Use NetBSD fix for CVE-2009-0689 security vulnerability.

* libc/include/sys/reent.h (_Kmax): Define here based on the sizeof
	size_t, as in latest NetBSD.
	* libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant
	value 15.
	* libc/stdlib/mprec.c (_Kmax): Don't define here.  Explain why.
Corinna Vinschen 2009-11-23 17:02:20 +00:00
parent 27bbefdefd
commit e92d0abecf
4 changed files with 20 additions and 2 deletions


@ -1,3 +1,12 @@
2009-11-23 Corinna Vinschen <corinna@vinschen.de>
Use NetBSD fix for CVE-2009-0689 security vulnerability.
* libc/include/sys/reent.h (_Kmax): Define here based on the sizeof
size_t, as in latest NetBSD.
* libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant
value 15.
* libc/stdlib/mprec.c (_Kmax): Don't define here. Explain why.
2009-11-20 Nick Clifton <nickc@redhat.com> 2009-11-20 Nick Clifton <nickc@redhat.com>
* libc/machine/rx/strncat.S (_strncat): Replace use of r6 * libc/machine/rx/strncat.S (_strncat): Replace use of r6


@ -800,6 +800,11 @@ struct _reent
#endif /* !_REENT_SMALL */ #endif /* !_REENT_SMALL */
/* This value is used in stdlib/misc.c. reent/reent.c has to know it
as well to make sure the freelist is correctly free'd. Therefore
we define it here, rather than in stdlib/misc.c, as before. */
#define _Kmax (sizeof (size_t) << 3)
/* /*
* All references to struct _reent are via this pointer. * All references to struct _reent are via this pointer.
* Internally, newlib routines that need to reference it should use _REENT. * Internally, newlib routines that need to reference it should use _REENT.
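Review bot: The comment added above `#define _Kmax (sizeof (size_t) << 3)` names `stdlib/misc.c` as the user of the value, while the commit message and ChangeLog say the definition was taken out of `libc/stdlib/mprec.c`; the misc.c name looks carried over from NetBSD and will send readers to the wrong file. I would also state the invariant the macro protects, for example `/* Bound on the Bigint freelist index used by stdlib/mprec.c; reent/reent.c must walk the same range when freeing. */`. That wording is inferred from the macro's use in the other sections and should be checked against Balloc. Note too that the macro now has type `size_t` rather than `int`, which matters to any caller that compares it with a signed index.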


@ -55,7 +55,7 @@ _DEFUN (_reclaim_reent, (ptr),
if (_REENT_MP_FREELIST(ptr)) if (_REENT_MP_FREELIST(ptr))
{ {
int i; int i;
for (i = 0; i < 15 /* _Kmax */; i++) for (i = 0; i < _Kmax; i++)
{ {
struct _Bigint *thisone, *nextone; struct _Bigint *thisone, *nextone;
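Review bot: In the rewritten loop header `for (i = 0; i < _Kmax; i++)`, `i` is an `int` while `_Kmax` now expands to a `size_t` expression, so the comparison is mixed signed/unsigned. It is harmless here because `i` starts at 0, but `for (i = 0; i < (int) _Kmax; i++)` or an unsigned index avoids a `-Wsign-compare` warning. Separately, this loop has to cover every bucket that mprec.c can populate, and the freelist's allocation size is not visible on this page. Confirm whether it holds `_Kmax` or `_Kmax + 1` entries, since with the latter `<` would leave the last bucket unfreed. The body of `_reclaim_reent` starts and continues outside the hunk.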


@ -86,8 +86,12 @@
#include <reent.h> #include <reent.h>
#include "mprec.h" #include "mprec.h"
/* reent.c knows this value */ /* This is defined in sys/reent.h as (sizeof (size_t) << 3) now, as in NetBSD.
The old value of 15 was wrong and made newlib vulnerable against buffer
overrun attacks (CVE-2009-0689), same as other implementations of gdtoa
based on BSD code.
#define _Kmax 15 #define _Kmax 15
*/
_Bigint * _Bigint *
_DEFUN (Balloc, (ptr, k), struct _reent *ptr _AND int k) _DEFUN (Balloc, (ptr, k), struct _reent *ptr _AND int k)
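Review bot: The old `#define _Kmax 15` is left inside the new comment as commented-out code. Stating the old value in prose is enough and keeps a search for `#define _Kmax` pointing only at sys/reent.h, so I would end the comment at `based on BSD code. */` and drop the `#define` line. The comment says the value now lives in sys/reent.h, but only `<reent.h>` and `"mprec.h"` are included in the visible lines, so presumably one of them pulls it in. Since the CVE-2009-0689 fix depends on every freelist index being bounded by the new `_Kmax`, confirm that Balloc, whose body is outside this hunk, sizes and indexes the freelist with the same macro.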