
Annotation of /trunk/glibc/patches/glibc-2.21-roundup.patch



Revision 2568 - (hide annotations) (download)
Tue Nov 25 23:00:19 2014 UTC (9 years, 5 months ago) by niro
File size: 3805 byte(s)
-fixes several issues and CVE-2015-1781
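diff --git a/ChangeLog b/ChangeLog
index dc1ed1b..26feb07 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2015-04-21 Arjun Shankar <arjun.is@lostca.se>
+
+ [BZ #18287]
+ * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+ based on padding. (CVE-2015-1781)
+
+2015-02-10 Evangelos Foutras <evangelos@foutrelis.com>
+
+ [BZ #17949]
+ * sysdeps/i386/i686/multiarch/mempcpy_chk.S: Fix position of
+ jump label.
+
 2015-02-06 Carlos O'Donell <carlos@systemhalted.org>
 
 * version.h (RELEASE): Set to "stable".
@@ -7,6 +19,7 @@
 * sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h.
 
 2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
+ Paul Eggert <eggert@cs.ucla.edu>
 
 [BZ #16618]
 * stdio-common/tst-sscanf.c (main): Test for buffer overflow.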
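diff --git a/NEWS b/NEWS
index 617cdbb..c9f6b58 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,19 @@ See the end for copying conditions.
 Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
 using `glibc' in the "product" field.
 
+Version 2.21.1
+
+* The following bugs are resolved with this release:
+
+ 17949, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
+ misaligned buffer, the buffer length change due to pointer alignment was
+ not taken into account. This could result in application crashes or,
+ potentially arbitrary code execution, using crafted, but syntactically
+ valid DNS responses. (CVE-2015-1781)
+
 Version 2.21
 
 * The following bugs are resolved with this release:
@@ -21,10 +34,11 @@ Version 2.21
 17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
 17892.
 
-* CVE-2015-1472 Under certain conditions wscanf can allocate too little
- memory for the to-be-scanned arguments and overflow the allocated
- buffer. The implementation now correctly computes the required buffer
- size when using malloc.
+* CVE-2015-1472 CVE-2015-1473 Under certain conditions wscanf can allocate
+ too little memory for the to-be-scanned arguments and overflow the
+ allocated buffer. The implementation now correctly computes the required
+ buffer size when using malloc, and switches to malloc from alloca as
+ intended.
 
 * A new semaphore algorithm has been implemented in generic C code for all
 machines. Previous custom assembly implementations of semaphore were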
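diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f715ab0..40069a7 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
 int have_to_map = 0;
 uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
 buffer += pad;
- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
 {
 /* The buffer is too small. */
 too_small: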
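Review bot: The new line `buflen = buflen > pad ? buflen - pad : 0;` carries no comment saying why the subtraction is guarded, and the guard is the whole point: both operands are unsigned, so a plain `buflen -= pad` would wrap to a huge length whenever the caller's buffer is shorter than the alignment padding and the size check on the next line would then pass. A one-line comment above it, such as `/* pad may exceed buflen; clamp rather than let the unsigned length wrap.  */`, would keep a later cleanup from folding it back into the old form. Note that the `sizeof (struct host_data)` test now relies on buflen having already been reduced, so the two statements must stay in this order. getanswer_r starts and ends outside the hunk, so whether any other pointer-alignment padding in this file needs the same length adjustment is not visible here and is worth confirming.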
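diff --git a/sysdeps/i386/i686/multiarch/mempcpy_chk.S b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
index 207b648..b6fa202 100644
--- a/sysdeps/i386/i686/multiarch/mempcpy_chk.S
+++ b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
@@ -36,8 +36,8 @@ ENTRY(__mempcpy_chk)
 cmpl $0, KIND_OFFSET+__cpu_features@GOTOFF(%ebx)
 jne 1f
 call __init_cpu_features
- leal __mempcpy_chk_ia32@GOTOFF(%ebx), %eax
-1: testl $bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
+1: leal __mempcpy_chk_ia32@GOTOFF(%ebx), %eax
+ testl $bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
 jz 2f
 leal __mempcpy_chk_sse2_unaligned@GOTOFF(%ebx), %eax
 testl $bit_Fast_Unaligned_Load, FEATURE_OFFSET+index_Fast_Unaligned_Load+__cpu_features@GOTOFF(%ebx)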
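Review bot: The relocated `1:` label has no comment explaining why it must sit on the `leal` rather than the `testl`, which is exactly the placement that was wrong before: with the label after the `leal`, the `jne 1f` path taken when cpu features were already initialised skipped the default selection, so `%eax` reached `jz 2f` unset whenever SSE2 was absent. A short comment on the new line, such as `/* 1: must precede the default selection so the jne path also loads %eax.  */`, would stop the next reordering from reintroducing the fault. The sibling ifunc selectors in this directory (memcpy_chk.S, memmove_chk.S, memset_chk.S) follow the same label-and-leal pattern; whether any of them has the label in the old position is not visible in this hunk and is worth checking in the same pass. The rest of __mempcpy_chk, including the `2:` target, lies outside the hunk.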