From patchwork Thu Aug 11 18:18:52 2016 X-Patchwork-Submitter: Waldemar Brodkorb X-Patchwork-Id: 658308 Date: Thu, 11 Aug 2016 20:18:52 +0200 From: Waldemar Brodkorb To: buildroot@buildroot.org Message-ID: <20160811181852.GA32127@waldemar-brodkorb.de> Subject: [Buildroot] [PATCH] uclibc: add upstream patch for CVE-2016-4429 List-Id: Discussion and development of buildroot
Add security related bugfix to fix CVE-2016-4429 from GNU libc project. Signed-off-by: Waldemar Brodkorb --- ...-sunrpc-Do-not-use-alloca-in-clntudp_call.patch | 59 ++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 package/uclibc/0002-sunrpc-Do-not-use-alloca-in-clntudp_call.patch diff --git a/package/uclibc/0002-sunrpc-Do-not-use-alloca-in-clntudp_call.patch b/package/uclibc/0002-sunrpc-Do-not-use-alloca-in-clntudp_call.patch new file mode 100644 index 0000000..b0c523c --- /dev/null +++ b/package/uclibc/0002-sunrpc-Do-not-use-alloca-in-clntudp_call.patch 
@@ -0,0 +1,59 @@ +From 9213ad631513d0e67d9d31465c9cdb3f3dde0399 Mon Sep 17 00:00:00 2001 +From: Waldemar Brodkorb +Date: Fri, 5 Aug 2016 21:33:44 +0200 +Subject: [PATCH 2/3] sunrpc: Do not use alloca in clntudp_call + +CVE-2016-4429: +The call is technically in a loop, and under certain circumstances +(which are quite difficult to reproduce in a test case), alloca +can be invoked repeatedly during a single call to clntudp_call. +As a result, the available stack space can be exhausted (even +though individual alloca sizes are bounded implicitly by what +can fit into a UDP packet, as a side effect of the earlier +successful send operation). + +From GNU libc: +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=bc779a1a5b3035133024b21e2f339fe4219fb11c + +Signed-off-by: Waldemar Brodkorb +--- + libc/inet/rpc/clnt_udp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/libc/inet/rpc/clnt_udp.c b/libc/inet/rpc/clnt_udp.c +index 4fc55b7..ce7e9e6 100644 +--- a/libc/inet/rpc/clnt_udp.c ++++ b/libc/inet/rpc/clnt_udp.c +@@ -368,9 +368,15 @@ send_again: + struct sock_extended_err *e; + struct sockaddr_in err_addr; + struct iovec iov; +- char *cbuf = (char *) alloca (outlen + 256); ++ char *cbuf = malloc (outlen + 256); + int ret; + ++ if (cbuf == NULL) ++ { ++ cu->cu_error.re_errno = errno; ++ return (cu->cu_error.re_status = RPC_CANTRECV); ++ } ++ + iov.iov_base = cbuf + 256; + iov.iov_len = outlen; + msg.msg_name = (void *) &err_addr; +@@ -395,10 +401,12 @@ send_again: + cmsg = CMSG_NXTHDR (&msg, cmsg)) + if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) + { ++ free (cbuf); + e = (struct sock_extended_err *) CMSG_DATA(cmsg); + cu->cu_error.re_errno = e->ee_errno; + return (cu->cu_error.re_status = RPC_CANTRECV); + } ++ free (cbuf); + } + #endif + do +-- +2.7.4 (Apple Git-66) +
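Review bot: In the second clnt_udp.c hunk (@@ -395,10 +401,12 @@), free (cbuf) is called before e = (struct sock_extended_err *) CMSG_DATA(cmsg) and before e->ee_errno is read. The first hunk sets iov.iov_base = cbuf + 256, which leaves the first 256 bytes of cbuf free for another use; if those bytes are the control buffer that cmsg walks (the msg_control assignment is outside the shown context, so this needs checking against the full file), then e points into memory that has already been released and the ee_errno read is a use-after-free. Moving the free (cbuf) to after cu->cu_error.re_errno = e->ee_errno, directly before the return, removes the problem without changing anything else in the error path.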
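Review bot: In the first clnt_udp.c hunk (@@ -368,9 +368,15 @@), cbuf changes from stack to heap storage, so every exit from this block now has to release it, and the lines between msg.msg_name = (void *) &err_addr and the CMSG_NXTHDR loop are not in the shown context. Please confirm against the full file that no return, goto or continue in that gap can leave the block, because each such exit would leak outlen + 256 bytes per pass through send_again. A smaller point on the same hunk: the new NULL check reports an allocation failure as RPC_CANTRECV, the same status the IP_RECVERR path returns, so a caller can tell the two apart only through re_errno; a one-line comment at the check saying so would help whoever debugs this later.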