fopencookie: Mangle function pointers stored on the heap (swbz#20222)
parent
fe01d7c362
commit
80acfa27b0
126
glibc-swbz20222.patch
Normal file
126
glibc-swbz20222.patch
Normal file
@ -0,0 +1,126 @@
|
||||
commit 0d6895748bf4531b5e516c47409d35d104f51642
|
||||
Author: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Sat Jun 11 12:07:14 2016 +0200
|
||||
|
||||
fopencookie: Mangle function pointers stored on the heap [BZ #20222]
|
||||
|
||||
(cherry picked from commit 983fd5c41ab7e5a5c33922259ca1ac99b3b413f8)
|
||||
|
||||
diff --git a/libio/iofopncook.c b/libio/iofopncook.c
|
||||
index b845d29..3aad3d3 100644
|
||||
--- a/libio/iofopncook.c
|
||||
+++ b/libio/iofopncook.c
|
||||
@@ -46,11 +46,13 @@ _IO_cookie_read (fp, buf, size)
|
||||
_IO_ssize_t size;
|
||||
{
|
||||
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
|
||||
+ cookie_read_function_t *read_cb = cfile->__io_functions.read;
|
||||
+ PTR_DEMANGLE (read_cb);
|
||||
|
||||
- if (cfile->__io_functions.read == NULL)
|
||||
+ if (read_cb == NULL)
|
||||
return -1;
|
||||
|
||||
- return cfile->__io_functions.read (cfile->__cookie, buf, size);
|
||||
+ return read_cb (cfile->__cookie, buf, size);
|
||||
}
|
||||
|
||||
static _IO_ssize_t
|
||||
@@ -60,14 +62,16 @@ _IO_cookie_write (fp, buf, size)
|
||||
_IO_ssize_t size;
|
||||
{
|
||||
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
|
||||
+ cookie_write_function_t *write_cb = cfile->__io_functions.write;
|
||||
+ PTR_DEMANGLE (write_cb);
|
||||
|
||||
- if (cfile->__io_functions.write == NULL)
|
||||
+ if (write_cb == NULL)
|
||||
{
|
||||
fp->_flags |= _IO_ERR_SEEN;
|
||||
return 0;
|
||||
}
|
||||
|
||||
- _IO_ssize_t n = cfile->__io_functions.write (cfile->__cookie, buf, size);
|
||||
+ _IO_ssize_t n = write_cb (cfile->__cookie, buf, size);
|
||||
if (n < size)
|
||||
fp->_flags |= _IO_ERR_SEEN;
|
||||
|
||||
@@ -81,9 +85,11 @@ _IO_cookie_seek (fp, offset, dir)
|
||||
int dir;
|
||||
{
|
||||
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
|
||||
+ cookie_seek_function_t *seek_cb = cfile->__io_functions.seek;
|
||||
+ PTR_DEMANGLE (seek_cb);
|
||||
|
||||
- return ((cfile->__io_functions.seek == NULL
|
||||
- || (cfile->__io_functions.seek (cfile->__cookie, &offset, dir)
|
||||
+ return ((seek_cb == NULL
|
||||
+ || (seek_cb (cfile->__cookie, &offset, dir)
|
||||
== -1)
|
||||
|| offset == (_IO_off64_t) -1)
|
||||
? _IO_pos_BAD : offset);
|
||||
@@ -94,11 +100,13 @@ _IO_cookie_close (fp)
|
||||
_IO_FILE *fp;
|
||||
{
|
||||
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
|
||||
+ cookie_close_function_t *close_cb = cfile->__io_functions.close;
|
||||
+ PTR_DEMANGLE (close_cb);
|
||||
|
||||
- if (cfile->__io_functions.close == NULL)
|
||||
+ if (close_cb == NULL)
|
||||
return 0;
|
||||
|
||||
- return cfile->__io_functions.close (cfile->__cookie);
|
||||
+ return close_cb (cfile->__cookie);
|
||||
}
|
||||
|
||||
|
||||
@@ -140,6 +148,19 @@ static const struct _IO_jump_t _IO_cookie_jumps = {
|
||||
};
|
||||
|
||||
|
||||
+/* Copy the callbacks from SOURCE to *TARGET, with pointer
|
||||
+ mangling. */
|
||||
+static void
|
||||
+set_callbacks (_IO_cookie_io_functions_t *target,
|
||||
+ _IO_cookie_io_functions_t source)
|
||||
+{
|
||||
+ PTR_MANGLE (source.read);
|
||||
+ PTR_MANGLE (source.write);
|
||||
+ PTR_MANGLE (source.seek);
|
||||
+ PTR_MANGLE (source.close);
|
||||
+ *target = source;
|
||||
+}
|
||||
+
|
||||
void
|
||||
_IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
|
||||
void *cookie, _IO_cookie_io_functions_t io_functions)
|
||||
@@ -148,7 +169,7 @@ _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
|
||||
_IO_JUMPS (&cfile->__fp) = &_IO_cookie_jumps;
|
||||
|
||||
cfile->__cookie = cookie;
|
||||
- cfile->__io_functions = io_functions;
|
||||
+ set_callbacks (&cfile->__io_functions, io_functions);
|
||||
|
||||
_IO_file_init (&cfile->__fp);
|
||||
|
||||
@@ -223,14 +244,14 @@ _IO_old_cookie_seek (fp, offset, dir)
|
||||
int dir;
|
||||
{
|
||||
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
|
||||
- int (*seek) (_IO_FILE *, _IO_off_t, int);
|
||||
- int ret;
|
||||
+ int (*seek_cb) (_IO_FILE *, _IO_off_t, int)
|
||||
+ = (int (*) (_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;;
|
||||
+ PTR_DEMANGLE (seek_cb);
|
||||
|
||||
- seek = (int (*)(_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;
|
||||
- if (seek == NULL)
|
||||
+ if (seek_cb == NULL)
|
||||
return _IO_pos_BAD;
|
||||
|
||||
- ret = seek (cfile->__cookie, offset, dir);
|
||||
+ int ret = seek_cb (cfile->__cookie, offset, dir);
|
||||
|
||||
return (ret == -1) ? _IO_pos_BAD : ret;
|
||||
}
|
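Review bot: The demangle sites carry no comment saying that `cfile->__io_functions` now holds mangled values, so a later edit that tests a field against NULL directly, as the removed lines did, would stop detecting an absent callback, since a mangled NULL is generally non-zero. Only `set_callbacks` is commented; I would add `/* __io_functions holds PTR_MANGLE'd pointers: demangle into a local before the NULL test and the call.  */` above the first `PTR_DEMANGLE` in `_IO_cookie_read`, or at the field's declaration, which is not part of this patch. The same comment could note that `cfile->__cookie` is still stored as passed (`_IO_cookie_init` assigns it directly), if that is the intended scope. The new declaration in `_IO_old_cookie_seek` ends in a stray `;;`. All of the patched function bodies start or end outside their hunks.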
@ -276,6 +276,7 @@ Patch1055: glibc-rh1348620.patch
|
||||
Patch1056: glibc-swbz20435.patch
|
||||
Patch1057: glibc-rh1294574.patch
|
||||
Patch1058: glibc-rh1344480.patch
|
||||
Patch1059: glibc-swbz20222.patch
|
||||
|
||||
##############################################################################
|
||||
#
|
||||
@ -751,6 +752,7 @@ microbenchmark tests on the system.
|
||||
%patch1056 -p1
|
||||
%patch1057 -p1
|
||||
%patch1058 -p1
|
||||
%patch1059 -p1
|
||||
%patch0059 -p1
|
||||
|
||||
##############################################################################
|
||||
@ -1978,6 +1980,7 @@ rm -f *.filelist*
|
||||
- CVE-2016-6323: Backtraces can hang on ARM EABI (32-bit) (swbz#20435)
|
||||
- Return proper status from _nss_nis_initgroups_dyn (#1294574)
|
||||
- nss_db: Fix initialization of iteration position (#1344480)
|
||||
- fopencookie: Mangle function pointers stored on the heap (swbz#20222)
|
||||
|
||||
* Thu Jun 2 2016 Florian Weimer <fweimer@redhat.com> - 2.22-17
|
||||
- CVE-2016-4429: stack overflow in Sun RPC clntudp_call (#1337140)
|
||||
|