authorCorinna Vinschen <corinna@vinschen.de>2009-11-23 17:02:20 +0000
committerCorinna Vinschen <corinna@vinschen.de>2009-11-23 17:02:20 +0000
commite92d0abecfb11884e85a53f81966c66e5319942d (patch)
treeb60bc08b2ed4b28621ede6b89fb6de2d24145665
parent27bbefdefd339676bee4238e996df70e89fcdfa1 (diff)
Use NetBSD fix for CVE-2009-0689 security vulnerability.
* libc/include/sys/reent.h (_Kmax): Define here based on the sizeof size_t, as in latest NetBSD. * libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant value 15. * libc/stdlib/mprec.c (_Kmax): Don't define here. Explain why.
-rw-r--r--newlib/ChangeLog9
-rw-r--r--newlib/libc/include/sys/reent.h5
-rw-r--r--newlib/libc/reent/reent.c2
-rw-r--r--newlib/libc/stdlib/mprec.c6
4 files changed, 20 insertions, 2 deletions
diff --git a/newlib/ChangeLog b/newlib/ChangeLog
index 72ca21653..be8b35737 100644
--- a/newlib/ChangeLog
+++ b/newlib/ChangeLog
@@ -1,3 +1,12 @@
+2009-11-23 Corinna Vinschen <corinna@vinschen.de>
+
+ Use NetBSD fix for CVE-2009-0689 security vulnerability.
+ * libc/include/sys/reent.h (_Kmax): Define here based on the sizeof
+ size_t, as in latest NetBSD.
+ * libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant
+ value 15.
+ * libc/stdlib/mprec.c (_Kmax): Don't define here. Explain why.
+
2009-11-20 Nick Clifton <nickc@redhat.com>
* libc/machine/rx/strncat.S (_strncat): Replace use of r6
diff --git a/newlib/libc/include/sys/reent.h b/newlib/libc/include/sys/reent.h
index 60eb208a7..ed3d9aa01 100644
--- a/newlib/libc/include/sys/reent.h
+++ b/newlib/libc/include/sys/reent.h
@@ -800,6 +800,11 @@ struct _reent
#endif /* !_REENT_SMALL */
+/* This value is used in stdlib/misc.c. reent/reent.c has to know it
+ as well to make sure the freelist is correctly free'd. Therefore
+ we define it here, rather than in stdlib/misc.c, as before. */
+#define _Kmax (sizeof (size_t) << 3)
+
/*
* All references to struct _reent are via this pointer.
* Internally, newlib routines that need to reference it should use _REENT.
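Review bot: The comment added above `_Kmax` names stdlib/misc.c twice, but the definition this commit retires sits in libc/stdlib/mprec.c according to the mprec.c hunk and the ChangeLog entry, so the cross-reference sends readers to the wrong file. I would write `This value is used in stdlib/mprec.c.` and `we define it here, rather than in stdlib/mprec.c, as before.` in its place. The comment could also record that the macro now evaluates to a `size_t` (the old `15` was an `int` constant) and that the value is security-relevant, since the mprec.c comment ties the old 15 to CVE-2009-0689; that keeps a later edit from shrinking it again.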
diff --git a/newlib/libc/reent/reent.c b/newlib/libc/reent/reent.c
index 3c9de71f7..63812db83 100644
--- a/newlib/libc/reent/reent.c
+++ b/newlib/libc/reent/reent.c
@@ -55,7 +55,7 @@ _DEFUN (_reclaim_reent, (ptr),
if (_REENT_MP_FREELIST(ptr))
{
int i;
- for (i = 0; i < 15 /* _Kmax */; i++)
+ for (i = 0; i < _Kmax; i++)
{
struct _Bigint *thisone, *nextone;
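Review bot: With `_Kmax` now expanding to `(sizeof (size_t) << 3)`, the condition `i < _Kmax` compares the `int i` declared two lines above with a `size_t`, a signed/unsigned mix that `-Wsign-compare` reports. It is harmless here because `i` never goes negative, but `size_t i;` or `i < (int) _Kmax` would make the intent explicit. Separately, the `<` bound reclaims every bucket only if the freelist is allocated with exactly `_Kmax` slots; that allocation is not visible in this diff, so it is worth confirming against Balloc that no final bucket is left unfreed. `_reclaim_reent` starts before and continues after this hunk.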
diff --git a/newlib/libc/stdlib/mprec.c b/newlib/libc/stdlib/mprec.c
index 6e84ece5b..2b982ef55 100644
--- a/newlib/libc/stdlib/mprec.c
+++ b/newlib/libc/stdlib/mprec.c
@@ -86,8 +86,12 @@
#include <reent.h>
#include "mprec.h"
-/* reent.c knows this value */
+/* This is defined in sys/reent.h as (sizeof (size_t) << 3) now, as in NetBSD.
+ The old value of 15 was wrong and made newlib vulnerable against buffer
+ overrun attacks (CVE-2009-0689), same as other implementations of gdtoa
+ based on BSD code.
#define _Kmax 15
+*/
_Bigint *
_DEFUN (Balloc, (ptr, k), struct _reent *ptr _AND int k)
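Review bot: Nothing visible in this commit adds a range check on `k` before the freelist is indexed, so the fix rests entirely on the table now being sized from `_Kmax`. Balloc begins on the last lines of this hunk and its body is outside it, so such a check may already exist; if it does not, a guard like `if (k < 0 || (size_t) k > _Kmax) return NULL;` at the top of Balloc (with the bound matched to the allocated slot count) would turn an out-of-range index into a failed allocation rather than an out-of-bounds access, provided the callers handle a NULL return. As a smaller point, keeping `#define _Kmax 15` as a live-looking line inside the comment makes searches for the definition misleading; stating the old value in prose, as the sentence above it already does, is enough.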