | | | | | | | | | | | | | | | | * A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control of execution flow in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family. The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response of a query writing beyond the alloca allocated buffer created by _nss_dns_gethostbyname4_r. Buffer management is simplified to remove the overflow. Thanks to the Google Security Team and Red Hat for reporting the security impact of this issue, and Robert Holiday of Ciena for reporting the related bug 18665. (CVE-2015-7547) See also: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)
* CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010]Florian Weimer2016-05-123-62/+85
| | | | | | | | | | | | When converting a struct hostent response to struct gaih_addrtuple, the gethosts macro (which is called from gaih_inet) used alloca, without malloc fallback for large responses. This commit changes this code to use calloc unconditionally. This commit also consolidated a second hostent-to-gaih_addrtuple conversion loop (in gaih_inet) to use the new conversion function. (cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9)
* CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779]Florian Weimer2016-05-125-101/+185
| | | | | | | | Instead, we store the data we need from the return value of readdir in an object of the new type struct readdir_result. This type is independent of the layout of struct dirent. (cherry picked from commit 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea)
* glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdirFlorian Weimer2016-05-126-24/+100
| | | | | | | | | | | | | | Previously, application code had to set up the d_namlen member if the target supported it, involving conditional compilation. After this change, glob will use the length of the string in d_name instead of d_namlen to determine the file name length. All glibc targets provide the d_type and d_ino members, and setting them as needed for gl_readdir is straightforward. Changing the behavior with regards to d_ino is left to a future cleanup. (cherry picked from commit 137fe72eca6923a00381a3ca9f0e7672c1f85e3f)
* S390: Fix "backtrace() returns infinitely deep stack frames with ↵Stefan Liebler2016-04-286-2/+74
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | makecontext()" [BZ #18508]. On s390/s390x backtrace(buffer, size) returns the series of called functions until "makecontext_ret" and additional entries (up to "size") with "makecontext_ret". GDB-backtrace is also warning: "Backtrace stopped: previous frame identical to this frame (corrupt stack?)" To reproduce this scenario you have to setup a new context with makecontext() and activate it with setcontext(). See e.g. cf() function in testcase stdlib/tst-makecontext.c. Or see bug in libgo "Bug 66303 - runtime.Caller() returns infinitely deep stack frames on s390x " (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66303). This patch omits the cfi_startproc/cfi_endproc directives in ENTRY/END macro of __makecontext_ret. Thus no frame information is generated in .eh_frame and backtrace stops after __makecontext_ret. There is also no .eh_frame info for _start or thread_start functions. ChangeLog: [BZ #18508] * stdlib/Makefile ($(objpfx)tst-makecontext3): Depend on $(libdl). * stdlib/tst-makecontext.c (cf): Test if _Unwind_Backtrace is not called infinitely times. (backtrace_helper): New function. (trace_arg): New struct. (st1): Enlarge stack size. * sysdeps/unix/sysv/linux/s390/s390-32/__makecontext_ret.S: (__makecontext_ret): Omit cfi_startproc and cfi_endproc. * sysdeps/unix/sysv/linux/s390/s390-64/__makecontext_ret.S: Likewise. (cherry picked from commit 890b7a4b33d482b5c768ab47d70758b80227e9bc)
* S/390: Fix setcontext/swapcontext which are not restoring sigmask. [BZ #18080]Stefan Liebler2016-04-288-30/+264
| | | | | | | This patch uses sigprocmask(SIG_SETMASK) instead of SIG_BLOCK in setcontext, swapcontext. (cherry picked from commit 2e807f29595eb5b1e5d0decc6e356a3562ecc58e)
* CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]Florian Weimer2016-04-273-5/+14
| | | | | | | The defensive copy is not needed because the name may not alias the output buffer. (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
* hsearch_r: Apply VM size limit in test caseFlorian Weimer2016-02-162-0/+26
| | | | (cherry picked from commit f34f146e682d8d529dcf64b3c2781bf3f2f05f6c)
* Improve check against integer wraparound in hcreate_r [BZ #18240]Florian Weimer2016-01-295-20/+107
| | | | (cherry picked from commit bae7c7c764413b23e61cb099ce33be4c4ee259bb)
* Handle overflow in __hcreate_rOndřej Bílka2016-01-292-1/+13
| | | | | | | | | | | | Hi, As in bugzilla entry there is overflow in hsearch when looking for prime number as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting large inputs before looking for prime. * misc/hsearch_r.c (__hcreate_r): Handle overflow. (cherry picked from commit 2f5c1750558fe64bac361f52d6827ab1bcfe52bc)
* Fix BZ #18985 -- out of range data to strftime() causes a segfaultPaul Pluzhnikov2016-01-274-9/+73
| | | | (cherry picked from commit d36c75fc0d44deec29635dd239b0fbd206ca49b7)
* Fix trailing space.Paul Pluzhnikov2016-01-271-1/+1
| | | | (cherry picked from commit 7565d2a862683a3c26ffb1f32351b8c5ab9f7b31)
* Fix BZ #17905Paul Pluzhnikov2016-01-276-21/+75
| | | | (cherry picked from commit 0f58539030e436449f79189b6edab17d7479796e)
* Avoid overlapping addresses to stpcpy calls in nscd (BZ #16760)Siddhesh Poyarekar2015-12-203-9/+18
| | | | | | | | | | | | | | | | | | | | Calls to stpcpy from nscd netgroups code will have overlapping source and destination when all three values in the returned triplet are non-NULL and in the expected (host,user,domain) order. This is seen in valgrind as: ==3181== Source and destination overlap in stpcpy(0x19973b48, 0x19973b48) ==3181== at 0x4C2F30A: stpcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==3181== by 0x12567A: addgetnetgrentX (string3.h:111) ==3181== by 0x12722D: addgetnetgrent (netgroupcache.c:665) ==3181== by 0x11114C: nscd_run_worker (connections.c:1338) ==3181== by 0x4E3C102: start_thread (pthread_create.c:309) ==3181== by 0x59B81AC: clone (clone.S:111) ==3181== Fix this by using memmove instead of stpcpy. (cherry picked from commit ea7d8b95e2fcb81f68b04ed7787a3dbda023991a)
* Return NULL for wildcard values in getnetgrent from nscd (BZ #16759)Siddhesh Poyarekar2015-12-203-6/+18
| | | | | | | | | | | | | | | | | | | | | | | | getnetgrent is supposed to return NULL for values that are wildcards in the (host, user, domain) triplet. This works correctly with nscd disabled, but with it enabled, it returns a blank ("") instead of a NULL. This is easily seen with the output of `getent netgroup foonet` for a netgroup foonet defined as follows in /etc/netgroup: foonet (,foo,) The output with nscd disabled is: foonet ( ,foo,) while with nscd enabled, it is: foonet (,foo,) The extra space with nscd disabled is due to the fact that `getent netgroup` adds it if the return value from getnetgrent is NULL for either host or user. (cherry picked from commit dd3022d75e6fb8957843d6d84257a5d8457822d5)
* Fix nscd lookup for innetgr when netgroup has wildcards (BZ #16758)Siddhesh Poyarekar2015-12-203-6/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | nscd works correctly when the request in innetgr is a wildcard, i.e. when one or more of host, user or domain parameters is NULL. However, it does not work when the the triplet in the netgroup definition has a wildcard. This is easy to reproduce for a triplet defined as follows: foonet (,foo,) Here, an innetgr call that looks like this: innetgr ("foonet", "foohost", "foo", NULL); should succeed and so should: innetgr ("foonet", NULL, "foo", "foodomain"); It does succeed with nscd disabled, but not with nscd enabled. This fix adds this additional check for all three parts of the triplet so that it gives the correct result. [BZ #16758] * nscd/netgroupcache.c (addinnetgrX): Succeed if triplet has blank values. (cherry picked from commit fbd6b5a4052316f7eb03c4617eebfaafc59dcc06)
* Don't read past end of pattern in fnmatch (BZ #17062)Andreas Schwab2015-11-245-13/+44
| | | | | | | | (cherry picked from commit b3a9f56ba59c3d8eadd3135a1c25c37a63151450) Conflicts: NEWS posix/Makefile
* CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]Florian Weimer2015-10-195-3/+134
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Robin Hack discovered Samba would enter an infinite loop processing certain quota-related requests. We eventually tracked this down to a glibc issue. Running a (simplified) test case under strace shows that /etc/passwd is continuously opened and closed: … open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 lseek(3, 0, SEEK_CUR) = 0 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717 lseek(3, 2717, SEEK_SET) = 2717 close(3) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 lseek(3, 0, SEEK_CUR) = 0 lseek(3, 0, SEEK_SET) = 0 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717 lseek(3, 2717, SEEK_SET) = 2717 close(3) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 lseek(3, 0, SEEK_CUR) = 0 … The lookup function implementation in nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that. It is supposed skip closing the input file if it was already open. /* Reset file pointer to beginning or open file. */ \ status = internal_setent (keep_stream); \ \ if (status == NSS_STATUS_SUCCESS) \ { \ /* Tell getent function that we have repositioned the file pointer. */ \ last_use = getby; \ \ while ((status = internal_getent (result, buffer, buflen, errnop \ H_ERRNO_ARG EXTRA_ARGS_VALUE)) \ == NSS_STATUS_SUCCESS) \ { break_if_match } \ \ if (! keep_stream) \ internal_endent (); \ } \ keep_stream is initialized from the stayopen flag in internal_setent. internal_setent is called from the set*ent implementation as: status = internal_setent (stayopen); However, for non-host database, this flag is always 0, per the STAYOPEN magic in nss/getXXent_r.c. Thus, the fix is this: - status = internal_setent (stayopen); + status = internal_setent (1); This is not a behavioral change even for the hosts database (where the application can specify the stayopen flag) because with a call to sethostent(0), the file handle is still not closed in the implementation of gethostent. (cherry picked from commit 03d2730b44cc2236318fd978afa2651753666c55) Conflicts: ChangeLog NEWS
* Fix BZ #17269 -- _IO_wstr_overflow integer overflowPaul Pluzhnikov2015-10-193-2/+14
| | | | | | | | (cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33) Conflicts: ChangeLog NEWS
* Fix read past end of pattern in fnmatch (bug 18032)Andreas Schwab2015-10-193-4/+9
| | | | | | | | (cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185) Conflicts: ChangeLog NEWS
* Don't ignore too long lines in nss_files (BZ #17079)Andreas Schwab2015-10-183-3/+11
| | | | | | | | (cherry picked from commit ac60763eac3d43b7234dd21286ad3ec3f17957fc) Conflicts: ChangeLog NEWS
* Fix parsing of getai result from nscd for IPv6-only requestAndreas Schwab2015-10-022-4/+13
| | | | (cherry picked from commit 8dc9751764eb1bedf06d19695524b31a16773413)
* Correct DT_PPC64_NUMAlan Modra2015-09-113-3/+9
| | | | | | | | | | | [BZ #17153] * elf/elf.h (DT_PPC64_NUM): Correct value. * NEWS: Add to fixed bug list. (cherry picked from commit f6c44d475104e931bab2b4ffa499961088de673c) Conflicts: NEWS
* Fix use of half-initialized result in getaddrinfo when using nscd (bug 16743)Andreas Schwab2015-09-103-3/+17
| | | | | | | | | | | | | | | | | | | | | | | | This fixes a bug in the way the results from __nscd_getai are collected: for every returned result a new entry is first added to the gaih_addrtuple list, but if that result doesn't match the request this entry remains uninitialized. So for this non-matching result an extra result with uninitialized content is returned. To reproduce (with nscd running): $ getent ahostsv4 localhost 127.0.0.1 STREAM localhost 127.0.0.1 DGRAM 127.0.0.1 RAW (null) STREAM (null) DGRAM (null) RAW (cherry picked from commit a071766ebfd853179ac39f9773f894029bf86d36) Conflicts: ChangeLog NEWS
* CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]Arjun Shankar2015-08-283-2/+17
| | | | (cherry picked from commit 2959eda9272a033863c271aff62095abd01bd4e3)
* Properly handle forced elision in pthread_mutex_trylock (bug 16657)Andreas Schwab2015-08-284-12/+14
| | | | (cherry picked from commit b0a3c1640ab2fb7d16d9b9a8d9c0e524e9cb0001)
* PowerPC: Fix gprof entry point for LEAdhemerval Zanella2015-08-243-1/+9
| | | | | | | | This patch fixes the ELFv2 gprof entry point since the ABI does not define function descriptors. It fixes BZ#17213. Conflicts: NEWS
* [AArch64] End frame record chain correctly.Renlin Li2014-11-113-2/+7
|
* CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]Florian Weimer2014-09-0511-10/+54
| | | | | | | | | | | These changes are based on the fix for BZ #14134 in commit 6e230d11837f3ae7b375ea69d7905f0d18eb79e5. (cherry picked from commit 41488498b6d9440ee66ab033808cce8323bba7ac) Conflicts: NEWS iconvdata/Makefile
* __gconv_translit_find: Disable function [BZ #17187]Florian Weimer2014-09-053-174/+19
| | | | | | | | | | | This functionality has never worked correctly, and the implementation contained a security vulnerability (CVE-2014-5119). (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8) (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645) Conflicts: NEWS
* NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.Stefan Liebler2014-09-052-0/+16
| | | | | | | | | | (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6) Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and NEW enty adjusted to reflect revert occuring in 2.19.1 and 2.20. Conflicts: NEWS
* S/390: Revert the jmp_buf/ucontext_t ABI changeStefan Liebler2014-09-0536-795/+260
| | | | Backport of commit 2f438e20ab591641760e97458d5d1569942eced5
* manual: Update the locale documentationFlorian Weimer2014-09-052-32/+127
| | | | | | | (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4) Conflicts: manual/locale.texi
* _nl_find_locale: Improve handling of crafted locale names [BZ #17137]Florian Weimer2014-09-056-16/+292
| | | | | | | | | | | | | | Prevent directory traversal in locale-related environment variables (CVE-2014-0475). (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3) Addiational backporting fixes: Added tst-setlocale3-ENV to localedata/Makefile Conflicts: NEWS localedata/Makefile
* setlocale: Use the heap for the copy of the locale argumentFlorian Weimer2014-09-052-2/+17
| | | | | | This avoids alloca calls with potentially large arguments. (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)
* Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)Siddhesh Poyarekar2014-09-054-9/+19
| | | | | | | | | | | | | | | | | The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL (with errno as ERANGE) when the supplied buffer does not have sufficient space for the result. This is wrong, because the canonical way to indicate insufficient buffer is to set the errno to ERANGE and the status to NSS_STATUS_TRYAGAIN, as is used by all other modules. This fixes nscd behaviour when the nss_ldap module returns NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to fit into the supplied buffer. (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692) Conflicts: NEWS
* Provide correct buffer length to netgroup queries in nscd (BZ #16695)Siddhesh Poyarekar2014-09-053-3/+9
| | | | | | | | | | | | | | The buffer to query netgroup entries is allocated sufficient space for the netgroup entries and the key to be appended at the end, but it sends in an incorrect available length to the NSS netgroup query functions, resulting in overflow of the buffer in some special cases. The fix here is to factor in the key length when sending the available buffer and buffer length to the query functions. (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f) Conflicts: NEWS
* [BZ #16046] dl_iterate_phdr static executable testMaciej W. Rozycki2014-09-053-1/+54
| | | | (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)
* Fix another memory leak in regexp compiler (BZ #17069)Andreas Schwab2014-09-054-4/+15
| | | | | | | (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee) Conflicts: NEWS
* Fix memory leak in regexp compiler (BZ #17069)Andreas Schwab2014-09-054-5/+59
| | | | | | | (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c) Conflicts: posix/Makefile
* Fix invalid file descriptor reuse while sending DNS query (BZ #15946)Andreas Schwab2014-09-053-1/+9
| | | | | | | (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47) Conflicts: NEWS