About glibc getaddrinfo() stack-based buffer overflow in i.MX6DQ.

keitanagashima · ‎02-25-2016

Dear All,

Hello. Recently, the below security issue was found.

https://www.sourceware.org/ml/libc-alpha/2016-02/msg00416.html

In BSP(L3.0.35_4.1.0_130816), we just find the RPM package of gcc, gcc-4.6.2-glibc-2.13-linaro-multilib-2011.12-1.i386.rpm.

But, no source code.

[Question]

Could you give us the source code of gcc-4.6.2-glibc-2.13-linaro-multilib-2011.12-1.i386.rpm to apply the patch?

The compile guideline is also necessary!

Best Regards,

Keita

gusarambula · ‎03-28-2016

Hello Keita Nagashima,

My apologies for the delay. I just got an answer from the escalation.

Glibc is part of the toolchain and support for the toolchain is not usually provided so no further help can be granted and the recommendation is to look for information on open source forums. However, you may contact your Sales Representative to look for access to the source code used, which may help.

I’m sorry for not having a better answer for your questions.

Regards,

View solution in original post

gusarambula · ‎03-23-2016

Hello Keita Nagashima,

I am very sorry but I do not have an answer from the escalation yet. I am contacting the escalation owners to ask for an update. I've asked them to answer directly to this thread to avoid further delays.

Regards,

keitanagashima · ‎03-09-2016

Dear gusarambula,

I have additional questions. Please answer it asap!

(I updated question on 11-Mar.)

> I confirmed that this is the only patch to glibc that was applied so you may apply it to the source code available at the GNU mirrors.

[Q1]

About how to compile the gcc source code, my customer made some efforts but failed, so they need the compile guideline to resolve the following questions:

Q1-1. What's hardware & software requirement on PC?

e.g. what OS version? need install what software? How many DDR memory?

Q1-2. What preparation need to do before gcc compile?

We try to compile gcc after uncompress the [Linaro_gcc_4.6.2.zip], but failed!

Q1-3. What command to start compile?

“./build.sh linux” is right?

Q1-4. How long time to complete the gcc compile?

Q1-5. What path is the compile result in?

And what's the binary file name?

[Q2]

Refer to the "0001-Freescale-build-multilib-toolchain.patch" from you.

The patch was for gcc (not glibc).

Is it necessary to apply the patch for gcc?

[Q3]

Please send me URL about your mentioned "GNU mirrors"

Is it correct below link? Please confirm.

Index of /gnu/glibc

Index of /pub/gnu/gcc/gcc-4.6.2

[Q4]

Is it a same contents in GNU mirrors and below Linaro repositories?

These looks same by myself checking.

Linaro Git Hosting - toolchain/glibc.git/commit

Linaro Git Hosting - toolchain/gcc.git/commit

Best Regards,

Keita

gusarambula · ‎03-11-2016

Hello Keita Nagashima,

I've escalated your questions. I'll let you know as soon as I have an update.

Regards,

Gustavo

keitanagashima · ‎03-16-2016

Dear gusarambula,

Hello. Do you have any update?

And, Please give me your answer's schedule.

Best Regards,

Keita

2016-03-12 2:44 GMT+09:00 gusarambula <admin@community.freescale.com>:

NXP Community
<https://community.freescale.com/resources/statics/1000/35400-NXP-Community-Email-banner-600x75.jpg>
About glibc getaddrinfo() stack-based buffer overflow in i.MX6DQ.
reply from gusarambula
<https://community.freescale.com/people/gusarambula?et=watches.email.thread>
in i.MX Community - View the full discussion
<https://community.freescale.com/message/624056?et=watches.email.thread#comment-624056>

gusarambula · ‎03-16-2016

My apologies, Keita Nagashima. I'm still awaiting for an update on your questions and I have not a schedule for the answer. I'll let you know as soon as I have more information.

keitanagashima · ‎03-22-2016

Hi gusarambula,

I'm still waiting for your answer.

Please give me your update.

Best Regards,

Keita

gusarambula · ‎03-28-2016

Hello Keita Nagashima,

My apologies for the delay. I just got an answer from the escalation.

Glibc is part of the toolchain and support for the toolchain is not usually provided so no further help can be granted and the recommendation is to look for information on open source forums. However, you may contact your Sales Representative to look for access to the source code used, which may help.

I’m sorry for not having a better answer for your questions.

Regards,

keitanagashima · ‎03-14-2016

Dear Gustavo,

Hello. I updated the customer's compile environment.

Please tell me your compile method.

And, when will you get answer?

===========

Environment is: “Ubuntu 10.04.4 LTS 32bit”.

Compile command is: “./build.sh linux”.

Source code is:

Index of /gnu/glibc

Index of /pub/gnu/gcc/gcc-4.6.2

Error message is:

----------------------------------------------

[CFG ] configure: WARNING: using cross tools not prefixed with host triplet

[CFG ] checking whether we are using the GNU C++ compiler... yes

[CFG ] checking whether g++ accepts -g... yes

[CFG ] configure: running configure fragment for add-on cortex-strings

[CFG ] configure: WARNING: you should use --build, --host, --target

[CFG ] configure: WARNING: invalid host type: $CXX

[ERROR] configure: error: unrecognized option: `-c'

[CFG ] Try `/home/xxxx/Linaro/build/fsl/build/.build/src/glibc-2.13/configure --help' for more information

[ERROR]

[ERROR] >> Build failed in step 'Installing C library headers & start files'

----------------------------------------------

===========

Best Regards,

Keita

gusarambula · ‎02-25-2016

Hello Keita Nagashima,

You may find the source code for GCC on the GNU site (link below)

https://gcc.gnu.org/gcc-4.6/

You would be looking for the 4.6.2 release, which is available on one of the GCC mirror sites available (the link to these is almost at the bottom of the Release page).

The manuals for the 4.6.2 release are available on the following link:

https://gcc.gnu.org/onlinedocs/4.6.2/

I would recommend also looking at the attach document, which was originally posted on the following thread, which is similar to this and may also be of help.

How to get gcc source code for i.MX6 Linux BSP.

I hope this helps!

Regards,

Gustavo

keitanagashima · ‎02-25-2016

Dear Gustavo,

Thank you for your reply.

But, my real question was David-san's question, too.

(Dear David-san, Thank you follow up my question!)

So, please answer it asap.

The issue was very important and urgent.

[Question]

"Was that source used as is by Freescale or Linaro when building the RPM content, or did they modify glibc-2.13 in any way?"

"If the latter is true, then we need that modified source from Freescale. "

"The compile guideline is also necessary!"

Best Regards,

Keita

gusarambula · ‎02-25-2016

My mistake. Thank you both for the clarification! I do not have this information at hand but I'll investigate this and I'll let you know as soon as possible!

davidjonathan · ‎02-26-2016

I'm not sure what has happened here... I have an email from gusarambula with this thread as the title, and there is a "View the full discussion" link. When I click that I get "Access to this place or content is restricted. If you think this is a mistake, please contact your administrator or the person who directed you here."

Also, at the top of this thread page there is now a line with a "new discussion" link, and when I click that I get the same error as above:

" Latest reply on Feb 25, 2016 5:51 PM by gusarambula Branched to a new discussion"

gusarambula · ‎02-26-2016

I apologize for the confusion. The message was created as part of this escalation, since I have to inquiry on this information. I'll update this thread as soon as I have more information.

keitanagashima · ‎03-02-2016

Dear gusarambula,

Hello. Do you have any update?

The question is very urgent.

Please tell me your situation and answer's schedule asap.

Best Regards,

Keita

2016-02-27 6:19 GMT+09:00 gusarambula <admin@community.freescale.com>:

NXP Community
<https://community.freescale.com/resources/statics/1000/35400-NXP-Community-Email-banner-600x75.jpg>
About glibc getaddrinfo() stack-based buffer overflow in i.MX6DQ.
reply from gusarambula
<https://community.freescale.com/people/gusarambula?et=watches.email.thread>
in i.MX Community - View the full discussion
<https://community.freescale.com/message/619262?et=watches.email.thread#619262>

gusarambula · ‎03-03-2016

Hello Keita Nagashima,

This case is escalated to the BSP team. I'm still awaiting for an answer. My apologies for the delay. I will let you know as soon as I have more information on this.

keitanagashima · ‎03-03-2016

Dear gusarambula,

Thank you for your reply..

This is very important things. Now, the project status is MP.

Customer's product will be running change.

When can you answer this question by?

(source code & compile guideline)

Best Regards,

Keita

gusarambula · ‎03-04-2016

Hello Keita Nagashima,

My apologies for the delay.

Please find the patch attached. I confirmed that this is the only patch to glibc that was applied so you may apply it to the source code available at the GNU mirrors.

Please let me know if you have any issues with the patch.

Regards,

davidjonathan · ‎02-25-2016

Unfortunately, in providing your "answer" I think you must not have paid attention to the question.

The referenced getadderinfo() bug is in libresolv, which is part of glibc, which is NOT included in the gcc source distribution.

The referenced RPM indicates Keita Nagashima is looking for the glibc-2.13 source which was used to create the library binaries contained in the RPM. While a glibc-2.13 source can be found at http://ftp.gnu.org/gnu/libc/ this question remains: Was that source used as is by Freescale or Linaro when building the RPM content, or did they modify glibc-2.13 in any way?

If the latter is true, then we need that modified source from Freescale.

TIA for help sorting this out.

About glibc getaddrinfo() stack-based buffer overflow in i.MX6DQ.

About glibc getaddrinfo() stack-based buffer overflow in i.MX6DQ.

i.MX6_All

i.MX6Dual

i.MX6Quad

Linux

Yocto Project