Magellan Linux

Contents of /trunk/glibc/patches/glibc-2.21-roundup.patch



Revision 2568
Tue Nov 25 23:00:19 2014 UTC (9 years, 5 months ago) by niro
File size: 3805 byte(s)
-fixes several issues and CVE-2015-1781
1 diff --git a/ChangeLog b/ChangeLog
2 index dc1ed1b..26feb07 100644
3 --- a/ChangeLog
4 +++ b/ChangeLog
5 @@ -1,3 +1,15 @@
6 +2015-04-21 Arjun Shankar <arjun.is@lostca.se>
7 +
8 + [BZ #18287]
9 + * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
10 + based on padding. (CVE-2015-1781)
11 +
12 +2015-02-10 Evangelos Foutras <evangelos@foutrelis.com>
13 +
14 + [BZ #17949]
15 + * sysdeps/i386/i686/multiarch/mempcpy_chk.S: Fix position of
16 + jump label.
17 +
18 2015-02-06 Carlos O'Donell <carlos@systemhalted.org>
19
20 * version.h (RELEASE): Set to "stable".
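Review bot: The ChangeLog entries added at the top of this hunk depend on exact context in a file that changes with every upstream commit, so this roundup is likely to reject on the next rebase. Consider dropping the ChangeLog hunks from the distribution patch and recording the BZ #18287 and BZ #17949 references in the patch header instead.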
21 @@ -7,6 +19,7 @@
22 * sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h.
23
24 2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
25 + Paul Eggert <eggert@cs.ucla.edu>
26
27 [BZ #16618]
28 * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
29 diff --git a/NEWS b/NEWS
30 index 617cdbb..c9f6b58 100644
31 --- a/NEWS
32 +++ b/NEWS
33 @@ -5,6 +5,19 @@ See the end for copying conditions.
34 Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
35 using `glibc' in the "product" field.
36
37 +Version 2.21.1
38 +
39 +* The following bugs are resolved with this release:
40 +
41 + 17949, 18287.
42 +
43 +* A buffer overflow in gethostbyname_r and related functions performing DNS
44 + requests has been fixed. If the NSS functions were called with a
45 + misaligned buffer, the buffer length change due to pointer alignment was
46 + not taken into account. This could result in application crashes or,
47 + potentially arbitrary code execution, using crafted, but syntactically
48 + valid DNS responses. (CVE-2015-1781)
49 +
50 Version 2.21
51
52 * The following bugs are resolved with this release:
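Review bot: The "Version 2.21.1" heading added at the top of NEWS is not matched by any version.h hunk in this patch, so the built library presumably still reports 2.21 while NEWS describes 2.21.1. Either carry the version bump as well or note in the package changelog that the CVE-2015-1781 fix is a backport onto 2.21, so that version-based vulnerability checks are not misread.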
53 @@ -21,10 +34,11 @@ Version 2.21
54 17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
55 17892.
56
57 -* CVE-2015-1472 Under certain conditions wscanf can allocate too little
58 - memory for the to-be-scanned arguments and overflow the allocated
59 - buffer. The implementation now correctly computes the required buffer
60 - size when using malloc.
61 +* CVE-2015-1472 CVE-2015-1473 Under certain conditions wscanf can allocate
62 + too little memory for the to-be-scanned arguments and overflow the
63 + allocated buffer. The implementation now correctly computes the required
64 + buffer size when using malloc, and switches to malloc from alloca as
65 + intended.
66
67 * A new semaphore algorithm has been implemented in generic C code for all
68 machines. Previous custom assembly implementations of semaphore were
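Review bot: The reworded entry now lists CVE-2015-1473 and states that the code "switches to malloc from alloca as intended", but no hunk in this patch touches the scanf implementation. Confirm that the 2.21 base tree already contains that change; if it does not, this text claims a fix the package does not ship.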
69 diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
70 index f715ab0..40069a7 100644
71 --- a/resolv/nss_dns/dns-host.c
72 +++ b/resolv/nss_dns/dns-host.c
73 @@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
74 int have_to_map = 0;
75 uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
76 buffer += pad;
77 - if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
78 + buflen = buflen > pad ? buflen - pad : 0;
79 + if (__glibc_unlikely (buflen < sizeof (struct host_data)))
80 {
81 /* The buffer is too small. */
82 too_small:
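Review bot: The added line "buflen = buflen > pad ? buflen - pad : 0;" carries no comment and the patch adds no regression test for it. A short comment saying that buflen must shrink by the padding already consumed by "buffer += pad" would keep a later cleanup from folding the check back into "sizeof (struct host_data) + pad", and a test that passes a deliberately misaligned buffer to gethostbyname_r would cover the case described in the NEWS entry.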
83 diff --git a/sysdeps/i386/i686/multiarch/mempcpy_chk.S b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
84 index 207b648..b6fa202 100644
85 --- a/sysdeps/i386/i686/multiarch/mempcpy_chk.S
86 +++ b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
87 @@ -36,8 +36,8 @@ ENTRY(__mempcpy_chk)
88 cmpl $0, KIND_OFFSET+__cpu_features@GOTOFF(%ebx)
89 jne 1f
90 call __init_cpu_features
91 - leal __mempcpy_chk_ia32@GOTOFF(%ebx), %eax
92 -1: testl $bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
93 +1: leal __mempcpy_chk_ia32@GOTOFF(%ebx), %eax
94 + testl $bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
95 jz 2f
96 leal __mempcpy_chk_sse2_unaligned@GOTOFF(%ebx), %eax
97 testl $bit_Fast_Unaligned_Load, FEATURE_OFFSET+index_Fast_Unaligned_Load+__cpu_features@GOTOFF(%ebx)
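Review bot: Only mempcpy_chk.S gets the corrected "1:" label here, so any other selector in sysdeps/i386/i686/multiarch that uses the same "cmpl / jne 1f / call __init_cpu_features" sequence should be checked for the same placement. With the label on the testl line, as in the removed lines, the "jne 1f" path skipped the leal and could reach "jz 2f" without the __mempcpy_chk_ia32 default loaded into %eax; a one-line comment at the label would make that requirement explicit.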